IBM BPM, V8.0.1, All platforms > Authoring services in Integration Designer > Services and service-related functions > Access external services with adapters > Configure and using adapters > IBM WebSphere Adapters > FTP > Plan for adapter implementation > Security
Support for FTPS protocol
Data that travels across a network can be intercepted by third parties. When this data includes private information, such as passwords or credit card numbers, steps must be taken to make this data unintelligible to unauthorized users. Data encryption can be achieved using cryptographic protocols, such as secure socket layer (SSL) and transport layer security (TLS). When FTP protocol is used with SSL or TLS, the security mechanism is referred to as secure FTP or FTPS (Also known as FTP over SSL or FTP over TLS).
By configuring secure socket layers (SSL) or transport layer security (TLS), you protect the integrity of information sent between the FTP server and adapter. When the adapter is configured to work in secure FTP, both the control connection and data connection can be encrypted.
Secure socket layer (SSL)
Secure socket layer (SSL) is a network protocol used to transmit data in a secure mode. SSL protocol uses the public key cryptography technique to encrypt the data while transferring, and also ensures data confidentiality.
Transport layer security (TLS)
Transport layer security (TLS) is a protocol used for secure data transfer between the client and the server. It is the successor of the secure socket layer (SSL) protocol.
FTPS connection modes
The FTPS client can establish a connection with the secure FTP server in either implicit or explicit mode.
Implicit mode: In an implicit mode, the communication between the client and server is set up immediately in secure mode. The text information exchanged between the client and server is in an encrypted format. The default port for implicit mode is 990.
Explicit mode: In an explicit mode, the connection begins with an unencrypted FTP connection. When any sensitive information, such as password, needs to be sent, the client explicitly issues a request to switch to a secure FTP connection. After the successful SSL negotiation, a secure command channel is established between the client and the server.Explicit mode works with the default port 21 and is compliant with RFC 2228 commands. RFC 2228 specifies the mechanism for authenticating connections and confidential data transfer between the client and server, and this is referred to as explicit mode. The AUTH command is used for specifying the security mechanism for the explicit mode. The client sends an AUTH command (AUTH SSL/TLS) to the FTPS server and switches to a secure command connection.
By using the connection modes, the data protection level with which the data is transferred between the client and the server can be configured.
Data connection encryption
According to RFC 2228, Protection buffer size (PBSZ) and data channel protection level (PROT) commands are issued by the client to specify the protection level on the data channel.
Protection buffer size (PBSZ) is used to negotiate a maximum protected buffer size for the data connection. PBSZ command accepts a long value as an argument, and determines the maximum size of the buffer in which the encoded data is sent or received during data transfers.
FTP over TLS supports only PBSZ 0 to ensure that the buffering of data does not takes place. PBSZ command with the argument value '0' indicates a streaming protocol and the data is transferred as a stream of data.
PROT command allows client or server negotiation for the security level data connection. RFC 2228 specifies the following four levels of protection:
- Clear (C): The Clear protection level indicates that the data channel carries the raw data for the file transfer, with no security applied.
- Safe (S): The Safe protection level indicates that the data is integrity protected.
- Confidential (E): The Confidential protection level indicates that the data is confidentiality protected.
- Private (P): The Private protection level indicates that the data is integrity and confidentiality protected.
FTP over TLS protocol supports only Clear and Private levels of data protection.
Server authentication
Server authentication is a check performed for a secure connection. While establishing an SSL connection to the FTPS server, the FTP client performs a server certificate validation against the certificates present in the client trust store. The client trust store contains the certificates of all servers that are trusted. If the required certificate of the server is found in the client trust store, then a connection is established.
If the certificate is not found in the client trust store, the server is considered as an untrusted server, an exception is generated, and a connection is not established with the FTPS server.
Client authentication
Client authentication is similar to server authentication, except that the server requests a certificate from the client to verify if it is from a trusted client. The certificate has to be signed by a certificate authority trusted by the server. The client authentication requires a compatible FTPS server for authenticating. When a server requests a certificate, the client has the option to send a certificate. The server allows the connection if the client's certificate can be trusted.
The FTP server authenticates the client based on the public certificate while establishing an SSL connection. The client provides the public key during an SSL connection and is exchanged with the FTPS server, which authenticates the clients identity based on the certificates configured in the servers trusted certificates.
- Configure the adapter for FTPS protocol
WebSphere Adapter for FTP supports connecting to an FTPS server using the SSL or TLS protocol. WebSphere Adapter for FTP can be configured to connect to the FTPS server in either explicit or implicit mode. The adapter supports secure FTP using SSL v3.0 and TLS v1.0.- Configure the adapter for FIPS 140-2
The federal information processing standard 140-2 (FIPS) is a United States government standard for cryptographic features like encryption, decryption, hashing (message digests), secure socket layers, transport layer security, Internet Protocol security, Secure shell, signatures, key exchange, and key or certificate generation used in software products and modules. If you are an user working with the United States government who must conform to the FIPS standard, you can configure the adapter to run in FIPS mode.
Related concepts:
Related tasks:
Configure the adapter for FTPS protocol
Related reference: