Configuring FTPS

To use FTPS with the Firewall, you must move the FTP server's control service from port 21 to a different port number. Follow these steps:

  1. First, assign your own certificate to the FTP server on the IBM i, as described in the IBM documentation at https://www.ibm.com/support/pages/configuring-ssl-ftp-server.
  2. Confirm that the user-defined port you wish to use is not already in use or restricted on the IBM i. NOTE: Select a port number greater than 1023. Port 2121 is a common choice for the FTPS port.
  3. On the command line, enter the command

WRKSRVTBLE

The Work with Service Table Entries screen appears:

                        Work with Service Table Entries
                                                                System:   S520
 Type options, press Enter.

 1=Add   4=Remove   5=Display

 Opt  Service                                  Port  Protocol

      as-admin-http                            2001  tcp
      as-admin-http                            2001  udp
      as-admin-https                           2010  tcp
      as-admin-https                           2010  udp
      as-central                               8470  tcp
      as-central-s                             9470  tcp
      as-database                              8471  tcp
      as-database-s                            9471  tcp
      as-debug                                 4026  tcp
      as-dtaq                                  8472  tcp
      as-dtaq-s                                9472  tcp
                                                                      More...
 Parameters for options 1 and 4 or command
 ===>
 F3=Exit   F4=Prompt   F5=Refresh   F6=Print list   F9=Retrieve   F12=Cancel
 F17=Top   F18=Bottom

  4. Type 1 in the Opt field on the first line and press Enter. The standard Add Service Table Entry (ADDSRVTBLE) screen appears.
  5. Enter the following values in its fields:
    • Service: 'ftp-control'
    • Port: the new port number
    • Protocol: 'udp'
  6. Press the F4 key, Enter, and the F3 key. The Work with Service Table Entries screen reappears.
  7. Again, type 1 in the Opt field on the first line and press Enter. The standard Add Service Table Entry (ADDSRVTBLE) screen appears.
  8. Enter the following values in its fields:
    • Service: 'ftp-control'
    • Port: the new port number
    • Protocol: 'tcp'
  9. Press the F4 key, Enter, and the F3 key. The Work with Service Table Entries screen reappears.
  10. Scroll down with the PageDown key until you see the existing entries for service ftp-control on port 21. For each, enter 4 in the Opt field and press Enter. The Confirm Delete of Service Table Entries screen appears. If the list of entries to be deleted is correct, press Enter to confirm the deletions.
  11. To update the FTP attributes so that unencrypted FTP is disabled and only SSL/TLS connections are accepted, enter the command

CHGFTPA NAMEFMT(*LIB) CURDIR(*CURLIB) ALWSSL(*ONLY)

  12. To restart the FTP server, enter the commands

ENDTCPSVR SERVER(*FTP)

STRTCPSVR SERVER(*FTP)

  13. To define the port range that the FTPS server uses for data connections, enter the commands

ENDTCPSVR SERVER(*FTP)

ADDENVVAR ENVVAR(QIBM_FTP_PORT_RANGE) VALUE('1023-65535') LEVEL(*SYS)

WRKENVVAR

STRTCPSVR SERVER(*FTP)

  14. Open all ports higher than 1023 (1024-65535) on the firewall from the Imperva Gateway to the AS/400 server.
  15. Check the main WAN/LAN firewall rules to confirm that these ports are not blocked.
  16. If FTPEXITPGM (the FTP exit point program) is enabled on the server, disable it.
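Once the FTP server has been restarted, a client-side check confirms the three things this procedure changes: the control connection on the new port refuses a login that was not preceded by AUTH TLS (ALWSSL(*ONLY)), an explicit-TLS login succeeds against the certificate assigned in step 1, and the passive data port the server offers falls inside the range opened on the firewall. This is an added example written for this page, not IBM or Imperva code; the host name, port 2121 and credentials are placeholders, and it assumes a user profile that is permitted to use FTP.

```python
"""Verify the IBM i FTPS settings from a client (added example, not vendor code)."""
import re
import ssl
from ftplib import FTP, FTP_TLS, error_reply

# Matches the '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply to PASV.
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, data_port) from a PASV reply; port = p1 * 256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def in_data_port_range(port: int, low: int = 1024, high: int = 65535) -> bool:
    """True when a passive data port lies inside the window the firewall opens."""
    return low <= port <= high


def plaintext_login_rejected(host: str, port: int, user: str, password: str) -> bool:
    """With ALWSSL(*ONLY) the server must refuse a login that never sent AUTH TLS."""
    with FTP() as ftp:
        ftp.connect(host, port, timeout=10)
        try:
            ftp.login(user, password)
        except (error_reply, EOFError, ConnectionError):
            return True   # refused or dropped: the expected outcome
        return False      # unencrypted login worked: ALWSSL(*ONLY) is not in effect


def tls_passive_port(host: str, port: int, user: str, password: str) -> int:
    """Log in with explicit TLS, switch the data channel to TLS, and return the PASV port."""
    ctx = ssl.create_default_context()   # validates the certificate from step 1
    with FTP_TLS(context=ctx) as ftps:
        ftps.connect(host, port, timeout=10)
        ftps.login(user, password)       # FTP_TLS.login issues AUTH TLS before USER
        ftps.prot_p()                    # PROT P: encrypt data connections too
        return parse_pasv(ftps.sendcmd("PASV"))[1]


if __name__ == "__main__":
    HOST, PORT = "ibmi.example.internal", 2121   # placeholders for your system
    USER, PASSWORD = "ftpuser", "changeme"        # placeholders
    assert plaintext_login_rejected(HOST, PORT, USER, PASSWORD), "plain FTP still accepted"
    data_port = tls_passive_port(HOST, PORT, USER, PASSWORD)
    print("PASV data port", data_port, "inside firewall range:", in_data_port_range(data_port))
```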