Securing FTP clients with Transport Layer Security or Secure Sockets Layer

You can use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) connections to encrypt data transferred over File Transfer Protocol (FTP) control and data connections.

The primary reason for encryption on the control connection is to conceal the password when logging on to the FTP server.

Before using the FTP client to make secure connections to FTP servers, you must use DCM to configure trusted certificate authorities for the FTP client. Any certificate authorities that were used to create certificates assigned to FTP servers that you want to connect to must be added. Exporting or importing certificate authority (CA) certificates might be required depending on the CAs used.

If you choose TLS or SSL encryption for the control connection, the FTP client will also encrypt the data sent on the FTP data connection by default. FTP protocol does not allow you to have a secure data connection without a secure control connection.

Encryption can have a significant performance cost, so it can be bypassed on the data connection. This lets you transfer non-sensitive files without the performance penalty while still protecting the system by not exposing passwords on the control connection.

The FTP client has parameters on the STRTCPFTP CL command and subcommands (SECOPEN and SECDATA) that are used as part of the TLS or SSL support.

Specifying Transport Layer Security or Secure Sockets Layer protection for the IBM i FTP client

Control connection
TLS/SSL protection can be specified on the STRTCPFTP command and the SECOPEN subcommand.

For the STRTCPFTP (FTP) command, specify *SSL for the SECCNN secure connection parameter to request a secure control connection. Also, you might be able to specify *IMPLICIT to obtain a secure connection on a pre-defined server port number.

Within your FTP client session, the SECOPEN subcommand can be used to obtain a secure control connection.

Data connection
For the STRTCPFTP (FTP) command, enter *PRIVATE for the DTAPROT data protection parameter to specify a secure data connection. Enter *CLEAR for the DTAPROT data protection parameter to specify data to be sent without encryption.

When you have a secure control connection, you can use the SECDATA subcommand to change the data connection protection level.

Implicit SSL connection
Some FTP servers support what is called an implicit SSL connection. This connection provides the same encryption protection as the *SSL option, but can only be done on a pre-determined server port, typically 990, for which the server must be configured to expect an SSL or TLS connection negotiation.

This method is provided to allow secure connections to those FTP implementations that cannot support the standard protocol for providing TLS or SSL protection.

Many early implementations of SSL support used the implicit approach, but it has since been deprecated by the IETF.

Note:

The standard protocol for setting up a TLS or SSL connection requires that the AUTH (Authorization) server subcommand be sent when connecting to the FTP server. The server subcommands PBSZ and PROT are then used to specify the data protection level.

However, for an implicit SSL connection, the AUTH, PBSZ, and PROT server subcommands are not sent to the FTP server. Instead, the server acts as if the client has sent these subcommands with the parameters shown as follows:

  • AUTH SSL
  • PBSZ 0
  • PROT P
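The two negotiation styles described above (explicit AUTH/PBSZ/PROT versus implicit), together with the rules that the password is only sent once the control connection is protected and that data protection cannot be requested without a protected control connection, are illustrated by the following added example. It is not IBM i code: the server is a constructed stand-in that returns canned reply codes and records what it received, the TLS handshake itself is omitted, and the class and method names are invented for this illustration.

```python
# Client-side FTPS negotiation (explicit and implicit) against a scripted server.
# The server is a constructed stand-in: canned replies, no real TLS handshake.

class ScriptedServer:
    """Constructed fake FTP server; records every command line it receives."""
    def __init__(self, replies):
        self.replies = replies          # {command verb: canned reply line}
        self.received = []              # command lines sent by the client

    def send(self, line):
        self.received.append(line)
        return self.replies.get(line.split(" ")[0], "502 Command not implemented")


class FtpsClient:
    """Tracks whether the control connection is protected before PASS or PROT."""
    def __init__(self, server, implicit=False):
        self.server = server
        # Implicit mode: the TLS handshake happens on the pre-defined port before any
        # FTP command, so the server behaves as if AUTH SSL, PBSZ 0, PROT P were sent.
        self.secure_control = implicit
        self.data_protection = "P" if implicit else "C"

    def _expect(self, command, ok_code):
        reply = self.server.send(command)
        if not reply.startswith(ok_code):
            raise RuntimeError(f"{command!r} rejected: {reply}")

    def secure_control_explicit(self, mechanism="TLS"):
        """Explicit mode: AUTH, then the TLS handshake (omitted here), then PBSZ 0."""
        self._expect(f"AUTH {mechanism}", "234")   # 234 = proceed with handshake
        self.secure_control = True
        self._expect("PBSZ 0", "200")              # buffer size 0 is required for TLS

    def set_data_protection(self, level):
        # FTP rule: no protected data connection without a protected control connection.
        if not self.secure_control:
            raise RuntimeError("PROT requires a secure control connection")
        self._expect(f"PROT {level}", "200")       # P = private, C = clear
        self.data_protection = level

    def login(self, user, password):
        # The main reason for control-connection TLS: never send PASS in the clear.
        if not self.secure_control:
            raise RuntimeError("refusing to send PASS over an unprotected control connection")
        self._expect(f"USER {user}", "331")
        self._expect(f"PASS {password}", "230")
        return True
```

Switching the data connection back to clear for a bulk transfer of non-sensitive files corresponds to `set_data_protection("C")`, which the client only permits once the control connection is secure.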