EFT Server supports authentication using SSL (Secure Sockets Layer, a protocol designed and implemented by Netscape Communications, provides for encryption of a session, authentication of a server, and optionally a client, and message authentication.) certificates for FTPS (File Transfer Protocol Secure; (commonly referred to as FTP/SSL); way in which FTP software can perform secure file transfers, involving the use of a SSL/TLS layer below the standard FTP protocol to encrypt the control and/or data channels.), and HTTPS (A secure HTTP connection; HTTP is used, but with TCP port 443 and an additional encryption/authentication layer between HTTP and TCP.), and AS2 (Applicability Statement 2; a specification for data exchange, to perform the task of sending and receiving data via a secure connection. AS2 is also referred to as EDIINT AS2 or EDI over the Internet AS2.) connections, rather than password-based login. This is similar to SFTP (Secure File Transfer Protocol; a network protocol designed by the IETF to provide secure file transfer and manipulation facilities over the secure shell (SSH) protocol.) authentication in which a particular SFTP key is associated with a user account; when the user logs in and provides the key, as long as the keys match, they are allowed to proceed. Unlike SFTP, SSL offers the option to authenticate using both password and certificate rather one or the other.
Normally, when a client supplies an SSL certificate for the SSL handshake (if requested by EFT Server), EFT Server determines whether that certificate is in the global trusted list. If the certificate is trusted, EFT Server completes the process of negotiating a shared secret and then moves on to the authentication stage, requesting a username followed by a password. If the user enters the wrong password (or no password at all), the authentication attempt fails, even though a certificate was found in the trusted store that matched the client’s certificate.
|
|
EFT Server determines whether certificate keys used on EFT Server are current and reports the status in the Compliance Report. Refer to Possible Compliance Report Outcomes for more information. |
With certificate-based authentication, the sequence of steps would be virtually the same. If certificate-based authentication is enabled, and after the client’s username has been provided, but prior to EFT Server requesting the user’s password, EFT Server verifies that the public-key of the provided certificate matches the certificate in the trusted store that is associated with (mapped to) this particular user’s account. If a match is made, that user is automatically authenticated for that session. If the protocol expects a username/password sequence, EFT Server always returns TRUE, regardless of the password supplied by the client (whether null or invalid pass).
|
|
Compliance with PCI DSS (Multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures.) requires that users change their password upon initial login. Because this login method does not use a password, it potentially violates the PCI DSS and is, therefore, not available with HS-enabled Sites. |
To specify SSL certificate-based logins for the Site
In the Administrator, connect to EFT Server and click the Server tab.
In the left pane, click the Site that you want to configure.
In the right pane, click the Connections tab.
Next to SSL certificate settings, click Configure. The SSL Certificate Settings dialog box appears.
Do one of the following:
Create a certificate:
Click Create. The Create SSL Certificate wizard appears.
Follow the steps in Creating Certificates to create the SSL certificate for the Site.
Use an existing certificate:
In the Certificate box, specify the SSL certificate that is required to connect to the Site.
In the Private key box, specify the private key for the certificate.
In the Passphrase and Confirm passphrase boxes, provide the password for the certificate.
To require connecting clients to use the certificate, select the Require SSL certificates from connected clients check box.
Click OK to save the changes.
Click Apply to save the changes on EFT Server.
To specify SSL certificate-based logins for the Settings Level or User
In the Administrator, connect to EFT Server and click the Server tab.
In the left pane, click the Settings Template or user that you want to configure.
In the right pane, click the Connections tab.
Select the FTPS (SSL/TLS) check box, if not inherited from the Site, then click SSL Auth. The SSL Authentication Options dialog box appears.
In the SSL authentication options list, specify the authentication method:
Specified in Settings Template
Password only (the default)
SSL Certificate - If SSL Certificate is specified, the bottom box becomes available. Certificates that are defined on the Site appear in the box. Click the user certificate in the box.
If you need to define a certificate, click Create Cert. The Create SSL Certificate wizard appears.
To view or import certificates, click Cert. Manager. The Certificate Manager appears.
Click OK to close the dialog box.
Click Apply to save the changes on EFT Server.
