
Clustered FTPS?

Hello everyone,
We have a two node NW6.5 SP3 cluster and we currently have FTP clustered.
The load script actually loads nwftp from the clustered volume: load
nwftpd -c ftp:\etc\ftpserv.cfg (where "ftp" is the virtual server name).
This has been working great for us. However, now we must secure our
connections and I was looking at using FTPS. Our mainframe guy tells me that
he needs the server certificate to transfer using SSL. I sent him the server
certificates from each node, but our problem is that since FTP is running
from a virtual server, the certificate does not match.

What do I need to do? Should I change the load script so that nwftpd loads
from the sys volume on each server? That way the SSL certificates will match
up with whichever node is controlling FTP?

Thanks!
Paul



Re: Clustered FTPS?

Paul Fowler wrote:
> Hello everyone,
> We have a two node NW6.5 SP3 cluster and we currently have FTP clustered.
> The load script actually loads nwftp from the clustered volume: load
> nwftpd -c ftp:\etc\ftpserv.cfg (where "ftp" is the virtual server name).
> This has been working great for us. However, now we must secure our
> connections and I was looking at using FTPS. Our mainframe guy tells me that
> he needs the server certificate to transfer using SSL. I sent him the server
> certificates from each node, but our problem is that since FTP is running
> from a virtual server, the certificate does not match.


Ok, can you send him your Tree CA's exported Public Key? Since all
server and other Certs are derived (technically signed I guess) from
that cert, usually smart SSL/TLS agents can figure it out.

Else, you could mint a cert that includes both servers' IPs (well,
nodeA, NodeB, and VirtualNode as well). But I am not sure how to tell
FTP to use a specific cert. Actually, thinking about it, I do not think
you can do it.

> What do I need to do? Should I change the load script so that nwftpd loads
> from the sys volume on each server? That way the SSL certificates will match
> up with whichever node is controlling FTP?
>
> Thanks!
> Paul
>
>


Re: Clustered FTPS?

I'll give that a try and let you know the results.
Thanks for the information!
Paul

"Geoffrey Carman" <geoffc@yorku.ca> wrote in message
news:wYRFe.9322$Y_1.1791@prv-forum2.provo.novell.com...
> Paul Fowler wrote:
> > Hello everyone,
> > We have a two node NW6.5 SP3 cluster and we currently have FTP clustered.
> > The load script actually loads nwftp from the clustered volume: load
> > nwftpd -c ftp:\etc\ftpserv.cfg (where "ftp" is the virtual server name).
> > This has been working great for us. However, now we must secure our
> > connections and I was looking at using FTPS. Our mainframe guy tells me that
> > he needs the server certificate to transfer using SSL. I sent him the server
> > certificates from each node, but our problem is that since FTP is running
> > from a virtual server, the certificate does not match.
>
> Ok, can you send him your Tree CA's exported Public Key? Since all
> server and other Certs are derived (technically signed I guess) from
> that cert, usually smart SSL/TLS agents can figure it out.
>
> Else, you could mint a cert that includes both servers IP's (Well
> nodeA, NodeB, and VirtualNode as well). But I am not sure how to tell
> FTP to use a specific Cert. Actually thinking about it, I do not think
> you can do it.)
>
> > What do I need to do? Should I change the load script so that nwftpd loads
> > from the sys volume on each server? That way the SSL certificates will match
> > up with whichever node is controlling FTP?
> >
> > Thanks!
> > Paul




Re: Clustered FTPS?

>>Ok, can you send him your Tree CA's exported Public Key? Since all
>>server and other Certs are derived (technically signed I guess) from
>>that cert, usually smart SSL/TLS agents can figure it out.
>>
>>Else, you could mint a cert that includes both servers IP's (Well
>>nodeA, NodeB, and VirtualNode as well). But I am not sure how to tell
>>FTP to use a specific Cert. Actually thinking about it, I do not think
>>you can do it.)


You should be able to create a cert using the virtual server's DNS name
for each physical server (it's a little strange, but it does work. The
Novell CA does not allow you to create certs for virtual servers
directly). IIRC, that's how I enabled SSL for GroupWise Messenger.
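
The name mismatch discussed in this thread, as an added example that is not part of the original posts: a stdlib-only Python check of which client-facing names a certificate covers, comparing a per-node certificate with one that also names the virtual server. All host names, addresses and both sample certificates are constructed; the dict layout is the one returned by `ssl.SSLSocket.getpeercert()`.

```python
import ipaddress

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); every name and address here is made up.
NODE_A_CERT = {"subject": ((("commonName", "nodea.example.com"),),),
               "subjectAltName": (("DNS", "nodea.example.com"),
                                  ("IP Address", "192.0.2.11"))}
CLUSTER_CERT = {"subject": ((("commonName", "ftp.example.com"),),),
                "subjectAltName": (("DNS", "ftp.example.com"),
                                   ("DNS", "nodea.example.com"),
                                   ("DNS", "nodeb.example.com"),
                                   ("IP Address", "192.0.2.10"))}

# Addresses a client could dial: the virtual server (name and IP) and both nodes.
TARGETS = ["ftp.example.com", "192.0.2.10", "nodea.example.com", "nodeb.example.com"]

def _dns_match(pattern, host):
    """RFC 6125-style match: '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(cert, target):
    """True if the certificate is valid for the name or IP the client dials."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:  # IP targets match only iPAddress SAN entries
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    dns = [v for k, v in sans if k == "DNS"]
    if not dns:  # legacy fallback: no DNS SAN present, use the subject CN
        dns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(p, target) for p in dns)

def coverage_report(cert, targets):
    """Map each address a client might use to whether the cert matches it."""
    return {t: cert_covers(cert, t) for t in targets}

if __name__ == "__main__":
    for label, cert in (("node A cert", NODE_A_CERT), ("cluster cert", CLUSTER_CERT)):
        print(label, coverage_report(cert, TARGETS))
```
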