ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaiq_5.4.0.1/rzaiqtlsssl.htm

125 lines
8.0 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Secure the FTP client with Transport Layer Security or Secure Socket Layer" />
<meta name="abstract" content="You can use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) connections to encrypt data transferred over File Transfer Protocol (FTP) control and data connections." />
<meta name="description" content="You can use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) connections to encrypt data transferred over File Transfer Protocol (FTP) control and data connections." />
<meta name="DC.Relation" scheme="URI" content="rzaiqrzaiqimplement.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiqscenariossl.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiqsslparent.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahumngcaapptrust.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiqrzaiqclientsession.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiqsecopen.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiqsecdata.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2004, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2004, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaiqtlsssl" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Secure the FTP client with Transport Layer Security or Secure Socket
Layer</title>
</head>
<body id="rzaiqtlsssl"><a name="rzaiqtlsssl"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Secure the FTP client with Transport Layer Security or Secure Socket
Layer</h1>
<div><p>You can use Transport Layer Security (TLS) or Secure Sockets Layer
(SSL) connections to encrypt data transferred over File Transfer Protocol
(FTP) control and data connections.</p>
<p>The primary reason for encryption on the control connection is to conceal
the password when logging on to the FTP server.</p>
<p>Before using the FTP client to make secure connections to servers, you
must use DCM to configure trusted certificate authorities for the FTP Client.
Any certificate authorities which were used to create certificates assigned
to servers that you want to connect to must be added. Exporting or importing
Certificate Authority (CA) certificates might be required depending on the
CAs used. Refer to Define a CA trust list for an application in the DCM topic
for more information about CA trusted authorities.</p>
<p>If you choose TLS or SSL encryption for the control connection, the FTP
client will also encrypt the data sent on the FTP data connection by default.
FTP protocol does not allow you to have a secure data connection without a
secure control connection.</p>
<p>Encryption can have a significant performance cost and can be bypassed
on the data connection. This allows you to transfer non-sensitive files without
decreasing performance and still protect the system's security by not exposing
passwords.</p>
<p>The FTP client has parameters for the STRTCPFTP CL command and subcommands
which are used as part of the TLS or SSL support (SECOpen and SECData).</p>
<div class="section"><h4 class="sectiontitle">Specifying Transport Layer Security or Secure Socket Layer
protection for the iSeries™ FTP client</h4><dl><dt class="dlterm">Control connection</dt>
<dd>TLS/SSL protection can be specified on the STRTCPFTP command and the SECOPEN
subcommand.<p>For the STRTCPFTP (FTP) command, specify *SSL for the SECCNN
secure connection parameter to request a secure control connection. Also,
you might be able to specify *IMPLICIT to obtain a secure connection on a
pre-defined server port number.</p>
<p>Within your FTP client session, the
SECOPEN subcommand can be used to obtain a secure control connection.</p>
</dd>
<dt class="dlterm">Data connection</dt>
<dd>For the STRTCPFTP (FTP) command, enter *PRIVATE for the DTAPROT data protection
parameter to specify a secure data connection. Enter *CLEAR for the DTAPROT
data protection parameter to specify data to be sent without encryption.<p>When
you have a secure control connection, you can use the SECDATA subcommand to
change the data connection protection level.</p>
</dd>
<dt class="dlterm">Implicit SSL connection</dt>
<dd>Some FTP servers support what is called an implicit SSL connection. This
connection provides the same encryption protection as the *SSL option, but
can only be done on a pre-determined server port, typically 990, for which
the server must be configured to expect an SSL or TLS connection negotiation.<p>This
method is provided to allow secure connections to those FTP implementations
that cannot support the standard protocol for providing TLS or SSL protection.</p>
<p>Many
early implementations of SSL support used the implicit approach, but now it
has been deprecated by the IETF.</p>
</dd>
</dl>
<div class="note"><span class="notetitle">Note:</span> <p>The standard protocol for setting up an TLS or SSL
connection requires that the AUTH (Authorization) server subcommand be used
when making the connection to the server. Also, the server subcommands PBSZ
and PROT are used to specify the data protection level.</p>
<p>However, for
an implicit SSL connection, the AUTH, PBSZ, and PROT server subcommands are <span class="uicontrol">not</span> sent
to the server. Instead, the server will act as if the client had sent these
subcommands with the parameters shown below:</p>
<ul><li>AUTH SSL</li>
<li>PBSZ 0</li>
<li>PROT P</li>
</ul>
</div>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaiqrzaiqimplement.htm" title="You can protect your data by securing File Transfer Protocol (FTP) with Secure Sockets Layer (SSL), monitoring FTP users, and managing user access to FTP functions.">Secure File Transfer Protocol</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzaiqsslparent.htm" title="With Secure Sockets Layer (SSL) you can eliminate the exposure of transmitting passwords and data in the clear when using the i5/OS File Transfer Protocol (FTP) server with an FTP client that also uses SSL.">Use Secure Sockets Layer to secure the File Transfer Protocol server</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="../rzahu/rzahumngcaapptrust.htm">Define a CA trust list for an application</a></div>
</div>
<div class="relref"><strong>Related reference</strong><br />
<div><a href="rzaiqrzaiqclientsession.htm" title="You can start and stop a client session from this topic.">Start and stop a client session</a></div>
<div><a href="rzaiqsecopen.htm">SECOpen (Setting Data Security Protection)</a></div>
<div><a href="rzaiqsecdata.htm">SECData (Setting Data Security Protection)</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="rzaiqscenariossl.htm" title="Use Secure Sockets Layer (SSL) to secure data being transferred to your partner company.">Scenario: Secure File Transfer Protocol with Secure Sockets Layer</a></div>
</div>
</div>
</body>
</html>