FTPS clients are always prompted for a userid and password.FTPS clients are always prompted for a userid and password.By default, the FTPS port will work only with secure clients. A secure client is a client that secures the connection by issuing the AUTH command. You also can configure the FTPS listener to operate with clients that are not secure.You can configure the FTPS port to use its own certificate or use Integration Server certificate, or to request or require client certificates. In addition, you can configure the listener to use a private key and certificate chain residing in a keystore (file- or SmartCard/HSM-based). For more information about client certificates, see
Authenticating Clients.By default, Integration Server does not perform certificate mapping for FTPS ports. To use this feature, you must set the watt.net.ftpUseCertMap configuration property to true. For more information about how client authentication works for FTPS ports, see
Authenticating Clients. For more information about certificate mapping, see
Importing a Certificate (Client or CA
Signing Certificate) and Mapping It to a User.When a user logs in through an FTPS port, Integration Server can place the user in the default FTP root directory or in the client user directory. Integration Server chooses the directory based on the setting of the watt.server.login.userFtpDir parameter. For more information, see
Server Configuration Parameters.
To add an FTPS portFor this parameter... | Specify... |
Enable | Select whether to enable (Yes) or disable (No) this FTPS port. |
Port | The number you want to use for the port. Select a number that is not already in use on this host machine. Important: If you are running multiple Integration Servers on the same host machine, make sure the port numbers used on each server are unique. |
Alias | An alias for the port that is unique for this Integration Server. An alias must be between 1 and 255 characters in length and include one or more of the following: letters (a -z, A-Z), numbers (0-9), underscore (_), period (.), and hyphen (-). |
Description | A description of the port. |
Package Name | Package associated with this port. When you enable the package, the server enables the port. When you disable the package, the server disables the port. If you replicate this package, Integration Server creates a port with this number and the same settings on the target server. If a port with this number already exists on the target server, its settings remain intact. This feature is useful if you create an application that expects input on a specific port. The application will continue to work after it is replicated to another server. |
Bind Address (optional) | IP address to which to bind this port. Specify a bind address if your machine has multiple IP addresses and you want the port to use this specific address. If you do not specify a bind address, the server picks one for you. |
Passive Mode Listen Address (optional) | Address to be sent by the PORT command. You can specify a host name or IP address. Note: This option is not applicable when the FTPS port is bound to an IPv6 address. In that case, the passive mode listen address is the same as the port bind address. When running in passive mode, the FTPS port sends a PORT command to the FTPS client. The PORT command specifies the address and port to which the client should connect to create a data connection. If the FTPS port is behind a NAT server, however, the address of the host on which Integration Server runs is not visible to the FTPS client. Consequently the PORT command does not contain the information the client needs to connect to the server. To remedy this situation, you can specify a value for the watt.net.ftpPassiveLocalAddr property in the server configuration file (server.cnf), which is located in the Integration Server_directory \instances\instance_name\config directory (see
Server Configuration Parameters). Alternatively, you can use the Passive Mode Listen Address field to specify the passive mode address for an individual FTPS port. That way, you can specify a different passive mode address for each FTPS port. If an address is specified in the Passive Mode Listen Address field and in the watt.net.ftpPassiveLocalAddr property, the PORT command uses the value specified in the watt.net.ftpPassiveLocalAddr property. |
Secure Clients Only | Select this check box to prevent the FTPS listener from operating with non-secure clients. |
For this parameter... | Specify... | |
Use JSSE | If this port should support TLS 1.1 or TLS 1.2, click Yes to create the port using the Java Secure Socket Extension (JSSE) library. The default is Yes. If you set this value to No, the port supports only SSL 3.0 and TLS 1.0 and Entrust IAIK library is used to create the outbound FTPS connection. Note: To control the cipher suites used on Integration Server ports that use JSSE and handle inbound requests, set the watt.net.jsse.server.enabledCipherSuiteList. For more information, see Server Configuration Parameters. | |
Client Authentication | The type of client authentication you want Integration Server to perform for requests that arrive on this FTPS port. Select one of the following: | |
Option | Description | |
Username/Password | Integration Server prompts the client for a user ID and password. | |
Request Client Certificates | Integration Server requests client certificates for all requests. If the client does not provide a certificate, the server prompts the client for a userid and password. If the client provides a certificate: The server checks whether the certificate exactly matches a client certificate on file and is signed by a trusted authority. If so, the client is logged in as the user to which the certificate is mapped in Integration Server. If not, the client request fails, unless central user management is configured.If central user management is configured, the server checks whether the certificate is mapped to a user in the central user database. If so, the server logs the client on as that user. If not, the client request fails. | |
Require Client Certificates | Integration Server requires client certificates for all requests. The server behaves as described for Request Client Certificates, except that the client must always provide a certificate. | |
For this parameter... | Specify... |
Keystore Alias | Optional. A user-specified, text identifier for an Integration Server keystore. The alias points to a repository of private keys and their associated certificates. Although each listener points to one keystore, there can be multiple keys and their certificates in the same keystore, and more than one listener can use the same keystore alias. For more information, see
Creating Keystore Aliases. |
Key Alias | Optional. The alias for the private key, which must be stored in the keystore specified by the above keystore alias. |
Truststore Alias | Optional. The alias for the truststore. The truststore must contain the trusted root certificate for the CA that signed Integration Server certificate associated with the key alias. The truststore also contains the list of CA certificates that Integration Server uses to validate the trust relationship. |