Configuring FTPS
To use FTPS for Firewall, you need to move the FTP control service (ftp-control) from port 21 to a different port number and allow only TLS sessions on it. Follow these steps:
- First, assign your own certificate to the FTP server on the IBM i, following the IBM documentation at https://www.ibm.com/support/pages/configuring-ssl-ftp-server. The server cannot accept TLS sessions until this is done.
- Confirm that the user-defined port you wish to use is neither in use nor restricted on the IBM i. NOTE: Select a port number greater than 1023. Port 2121 is a common choice for the FTPS control port.
- On the command line, enter the command
WRKSRVTBLE
The Work with Service Table Entries screen appears:
    Work with Service Table Entries                      System: S520
    Type options, press Enter.
      1=Add   4=Remove   5=Display

    Opt  Service            Port   Protocol
         as-admin-http      2001   tcp
         as-admin-http      2001   udp
         as-admin-https     2010   tcp
         as-admin-https     2010   udp
         as-central         8470   tcp
         as-central-s       9470   tcp
         as-database        8471   tcp
         as-database-s      9471   tcp
         as-debug           4026   tcp
         as-dtaq            8472   tcp
         as-dtaq-s          9472   tcp
                                                               More...
    Parameters for options 1 and 4 or command
    ===>
    F3=Exit   F4=Prompt   F5=Refresh   F6=Print list   F9=Retrieve
    F12=Cancel   F17=Top   F18=Bottom
- Type 1 in the Opt field on the first line and press Enter. The standard Add Service Table Entry (ADDSRVTBLE) screen appears.
- Enter the following values in its fields:
- Service: 'ftp-control'
- Port: the new port number (for example, 2121)
- Protocol: 'udp'
- Press F4, then Enter to add the entry, then F3. The Work with Service Table Entries screen reappears.
- Again, type 1 in the Opt field on the first line and press Enter. The Add Service Table Entry (ADDSRVTBLE) screen appears.
- Enter the same values, this time for TCP:
- Service: 'ftp-control'
- Port: the new port number (the same one you used for the UDP entry)
- Protocol: 'tcp'
- Press F4, then Enter, then F3. The Work with Service Table Entries screen reappears, and should now list ftp-control on the new port for both tcp and udp.
- Scroll down with the PageDown key until you see the two existing lines for service ftp-control on port 21 (tcp and udp). For each, type 4 in the Opt field and press Enter. The Confirm Delete of Service Table Entries screen appears. If the list of entries to be deleted is correct (only the port 21 entries, not the ones you just added), press Enter to confirm the deletions.
- To update the FTP attributes so that unencrypted FTP is disabled and only TLS sessions are accepted, enter the command
CHGFTPA NAMEFMT(*LIB) CURDIR(*CURLIB) ALWSSL(*ONLY)
ALWSSL(*ONLY) rejects every session that does not negotiate TLS, so the certificate assigned in the first step must be in place before the server is restarted; otherwise no client will be able to log in.
- To restart the FTP server, enter the commands
ENDTCPSVR SERVER(*FTP)
STRTCPSVR SERVER(*FTP)
- To restrict the range of ports the FTPS server uses for passive data connections (so that the firewall only has to open that range), enter the commands
ENDTCPSVR SERVER(*FTP)
ADDENVVAR ENVVAR(QIBM_FTP_PORT_RANGE) VALUE('1023-65535') LEVEL(*SYS)
WRKENVVAR LEVEL(*SYS)
STRTCPSVR SERVER(*FTP)
WRKENVVAR LEVEL(*SYS) lists the system-level environment variables; use it to confirm that QIBM_FTP_PORT_RANGE was added with the expected value (WRKENVVAR without LEVEL(*SYS) shows only the current job's variables). The variable is read when the server starts, which is why it is set between ENDTCPSVR and STRTCPSVR.
- On the firewall between the Imperva Gateway and the IBM i (AS/400) server, open all ports higher than 1023 (1024-65535) from the gateway to the server. This range carries the passive data connections and, as long as you picked a port above 1023, the new FTPS control port as well. The firewall rule must cover the whole range set in QIBM_FTP_PORT_RANGE; if you set that variable to a narrower range, you can open correspondingly fewer ports.
- Check the main WAN/LAN firewall rules as well, to confirm that these ports are not blocked elsewhere on the path between the gateway and the server.
- If FTPEXITPGM (the FTP exit point program) is enabled on the server, disable it. FTP exit programs are registered under the FTP server exit points and can be listed with WRKREGINF; an exit program that rejects or alters requests will interfere with the gateway's FTPS sessions.
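The IBM i side of the procedure above can be run as a single CL program instead of step by step through WRKSRVTBLE. The program below is an added example, not code from the original page or from IBM's or Imperva's documentation; it assumes the new control port is 2121, that the certificate from the first step has already been assigned to the FTP server, and that the job running it is allowed to change TCP/IP configuration (*IOSYSCFG special authority). The MONMSG lines after the service-table and ENDTCPSVR commands are there only so the program can be rerun safely; remove them if you prefer a failure to stop the run.

```cl
/* Added example, not taken from the original page or from IBM's or        */
/* Imperva's documentation: CL program that performs the IBM i side of the  */
/* FTPS port move in one run. Assumptions (not stated on the page): the     */
/* new control port is 2121, the certificate from the first step is already */
/* assigned to the FTP server, and the job has *IOSYSCFG authority.         */
             PGM
             DCL        VAR(&NEWPORT) TYPE(*DEC) LEN(5 0) VALUE(2121)

             /* 1. Register ftp-control on the new port, udp and tcp.       */
             /*    Ignore "entry already exists" when the program is rerun. */
             ADDSRVTBLE SERVICE('ftp-control') PORT(&NEWPORT) +
                          PROTOCOL('udp') TEXT('FTPS control port')
             MONMSG     MSGID(CPF0000 TCP0000)
             ADDSRVTBLE SERVICE('ftp-control') PORT(&NEWPORT) +
                          PROTOCOL('tcp') TEXT('FTPS control port')
             MONMSG     MSGID(CPF0000 TCP0000)

             /* 2. Remove the port 21 entries so nothing listens there.     */
             RMVSRVTBLE SERVICE('ftp-control') PORT(21) PROTOCOL('udp')
             MONMSG     MSGID(CPF0000 TCP0000)
             RMVSRVTBLE SERVICE('ftp-control') PORT(21) PROTOCOL('tcp')
             MONMSG     MSGID(CPF0000 TCP0000)

             /* 3. Accept TLS sessions only. Without the certificate from   */
             /*    the first step the server rejects every login after the  */
             /*    restart.                                                 */
             CHGFTPA    NAMEFMT(*LIB) CURDIR(*CURLIB) ALWSSL(*ONLY)

             /* 4. Pin the passive data ports to the range the firewall     */
             /*    opens. REPLACE(*YES) updates the value on a rerun.       */
             ADDENVVAR  ENVVAR(QIBM_FTP_PORT_RANGE) +
                          VALUE('1023-65535') LEVEL(*SYS) REPLACE(*YES)

             /* 5. One restart picks up the new port, the attributes and    */
             /*    the port range. ENDTCPSVR returns before the server      */
             /*    jobs have actually ended, so wait before starting.       */
             ENDTCPSVR  SERVER(*FTP)
             MONMSG     MSGID(CPF0000 TCP0000) /* server not running */
             DLYJOB     DLY(10)
             STRTCPSVR  SERVER(*FTP)
             ENDPGM
```

Compile it with CRTCLPGM (or CRTBNDCL) and run it with CALL. Afterwards, check with NETSTAT OPTION(*CNN) that the FTP server is listening on the new port and that nothing listens on port 21 any more, and test from the Imperva Gateway side with a client that does an explicit AUTH TLS on the new port; a plain FTP login on the same port should be refused because of ALWSSL(*ONLY).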