With V5R2 (latest PTFs) we are trying to setup secure FTP to our bank, but have had no success with the certificates and certificate authorities. The bank has put us in touch with another of their clients, who is having the same problem. The bank has also indicated that other iSeries FTP attempts have also been unsuccessful, with many giving up and connecting with other methods.
At least in our case, we cannot get by the "-23 Certificate is not signed by a trusted certificate authority" error when attempting a secure connection. What are we missing?
It sounds like the signer (that is, the Certificate Authority (CA) or certificate issuer) is not in the list of "Trusted signers". In other words, when the certificate is being verified, the verifier does not trust the CA that issued the certificates. To understand what needs to be fixed, you need to determine who is verifying who. In an SSL connection, the client will always verify the server. The client is the system initiating the connection. The server is the system being connected to. Optionally, you can configure the connection to require client authentication. In this case, the server verifies the client. Either the server is presenting a digital certificate issued by a CA that is not recognized by the client or vice versa. To fix the problem, you need to get the CA's root certificate in the verifier's list of CAs that it recognizes and trusts.
MORE INFORMATION ON THIS TOPIC
The Best Web Links: tips, tutorials and more.
Search400's targeted search engine: Get relevant information on security.
Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.
Check out this Search400.com Featured Topic: Top ten security tips
This was first published in May 2004