IBM Support

Secure FTP failing after applying PTF for IBMi Operating System, Secure connection error, return code -16. - Sterling Gentran:Server for iSeries

Troubleshooting


Problem

After applying IBMi PTF or upgrading OS Secure FTP failing with error: Secure connection error, return code -16.

Symptom

1 000000000000Output redirected to a file.
2 000000000000Input read from specified override file.
3 000000000000Connecting to host SCIFTPS.STERCOMM.COM at address nnn.nn.nnn.nn using port 21.
4 000000000000220 CONNECT:Enterprise Gateway 2.0.02.S49 FTP Server ready... 14:57:11 08-14-2015
5 000000000000234 AUTH: command accepted. Securing command channel ...
6 000000000000Secure connection error, return code -16.

Cause

After applying PTF to Operating System or upgrading Operating System on IBMi
Operating System upgrade or PTF removes a Cipher from DCM which is still being used by Sterling Collaboration Network.
***NEED to Reactivate some of the ciphers that were disabled in OS upgrade.  For future reference get the TLS version and ciphers required from their VAN first, then call IBM OS FTP support to get them reactivated.

Environment

Native FTP *SSL from the IBMi command line also fails

Diagnosing The Problem

Gentran FTP log or Native FTP from IBMi command line

Resolving The Problem

***NEED to Reactivate some of the ciphers that were disabled in OS upgrade.  For future reference get the TLS version and ciphers required from their VAN first, then call IBM OS FTP support to get them reactivated.
Operating System PTF, upgrade OS or both, removed a (weak) cipher from Document Certificate Manager (DCM) for FTP. The Cipher negotiates with Sterling Collaboration Network Secure *SSL mailboxing (RC4 128 SHA)

1. See Related URL regarding changes made to IBMi System Value QSSLPCL

2. Receive a replacement of an SSL certification from Sterling Collaboration Network.

3. Sterling Collaboration Network Secure *SSL mailboxing (RC4 128 SHA) certificate needs to be added back to DCM for FTP as follows:

a. Log into your DCM
(if you need assistance with this contact IBMi Operating System DCM support.)

b. Click on Select a Certificate Store.

c. Select *SYSTEM and continue

d. Enter your iSeries DCM password and continue

e. Click on Fast Path

f. Work with client application

g. Select IBM i TCP/IP FTP Client

h. SSL Cipher Specifications option - if *PGM is select, then this needs to be changed to Define Cipher Specifications list and make sure the RC4 128 SHA is included and enabled in the list.

Related Information

Secure FTP System Value options

[{"Product":{"code":"SS6UY8","label":"Sterling Gentran:Server for iSeries"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Maintenance","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"3.6;3.5","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}]

Document Information

Modified date:
09 April 2021

UID

swg21964529

Page Feedback