If you use your Power System as an FTP server on the Internet, it is accessible to the entire world. Therefore, attention to FTP security is necessary to ensure that vital business data stored on your Power System server is not compromised. There are also steps you can take to protect your FTP client.
Use SSL to secure the FTP server
The FTP server provides enhanced security while sending and receiving files over a network. FTP server uses Secure Sockets Layer (SSL) to secure passwords and other sensitive data during an information ex- change. The FTP server supports either SSL or TLS protected sessions, including client authentication.
Most SSL-enabled applications connect a client to separate TCP ports, one port for “unprotected” sessions and the other for secure sessions. However, secure FTP is a bit more flexible. A client can connect to a non-encrypted TCP port (usually TCP port 21) and then negotiate authentication and encryption op- tions. A client can also choose a secure FTP port (usually TCP port 990), where connections are assumed to be SSL. The Power Systems FTP server provides for both of these options.
Before you can configure the FTP server to use SSL, you must install the prerequisite programs and set up digital certificates on your Power System. Visit the IBM Infocenter or, search Google for ‘Use SSL to secure the FTP server’ for more information.
To configure SSL to secure FTP, complete the following tasks :
- Create a local Certificate Authority or use DCM to configure the FTP server to use a public cer- tificate for SSL.
- Associate a certificate with the FTP server
- Require client authentication for the FTP server (optional)
- Enable SSL on the FTP server
Create or Modify a Server Profile
A secure FTP server profile must be defined using the Esend command EFTPSVR.
The first page of the EFTPSVR entry contains basic FTP information. From this page use function F17 (Secure FTP) to create the additional secure FTP values.
These three parameters are used to define a secure connection.
Specifies the port number to be used for connecting to the FTP server.
Normally the “well-known” port value of 21 is used to connect to the FTP server. Under some circum- stances, the FTP server may be contacted at a port other than port 21. In those situations, the port param- eter may be used to specify the server port to connect to.
*DFT - The value 00021 is used.
*SECURE - The value 00990 is used. Port 990 is reserved for secure FTP servers which immedi- ately use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols to encrypt data.
1-65535 - The requested port value is used. This value is validated to ensure it is in the proper range. If 990 is specified, the FTP client will perform the same functions as if *SECURE were specified.
Specifies the type of security mechanism to be used for protecting information transferred on the FTP control connection (which includes the password used to authenticate the session with the FTP server). Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are compatible protocols which use encryption to protect data from being viewed during transmission and verify that data loss or corruption does not occur.
Note: The FTP client sub-command SECOPEN can be used to open a protected FTP connection dur- ing an FTP client session.
*DFT - If the PORT parameter specifies *SECURE or 990, *IMPLICIT is used; otherwise, *NONE is used.
*IMPLICIT - The FTP client immediately attempts to use TLS/SSL when connecting to the speci- fied FTP server (without sending an AUTH sub-command to the server). If the server does not support implicit TLS/SSL on the specified port, or the TLS/SSL negotiation fails for any reason, the connection is closed.
*SSL - After connecting to the specified FTP server, the FTP client sends an AUTH (authorization) sub-command requesting a TLS/SSL protected session. If the server supports TLS/SSL, a TLS/SSL negotiation is performed. If the server does not support TLS/SSL or the TLS/SSL negotiation fails, the connection is closed.
*NONE - The FTP client does not use encryption when connecting to the specified FTP server.
Specifies the type of data protection to be used for information transferred on the FTP data connection. This connection is used to transfer file data and directory listings. The FTP protocol does not allow pro- tection of the data connection, if the control connection is not protected.
The DTAPROT parameter controls the use of the PROT (protection) FTP server sub-command. The FTP client sub-command SECDATA can be used to change protection for specific FTP data connections dur- ing an FTP client session.
*DFT - If the SECCNN parameter specifies a protected control connection, *PRIVATE is used; oth- erwise, *CLEAR is used.
*PRIVATE - Information sent on the FTP data connection is encrypted. If the SECCNN parameter specifies that the FTP control connection is not encrypted, *PRIVATE cannot be specified.
*CLEAR - Information sent on the FTP data connection is not encrypted.
Using ESEND to run secure FTP
Once configured, using secure FTP is as simple as specifying ‘sftp:’ instead of ‘ftp:’ in a recipient parameter of an ESEND or SEQUEL command.
Note: SFTP must be used with a server profile entry (as defined in section above).