Sterling Secure Proxy Version 3 FTP Adapter Configuration with SSL. ProFTP SSL Certificate creation with openssl

Transcription

1 Sterling Secure Proxy Version 3 FTP Adapter Configuration with SSL The SSP configuration has been tested with the following components. SSP 3 on Windows 2003 ProFTP Version on Red Hat ES 4 Lftp Version on Red Hat ES 4 In this document the products installation is not treated: we assume that they are up and running properly. ProFTP SSL Certificate creation with openssl 1. Create a RSA private key for your ProFTP server (will be Triple-DES encrypted and PEM formatted): openssl genrsa -des3 -out server.key Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted): openssl req -new -key server.key -out server.csr 3. If you use an external Certification Authority you can skip the steps from 4 to 6 and deliver the CSR file to CA. 4. Create a Self Signing Certification Authority with the following openssl command from a normal user directory: private key for your CA (will be Triple-DES encrypted and PEM formatted): openssl genrsa -des3 -out ca.key self-signed CA Certificate (X509 structure) with the RSA key of the CA (output will be PEM formatted): openssl req -new -x509 -days 365 -key ca.key -out ca.crt 5. Prepare a script named sign.sh delivered with the ssl package mod_ssl of ProFTP. For your commodity it is included in the present document.

2 sign.sh.txt 6. Sign the CSR with the command./sign.sh server.csr and this results in a server.crt file For more information consult the site ProFTP SSL Configuration Add at the end of the file /etc/proftpd.conf the following section. <IfModule mod_tls.c> TLSEngine on TLSLog /var/log/proftpd/tls.log TLSProtocol SSLv23 # Are clients required to use FTP over TLS when talking to this server? TLSRequired on # Server's certificate TLSRSACertificateFile /home/supporto/certs/server.crt TLSRSACertificateKeyFile /home/supporto/certs/server.key # CA the server trusts TLSCACertificateFile /home/supporto/certs/ca.crt # Authenticate clients that want to use FTP over TLS? TLSVerifyClient off </IfModule> Please note the below parameters. 1. TLSRSACertificateKeyFile is the private key created in the step 1 of the previous section. 2. TLSRSACertificateFile is the certificate received back from the CA or the one generated in step TLSVerifyClient is off because we re not using the client authentication and consequently the parameter TLSCACertificateFile can have any value. 4. TLSRequired on means that SSL is mandatory for any connection.

3 Reference site: Restart ProFTP: you will be prompted for the pass phrase used in the step 1 (Private Key generation) Lftp Configuration In the this phase the goal is to test SSP functionality, so Lftp check of the incoming certificate again a trusted root file has been disabled using the following parameter in the file /etc/lftp.conf: set ssl:verify-certificate off. Reference Site: Sterling Secure Proxy Configuration Certificate Setting 1. Create a System Certificate in PKCS12 format for the FTP Adapter.. This can be easily done with Sterling Commerce Certificate Wizard. As usual the Public Key can be eithrr Self Signed or CA Signed. 2. Import the System Certificate in SSP with the Configuration Manager into the System Certificate Store: After importing that you ll see:

4 In this example the System Certificate is SSP3CD and the Default Key Store has been used. 3. Import the ProFTP Certificate in SSP with the Configuration Manager into the Trusted Certificate Store: it corresponds to the one referenced by TLSRSACertificateFile in /etc/proftpd.conf.

5 After importing that you ll see: In this example the Trusted ate is FTPPROMilan and the Defauly Trust Store has been used. FTP Adapter Configuration See the below example: The most important parameter is the Listen Port on which the Adapter is listening for the incoming connection from FTP clients. A netmap has to be created if it doesn t exist: in this example it is named FTPGLTest. In this example there is no additional setting in the Advanced and Properties Tabs. FTP Adapter Netmap Configuration The nodes are divided in Inbound and Outbound: the Inbound ones are the FTP Client, being the Outbound the FTP Server. Lftp is an Inbound Node:

6 Here is its configuration

7 1. The Peer Address Pattern in the Basic Tab allows validating incoming DNS or IP Address: in this case the wildcard * don t set any restriction. 2. The Policy allows validating User and Certificate against an External Authentication Server or an internal Netmap (User only): in this example we use a very basic policy without any check. 3. The Key System Certificate is used to establish the SSL connection between SSP and the client. In this example we use the same Certificate between SSP and the Server, but they can be different. 4. The Logging Level is set to Debug in this phase just to check the new connection: after it can be moved to ERROR. ProFTP is an Outbound Node

8 1. The Basic Tab contains the ProFTP connection information. 2. Notice, please, the reference to ProFTP certificate in the Security Tab. 3. Also in this case the Logging Level is set to DEBUG

9 FTP Adapter Monitoring Check if the Adapter is running: You don t have to recycle the Adapter after modifying its configuration. FTP Adapter Logs For each side of the connection a log is created in C:\Program Files\Sterling Commerce\SSP3.0.00\logs. For the present configuration they are named: 1. secureproxy-ftpgltest.ftppro.log 2. secureproxy-ftpgltest.lftp.log Connection Testing Run Lftp with the following command: lftp -u"user","password" ftp:// :5021/ Please note that user, password must be a valid account for ProFTP. ftp:// :5021/ is the SSP URL Additional Comments The SSP configuration used in this example has been also successfully tested with the following FTP clients: FileZilla a Sterling Commerce C:E Command Line Client