Use the SECURE_CTRLCONN statement to indicate the security level for a control connection. This statement applies only to Kerberos.
Requirement: When using TLS, the control connection must be enciphered, and this setting has no effect on the TLS behavior.
Terminology
- Integrity protected, data integrity, or data authentication
- Indicates that an algorithm is applied to the data being transferred,
which modifies that data such that the receiving program can verify
the data was not modified or changed during the transfer.
- Privacy protected
- Indicates that an algorithm is applied to the data being transferred,
which encrypts or scrambles the data such that only the receiving
program can use a special key to decrypt or unscramble the data to
its original format. The original data cannot be seen or interpreted
while the data is in transit.
- Raw
- Indicates that data is transmitted without being modified by any
encryption or data integrity algorithms.
- Encipher or cipher algorithm
- Indicates that data being transferred is encrypted, integrity
protected, or both. This term does not imply which algorithm is used,
and does not by itself imply that the data is encrypted (privacy protected);
it may be integrity protected only.
Syntax
   .-SECURE_CTRLCONN CLEAR--------.
>>-+------------------------------+----------------------------><
   '-SECURE_CTRLCONN--+-CLEAR---+-'
                      +-PRIVATE-+
                      '-SAFE----'
Parameters
Configuring an FTP server
- CLEAR
- Specifies that the client decides whether data is transferred
raw, integrity protected only, or both integrity and privacy protected.
- PRIVATE
- Specifies that the server requires data to be transferred using
both integrity and privacy protection. Clients attempting to send
raw data, or data that is integrity protected only, are rejected.
- SAFE
- Specifies that the server requires data to be transferred using
integrity protection only, or using both integrity and privacy protection.
Clients attempting to send raw data are rejected.
Configuring an FTP client
- CLEAR
- Specifies that data can be transferred raw, integrity protected
only, or both integrity and privacy protected.
By default, data is transferred raw. However, you can issue the cprotect private and cprotect
safe commands during the FTP session to change the control connection
security level. Issuing the cprotect private command changes
the control connection security level so data is transferred both
integrity and privacy protected. Issuing the cprotect safe command
changes the control connection security level so data is transferred
integrity protected only. You can also issue the cprotect
clear command to reset the control connection security level back,
so that data is transferred raw again.
- PRIVATE
- Specifies that the client data is transferred both integrity and
privacy protected.
- SAFE
- Specifies that the data can be transferred integrity protected
only, or both integrity and privacy protected.
By default, data is transferred integrity protected only. However, the client can issue
the cprotect private command during the FTP session to change the control
connection security level so data is transferred both integrity and
privacy protected. The user can also issue the cprotect safe command
to reset the control connection security level back, so that data
is transferred integrity protected only.
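The server and client rules above, modeled as an added illustration (not IBM code): the server setting defines the minimum protection level it accepts, and the client setting defines the session's starting level and which cprotect commands it may issue. It assumes the cprotect commands listed for each client setting are the only ones permitted with it, and models the Kerberos (GSSAPI) case only, since under TLS the statement is ignored.

```python
"""Model of the SECURE_CTRLCONN policy (added illustration, not IBM code).
Protection levels in increasing strength: CLEAR (raw) < SAFE < PRIVATE."""

LEVELS = {"CLEAR": 0, "SAFE": 1, "PRIVATE": 2}

# Client FTP.DATA setting -> (starting level, cprotect commands permitted).
# Assumption: only the commands the description lists are allowed.
CLIENT_RULES = {
    "CLEAR":   ("CLEAR",   {"CLEAR", "SAFE", "PRIVATE"}),
    "SAFE":    ("SAFE",    {"SAFE", "PRIVATE"}),
    "PRIVATE": ("PRIVATE", set()),
}


def server_accepts(server_setting: str, level: str) -> bool:
    """True if a server coded with SECURE_CTRLCONN server_setting accepts a
    control connection at the given protection level.
    CLEAR: client decides; SAFE: raw rejected; PRIVATE: raw and
    integrity-only rejected."""
    return LEVELS[level] >= LEVELS[server_setting]


def client_level(client_setting: str, cprotect_cmds=()) -> str:
    """Control-connection level after a client coded with SECURE_CTRLCONN
    client_setting issues the given cprotect commands in order.
    Raises ValueError for a cprotect the configuration does not permit."""
    level, allowed = CLIENT_RULES[client_setting]
    for cmd in cprotect_cmds:
        cmd = cmd.upper()
        if cmd not in allowed:
            raise ValueError(
                f"cprotect {cmd.lower()} not permitted with "
                f"SECURE_CTRLCONN {client_setting}")
        level = cmd
    return level


def negotiate(server_setting: str, client_setting: str, cprotect_cmds=()) -> bool:
    """Would this server/client pair interoperate under the Kerberos mechanism?"""
    return server_accepts(server_setting,
                          client_level(client_setting, cprotect_cmds))


if __name__ == "__main__":
    # Constructed scenario: a PRIVATE server rejects a default CLEAR client
    # until that client issues 'cprotect private'.
    print(negotiate("PRIVATE", "CLEAR"))               # False
    print(negotiate("PRIVATE", "CLEAR", ["private"]))  # True
```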
Examples
SECURE_CTRLCONN PRIVATE
Requirements:
- You must code EXTENSIONS AUTH_GSSAPI for this statement to be used by the FTP server.
- You must code SECURE_MECHANISM GSSAPI for this statement to be used by the FTP client.
Restriction: This statement is ignored when the security mechanism is TLS.