Print | Rate this content

HP-UX - FTPS: How to Setup FTPS on a FTP Client

Information

Trying to connect to a bank's ftp server. They say we need to use passive mode & use ftps & implicit ssl. User tried the command ftp-z ssl with the host & port number but cannot connect. User is able to connect to the bank from windows using filezilla so its not a firewall issue. Here is the message we get when trying to connect:



ftp -z ssl 170.135.217.200 20024
WARNING! SSL/TLS initialization failed
WARNING! Continuing in a Fallback mode
ftp: connect: Connection timed out
ftp>

Details

How to setup FTPS on a FTP Client

Configure the FTP client

On the FTP client, copy the CA cert to the client and change the file permission.



# mkdir -p /etc/ftp/security/
# chmod 755 /etc/ftp/security/
# chmod 755 /etc/ftp/
# scp root@FTPServer:/etc/ftpd/security/cacert.pem \
/etc/ftp/security/cacert.pem
# chmod 644 /etc/ftp/security/cacert.pem

NOTE: The signed FTP Server cert stays on the FTP server to complete the chain.

FTP client command line options will override the client configuration file options.

The CA cert can also be placed in the users home directory.

If the client needs to use its own certificates for "client authentication" generate a CSR for the client using "CA.pl -newreq" on the client and then have the FTP server sign the request. Then install the new signed Client cert on the client and have ftp reference this new signed Client cert.

To connect via TLS/SSL

Once all the certs are in place on the client, use one of 3 ways to connect to the FTP server over TLS.

Be sure to reference the client cert files only if doing client authentication: (-z cert=client-cert.pem -z key=client-key.pem).

Connect using the command line:



# ftp -z CAfile=/etc/ftp/security/cacert.pem <server>

# ftp -z CAfile=/etc/ftp/security/cacert.pem \
-z cert=/home/user1/client-cert.pem \
-z key=/home/user1/client-key.pem <server>

Connect using a Configuration File:

# vi /home/user1/.tls.conf
CAfile=/etc/ftp/security/cacert.pem
rsacert=/home/user1/certs/client-cert.pem
rsakey=/home/user1/certs/client-key.pem
# ftp -z config=/home/user1/.tls.conf <server>

Connect using Environment Variables:

The following is the minimum required variables for a basic FTPS connection.

Be sure to add the additional appropriate variables if the client certificate for authentication is needed. See the WU_FTPD Release Notes for details.

It is important to use the <dot> to source in a file of environment variables to keep them in the existing shell.



# vi /home/user1/.ftps_envar.sh
#The following are the minimum options for ftps:
export FTP_USESSL=1
export FTP_SSL_CA_FILE=/etc/ftp/security/cacert.pem #CACert

# cd /home/user1/
# . /home/user1/.ftps_envar.sh
# ftp <server>

FTPS session:



# ftp -z CAfile=/etc/ftp/security/cacert.pem MyFTPServerHostName.hp.com

Connected to MyFTPServerHostName.hp.com.
220 MyFTPServerHostName.hp.com FTP server (Revision 1.1 Version wuftpd-2.6.1(PHNE_38578) Fri Sep 5 12:10:54 GMT 2008) ready.
234 AUTH TLS OK. ? TLS/SSL Authentication passed
[TLSv1/SSLv3, cipher DHE-RSA-AES256-SHA, 256 bits]
Name (0:root):
331 Password required for root.
Password:
230 User root logged in.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp>status

TLS/SSL protection of control connection: on.
TLS/SSL protection of data connections: off.

FTPS troubleshooting

Verify the OS, WU-FTPD and SSL versions.
Review the ftpd and ftp CLI options.
Review the configuration files and/or environment variables contents.
Review the certificate file paths and file permissions.
Review the server syslog file.
Review the certificates files themselves:

ftpd-rsa-ca.pem/cacert.pem #CAPubKey
ftpd-rsa-cert.pem/newcert.pem #CAPubKey
ftpd-rsa-key.pem/newkey.pem #SvrPriKey
# openssl x509 -text -noout -in /etc/ftpd/security/cacert.pem |more

Debug with:

# ftpd -v -l -z debug=2 -z logalldata
# ftp -z debug=2 -z secure -z logfile=/tmp/ssl.log -z ...

The maximum debug levels are:

Client: -z debug=2
Server: -z debug=5 which is very very very verbose logging, use =2

FTP, FTPS and SSL references

Click here to access "WU-FTPD 2.6.1 release notes, HP-UX 11i v1, HP-UX 11i v2, HP-UX 11i v3" .

Using OpenSSL Certificates:

Click here to access "Using OpenSSL Certificates with HP-UX IPSec A.02.01" .

Click here to access "Using OpenSSL Certificates with HP-UX IPSec A.03.00" .

HP-UX System Administrator's Guide:

Security Management

Click here to access "HP-UX System Administrator's Guide: Security Management HP-UX 11i Version 3" .

Man pages:

ftpd(1M), ftp(1), openssl(1), req(1), config(5)

Legal Disclaimer: Products sold prior to the November 1, 2015 separation of Hewlett-Packard Company into Hewlett Packard Enterprise Company and HP Inc. may have older product names and model numbers that differ from current models.

Provide feedback

Please rate the information on this page to help us improve our content. Thank you!
Document title: HP-UX - FTPS: How to Setup FTPS on a FTP Client
Document ID: emr_na-c03017718-2
How helpful was this document?
How can we improve this document?
Note: Only English language comments can be accepted at this time.
Please wait while we process your request.