Topic: 5 replies, latest post 2013-01-09T18:34:51Z by SystemAdmin
Posted by SystemAdmin (6902 Posts)

Pinned topic FTPS problem on AIX 6.1

2010-08-02T20:17:19Z
Hi

I have received a request to set up FTPS from AS400 to an AIX server. However, before doing that I am testing the FTPS feature provided by IBM on AIX 6.1 with two AIX servers. IBM has released the FTPS feature in AIX 6.1. I have set up a self-signed certificate authority for FTPS on Server A as per the instructions in the AIX 6 Advanced Security Features PDF. When I run ftp -s <Server A> from Server B to use an FTPS connection, I get the error message below. Can anyone please help me resolve this issue?

234 Using authentication type TLSv1
TLS Auth Entered.
Error with certificate at depth 0
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
e6:e5:07:90:81:3d:c7:18
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CT, L=Danbury, O=TAMPA, OU=IS
Validity
Not Before: Aug 2 19:57:18 2010 GMT
Not After : Jul 30 19:57:18 2020 GMT
Subject: C=US, ST=CT, L=Danbury, O=TAMPA, OU=IS
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:bb:25:c4:cd:49:cf:74:30:1c:3f:06:6a:2d:45:
54:90:c9:b9:0a:ad:9f:43:f8:1c:96:0f:f7:b0:7e:
fc:3b:e9:b6:1a:09:ec:4b:05:31:3e:27:6f:ec:4a:
17:c8:3d:58:30:ba:41:bf:46:29:42:c0:46:62:44:
94:8e:b2:95:23:f9:b8:10:0b:7b:10:6e:0b:e1:28:
e8:89:20:35:81:84:c0:03:7d:b9:92:a3:9a:de:1d:
9d:24:32:45:35:e8:a6:b8:48:56:88:08:d1:85:d9:
c4:13:1d:fe:3a:7d:b0:41:51:58:0b:ec:fd:83:d8:
c2:ca:35:44:19:2c:09:ad:5c:db:e9:7e:47:93:c2:
66:b5:23:74:d2:d3:83:2d:49:04:94:61:75:70:52:
34:ac:3f:61:e1:41:3b:7d:d0:e7:cf:ec:2f:69:f1:
24:76:41:68:46:48:b4:4a:af:fb:5a:5e:37:74:06:
04:0d:2d:c4:fe:b1:63:8b:e9:40:8d:72:93:03:8e:
ec:c9:1c:39:96:20:3b:42:86:c5:7b:63:a3:d4:e8:
47:e3:e0:c0:5c:2b:28:a3:16:31:38:5e:7f:e8:29:
96:f7:ab:ad:2b:a1:88:b1:f2:ef:37:b3:af:8d:ea:
f8:9a:85:9e:c7:b0:8f:33:00:db:19:fd:3f:a6:15:
e7:b7
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
a2:4b:de:30:53:f4:73:25:3e:bb:c6:d2:2e:1e:b5:3e:b5:69:
0c:3a:d4:03:59:71:06:af:c9:8b:78:3e:2e:a2:2f:28:3b:0d:
07:46:fd:07:da:b1:b4:1d:bc:c8:0e:e4:06:cc:60:1a:47:1d:
9f:55:d6:d5:1e:72:e3:e8:91:f1:22:3f:8d:7a:29:e8:0c:fb:
7f:3c:5d:96:82:f9:af:0c:c4:f9:72:9d:b2:4f:77:d8:d7:da:
a1:a7:0e:6c:6d:1f:b1:0b:d5:1e:5a:f0:99:d7:38:fe:56:18:
32:0c:35:ca:bb:f2:a5:6c:22:98:8a:b7:4f:f6:5c:c4:5c:1d:
8c:db:f2:9b:24:90:3e:4d:e5:a3:50:3a:40:45:dd:c6:81:99:
cc:f5:bd:63:40:a7:be:5c:de:e3:ef:10:21:5c:00:94:42:12:
11:9f:f6:e7:99:60:69:1c:d7:fe:83:78:b4:07:8c:3c:13:e4:
7e:87:47:1c:6d:61:0b:f9:94:89:ad:39:5d:ea:dc:62:5e:15:
b7:0b:73:2e:34:63:a1:fc:f3:c4:34:ce:0e:d4:c6:ed:58:fe:
e6:13:af:16:fb:00:81:d1:84:ce:ce:5b:e6:dd:e6:62:af:09:
72:d1:b5:16:e8:d0:d5:92:b4:bb:d7:c0:e9:49:2b:47:7b:41:
a3:04:77:69
Error error 18:self signed certificate

ERROR Error during the hand shake for the control connection
ERROR Error setting BIO object for the control connection
FTP: Unable to authenticate to Server.
  • SystemAdmin (6902 Posts)

    Re: FTPS problem on AIX 6.1

    2010-08-03T03:45:39Z
    Have you read the error message before posting it?
    > Error error 18:self signed certificate
  • SystemAdmin (6902 Posts)

    Re: FTPS problem on AIX 6.1

    2010-08-03T15:30:03Z
    > Have you read the error message before posting it?
    > > Error error 18:self signed certificate

    Thanks for your response.

    I have read the error message before posting it. I have redone all the FTPS setup. Now I get a different error message.

    Error error 7:certificate signature failure

    error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
    ERROR Error during the hand shake for the control connection
    error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
    ERROR Error setting BIO object for the control connection
    FTP: Unable to authenticate to Server.

    I have followed exactly the steps described in AIX 6 Advanced Security Features Introduction and Configuration.

    Below are the steps I followed:

    Using self-signed certificates

    In this example, we will store all TLS relevant keys and certificates in root’s ~/.tls
    directory on our server, but you can pick your own location if you wish. You
    simply need to change /etc/ftpd.cnf later to reflect the actual paths for the keys
    and certificates after completion.

    1. Setting up the directory structure on the first server. This one will also have
    the CA keys and root certificate stored:
    1. cd
    2. mkdir .tls
    3. cd .tls
    4. mkdir rootCA
    5. chmod 700 rootCA
    6. cd rootCA

    2. Creating a root level private key and root level certificate request (holding the
    public key):
    1. openssl req -newkey rsa:2048 -sha1 -keyout root_key.pem -out root_req.pem
    Generating a 2048 bit RSA private key
    ....................................................................
    ....................................................................
    .......................................................+
    ..+
    writing new private key to 'root_key.pem'
    Enter PEM pass phrase:<type anything here, at least 4 chars>
    Verifying - Enter PEM pass phrase:<repeat the above>

    You are about to be asked to enter information that will be
    incorporated into your certificate request.

    What you are about to enter is what is called a Distinguished Name
    or a DN.
    There are quite a few fields but you can leave some blank.
    For some fields there will be a default value.
    If you enter '.', the field will be left blank.

    Country Name (2 letter code) US:
    State or Province Name (full name) Some-State:TX
    Locality Name (eg, city) []:Austin
    Organization Name (eg, company) Internet Widgits Pty Ltd:IBM
    Organizational Unit Name (eg, section) []:CA
    Common Name (eg, YOUR name) []:
    Email Address []:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    You must enter a PEM pass phrase in order to protect your private root key. You
    should also enter some data for at least the first five fields in order to create a
    complete DN. Using fewer entries will result in certificates that will not work.
    (Please note that depending on the entropy on your system, the progress
    indicator will probably look different.)

    3. Generating the certificate for root (valid approximately 10 years) by
    self-signing it:

    1. openssl x509 -req -days 3650 -in root_req.pem -signkey root_key.pem -out root_cert.pem
    Signature ok
    subject=/C=US/ST=TX/L=Austin/O=IBM/OU=ITSO
    Getting Private key
    Enter pass phrase for root_key.pem: <enter your PEM pass phrase from step 2>

    You can have a look at your root certificate just to make sure everything is
    right by using:

    1. openssl x509 -in root_cert.pem -text -noout
    Certificate:
    Data:
    Version: 1 (0x0)
    Serial Number:
    d2:01:13:b6:2d:b3:a8:b8
    Signature Algorithm: md5WithRSAEncryption
    Issuer: C=US, ST=TX, L=Austin, O=IBM, OU=CA
    Validity
    Not Before: Apr 26 19:45:52 2007 GMT
    Not After : May 23 19:45:52 2017 GMT
    Subject: C=US, ST=TX, L=Austin, O=IBM, OU=CA
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
    Modulus (2048 bit):
    00:97:57:11:84:e5:bb:a7:21:06:36:5b:1f:7b:b7:
    ...
    When things look fine, you are finished with setting up your own root CA. We
    go up one directory level to create the first server key and certificate:

    1. cd ..

    4. Now we are creating an RSA key for the first FTP server without a PEM pass
    phrase, hence we use a different command than the one we used in step 2 to
    create a new key:

    1. openssl genrsa 2048 > server_key.pem
    Generating RSA private key, 2048 bit long modulus
    ...........+
    ....................................................................
    ..........................................+
    e is 65537 (0x10001)
    It is important not to use any pass phrases on such server keys. Otherwise, it
    would be required to input that pass phrase every time the key gets used
    (which is impossible to accomplish when ftpd is using it).

    5. Next, we are creating a certificate request for the key we have just created
    (including its public key):

    1. openssl req -new -key server_key.pem -out server_req.pem
    You are about to be asked to enter information that will be
    incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name
    or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.

    Country Name (2 letter code) US:
    State or Province Name (full name) Some-State:TX
    Locality Name (eg, city) []:Austin
    Organization Name (eg, company) Internet Widgits Pty Ltd:IBM
    Organizational Unit Name (eg, section) []:ITSO
    Common Name (eg, YOUR name) []:
    Email Address []:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    6. Next, we are signing the server key request with our root CA’s private and
    self-signed public key. This will create the server certificate (again, this is
    valid for approximately 10 years):

    1. openssl x509 -req -days 3650 -in server_req.pem -CA rootCA/root_cert.pem -CAkey rootCA/root_key.pem -CAcreateserial -out server_cert.pem
    Signature ok
    subject=/C=US/ST=TX/L=Austin/O=IBM/OU=ITSO
    Getting CA Private Key
    Enter pass phrase for rootCA/root_key.pem: <enter your PEM pass phrase from step 2>

    7. In order to make server configurations easier as well as the distribution of
    certified key files, it is handy to have the server key, the server certificate, and
    the root certificate in one single file (OpenSSL supports this). So we are
    combining all three files to one file now:

    1. cat server_key.pem server_cert.pem rootCA/root_cert.pem > server.pem

    This file should be protected with respective file permissions to be accessible
    by root only (for example, 600). It can be copied to any other FTP server or
    you can repeat steps 4 through 7 for any additional FTP server you want to
    have its own signed key.

    8. Finally, we adjust the path names in /etc/ftpd.cnf file:

    CERTIFICATE /root/.tls/server.pem
    CERTIFICATE_PRIVATE_KEY /root/.tls/server.pem

    Since we have combined all the keys and certificates in one file, we use that
    name for both the certificate and the key. Depending on your individual setup,
    this might be different if you are using separate files. All other lines must be left
    as comments. They are not needed in this simple self-signed rootCA scenario.
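    The procedure above stops at the /etc/ftpd.cnf edit without checking that the server certificate actually chains to the root certificate, or that the combined bundle is laid out the way step 7 intends. The script below is an added example, not from this thread or from the IBM Redbook: it rebuilds the root CA and server certificate of steps 2 through 7 in a scratch directory (SHA-256 signatures instead of the page's -sha1/-md5, and the root key without a pass phrase so it runs unattended; all subject names and the host name ftp.example.test are made up) and then runs openssl verify in the configurations that produce the error numbers seen in this thread: 0 when the server certificate is checked against its own root, 18 when a self-signed certificate is presented to a verifier that does not trust it (the depth-0 case in the first post, where Issuer equals Subject), 20 when the verifier has no certificate for the issuer, and a non-zero code (7, certificate signature failure, or 20 if the server certificate carries an authority key identifier) when the server certificate is checked against a root that was regenerated under the same name after signing, which is one way a signature failure like the second post's can arise.

```shell
#!/bin/sh
# Added example (not from the thread or the IBM Redbook). Rebuilds the root CA
# and server certificate of steps 2-7 in a scratch directory and runs the
# checks worth doing before editing /etc/ftpd.cnf. Differences from the page:
# SHA-256 signatures instead of -sha1/-md5, and the root key is created without
# a pass phrase (-nodes) so the script runs unattended. All subject names and
# the host name ftp.example.test are made-up values.
set -u

# build_pki DIR ORG: creates DIR/rootCA/{root_key,root_cert}.pem, a server key,
# CSR and root-signed server certificate under DIR, and the combined
# DIR/server.pem bundle (key + server cert + root cert) of step 7.
build_pki() {
    dir=$1
    org=$2
    mkdir -p "$dir/rootCA"
    chmod 700 "$dir/rootCA"
    # steps 2 and 3 in one command: key plus self-signed root certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/C=US/ST=TX/L=Austin/O=$org/OU=CA" \
        -keyout "$dir/rootCA/root_key.pem" -out "$dir/rootCA/root_cert.pem" >/dev/null 2>&1
    # step 4: server key with no pass phrase, since ftpd must read it unattended
    openssl genrsa -out "$dir/server_key.pem" 2048 >/dev/null 2>&1
    # step 5: certificate request for the server key
    openssl req -new -key "$dir/server_key.pem" \
        -subj "/C=US/ST=TX/L=Austin/O=$org/OU=FTP/CN=ftp.example.test" \
        -out "$dir/server_req.pem" >/dev/null 2>&1
    # step 6: sign the request with the root CA key and certificate
    openssl x509 -req -days 3650 -in "$dir/server_req.pem" \
        -CA "$dir/rootCA/root_cert.pem" -CAkey "$dir/rootCA/root_key.pem" \
        -CAcreateserial -out "$dir/server_cert.pem" >/dev/null 2>&1
    # step 7: one bundle, readable by root only
    cat "$dir/server_key.pem" "$dir/server_cert.pem" "$dir/rootCA/root_cert.pem" > "$dir/server.pem"
    chmod 600 "$dir/server.pem"
}

# verify_code CERT CAFILE: prints 0 when CERT chains to a certificate in CAFILE,
# otherwise the X509 verify error number from "error N at D depth lookup", the
# same numbers the ftp client prints (18 = depth-0 self-signed certificate not
# trusted, 7 = certificate signature failure, 20 = issuer not in trust store).
verify_code() {
    out=$(openssl verify -CAfile "$2" "$1" 2>&1 || true)
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    printf '%s\n' "${code:-0}"
}

# bundle_order FILE: prints the PEM block types in FILE in order, e.g.
# "PRIVATE_KEY CERTIFICATE CERTIFICATE" (older OpenSSL writes RSA_PRIVATE_KEY).
# ftpd.cnf points CERTIFICATE and CERTIFICATE_PRIVATE_KEY at this one file, so
# its layout should match step 7: key, then server cert, then root cert.
bundle_order() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr ' ' '_' | tr '\n' ' ' | sed 's/ $//'
}

# demo: the situations from the thread, run end to end in a temp directory.
demo() {
    tmp=$(mktemp -d)
    build_pki "$tmp/a" "Example"   # the FTP server's own CA and certificate
    build_pki "$tmp/b" "Other"     # an unrelated CA: a client that does not trust ours
    build_pki "$tmp/c" "Example"   # same names as a, but a freshly generated root key
    echo "server cert against its own root:       $(verify_code "$tmp/a/server_cert.pem" "$tmp/a/rootCA/root_cert.pem")"
    echo "self-signed root against untrusting CA: $(verify_code "$tmp/a/rootCA/root_cert.pem" "$tmp/b/rootCA/root_cert.pem")"
    echo "server cert, issuer unknown to CA file: $(verify_code "$tmp/a/server_cert.pem" "$tmp/b/rootCA/root_cert.pem")"
    echo "server cert against a regenerated root: $(verify_code "$tmp/a/server_cert.pem" "$tmp/c/rootCA/root_cert.pem")"
    echo "bundle layout: $(bundle_order "$tmp/a/server.pem")"
    rm -rf "$tmp"
}
demo
```

    Run it with sh on any host that has the openssl command line tool. To check a real setup, call verify_code with the server's own files (for the paths in step 8, /root/.tls/server_cert.pem against /root/.tls/rootCA/root_cert.pem) on the server, and again on the client host against the copy of the root certificate that the client is supposed to trust: the ftp client's verifier is the one that reports the depth-0 self-signed error, so a chain that verifies on the server but not on the client points at the client's trust configuration rather than at the certificates.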
  • SystemAdmin (6902 Posts)

    Re: FTPS problem on AIX 6.1

    2010-08-05T20:48:42Z
    I did not get correct update
  • Lea.Tripplehorn (1 Post)

    Re: FTPS problem on AIX 6.1

    2011-03-03T00:25:29Z
    AIX_Guru wrote:
    > I did not get correct update

    Have you got the answer? I've got the same problem.
  • SystemAdmin (6902 Posts)

    Re: FTPS problem on AIX 6.1

    2013-01-09T18:34:51Z
    I'm getting the same exact error with the self-signed certificate having followed the instructions. Anyone ever solve this?