Secure the FTP client with Transport Layer Security or Secure Socket Layer

You can use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) connections to encrypt data transferred over File Transfer Protocol (FTP) control and data connections.

The primary reason for encryption on the control connection is to conceal the password when logging on to the FTP server.

Before using the FTP client to make secure connections to servers, you must use DCM to configure trusted certificate authorities for the FTP Client. Any certificate authorities which were used to create certificates assigned to servers that you want to connect to must be added. Exporting or importing Certificate Authority (CA) certificates might be required depending on the CAs used. Refer to Define a CA trust list for an application in the DCM topic for more information about CA trusted authorities.

If you choose TLS or SSL encryption for the control connection, the FTP client will also encrypt the data sent on the FTP data connection by default. FTP protocol does not allow you to have a secure data connection without a secure control connection.

Encryption can have a significant performance cost and can be bypassed on the data connection. This allows you to transfer non-sensitive files without decreasing performance and still protect the system's security by not exposing passwords.

The FTP client has parameters for the STRTCPFTP CL command and subcommands which are used as part of the TLS or SSL support (SECOpen and SECData).

Specifying Transport Layer Security or Secure Socket Layer protection for the iSeries™ FTP client

Control connection
TLS/SSL protection can be specified on the STRTCPFTP command and the SECOPEN subcommand.

For the STRTCPFTP (FTP) command, specify *SSL for the SECCNN secure connection parameter to request a secure control connection. Also, you might be able to specify *IMPLICIT to obtain a secure connection on a pre-defined server port number.

Within your FTP client session, the SECOPEN subcommand can be used to obtain a secure control connection.

Data connection
For the STRTCPFTP (FTP) command, enter *PRIVATE for the DTAPROT data protection parameter to specify a secure data connection. Enter *CLEAR for the DTAPROT data protection parameter to specify data to be sent without encryption.

When you have a secure control connection, you can use the SECDATA subcommand to change the data connection protection level.

Implicit SSL connection
Some FTP servers support what is called an implicit SSL connection. This connection provides the same encryption protection as the *SSL option, but can only be done on a pre-determined server port, typically 990, for which the server must be configured to expect an SSL or TLS connection negotiation.

This method is provided to allow secure connections to those FTP implementations that cannot support the standard protocol for providing TLS or SSL protection.

Many early implementations of SSL support used the implicit approach, but now it has been deprecated by the IETF.

Note:

The standard protocol for setting up an TLS or SSL connection requires that the AUTH (Authorization) server subcommand be used when making the connection to the server. Also, the server subcommands PBSZ and PROT are used to specify the data protection level.

However, for an implicit SSL connection, the AUTH, PBSZ, and PROT server subcommands are not sent to the server. Instead, the server will act as if the client had sent these subcommands with the parameters shown below:

  • AUTH SSL
  • PBSZ 0
  • PROT P
Parent topic: Secure File Transfer Protocol
Related concepts
Use Secure Sockets Layer to secure the File Transfer Protocol server
Related tasks
Define a CA trust list for an application
Related reference
Start and stop a client session
SECOpen (Setting Data Security Protection)
SECData (Setting Data Security Protection)
Related information
Scenario: Secure File Transfer Protocol with Secure Sockets Layer