SSL Certificate-Based Login

EFT Server Enterprise supports authentication using SSL certificates for FTPS, and HTTPS, and AS2 connections, rather than password-based login. This is similar to SFTP authentication in which a particular SFTP key is associated with a user account; when the user logs in and provides the key, as long as the keys match, they are allowed to proceed. Unlike SFTP, SSL offers the option to authenticate using both password and certificate rather one or the other.

Normally, when a client supplies an SSL certificate for the SSL handshake (if requested by EFT Server), EFT Server determines whether that certificate is in the global trusted list. If the certificate is trusted, EFT Server completes the process of negotiating a shared secret and then moves on to the authentication stage, requesting a username followed by a password. If the user enters the wrong password (or no password at all), the authentication attempt fails, even though a certificate was found in the trusted store that matched the client’s certificate.

icon_info.gif

EFT Server determines whether certificate keys used on EFT Server are current and reports the status in the PCI DSS Compliance Report. Refer to Possible Compliance Report Outcomes for more information.

With certificate-based authentication, the sequence of steps would be virtually the same. If certificate-based authentication is enabled, and after the client’s username has been provided, but prior to EFT Server requesting the user’s password, EFT Server verifies that the public-key of the provided certificate matches the certificate in the trusted store that is associated with (mapped to) this particular user’s account. If a match is made, that user is automatically authenticated for that session. If the protocol expects a username/password sequence, EFT Server always returns TRUE, regardless of the password supplied by the client (whether null or invalid pass).

icon_info.gif

Compliance with PCI DSS requires that users change their password upon initial login. Because this login method does not use a password, it potentially violates the PCI DSS and is, therefore, not available on Sites defined using the "strict security settings" option.

To specify SSL certificate-based logins for the Site

  1. In the administration interface, connect to EFT Server and click the Server tab.

  2. In the left pane, click the Site that you want to configure.

  3. In the right pane, click the Connections tab.

  4. Next to SSL certificate settings, click Configure. The SSL Certificate Settings dialog box appears.

    db_sslcertificatesettings.gif

  5. Do one of the following:

  6. To require connecting clients to use the certificate, select the Require SSL certificates from connected clients check box.

  7. Click OK to save the changes.

  8. Click Apply to save the changes on EFT Server.

To specify SSL certificate-based logins for the Settings Template or a User

  1. In the administration interface, connect to EFT Server and click the Server tab.

  2. In the left pane, click the Settings Template or user that you want to configure.

  3. In the right pane, click the Connections tab. (If the SSL Auth button is dimmed, you are using EFT Server "SMB" edition. This feature is available in EFT Server Enterprise only.)

  4. Select the FTPS (SSL/TLS) check box, if not inherited from the Site, then click SSL Auth. The SSL Authentication Options dialog box appears.

    db_sslauthenticationoptions.gif

  5. In the SSL authentication options list, specify the authentication method:

    1. If you need to define a certificate, click Create Cert. The Create SSL Certificate wizard appears.

    2. To view or import certificates, click Cert. Manager. The Certificate Manager appears.

  6. Click OK to close the dialog box.

  7. Click Apply to save the changes on EFT Server.

Related Topics

Creating Certificates

Assigning a Certificate

The Certificate Manager

Enabling FTPS, HTTPS (SSL) on the Site

The AS2 Module