I am working with my Java service to establish an FTPS connection to another server. Has anyone worked on this before? I also want to understand how we are going to use the PEM certificate to set up a connection.
What I have is PEM file, username/password, port, host.
Hi,
I do not have the exact solution but I do have a few questions/thoughts about this topic.
Have you tried using the FTP-related public services (pub.client:ftp) for this use case? (The Built-In Services guide has detailed information about the FTP services.) Is there a limitation with the existing services because of which you are inclined to use Java services?
PEM certificates are not directly supported in Integration Server and would need to be converted to DER format to use with IS.
For the second point I think this depends on the IS version.
Can you provide us your version please?
Additionally it might be helpful to have a look at the IS Built-In-Services reference (for the first point) and to the IS Java API (for the second point).
Is it the server certificate of the ftps host or some sort of client certificate for the user you are using for connection?
You can check this by renaming or copying the PEM to a CER extension (it is the same file format internally; DER would be a binary-encoded version of the PEM/CER text format). CER is recognized by Windows as a certificate extension while PEM is not. When opening a CER-extended file in Windows it should display some information about the certificate like issuer (a DN), validity, serial number, key algorithms, requester (a DN) etc.
When it is the server certificate for the FTPS (via SSL/TLS), you will only need to add the issuer certificate (and its issuing certificates) to the truststore defined in IS as the global truststore, and you will trust this certificate automatically when it is presented to your server during the connection handshake.
When it is for the user logging in to the FTPS server this gets more complicated, depending on whether you use basic auth with user/password or certificate-based auth with certificate and passphrase.
It is a client certificate. Can you suggest what is best to use? I think I can get the details for both user/password and certificate/passphrase. But for now, I only have the user/password.
About the support for PEM certificates, I checked 10.5 and 10.7 IS Admin guides and concluded that PEM are not directly supported. Was it the case that they were supported earlier? Just curious.
Question answered in a future post , please ignore.
Please have a look at the IS Administrator's Guide for details about certificate handling.
When using certificate-based auth there are built-in services to specify which certificate should be sent to the partner system to identify yourself.
There should be an equivalent in the Java API as well.
I would strongly encourage the OP to not “do FTPS” within Java services. Do whatever payload prep is needed with FLOW, Java if necessary, then do the FTPS file transfer with FLOW steps.
Yes, we tried using pub.client:ftp but I think it is not working as an FTPS (only FTP?). My team suggested to create a Java service to be able to connect to partner’s server.
Another question: how are we going to use the certificate for authentication? I have this code and I want to understand how we are going to insert the cert file into this Java service.
import org.apache.commons.net.ftp.FTPSClient; // Apache Commons Net
FTPSClient ftps = new FTPSClient();           // explicit FTPS (AUTH TLS) by default
ftps.connect(host, port);                     // AUTH TLS and the TLS handshake happen here
ftps.login(username, password);               // credentials are sent inside the TLS session
Apologies but I am just new with working on FTPS. Hope you understand. Thank you so much.
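One way to wire a client certificate into the FTPSClient snippet above, as an added example that is not code from this thread or from webMethods. It assumes Apache Commons Net 3.4 or later, and the host, credentials and keystore path are placeholders; the PEM certificate and key are assumed to have been packed into a PKCS#12 file beforehand.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import javax.net.ssl.KeyManager;
import javax.net.ssl.TrustManager;
import org.apache.commons.net.ftp.FTP;
import org.apache.commons.net.ftp.FTPSClient;
import org.apache.commons.net.util.KeyManagerUtils;
import org.apache.commons.net.util.TrustManagerUtils;

public class FtpsClientCertUpload {
    // Placeholder values for this example. The PEM cert+key is first packed into PKCS#12:
    //   openssl pkcs12 -export -in client.pem -inkey client.key -out client.p12
    static final String HOST = "ftps.partner.example", USER = "ftpuser", PASS = "changeit";
    static final int PORT = 21;
    static final File CLIENT_P12 = new File("client.p12");
    static final String P12_PASS = "changeit";

    public static boolean upload(String remoteName, InputStream data)
            throws IOException, GeneralSecurityException {
        // Explicit FTPS (isImplicit=false): plain TCP connect, AUTH TLS, and the TLS
        // handshake all complete inside connect(), before USER/PASS is written to the socket.
        FTPSClient ftps = new FTPSClient(false);
        // Client certificate: presented when the server requests one during the TLS handshake.
        KeyManager km = KeyManagerUtils.createClientKeyManager("PKCS12", CLIENT_P12, P12_PASS, null, P12_PASS);
        ftps.setKeyManager(km);
        // Server certificate: chain-validate against the JVM truststore (cacerts). The library
        // default trust manager only checks validity dates; never use getAcceptAllTrustManager().
        TrustManager tm = TrustManagerUtils.getDefaultTrustManager(null);
        ftps.setTrustManager(tm);
        ftps.setEndpointCheckingEnabled(true); // hostname verification against the server cert
        try {
            ftps.connect(HOST, PORT);
            if (!ftps.login(USER, PASS)) throw new IOException("login refused: " + ftps.getReplyString());
            ftps.execPBSZ(0);   // required before PROT on a TLS-protected control channel
            ftps.execPROT("P"); // encrypt the data channel too; without it file content goes in clear
            ftps.enterLocalPassiveMode();
            ftps.setFileType(FTP.BINARY_FILE_TYPE);
            boolean stored = ftps.storeFile(remoteName, data);
            ftps.logout();
            return stored;
        } finally {
            if (ftps.isConnected()) ftps.disconnect();
        }
    }
}
```

Running it needs a reachable FTPS server; a failed handshake (untrusted server chain, wrong client keystore password) surfaces as an exception from connect() before any credential is sent.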
I would focus on determining what is amiss there and correct it rather than drop to Java.
Often, servers that offer FTPS connections also support SFTP – might using SFTP be an option? There is more administrative UI support for SFTP than for FTPS.
Addendum:
FTPS is based on SSL/TLS transport security, but unfortunately not for auth data.
SFTP is based on an SSH connection (this means usually port 22).
Additionally IS does not provide support for creating an SFTP listening port, while for FTPS this is possible.
From the IS Built-In-Services Reference for pub.client.ftp:login:
The FTP services will always connect to a secure FTP server using a non-secure (SSL) socket. After getting a valid reply from the AUTH command, the FTP services will convert the connected socket to an SSL socket and initiate SSL handshaking.
Please have a look at the IS Built-In Services Reference documentation, chapter 3 "Client Folder".
There is an additional sub folder for the pub.client.ftp services.
pub.client.ftp:login has an input document structure named secure, where it can be specified how the connection is secured.
This implies that sensitive information is exposed. The AUTH command is used to initialize a secure connection. The USER command to login is after the AUTH.
And exactly this flew in the FTPS protocol was the reason why SFTP was invented instead of adopting the FTPS to allow connecting over secure socket during handshaking.
(I assume “flew” was supposed to be “flaw”)
I'm not sure I understand. FTPS is not insecure. The AUTH command is used to initiate the handshake to establish the secure channel, e.g. AUTH TLS. Nothing sensitive is shared before that. What am I missing?