SSL support

The FTP Client Connector supports FTPS and can perform secure transfers. This involves the use of an SSL/TLS layer below the standard FTP protocol to encrypt the control and/or data channels used by FTP. The two common forms of FTPS are described below.

  • Implicit FTPS is a widely implemented style in which the client connects to a different control port (from the default 21), and an SSL handshake is performed before any FTP commands are sent. The entire FTPS session is encrypted. Implicit FTPS does not allow for negotiation and the client should immediately challenge the FTPS Server with the TLS/SSL handshake. If the control channel is unencrypted, any subsequent data channels must also be unencrypted (no SSL); if the control channel is encrypted, the subsequent data channels may be clear or encrypted. The Internet Assigned Numbers Authority (IANA) officially designates port 990 as the FTPS control channel port and port 989 as the FTPS data channel port.
  • Explicit FTPS or FTPES. According to this method, the client connects using clear text on port 21 and may negotiate a secure TLS connection during the FTP setup or at any time thereafter. The server may allow non-encrypted FTP in case negotiation fails. Encrypted data channels and encryption on the control channel can be set up and torn down by the client at any time.

As stated above, the FTP protocol uses two channels to operate. The control (command) channel is used for sending commands to the FTP server and the data channel is used for data transfer. In order to allow greater granularity, the FTP Client Connector allows you to turn on SSL support for each of the channels separately.

Using the Security parameter, you can specify the following options: None, Use SSL on control channel, Use SSL on control and data channels. The first implies that no SSL support will be provided and no security benefits can be expected.

When Use SSL on control channel is selected, the control (command) channel uses SSL. In this case the certificate used by the FTP server must be added to the truststore of IBM Security Directory Integrator (this truststore is set by the javax.net.ssl.trustStore property in the solution.properties file). That way the client can authenticate the server and communication will succeed. Also when using this option, remember to change the port used by the connector to the one that the server uses for FTP/SSL connections (the default is 990).

The other option providing SSL support is Use SSL on control and data channels. When this is selected, the client will attempt to negotiate a secure data channel besides securing the control channel. This is done by sending "PBSZ 0" and "PROT P" commands to the server. The PBSZ command defines the largest buffer size to be used for application-level encoded data sent or received on the data connection. However, since TLS/SSL handles blocking of data, a '0' parameter is used. The other command (PROT) defines the protection used for FTP data connections, where the "P" parameter stands for Private - TLS/SSL will be used, which provides Integrity and Confidentiality protection.

The Explicit mode SSL option has effect only when one of the SSL options is selected for the connection (SSL on the control channel, or on the control and data channels). This mode alters the behavior: the initial connection to the remote FTP server is a plain (non-SSL) socket, and SSL is then negotiated on the control channel after the connection is established. If the remote FTP server rejects the negotiation, the connector aborts the session.

The Security parameter lists the allowed set of security options for the FTP Client Connector. However, when the connector is created using scripts there is one other possible combination. Since its security parameters are passed as arguments when it connects to the FTP server (for example, connect(String host, String user, String password, boolean useSSLonCommandChannel, boolean useSSLonDataChannel, boolean explicitModeSSL)), it is possible to enable SSL on the data channel and not on the control channel. This configuration implies that the client must connect to the SSL/TLS port of the server while sending plaintext. The attempt certainly won't succeed, so the FTP Client Connector checks for this case and an error message is displayed when the AssemblyLine is started.
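The following is an added example, not code from IBM Security Directory Integrator or the FTP Client Connector. It simulates, in Python, the client-side logic described in the three preceding paragraphs: the "PBSZ 0" / "PROT P" sequence used to protect the data channel, the explicit-mode negotiation that aborts when the server rejects it, and the check that rejects the "SSL on data channel only" combination. The server is a constructed stand-in that returns canned reply codes (the reply codes follow RFC 4217 conventions; the exact reply text a real server sends varies), and the TLS handshake itself is represented by a transcript line rather than performed.

```python
"""Simulated explicit-FTPS (FTPES) control-channel negotiation.

Constructed illustration of the sequence described in the documentation:
the client starts on a plain socket, asks for TLS with AUTH TLS, then (when
the data channel must also be protected) sends PBSZ 0 and PROT P. No real
network I/O or TLS handshake takes place here.
"""
from typing import Dict, List, Tuple


class FtpsConfigError(ValueError):
    """Raised for an option combination the connector refuses to run."""


class FtpsNegotiationError(RuntimeError):
    """Raised when the server rejects a step of the security negotiation."""


def check_security_options(use_ssl_command: bool, use_ssl_data: bool) -> str:
    """Validate the (useSSLonCommandChannel, useSSLonDataChannel) pair.

    SSL on the data channel without SSL on the control channel is rejected,
    mirroring the check the documentation says the connector performs.
    Returns the name of the equivalent Security parameter value.
    """
    if use_ssl_data and not use_ssl_command:
        raise FtpsConfigError(
            "SSL on the data channel requires SSL on the control channel")
    if not use_ssl_command:
        return "None"
    if use_ssl_data:
        return "Use SSL on control and data channels"
    return "Use SSL on control channel"


class ScriptedServer:
    """Fake FTP server (constructed): maps a command verb to a canned reply."""

    def __init__(self, replies: Dict[str, str]) -> None:
        self.replies = replies
        self.received: List[str] = []

    def send(self, command: str) -> str:
        self.received.append(command)
        verb = command.split()[0]
        return self.replies.get(verb, "500 Unknown command")


def negotiate_explicit_ftps(server: ScriptedServer, secure_data: bool) -> List[str]:
    """Run the explicit-mode negotiation and return the command transcript.

    Aborts (raises) as soon as the server rejects a step, which is the
    behaviour the documentation describes for a refused negotiation.
    """
    transcript: List[str] = []

    def cmd(command: str, ok_codes: Tuple[str, ...]) -> str:
        reply = server.send(command)
        transcript.append(f"C: {command}")
        transcript.append(f"S: {reply}")
        if not reply.startswith(ok_codes):
            raise FtpsNegotiationError(f"{command} rejected: {reply}")
        return reply

    # Explicit mode: the connection is already open in clear text; request TLS
    # on the control channel. 234 is the "AUTH command OK" reply of RFC 4217.
    cmd("AUTH TLS", ("234",))
    transcript.append("-- TLS handshake on control channel (simulated) --")

    if secure_data:
        # PBSZ 0: TLS does its own record framing, so no protection buffer.
        cmd("PBSZ 0", ("200",))
        # PROT P: data connections are Private (TLS-protected).
        cmd("PROT P", ("200",))
    return transcript


if __name__ == "__main__":
    srv = ScriptedServer({"AUTH": "234 AUTH TLS OK",
                          "PBSZ": "200 PBSZ=0",
                          "PROT": "200 Protection level set to P"})
    print(check_security_options(True, True))
    print("\n".join(negotiate_explicit_ftps(srv, secure_data=True)))
```

Running the block prints the accepted negotiation; feeding a server script whose AUTH reply is a 5xx code makes `negotiate_explicit_ftps` raise before any PBSZ or PROT command is sent, and calling `check_security_options(False, True)` raises the configuration error up front, before any connection would be attempted.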

As stated above, the FTP Client Connector can operate in two modes: Active and Passive. In Passive mode, the FTP server waits for connections from the FTP Client Connector (for the command and data channels). When this occurs the server sends its certificate to the client and SSL communication is possible. In Active mode the situation is the same for the command channel, but this time the client listens for connections (for the data channel). In normal cases this would require the client to send its certificate to the server for validation. To overcome this problem, the SSL session is run in client mode – this means that the SSL roles are reversed (the TCP server acts as client and the TCP client as server, so again the server will send its certificate to the client). This is achieved by the setUseClientMode(true) method.