Tivoli Directory Integrator, Version 7.0

FTP Client Connector

The FTP Client Connector is a transport Connector that requires a Parser to operate. The Connector reads or writes a data stream that can either be a file or a directory listing. Think of the FTP Client Connector as a remote read/write facility, not something you use to transfer files.

This Connector supports FTP Passive Mode, as per RFC 959. Passive Mode reverses who initiates the data connection in a file transfer. Normally the server initiates a data connection to the client (after a command from the client), whereas passive mode enables the client to initiate the data connection. This makes it easier to transfer files when the client is behind a firewall.

Notes:
  1. Iterator mode supports the operations get and list; AddOnly supports put.
  2. This Connector is not intended for transferring binary files.

With proper configuration, this Connector supports FTP over SSL (FTPS) connections, to provide secure transfers.

SSL support

The FTP Client Connector supports FTPS and can perform secure transfers. This involves the use of an SSL/TLS layer below the standard FTP protocol to encrypt the control and/or data channels used by FTP. There are two common uses of FTPS:

The FTP Client Connector supports only implicit FTPS, so an SSL handshake must be performed before any transfer. As stated above, the FTP protocol uses two channels to operate: the control (command) channel is used for sending commands to the FTP server, and the data channel is used for data transfer. To allow greater granularity, the FTP Client Connector lets you turn on SSL support for each of the channels.

Using the Security parameter, you can specify the following options: None, Use SSL on control channel, Use SSL on control and data channels. The first implies that no SSL support will be provided and no security benefits can be expected.

When Use SSL on control channel is selected, the control (command) channel uses SSL. In this case the certificate used by the FTP server must be added to the truststore of IBM® Tivoli® Directory Integrator (this truststore is set by the javax.net.ssl.trustStore property in the solution.properties file). That way the client can authenticate the server and communication will succeed. Also when using this option, remember to change the port used by the connector to the one that the server uses for FTP/SSL connections (the default is 990).

The other option providing SSL support is Use SSL on control and data channels. When this is selected, the client attempts to negotiate a secure data channel in addition to securing the control channel. This is done by sending the "PBSZ 0" and "PROT P" commands to the server. The PBSZ command defines the largest buffer size to be used for application-level encoded data sent or received on the data connection. However, since TLS/SSL handles blocking of data, a '0' parameter is used. The other command (PROT) defines the protection used for FTP data connections, where the "P" parameter stands for Private: TLS/SSL will be used, which provides Integrity and Confidentiality protection.
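The control-channel exchange described above, written against plain JSSE as an added example (it is not the Connector's own code): the TLS handshake comes before the first FTP reply, then PBSZ 0 and PROT P are sent and their replies checked. The class name, the FTPS_PASSWORD environment variable, the command-line arguments and the expected reply codes (220, 331, 230, 200, 221, as defined by the FTP specifications) are assumptions of this example.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class ImplicitFtpsControl {
    private final BufferedReader in;
    private final OutputStreamWriter out;

    ImplicitFtpsControl(SSLSocket s) throws IOException {
        s.startHandshake();          // implicit FTPS: TLS first; server cert is checked against the truststore
        in = new BufferedReader(new InputStreamReader(s.getInputStream(), StandardCharsets.US_ASCII));
        out = new OutputStreamWriter(s.getOutputStream(), StandardCharsets.US_ASCII);
        expect(readReply(), "220");  // the greeting is only readable after the handshake
    }

    /** Return the final line of a reply, skipping "ddd-" continuation lines. */
    private String readReply() throws IOException {
        for (String line; (line = in.readLine()) != null; ) {
            if (line.matches("\\d{3}( .*)?")) return line;
        }
        throw new IOException("control connection closed");
    }

    private static void expect(String reply, String code) throws IOException {
        if (!reply.startsWith(code)) throw new IOException("expected " + code + ", got: " + reply);
    }

    void command(String cmd, String code) throws IOException {  // send one command, require one reply code
        out.write(cmd + "\r\n");
        out.flush();
        expect(readReply(), code);
    }

    public static void main(String[] args) throws IOException {
        String host = args[0], user = args[1];   // hypothetical inputs
        String password = java.util.Objects.requireNonNull(System.getenv("FTPS_PASSWORD"), "set FTPS_PASSWORD");
        try (SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, 990)) {
            ImplicitFtpsControl ftp = new ImplicitFtpsControl(s);
            ftp.command("USER " + user, "331");
            ftp.command("PASS " + password, "230");
            ftp.command("PBSZ 0", "200");   // no application-level buffer: TLS does the framing
            ftp.command("PROT P", "200");   // P = Private: data connections must use TLS
            ftp.command("QUIT", "221");
        }
    }
}
```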

The Security parameter lists the allowed set of security options for the FTP Client Connector. However, when the connector is created using scripts there is one other option. Since its security parameters are passed as arguments when it connects to the FTP server (for example, connect(String host, String user, String password, boolean useSSLonCommandChannel, boolean useSSLonDataChannel) ), it is possible to enable SSL on the data channel and not on the control channel. This configuration would have the client connect to the SSL/TLS port of the server and send a plaintext message. The attempt certainly won't succeed, so the FTP Client Connector checks for this case and displays an error message when the AssemblyLine is started.

As stated above, the FTP Client Connector can operate in two modes: Active and Passive. In Passive mode, the FTP server waits for connections from the FTP Client Connector (for the command and data channels). When this occurs the server sends its certificate to the client and SSL communication is possible. In Active mode the situation is the same for the command channel, but this time the client listens for connections (for the data channel). In normal cases this would require the client to send its certificate to the server for validation. To overcome this problem, the SSL session is run in client mode: the SSL roles are reversed (the TCP server acts as SSL client and the TCP client as SSL server, so again the server sends its certificate to the client). This is achieved by the setUseClientMode(true) method.
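How the reversed roles look in JSSE, as an added example rather than the Connector's source: the client is the TCP listener for the active-mode data connection but still acts as TLS client, so the server presents its certificate. The class and method names, the command-line arguments and the extra host-name check are assumptions of this example; the data port is assumed to have been announced to the server on the control channel already.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class ActiveModeTlsData {

    /** Accept the server's inbound data connection and run TLS over it as the TLS client. */
    static SSLSocket acceptAsTlsClient(ServerSocket listener, String ftpHost) throws IOException {
        Socket plain = listener.accept();              // active mode: the FTP server dials in
        try {
            // Default factory: trust anchors come from javax.net.ssl.trustStore.
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket tls = (SSLSocket) factory.createSocket(plain, ftpHost, plain.getPort(), true);
            tls.setUseClientMode(true);                // TCP listener, but TLS client
            SSLParameters params = tls.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");  // certificate name must match ftpHost
            tls.setSSLParameters(params);
            tls.startHandshake();                      // throws if the certificate is not trusted
            return tls;
        } catch (IOException e) {
            plain.close();                             // do not leak the raw socket on failure
            throw e;
        }
    }

    public static void main(String[] args) throws IOException {
        String ftpHost = args[0];                      // hypothetical: name in the server's certificate
        int dataPort = Integer.parseInt(args[1]);      // hypothetical: port already sent to the server
        try (ServerSocket listener = new ServerSocket(dataPort);
             SSLSocket data = acceptAsTlsClient(listener, ftpHost);
             BufferedReader in = new BufferedReader(
                     new InputStreamReader(data.getInputStream(), StandardCharsets.US_ASCII))) {
            for (String line; (line = in.readLine()) != null; ) {
                System.out.println(line);              // ASCII payload, e.g. a directory listing
            }
        }
    }
}
```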

Character Encoding

The FTP Client Connector uses a configured Parser for reading and writing. Therefore data is read from/written to the FTP server using this parser's Character Encoding parameter. If no such parameter is specified, the default character encoding of the platform running the IBM Tivoli Directory Integrator is used.

Configuration

The Connector needs the following parameters:

FTP Hostname
The hostname or IP address on which the FTP Server resides that the Connector will connect to.
FTP Port
The FTP TCP port (defaults to 21).
Login User
The login username.
Login Password
The login password.
Operation
The intended operation. Select get to read a file (Iterator), put to write a file (Add Only), or list to do a directory listing (Iterator).
Remote Path
Initial remote directory (for list) or file (for get/put) to access.
Transfer Mode
ASCII or Binary. ASCII is the only supported mode.
Passive Mode
When this checkbox is enabled, the FTP Client Connector connects to the FTP Server in passive mode instead of active mode. This parameter is ignored on an IPv6 connection, since IPv6 always uses passive mode.
Security
Depending on the option selected, the FTP Client Connector won't use an SSL secure connection, will use one for the control channel, or will use one for both the control and data channels. Available values are: None, Use SSL on control channel, Use SSL on control and data channels.
Detailed Log
If this parameter is checked, more detailed log messages are generated.

From the Parser pane, you select the mandatory Parser. For example, Line Reader is a useful parser for list, or if you simply want to copy one file. The select dialog is activated by pressing the top-left Select Parser button.

See also

The FTP object,
URL Connector,
Old HTTP Client Connector,
Old HTTP Server Connector.
(C) Copyright IBM Corporation, 2003, 2009. All Rights Reserved.