IBM Support

IBM AIX: Configure ftpd to use TLS with a self-signed certificate

Question & Answer


Question

How do I configure ftpd on AIX® to use TLS with a self-signed certificate?

Answer

Follow these steps to create a self-signed certificate and to configure ftpd to use it. These steps assume that the certificate directory is /.tls, and that all the commands are run by the root user.
1. Create the top-level certificate directory. It must be readable by all users.
mkdir /.tls
chmod 755 /.tls
2. Set up the certificate directory to meet the requirements of the openssl command to create self-signed certificates with the default /var/ssl/openssl.cnf file.
cd /.tls
mkdir private newcerts
chmod 700 private
echo 01 > serial
> index.txt
ln -s . demoCA
3. Create a private key and a server certificate request. The -subj argument is an X.520 Distinguished Name. It can contain any sequence of valid DN fields.
This openssl command has an example subject. Do not use it as-is. This list shows the typical uses for each field. You can use any values you like.
  • C: Your country
  • ST: Your state, province, or other area name
  • L: Your city
  • O: Your organization, such as a company or department name
  • OU: Your organizational unit, such as a department or server type
  • CN: The certificate's common name, that is, the name the server is called by
openssl req -batch -nodes -new -sha256 -newkey rsa:2048 -keyout private/server_key.pem -subj '/C=US/ST=Texas/L=Austin/O=IBM DSO/OU=IBM DSO server/CN=IBM DSO server certificate/' -out server_certreq.pem
4. Create the server certificate from the server certificate request. The certificate validity period in the example is 7300 days, which is 20 years. The server certificate must be readable by all users, so do not change its permissions from the default of 644.
yes | openssl ca -policy policy_anything -days 7300 -in server_certreq.pem -out server_cert.pem -selfsign -keyfile private/server_key.pem -notext
5. Ensure that the server's private key is readable only by root.
chmod 600 private/*
6. Configure ftpd to use the self-signed certificate and its private key by setting these options in /etc/ftpd.cnf.
CERTIFICATE /.tls/server_cert.pem
CERTIFICATE_PRIVATE_KEY /.tls/private/server_key.pem
7. (Optional) Increase the security of ftpd by disabling support for DES and anonymous cipher algorithms by setting this option in /etc/ftpd.cnf. For more information about the syntax of the CIPHER_LIST option, see https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html.
CIPHER_LIST HIGH,!ADH-DES-CBC3-SHA,!DES-CBC3-SHA,!kEDH,!kDHE
8. (Optional) Increase the security of ftpd by disabling support for all versions of TLS except TLS 1.2 by setting these options in /etc/ftpd.cnf.
SSLv3 NO
TLSv1 NO
TLSv1.1 NO
9. (Optional) Configure ftpd to allow only secure connections.
Modify the ftpd entry in /etc/inetd.conf to add the -e flag to the ftpd command line. Here is an example of the modified entry.
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd  ftpd -e
Finally, refresh inetd to pick up the change.
refresh -s inetd
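As an added example (not part of the IBM technote), here is a POSIX shell audit that checks a finished setup against steps 1 to 9 above: the file modes, the ftpd.cnf options and the -e flag in inetd.conf. It assumes the /.tls layout, the "KEY value" syntax of /etc/ftpd.cnf and the inetd.conf field order shown in the procedure; the default paths are the ones the steps use.

```shell
#!/bin/sh
# Audit of the ftpd TLS setup (added example, not IBM's code). Exit status is the
# number of failed checks, so 0 means the host matches the procedure.

# mode_is FILE OCTAL: true when FILE exists and its permission bits are exactly OCTAL
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# cnf_value FILE KEY: print the value of KEY from a "KEY value" style ftpd.cnf
cnf_value() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

fails=0
fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

# audit_ftpd_tls [TLS_DIR] [FTPD_CNF] [INETD_CONF]; defaults are the paths the steps assume
audit_ftpd_tls() {
    tls_dir=${1:-/.tls}; ftpd_cnf=${2:-/etc/ftpd.cnf}; inetd_conf=${3:-/etc/inetd.conf}
    fails=0
    # Steps 1 and 2: certificate directory readable by all, private/ root-only
    mode_is "$tls_dir" 755 || fail "$tls_dir is not mode 755"
    mode_is "$tls_dir/private" 700 || fail "$tls_dir/private is not mode 700"
    # Step 6: both options set and pointing at existing files
    cert=$(cnf_value "$ftpd_cnf" CERTIFICATE)
    key=$(cnf_value "$ftpd_cnf" CERTIFICATE_PRIVATE_KEY)
    [ -f "$cert" ] || fail "CERTIFICATE missing or not a file: '$cert'"
    [ -f "$key" ] || fail "CERTIFICATE_PRIVATE_KEY missing or not a file: '$key'"
    # Steps 4 and 5: certificate readable by all, private key readable by root only
    [ -f "$cert" ] && { mode_is "$cert" 644 || fail "$cert is not mode 644"; }
    [ -f "$key" ] && { mode_is "$key" 600 || fail "$key is not mode 600"; }
    # Step 8: every protocol older than TLS 1.2 explicitly disabled
    for proto in SSLv3 TLSv1 TLSv1.1; do
        [ "$(cnf_value "$ftpd_cnf" "$proto")" = NO ] || fail "$proto is not set to NO in $ftpd_cnf"
    done
    # Step 7: a CIPHER_LIST is present (its content is the administrator's policy)
    [ -n "$(cnf_value "$ftpd_cnf" CIPHER_LIST)" ] || fail "CIPHER_LIST not set in $ftpd_cnf"
    # Step 9: every ftp entry in inetd.conf runs ftpd with -e (secure connections only)
    awk '$1 == "ftp" { n++; for (i = 8; i <= NF; i++) if ($i == "-e") ok++ }
         END { exit !(n && n == ok) }' "$inetd_conf" \
        || fail "an ftp entry in $inetd_conf does not pass -e to ftpd"
    return "$fails"
}
```

Run it as root after step 9; to confirm the live service rather than the files, `openssl s_client -connect localhost:21 -starttls ftp` shows the certificate presented and the protocol negotiated.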

SUPPORT:

If the instructions in this document do not lead to resolution of the problem, follow these instructions to open a case. The product must be under warranty or have an active and valid support contract.

a. Document or take screen captures of all symptoms, errors, or messages.

b. Capture any logs or data relevant to the issue.

c. Contact IBM® to open a case.

-For electronic support, visit the IBM Support Community:
https://www.ibm.com/mysupport
-If you require telephone support, visit this web page:
https://www.ibm.com/planetwide/

d. Provide a detailed description of the issue and reference this technote.

e. Upload all of the details and data to the case.

-You can attach files to the case in the IBM Support Community, or
-Upload data to IBM test case server analysis at this URL:

http://www.ibm.com/support/docview.wss?uid=ibm10733581


Document Information

Modified date:
05 June 2023

UID

isg3T1011849