Question & Answer

Question

How do I configure ftpd on AIX® to use TLS with a self-signed certificate?

Answer

Create a self-signed certificate and configure ftpd to use it. These steps assume that the certificate directory is /.tls, and that all the commands are run by the root user.

1. Create the certificate directory.

   mkdir /.tls
   chmod 755 /.tls
2. Create the directory structure that the openssl command needs to create self-signed certificates with the default /var/ssl/openssl.cnf file.

   cd /.tls
   mkdir private newcerts
   chmod 700 private
   echo 01 > serial
   > index.txt
   ln -s . demoCA
3. Create the private key, the certificate request, and the self-signed certificate. The following openssl command has an example subject. Do not use it as-is. This list shows the typical uses for each field. You can use any values you like.
   - C: Your country
   - ST: Your state, province, or other area name
   - L: Your city
   - O: Your organization, such as a company or department name
   - OU: Your organizational unit, such as a department or server type
   - CN: The certificate's common name

   openssl req -batch -nodes -new -sha256 -newkey rsa:2048 -keyout private/server_key.pem -subj '/C=US/ST=Texas/L=Austin/O=IBM DSO/OU=IBM DSO server/CN=IBM DSO server certificate/' -out server_certreq.pem
   yes | openssl ca -policy policy_anything -days 7300 -in server_certreq.pem -out server_cert.pem -selfsign -keyfile private/server_key.pem -notext
   chmod 600 private/*
4. Configure ftpd to use the self-signed certificate and its private key by setting these options in /etc/ftpd.cnf.

   CERTIFICATE /.tls/server_cert.pem
   CERTIFICATE_PRIVATE_KEY /.tls/private/server_key.pem
5. Harden ftpd by disabling support for DES and anonymous cipher algorithms by setting this option in /etc/ftpd.cnf. For more information about the syntax of the CIPHER_LIST option, see https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html.

   CIPHER_LIST HIGH,!ADH-DES-CBC3-SHA,!DES-CBC3-SHA,!kEDH,!kDHE
6. Harden ftpd by disabling support for all versions of TLS except TLS 1.2 by setting these options in /etc/ftpd.cnf.

   SSLv3 NO
   TLSv1 NO
   TLSv1.1 NO
7. Configure ftpd to allow only secure connections. Edit the ftpd entry in /etc/inetd.conf to add the -e flag to the ftpd command line. Here is an example of the modified entry.

   ftp stream tcp6 nowait root /usr/sbin/ftpd ftpd -e

8. Refresh inetd to pick up the change.

   refresh -s inetd
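As an added verification check (not part of the IBM technote), the following POSIX shell script reads an ftpd.cnf-style file and confirms the /etc/ftpd.cnf settings described above: certificate and key configured, the cipher exclusions present, the older protocol versions set to NO, the key file readable only by its owner, and (when both files exist) the key matching the certificate. It assumes the one-directive-per-line "NAME VALUE" format shown in the steps.

```shell
#!/bin/sh
# Added check script (not from the technote). Verifies the ftpd.cnf hardening
# settings described above. Assumes "NAME VALUE" lines, one directive per line.

# Print the value of a directive (last occurrence wins, empty if absent).
ftpd_cnf_get() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# Check one config file. Prints each finding; returns 0 only if all pass.
check_ftpd_cnf() {
    cfg=$1 rc=0
    cert=$(ftpd_cnf_get "$cfg" CERTIFICATE)
    key=$(ftpd_cnf_get "$cfg" CERTIFICATE_PRIVATE_KEY)
    ciphers=$(ftpd_cnf_get "$cfg" CIPHER_LIST)

    [ -n "$cert" ] || { echo "FAIL: CERTIFICATE not set"; rc=1; }
    [ -n "$key" ]  || { echo "FAIL: CERTIFICATE_PRIVATE_KEY not set"; rc=1; }

    # Every cipher exclusion from the technote must be present in CIPHER_LIST.
    for excl in '!ADH-DES-CBC3-SHA' '!DES-CBC3-SHA' '!kEDH' '!kDHE'; do
        case ",$ciphers," in
            *",$excl,"*) ;;
            *) echo "FAIL: CIPHER_LIST lacks $excl"; rc=1 ;;
        esac
    done

    # Older protocol versions must be explicitly disabled.
    for proto in SSLv3 TLSv1 TLSv1.1; do
        [ "$(ftpd_cnf_get "$cfg" "$proto")" = NO ] ||
            { echo "FAIL: $proto is not set to NO"; rc=1; }
    done

    # Private key: group and other permission bits must be clear (chmod 600).
    if [ -n "$key" ] && [ -f "$key" ]; then
        case $(ls -ld "$key" | cut -c5-10) in
            ------) ;;
            *) echo "FAIL: $key is readable by group or others"; rc=1 ;;
        esac
    fi

    # When both files exist, confirm the private key belongs to the certificate
    # by comparing the public key carried in each.
    if [ -f "$cert" ] && [ -f "$key" ]; then
        c=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)
        k=$(openssl pkey -pubout -in "$key" 2>/dev/null)
        [ -n "$c" ] && [ "$c" = "$k" ] ||
            { echo "FAIL: private key does not match certificate"; rc=1; }
    fi
    return $rc
}
```

Run it as `check_ftpd_cnf /etc/ftpd.cnf` after completing the steps; a non-zero exit status means at least one setting still needs attention.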
Document Information
Modified date: 05 June 2023
UID: isg3T1011849