IBM Support

Secure FTP downloads for IBM i PTFs

News


Abstract

IBM Fix Central has implemented a secure FTP function to download PTF images from the Fix Central FTP site. This new function allows customers to use the FTP server in a secure fashion. The unsecure FTP method of downloading PTF images is no longer available.

Content

The Fix Central team and the IBM i iGSC have updated one the ways that PTF orders are obtained from the Fix Central FTP site.  This site is now using a secure FTP option for IBM i customers to download PTF images.  This method is only used when the Download virtual images using FTP option is selected as the download option after ordering PTFs:

image 8767

After you have selected this option, you will receive emails with the order number, the FTP command, the user ID and the password, which you must use in order to download the order from the FTP site.  The previous FTP method of using “ANONYMOUS” as your user ID to sign onto the FTP server has been eliminated and is no longer available.  The new function requires you to sign in using a special user ID and password which will be provided in the emails, in order to download PTFs that were ordered in the above fashion.  In addition to using this user ID and password, you will be required to have set up secure FTP on your IBM i system.

Important information:

When you use this method of sending your IBM i PTFs to the FTP server as your delivery method, you will receive the 3 emails.  The first email will still essentially be the one that says that your order has been received.  The second and third emails will contain the information that will be needed such as your user ID, Password and information for you to use to download these PTFs from the server.

You will need to set up your IBM i system as the client to which Secure FTP (SFTP) or FTP/SSL (FTPS) will be used to download PTFs.  To setup FTPS, you will need to understand and use Digital Certificate Manager (DCM), creating a Digital Certificate Store which holds your certificates and setting up the IBM i as the secure client to which the PTFs will be downloaded.  Below are links to documents which may be of help in answering questions you might have.

The following tools are for setting up FTPS:

The following document includes steps to download the required Fix Central Server certificates and then to configure the IBM i FTP client to use SSL:  SSL/TLS FTP Client Configuration for Fix Central Secured FTP Downloads (FTPS) https://www.ibm.com/support/pages/node/6475697

The following document includes steps and answers to questions on the use of DCM:  Digital Certificate Manager (DCM) - Frequently Asked Questions and Common Tasks 

The following tools are for setting up SFTP:

NOTE: These tools are as-is tools and are not supported by the IBM i iGSC.  If you are downloading the PTFs to a PC and a Proxy Server is in place, the IBM i support teams do not support this.  You need to contact your Firewall or Security teams for the answers to your questions.

This link takes you to a document with steps for setting up SFTP using the PuTTY tool: Instructions for setting up SFTP for use in downloading PTFs from Fix Central to the IBM i.

Firewall considerations: 
  • IBM bulk FTPS method for Fix Central is referenced by 2 hostnames: delivery01-bld.dhe.ibm.com and delivery01-mul.dhe.ibm.com.  When using FTPS, the initial communication is over port 21 using SSL/TLS encryption. Then the data command like "dir" or for each "get" operation on a per file basis an outgoing "TCP" communication using a port between 65024 thru 65535 is opened.
  • When using the SFTP method, the communication requires port 22 to the 2 hostnames: delivery01-bld.dhe.ibm.com and delivery01-mul.dhe.ibm.com .
  • If a firewall is being used:  the above listed ports must be opened for the two hostnames: delivery01-bld.dhe.ibm.com and delivery01-mul.dhe.ibm.com.  It is recommended to use the hostnames but if actual IP addresses must be used then the ports need to be opened for the following IP addresses:
    170.225.126.67 used to access delivery01-bld.dhe.ibm.com
    129.35.224.102 (170.225.119.157 after 10/20/23) used to access delivery01-mul.dhe.ibm.com
    129.35.224.101 (170.225.119.156 after 10/20/23) used to access delivery01-bld.dhe.ibm.com in case of failover from BLD to MUL
    170.225.126.68 used to access delivery01-mul.dhe.ibm.com in case of failover from MUL to BLD
  • Note: IP address changes occurring on 10/20/23 are documented here: 'Preparing customer firewalls and proxies for the upcoming infrastructure changes on IBM Electronic Fix Distribution / IBM Fix Central system', https://www.ibm.com/support/pages/node/7030591
  • Additional questions may be answered in the documentation under the section titled: What does my firewall team need to know?
Using an FTP client to download secure images to a PC:

Note:                                                                                                                                                                                                                                                      The following example uses FileZilla as the FTP client. This is a freeware product not supported by IBM. Use an FTP client of your choice.   If you are downloading the PTFs to a PC and a Proxy Server is in place, the IBM i support teams do not support this.  You need to contact your Firewall or Security teams for the answers to your questions.

The customer installs an FTP client (such as FileZilla) to their PC.
Once it is installed, start it and you should see this:
image 10999
Now from the secondemail that you get from Fix Central, at the very top you will see the following information:
INFORMATION YOU WILL NEED TO RETRIEVE YOUR ORDER
Your user ID --> BQ8433
FTP Server --> delivery01-bld.dhe.ibm.com
Transfer type --> ascii/binary
Directory on server --> 12304423/C
Files to get --> ftpSI76515.txt
                    --> ilstSI76515.txt
                    --> sha256.txt
                     --> SI76515_1.bin

So now on the FileZilla screen:  enter the FTP server in the space for the Host, the username provided in the second email, password provided in the third email and specify port 22 (21 and 990 may also work). Then click quick connect and you should end up with the following screen:

image 11007

Now next to remote site you need to paste in the 'directory on server' from the note from fix central.  In my case it is /12304423/C
For the local site you need to put in where on your pc do you want the file stored in.  In my case it was C:\
Highlight the files in the remote site location that you want to download to your PC. Right-click on them and select the 'Download' option and the images will be transferred to your pc.
Once the images are downloaded to your PC, FTP the images to the IBM i IFS directory, add them to an image catalog, and continue the steps to install PTFs from an image catalog.
Though the links noted are as-is tools, we have tested the instructions using PuTTY and it has worked quite well.

Related Information

Using software fixes

[{"Type":"MASTER","Line of Business":{"code":"LOB57","label":"Power"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000001iCOAAY","label":"PTF-\u003Eorder ptfs"}],"ARM Case Number":"","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"All Versions"}]

Document Information

Modified date:
04 October 2023

UID

ibm11077897

Page Feedback