IBM Support

IBM AIX: Configure ftpd to use TLS with a self-signed certificate

Question & Answer


Question

How do I configure ftpd on AIX® to use TLS with a self-signed certificate?

Answer

Follow these steps to create a self-signed certificate and to configure ftpd to use it. These steps assume that the certificate directory is /.tls, and that all the commands are run by the root user.
1. Create the top certificate directory. It must be readable by all users.
mkdir /.tls
chmod 755 /.tls
2. Set up the certificate directory to meet the requirements of the openssl command to create self-signed certificates with the default /var/ssl/openssl.cnf file.
cd /.tls
mkdir private newcerts
chmod 700 private
echo 01 > serial
> index.txt
ln -s . demoCA
3. Create a private key and a server certificate request.  The -subj argument is an X.520 Distinguished Name.  It can contain any sequence valid DN fields.
openssl req -batch -nodes -new -sha256 -newkey rsa:2048 -keyout private/server_key.pem -subj '/C=US/ST=Texas/L=Austin/O=IBM DSO/OU=IBM DSO server/CN=IBM DSO server certificate/' -out server_certreq.pem
4. Create the server certificate from the server certificate request.  The certificate validity period in the example is 7300 days, which is 20 years. The server certificate must be readable by all users, so do not change its permissions from the default of 644.
yes | openssl ca -policy policy_anything -days 7300 -in server_certreq.pem –out server_cert.pem -selfsign -keyfile private/server_key.pem -notext
5. Ensure that the server's private key is only readable by root.
chmod 600 private/*
6. Configure ftpd to use the self-signed certificate and its private key by setting these options in /etc/ftpd.cnf.
CERTIFICATE /.tls/server_cert.pem
CERTIFICATE_PRIVATE_KEY /.tls/private/server_key.pem
7. (Optional) Increase the security of ftpd by disabling support for DES and anonymous cipher algorithms by setting this option in /etc/ftpd.cnf. For more information on the syntax of the CIPHER_LIST option, see https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html.
CIPHER_LIST HIGH,!ADH-DES-CBC3-SHA,!DES-CBC3-SHA,!kEDH,!kDHE
8. (Optional) Increase the security of ftpd by disabling support for all versions of TLS except TLS 1.2 by setting these options in /etc/ftpd.cnf.
SSLv3 NO
TLSv1 NO
TLSv1.1 NO

SUPPORT:

If the instructions in this document do not lead to resolution of the problem, follow these instructions to open a case.  The product must be under warranty or have an active and valid support contract.

a.  Document or take screen captures of all symptoms, errors, or messages.

b.  Capture any logs or data relevant to the issue.

c.  Contact IBM® to open a case.

   -For electronic support, visit the IBM® Support Community:
     https://www.ibm.com/mysupport
   -If you require telephone support, visit this web page:
      https://www.ibm.com/planetwide/

d.  Provide a detailed description of the issue and reference this technote.

e.  Upload all of the details and data to the case.

   -You can attach files to the case in the IBM® Support Community, or
   -Upload data to IBM® test case server analysis at this URL:

    http://www.ibm.com/support/docview.wss?uid=ibm10733581

f.  Click here to submit feedback for this document.

[{"Line of Business":{"code":"LOB08","label":"Cognitive Systems"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG10","label":"AIX"},"ARM Category":[{"code":"a8m0z000000cvxGAAQ","label":"Communication Applications->FTP\/FTPS"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]

Document Information

Modified date:
08 October 2020

UID

isg3T1011849