
Setting up FTPS / TLS with ftp on AIX 6.1

Technote (FAQ)


In AIX 6.1 a new ftp security feature was added:

Transport Layer Security (TLS) is a cryptographic protocol that provides secure communication between clients and servers. This enables any user on the system to exchange files in a secure manner if their counterpart offers this extension as well.


Configuring FTP over TLS (AIX to AIX)

Requires OpenSSL to be installed (at least version openssl-0.9.71-1.aix5.1.ppc.rpm)

Source -

Below are the steps to set up FTP with TLS in AIX 6.1 (for detailed instructions, refer to the source):

1. Create directory structure for certificates and key files

> cd
> mkdir .tls
> cd .tls
> mkdir rootCA
> chmod 700 rootCA
> cd rootCA

2. Creating a root level private key and root level certificate request (holding the public key):

> openssl req -newkey rsa:2048 -sha1 -keyout root_key.pem -out root_req.pem

3. Generating the certificate for root (valid approximately 10 years) by self-signing it:

> openssl x509 -req -days 3650 -in root_req.pem -signkey root_key.pem -out root_cert.pem

4. You can have a look at your root certificate just to make sure everything is right by using:

> openssl x509 -in root_cert.pem -text -noout

5. Change directory (to .tls)

> cd ..

6. Now we are creating an RSA key for the first FTP server without a PEM pass
phrase, hence we use a different command than the one we used in step 2 to
create a new key:

> openssl genrsa 2048 > server_key.pem

7. Next, we are creating a certificate request for the key we have just created
(including its public key):

> openssl req -new -key server_key.pem -out server_req.pem

8. Next, we are signing the server certificate request with our root CA's private
key and self-signed certificate. This will create the server certificate (again,
this is valid for approximately 10 years):

> openssl x509 -req -days 3650 -in server_req.pem -CA rootCA/root_cert.pem -CAkey rootCA/root_key.pem -CAcreateserial -out server_cert.pem

9. In order to make server configurations easier as well as the distribution of
certified key files, it is handy to have the server key, the server certificate, and
the root certificate in one single file (OpenSSL supports this). So we are
combining all three files to one file now:

> cat server_key.pem server_cert.pem rootCA/root_cert.pem > server.pem

10. Finally, we adjust the path name in the /etc/ftpd.cnf file (this assumes .tls was created in the "/" directory):

CERTIFICATE /.tls/server.pem

Now try ftp in secure mode:

> ftp -s <hostname>
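
Step 6 creates the server key without a pass phrase and step 9 copies it into server.pem, while only rootCA is given mode 700. The check below is an added example, not part of the technote; its function names are made up for illustration and it assumes the directory layout from the steps above.

```shell
#!/bin/sh
# Added example (not from the technote): find private keys in the .tls
# directory that have no pass phrase and are readable beyond their owner.

# True if FILE holds a PEM private key that is not pass-phrase protected.
# "BEGIN RSA PRIVATE KEY" is encrypted only when a Proc-Type header follows;
# PKCS#8 uses "BEGIN PRIVATE KEY" (plain) or "BEGIN ENCRYPTED PRIVATE KEY".
has_plain_key() {
    grep -q -e '-----BEGIN PRIVATE KEY-----' "$1" && return 0
    grep -q -e '-----BEGIN RSA PRIVATE KEY-----' "$1" || return 1
    ! grep -q 'Proc-Type: 4,ENCRYPTED' "$1"
}

# True if FILE grants nothing to group or other
# (characters 5-10 of the ls mode string are the group and other bits).
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print each *.pem in DIR and DIR/rootCA that carries an unprotected key and
# is accessible to group or other. Returns 1 if any such file was found.
audit_tls_dir() {
    found=0
    for f in "$1"/*.pem "$1"/rootCA/*.pem; do
        [ -f "$f" ] || continue
        has_plain_key "$f" || continue      # certificates, requests, encrypted keys
        owner_only "$f" && continue         # already restricted to the owner
        echo "EXPOSED $f (no pass phrase, accessible to group/other)"
        found=1
    done
    return "$found"
}

# Usage: audit_tls_dir /.tls
```

With a default umask, server_key.pem and server.pem from steps 6 and 9 are the files this reports; `chmod 600` on them clears the finding.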

Configuring FTP over TLS (AIX to Windows)


Document information

More support for: AIX family

Software version: 6.1

Operating system(s): AIX

Reference #: T1011849

Modified date: 2012-01-31