Control connection security level (SECURE_CTRLCONN)
This setting indicates the level of security used on control connections and applies only to
Kerberos. When TLS is used, the control connection is always enciphered, and this setting has no
effect on the TLS behavior.
Terminology
Definitions for terms used on the page.
- Integrity protected, data integrity, or data authentication
- Indicates an algorithm is applied to the data being transferred so that the receiving program
can verify the data was not modified or replaced during the transfer. Integrity protection does not hide the data.
- Privacy protected
- Indicates an algorithm is applied to the data being transferred that encrypts the data so that
only the receiving program, which holds the required key, can decrypt it to its original form.
The original data cannot be seen or interpreted while it is in transit.
- Raw
- Indicates data is transmitted without any encryption or data integrity algorithm being applied.
- Encipher or cipher algorithm
- On this page, indicates that the data being transferred is integrity protected, privacy protected, or both.
The term does not say which algorithm is used and, by itself, does not mean the data is encrypted.
The system Kerberos (Network Authentication Service) provides the encryption and
integrity algorithms. You can request that the control connection data (FTP commands and replies)
be enciphered for integrity protection only, or for both privacy and integrity
protection. The algorithms used by Kerberos cannot be customized or negotiated.
The data transferred on a control connection is always FTP commands and replies, so a raw control
connection exposes those commands and replies, including file and directory names, to anyone on the
network path and lets them be altered in transit.
The control connection security level setting is available both when configuring a client and a server.
Selections when configuring an FTP Server
- CLEAR
- Indicates the client decides whether data is transferred raw, integrity protected only, or both
integrity and privacy protected. The server enforces no protection with this setting; choose SAFE or
PRIVATE if the server must guarantee it.
- PRIVATE
- Indicates the server requires data to be transferred using both integrity and privacy protection.
Clients attempting to send raw data, or data that is integrity protected only, are rejected.
- SAFE
- Indicates the server requires data to be transferred using integrity protection only, or using both integrity
and privacy protection.
Clients attempting to send raw data are rejected.
Selections when configuring an FTP Client
Before you begin, understand that the level of security for control connections is determined both by the
configuration setting on this page and by commands an FTP user may issue during an FTP session. The configured
setting acts as a floor: the user can raise the level during the session but cannot lower it below the
configured setting. The following commands can be issued by the user:
- cprotect clear
- Sets the security level so that data is transferred raw.
- cprotect private
- Sets the security level so that data is transferred both integrity protected and privacy protected.
- cprotect safe
- Sets the security level so that data is transferred integrity protected only.
- CLEAR
- Indicates the data can be transferred raw, integrity protected only, or both integrity and privacy protected.
By default, data is transferred raw. During the FTP session the user can issue cprotect safe to switch to
integrity protection only, cprotect private to switch to both integrity and privacy protection, and
cprotect clear to return to raw transfer.
- PRIVATE
- Indicates the client requires data to be transferred both integrity and privacy protected. The level
cannot be lowered during the session.
- SAFE
- Indicates the data can be transferred integrity protected only, or both integrity and privacy protected.
By default, data is transferred integrity protected only. During the FTP session the user can issue
cprotect private to switch to both integrity and privacy protection, and cprotect safe to return to
integrity protection only. cprotect clear is not permitted with this setting, because raw transfer is
not allowed.
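The interaction between the server setting, the client setting and the cprotect commands is easier to check as a small model than by reading the lists above. The following Python is an added example, not IBM code and not part of this page: it encodes the server rule (CLEAR lets the client decide, SAFE needs at least integrity, PRIVATE needs both) and the client rule (the configured setting is a floor that cprotect cannot go below), and walks a constructed session script through both. The names Level, server_accepts, cprotect and simulate are my own, and applying the server check to each FTP command at the level in force when it is sent is a modelling assumption.

```python
from enum import IntEnum


class Level(IntEnum):
    """Control connection security levels, ordered from weakest to strongest."""
    CLEAR = 0    # raw: neither integrity nor privacy protection
    SAFE = 1     # integrity protected only
    PRIVATE = 2  # integrity and privacy protected


def server_accepts(server_setting: Level, level: Level) -> bool:
    """Server-side rule from the page: CLEAR lets the client decide, SAFE
    requires at least integrity protection, PRIVATE requires both."""
    return level >= server_setting


def cprotect(client_setting: Level, subcommand: str) -> Level:
    """Apply a 'cprotect clear|safe|private' subcommand on the client.

    The configured client setting is treated as a floor (an assumption drawn
    from the CLEAR/SAFE/PRIVATE descriptions above): the user may raise the
    level or return to the configured default, but never drop below it.
    Raises ValueError for an unknown subcommand or a disallowed downgrade.
    """
    try:
        requested = Level[subcommand.strip().upper()]
    except KeyError:
        raise ValueError(f"unknown cprotect subcommand: {subcommand!r}") from None
    if requested < client_setting:
        raise ValueError(
            f"cprotect {subcommand} is not allowed when the client setting is {client_setting.name}")
    return requested


def simulate(server_setting: Level, client_setting: Level, script):
    """Walk a constructed session script and report what happens at each step.

    Script items are ("cprotect", "<subcommand>") or ("cmd", "<FTP command>").
    The server check is applied to each FTP command at the level in force when
    it is sent (a modelling assumption). Returns a list of (text, level, outcome).
    """
    level = client_setting  # page: CLEAR defaults to raw, SAFE to integrity only, PRIVATE to both
    log = []
    for kind, text in script:
        if kind == "cprotect":
            try:
                level = cprotect(client_setting, text)
                outcome = "ok"
            except ValueError as exc:
                outcome = f"refused: {exc}"
            log.append((f"cprotect {text}", level, outcome))
        else:
            outcome = "accepted" if server_accepts(server_setting, level) else "rejected"
            log.append((text, level, outcome))
    return log


if __name__ == "__main__":
    # Constructed example: server configured SAFE, client configured CLEAR.
    # The first and last PWD go out raw and are rejected; the middle one,
    # sent after cprotect safe, is accepted.
    script = [("cmd", "PWD"), ("cprotect", "safe"), ("cmd", "PWD"),
              ("cprotect", "clear"), ("cmd", "PWD")]
    for text, level, outcome in simulate(Level.SAFE, Level.CLEAR, script):
        print(f"{text:18} level={level.name:8} {outcome}")
```

Running the model with a PRIVATE server and a SAFE client shows the two failure modes side by side: the client's default level (integrity only) is rejected by the server until the user issues cprotect private, and cprotect clear is refused by the client itself because SAFE does not allow raw transfer.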