Often you will have a requirement to ensure that an ODI Linux server can connect to a Windows 2012 R2 FTPS server secured with an SSL/TLS certificate. This document details the configuration steps required to connect a Linux machine to a Windows FTPS server.
This proof of concept was carried out in an Amazon AWS environment. The Windows FTPS server is firewalled, the test Linux machine is on the same subnet and also firewalled, and the security groups and host firewalls allow only the control port 21 and the passive data port range 49152-65535.
The detail below shows the configuration and testing that took place within the AWS environment.
• The Windows 2012 FTPS server is built and a certificate is bound to the FTPS site.
• This certificate needs to be exported from the Windows host; usually this will be in the form of a .pfx file. Be aware that a .pfx also contains the server's private key, which the Linux clients do not need. If you use the Windows export wizard, choose not to export the private key: a Base-64 encoded X.509 (.cer) export is already the PEM certificate lftp needs, and the private key then never leaves the server.
• The exported file then needs to be copied onto each Linux host that requires connectivity to the Windows FTPS server.
• Ensure the Linux hosts all have the lftp binary installed, i.e. as root: yum install lftp
• The Unix user that will run lftp must have a hidden .lftp directory in their home directory (~/.lftp).
• Within this directory, extract the certificate from the file exported from the Windows FTPS server. Export the cert from Windows, copy it to the Linux machine, then run the commands below.
• Now extract the key file. This step is not needed for the client to verify the server, and the resulting ftpcert.key is the FTPS server's private key: if you run it, delete ftpcert.key (and the .pfx itself) from the client afterwards.
openssl pkcs12 -in ftpcert.pfx -nocerts -out ftpcert.key
• Now extract the certificate
openssl pkcs12 -in ftpcert.pfx -clcerts -nokeys -out ftpcert.crt
• You now have a ftpcert.crt file; it should look like this:
-----BEGIN CERTIFICATE-----
MIIC4jCCAcqgAwIBAgIQbqKahZborqlLcK5t8EaYAjANBgkqhkiG9w0BAQUFADAa
MRgwFgYDVQQDEw9XSU4tSDQ5OENIS09DUE4wHhcNMTUxMTE5MTMyNTE4WhcNMTYx
MTE5MDAwMDAwWjAaMRgwFgYDVQQDEw9XSU4tSDQ5OENIS09DUE4wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsNEeiNw/ZoJ7d9o+ho7vkU2+lGqUg9dT9
jxry+A7nBF6Nj58LY46HyCF5IxTJBH1sdsiOX/QkIjMHRH6JDekjd/V/jqxuXNhk
0wkneYhf5e8R3q4WHOf3Vi22bUtJpCqxF43eFaWJ6KI3TXqAnZOLufZTqXw99a4Q
SktOKwrPmkbjEsH4+5dTXwxaYw79rDOFPxReUOsgmKO+7uMG0soEg1441c5vlBmA
AiweZMTLcEbKvS9XMNFXLt7ytQM8BdukS/dbvSrJTGvzvHBvR0tfKgyJz3xQ7Ru1
FtABl8CpAlClG0Fjm93facch0wgC7qFIHKl7GwsmwXJBhxfm4qJVAgMBAAGjJDAi
MAsGA1UdDwQEAwIEMDATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQUF
AAOCAQEAGnMCWyO65Y0PPzDgsWZCPxY+lStnVsdmt2KG057tKzq6XvTVRXwWfZQm
TdwytS+52O+ghCWpzM1KDeswuHCQFN3NtVyaNTUozEYmTENb0H/8ip4+8FnngHO9
P7zaJs5YUzduVAX9TrMFeSkklARnTlwmiVmF4s0yf6byQSI45bOlwyV1CebhBil4
yiZbZOhihqCxVP1+Fcn0mmq3EBA7s/yhwwiKtYyK3ywlZH6xNbQED84U6Tkvea9d
bDUZL+7KlSae+WQnsPSvmWqWOId5hO7XVwpQ5sSF+fr2B4KE16lJH/3FssEdciPU
Uw+lSLn3F9S8fNIeZURkLJVq5UuZ7w==
-----END CERTIFICATE-----
• Configure the lftp rc file, i.e. vi ~/.lftp/rc, and add these contents:
set ssl:ca-file "ftpcert.crt"
set ftp:ssl-protect-data true
set ftps:initial-prot
set ftp:ssl-force false
set ssl:verify-certificate off
Two points to be aware of with this proof-of-concept configuration. First, ssl:verify-certificate off means the certificate in ssl:ca-file is never actually checked, so the session is encrypted but the server is not authenticated. It is set off here because the certificate is issued to the Windows host name (CN=WIN-H498CHKOCPN) while the client connects by IP address, which would otherwise fail the name check; for anything beyond a test, set it to yes and connect using the name in the certificate. Second, ftp:ssl-force false lets lftp fall back to plain FTP if the TLS negotiation fails; set it to true so that a misconfiguration shows up as a connection error rather than as a cleartext transfer. Also note that ssl:ca-file is given as a relative path, so it only resolves when lftp is started from inside ~/.lftp as in the tests below; use the absolute path. (set ftps:initial-prot with no value simply unsets the variable and has no effect for explicit FTPS on port 21.)
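As an added example (not part of the original document), the shell script below audits the two client-side artefacts this procedure produces: the ~/.lftp/rc file, which it checks for settings that weaken FTPS (certificate verification off, plaintext fallback allowed, a value-less or duplicated set line), and the trust file named in ssl:ca-file, which it checks for holding exactly one certificate and no private key. It also prints a hardened rc. The sample rc and PEM fragments are constructed for the example (the PEM bodies are truncated stand-ins, only the markers are inspected), the path /home/ec2-user/.lftp/ftpcert.crt is an assumption, and the ssl:check-hostname setting mentioned in the emitted comment is assumed to be available in the lftp 4.x release installed by yum.

```shell
#!/bin/sh
# Added example (not from the original article): audit the client-side files of
# an lftp FTPS setup and emit a hardened ~/.lftp/rc. Needs only grep/awk/sort/mktemp.

# Constructed sample, modelled on the article's rc (including a duplicated line).
WEAK_RC='set ssl:ca-file "ftpcert.crt"
set ftp:ssl-protect-data true
set ftps:initial-prot
set ftp:ssl-force false
set ftp:ssl-protect-data true
set ssl:verify-certificate off'

# Constructed stand-ins: the base64 bodies are truncated, only the PEM markers matter.
CERT_ONLY='-----BEGIN CERTIFICATE-----
MIIC4jCCAcqgAwIBAgIQbqKahZborqlLcK5t8EaYAjANBgkqhkiG9w0BAQUFADAa
-----END CERTIFICATE-----'
CERT_AND_KEY="$CERT_ONLY
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI
-----END ENCRYPTED PRIVATE KEY-----"

# lftp_rc_findings FILE: print one line per weakness found, return 1 if any.
lftp_rc_findings() {
  f="$1"; n=0
  if grep -Eq '^[[:space:]]*set[[:space:]]+ssl:verify-certificate[[:space:]]+(off|no|false|0)' "$f"; then
    echo "ssl:verify-certificate off: ssl:ca-file is never checked, any server certificate is accepted"; n=$((n+1))
  fi
  if grep -Eq '^[[:space:]]*set[[:space:]]+ftp:ssl-force[[:space:]]+(off|no|false|0)' "$f"; then
    echo "ftp:ssl-force false: lftp falls back to plaintext FTP if AUTH TLS fails"; n=$((n+1))
  fi
  if ! grep -Eq '^[[:space:]]*set[[:space:]]+ftp:ssl-protect-data[[:space:]]+(on|yes|true|1)' "$f"; then
    echo "ftp:ssl-protect-data not enabled: file contents would cross the data channel in clear"; n=$((n+1))
  fi
  if grep -Eq '^[[:space:]]*set[[:space:]]+ftps:initial-prot[[:space:]]*$' "$f"; then
    echo "ftps:initial-prot has no value: set without a value unsets the variable, the line does nothing"; n=$((n+1))
  fi
  # The same variable set twice: the later line silently wins, so flag it.
  dups=$(grep -E '^[[:space:]]*set[[:space:]]' "$f" | awk '{print $2}' | sort | uniq -d | tr '\n' ' ')
  if [ -n "$dups" ]; then
    echo "duplicate set lines: $dups"; n=$((n+1))
  fi
  [ "$n" -eq 0 ]
}

# trust_file_ok FILE: the file deployed to clients must hold exactly one certificate
# and no private key (the FTPS server's key must never leave the Windows host).
trust_file_ok() {
  f="$1"
  [ "$(grep -c '^-----BEGIN CERTIFICATE-----' "$f")" -eq 1 ] || return 1
  [ "$(grep -c '^-----END CERTIFICATE-----' "$f")" -eq 1 ] || return 1
  ! grep -q 'PRIVATE KEY-----' "$f"
}

# hardened_rc CA_PATH: emit an rc that authenticates the server against the exported
# certificate and refuses to fall back to plaintext. CA_PATH should be absolute, since a
# relative ssl:ca-file is resolved against the current directory, not ~/.lftp.
hardened_rc() {
  cat <<EOF
set ssl:ca-file "$1"
set ssl:verify-certificate yes
set ftp:ssl-force true
set ftp:ssl-protect-data true
# The article's certificate is issued to CN=WIN-H498CHKOCPN but the client connects by IP,
# so verification fails on the name check. Connect by that host name (e.g. via /etc/hosts)
# rather than disabling the name check with: set ssl:check-hostname no
EOF
}

# Stand-alone run: write the constructed samples to a temp dir and audit them.
main() {
  d=$(mktemp -d)
  printf '%s\n' "$WEAK_RC" > "$d/rc"
  printf '%s\n' "$CERT_ONLY" > "$d/ftpcert.crt"
  printf '%s\n' "$CERT_AND_KEY" > "$d/ftpcert.pem"
  echo "== findings for the sample rc =="; lftp_rc_findings "$d/rc" || true
  echo "== trust file checks =="
  trust_file_ok "$d/ftpcert.crt" && echo "ftpcert.crt: ok (certificate only)"
  trust_file_ok "$d/ftpcert.pem" || echo "ftpcert.pem: REJECT (contains a private key)"
  echo "== hardened ~/.lftp/rc =="; hardened_rc /home/ec2-user/.lftp/ftpcert.crt
  rm -rf "$d"
}
main
```

Run it as-is to see the findings against the sample rc; to audit a real host, call lftp_rc_findings ~/.lftp/rc and trust_file_ok on the file named in ssl:ca-file, then replace the rc with the hardened output and connect using the host name from the certificate rather than the IP address.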
Testing
• You should now be able to test a get from the command line: log in to the Linux host, use the lftp command to log in, list the directory on the FTPS server, then get the file. (Passing the password as the second argument to user, as below, leaves it in the lftp command history; omit it and lftp will prompt for it instead.)
[ec2-user@ip-172-31-15-178 .lftp]$ lftp 52.33.121.210
lftp 52.33.121.210:~> user ftpuser National01
lftp ftpuser@52.33.121.210:~> ls
-rwxrwxrwx 1 owner group 121 Nov 20 10:01 test.txt
lftp ftpuser@52.33.121.210:/> get test.txt
121 bytes transferred
lftp ftpuser@52.33.121.210:/> quit
• You can now quit lftp and view the test.txt file just retrieved:
[ec2-user@ip-172-31-15-178 .lftp]$ more test.txt
You have downloaded this file from Windows 2008 Server within Amazon AWS
Runing IIS – FTPs SSL Self Certsificates
[ec2-user@ip-172-31-15-178 .lftp]$
• If you experience issues connecting, use the lftp -d flag to get debug output. You might see data socket errors like these:
<--- 234 AUTH command ok. Expecting TLS Negotiation.
---> LANG
Certificate: CN=WIN-H498CHKOCPN
Issued by: CN=WIN-H498CHKOCPN
Trusted
WARNING: Certificate verification: The certificate's owner does not match hostname '52.33.121.210'
<--- 200 Language is now English, UTF-8 encoding.
---> OPTS UTF8 ON
<--- 200 OPTS UTF8 command successful - UTF8 encoding now ON.
---> HOST 52.33.121.210
<--- 504 Server cannot accept argument.
---> USER ftpuser
<--- 331 Password required for ftpuser.
---> PASS National01
<--- 230 User logged in.
---> PBSZ 0
<--- 200 PBSZ command successful.
---> PROT P
<--- 200 PROT command successful.
---> PROT P
<--- 200 PROT command successful.
---> PASV
<--- 227 Entering Passive Mode (52,33,121,210,192,16).
---- Connecting data socket to (52.33.121.210) port 49168
`ls' at 0 [Making data connection...
If you see errors like this, it is a firewall issue. The FTPS server lets you configure the passive data port range the client connects to (49152-65535 here, as the PASV reply above shows with port 49168), and because the control channel is encrypted no firewall can read that reply and open the port dynamically, so the whole range must be open in both the security group and the Windows firewall. These are the errors we see when we try to connect and get files from the Amazon-hosted Windows Server from a Linux machine on the local LAN; as shown above, the Amazon-hosted Linux machine can connect and get/list files on the FTPS server. The debug output also explains the certificate situation: the chain is reported Trusted because the exported certificate is in ssl:ca-file, but the name check fails because the certificate is issued to CN=WIN-H498CHKOCPN and the client connected by IP address, and it is only a WARNING because ssl:verify-certificate is off.
The final requirement is to be able to use a Linux client to connect to the IIS FTPS server and then get/put files on other Windows servers, such as the remote application servers on the LAN.
We can achieve this with Virtual Directories configured within IIS/FTP on the Windows Server.
The following was configured on a Windows 2008 IIS Server running the FTPS server on IP address 52.27.236.118.
A Virtual Directory was created in the IIS/FTP console pointing at a share on a remote server (this could be, for example, the Agresso Application Server): \\172.31.32.22\ftphome. This machine is on the same network as the FTPS server 52.27.236.118 and has the Windows file-sharing ports (TCP 445, and TCP/UDP 135-139) opened towards the FTPS server so the Virtual Directory can be created and browsed. Because every FTP user who can change into the Virtual Directory reaches that share, restrict it with IIS FTP authorization rules and NTFS permissions on the share, and give the account IIS uses to access the UNC path only the rights the transfers need.
The Virtual Directory also has an Alias, and this alias is the directory name the FTP client sees. So when you connect from the Linux client, cd hlcapp1 actually places the user in \\172.31.32.22\ftphome, and you can then get/put files to that remote location while connected to the FTPS server on 52.27.236.118.
The steps below confirm this configuration: connecting from the Linux server, changing to the alias, getting the file, then quitting.
[ec2-user@ip-172-31-15-178 .lftp]$ lftp 52.27.236.118
lftp 52.27.236.118:~> user ftpuser National01
lftp ftpuser@52.27.236.118:~> ls
11-21-15 08:03AM 2575 ftpcert2.pfx
lftp ftpuser@52.27.236.118:/> cd hlcapp1
cd ok, cwd=/hlcapp1
lftp ftpuser@52.27.236.118:/hlcapp1> ls
11-20-15 10:23PM <DIR> aspnet_client
11-20-15 10:01AM 121 test.txt
lftp ftpuser@52.27.236.118:/hlcapp1> get test.txt
121 bytes transferred
lftp ftpuser@52.27.236.118:/hlcapp1> quit
[ec2-user@ip-172-31-15-178 .lftp]$ more test.txt
You have downloaded this file from Windows 2008 Server within Amazon AWS
Runing IIS – FTPs SSL Self Certsificates
…
[ec2-user@ip-172-31-15-178 .lftp]$