
Adding an FTPS Port

The FTPS (FTP over SSL) port lets the server authenticate the FTP client, lets the client authenticate the server, and encrypts both the control connection and the data connections between the FTP client and server.

Keep the following points in mind when configuring an FTPS port:

FTPS clients are always prompted for a user ID and password.

By default, the FTPS port will work only with secure clients. A secure client is a client that secures the connection by issuing the AUTH command. You also can configure the FTPS listener to operate with clients that are not secure.

You can configure the FTPS port to use its own certificate or the Integration Server certificate, and to request or require client certificates. In addition, you can configure the listener to use a private key and certificate chain residing in a keystore (file- or SmartCard/HSM-based). For more information about client certificates, see

"Authenticating Clients" on page 447.

By default, Integration Server does not perform certificate mapping for FTPS ports.

To use this feature, you must set the watt.net.ftpUseCertMap configuration property to true. For more information about how client authentication works for FTPS ports, see "Authenticating Clients" on page 447. For more information about certificate mapping, see "Importing a Certificate (Client or CA Signing Certificate) and Mapping It to a User" on page 452.

When a user logs in through an FTPS port, Integration Server can place the user in the default FTP root directory or in the client user directory. Integration Server chooses the directory based on the setting of the watt.server.login.userFtpDir parameter. For more information, see "Server Configuration Parameters" on page 851.

To add an FTPS port

1. Open Integration Server Administrator if it is not already open.

2. In the Security menu of the Navigation panel, click Ports.

3. Click Add Port.

Configuring Ports

For this parameter... Specify...

Port The number you want to use for the port. Select a number that is not already in use on this host machine.

Important: If you are running multiple Integration Servers on the same host machine, make sure the port numbers used on each server are unique.

Alias An alias for the port that is unique for this Integration Server. An alias must be between 1 and 255 characters in length and include one or more of the following: letters (a-z, A-Z), numbers (0-9), underscore (_), period (.), and hyphen (-).

Description A description of the port.

Package Name Package associated with this port. When you enable the package, the server enables the port. When you disable the package, the server disables the port.

If you replicate this package, Integration Server creates a port with this number and the same settings on the target server. If a port with this number already exists on the target server, its settings remain intact. This feature is useful if you create an application that expects input on a specific port. The application will continue to work after it is replicated to another server.

Bind Address (optional) IP address to which to bind this port. Specify a bind address if your machine has multiple IP addresses and you want the port to use this specific address. If you do not specify a bind address, the server picks one for you.

Passive Mode Listen Address (optional) Address to be sent by the PORT command. You can specify a host name or IP address.

Note: This option is not applicable when the FTPS port is bound to an IPv6 address. In that case, the passive mode listen address is the same as the port bind address.

When running in passive mode, the FTPS port sends the client the address to which the client should connect to create a data connection.

If the FTPS port is behind a NAT server, however, the address of the host on which Integration Server runs is not visible to the FTPS client. Consequently the PORT command does not contain the information the client needs to connect to the server. To remedy this situation, you can specify a value for the watt.net.ftpPassiveLocalAddr property in the server configuration file (server.cnf), which is located in the Integration Server_directory\instances\instance_name\config directory (see "Server Configuration Parameters" on page 851).

Alternatively, you can use the Passive Mode Listen Address field to specify the passive mode address for an individual FTPS port. That way, you can specify a different passive mode address for each FTPS port.

If an address is specified both in the Passive Mode Listen Address field and in the watt.net.ftpPassiveLocalAddr property, the PORT command uses the value specified in the watt.net.ftpPassiveLocalAddr property.

Secure Clients Only Select this check box to prevent the FTPS listener from operating with non-secure clients.

6. Under Security Configuration, in the Client Authentication list, select the type of client authentication you want Integration Server to perform for requests that arrive on this FTPS port.

Option Description

Username/Password Integration Server prompts the client for a user ID and password.


If central user management is configured, the server checks whether the certificate is mapped to a user in the central user database. If so, the server logs the client on as that user. If not, the client request fails.

Require Client Certificates Integration Server requires client certificates for all requests. The server behaves as described for Request Client Certificates, except that the client must always provide a certificate.

7. Under Listener Specific Credentials, enter the following information:

Note: Use these seings only if you want to use a different set of credentials from the ones specified on the Certificates Screen.

For this parameter... Specify...

Keystore Alias Optional. A user-specified, text identifier for an Integration Server keystore.

The alias points to a repository of private keys and their associated certificates. Although each listener points to one keystore, there can be multiple keys and their certificates in the same keystore, and more than one listener can use the same keystore alias.

For more information, see "Creating Keystore Aliases" on page 410.

Key Alias Optional. The alias for the private key, which must be stored in the keystore specified by the above keystore alias.

Truststore Alias Optional. The alias for the truststore. The truststore must contain the trusted root certificate for the CA that signed the Integration Server certificate associated with the key alias. The truststore also contains the list of CA certificates that Integration Server uses to validate the trust relationship.

8. Click Save Changes.

9. On the Ports screen, click Edit to change the Access Mode if necessary. You may Set Access Mode to Allow by Default or Reset to default access settings.

For more information about setting the access mode for a port and controlling IP access for a port, see "Controlling Access to Resources by Port" on page 422.

10. On the Ports screen, also check the list of ports to ensure that the status in the Enabled column is Yes. If it is not, click No to enable the port.