
Managing Files When the Device Functions as an FTPS Server

Pre-configuration Tasks

Before connecting to the FTPS server to manage files, complete the following tasks:

  • Ensure that routes are reachable between the terminal and the device.
  • Ensure that the FTP client software supporting SSL has been installed on the terminal.

Configuration Procedure

Table 1 describes the procedure for managing files when the device functions as an FTPS server.

Table 1 Managing files when the device functions as an FTPS server

No. | Task | Description | Remarks
1 | Upload the server digital certificate and private key | Upload the digital certificate and private key to the device. | Task 1 must be performed before task 2. The other tasks can be performed in any sequence.
2 | Configure the SSL policy and load the digital certificate | Configure an SSL policy and load the digital certificate to the server. | See task 1.
3 | Configure the FTPS server function and set FTP service parameters | Configure an SSL policy for the FTPS server and set FTPS server parameters including the port number, source address, and timeout duration. | See task 1.
4 | Configure local FTP user information | Configure FTP local users including the service type and authorized directory. | See task 1.
5 | Connect to the device using FTPS | Connect to the device using FTPS on the terminal. | -

Default Parameter Settings

Table 2 Default parameter settings

Parameter | Default Setting
SSL policy | No SSL policy is created for an FTPS server.
FTPS server function | Disabled
Listening port number | 21
FTP user | No local user is created.

Procedure

  • Upload the server digital certificate and private key.

    Upload the server digital certificate and private key file to the security directory on the device in SFTP or SCP mode. If no security directory exists on the device, run the mkdir directory command to create one.

    The server must obtain a digital certificate (including the private key file) from a CA. Clients that connect to the server must also obtain a digital certificate from the same CA so that they can verify the validity of the server digital certificate.

    A certificate authority (CA) is an entity that issues and manages digital certificates. Digital certificates used on the FTPS server must be issued by a CA.

    Digital certificates support the PEM, ASN1, and PFX formats. Regardless of the format, the certificates carry the same content.
    • A PEM digital certificate has the file name extension .pem and is suited to text-based transmission between systems.
    • An ASN1 digital certificate has the file name extension .der and is the default format for most browsers.
    • A PFX digital certificate has the file name extension .pfx and is a binary format that can be converted into the PEM or ASN1 format.

    For details, see the description about uploading files in other modes.

  • Configure the SSL policy and load the digital certificate.

    Load the digital certificate and specify the private key.

    Table 3 Configuring the SSL policy and loading the digital certificate

    Operation: Enter the system view.
    Command: system-view
    Description: -

    Operation: (Optional) Customize the SSL cipher suite.
    Command: ssl cipher-suite-list customization-policy-name
    Description: Customize an SSL cipher suite policy and enter the cipher suite policy view. By default, no customized SSL cipher suite policy is configured.
    Command: set cipher-suite { tls12_ck_dss_aes_128_gcm_sha256 | tls12_ck_dss_aes_256_gcm_sha384 | tls12_ck_rsa_aes_128_gcm_sha256 | tls12_ck_rsa_aes_256_gcm_sha384 | }
    Description: Configure the cipher suites for a customized SSL cipher suite policy. By default, no customized SSL cipher suite policy is configured.
      If a customized SSL cipher suite policy is being referenced by an SSL policy, the cipher suites in the customized cipher suite policy can be added, modified, or partially deleted. Deleting all of the cipher suites is not supported.
      The system software does not support the tls12_ck_rsa_aes_256_cbc_sha256, tls1_ck_dhe_dss_with_aes_128_sha, tls1_ck_dhe_dss_with_aes_256_sha, tls1_ck_dhe_rsa_with_aes_128_sha, tls1_ck_dhe_rsa_with_aes_256_sha, tls1_ck_rsa_with_aes_128_sha, and tls1_ck_rsa_with_aes_256_sha parameters. To use any of these parameters, you need to install the WEAKEA plug-in. For higher security, you are advised to use the other parameters.
    Command: quit
    Description: Return to the system view.

    Operation: Create an SSL policy and enter the SSL policy view.
    Command: ssl policy policy-name
    Description: -

    Operation: (Optional) Set the minimum version of an SSL policy.
    Command: ssl minimum version { tls1.1 | tls1.2 }
    Description: By default, the SSL minimum version of an SSL policy is TLS1.2.
      The system software does not support the tls1.0 parameter. To use the tls1.0 parameter, you need to install the WEAKEA plug-in. For higher security, you are advised to specify the tls1.1 or tls1.2 parameter.

    Operation: (Optional) Bind a customized SSL cipher suite policy to an SSL policy.
    Command: binding cipher-suite-customization customization-policy-name
    Description: By default, no customized cipher suite policy is bound to an SSL policy. Each SSL policy uses a default cipher suite. After a customized cipher suite policy is unbound from an SSL policy, the SSL policy uses one of the following cipher suites supported by default:
      • tls1_ck_rsa_with_aes_256_sha
      • tls1_ck_rsa_with_aes_128_sha
      • tls1_ck_dhe_rsa_with_aes_256_sha
      • tls1_ck_dhe_dss_with_aes_256_sha
      • tls1_ck_dhe_rsa_with_aes_128_sha
      • tls1_ck_dhe_dss_with_aes_128_sha
      • tls12_ck_rsa_aes_256_cbc_sha256
      If the cipher suites in the customized cipher suite policy bound to an SSL policy contain only one type of algorithm (RSA or DSS), the corresponding certificate must be loaded for the SSL policy to ensure successful SSL negotiation.

    Operation: Load the digital certificate in the PEM format.
    Command: certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-filename auth-code cipher auth-code
    Description (applies to all four certificate load commands below): Load the digital certificate in the PEM, ASN1, or PFX format.
      NOTE:
      • You can load a certificate or certificate chain for only one SSL policy. Before loading a certificate or certificate chain, you must unload any existing certificate or certificate chain.
      • When you configure an SSL policy to load a certificate or certificate chain, ensure that the maximum length of the key pair in the certificate or certificate chain is 2048 bits. If the length of the key pair exceeds 2048 bits, the certificate file or certificate chain file cannot be uploaded to the device.
      • Before rolling V200R008C00 or a later version back to an earlier version, back up the SSL private key file.

    Operation: Load the digital certificate in the ASN1 format.
    Command: certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-filename

    Operation: Load the digital certificate in the PFX format.
    Command: certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac cipher mac-code | key-file key-filename } auth-code cipher auth-code

    Operation: Load the digital certificate chain in the PEM format.
    Command: certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key-filename auth-code cipher auth-code

  • Configure the FTPS server function and set FTP service parameters.

    FTPS is based on the FTP protocol. You can enable the FTPS server function and set FTP service parameters.

    Table 4 Configuring the FTPS server function and setting FTP service parameters

    Operation: Enter the system view.
    Command: system-view
    Description: -

    Operation: (Optional) Specify a port number for the FTP server.
    Command: ftp [ ipv6 ] server port port-number
    Description: The default port number is 21.
      If a new port number is configured, the FTP server disconnects all FTP clients and listens for connection requests on the new port number. Attackers who do not know the port number cannot access the listening port of the FTP server.

    Operation: Configure the SSL policy on the FTPS server.
    Command: ftp secure-server ssl-policy policy-name
    Description: The SSL policy specified here must be the one created in the previous step.

    Operation: Enable the FTPS server function.
    Command: ftp [ ipv6 ] secure-server enable
    Description: By default, the FTPS server function is disabled.
      NOTE: To enable the FTPS server function, you must first disable the FTP server function.

    Operation: (Optional) Configure the source address of the FTP server.
    Command: ftp server-source { -a source-ip-address | -i interface-type interface-number }
    Description: This configuration helps to improve device security by filtering both incoming and outgoing packets.
      After the source address of the FTP server is configured, clients must use this address to log in to the FTP server.

    Operation: (Optional) Configure the timeout duration of the FTP server.
    Command: ftp [ ipv6 ] timeout minutes
    Description: By default, the idle timeout duration is 10 minutes.
      If no operation is performed on the FTP server during the timeout duration, the FTP client is automatically disconnected from the FTP server.

    • If the FTPS service is enabled, the port number of the FTPS service cannot be changed. To change the port number, run the undo ftp [ ipv6 ] secure-server command to disable the FTPS service first.

    • After operations on files are complete, run the undo ftp [ ipv6 ] secure-server command to disable the FTPS server function and ensure device security.

  • Configure local FTP user information.

    Before performing operations on files using FTPS, configure the local user name and password, service type, and authorized directory on the FTPS server.

    Table 5 Configuring local FTP user information

    Operation: Enter the system view.
    Command: system-view
    Description: -

    Operation: Enter the AAA view.
    Command: aaa
    Description: -

    Operation: Configure the local user name and password.
    Command: local-user user-name password irreversible-cipher password
    Description: -

    Operation: Configure the local user level.
    Command: local-user user-name privilege level level
    Description: NOTE: The user level must be set to 3 or higher to ensure successful connection establishment.

    Operation: Configure the service type for local users.
    Command: local-user user-name service-type ftp
    Description: By default, a local user can use any access type.

    Operation: Configure an authorized directory.
    Command: local-user user-name ftp-directory directory
    Description: By default, the FTP directory of a local user is empty.
      When multiple FTP users share the same authorized directory, you can run the set default ftp-directory directory command to configure a default directory for these FTP users. In this case, you do not need to run the local-user user-name ftp-directory directory command for each user.

  • Connect to the device using FTPS.

    FTP client software that supports SSL must be installed on the terminal so that the terminal can connect to the FTPS server and manage files through that third-party software.

    The file system limits the number of files in the root directory to 50. Creation of files in excess of this limit in the root directory may fail.
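    The following is an added example of the terminal side of steps 2 and 5 (it is not code from Huawei or from this page): a Python ftplib client that enforces the same TLS floor, CA-based server certificate verification and AES-GCM cipher selection that the SSL policy above configures on the device, and then runs an explicit FTPS session. The device address, port, CA file, user name, password and the OpenSSL cipher names are assumptions.

```python
import ssl
from ftplib import FTP_TLS

# Placeholders (assumed, not from the page): device address, the port set with
# 'ftp server port' (default 21), the issuing CA certificate kept on the
# terminal, and an AAA local user configured with service-type ftp.
DEVICE_HOST = "192.0.2.10"
DEVICE_PORT = 21
CA_FILE = "ca.pem"
USERNAME = "ftpsuser"
PASSWORD = "replace-me"

# OpenSSL names assumed to match the page's tls12_ck_{rsa,dss}_aes_*_gcm_* suites.
GCM_SUITES = ("AES128-GCM-SHA256:AES256-GCM-SHA384:"
              "DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384")

def build_ftps_context(ca_file=None, gcm_only=False):
    """Client TLS context mirroring the device SSL policy: TLS 1.2 floor
    ('ssl minimum version tls1.2' is the server default), server certificate
    required and chained to ca_file (None = default trust store), hostname
    checked; gcm_only offers only the AES-GCM suites listed in Table 3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    if gcm_only:
        ctx.set_ciphers(GCM_SUITES)
    return ctx

def tls12_cipher_names(ctx):
    """TLS 1.2 suites the context offers (TLS 1.3 suites are listed separately)."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]

def list_remote_dir(host=DEVICE_HOST, port=DEVICE_PORT, ca_file=CA_FILE,
                    user=USERNAME, password=PASSWORD):
    """Explicit FTPS session: secure the control channel before the password
    is sent, then protect the data channel for the directory listing."""
    ftps = FTP_TLS(context=build_ftps_context(ca_file, gcm_only=True))
    ftps.connect(host, port, timeout=30)
    ftps.auth()                   # AUTH TLS: server certificate verified here
    ftps.login(user, password)    # credentials travel only inside TLS
    ftps.prot_p()                 # PROT P: encrypt data connections as well
    try:
        return ftps.sock.version(), ftps.nlst()
    finally:
        ftps.quit()
```

    list_remote_dir() returns the negotiated TLS version of the control channel together with the listing of the user's authorized directory; a server still on an unsupported version or a certificate that does not chain to CA_FILE fails at auth() before any credential is sent.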

Verifying the Configuration

  • Run the display ssl policy command to view the SSL policy and digital certificate.
  • Run the display [ ipv6 ] ftp-server command to view the FTPS server status.
  • Run the display ftp-users command to view information about the FTP users who log in to the FTP server.

Copyright © Huawei Technologies Co., Ltd.