Using FTPS (FTP with SSL) with Positive Pay

FTPS is now supported in Positive Pay, with the beta release in September 2009.

Pre-Requisites

You must have a functional, fully patched copy of the IBM Digital Certificate Manager installed: 5722SS1 34 Digital Certificate Manager.

Your system should have the latest IBM cumulative PTF package for your current i5/OS release installed.

Obtaining a Certificate

Obtain a certificate from the bank or financial institution to which you wish to connect via FTPS. You must obtain the certificate in .pem or .der format, or convert it to one of those formats. Below is an example of a .pem format certificate (the example is not a valid certificate):

-----BEGIN CERTIFICATE-----
MIIDnDCCAwWgAwIBAgIJAKmQE6Ml94whMA0GCSqGSIb3DQEBBQUAMIGRMQswCQYD
VQQGEwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEgMB4G
A1UEChMXU2FsZW0gU29mdHdhcmUgU2VydmljZXMxGDAWBgNVBAMTD2Z0cC5keW9r
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCjFZO3HhRNlmSeQojX6ZC3
vzNVhDw3vFWsK8bf9aQgl5ooJqRYB1G8RPOKVdmPBoJ0ktYr4D3tm7rxRZ5ewO5m
mWyIb4yv7Qvl6lk6G7SFugzxY2FGQ29obEEj/b/Y/pZFcIrciUJ5VnE1+l+uTBl9
dUUG0mFydfTYE3Z0WMoFQQ==
-----END CERTIFICATE-----

If the certificate is not in .pem or .der format, use the OpenSSL package (a free internet download) to convert it.
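An added example (not part of the original page or of Positive Pay): a Python pre-import check that tells .pem from .der input, rejects any other format or a truncated file, and produces a SHA-256 fingerprint that can be confirmed with the bank before the certificate is added to the CA trust list. The function names and sample bytes are constructed for illustration, and the check covers encoding and length only, not the X.509 contents.

```python
import base64, hashlib, re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def der_total_length(der):
    """Total size announced by the outer DER SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a certificate: outer element is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                 # short form: one length byte
        return 2 + first
    n = first & 0x7F                 # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("not a certificate: bad DER length header")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def load_certificate(raw):
    """Detect .pem or .der input; return (format, DER bytes) or raise ValueError."""
    match = PEM_RE.search(raw.decode("ascii", "ignore"))
    if match:
        fmt = "pem"
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
    else:
        fmt, der = "der", raw
    announced = der_total_length(der)
    if announced != len(der):
        raise ValueError(f"header announces {announced} bytes, file holds {len(der)}")
    return fmt, der

def to_pem(der):
    """Wrap DER bytes in PEM armor, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def sha256_fingerprint(der):
    """Colon-separated SHA-256 of the DER bytes."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

# Constructed stand-in, not a real certificate: SEQUENCE header plus 256 zero bytes.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)
SAMPLE_PEM = to_pem(SAMPLE_DER).encode("ascii")

if __name__ == "__main__":
    for blob in (SAMPLE_PEM, SAMPLE_DER):
        fmt, der = load_certificate(blob)
        print(fmt, sha256_fingerprint(der))
```

A file that arrives in another container format fails the first check and needs the OpenSSL conversion mentioned above; a file cut short in transit fails the length comparison.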

Installing the Certificate

The Digital Certificate Manager is accessed through the administration instance of the web server. If it is not already started, you may start it with the command:

STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

Then point a browser at http://<i5 IP>:2001/, which is port 2001 on your i5 server. It may take a few minutes for the web server instance to initialize.

Import the Certificate

* From the main page select the option for the Digital Certificate Manager.
* Select the *SYSTEM certificate store.
* Under Manage Certificates, select the option to Import Certificate.
* Specify Certificate Authority (CA).
* Specify the full path name of the text file in the IFS containing the pem format certificate.
* Specify a label for the certificate. This will be the “name” of the Certificate Authority.
* The certificate should now show as imported, and the View Certificate function from the left pane should show the certificate as enabled, and should allow the display of correct information contained in the certificate.

Configure FTP Client to Use the Certificate

* From the left pane, under Manage Applications, select Define CA Trust List.
* Specify Client.
* Specify i5/OS TCP/IP FTP Client.
* Specify the Certificate Authority created in the prior step (the certificate label).
* The Define CA Trust List page should show that the FTP client trust list was updated.

At this point you should be able to manually connect from the i5's ftp client to the bank's ftp server with a secure connection. When finished, end the *ADMIN instance of the web server:

ENDTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

Configuring Positive Pay for FTPS

To configure FTPS for Positive Pay, take 1. Work with Positive Pay Applications and select the application in question with option 1. From the main application screen take F8=Configure FTP.

                                                                    
                            Configure FTP                           
                                                                    
        Use FTP  . .: Y   Y=Yes N=No S=FTPS                         
                                                                    
        Domain. . . : ftp.informdecisions.com                               
        User Name . : myuserprofile                                 
        Password. . :                                               
        Confirm . . :                                               
                                                                    
        Target Path : /                                             
        Target File : posPay.txt                                    
                                                                    
        Port:         *DFT        *SECURE *DFT 1-65535              
        Encryption .: *NONE       *SSL *NONE                        
        FTP Mode . .: *PASSIVE    *ACTIVE *PASSIVE                  
                                                                    
   F1=Help   F12=Previous  F23=Delete                               
                                                                    
                                                                    
* Use FTP: Enter Y to use unencrypted FTP, S to use FTPS, and N to disable the FTP definition (enables modem transmission).
* Domain: Enter the ftp url provided by the bank. This can be an IP address.
* User Name: Enter the login name provided by the bank.
* Password: Enter the login password provided by the bank.
* Target Path: Enter the target path on the remote system. If the bank does not specify a remote directory, leave blank. You can always specify '.' (without the apostrophes) to change directory to the current directory.
* Target File: Enter the name you wish for the uploaded file. You have to name the file something even if the bank does not require a specific name.
* Port: Specify the remote port: *DFT for the default for the FTP mode in use (21 for unencrypted ftp, 990 for FTPS), *SECURE to specify the SSL port, or enter a port number. *DFT will normally be the correct entry.
* Encryption: Enter *SSL or *NONE.
* FTP Mode: Specify *PASSIVE for passive FTP or *ACTIVE for active FTP. If not instructed by the bank, use *PASSIVE for easier transit through firewalls.

Using FTPS

Extracting Data

You must separately extract information before transmitting. Use the EXTRACT command. This can be made a scheduled job; see the WRKJOBSCDE display.

Data Report

To print the contents of the file, use the command REPORT. This should be run after the EXTRACT command. The REPORT command can be run with the defaults, in which case it will print the transmission / reception file fields in the order in which they occur in the file, with minimal spacing between report columns. You can fix the column order and column starting position of the fields by specifying the report column starting positions in the command invocation. For example:
                      Print Pos Pay Trans File Rpt (REPORT)                     
                                                                                
 Type choices, press Enter.                                                     
                                                                                
 Positive Pay Definition  . . . .   mybanktrx     Character value               
 ID Print Column  . . . . . . . .   '*DEFAULT'    *DEFAULT *OMIT INTEGER        
 Acct Print Column  . . . . . . .   1             *DEFAULT *OMIT INTEGER        
 Ck Nbr Print Column  . . . . . .   20            *DEFAULT *OMIT INTEGER        
 Paid Date Print Column . . . . .   40            *DEFAULT *OMIT INTEGER        
 Amt Print Column . . . . . . . .   60            *DEFAULT *OMIT INTEGER        
 Stop Date Print Column . . . . .   '*DEFAULT'    *DEFAULT *OMIT INTEGER        
 Cleared Date Print Column  . . .   '*DEFAULT'    *DEFAULT *OMIT INTEGER        
 Payee Print Column . . . . . . .   '*DEFAULT'    *DEFAULT *OMIT INTEGER        
 Void ID Print Column . . . . . .   '*DEFAULT'    *DEFAULT *OMIT INTEGER        
 Void Date Print Column . . . . .   '*DEFAULT'    *DEFAULT *OMIT INTEGER        
 Void Ck Nbr Print Column . . . .   '*DEFAULT'    *DEFAULT *OMIT INTEGER        
 Void Amt Print Column  . . . . .   '*DEFAULT'    *DEFAULT *OMIT INTEGER        
 Void Paid Date Print Column  . .   '*DEFAULT'    *DEFAULT *OMIT INTEGER        
 Void Payee Print Column  . . . .   '*DEFAULT'    *DEFAULT *OMIT INTEGER        
 Trx Count Print Column . . . . .   '*DEFAULT'    *DEFAULT *OMIT INTEGER        

One should specify the column print location of all fields in the file or none. To determine which fields are in the file, consult the Positive Pay bank transmission file specification, option 1 from menu FMGPAY.

Transmitting Data

From the Positive Pay Application Definition list, take option 9 on the definition you wish to transmit. You can also use the command TRANSMIT. This can be made a scheduled job. The conversation with the remote server is put into the job log.