SECURE_PASSWORD (FTP server) statement

Use the SECURE_PASSWORD statement to specify whether a password is required by the FTP server for a TLS protected session. The statement is ignored for sessions that are not protected by the TLS security mechanism.

Syntax

   .-SECURE_PASSWORD REQUIRED------.   
>>-+-------------------------------+---------------------------><
   '-SECURE_PASSWORD--+-REQUIRED-+-'   
                      '-OPTIONAL-'     

Parameters

REQUIRED
Specifies that a password is required to log in a user whose session is protected by the TLS security mechanism.
OPTIONAL
Specifies that the password is not required if the client provides a certificate that can be used to authenticate the user. See the Usage notes in this topic for more information.

If the client certificate is used to authenticate the user and the authentication fails, the login attempt fails.

Rule: The handshake that occurs when the TLS protected session is established must include the transfer of the client certificate to the server. If you code SECURE_PASSWORD OPTIONAL, you must code SECURE_LOGIN VERIFY_USER or SECURE_LOGIN REQUIRED to require the client certificate.

Result: If you code SECURE_PASSWORD OPTIONAL and SECURE_LOGIN NO_CLIENT_AUTH in the FTP.DATA file, the message EZYFS16I is logged to inform you that the combination is not allowed. The value set by the SECURE_PASSWORD statement is changed to REQUIRED.

Examples

To require the user to enter a password on a TLS protected session only when the USER name does not match the name associated with the certificate, code the following statements:

SECURE_LOGIN      REQUIRED
SECURE_PASSWORD   OPTIONAL

Usage notes

The certificate that is received from the client must be registered in the security product and must be associated with the user ID that is passed on the USER command to the FTP server. You can use the RACDCERT ADD command to register and associate the certificate.

When the certificate is registered in the security product and is associated with the user ID that is passed in on the USER command, the SECURE_PASSWORD statement value determines the action taken during the login procedure.

Table 1 shows the statement value options.
Table 1. SECURE_PASSWORD statement value options
SECURE_PASSWORD   SECURE_LOGIN              Action
REQUIRED          VERIFY_USER or REQUIRED   Prompt for a password.
OPTIONAL          VERIFY_USER or REQUIRED   Authenticate with the certificate (do not prompt for a password if the authentication fails).

When either the certificate is not registered in the security product or is not associated with the user ID that is passed in on the USER command, the SECURE_LOGIN statement value determines the action during the login procedure.

Table 2 shows the statement value options.
Table 2. SECURE_LOGIN statement value options
SECURE_PASSWORD        SECURE_LOGIN   Action
REQUIRED or OPTIONAL   VERIFY_USER    Fail the login.
REQUIRED or OPTIONAL   REQUIRED       Prompt for a password.
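
The Rule, the Result and Tables 1 and 2 can be checked mechanically against a copy of FTP.DATA. The following Python sketch is an added example, not IBM code; it assumes that `;` starts a comment in FTP.DATA and that SECURE_LOGIN defaults to NO_CLIENT_AUTH when it is not coded (neither is stated in this topic), and the function names and sample text are constructed for illustration.

```python
# Added example: audit SECURE_LOGIN / SECURE_PASSWORD in a copy of FTP.DATA.
DEFAULTS = {
    "SECURE_PASSWORD": "REQUIRED",       # default shown in the syntax diagram
    "SECURE_LOGIN": "NO_CLIENT_AUTH",    # assumption: not stated in this topic
}
VALID = {
    "SECURE_PASSWORD": {"REQUIRED", "OPTIONAL"},
    "SECURE_LOGIN": {"NO_CLIENT_AUTH", "REQUIRED", "VERIFY_USER"},
}

def parse_ftp_data(text):
    """Return the coded values of the two statements, falling back to defaults."""
    coded = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # assumption: ';' starts a comment
        parts = line.split()
        if len(parts) >= 2 and parts[0].upper() in VALID:
            name, value = parts[0].upper(), parts[1].upper()
            if value not in VALID[name]:
                raise ValueError(f"{name}: unexpected value {value!r}")
            coded[name] = value
    return coded

def effective_settings(coded):
    """Apply the Result paragraph: OPTIONAL + NO_CLIENT_AUTH becomes REQUIRED."""
    eff, findings = dict(coded), []
    if coded["SECURE_PASSWORD"] == "OPTIONAL" and coded["SECURE_LOGIN"] == "NO_CLIENT_AUTH":
        eff["SECURE_PASSWORD"] = "REQUIRED"
        findings.append("EZYFS16I expected: SECURE_PASSWORD OPTIONAL is not "
                        "allowed with SECURE_LOGIN NO_CLIENT_AUTH; REQUIRED is used")
    elif coded["SECURE_PASSWORD"] == "OPTIONAL":
        findings.append("certificate-only login is enabled: review which client "
                        "certificates are associated with user IDs (RACDCERT)")
    return eff, findings

def login_action(eff, cert_matches_user):
    """Tables 1 and 2. cert_matches_user: the certificate is registered and
    associated with the user ID passed on the USER command."""
    if eff["SECURE_LOGIN"] == "NO_CLIENT_AUTH":
        return "prompt for a password"        # SECURE_PASSWORD is REQUIRED here
    if cert_matches_user:                     # Table 1
        return ("authenticate with the certificate"
                if eff["SECURE_PASSWORD"] == "OPTIONAL" else "prompt for a password")
    return "fail the login" if eff["SECURE_LOGIN"] == "VERIFY_USER" else "prompt for a password"

SAMPLE = """\
; constructed sample, not a real FTP.DATA
SECURE_LOGIN      REQUIRED
SECURE_PASSWORD   OPTIONAL   ; allow certificate-only login
"""
```

Calling `effective_settings(parse_ftp_data(SAMPLE))` reports that certificate-only login is enabled, which is the case where the set of certificates associated with user IDs in the security product becomes the entire authentication boundary.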
