Configure SSL/TLS (FTP Client)

note

SSL/TLS connections use digital certificates for authentication. Depending on how your certificate was issued and the way your host is configured, you may need to install a host and/or personal certificate before you can connect using SSL/TLS.

To configure a secure SSL/TLS connection in the FTP Client

  1. Start the FTP Client.

    This opens the Connect to FTP Site dialog box. (If the FTP Client is already running and this dialog box is not open, go to Connection > Connect.)

  2. Perform one of the following tasks:

    | To | Do This |
    | --- | --- |
    | Create a new site | From the Connect to FTP Site dialog box, click New. In the Add FTP Site dialog box, enter the name or IP address of your FTP server host, and then click Next. In the Login Information dialog box, select User. |
    | Modify an existing site | From the Connect to FTP Site dialog box, select a site. |

  3. Select Security.

  4. From the SSL/TLS section of the Security Properties dialog box, select Use SSL/TLS Security.

  5. (Optional) To specify the minimum allowable level of encryption for SSL/TLS connections, select a level in the Encryption strength list. The connection fails if this level cannot be provided.

    | Encryption strength options | Description |
    | --- | --- |
    | Recommended ciphers | The FTP Client will negotiate with the host system to choose the strongest encryption level supported by both the host and the client. This new setting will contain the recommended encryption level from Rocket Software, and will change periodically. NOTE: If you are running in FIPS mode and select Recommended Ciphers, the FTP Client will negotiate using only FIPS compliant encryption levels. |
    | Custom ciphers | If you select Custom ciphers, you will be prompted to select from a list of available ciphers in the Custom ciphers list view. NOTE: Session files from previous versions of Reflection that use default, 168, 128 or 256 bit Encryption Strength will be imported as Custom Ciphers and maintain the list that was used in prior versions for those settings options. |

  6. (Optional) Select the PKI section in the left side-menu.

    This will open the PKI Configuration settings, from which you can manage the digital certificates used for authentication.

    To use the Reflection Certificate Manager

    1. From the PKI Configuration settings select Reflection Certificate Manager.

    2. In the Reflection Certificate Manager dialog box, select the Trusted Certificate Authorities tab.

    3. Select Import and browse to select the CA certificate for the server.

    4. Modify default settings as required. (For example, to use only the Reflection Certificate Manager, you might choose to clear Use System Certificate Store for SSL/TLS connections. When this option is selected, Reflection FTP Client looks for certificates in both the Reflection Certificate Manager store and the Windows certificate store.)

    note

    When you customize any of the default PKI settings, the pki_config file is created.

    5. Close the Certificate Manager dialog box and click OK to close the other open dialog boxes.

      The imported certificate is saved in the trust_store.p12 file.

      After a connection is established, click the Save button on the toolbar and save the session document.

  7. Perform one of the following tasks:

    | If you are | Do This |
    | --- | --- |
    | Creating a new site | Click OK to close the Security Properties dialog box and then click Next. In the FTP User Login dialog box, type your user name on the FTP server and then click Next. Click Finish. |
    | Modifying an existing site | Click OK to close the open dialog boxes. |

note

  • Before making an SSL/TLS connection, Reflection authenticates the host system. The certificate presented by the host for this purpose must be from a trusted certificate authority. If your computer does not recognize the certificate authority, you will not be able to make SSL/TLS connections. Depending on how a host certificate was issued, you may need to install the certificate on your computer.

  • When you make an SSL/TLS connection, a padlock icon indicates that the data stream is encrypted. A key icon indicates that the command channel (including the entered password) is encrypted.
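
The choices made in this procedure (require TLS, restrict the cipher list, trust only the imported CA, and protect both the command and data channels) can be expressed and checked from a script. The following Python standard-library example is added here for illustration and is not Rocket Software code; the function names, the default cipher string, and the host, credentials and PEM file path passed to `probe` are assumptions of this example.

```python
import ssl
from ftplib import FTP_TLS


def build_context(ca_file=None, ciphers="ECDHE+AESGCM"):
    """TLS client policy mirroring the dialog's choices (hypothetical helper)."""
    # PROTOCOL_TLS_CLIENT turns on certificate and host name verification and
    # loads no CA certificates, comparable to clearing
    # "Use System Certificate Store for SSL/TLS connections".
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Restrict the TLS 1.2 suites, comparable to a "Custom ciphers" list: the
    # handshake fails if the host supports none of them. TLS 1.3 suites are
    # configured separately by OpenSSL and are not changed by this call.
    ctx.set_ciphers(ciphers)
    if ca_file:
        # PEM file holding the CA certificate that issued the host certificate.
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def describe(ctx):
    """Summarise the policy so it can be reviewed before any connection."""
    return {
        "verify": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
        "trusted_cas": ctx.cert_store_stats()["x509_ca"],
        "tls12_suites": sorted(c["name"] for c in ctx.get_ciphers()
                               if c["protocol"] == "TLSv1.2"),
    }


def probe(host, ca_file, user, password, port=21):
    """Connect with explicit FTPS and return the negotiated version and suite."""
    ftps = FTP_TLS(context=build_context(ca_file), timeout=15)
    ftps.connect(host, port)
    ftps.login(user, password)  # issues AUTH TLS first: command channel encrypted
    ftps.prot_p()               # PROT P: later data connections are encrypted too
    version, suite = ftps.sock.version(), ftps.sock.cipher()[0]
    ftps.quit()
    return version, suite
```

If `probe` raises `ssl.SSLCertVerificationError`, the host certificate does not chain to the CA in `ca_file` or does not match the host name, which is the same condition that prevents the FTP Client from connecting until the CA certificate is imported.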