Managing Files When the Device Functions as an FTPS Client
Pre-configuration Tasks
Before connecting to a device as an FTPS client to manage files, complete the following tasks:
- Ensure that routes are reachable between the current device and the FTPS server.
- Load the digital certificate on the FTPS server.
- Obtain the host name or IP address of the FTPS server, FTPS user name, and password.
Configuration Procedure
Table 7-53 describes the procedure for managing files when the device functions as an FTPS client.
No. | Task | Description | Remarks
---|---|---|---
1 | Upload required files to the device. | - | After the FTPS connection is established, perform tasks 4 and 5 in any sequence.
2 | Configure the SSL policy and load the CA certificate and CRL file. | - |
3 | Connect to the FTPS server. | - |
4 | Run FTP commands to perform file-related operations, such as uploading and downloading files, configuring the file transfer mode, and viewing the online help about FTP commands. | - |
5 | (Optional) Change the login user. | - |
6 | Disconnect the FTPS client from the FTPS server. | - |
Procedure
- Upload the CA certificate and CRL file.
Upload the CA certificate and CRL file to the security directory on the device in FTP, SFTP, or SCP mode. If no security directory exists on the device, run the mkdir security command to create one.
The FTPS client must obtain certificates from the CA to authenticate the digital certificate of the server.
The CRL is issued by the CA and contains the serial numbers of certificates that have been revoked. If the server's digital certificate is listed in the CRL file, the client cannot authenticate the server and the FTPS connection fails.
Digital certificates support the PEM, ASN1, and PFX formats. Regardless of the format, the certificates carry the same content:
- A PEM digital certificate has the file name extension .pem and is applicable to text transmission between systems.
- An ASN1 digital certificate has the file name extension .der and is the default format for most browsers.
- A PFX digital certificate has the file name extension .pfx and is a binary format that can be converted into the PEM or ASN1 format.
The CRL file supports the ASN1 and PEM formats. These two formats represent the same content.
For details, see the description about uploading files in other modes.
- Configure an SSL policy and load the CA certificate and CRL file.

Table 7-54 Configuring an SSL policy and loading the CA certificate and CRL file

Operation: Enter the system view.
Command: system-view
Description: -

Operation: (Optional) Customize an SSL cipher suite policy.
Command: ssl cipher-suite-list customization-policy-name
Description: Customize an SSL cipher suite policy and enter the cipher suite policy view. By default, no customized SSL cipher suite policy is configured.

Operation: Configure the cipher suites for the customized SSL cipher suite policy.
Command: set cipher-suite { tls12_ck_dss_aes_128_gcm_sha256 | tls12_ck_dss_aes_256_gcm_sha384 | tls12_ck_rsa_aes_128_gcm_sha256 | tls12_ck_rsa_aes_256_gcm_sha384 }
Description: By default, no customized SSL cipher suite policy is configured. To configure cipher suites for a customized SSL cipher suite policy, run the set cipher-suite command.
If a customized SSL cipher suite policy is being referenced by an SSL policy, the cipher suites in the customized cipher suite policy can be added, modified, or partially deleted. Deleting all of the cipher suites is not supported.
The system software does not support the tls12_ck_rsa_aes_256_cbc_sha256, tls1_ck_dhe_dss_with_aes_128_sha, tls1_ck_dhe_dss_with_aes_256_sha, tls1_ck_dhe_rsa_with_aes_128_sha, tls1_ck_dhe_rsa_with_aes_256_sha, tls1_ck_rsa_with_aes_128_sha, and tls1_ck_rsa_with_aes_256_sha parameters. To use any of these parameters, you need to install the WEAKEA plug-in. For higher security, you are advised to use the other parameters.
You can search for Plug-in Usage Guide at the Huawei technical support website (Enterprise Network or Carrier), and choose the desired plug-in usage guide based on the switch model and software version. If you do not have permission to access the website, contact technical support personnel.

Operation: Return to the system view.
Command: quit
Description: -

Operation: Create the SSL policy and enter the SSL policy view.
Command: ssl policy policy-name
Description: -

Operation: (Optional) Set the minimum version of the SSL policy.
Command: ssl minimum version { tls1.1 | tls1.2 }
Description: By default, the minimum SSL version of an SSL policy is TLS1.2.
The system software does not support the tls1.0 parameter. To use the tls1.0 parameter, you need to install the WEAKEA plug-in. For higher security, you are advised to specify the tls1.2 parameter.
You can search for Plug-in Usage Guide at the Huawei technical support website (Enterprise Network or Carrier), and choose the desired plug-in usage guide based on the switch model and software version. If you do not have permission to access the website, contact technical support personnel.

Operation: (Optional) Bind a customized SSL cipher suite policy to the SSL policy.
Command: binding cipher-suite-customization customization-policy-name
Description: By default, no customized cipher suite policy is bound to an SSL policy. Each SSL policy uses a default cipher suite. After a customized cipher suite policy is unbound from an SSL policy, the SSL policy uses one of the following cipher suites supported by default:
- tls1_ck_rsa_with_aes_256_sha
- tls1_ck_rsa_with_aes_128_sha
- tls1_ck_dhe_rsa_with_aes_256_sha
- tls1_ck_dhe_dss_with_aes_256_sha
- tls1_ck_dhe_rsa_with_aes_128_sha
- tls1_ck_dhe_dss_with_aes_128_sha
- tls12_ck_rsa_aes_256_cbc_sha256
If the cipher suites in the customized cipher suite policy bound to an SSL policy contain only one type of algorithm (RSA or DSS), the corresponding certificate must be loaded for the SSL policy to ensure successful SSL negotiation.

Operation: Load the CA certificate in the PEM format.
Command: trusted-ca load pem-ca ca-filename
Description: Load the CA certificate in the PEM, ASN1, or PFX format. A maximum of four CA certificates can be loaded in an SSL policy. The loaded CA certificates are added to the existing CA list.

Operation: Load the CA certificate in the ASN1 format.
Command: trusted-ca load asn1-ca ca-filename
Description: As above.

Operation: Load the CA certificate in the PFX format.
Command: trusted-ca load pfx-ca ca-filename auth-code cipher auth-code
Description: As above.

Operation: Load the CRL file.
Command: crl load { pem-crl | asn1-crl } crl-filename
Description: A maximum of two CRL files can be loaded in an SSL policy. The loaded CRL files are added to the existing CRL file list.
- If only one CA certificate exists on the FTPS server, configure all CA certificates in the validation path up to and including the root CA certificate.
- If a certificate chain exists on the FTPS server, configure only the root CA certificate on the client.
- If the CRL file is not loaded, the FTPS connection is not affected. However, the client cannot check whether the digital certificate of the server has been revoked. You are advised to load the CRL file and keep it up to date.
- Connect to the FTPS server.

Table 7-55 Connecting to the FTPS server

Operation: Connect the FTPS client to the FTPS server based on IPv4.
Command: ftp ssl-policy policy-name [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ public-net | vpn-instance vpn-instance-name ]
Description: Run either of the commands based on the IP address type.

Operation: Connect the FTPS client to the FTPS server based on IPv6.
Command: ftp ssl-policy policy-name ipv6 host-ipv6-address [ port-number ]
Description: As above.

When connecting to the FTPS server, you can also run the ftp command to enter the FTP client view and then the open command to establish the FTP connection.
Users must enter the correct user name and password to enter the FTP client view and manage files on the server.
- Run FTP commands to perform file-related operations.
After connecting to the FTPS server, users can run FTP commands to perform file-related operations on the FTPS server.
User rights are configured on the FTP server.
The file system limits the number of files in the root directory to 50. Creation of files in excess of this limit in the root directory may fail.
Users can perform the following operations in any sequence.

Table 7-56 Running FTP commands to perform file-related operations

Operation: Change the working directory on the server.
Command: cd remote-directory
Description: -

Operation: Change the current working directory to its parent directory.
Command: cdup
Description: -

Operation: Display the working directory on the server.
Command: pwd
Description: -

Operation: Display or change the local working directory.
Command: lcd [ local-directory ]
Description: The lcd command displays the local working directory on the client, and the pwd command displays the working directory on the remote server.

Operation: Create a directory on the server.
Command: mkdir remote-directory
Description: The directory name can consist of letters and digits. The following special characters are not supported: < > ? \ :

Operation: Delete a directory from the server.
Command: rmdir remote-directory
Description: -

Operation: Display information about the specified directory or file on the server.
Command: dir/ls [ remote-filename [ local-filename ] ]
Description:
- The ls command displays only the directory or file name, whereas the dir command displays detailed directory or file information such as name, size, and creation date.
- If no directory is specified in the command, the system searches for the file in the user's authorized directories.

Operation: Delete a file from the server.
Command: delete remote-filename
Description: -

Operation: Upload one or more files.
Command: put local-filename [ remote-filename ] or mput local-filenames
Description:
- To upload a file, run the put command.
- To upload multiple files, run the mput command.

Operation: Download one or more files.
Command: get remote-filename [ local-filename ] or mget remote-filenames
Description:
- To download a file, run the get command.
- To download multiple files, run the mget command.

Operation: Set the file transfer mode to ASCII or binary.
Command: ascii or binary
Description: Select either of them. The default file transfer mode is ASCII. The ASCII mode is used to transfer text files, and the binary mode is used to transfer programs, system software, and database files.

Operation: Set the data transmission mode to passive or active.
Command: passive or undo passive
Description: Select either of them. The default data transmission mode is active.

Operation: View the online help about FTP commands.
Command: remotehelp [ command ]
Description: -

Operation: Enable the system prompt function.
Command: prompt
Description: By default, the prompt function is disabled.

Operation: Enable the verbose function.
Command: verbose
Description: After the verbose function is enabled, all FTP response messages are displayed on the FTP client.
- (Optional) Change the login user.
The current user can switch to another user in the FTP client view. The FTP connection between the new user and the FTPS server is the same as that established by running the ftp ssl-policy command.

Operation: Change the current user in the FTP client view.
Command: user user-name [ password ]
Description: When the login user is switched to another user, the original user is disconnected from the FTP server.
- Disconnect the FTPS client from the FTPS server.
Users can run different commands in the FTP client view to disconnect the FTPS client from the FTPS server.

Operation: Disconnect the FTP client from the FTP server and return to the user view.
Command: bye or quit
Description: Select one of them.

Operation: Disconnect the FTP client from the FTP server and return to the FTP client view.
Command: close or disconnect
Description: Select one of them.
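The six tasks above run end to end, as an added example that is not from the original page: it uses only the commands listed in Tables 7-54 to 7-56 and assumes the policy names gcm-only and ftps-policy, the files ca-example.pem and crl-example.pem already uploaded to the security directory, the server address 192.0.2.10, the file names shown, and that set cipher-suite is run once per suite to be allowed (prompts are omitted).

```text
# Annotation lines start with #; they are not commands.
system-view

# Customized cipher suite policy: allow only the AES-GCM suites, so none of
# the CBC or legacy suites from the default list can be negotiated.
ssl cipher-suite-list gcm-only
set cipher-suite tls12_ck_rsa_aes_128_gcm_sha256
set cipher-suite tls12_ck_rsa_aes_256_gcm_sha384
quit

# SSL policy: TLS 1.2 as the minimum version, bound to the GCM-only list.
ssl policy ftps-policy
ssl minimum version tls1.2
binding cipher-suite-customization gcm-only
# Only RSA suites are bound, so the CA that issued the server's RSA
# certificate must be loaded; load the root CA only if the server sends a
# full chain, otherwise every CA up to and including the root.
trusted-ca load pem-ca ca-example.pem
# Load the CRL so a revoked server certificate is rejected.
crl load pem-crl crl-example.pem
quit

# Connect over IPv4 using the policy; enter the FTPS user name and password
# when prompted.
ftp ssl-policy ftps-policy 192.0.2.10

# FTP client view: binary mode for system software, passive mode when a
# firewall between client and server blocks inbound data connections.
binary
passive
cd upgrade
get server-file.bin local-file.bin
put local-config.cfg backup/local-config.cfg
bye
```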