Secure Internet file transfer protocols

Non-IBM users must use one of the following secure file transfer protocols to access the Secure File Transfer service from the Internet. Non-secure FTP cannot be used over the Internet since it transmits authentication information in clear te t.

Secure FTP over SSL or TLS (FTPS)

FTPS is also !nown "SS# FTP"$ "FTP using SS#" or "FTP using T#S". This is an e tension to the FTP protocol to support secure file transfer using Secure Soc!ets #a%er &SS#' or Transport #a%er Securit% &T#S' technolog%. The Internet (ngineering Tas! Force &I(TF' )F* +,-. Securing FTP with T#S standard &http/00www.fa1s.org0rfc0rfc+,-..t t' was originall% proposed in -223. The FTPS standard has been driven b% IBM *orporation through the I(TF standards process. Man% software vendors$ including IBM$ and open source pro4ects provide support for the FTPS protocol. Note: FTPS is not the same as SS5 FTP &Secure Shell' or SFTP. SFTP is not supported at this time. It is important to note that some customers ma% e perience difficulties using the FTPS protocol through their networ! infrastructures. *ustomers connect to IBM through a variet% of firewalls$ routers and ISPs that ma% perform Networ! 6ddress Translation &N6T' and stateful inspection of FTP traffic flows. *ustomers ma% e perience problems connecting to or using the server due to the wa% some networ! e1uipment handles FTPS flows. These issues are described in an e pired draft I(TF )F* entitled FTP0T#S Friendl% Firewalls &http/00tools.ietf.org0html0draft-murra%-auth-ftp-ssl-72'. If necessar%$ customers should contact their local networ! support and networ! providers to determine how to best support FTPS within their environments. 6n FTP software client that supports the SS# or T#S protocol must be used. There are numerous FTPS software clients available. IBM provides FTPS support on several platforms$ such as 809S -.,.7 and later$ 9S0+77 :;), and later and <ebSphere 5ost 9n-=emand. Man% popular third-part% FTP software vendors provide FTPS support as well. 6n Internet search engine ma% be used to search on "FTP>client>SS#" or "FTP>client>T#S" to identif% third part% or open source alternatives. (ncr%ption of both the FTP control and data channels is re1uired$ however the FTP server also supports use of the *lear *ommand *hannel &***' FTP command. ?se of the *** command causes the

FTP control connection to be sent in clear te t after secure authentication has occurred. Internet users with firewall issues ma% e perience benefit when using an FTP software client that also supports ***. See I(TF )F* ,,,@ FTP Securit% ( tensions &http/00www.ietf.org0rfc0rfc,,,@.t t' for further information on the *** command. The FTP server is configured to support FTP over SS#0T#S using either 6ctive or Passive FTP modes. 5owever$ since 6ctive mode FTP ma% be disabled b% networ! routers or firewalls b% default$ customers ma% have better success using Passive FTP mode. The server uses ports 3;7,+ through 3;;A; for Passive FTP data connections. The server also supports use of the (PS: 6## FTP command as defined in I(TF )F* ,+,@ FTP ( tensions for IPv3 and N6Ts &http/00www.ietf.org0rfc0rfc,+,@.t t'. If supported b% the FTP client$ this ma% provide some benefit to customers using Networ! 6ddress Translation &N6T' devices that also have support for it. The FTP server supports use of SS# version ,$ SS# version A and T#S version -. The server accepts both the 6?T5 SS# &depricated' and 6?T5 T#S commands from the FTP client. The serverBs SS# certificate is signed b% the (1uifa Secure *ertificate 6uthorit% &*6'. If this *6 is not in the list of trusted *6s for %our secure FTP client$ the root certificate ma% be obtained directl% from http/00www.geotrust.com0resources0rootCcertificates0inde .htm. Note also that the server name specified in the certificate is testcase.boulder.ibm.com &and not testcase-%ellow.boulder.ibm.com'. Some client software will validate that the hostname of the server being accessed is the same as the name specified in the server certificate. The SecureTransport Server (nterprise (dition software from Tumbleweed *orporation is used to provide this service. Tumbleweed *orporation also provides SecureTransport *lient software specificall% for use with their server software. *ustomers who ma% be unable to get FTPS to function in their environments ma% consider use of this software$ which supports use of the 5TTPS protocol. 6lthough there are no current plans in this regard$ IBM reserves the right to replace the server software at some future date$ at which time this vendor proprietar% client software would become inoperable. See http/00www.tumbleweed.com0products0securetransport0securetranspor

tCclient.html for further information on the Tumbleweed SecureTransport *lients.

Secure HTTP over SSL/TLS (HTTPS)

5TTP over SS#0T#S &5TTPS' is the secure version of the 5TTP protocol used on the <orld <ide <eb. 5TTPS uses the Secure Soc!ets #a%er &SS#' or Transport #a%er Securit% &T#S' protocols to encr%pt the session data. The Secure File Transfer server supports file upload and download from a web browser using 5TTPS. Note: ?se of the 5TTPS protocol re1uires e plicit login to the Secure File Transfer service. It is not possible to directl% lin! to Secure File Transfer files from another web page.