SSL Certificate-Based Login

EFT Enterprise supports authentication using SSL certificates for FTPS, and HTTPS, and AS2 connections, rather than password-based login. This is similar to SFTP authentication in which a particular SFTP key is associated with a user account; when the user logs in and provides the key, as long as the keys match, they are allowed to proceed. Unlike SFTP, SSL offers the option to authenticate using both password and certificate rather one or the other.

Normally, when a client supplies an SSL certificate for the SSL handshake (if requested by EFT), EFT determines whether that certificate is in the global trusted list. If the certificate is trusted, EFT completes the process of negotiating a shared secret and then moves on to the authentication stage, requesting a username followed by a password. If the user enters the wrong password (or no password at all), the authentication attempt fails, even though a certificate was found in the trusted store that matched the client’s certificate.

With certificate-based authentication, the sequence of steps would be virtually the same. If certificate-based authentication is enabled, and after the client’s username has been provided, but prior to EFT requesting the user’s password, EFT verifies that the public key of the provided certificate matches the certificate in the trusted store that is associated with (mapped to) this particular user’s account. If a match is made, that user is automatically authenticated for that session. If the protocol expects a username/password sequence, EFT always returns TRUE, regardless of the password supplied by the client (whether null or invalid pass).

The procedures below describe how to specify SSL-based logins for Site, Settings Template, and user accounts.

To specify SSL certificate-based logins for the Site

  1. In the administration interface, connect to EFT and click the Server tab.

  2. On the Server tab, click the Site that you want to configure.

  3. In the right pane, click the Connections tab.

  4. Next to SSL certificate settings, click Configure. The SSL Certificate Settings dialog box appears.

  5. The Certificate box specifies the path to the SSL certificate that is required to connect to the Site.

  6. The Private key box specifies the path to the private key for the certificate.

  7. The Passphraseboxes contains the hidden password for the certificate.

    • To require connecting clients to use the certificate, select the Require SSL certificates from connected clients check box.

  8. Click OK to save the changes.

  9. Click Apply to save the changes on EFT.

To specify SSL certificate-based logins for the Settings Template or a User

  1. In the administration interface, connect to EFT and click the Server tab.

  2. Click the Settings Template or user that you want to configure.

  3. In the right pane, click the Connections tab.

  4. Select the FTPS (SSL/TLS) check box, if not inherited from the Site, and then click SSL Auth. The SSL Authentication Options dialog box appears.

  5. In the SSL authentication options list, specify the authentication method:

    • Specified in Settings Template (if the user account is selected)

    • Password only (the default for the Settings Template)

    • SSL Certificate - If SSL Certificate is specified, the bottom box becomes available. Certificates that are defined on the Site appear in the box. Click the user certificate in the box.

  6. Click OK to close the dialog box.

  7. Click Apply to save the changes on EFT.