Technote (FAQ)
Question
In AIX 6.1 a new ftp security feature was added:

Transport Layer Security (TLS) is a cryptographic protocol that provides secure communication between clients and servers. This enables any user on the system to exchange files in a secure manner if their counterpart offers this extension as well.

Answer
Configuring FTP over TLS (AIX to AIX)

Requires OpenSSL to be installed (at least version openssl-0.9.71-1.aix5.1.ppc.rpm)
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixtbx

Source – http://www.redbooks.ibm.com/redbooks/pdfs/sg247430.pdf

Below are the steps to be followed to setup FTP with TLS in AIX 6.1 (For detailed instructions refer to source)

1. Create directory structure for certificates and key files

> cd

> mkdir .tls

> cd .tls

> mkdir rootCA

> chmod 700 rootCA

> cd rootCA

2. Creating a root level private key and root level certificate request (holding the public key):

> openssl req -newkey rsa:2048 -sha1 -keyout root_key.pem -out root_req.pem

3. Generating the certificate for root (valid approximately 10 years) by self-signing it:

> openssl x509 -req -days 3650 -in root_req.pem -signkey root_key.pem -out root_cert.pem

4. You can have a look at your root certificate just to make sure everything is right by using:

> openssl x509 -in root_cert.pem -text -noout

5. Change directory (to .tls)

> cd ..

6. Now we are creating an RSA key for the first FTP server without a PEM pass

phrase, hence we use a different command than the one we used in step 2 to

create a new key:

> openssl genrsa 2048 > server_key.pem

7.Next, we are creating a certificate request for the key we have just created

(including its public key):

> openssl req -new -key server_key.pem -out server_req.pem

8. Next, we are signing the server key request with our root CA’s private and

self-signed public key. This will create the server certificate (again, this is

valid for approximately 10 years):

> openssl x509 -req -days 3650 -in server_req.pem -CA rootCA/root_cert.pem -CAkey rootCA/root_key.pem -CAcreateserial -out server_cert.pem

9. In order to make server configurations easier as well as the distribution of

certified key files, it is handy to have the server key, the server certificate, and

the root certificate in one single file (OpenSSL supports this). So we are

combining all three files to one file now:

> cat server_key.pem server_cert.pem rootCA/root_cert.pem > server.pem

10. Finally, we adjust the path names in /etc/ftpd.cnf file: (assumes .tls is created in “/” directory)

CERTIFICATE /.tls/server.pem

CERTIFICATE_PRIVATE_KEY /.tls/server.pem

Now try ftp in secure mode,

> ftp -s <hostname>

Configuring FTP over TLS (AIX to Windows)

http://www.ibm.com/developerworks/aix/library/au-aix_secure_filetransfer/index.html?ca=dgr-lnxw06Secure-FTP&S_TACT=105AGX59&S_CMP=grsitelnxw06

Important Links

http://www.ibm.com/developerworks/aix/library/au-aix_secure_filetransfer/index.html?ca=dgr-lnxw06Secure-FTP&S_TACT=105AGX59&S_CMP=grsitelnxw06
http://www.redbooks.ibm.com/redbooks/pdfs/sg247430.pdf
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixtbx