Topic
5 replies, latest post 2013-01-09T18:34:51Z by SystemAdmin
SystemAdmin (6908 Posts)

Pinned topic FTPS problem on AIX 6.1

2010-08-02T20:17:19Z
Hi

I received a request to set up FTPS from AS400 to an AIX server. However, before doing that I am testing the FTPS feature provided by IBM on AIX 6.1 with two AIX servers. IBM has released the FTPS feature in AIX 6.1. I set up a self-signed certificate authority for FTPS on Server A as per the instructions in the AIX 6 Advanced Security Features PDF. When I run ftp -s <Server A> from Server B to use an FTPS connection, I get the error message below. Can anyone please help me resolve this issue?

234 Using authentication type TLSv1
TLS Auth Entered.
Error with certificate at depth 0
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
e6:e5:07:90:81:3d:c7:18
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CT, L=Danbury, O=TAMPA, OU=IS
Validity
Not Before: Aug 2 19:57:18 2010 GMT
Not After : Jul 30 19:57:18 2020 GMT
Subject: C=US, ST=CT, L=Danbury, O=TAMPA, OU=IS
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:bb:25:c4:cd:49:cf:74:30:1c:3f:06:6a:2d:45:
54:90:c9:b9:0a:ad:9f:43:f8:1c:96:0f:f7:b0:7e:
fc:3b:e9:b6:1a:09:ec:4b:05:31:3e:27:6f:ec:4a:
17:c8:3d:58:30:ba:41:bf:46:29:42:c0:46:62:44:
94:8e:b2:95:23:f9:b8:10:0b:7b:10:6e:0b:e1:28:
e8:89:20:35:81:84:c0:03:7d:b9:92:a3:9a:de:1d:
9d:24:32:45:35:e8:a6:b8:48:56:88:08:d1:85:d9:
c4:13:1d:fe:3a:7d:b0:41:51:58:0b:ec:fd:83:d8:
c2:ca:35:44:19:2c:09:ad:5c:db:e9:7e:47:93:c2:
66:b5:23:74:d2:d3:83:2d:49:04:94:61:75:70:52:
34:ac:3f:61:e1:41:3b:7d:d0:e7:cf:ec:2f:69:f1:
24:76:41:68:46:48:b4:4a:af:fb:5a:5e:37:74:06:
04:0d:2d:c4:fe:b1:63:8b:e9:40:8d:72:93:03:8e:
ec:c9:1c:39:96:20:3b:42:86:c5:7b:63:a3:d4:e8:
47:e3:e0:c0:5c:2b:28:a3:16:31:38:5e:7f:e8:29:
96:f7:ab:ad:2b:a1:88:b1:f2:ef:37:b3:af:8d:ea:
f8:9a:85:9e:c7:b0:8f:33:00:db:19:fd:3f:a6:15:
e7:b7
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
a2:4b:de:30:53:f4:73:25:3e:bb:c6:d2:2e:1e:b5:3e:b5:69:
0c:3a:d4:03:59:71:06:af:c9:8b:78:3e:2e:a2:2f:28:3b:0d:
07:46:fd:07:da:b1:b4:1d:bc:c8:0e:e4:06:cc:60:1a:47:1d:
9f:55:d6:d5:1e:72:e3:e8:91:f1:22:3f:8d:7a:29:e8:0c:fb:
7f:3c:5d:96:82:f9:af:0c:c4:f9:72:9d:b2:4f:77:d8:d7:da:
a1:a7:0e:6c:6d:1f:b1:0b:d5:1e:5a:f0:99:d7:38:fe:56:18:
32:0c:35:ca:bb:f2:a5:6c:22:98:8a:b7:4f:f6:5c:c4:5c:1d:
8c:db:f2:9b:24:90:3e:4d:e5:a3:50:3a:40:45:dd:c6:81:99:
cc:f5:bd:63:40:a7:be:5c:de:e3:ef:10:21:5c:00:94:42:12:
11:9f:f6:e7:99:60:69:1c:d7:fe:83:78:b4:07:8c:3c:13:e4:
7e:87:47:1c:6d:61:0b:f9:94:89:ad:39:5d:ea:dc:62:5e:15:
b7:0b:73:2e:34:63:a1:fc:f3:c4:34:ce:0e:d4:c6:ed:58:fe:
e6:13:af:16:fb:00:81:d1:84:ce:ce:5b:e6:dd:e6:62:af:09:
72:d1:b5:16:e8:d0:d5:92:b4:bb:d7:c0:e9:49:2b:47:7b:41:
a3:04:77:69
Error error 18:self signed certificate

ERROR Error during the hand shake for the control connection
ERROR Error setting BIO object for the control connection
FTP: Unable to authenticate to Server.
  • SystemAdmin (6908 Posts)

    Re: FTPS problem on AIX 6.1

    2010-08-03T03:45:39Z  in response to SystemAdmin
    Have you read the error message before posting it?
    > Error error 18:self signed certificate
    • SystemAdmin (6908 Posts)

      Re: FTPS problem on AIX 6.1

      2010-08-03T15:30:03Z  in response to SystemAdmin
      Thanks for your response.

      I have read the error message before posting it. I had redone all the FTPS setup. Now I get a different error message.

      Error error 7:certificate signature failure

      error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
      ERROR Error during the hand shake for the control connection
      error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
      ERROR Error setting BIO object for the control connection
      FTP: Unable to authenticate to Server.

      I had followed exactly the same steps as mentioned in AIX 6 Advanced Security Features Introduction and Configuration.

      Below are the steps I followed:

      Using self-signed certificates

      In this example, we will store all TLS relevant keys and certificates in root’s ~/.tls
      directory on our server, but you can pick your own location if you wish. You
      simply need to change /etc/ftpd.cnf later to reflect the actual paths for the keys
      and certificates after completion.

      1. Setting up the directory structure on the first server. This one will also have
      the CA keys and root certificate stored:
      1. cd
      2. mkdir .tls
      3. cd .tls
      4. mkdir rootCA
      5. chmod 700 rootCA
      6. cd rootCA

      2. Creating a root level private key and root level certificate request (holding the
      public key):
      1. openssl req -newkey rsa:2048 -sha1 -keyout root_key.pem -out root_req.pem
      Generating a 2048 bit RSA private key
      ....................................................................
      ....................................................................
      .......................................................+
      ..+
      writing new private key to 'root_key.pem'
      Enter PEM pass phrase:<type anything here, at least 4 chars>
      Verifying - Enter PEM pass phrase:<repeat the above>

      You are about to be asked to enter information that will be
      incorporated into your certificate request.

      What you are about to enter is what is called a Distinguished Name
      or a DN.
      There are quite a few fields but you can leave some blank.
      For some fields there will be a default value.
      If you enter '.', the field will be left blank.

      Country Name (2 letter code) US:
      State or Province Name (full name) Some-State:TX
      Locality Name (eg, city) []:Austin
      Organization Name (eg, company) Internet Widgits Pty Ltd:IBM
      Organizational Unit Name (eg, section) []:CA
      Common Name (eg, YOUR name) []:
      Email Address []:
      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:
      An optional company name []:

      You must enter a PEM pass phrase in order to protect your private root key. You
      should also enter some data for at least the first five fields in order to create a
      complete DN. Using fewer entries will result in certificates that will not work.
      (Please note that depending on the entropy on your system, the progress
      indicator will probably look different.)

      3. Generating the certificate for root (valid approximately 10 years) by
      self-signing it:

      1. openssl x509 -req -days 3650 -in root_req.pem -signkey root_key.pem -out root_cert.pem
      Signature ok
      subject=/C=US/ST=TX/L=Austin/O=IBM/OU=ITSO
      Getting Private key
      Enter pass phrase for root_key.pem: <enter your PEM pass phrase from step 2>

      You can have a look at your root certificate just to make sure everything is
      right by using:

      1. openssl x509 -in root_cert.pem -text -noout
      Certificate:
      Data:
      Version: 1 (0x0)
      Serial Number:
      d2:01:13:b6:2d:b3:a8:b8
      Signature Algorithm: md5WithRSAEncryption
      Issuer: C=US, ST=TX, L=Austin, O=IBM, OU=CA
      Validity
      Not Before: Apr 26 19:45:52 2007 GMT
      Not After : May 23 19:45:52 2017 GMT
      Subject: C=US, ST=TX, L=Austin, O=IBM, OU=CA
      Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
      RSA Public Key: (2048 bit)
      Modulus (2048 bit):
      00:97:57:11:84:e5:bb:a7:21:06:36:5b:1f:7b:b7:
      ...
      When things look fine, you are finished with setting up your own root CA. We
      go up one directory level to create the first server key and certificate:

      1. cd ..

      4. Now we are creating an RSA key for the first FTP server without a PEM pass
      phrase, hence we use a different command than the one we used in step 2 to
      create a new key:

      1. openssl genrsa 2048 > server_key.pem
      Generating RSA private key, 2048 bit long modulus
      ...........+
      ....................................................................
      ..........................................+
      e is 65537 (0x10001)
      It is important not to use any pass phrases on such server keys. Otherwise, it
      would be required to input that pass phrase every time the key gets used
      (which is impossible to accomplish when ftpd is using it).

      5. Next, we are creating a certificate request for the key we have just created
      (including its public key):

      1. openssl req -new -key server_key.pem -out server_req.pem
      You are about to be asked to enter information that will be
      incorporated into your certificate request.
      What you are about to enter is what is called a Distinguished Name
      or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.

      Country Name (2 letter code) US:
      State or Province Name (full name) Some-State:TX
      Locality Name (eg, city) []:Austin
      Organization Name (eg, company) Internet Widgits Pty Ltd:IBM
      Organizational Unit Name (eg, section) []:ITSO
      Common Name (eg, YOUR name) []:
      Email Address []:
      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:
      An optional company name []:

      6. Next, we are signing the server key request with our root CA’s private and
      self-signed public key. This will create the server certificate (again, this is
      valid for approximately 10 years):

      1. openssl x509 -req -days 3650 -in server_req.pem -CA rootCA/root_cert.pem -CAkey rootCA/root_key.pem -CAcreateserial -out server_cert.pem
      Signature ok
      subject=/C=US/ST=TX/L=Austin/O=IBM/OU=ITSO
      Getting CA Private Key
      Enter pass phrase for rootCA/root_key.pem: <enter your PEM pass phrase from step 2>

      7. In order to make server configurations easier as well as the distribution of
      certified key files, it is handy to have the server key, the server certificate, and
      the root certificate in one single file (OpenSSL supports this). So we are
      combining all three files to one file now:

      1. cat server_key.pem server_cert.pem rootCA/root_cert.pem > server.pem

      This file should be protected with respective file permissions to be accessible
      by root only (for example, 600). It can be copied to any other FTP server or
      you can repeat steps 4 through 7 for any additional FTP server you want to
      have its own signed key.

      8. Finally, we adjust the path names in /etc/ftpd.cnf file:

      CERTIFICATE /root/.tls/server.pem
      CERTIFICATE_PRIVATE_KEY /root/.tls/server.pem

      Since we have combined all the keys and certificates in one file, we use that
      name for both the certificate and the key. Depending on your individual setup,
      this might be different if you are using separate files. All other lines must be left
      as comments. They are not needed in this simple self-signed rootCA scenario.
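The two errors in this thread point at different things: "self signed certificate" at depth 0 means the verifying side was handed a certificate whose issuer is itself and that is not in its trust store (note that in the first post's dump the Issuer and Subject lines are identical, whereas the quoted procedure gives the root CA and the server different OU values), while "certificate signature failure" means the certificate was not signed by the key that belongs to the CA certificate used for verification, which is what happens when a root key is regenerated after the server certificate was already issued. The script below is an added example, not code from the thread or from the IBM Redbook it quotes. It rebuilds the quoted root CA plus server certificate chain in a scratch directory and runs the two checks a practitioner would want before touching /etc/ftpd.cnf: can the server certificate be validated against root_cert.pem, and does each private key actually belong to its certificate. Subject names, file names and the "re-done setup" with a fresh root key are constructed for the demo, and the root key is created without a pass phrase only so the script runs unattended (the Redbook protects it with one).

```shell
#!/bin/sh
# Added example (not from the thread or the IBM Redbook): rebuild the self-signed
# root CA + server certificate chain from the quoted steps, then check it the way
# the FTPS client must. All names and paths here are constructed for the demo.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to check"; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
mkdir rootCA && chmod 700 rootCA

# Distinct DNs for CA and server, as in the quoted procedure (OU=CA vs OU=ITSO).
CA_DN="/C=US/ST=TX/L=Austin/O=Example/OU=CA"
SRV_DN="/C=US/ST=TX/L=Austin/O=Example/OU=ITSO/CN=ftps.example.test"

# Steps 2-7 of the quoted procedure. -nodes leaves the root key unencrypted so the
# script runs unattended; in a real setup keep the pass phrase on the root key.
build_chain() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$CA_DN" \
        -keyout rootCA/root_key.pem -out rootCA/root_req.pem 2>/dev/null
    openssl x509 -req -days 3650 -in rootCA/root_req.pem \
        -signkey rootCA/root_key.pem -out rootCA/root_cert.pem 2>/dev/null
    # Server key without pass phrase: ftpd cannot prompt for one.
    openssl genrsa -out server_key.pem 2048 2>/dev/null
    openssl req -new -key server_key.pem -subj "$SRV_DN" -out server_req.pem 2>/dev/null
    openssl x509 -req -days 3650 -in server_req.pem -CA rootCA/root_cert.pem \
        -CAkey rootCA/root_key.pem -CAcreateserial -out server_cert.pem 2>/dev/null
    # Combined file as used by CERTIFICATE / CERTIFICATE_PRIVATE_KEY in /etc/ftpd.cnf
    cat server_key.pem server_cert.pem rootCA/root_cert.pem > server.pem
    chmod 600 server.pem
}

# What the client (Server B in the thread) has to be able to do: validate the
# server certificate against its own copy of root_cert.pem. 0 = ok, 1 = rejected.
verify_against() {          # $1 = CA certificate file, $2 = certificate to check
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then return 0; else return 1; fi
}

# Does this private key belong to this certificate? Compares the public key
# derived from the key with the one embedded in the certificate.
key_matches_cert() {        # $1 = private key file, $2 = certificate file
    pub_from_key="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
    pub_from_cert="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)"
    [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_cert" ]
}

build_chain
echo "server cert verifies against root cert:  $(verify_against rootCA/root_cert.pem server_cert.pem && echo yes || echo no)"
echo "root key belongs to root cert:           $(key_matches_cert rootCA/root_key.pem rootCA/root_cert.pem && echo yes || echo no)"
echo "server key belongs to server cert:       $(key_matches_cert server_key.pem server_cert.pem && echo yes || echo no)"

# Constructed failure case: the setup is "re-done" with a fresh root key and root
# certificate while the previously issued server certificate stays in place.
openssl req -new -newkey rsa:2048 -nodes -subj "$CA_DN" \
    -keyout rootCA/new_root_key.pem -out rootCA/new_root_req.pem 2>/dev/null
openssl x509 -req -days 3650 -in rootCA/new_root_req.pem \
    -signkey rootCA/new_root_key.pem -out rootCA/new_root_cert.pem 2>/dev/null
echo "old server cert against new root cert:   $(verify_against rootCA/new_root_cert.pem server_cert.pem && echo yes || echo no)"
echo "new root key belongs to old root cert:   $(key_matches_cert rootCA/new_root_key.pem rootCA/root_cert.pem && echo yes || echo no)"
# Print the verifier's reason for the mismatch case.
openssl verify -CAfile rootCA/new_root_cert.pem server_cert.pem 2>&1 || true
```

Run it with `sh ftps_chain_check.sh`. To check a real deployment, call `verify_against` with the client's copy of root_cert.pem and the server certificate extracted from server.pem, and `key_matches_cert` with the key and certificate actually referenced from /etc/ftpd.cnf. The exact reason string printed for the mismatch case depends on the OpenSSL version (older builds report "certificate signature failure"; builds that add key identifier extensions by default report that no issuer certificate was found), but the verdict is the same: the client must trust the root certificate that really signed the server certificate.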
  • SystemAdmin (6908 Posts)

    Re: FTPS problem on AIX 6.1

    2010-08-05T20:48:42Z  in response to SystemAdmin
    I did not get correct update
  • Lea.Tripplehorn (1 Post)

    Re: FTPS problem on AIX 6.1

    2011-03-03T00:25:29Z  in response to SystemAdmin
    AIX_Guru wrote:
    > I did not get correct update

    Have you got the answer? I've got the same problem.
  • SystemAdmin (6908 Posts)

    Re: FTPS problem on AIX 6.1

    2013-01-09T18:34:51Z  in response to SystemAdmin
    I'm getting the same exact error with the self-signed certificate having followed the instructions. Anyone ever solve this?