BlueZone Secure FTP supports the SSL protocol through
the BlueZone Security Server or any other SSL-enabled FTP connection,
including IBM mainframe OS/390 and z/OS, the iSeries OS/400 and other
SSL-enabled FTP servers. BlueZone Secure FTP can be preconfigured
for distribution with the SSL feature enabled, eliminating the need
for any end-user intervention in the installation or configuration
process.
- Security Options
  - To enable encryption, select one of the following security types:
    - None: Disables encryption.
    - Explicit FTPS (SSL/TLS): BlueZone Secure FTP connects to the standard FTP server
      port 21 and starts an unencrypted FTP session as normal, but requests that SSL/TLS
      security be used and performs the handshake before sending any sensitive data. This
      is the preferred method according to RFC 4217. Explicit FTPS is also sometimes
      referred to as AUTH TLS.
    - Implicit FTPS (SSL/TLS): BlueZone Secure FTP connects to a non-standard port
      (usually 990), and an SSL/TLS handshake is performed before any FTP commands are
      sent.
    - Enable Clear Control Channel: If enabled, BlueZone Secure FTP attempts to use an
      unencrypted control connection together with an encrypted data connection.
    - Enable Clear Data Channel: If enabled, BlueZone Secure FTP sends data on the data
      channel without any encryption.
    - SFTP (SSH): Enables SFTP, file transfer over the SSH protocol. When you are
      connected to an SFTP host, a small padlock is displayed on the status bar. Clicking
      the padlock opens the SFTP Connection Status dialog.
- Encryption Type
  - Specifies which version of the SSL/TLS protocol must be used. The following options
    apply only to Explicit FTPS and Implicit FTPS. You must specify one or the other.
    - SSL v3: Specifies that SSL version 3 must be used.
    - TLS v1 (Default): Specifies that TLS version 1 must be used.
  - Note: SSL v3 has numerous vulnerabilities and is no longer considered secure. This
    setting is NOT RECOMMENDED. We strongly recommend using TLS v1 instead.
- Invalid Certificates
  - Specifies how to handle an invalid server certificate. Options include:
    - Always Reject: Specifies that an invalid server certificate must always be
      rejected.
    - Ask Before Accepting: Specifies that the user must be asked whether to accept an
      invalid server certificate.
    - Always Accept: Specifies that an invalid server certificate must always be
      accepted.
  - Check for Certificate Revocation: When checked, a revocation check is performed on
    the server certificate chain at connect time. The connection fails if a certificate
    has been revoked, if the revocation server cannot be contacted, or if the certificate
    carries no revocation information.
- Preferred Cipher Suite
  - Specifies a specific SSL/TLS or SSH cipher suite (encryption algorithm) to use. To
    let the client and server negotiate the cipher suite, select Strong only.
- Alternate Principal Name
  - Type a valid address in this field to use when validating the server certificate.
    When the Common Name (CN) or Subject Alternative Name of a host's server certificate
    does not match the address used to connect to the host, a certificate error occurs
    stating that the host address does not match the common name. If it is not possible
    to connect to the host address listed in the certificate, the address from the
    certificate can be typed into the Alternate Principal Name field. This address,
    rather than the host connection address, is then used to validate the server
    certificate.
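The Explicit FTPS, Invalid Certificates, revocation and Alternate Principal Name settings described above, expressed with Python's standard `ssl` and `ftplib` modules, as an added example that is not BlueZone's code. The option strings are the dialog's; `build_context`, `AltNameFTP_TLS`, `PORTS` and the TLS 1.2 floor are assumptions of this example.

```python
"""Added example: BlueZone-style Secure FTP settings expressed with Python's ssl and ftplib.
Option names ("Always Reject", ...) come from the dialog; functions and TLS 1.2 floor are assumed."""
import ssl
from ftplib import FTP_TLS

PORTS = {"Explicit FTPS": 21, "Implicit FTPS": 990}  # RFC 4217 AUTH TLS runs on the normal FTP port


def build_context(invalid_certs="Always Reject", check_revocation=True,
                  cafile=None, min_tls=ssl.TLSVersion.TLSv1_2):
    """Map Invalid Certificates, Encryption Type and revocation checking onto an SSLContext."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = min_tls  # SSL v3 is never offered; TLS 1.2 is a sensible floor today
    if invalid_certs == "Always Reject":
        ctx.check_hostname, ctx.verify_mode = True, ssl.CERT_REQUIRED
    elif invalid_certs == "Always Accept":  # no chain or name check: an on-path party can pose as the server
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    else:
        raise ValueError("'Ask Before Accepting' needs an interactive prompt; not modelled here")
    if check_revocation and ctx.verify_mode == ssl.CERT_REQUIRED:
        # As in the dialog: the handshake fails unless a CRL covering the whole chain is loaded.
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    return ctx


class AltNameFTP_TLS(FTP_TLS):
    """Explicit FTPS client honouring Alternate Principal Name and Enable Clear Data Channel."""
    def __init__(self, *args, alt_name=None, clear_data_channel=False, **kwargs):
        super().__init__(*args, **kwargs)
        self.alt_name = alt_name
        self.clear_data_channel = clear_data_channel

    def connect(self, host="", port=0, timeout=-999, source_address=None):
        resp = super().connect(host, port or PORTS["Explicit FTPS"], timeout, source_address)
        if self.alt_name:
            # ftplib passes self.host as server_hostname when it wraps the control and data
            # sockets, so swapping it after the TCP connect validates the certificate against
            # the alternate name instead of the address that was dialled.
            self.host = self.alt_name
        return resp

    def secure_session(self):
        """AUTH TLS on the control channel, then PROT P, or PROT C for Clear Data Channel."""
        self.auth()
        if self.clear_data_channel:
            self.prot_c()  # file contents cross the network in cleartext
            return "PROT C"
        self.prot_p()  # data connections are TLS-protected (ftplib sends PBSZ 0 first)
        return "PROT P"
```

Pass `context=build_context()` to the constructor, then call `connect(host)`, `secure_session()` and `login()`; `ccc()` on the same object issues the CCC command that the Enable Clear Control Channel option describes.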