tFTPPut using FTPS Support for TLS/SSL Implicit encryption

Nine Stars


I am trying to make a Talend job to FTP a file to a server which uses TLS/SSL Implicit encryption.

 

I am able to login to the server and manually copy the file over successfully using WinSCP.

 

In my tFTPPut component what do I need to have checked or selected?

Do I need to have FTPS Support checked and Security Mode Implicit selected?

Do I need a Keystore File and a Keystore Password? What are these and how do I get or make them?


Accepted Solutions
Twelve Stars

Re: tFTPPut using FTPS Support for TLS/SSL Implicit encryption

Yes for both:

- Yes, you need to check FTPS

- and yes, you need to provide the path and password for your keystore (or just create a new one)

To create an empty keystore (and truststore), you can check the documentation:

https://docs.oracle.com/cd/E19509-01/820-3503/ggfen/

You can also use good tools like http://keystore-explorer.org/features.html

-----------

All Replies
Moderator

Re: tFTPPut using FTPS Support for TLS/SSL Implicit encryption

Hi,

Is your FTP server using FTPS (SSL/TLS)? The FTPS Support check box is used to connect to the FTP server via an FTPS connection. Once selected, you need to fill the Keystore File and Keystore Password fields.

 

Best regards

Sabrina

Four Stars

Re: tFTPPut using FTPS Support for TLS/SSL Implicit encryption

Hi,

 

I was in the exact same situation. In the end, I found this page: https://www.solypse.com/talend-ftps/ (in French).

I ended up doing these 5 steps:

 

1: generate an empty, local key store:

keytool -genkey -alias client -keystore local_keystore.jks

The keytool asks for a password to protect the keystore (twice). Give it one, at least 6 characters.

It also asks for firstname+lastname, organizational unit, organization, city, state, country. I went with the default 'Unknown' for all of them.

Then it asks for a password for the alias <client>, I went with the proposal to keep it the same as the password for the keystore.

You now have a keystore local_keystore.jks that has a private key for 'client'.

The tool issues a warning that we generated a keystore with a proprietary format, and suggests a fix. Next step is to do just that fix.

 

2: convert the format of the freshly created keystore to type pkcs12:

keytool -importkeystore -srckeystore local_keystore.jks -destkeystore local_keystore.jks -deststoretype pkcs12

This step asks for the password of the keystore.

 

3: retrieved the certificate of the FTP server I want to connect to:

openssl s_client -connect 10.100.1.2:21 -starttls ftp </dev/null 2>/dev/null |openssl x509 -outform PEM > ftp_server.pem

 

4: convert that certificate from PEM into DER format (just tested, could have done that directly in previous step)

openssl x509 -inform PEM -in ftp_server.pem -outform DER -out ftp_server.cer

 

5: import the ftp_server certificate into the keystore, indicating that it is trusted:

keytool -import -file ftp_server.cer -keystore local_keystore.jks

The tool asks on the command line if the certificate is to be trusted, answer 'yes'.

 

You now have a keystore file and password that can be used in a tFTPConnection Talend component, that will allow components like tFTPFileList and tFTPGet to access your FTP server. Be sure to check the 'FTPS Support (support tFTPGet temporarily)' checkbox, pick connection mode passive, and security mode implicit.

 

To find out all this took me several days, and a lot of frustration, so I hope I can prevent someone from having to go through the same, and thanks to the French guy for posting his original post.

 

Ron.
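
A possible gate between steps 3 and 5 of the procedure above, added here as an example and not part of the original posts: it converts the fetched PEM to DER and writes ftp_server.cer only when its SHA-256 fingerprint equals one obtained out of band (for example from the server's administrator). The function names, the script name pin_cert.py and the default port 990 for implicit FTPS are assumptions of this example.

```python
import hashlib
import hmac
import ssl
import sys


def fetch_implicit_ftps_cert(host: str, port: int = 990) -> str:
    """Return the server certificate as PEM. Implicit FTPS starts TLS on connect
    (conventionally port 990), so no FTP-level STARTTLS exchange is needed.
    Nothing is validated here; the pin check below is what decides trust."""
    return ssl.get_server_certificate((host, port))


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:...', 'ab cd ...' or bare hex; return 64 lowercase hex digits."""
    cleaned = "".join(fp.split()).replace(":", "").replace("-", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def fingerprint_of_pem(pem_text: str) -> str:
    """PEM -> DER (what step 4 does), then SHA-256 over the DER bytes."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    return hashlib.sha256(der).hexdigest()


def export_if_pinned(pem_text: str, expected_fp: str, out_path: str) -> bool:
    """Write the DER file for 'keytool -import' only if the fingerprint matches
    the value obtained out of band; otherwise write nothing."""
    actual = fingerprint_of_pem(pem_text)
    if not hmac.compare_digest(actual, normalize_fingerprint(expected_fp)):
        return False
    with open(out_path, "wb") as fh:
        fh.write(ssl.PEM_cert_to_DER_cert(pem_text.strip()))
    return True


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: pin_cert.py <host> <expected-sha256-fingerprint>")
    host, expected = sys.argv[1], sys.argv[2]  # both supplied by the operator
    ok = export_if_pinned(fetch_implicit_ftps_cert(host), expected, "ftp_server.cer")
    print("wrote ftp_server.cer" if ok else "fingerprint mismatch, nothing written")
    sys.exit(0 if ok else 1)
```

On a match, ftp_server.cer can be imported with the keytool command from step 5; on a mismatch, nothing is written and the import should not proceed.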