SECURE_DATACONN (FTP client and server) statement

Use the SECURE_DATACONN statement to indicate the level of security used on data connections. The statement applies to both TLS and Kerberos.

See SECURE_CTRLCONN (FTP client and server) statement for an explanation of terminology for protected, raw, and enciphered data.

Syntax

   .-SECURE_DATACONN CLEAR--------.   
>>-+------------------------------+----------------------------><
   '-SECURE_DATACONN--+-CLEAR---+-'   
                      +-NEVER---+     
                      +-PRIVATE-+     
                      '-SAFE----'     

Parameters

Configuring an FTP server

NEVER
Indicates the server requires data to be transferred raw with no cipher algorithm applied to the data. Clients attempting to use ciphers are rejected.
CLEAR
Indicates the client decides whether data is transferred raw or enciphered.

For TLS, the client decides whether data is enciphered or not. If it indicates it should be enciphered, the cipher algorithm is chosen using TLS protocols.

For Kerberos, the client can specify whether data is transferred raw, integrity protected only, or both integrity and privacy protected.

PRIVATE
Indicates the server requires data to be transferred enciphered. Clients attempting to send raw data are rejected.

For TLS, the cipher algorithm is chosen using TLS protocols.

For Kerberos, the data must be transferred using both integrity and privacy protection. Clients attempting to send data that is only integrity protected are rejected.

SAFE
For TLS, specifying this option is identical to the PRIVATE specification.

For Kerberos, the data must be transferred using both integrity and privacy protection. Clients attempting to send data that is only integrity protected are rejected.

Configuring an FTP client

NEVER
Indicates the client requires data to be transferred raw with no cipher algorithm applied to the data.
CLEAR
Indicates the data can be transferred raw or enciphered.

By default, data is transferred raw. However, you can issue the private command during the FTP session to change the data connection security level so the data is enciphered. You can also issue the clear command to reset the data connection security level back, so that data is transferred raw again.

For TLS, if the private command is issued, the cipher algorithm is chosen using TLS protocols.

For Kerberos, if the private command is issued, data is transferred both integrity and privacy protected. In addition to the private and clear commands, you can issue the safe command to change the data connection security level so data is transferred integrity protected only.

PRIVATE
Indicates the client requires data to be transferred enciphered.

For TLS, the cipher algorithm is chosen using TLS protocols.

For Kerberos, the data must be transferred using both integrity and privacy protection.

SAFE
For TLS, specifying this option is identical to the PRIVATE specification.

For Kerberos, the data can be transferred integrity protected only, or both integrity and privacy protected. By default, data is transferred integrity protected only. However, you can issue the private command during the FTP session to change the data connection security level so data is transferred both integrity and privacy protected. You can also issue the safe command to reset the data connection security level back, so data is transferred integrity protected only.

Examples

SECURE_DATACONN NEVER

Usage notes

If the FTP server uses the secure port, the server behaves as if the value on this statement is PRIVATE. See TLSPORT (FTP client and server) statement for information about the secure port.
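
The following Python sketch is an added example, not IBM code. It applies the server-side rules and the secure-port usage note above to an FTP.DATA fragment and lists which unencrypted transfer modes the server would still accept. The function names, the constructed sample, the `;` comment handling, case-insensitive keywords, and last-statement-wins behavior are assumptions.

```python
# Added example: server-side SECURE_DATACONN rules as stated on this page.
VALID = {"CLEAR", "NEVER", "PRIVATE", "SAFE"}

# Constructed sample FTP.DATA fragment (the value is the one in Examples).
SAMPLE = """\
; constructed sample
SECURE_DATACONN NEVER   ; data connections are always raw
"""

def configured_level(ftp_data_text):
    """Return the coded SECURE_DATACONN value, or the default CLEAR."""
    level = "CLEAR"
    for line in ftp_data_text.splitlines():
        # Assumption: ';' starts a comment and keywords are case-insensitive.
        tokens = line.split(";", 1)[0].split()
        if tokens and tokens[0].upper() == "SECURE_DATACONN":
            value = tokens[1].upper() if len(tokens) > 1 else ""
            if value not in VALID:
                raise ValueError(f"invalid SECURE_DATACONN value: {value!r}")
            level = value  # Assumption: the last statement coded wins.
    return level

def effective_level(ftp_data_text, secure_port=False):
    """On the secure port the server behaves as if PRIVATE were coded."""
    return "PRIVATE" if secure_port else configured_level(ftp_data_text)

def server_accepts(level, mechanism, protection):
    """mechanism: 'TLS' or 'KERBEROS'; protection: 'raw', 'integrity'
    (Kerberos only) or 'private' (enciphered)."""
    if mechanism == "TLS" and protection == "integrity":
        raise ValueError("this page gives TLS only raw or enciphered data")
    if level == "NEVER":
        return protection == "raw"   # clients using ciphers are rejected
    if level == "CLEAR":
        return True                  # the client decides
    # PRIVATE, and SAFE as this page describes it for the server:
    # raw and integrity-only data are both rejected.
    return protection == "private"

def audit(ftp_data_text, secure_port=False):
    """List the unencrypted transfer modes the server would still accept."""
    level = effective_level(ftp_data_text, secure_port)
    findings = []
    for mech, prot in (("TLS", "raw"), ("KERBEROS", "raw"), ("KERBEROS", "integrity")):
        if server_accepts(level, mech, prot):
            findings.append(f"{level}: {mech} client may send {prot} data")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "data connections are always enciphered")
```

An empty result from audit means every data connection the server accepts is enciphered. A missing statement resolves to the default CLEAR and is reported.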