IBM BPM V8.0.1, All platforms. IBM WebSphere Adapter for FTP: Support for FTPS protocol

Configure the adapter for FTPS protocol

WebSphere Adapter for FTP supports connecting to an FTPS server using the SSL or TLS protocol, and can be configured to connect in either explicit or implicit mode. The adapter supports secure FTP using SSL v3.0 and TLS v1.0.

To enable SSL, ensure that the following prerequisites are met:

The data connection protection commands (PBSZ and PROT) are exchanged between the adapter and the server after you have successfully logged in, but before the data connection is established.

  1. By default, the adapter issues the PBSZ 0 command before issuing the PROT command.

  2. The WebSphere Adapter for FTP supports the Clear and Private levels of data channel protection.

Refer to the following configuration table, which lists the possible combinations.

Configuration information

Configuration | Protocol     | FTPS connection mode | Data connection encryption | Description
1             | FTP over SSL | Implicit             | Clear                      | The adapter connects to the FTP server in SSL implicit mode; data is transferred in clear text and there is no data encryption.
2             | FTP over SSL | Implicit             | Private                    | The adapter connects to the FTP server in SSL implicit mode; the data channel is encrypted.
3             | FTP over SSL | Explicit             | Clear                      | The adapter connects to the FTP server in SSL explicit mode; data is transferred in clear text and there is no data encryption.
4             | FTP over SSL | Explicit             | Private                    | The adapter connects to the FTP server in SSL explicit mode; the data channel is encrypted.
5             | FTP over TLS | Implicit             | Clear                      | The adapter connects to the FTP server in TLS implicit mode; data is transferred in clear text and there is no data encryption.
6             | FTP over TLS | Implicit             | Private                    | The adapter connects to the FTP server in TLS implicit mode; the data channel is encrypted.
7             | FTP over TLS | Explicit             | Clear                      | The adapter connects to the FTP server in TLS explicit mode; data is transferred in clear text and there is no data encryption.
8             | FTP over TLS | Explicit             | Private                    | The adapter connects to the FTP server in TLS explicit mode; the data channel is encrypted.

Files passing through the FTP server are vulnerable to third-party interference when the adapter is not configured to use SSL. SSL prevents data from being modified, intentionally or unintentionally, in transit and protects it from being intercepted. SSL is effective because it combines several cryptographic processes: public key cryptography to authenticate the FTP server, and secret key cryptography and digital signatures for privacy and data integrity. SSL also allows the adapter to verify the identity of the FTP server.


Procedure

  1. In the external service wizard, set the Protocol to FTP over SSL - File Transfer Protocol over Secure Socket Layer or FTP over TLS - File Transfer Protocol over Transport Layer Security.

  2. In the Secure configuration area of the external service wizard, set the FTPS connection mode to either Explicit or Implicit mode. The default port number is 21 for Explicit mode and 990 for Implicit mode. Change the port number if the FTPS server listens on a different port.
  3. Set Data channel protection level to Private or Clear.

    If you select the:

    • Private level of data protection, the data transfer is integrity and confidentiality protected.
    • Clear level of data protection, the data transfer is in clear form.

      The default value is Private.

  4. Set the adapter trust store. A trust store helps an FTP client decide what it can trust. While using SSL, the FTPS server sends its certificate to the FTP client for verification. The FTP client verifies the certificate to ascertain that it is communicating with the intended FTP server. To enable this verification process, the FTP server's certificate must be present in the client's trust store.

    1. Use the keytool utility to import the server's certificate into the client's trust store.

      For example, enter the command keytool -import -v -alias serverCert -file server.cert -keystore clientTrustStore, where server.cert is the certificate of the server and clientTrustStore is the trust store of the client.

    2. Set Keystore type to the type of keystore used while creating the truststore.
    3. Set Truststore file to the absolute path of the truststore file.
    4. Set Truststore password to the password of the truststore. The password is used to check the integrity of the contents of the truststore.

  5. Optional: Client authentication can be enabled while establishing an SSL connection. When using SSL, the FTPS server requests the client's certificate. The FTPS server verifies the certificate sent by the client to ascertain that it is communicating with the intended client. To enable this verification process, the FTPS server has to support client authentication and the client's certificate must be present in the server's trust store. At the client's end, the client's keystore information has to be available for the exchange of the certificate to take place.

    1. You can create a keystore using the keytool utility.
    2. Set the Keystore file to the absolute path of the keystore.
    3. Set the Keystore password to the password of the keystore. The password is used to check the integrity of the contents of the keystore.
    4. Set the Key password to the password provided while creating the key in the keystore. This value is required to extract the certificate from the keystore while establishing an SSL connection.

      Ensure that the value of the Keystore type property is the same as the type used while creating the keystore.
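The eight table configurations (explicit or implicit mode, Private or Clear data channel) together with the trust store and client-certificate steps of the procedure, as an added example that is not IBM's documentation or the adapter's own code: it uses Python's ftplib, which issues the same AUTH, PBSZ 0 and PROT commands the adapter exchanges after login. The host, credentials and PEM file paths are assumptions, as is a PEM-format trust store (ftplib does not read JKS keystores).

```python
import ssl
from ftplib import FTP_TLS

EXPLICIT_PORT = 21   # AUTH upgrades a plain control connection to TLS
IMPLICIT_PORT = 990  # the control connection is TLS from the first byte

def build_context(truststore_pem=None, client_cert_pem=None,
                  client_key_pem=None, key_password=None):
    """Steps 4 and 5: trust only the (PEM) trust store; optionally add a client cert."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=truststore_pem)
    ctx.verify_mode = ssl.CERT_REQUIRED   # server cert not in trust store: handshake fails
    ctx.check_hostname = True             # cert must match the host we dialled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # hardening beyond the page's TLS 1.0
    if client_cert_pem:                   # assumed file paths, used only for step 5
        ctx.load_cert_chain(client_cert_pem, client_key_pem, key_password)
    return ctx

class ImplicitFTPTLS(FTP_TLS):
    """Implicit mode: TLS-wrap the control socket on creation, so the banner is
    already encrypted and no AUTH command is sent (ftplib alone only does explicit)."""
    _sock = None

    @property
    def sock(self):
        return self._sock

    @sock.setter
    def sock(self, value):
        if value is not None and not isinstance(value, ssl.SSLSocket):
            value = self.context.wrap_socket(value, server_hostname=self.host)
        self._sock = value

def control_commands(explicit, private):
    """Control commands in order: AUTH (explicit only), login, then PBSZ/PROT."""
    cmds = (["AUTH TLS"] if explicit else []) + ["USER", "PASS", "PBSZ 0"]
    return cmds + ["PROT P" if private else "PROT C"]

def connect_ftps(host, user, password, ctx, explicit=True, private=True, port=None):
    """Log in using one row of the configuration table; returns the client."""
    client = FTP_TLS(context=ctx) if explicit else ImplicitFTPTLS(context=ctx)
    client.connect(host, port or (EXPLICIT_PORT if explicit else IMPLICIT_PORT))
    if explicit:
        client.auth()                     # AUTH TLS on the still-plaintext channel
    client.login(user, password)          # credentials cross only the TLS channel
    if private:
        client.prot_p()                   # sends PBSZ 0 then PROT P: data channel encrypted
    else:
        client.voidcmd("PBSZ 0")          # adapter default: PBSZ 0 precedes PROT
        client.prot_c()                   # PROT C: listings and files travel in clear text
    return client
```

With a Clear data channel the login still happens over TLS, but every directory listing and file transfer is readable on the wire, which is why Private is the default worth keeping.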
