Documente Academic
Documente Profesional
Documente Cultură
File transfer is an essential and important activity in the day-to-day computing world. Security
lapses during file transfer can invite leak important data to the external world. As a result,
securing FTP is of primary importance. Hence, in AIX® V6.1, IBM® has introduced a secure
flavor of FTP (and ftpd) based on OpenSSL, using Transport Layer Security (TLS) to encrypt
both the command and the data channels of file transfer. This article shows the advantage of
using this AIX V6.1 feature and its usage between AIX and other heterogeneous systems that
already support this feature. This article focuses on AIX secure FTP with a Windows® server.
Introduction
Transport Layer Security (TLS) is a cryptographic protocol that provides secure communication
between clients and servers. When a server and client communicate, TLS ensures that no third
party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets
Layer (SSL). This enables any user on the system to exchange files in a secure manner, as long
as their counterpart offers this extension as well.
You might wonder if you already have a secure file transfer protocol, or FTP, (sftp) which comes
with openSSH, why would you opt for a new way of securing the FTP? While it may seem that
using secure FTP only and no secure telnet might not be most desirable, this method is in fact a
sensible alternative for environments where you are not able to use OpenSSH. For example, if
your most trusted systems run on a dedicated and segregated network, it makes perfect sense to
use telnet for remote access within that very network zone (or working from the console). But even
in such scenarios, you might very well have the need to transfer data from or to this secure zone,
which can be accomplished now using secure FTP.
Another scenario could be that you are using OpenSSH already but you still have to exchange
data with outside systems that do not support any form of SSH (thus neither scp nor sftp). Most
often, such (legacy) systems offer "FTP via SSL" (often called ftps) instead.
The secure communication between the FTP client and server makes use of the certificates, a
combination of a public-private key pair. Hence, the creation of certificates in-house or the import
of certificates from commercial certifying authorities is the second requirement for setting up FTP
over SSL.
• Creation of certificates
• Setting up of FTP services at the Windows server
• Configuration of FTP at the AIX client
• Data transfer using secure FTP
The article looks into each of these activities separately.
Creation of certificates
As stated previously, certificates need to be created for negotiation between the FTP server and
the client if there is not already a commercial certificate.
First, install OpenSSL on the Windows machine if certificates are created at this machine. If not,
the commercial certificates just need to be brought into this machine.
Create a root-level private key and root-level certificate request (holding the public key).
Generate the certificate for root (valid for approximately 10 years) by self-signing it:
You can have a look at your root certificate just to make sure everything's right by using:
29:4d:d9:86:82:79:d5:c6:0e:f2:3e:4d:e6:7c:0a:15:bd:74:
2a:57:13:b4:aa:69:93:37:74:b0:f6:2b:77:08:cb:ee:77:d3:
33:35:dc:5d:c2:67:97:ec:9c:e7:88:14:e3:06:74:3e:84:42:
36:fe:3b:b8
Now you will create an RSA key for the Windows FTP server without a PEM passphrase; hence,
you will use a different command than the one used previously. It is important not to use any
passphrases on such server keys. Otherwise, it would be required to input that passphrase every
time the key gets used (which is impossible to accomplish when ftpd is using it).
Next, create a certificate request for the key you just created (including its public key):
Next, sign the server key request with the root CA's private and self-signed public key. This creates
the server certificate (again, valid approximately for 10 years):
In order to make server configurations easier as well as the distribution of certified key files, it
is handy to have the server key, the server certificate, and the root certificate in one single file
(OpenSSL supports this). So combine all three files into one file. This file should be protected with
respective file permissions.
Now you have the server certificate in the .pfx format, which Windows accepts. It is very important
that you add this certificate to the Microsoft® Management console's trusted certificate repository.
Failure to do so will result in making the certificate untrusted during the usage.
The Microsoft Management Console (MMC) can be accessed by Start -> Run -& type mmc .
Once the Snap-in "certificate" is added to the console, you get the certificate categories as listed
below. Select the trusted root certificate or any other certificate category accordingly and import
the server certificate that you had created into it.
The import of the certificate will open up the Certificate Import Wizard, following which the import
of certificate becomes successful.
You have now changed the OpenSSL certificate for the FTP purpose into a trusted certificate in the
Windows machine.
Now open up the Internet Information Services (IIS) manager and add this trusted certificate as a
part of the the ISS server certificate database and now it can be used for the different services of
IIS, which includes secure FTP.
Importing the server certificate into this repository makes it usable for the secure FTP service.
Also, note that the certificate is OK and is trusted. After the certificate is successfully added, you
have to 'apply' the changes in the IIS Manager for the changes to take effect.
Create a new site for this purpose and the work area will create the FTP-specific services. In this
case, create a site called ssl_ftp_site.
You can assign specific IP address and ports for which this FTP server needs to be associated. In
this step, there is an option that asks you to specify the certificate. If the certificate is created and
ready for usage, it can be specified now or could be left for later configuration.
This step configures the FTP servers authentication mode and the users who are allowed, along
with their read/write permissions and completes the configuration of the FTP site in the IIS.
The panel at the right side under the "Manage FTP Site" section helps you to either stop or run the
service. It is always important to stop the server and restart it for any changes to take effect.
Now you must set the FTP SSL settings for the site, which is available on the workspace of the
FTP site home.
Again, do not forget to stop the server and restart it for the changes to take effect.
Adjust the user's .ftpcnf file to point to the CA certificate by only changing this one line:
CA_PATH ./root_cert.pem
This will establish an encrypted session without any modifications needed on the client side. If the
certificate, however, is self-signed, the client has to blindly trust the server, so the FTP command
will display the most important data of the certificate it received during the TLS handshake to leave
the decision up to the user whether he wants to connect or not.
The command ftp –s remote_host will work only for AIX-to-AIX machines. One has to use the ftp
–s –M remote_host option to get the secure FTP working between AIX and non-AIX machines.
Conclusion
This article covered the various aspects of the secure FTP setup, which includes the FTP service
configuration on the Windows server side and the FTP configuration on the client side. This feature
adds a very important security capability to the AIX operating system and helps it to harness the
similar functionality available with other operating systems, tthus helping the customer to have a
secure file transfer in a heterogenous environment.
Related topics
• "Information for System p" Visit this this site for additional information.
• The AIX 6 Advanced Security Features, Introduction and Configuration Guide —highlights and
explains the security features enhancements on AIX 6.1.
• Windows Server 2008 (Administrator's Pocket Consultant) by William R. Stanek
• Internet Information Services (IIS) 7.0 Administrator's Pocket Consultant by William R. Stanek
• Download AIX Web Download Pack like openssl, lsof.
• Download IBM product evaluation versions and get your hands on application development
tools and middleware products from DB2®, Lotus®, Rational®, Tivoli®, and WebSphere®.