Is it possible to set up an FTP server with SSL on V5R2?
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Yes it is. The iSeries FTP server supports either Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protected sessions, including client authentication and automatic sign-on to encrypt data transferred over both the FTP control and data connections. Before you can configure your FTP server to use SSL, you must install the prerequisite programs and set up digital certificates on your iSeries server. However, before we look at how to configure your FTP server it is important to understand the FTP protocol.
FTP uses two TCP connections, one for control and one for data. The standard control connection is TCP port 21, and the default data connection is port 20. To start a secure FTP (FTPS) session, a client can connect to the non-encrypted TCP port 21 and then negotiate authentication and encryption options. This is known as an explicit control connection. On the other hand, an implicit connection is when the client chooses a secure FTP port; usually port 990, where connections are assumed to be TLS/SSL. The primary reason to encrypt on the control connection is to conceal the password when logging on to the FTP server. FTP does not allow you to have a secure data connection without a secure control connection.
When you use TLS/SSL encryption for the control connection, the FTP client will also encrypt the data sent on the FTP data connection. Encryption can have a significant performance cost and can be bypassed on the data connection to transfer non-sensitive files without decreasing performance and still protect the system's security by not exposing passwords. The iSeries FTP server provides for both of these options. In order to set up FTP with SSL on your iSeries V5R2 server you will need to ensure that it has the following installed:
- V5R2 or later of OS/400
- TCP/IP Connectivity Utilities
- Cryptographic Access Provider 128-bit for iSeries server
- IBMR Digital Certificate Manager (DCM)
- IBM HTTP Server
- Create a Local Certificate Authority or use DCM to configure the FTP server to use a public certificate associate with the FTP server
- Require client authentication for the FTP server
- Enable SSL on the FTP server
To receive further assistance visit the IBM iSeries Information Center.
Dig Deeper on SSL and TLS VPN Security
Related Q&A from Michael Cobb
Open source NoSQL MongoDB database faced 30,000 insecure instances. Expert Michael Cobb explains the misconfiguration that led to this, and how to ...continue reading
A new Veracode report offers details on common mobile application security risks. Expert Michael Cobb explains these flaws, and what developers can ...continue reading
Juniper firewall products were found to have two backdoor vulnerabilities. Expert Michael Cobb explains how a cryptographic algorithm and hardcoded ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.