FTPS Configuration for WPG Integrated FTP Server

Resolving The Problem

In FTPS mode the FTP server can be used either in FTP Server Authentication mode or the FTP Client Authentication mode. The administrator has to configure the FTP Server to support requests for both Server Authentication and Client Authentication. This can be done by configuring the required certificates.

By default the FTP Server port number used for Server Authentication mode is 3021, and that for Client Authentication mode is 3022. The WPG FTP Scripting Receiver, FTP Scripting Sender, FTP Receiver and FTP Sender can work as clients with the FTP Server in the FTPS mode.

Generate required certificates.

Using the certificate generation tool such as iKeyMan, generate two pairs of certificates. Let us call this as “Server Certificate” and “Client Certificate”. For more information on Generating the below mentioned Certificates using iKeyMan, please refer to slides 3 -17 from the following WSTE presentation:

FTPClient.der is the public key used by FTP Client. This is uploaded in WPG Sending Host, and used during FTPS Client Authentication mode.

FTPClient.jks has the private key used by FTP Client. This is uploaded in WPG Receiving Host and used during FTPS Client Authentication mode.

FTPServer.der is the public key used by FTP Client. This is uploaded in WPG Receiving Host and used during FTPS Server Authentication mode.

FTPServer.jks has the private key used by FTP Client. This is uploaded in WPG Sending Host, and used during FTPS Server Authentication mode.

Uploading the required certificates:

Part A: Perform the following tasks on WPG Sending Host, which has the FTP Server installed.

1. Log in to WPG admin console as Hub Operator.

2. Click on “Account Admin Profiles Certificates” link which will bring up the certificate list page.

3. Click on “Load Certificate” link to bring up the Load New Certificate page.

4. Click on the check box for “Root and Intermediate certificates” and click on the browse button next to “Certificate Location”. Upload the “FTPClient.der”. Click on “Finish” button to complete the upload of Client Public Key.

5. The Certificate upload message will appear under the messages area.

6. The Certificate list will now look as shown below:

This completes the uploading of the public key of the FTP Client. This is used during “Client Authentication”.

Now we will continue uploading the private key of FTP Server, which is used during the FTPS “Server Authentication” mode.

1. Click on “Load Certificate” link to bring up the Load New Certificate page. Click on “Browse” button next to Trust Store (or) KeyStore location. Load the FTPServer.p12 or FTPServer.jks. Provide the correct password as specified during creation of the certificates and click on next.

2. Select the appropriate certificate from the dropdown next to “Select the certificate to be uploaded”. Click on Next.

3. This takes us to Step 3 – Provide certificate details page. Provide a name for the leaf certificate. In this case it is given as “FTP Server Certificate”, and a meaningful description. Select the check box next to “Is this certificate for FTP Server Authentication” and Certificate Type check "SSL Server". Also make sure that the “Status” radio option is enabled.

4. Click on Finish to complete the upload of Server Certificate.

Finally the certificate list should look as below:

This completes the uploading of the required private certificate of FTP Server. This certificate is used for “Server authentication”.

Part B: Perform the following tasks on Receiving Host, which is acting as FTP Client.

1. Log in to WPG admin console as Hub Operator.

2. Click on “Account Admin Profiles Certificates” link which will bring up the certificate list page.

3. Click on “Load Certificate” link to bring up the Load New Certificate page.

1. Click on the check box for “Root and Intermediate certificates” and click on the browse button next to “Certificate Location”. Upload the “FTPServer.der”. Click on “finish” button to complete the upload of Server Public Key.

2. The certificate upload message is displayed as shown below:

3. The Certificate list should look as shown below.

This completes the upload of the Server certificate that is used during FTPS “Server Authentication” mode.

Now we will continue uploading the FTP Client certificate on Receiving Host, which is used in FTPS “Client Authentication” mode.

1. Click on “Load Certificate” link to bring up the Load New Certificate page. Click on “Browse” button next to Trust Store (or) KeyStore location. Load the FTPClient.p12 or FTPClient.jks. Provide the correct password that is used while generating the certificate and click on next.

2. Select the appropriate certificate from the dropdown next to “Select the certificate to be uploaded”. Click on Next.

3. This takes us to Step 3 – Provide certificate details page. Provide a name for the leaf certificate. In this case it is given as “FTP Client Certificate”, and a meaningful description. Select the check box next to “SSL Client”. Make sure that the Status Radio button is “Enabled”. Click on Finish to complete the certificate upload.

4. The certificate upload message is displayed as shown below:

1. Finally the certificate list should look as below:

This completes the upload of required certificates for both FTP Server Authentication and Client Authentication in FTPS mode.

Note: If you are using your WPG machine as both the FTP Server and Client then all of the certs would need to be installed on the one machine such as the following example: