Can I spell it out a different way? Your client can check the validity of the server's certificate, and make sure it is IBM you are connected to. To do this, you need a CA certificate matching the IBM server's certificate. Most machines have a wide selection, and so this should not be a problem.

As part of the handshake the server can request/require a certificate from the client. If you use a self-signed certificate, which IBM has its own copy of - it would work - but is impractical (think of the management overhead of these). You can have a certificate (signed by a CA) which you send to IBM. IBM has the same CA so can validate the certificate. This means IBM knows the name (Distinguished Name) of the certificate (O=MYCOMPANYNAME,C=GB), but IBM may not be set up to associate this DN with your company - IBM might use your account number instead.

At a different level you can set up z/OS to map certificate DNs to a userid (O=MYCOMPANYNAME, C=* ) or say with this specific DN use this userid.

Colin

On Thu, 20 Mar 2025 at 12:53, Kurt Quackenbush <[email protected]> wrote:

> > There is a requirement that the client must be FTPS enabled to connect
> > to IBM site.
> >
> > Can I use Self signed certificate for my FTP server? Or IBM distributes
> > certificate to their customer to upload them in our mainframe and trust it?
>
> If you download from an IBM FTP server to your z/OS, then the server is
> IBM's, and you run an FTP client on your z/OS. To authenticate with the
> IBM server, your FTP client must trust the root certificate that issued the
> IBM server's certificate, not some random self signed certificate you
> generate.
>
> What are you trying to download, and which IBM server are you trying to
> download from?
>
> Kurt Quackenbush
> IBM | z/OS SMP/E and z/OSMF Software Management | [email protected]
>
> Chuck Norris never uses CHECK when he applies PTFs.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
