
Password Sniffing

Submitted on Thu, 08.08.2019 - 12:22

What is unthinkable in the Unix world - sending unencrypted sign-on information - is still the standard connection method for most AS400 staff, with Telnet, FTP, Rexec and probably other protocols sending ASCII-encoded user, password and data in clear text over the network.

 


Countermeasure:

In the Digital Certificate Manager, select a Certification Authority (CA) and create a certificate. Set the certificate as standard for the selected Certification Authority.

For most Telnet clients and FTPS no keystore handling is needed: any certificate presented by the host will be accepted. Telnet needs the ALWSSL parameter set to *YES in the CHGTELNA command, as do some other protocols. FTPS distinguishes between encryption of the control channel and (optional) data encryption.
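The FTPS distinction between control-channel and data encryption can be checked from a client-side FTP debug log. The following is an added example, not part of the original article: the "C:"/"S:" log format, the function name and all sample sessions are assumptions constructed for illustration. It also covers the case where the server refuses AUTH TLS and the client continues with a clear-text login.

```python
# FTP verbs that open a data connection.
DATA_VERBS = {"RETR", "STOR", "APPE", "LIST", "NLST"}

def audit_ftp_session(lines):
    """Return findings for 'C: <command>' / 'S: <reply>' lines of one FTP session."""
    tls = False     # control channel encrypted: AUTH answered with 234
    prot = "C"      # data channel level; stays C (clear) until PROT P is accepted
    pending = None  # client command still waiting for its reply
    findings = []
    for line in lines:
        side, _, text = line.partition(": ")
        parts = text.split()
        if side == "C" and parts:
            verb = parts[0].upper()
            pending = (verb, parts[1].upper() if len(parts) > 1 else "")
            if verb in ("USER", "PASS") and not tls:
                findings.append(f"{verb} sent in clear text")
            elif verb in DATA_VERBS and not (tls and prot == "P"):
                findings.append(f"{verb} data sent in clear text")
        elif side == "S" and pending and parts:
            verb, arg = pending
            if verb == "AUTH" and parts[0] == "234":
                tls = True
            elif verb == "PROT" and parts[0] == "200" and tls:
                prot = arg
            pending = None
    return findings

# Constructed sample logs; user, password and file names are made up.
LOGIN = ["C: USER DEMOUSER", "S: 331 Enter password.",
         "C: PASS example-pw", "S: 230 Logged on.",
         "C: RETR report.csv", "S: 150 Sending."]
SESSIONS = {
    "plain FTP": ["S: 220 Ready."] + LOGIN,
    "AUTH refused, client falls back": ["S: 220 Ready.", "C: AUTH TLS", "S: 534 Refused."] + LOGIN,
    "FTPS, control channel only": ["S: 220 Ready.", "C: AUTH TLS", "S: 234 OK."] + LOGIN,
    "FTPS with PROT P": ["S: 220 Ready.", "C: AUTH TLS", "S: 234 OK.",
                         "C: PBSZ 0", "S: 200 OK.", "C: PROT P", "S: 200 OK."] + LOGIN,
}

if __name__ == "__main__":
    for name, log in SESSIONS.items():
        print(f"{name}: {audit_ftp_session(log) or 'no clear-text exposure'}")
```

Only the last session comes back without findings: with AUTH TLS alone the sign-on is protected, but the transferred file still crosses the network unencrypted.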


 

Youtube Video: IBM i (AS/400, iSeries) Security 1 - Password Sniffing

In this video, Wireshark is used to log user profiles and passwords from FTP and Telnet connections / connection attempts. Reading the log of an unencrypted Telnet session could also disclose other sensitive information like customer data.