Integration Server 10.3 | Integration Server Administrator's Guide | Configuring Ports | Adding an FTPS Port
 
Adding an FTPS Port
The FTPS (FTP over SSL) port enables the server to authenticate the FTP client and server in a secure manner, and encrypt the control and data exchange between the FTP client and server.
Keep the following points in mind when configuring an FTPS port:
*FTPS clients are always prompted for a userid and password.
*By default, the FTPS port will work only with secure clients. A secure client is a client that secures the connection by issuing the AUTH command. You also can configure the FTPS listener to operate with clients that are not secure.
*You can configure the FTPS port to use its own certificate or use Integration Server certificate, or to request or require client certificates. In addition, you can configure the listener to use a private key and certificate chain residing in a keystore (file- or SmartCard/HSM-based). For more information about client certificates, see Authenticating Clients.
*By default, Integration Server does not perform certificate mapping for FTPS ports. To use this feature, you must set the watt.net.ftpUseCertMap configuration property to true. For more information about how client authentication works for FTPS ports, see Authenticating Clients. For more information about certificate mapping, see Importing a Certificate (Client or CA Signing Certificate) and Mapping It to a User.
*When a user logs in through an FTPS port, Integration Server can place the user in the default FTP root directory or in the client user directory. Integration Server chooses the directory based on the setting of the watt.server.login.userFtpDir parameter. For more information, see Server Configuration Parameters.
*To add an FTPS port
1. Open Integration Server Administrator if it is not already open.
2. In the Security menu of the Navigation panel, click Ports.
3. Click Add Port.
4. In the Add Port area of the screen, select webMethods /FTPS.
5. Click Submit. Integration Server displays a screen requesting information about the port. Enter the following information:
For this parameter...
Specify...
Enable
Select whether to enable (Yes) or disable (No) this FTPS port.
Port
The number you want to use for the port. Select a number that is not already in use on this host machine.
Important:
If you are running multiple Integration Servers on the same host machine, make sure the port numbers used on each server are unique.
Alias
An alias for the port that is unique for this Integration Server. An alias must be between 1 and 255 characters in length and include one or more of the following: letters (a -z, A-Z), numbers (0-9), underscore (_), period (.), and hyphen (-).
Description
A description of the port.
Package Name
Package associated with this port. When you enable the package, the server enables the port. When you disable the package, the server disables the port.
If you replicate this package, Integration Server creates a port with this number and the same settings on the target server. If a port with this number already exists on the target server, its settings remain intact. This feature is useful if you create an application that expects input on a specific port. The application will continue to work after it is replicated to another server.
Bind Address (optional)
IP address to which to bind this port. Specify a bind address if your machine has multiple IP addresses and you want the port to use this specific address. If you do not specify a bind address, the server picks one for you.
Passive Mode Listen Address (optional)
Address to be sent by the PORT command. You can specify a host name or IP address.
Note:
This option is not applicable when the FTPS port is bound to an IPv6 address. In that case, the passive mode listen address is the same as the port bind address.
When running in passive mode, the FTPS port sends a PORT command to the FTPS client. The PORT command specifies the address and port to which the client should connect to create a data connection. If the FTPS port is behind a NAT server, however, the address of the host on which Integration Server runs is not visible to the FTPS client. Consequently the PORT command does not contain the information the client needs to connect to the server. To remedy this situation, you can specify a value for the watt.net.ftpPassiveLocalAddr property in the server configuration file (server.cnf), which is located in the Integration Server_directory \instances\instance_name\config directory (see Server Configuration Parameters).
Alternatively, you can use the Passive Mode Listen Address field to specify the passive mode address for an individual FTPS port. That way, you can specify a different passive mode address for each FTPS port. If an address is specified in the Passive Mode Listen Address field and in the watt.net.ftpPassiveLocalAddr property, the PORT command uses the value specified in the watt.net.ftpPassiveLocalAddr property.
Secure Clients Only
Select this check box to prevent the FTPS listener from operating with non-secure clients.
6. Under Security Configuration, enter the following information:
For this parameter...
Specify...
Use JSSE
If this port should support TLS 1.1 or TLS 1.2, click Yes to create the port using the Java Secure Socket Extension (JSSE) library. The default is Yes.
If you set this value to No, the port supports only SSL 3.0 and TLS 1.0 and Entrust IAIK library is used to create the outbound FTPS connection.
Note:
To control the cipher suites used on Integration Server ports that use JSSE and handle inbound requests, set the watt.net.jsse.server.enabledCipherSuiteList. For more information, see Server Configuration Parameters.
Client Authentication
The type of client authentication you want Integration Server to perform for requests that arrive on this FTPS port. Select one of the following:
Option
Description
Username/Password
Integration Server prompts the client for a user ID and password.
Request Client Certificates
Integration Server requests client certificates for all requests. If the client does not provide a certificate, the server prompts the client for a userid and password. If the client provides a certificate:
*The server checks whether the certificate exactly matches a client certificate on file and is signed by a trusted authority. If so, the client is logged in as the user to which the certificate is mapped in Integration Server. If not, the client request fails, unless central user management is configured.
*If central user management is configured, the server checks whether the certificate is mapped to a user in the central user database. If so, the server logs the client on as that user. If not, the client request fails.
Require Client Certificates
Integration Server requires client certificates for all requests. The server behaves as described for Request Client Certificates, except that the client must always provide a certificate.
7. Under Listener Specific Credentials, enter the following information:
Note:
Use these settings only if you want to use a different set of credentials from the ones specified on the Certificates Screen.
For this parameter...
Specify...
Keystore Alias
Optional. A user-specified, text identifier for an Integration Server keystore.
The alias points to a repository of private keys and their associated certificates. Although each listener points to one keystore, there can be multiple keys and their certificates in the same keystore, and more than one listener can use the same keystore alias.
For more information, see Creating Keystore Aliases.
Key Alias
Optional. The alias for the private key, which must be stored in the keystore specified by the above keystore alias.
Truststore Alias
Optional. The alias for the truststore. The truststore must contain the trusted root certificate for the CA that signed Integration Server certificate associated with the key alias. The truststore also contains the list of CA certificates that Integration Server uses to validate the trust relationship.
8. Click Save Changes.
9. On the Ports screen, click Edit to change the Access Mode if necessary. You may Set Access Mode to Allow by Default or Reset to default access settings.
For more information about setting access mode for a port and controlling IP access for a port, see Controlling Access to Resources by Port
10. On the Portsscreen, also check the list of ports to ensure that the status in the Enabled column is Yes. If it is not, click No to enable the port.