Client certificate authentication (SECURE_LOGIN, SECURE_PASSWORD)
These settings are available only when configuring an FTP server.
Use these settings to indicate whether the FTP server requires client authentication.
These settings apply to both TLS and Kerberos; however, only the "Verify client user ID" selection
modifies the behavior for Kerberos. Also note that the term "certificate" is TLS terminology. In Kerberos
terminology, the equivalent of a certificate is a ticket, which contains credentials.
- "Require client certificate authentication"
  - Check to indicate that you want the server to authenticate client certificates.
    This selection does not affect Kerberos behavior. Kerberos always processes the client's ticket.
    For TLS, client certificate authentication occurs during the SSL handshake.
    To pass authentication, the Certificate Authority (CA) that signed the client certificate must be
    trusted by the server. This means that a certificate for the CA that issued the client certificate is listed as
    trusted in the server's keyring.
- "Verify client user ID"
  - Check to indicate that, in addition to client certificate authentication, the user's ID is further verified.
    For TLS:
    - The server verifies that the certificate has been registered with your SAF-compliant security product,
      such as RACF, and has an associated user ID matching the login user ID.
    - Additionally, if the SERVAUTH class of RACF (or another security product) is active and
      a RACF resource has been defined for the port,
      the connection is allowed only if the user ID associated with the client certificate has READ access to that resource.
    For Kerberos, the user ID in the client's ticket is verified to match the login user ID.
- "Do not prompt for a password"
  - Check to indicate that client certificate authentication is used to eliminate the login password prompt.
    The client supplies only the login user ID to establish the session.
    This setting applies only to TLS.
    The certificate received from the client must be registered in the security product and must be associated
    with the login user ID. You can use the RACDCERT ADD command to register the certificate and associate it with the user ID.
    If the certificate is either not registered or not associated with the user ID,
    the user is prompted for a password. However, if you also checked "Verify client user ID", the login
    fails because the user ID could not be verified.
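The three selections above correspond to the SECURE_LOGIN and SECURE_PASSWORD statements named in the title. The FTP.DATA fragment below is an added example written for this page, not a fragment taken from the page or from the product documentation; the statement values (NO_CLIENT_AUTH, REQUIRED, VERIFY_USER, OPTIONAL), the EXTENSIONS AUTH_TLS statement, and the RACF command forms in the note after it are assumed from FTP.DATA and RACF syntax rather than stated on the page.

```text
; FTP.DATA fragment (added example; statement values assumed, not taken from the page).
; Enables TLS on the control connection and maps the three panel selections
; to SECURE_LOGIN / SECURE_PASSWORD.
EXTENSIONS      AUTH_TLS        ; assumed: advertise AUTH TLS to clients

; "Require client certificate authentication" + "Verify client user ID":
; the client certificate must chain to a CA in the server keyring, and the
; certificate must be registered to the same user ID the client logs in with.
SECURE_LOGIN    VERIFY_USER

; "Do not prompt for a password": the registered certificate stands in for the
; password. If the certificate is not registered to the login user ID, the
; server falls back to a password prompt; combined with VERIFY_USER above,
; that login fails instead of prompting.
SECURE_PASSWORD OPTIONAL

; Alternatives (assumed values):
;   SECURE_LOGIN    NO_CLIENT_AUTH   ; neither checkbox: client certificate not required
;   SECURE_LOGIN    REQUIRED         ; first checkbox only: CA trust check, no user ID check
;   SECURE_PASSWORD REQUIRED         ; default: always prompt for a password
```

With VERIFY_USER and OPTIONAL in place, the certificate must be registered to the login user ID before that user can connect. An assumed form of the registration the page refers to is `RACDCERT ID(FTPUSER) ADD('FTPUSER.CLIENT.CERT') WITHLABEL('FTP client') TRUST`, followed by `SETROPTS RACLIST(DIGTCERT) REFRESH` if the DIGTCERT class is RACLISTed (FTPUSER and the data set name are placeholders). If you also protect the port through SERVAUTH, the resource name form `EZB.FTP.<sysname>.<ftpdname>.PORT<port>` is assumed here: define it with `RDEFINE SERVAUTH ... UACC(NONE)` and grant `PERMIT ... CLASS(SERVAUTH) ID(FTPUSER) ACCESS(READ)` only to the user IDs whose certificates should be able to use that port. A quick check that the CA trust requirement is met is to list the server's keyring with `RACDCERT ID(<ftpserverid>) LISTRING(<ringname>)` and confirm the issuing CA certificate appears there with TRUST status.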