WU-FTPD 2.6.1 Release Notes (5900-2465, September 2012)

1. Create DSA parameters:
openssl dsaparam -out dsap.pem 1024
2. Create a DSA CA certificate and private key:
openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem
3. Create the CA directories and files:
/opt/openssl/misc/CA.pl -newca
Enter cacert.pem when prompted for the CA file name.
4. Create a DSA certificate request and private key (a different set of parameters can optionally be created first):
openssl req -out newreq.pem -newkey dsa:dsap.pem
5. Sign the request:
CA.pl -signreq
The newcert.pem and privkey.pem files are created. newcert.pem is the certificate that must be loaded by ftpd, and cacert.pem is the CA certificate that must be loaded by the FTP client to verify the server certificate.
NOTE: By default, the CA.pl script prompts for a password to protect the private keys. If you are protecting the private key with a PEM passphrase, enable the ftpd -z password=value option and set the appropriate password.
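The following POSIX shell function is an added example, not part of the release notes, that runs steps 1 to 5 above with plain openssl commands and then performs the checks worth doing before the files are handed to ftpd. It substitutes `openssl x509 -req` for `CA.pl -signreq`, writes the CA private key to a separate cakey.pem instead of appending it to cacert.pem, and uses a constructed passphrase on the server key so the result matches what the CA.pl prompt would produce; the subject names, the output directory argument, and the passphrase are assumptions. The closing checks confirm that the server key is PEM-encrypted (the case the -z password=value note covers), that newcert.pem verifies against cacert.pem exactly as the FTP client will do, and that the certificate's public key matches privkey.pem.

```shell
#!/bin/sh
# Added example (not from the release notes): DSA CA and server certificate
# generation with openssl alone, followed by sanity checks.
# Usage: make_dsa_ca_chain <output-dir> [bits] [server-key-passphrase]
make_dsa_ca_chain() {
    dir=$1
    bits=${2:-1024}          # the release notes use 1024; larger sizes are recommended today
    pass=${3:-example-pass}  # constructed passphrase for the server private key

    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    mkdir -p "$dir" || return 1

    # Step 1: DSA parameters, shared here by the CA key and the server key
    openssl dsaparam -out "$dir/dsap.pem" "$bits" 2>/dev/null &&

    # Step 2: self-signed DSA CA certificate (key kept in its own file, cakey.pem)
    openssl req -x509 -newkey "dsa:$dir/dsap.pem" -nodes \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" \
        -subj "/CN=Example FTP CA" -days 365 2>/dev/null &&

    # Step 4: passphrase-protected server key and certificate request
    openssl req -new -newkey "dsa:$dir/dsap.pem" -passout "pass:$pass" \
        -keyout "$dir/privkey.pem" -out "$dir/newreq.pem" \
        -subj "/CN=ftp.example.test" -days 365 2>/dev/null &&

    # Step 5: sign the request with the CA key (stands in for CA.pl -signreq)
    openssl x509 -req -in "$dir/newreq.pem" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/newcert.pem" -days 365 2>/dev/null &&

    # Check 1: the server key really is PEM-encrypted, so ftpd needs -z password=value
    grep -q 'ENCRYPTED' "$dir/privkey.pem" &&

    # Check 2: the server certificate chains to the CA certificate the client will load
    openssl verify -CAfile "$dir/cacert.pem" "$dir/newcert.pem" >/dev/null &&

    # Check 3: the certificate's public key matches the private key ftpd will load
    [ "$(openssl x509 -in "$dir/newcert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/privkey.pem" -passin "pass:$pass" -pubout)" ]
}
```

After the function returns 0, newcert.pem and privkey.pem go to the ftpd side and cacert.pem to the client side, as the notes describe; if check 2 fails, the client will reject the server certificate at the TLS handshake, so it is better caught here.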
Configuring a WU-FTPD TLS server and an FTP client
This section addresses the following topics:
“Configuring an FTP server in a TLS/SSL environment” (page 10)
“Configuring an FTP client in a TLS/SSL environment” (page 11)
Consider the following points before configuring an FTP TLS server and an FTP client:
You cannot use the TLS security mechanism to secure third-party file transfers (PROXY transfers).
The TLS security mechanism does not use the TCP sendfile() API to transfer data. Therefore, even if the sendfile() API is configured, the TLS security mechanism overrides that configuration.
The usetls, rsacert, rsakey, and CAfile options are the minimum set of configuration flags that must be enabled to secure the FTP control connection using TLS. This is also the minimum configuration sufficient for a user to log in from an FTP client, provided the certificate sent by the FTP client is successfully verified by the CA certificate loaded by the FTP server.
If both the TLS/SSL and Kerberos security features are enabled in FTP, the TLS/SSL feature takes precedence over the Kerberos feature during logon. Therefore, the user is prompted for the username and password even though Kerberos is enabled on the system.
Configuring an FTP server in a TLS/SSL environment
To configure an FTP server in a TLS/SSL environment, complete the following steps:
1. Ensure that the OpenSSL software is installed in the system.
2. For the HP-UX 11i v2 operating system, the WU-FTPD 2.6.1 software bundle provides the FTP product bundle and the SSL libraries as two independent products. So, ensure that the