
Managing Files When the Device Functions as an FTPS Client

Pre-configuration Tasks

Before the device connects to an FTPS server as a client to manage files, complete the following tasks:

  • Ensure that routes are reachable between the current device and the FTPS server.
  • Load the digital certificate on the FTPS server.
  • Obtain the host name or IP address of the FTPS server, FTPS user name, and password.

Configuration Procedure

Table 1 describes the procedure for managing files when the device functions as an FTPS client.

Table 1 Procedure for managing files when the device functions as an FTPS client

No. 1
Task: Upload the CA certificate and CRL file
Description: Upload the required files to the device.

No. 2
Task: Configure the SSL policy and load the CA certificate and CRL file
Description: -

No. 3
Task: Connect to the FTPS server
Description: -

No. 4
Task: Run FTP commands to perform file-related operations
Description: Run FTP commands to perform file-related operations, such as uploading and downloading files, configuring the file transfer mode, and viewing the online help about FTP commands.

No. 5
Task: (Optional) Change the login user
Description: -

No. 6
Task: Disconnect the FTP client from the FTP server
Description: -

Remarks (all tasks): After the FTPS connection is established, perform tasks 4 and 5 in any sequence.

Procedure

  • Upload the CA certificate and CRL file.

    Upload the CA certificate and CRL file to the security directory on the device in FTP, SFTP, or SCP mode. If no security directory exists on the device, run the mkdir security command to create one.

    • The FTPS client must obtain certificates from the CA to authenticate the digital certificate of the server.

    • The CRL is issued by the CA and contains serial numbers of certificates that are revoked. If the digital certificate is listed in the CRL file, the client cannot authenticate the server successfully and the FTPS connection fails.

    Digital certificates support the PEM, ASN1, and PFX formats. Regardless of the format, the certificates carry the same content.
    • A PEM digital certificate has a file name extension .pem and is applicable to text transmission between systems.

    • An ASN1 digital certificate has a file name extension .der and is the default format for most browsers.

    • A PFX digital certificate has a file name extension .pfx and is a binary format that can be converted into the PEM or ASN1 format.

    The CRL file supports the ASN1 and PEM formats. These two formats represent the same content.

    For details, see the description about uploading files in other modes.

  • Configure an SSL policy and load the CA certificate and CRL file.

    Table 2 Configuring an SSL policy and loading the CA certificate and CRL file

    Operation: Enter the system view.
    Command: system-view
    Description: -

    Operation: (Optional) Customize an SSL cipher suite policy.
    Command: ssl cipher-suite-list customization-policy-name
    Description: Customize an SSL cipher suite policy and enter the cipher suite policy view.
    By default, no customized SSL cipher suite policy is configured.

    Command: set cipher-suite { tls12_ck_dss_aes_128_gcm_sha256 | tls12_ck_dss_aes_256_gcm_sha384 | tls12_ck_rsa_aes_128_gcm_sha256 | tls12_ck_rsa_aes_256_gcm_sha384 }
    Description: Configure the cipher suites for the customized SSL cipher suite policy.
    By default, no customized SSL cipher suite policy is configured.
    If a customized SSL cipher suite policy is being referenced by an SSL policy, the cipher suites in the customized policy can be added, modified, or partially deleted. Deleting all of the cipher suites is not supported.
    The system software does not support the tls12_ck_rsa_aes_256_cbc_sha256, tls1_ck_dhe_dss_with_aes_128_sha, tls1_ck_dhe_dss_with_aes_256_sha, tls1_ck_dhe_rsa_with_aes_128_sha, tls1_ck_dhe_rsa_with_aes_256_sha, tls1_ck_rsa_with_aes_128_sha, and tls1_ck_rsa_with_aes_256_sha parameters. To use any of these parameters, you need to install the WEAKEA plug-in. For higher security, you are advised to use the other parameters.

    Command: quit
    Description: Return to the system view.

    Operation: Create the SSL policy and enter the SSL policy view.
    Command: ssl policy policy-name
    Description: -

    Operation: (Optional) Set the minimum SSL version of the SSL policy.
    Command: ssl minimum version { tls1.1 | tls1.2 }
    Description: By default, the minimum SSL version of an SSL policy is TLS1.2.
    The system software does not support the tls1.0 parameter. To use the tls1.0 parameter, you need to install the WEAKEA plug-in. For higher security, you are advised to specify the tls1.1 or tls1.2 parameter.

    Operation: (Optional) Bind a customized SSL cipher suite policy to the SSL policy.
    Command: binding cipher-suite-customization customization-policy-name
    Description: By default, no customized cipher suite policy is bound to an SSL policy, and each SSL policy uses a default cipher suite. After a customized cipher suite policy is unbound from an SSL policy, the SSL policy uses one of the following cipher suites supported by default:
    • tls1_ck_rsa_with_aes_256_sha
    • tls1_ck_rsa_with_aes_128_sha
    • tls1_ck_dhe_rsa_with_aes_256_sha
    • tls1_ck_dhe_dss_with_aes_256_sha
    • tls1_ck_dhe_rsa_with_aes_128_sha
    • tls1_ck_dhe_dss_with_aes_128_sha
    • tls12_ck_rsa_aes_256_cbc_sha256
    If the customized cipher suite policy bound to an SSL policy contains only one type of algorithm (RSA or DSS), the corresponding certificate must be loaded for the SSL policy to ensure successful SSL negotiation.

    Operation: Load the CA certificate in the PEM format.
    Command: trusted-ca load pem-ca ca-filename
    Description (applies to the three trusted-ca load commands): Load the CA certificate in the PEM, ASN1, or PFX format.
    A maximum of four CA certificates can be loaded in an SSL policy. The loaded CA certificates are added to the existing CA list.
    NOTE:
    Before rolling V200R008C00 or a later version back to an earlier version, back up the SSL private key file.

    Operation: Load the CA certificate in the ASN1 format.
    Command: trusted-ca load asn1-ca ca-filename

    Operation: Load the CA certificate in the PFX format.
    Command: trusted-ca load pfx-ca ca-filename auth-code cipher auth-code

    Operation: Load the CRL file.
    Command: crl load { pem-crl | asn1-crl } crl-filename
    Description: A maximum of two CRL files can be loaded in an SSL policy. The loaded CRL files are added to the existing CRL file list.
    • If the FTPS server provides only one CA certificate (no certificate chain), configure on the client all CA certificates in the validation path, up to and including the root CA certificate.
    • If a certificate chain exists on the FTPS server, configure only the root CA certificate on the client.
    • If no CRL file is loaded, the FTPS connection is not affected, but the client cannot check the server's digital certificate against the CRL. You are advised to load the CRL file and keep it up to date.

  • Connect to the FTPS server.

    Table 3 Connecting to the FTPS server

    Operation: Connect the FTPS client to the FTPS server over IPv4.
    Command: ftp ssl-policy policy-name [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ public-net | vpn-instance vpn-instance-name ]
    Description: Run either of the two commands, depending on the IP address type of the server.

    Operation: Connect the FTPS client to the FTPS server over IPv6.
    Command: ftp ssl-policy policy-name ipv6 host-ipv6-address [ port-number ]
    Description: (same as above)

    Alternatively, run the ftp command to enter the FTP client view and then run the open command to establish the FTP connection.

    You must enter the correct user name and password to enter the FTP client view and manage files on the server.

  • Run FTP commands to perform file-related operations.

    After connecting to the FTPS server, users can run FTP commands to perform file-related operations on the FTPS server.

    User rights are configured on the FTP server.

    The file system limits the number of files in the root directory to 50. Creating files in the root directory beyond this limit may fail.

    Users can perform the following operations in any sequence.

    Table 4 Running FTP commands to perform file-related operations

    Operation: Change the working directory on the server.
    Command: cd remote-directory
    Description: -

    Operation: Change the current working directory to its parent directory.
    Command: cdup
    Description: -

    Operation: Display the working directory on the server.
    Command: pwd
    Description: -

    Operation: Display or change the local working directory.
    Command: lcd [ local-directory ]
    Description: The lcd command displays the local working directory on the client, and the pwd command displays the working directory on the remote server.

    Operation: Create a directory on the server.
    Command: mkdir remote-directory
    Description: The directory name can consist of letters and digits. The following special characters are not supported: < > ? \ :

    Operation: Delete a directory from the server.
    Command: rmdir remote-directory
    Description: -

    Operation: Display information about the specified directory or file on the server.
    Command: dir [ remote-filename [ local-filename ] ] or ls [ remote-filename [ local-filename ] ]
    Description:
    • The ls command displays only the directory or file name, whereas the dir command displays detailed directory or file information such as name, size, and creation date.
    • If no directory is specified in the command, the system searches for the file in the user's authorized directories.

    Operation: Delete a file from the server.
    Command: delete remote-filename
    Description: -

    Operation: Upload one or more files.
    Command: put local-filename [ remote-filename ] or mput local-filenames
    Description:
    • To upload a single file, run the put command.
    • To upload multiple files, run the mput command.

    Operation: Download one or more files.
    Command: get remote-filename [ local-filename ] or mget remote-filenames
    Description:
    • To download a single file, run the get command.
    • To download multiple files, run the mget command.

    Operation: Set the file transfer mode to ASCII or binary.
    Command: ascii or binary
    Description: Select either of them.
    • The default file transfer mode is ASCII.
    • The ASCII mode is used to transfer text files, and the binary mode is used to transfer programs, system software, and database files.

    Operation: Set the data transmission mode to passive or active.
    Command: passive or undo passive
    Description: Select either of them. The default data transmission mode is active.

    Operation: View the online help about FTP commands.
    Command: remotehelp [ command ]
    Description: -

    Operation: Enable the system prompt function.
    Command: prompt
    Description: By default, the prompt function is disabled.

    Operation: Enable the verbose function.
    Command: verbose
    Description: After the verbose function is enabled, all FTP response messages are displayed on the FTP client.

  • (Optional) Change the login user.

    The current user can switch to another user in the FTP client view. The FTP connection between the new user and the FTPS server is the same as the one established by running the ftp ssl-policy command.

    Operation: Change the current user in the FTP client view.
    Command: user user-name [ password ]
    Description: When the login user is switched to another user, the original user is disconnected from the FTP server.

  • Disconnect the FTPS client from the FTPS server.

    Users can run different commands in the FTP client view to disconnect the FTPS client from the FTPS server.

    Operation: Disconnect the FTP client from the FTP server and return to the user view.
    Command: bye or quit
    Description: Select one of them.

    Operation: Disconnect the FTP client from the FTP server and return to the FTP client view.
    Command: close or disconnect
    Description: Select one of them.
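
The whole procedure above, carried out end to end on one device, as an added example that is not part of the Huawei documentation. The SSL policy name ftps-backup, the cipher suite policy name gcm-only, the file names ca.pem, ca_crl.pem, cfgbackup.cfg and patchnotes.txt, the directory name backup2024, the server address 192.0.2.10 (a documentation address) and the user name ftpsuser are all assumed values; the CA certificate and CRL are assumed to be already uploaded to the security directory of the device. Lines starting with # are annotations, not commands, and the exact text of the sub-view prompts is assumed.

```text
# Added example, not from the Huawei documentation. Assumed values: SSL policy
# ftps-backup, cipher suite policy gcm-only, files ca.pem and ca_crl.pem already
# in the security directory, server 192.0.2.10, user ftpsuser. Prompts follow
# the usual VRP pattern; the exact sub-view prompt text is assumed.

# Task 2: SSL policy limited to TLS 1.2 and AES-GCM suites, with CA and CRL.
<HUAWEI> system-view
[HUAWEI] ssl cipher-suite-list gcm-only
[HUAWEI-ssl-cipher-suite-list-gcm-only] set cipher-suite tls12_ck_rsa_aes_256_gcm_sha384
[HUAWEI-ssl-cipher-suite-list-gcm-only] set cipher-suite tls12_ck_rsa_aes_128_gcm_sha256
[HUAWEI-ssl-cipher-suite-list-gcm-only] quit
# The list is RSA-only; note the single-algorithm caveat given for
# binding cipher-suite-customization in Table 2.
[HUAWEI] ssl policy ftps-backup
[HUAWEI-ssl-policy-ftps-backup] ssl minimum version tls1.2
[HUAWEI-ssl-policy-ftps-backup] binding cipher-suite-customization gcm-only
[HUAWEI-ssl-policy-ftps-backup] trusted-ca load pem-ca ca.pem
# Loading the CRL lets the client reject a server whose certificate
# has been revoked; keep ca_crl.pem current.
[HUAWEI-ssl-policy-ftps-backup] crl load pem-crl ca_crl.pem
[HUAWEI-ssl-policy-ftps-backup] quit
# Verification before connecting: check the policy, CA certificate and CRL.
[HUAWEI] display ssl policy
[HUAWEI] quit

# Task 3: connect over IPv4; the user name and password are entered at the
# prompts (prompts and server responses omitted here).
<HUAWEI> ftp ssl-policy ftps-backup 192.0.2.10

# Task 4: file operations. Binary mode keeps configuration and software
# files byte-for-byte intact; passive mode has the client open the data
# connection, which is the mode that usually passes a firewall between the
# device and the server.
[ftp] binary
[ftp] passive
[ftp] verbose
[ftp] pwd
[ftp] mkdir backup2024
[ftp] cd backup2024
[ftp] put cfgbackup.cfg
[ftp] dir
[ftp] get patchnotes.txt

# Task 6: close the FTPS connection and return to the user view.
[ftp] bye
<HUAWEI>
```

The same session could instead enter the FTP client view with the ftp command and connect with open, as the connection table notes; what matters for security is that the policy bound by ftp ssl-policy carries the trusted CA, the CRL, and a TLS 1.2 minimum, since the WEAKEA-only suites and tls1.0 are unavailable without the plug-in and are not advised.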

Verifying the Configuration

  • Run the display ssl policy command to check the SSL policy, CA certificate, and CRL file configured on the FTPS client.
Copyright © Huawei Technologies Co., Ltd.