What does “secure connection error, return code -23” mean?

Nathan Williams, iTech Solutions

With the push to secure all data traffic to our critical systems, many organizations are moving to secured versions of classic technology. One project we see repeatedly is the switch from insecure FTP to encrypted FTPS. Not to be confused with SFTP, FTPS stands for FTP over SSL/TLS and it is to FTP what HTTPS is to HTTP. Just like secure web pages, FTPS uses a system of certificates to encrypt and secure FTP transfers. If you’re making the switch to FTPS, you may find that you begin to receive the error message “Secure connection error, return code -23” when you attempt to connect to another system.

Return code -23 means the certificate in use on the remote server is not signed by a trusted authority. This is caused by one of two things:

  1. The server is using a self-signed certificate
  2. The server is using a commercial certificate issued by an entity for which IBM i does not have a built-in root certificate.

To correct this, the CA certificate that signed the server’s certificate must be imported into DCM (Digital Certificate Manager) on the IBM i and marked as trusted. You will need a copy of that CA certificate as a .cer file, placed in the IFS where DCM can read it. The server administrator should be able to provide this file or tell you how to obtain it.

If the certificate being used was issued by a commercial entity, you may be able to download what you need directly from the issuer’s website (assuming you can figure out who that is). Once the CA is trusted by the system then all certificates signed by it—including the one in use on this FTP server—will automatically be trusted by extension. That should eliminate the error.

Getting the cert into DCM is not a particularly difficult process, but there are a few pitfalls in the form of file format details and just getting everything in the right spot.
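The checks below are an added example written for this article; they are not part of Nathan Williams’ text and not an IBM tool, and they use only Python’s standard library so they can be run from a workstation before the file goes into the IFS. `to_pem` tells binary DER from base64 PEM (one of the format pitfalls) and normalises the file to PEM; `describe_cas` loads it into an empty trust store and confirms the file really holds a CA certificate rather than the server’s own certificate, reporting its subject, issuer and expiry; `ftps_verify_error` performs the same AUTH TLS handshake an explicit-FTPS client does, trusting only that one CA, so you can see whether the verification failure goes away. The function names and the stub certificate bytes in the usage line are constructed for the example; DCM itself is not involved.

```python
import ssl
from typing import Dict, List, Optional

PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def to_pem(raw: bytes) -> str:
    """Return the contents of a .cer file as PEM text.

    A .cer file is either base64 PEM (text with BEGIN/END lines) or binary DER
    (a bare ASN.1 SEQUENCE, so the first byte is 0x30). Anything else (a PKCS#7
    bundle, a private key, a text export of the wrong object) is rejected so it
    is not mistaken for a CA certificate.
    """
    if PEM_HEADER.encode("ascii") in raw:
        # utf-8-sig drops a Windows BOM; CRLF line ends are normalised as well
        return raw.decode("utf-8-sig", errors="replace").replace("\r\n", "\n")
    if raw[:1] == b"\x30":
        return ssl.DER_cert_to_PEM_cert(raw)
    raise ValueError("not a DER or PEM X.509 certificate")


def _name(rdns) -> Dict[str, str]:
    """Flatten the RDN tuples that get_ca_certs()/getpeercert() return."""
    return {attr: value for rdn in rdns for attr, value in rdn}


def describe_cas(pem: str) -> Dict[str, object]:
    """Load the PEM into an empty trust store and report what it contains.

    cert_store_stats() counts every certificate that loaded; get_ca_certs()
    lists only those OpenSSL accepts as a CA. A file whose x509 count is 1 but
    ca_count is 0 holds the server's own (end-entity) certificate, not its CA.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts empty: no system roots
    ctx.load_verify_locations(cadata=pem)          # raises ssl.SSLError on junk
    stats = ctx.cert_store_stats()
    cas: List[Dict[str, object]] = []
    for cert in ctx.get_ca_certs():
        subject, issuer = _name(cert["subject"]), _name(cert["issuer"])
        cas.append({
            "subject": subject.get("commonName", str(subject)),
            "issuer": issuer.get("commonName", str(issuer)),
            "self_signed": subject == issuer,  # root CA vs. intermediate CA
            "not_after": cert.get("notAfter"),
        })
    return {"loaded": stats["x509"], "ca_count": stats["x509_ca"], "cas": cas}


def ftps_verify_error(host: str, ca_pem: str, port: int = 21) -> Optional[str]:
    """Explicit FTPS (AUTH TLS) handshake that trusts only the CA in ca_pem.

    Returns None when the server's chain verifies against that CA alone, or
    OpenSSL's verify message otherwise (for example "unable to get local
    issuer certificate", the same situation IBM i reports as -23).
    """
    import ftplib

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True              # a name mismatch is reported too
    ctx.load_verify_locations(cadata=ca_pem)
    ftps = ftplib.FTP_TLS(context=ctx)
    try:
        ftps.connect(host, port, timeout=10)
        ftps.auth()                        # TLS handshake on the control connection
        ftps.quit()
        return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message
    finally:
        ftps.close()


if __name__ == "__main__":
    # Constructed stub, not a real certificate: exercises only the DER/PEM path.
    stub_der = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
    print(to_pem(stub_der))
    # With a real CA file:  describe_cas(to_pem(open("ca.cer", "rb").read()))
    # then:                 ftps_verify_error("ftp.example.test", pem)
```

Run `describe_cas` on the file the server administrator hands you before importing anything: if `ca_count` is 0 the file is not a CA certificate and trusting it will not clear the error, and `self_signed` tells you whether you are looking at a root (trust it directly) or an intermediate (you still need its issuer). `ftps_verify_error` is the end-to-end check: once it returns `None` with nothing but that CA loaded, the same CA marked trusted in DCM should give the IBM i the same result.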

