SFTPPlus Documentation


5.6. FTPES / FTPIS Server-side Setup and Usage

5.6.1. Introduction

This page contains setup instructions for server-side authentication of the client peer using X.509 SSL certificates. This applies to both implicit FTPS (FTPIS) and explicit FTPS (FTPES).

Please note that while the page refers to SSL certificate authentication, the certificates in question are in the PKI X.509 format. Since both the Local Manager and the configuration file (configuration/server.ini) refer to SSL certificates, we use this term throughout the page.

If you intend to generate a self-signed X.509 SSL certificate and/or implement mutual X.509 SSL authentication using only self-signed certificates, please go to the Q and A section for the FTP and FTPS Service.

For FTP commands and usage, please go to the FTP section.

5.6.2. How to enable PKI X.509 SSL certificate-based authentication

SSL certificate-based authentication allows clients to authenticate using a username and SSL certificate pair as credentials. A password is no longer required in this case.

To enable SSL certificate-based authentication, set the following option inside the FTP/FTPS service configuration section (located by default in configuration/server.ini):

[services/03288e36-cf6b-4bd5-a9be-f421372f17e6]
name = ftps
enable_ssl_certificate_authentication = Yes

In the Local Manager FTPS service configuration, select Enable SSL certificate based authentication.

This option is enabled by default, so it should already be set.

For a client certificate to be accepted, the value of its Common Name (CN) field should match the username being authenticated.

5.6.3. Further configuration options

The following are additional configurations for the FTPS service.

5.6.3.1. SSL certificate path options

Add the path to the SSL certificate used by the service:

[services/03288e36-cf6b-4bd5-a9be-f421372f17e6]
name = ftps
ssl_certificate = MyCompany/PKI/Server-US-Cert-and-Key.pem

Add the path to the SSL key used by the service, or leave empty if the key is in the certificate file.

To check if the key is in the certificate file, view the certificate and check if the following is within the certificate:

-----BEGIN RSA PRIVATE KEY-----
PRIVATE_KEY_CONTENT_HERE
-----END RSA PRIVATE KEY-----

Add the SSL Key Password, if used.

5.6.3.2. Disable/enable password based authentication

Deselect Enable password based authentication so that no password prompt is offered should SSL authentication fail. The configuration file should then be:

[services/03288e36-cf6b-4bd5-a9be-f421372f17e6]
name = ftps
enable_password_authentication = No

Otherwise, if SSL authentication fails, you can allow the client to fall back to a password prompt instead.

Note that if SSL authentication fails and password authentication is disabled, the user is not able to log in.

5.6.3.3. Certificate authority option

Add the path to the Certificate authority. If empty, the client’s certificate is not validated.

5.6.3.4. Certification revocation list option

Add the path or HTTP URL to the certificate revocation list. Set it to crl-distribution-points to enable use of the certificate's CRL distribution points (CDP). Leave it empty to disable certificate revocation list checking.

Below is a configuration example if a CRL is used:

[services/03288e36-cf6b-4bd5-a9be-f421372f17e6]
name = ftps
ssl_certificate_revocation_list = MyCompany/PKI/CA-CRL.pem

Below is an example of a CRL in PEM format:

-----BEGIN X509 CRL-----
CONTENT_OF_CRL
-----END X509 CRL-----

Note that the CRL may be encoded in DER format instead of PEM.

5.6.4. Enabling authentication for accounts and groups

For each account, enable Allow SSL certificates in Local Manager or set the configuration to Yes:

[services/03288e36-cf6b-4bd5-a9be-f421372f17e6]
name = ftps
allow_certificate_authentication = Yes

If the account is configured to inherit from its group, ensure that the account's group allows SSL certificates.

User-only configuration:

[services/03288e36-cf6b-4bd5-a9be-f421372f17e6]
name = ftps
allow_certificate_authentication = inherit

The corresponding group configuration should then be:

[services/03288e36-cf6b-4bd5-a9be-f421372f17e6]
name = ftps
allow_certificate_authentication = True

5.6.5. How to disable PKI X.509 SSL certificate-based authentication

To disable SSL certificate-based authentication, set the following option inside the FTP/FTPS service configuration section (located by default in configuration/server.ini):

[services/03288e36-cf6b-4bd5-a9be-f421372f17e6]
name = ftps
enable_ssl_certificate_authentication = No

After disabling SSL certificate-based authentication, you must check that password-based authentication is enabled. Otherwise, clients will have no other authentication method available to log in.
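The following is an added example, not part of SFTPPlus or its documentation: a small offline lint of the ftps service settings discussed in sections 5.6.3 and 5.6.5. It flags the case where both certificate and password authentication are disabled, checks whether the private key is embedded in the certificate file, and classifies the configured CRL file as PEM or DER. The sample server.ini and file contents are constructed, and treating an absent option as enabled is an assumption.

```python
import configparser
KEY_MARKER = b"PRIVATE KEY-----"          # embedded key block, as shown above
CRL_PEM_MARKER = b"-----BEGIN X509 CRL-----"

def key_embedded_in_certificate(pem_bytes: bytes) -> bool:
    """True when the certificate file also carries a private key block."""
    return KEY_MARKER in pem_bytes

def crl_format(crl_bytes: bytes) -> str:
    """'pem', 'der' (starts with the ASN.1 SEQUENCE tag 0x30) or 'unknown'."""
    if CRL_PEM_MARKER in crl_bytes:
        return "pem"
    return "der" if crl_bytes[:1] == b"\x30" else "unknown"

def lint_ftps_service(ini_text: str, files: dict) -> list:
    """Findings for each service section named ftps. `files` maps configured
    paths to file bytes (offline). Assumption: an absent option counts as enabled."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    findings = []
    for sec in cfg.sections():
        if cfg.get(sec, "name", fallback="") != "ftps":
            continue
        cert_auth = cfg.getboolean(sec, "enable_ssl_certificate_authentication", fallback=True)
        pw_auth = cfg.getboolean(sec, "enable_password_authentication", fallback=True)
        if not (cert_auth or pw_auth):
            findings.append("no authentication method enabled: clients cannot log in")
        cert_path = cfg.get(sec, "ssl_certificate", fallback="")
        if cert_path and not key_embedded_in_certificate(files.get(cert_path, b"")):
            findings.append("private key not embedded in ssl_certificate: set the SSL key path")
        crl = cfg.get(sec, "ssl_certificate_revocation_list", fallback="")
        if crl == "":
            findings.append("CRL checking disabled")
        elif crl != "crl-distribution-points" and not crl.startswith("http") \
                and crl_format(files.get(crl, b"")) == "unknown":
            findings.append("CRL file is neither PEM nor DER")
    return findings

# Constructed sample: both methods off, key kept in a separate file, CRL in PEM.
SAMPLE_INI = """[services/03288e36-cf6b-4bd5-a9be-f421372f17e6]
name = ftps
enable_ssl_certificate_authentication = No
enable_password_authentication = No
ssl_certificate = MyCompany/PKI/Server-US-Cert-and-Key.pem
ssl_certificate_revocation_list = MyCompany/PKI/CA-CRL.pem
"""
SAMPLE_FILES = {  # placeholder bodies stand in for real base64 content
    "MyCompany/PKI/Server-US-Cert-and-Key.pem": b"-----BEGIN CERTIFICATE-----\nCERT\n-----END CERTIFICATE-----\n",
    "MyCompany/PKI/CA-CRL.pem": b"-----BEGIN X509 CRL-----\nCONTENT_OF_CRL\n-----END X509 CRL-----\n",
}
```

Running `lint_ftps_service(SAMPLE_INI, SAMPLE_FILES)` on the sample reports the missing authentication method and the key that is not embedded in the certificate file.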