FTPS server support by the protocol bridge

The protocol bridge supports a subset of the FTPS protocol as defined by RFC-2228, RFC-4217, and the Internet-Draft entitled Secure FTP over SSL.

For a list of valid cipher suite values for connections between protocol bridge agents and FTPS servers, see Cipher suites in the IBM® SDK and Runtime Environment Java Technology Edition Version 7 product documentation.

The following features of the FTPS protocol are supported:

• Implicit and explicit modes of operation.
• Validation of the server certificate.
• Optional mutual authentication using client certificate checks.
• Optional use of a clear control channel after the initial authentication and level of protection for the data channel has been selected.
• SHA-2 cipher suites and FIPS 140-2 compliance are supported. The following versions of Java are required: IBM JREs 6.0 SR13 FP2, 7.0 SR4 FP2, or later.

The following features of the FTPS protocol and runtime environment are not supported:

• Use of the ADAT command for additional security data exchange.
• Use of FTPS for channel encryption only that is, where the servers certificate is not validated.
• Selection of the Clear, Secure, or Confidential levels of protection using the PROT command.
• Encryption for each command using the MIC, CONF, and ENC commands.
• Fallback to the FTP protocol if the server does not support explicit FTPS. Use the FTP support provided by the protocol bridge to work with such a server.
• Use of the FEAT command to determine the available capabilities of the FTPS server.
• Validation of certificates using pattern matching against the DN field.
• Certificate revocation checking.
• Validation of certificates with the issuing trusted certificate authority.
• Explicit selection of the cipher suites available to the SSL negotiation phase of establishing a session.
• Use of extensions specific to z/OS® or IBM i that integrate cryptography with the operating system. Specifically, the use of the z/OS keyring or non-hierarchical file systems for storing key and trust information, for example, data sets. Cryptographic hardware and offload engines are used if these functions are managed transparently by the JVM and do not require explicit application code.