Submit a ticketCall us

Don’t fall victim to a ransomware attack
Backups are helpful, but sometimes that’s not enough to protect your business against ransomware. At our live webcast we will discuss how to protect against ransomware attacks with SolarWinds® Patch Manager and how to leverage log data to detect ransomware. Register now for our live webcast.

Home > Success Center > Serv-U Managed File Transfer & Serv-U FTP Server > Serv-U File Server Administrator Guide > Server overview > Configure server encryption

Configure server encryption

Created by Anthony.Rinaldi_ret, last modified by Anthony.Rinaldi_ret on Jul 20, 2016

Views: 54 Votes: 0 Revisions: 2

Serv-U supports two methods of encrypted data transfer: Secure Socket Layer (SSL) and Secure Shell 2 (SSH2). SSL is used to secure the File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP). SSH2 is a method of securely interacting with a remote system that supports a method of file transfer commonly referred to as SFTP. Despite its name, SFTP does not have anything in common with the FTP protocol itself.

In order for each method of encryption to work, a certificate, a private key, or both must be supplied. SSL requires the presence of both, while SSH2 only requires a private key. If you do not have either of these required files, you can create them in Serv-U.

Encryption options specified at the server level are automatically inherited by all domains. Any encryption option specified at the domain level automatically overrides the corresponding server-level option. Certain configuration options are only available to the server.

When creating SSL/TLS, SSH, and HTTPS encrypted domains within Serv-U, it is important to know that encrypted domains cannot share listeners. Because SSL/TLS and SSH encryption is based on encrypting traffic sent between IP addresses, each domain must have unique listeners in order to operate properly. In the case that multiple encrypted domains are created that share listeners, the domain that is created first takes precedence, and causes other encrypted domains to fail to function properly. To operate multiple encrypted domains, modify the listeners of each domain to ensure they listen on unique port numbers.

Configure SSL for FTPS and HTTPS

To use an existing certificate:

  1. Obtain an SSL certificate and private key file from a certificate authority.
  2. Place these files in a secured directory in the server.
  3. Use the appropriate Browse button to select both the certificate and private key files.
  4. If a CA (Certificate Authority) PEM file has been issued, enter or browse to the file.
  5. Enter the password used to encrypt the private key file.
  6. Click Save.

If the provided file paths and password are all correct, Serv-U starts to use the certificate immediately to secure FTPS and HTTPS connections using the provided certificate. If the password is incorrect or Serv-U cannot find either of the provided files, an error message is displayed that explains the encountered error.

To create a new certificate:

  1. Click Create Certificate.
  2. Specify the Certificate Set Name that is used to name each of the files Serv-U creates.
  3. Specify the output path where the created files are to be placed. In most cases, the installation directory is a safe location (for example, C:\ProgramData\SolarWinds\Serv-U\).
  4. Specify the city in which the server or corporation is located.
  5. Specify the state (if applicable) in which the server or corporation is located.
  6. Specify the two-digit country code for the country in which the server or corporation is located.
  7. Specify the password used to secure the private key.
  8. Specify the full organization name.
  9. Specify the common name of the certificate. The IP address or the Fully Qualified Domain Name (FQDN) that users use to connect must be listed here.

    If the Common Name is not the IP address or FQDN used by clients to connect, clients may be prompted that the certificate does not match the domain name they are connecting to.

  10. Specify the business unit the server is located in.
  11. Specify the key length in bits.
  12. Click Create to complete the certificate creation.

Serv-U creates three files using the provided information: A self-signed certificate (.crt) that can be used immediately on the server but is not authenticated by any known certificate authority, a certificate request (.csr) that can be provided to a certificate authority for authentication, and a private key file (.key) that is used to secure both certificate files. It is extremely important that you keep the private key in a safe and secure location. If your private key is compromised, your certificate can be used by malicious individuals.

Viewing the certificate

To view the SSL certificate when it is configured, click View Certificate. All identifying information about the certificate, including the dates during which the certificate is valid, are displayed in a new window.

Advanced SSL options

The advanced SSL options can only be configured at the server level. All domains inherit this behavior, which cannot be individually overridden.

Serv-U now supports TLSv1.1 and TLSv1.2, and 15 new cipher suites, including Camellia, SEED, higher levels of SHA, and GCM cipher suites where encryption and authentication are native rather than two discrete operations. Serv-U also supports other cipher suites which enable perfect forward secrecy (PFS).

You can configure the following among the advanced SSL options:

  • Enable low-security SSL ciphers: Select this option to enable low-security SSL ciphers to be used. Some older or international clients may not support today's best SSL ciphers. Because these ciphers are considered insecure by today's computing standards, Serv-U does not accept these ciphers by default.
  • Disable SSLv2 or SSLv3 support: Serv-U supports several different versions of SSL. SSLv2 and SSLv3 have documented security weaknesses that make it less secure than TLS. However, it may be necessary to support SSLv2 or SSLv3 for compatibility with exported clients or old client software. Select the relevant option to disable support for the SSLv2 or SSLv3 protocols.
  • Disable TLSv1.0, TLSv1.1 or TLSv1.2 support: For compatibility reasons, it may be necessary to disable certain versions of TLS. Select the relevant option to disable support for TLSv1.0, TLSv1.1 or TLSv1.2.

To enable or disable specific cipher suites, click Configure Cipher Suites.

You can configure the following cipher suites:

  • TLSv1.2 only cipher suites: Cipher suites used only by TLSv1.2. If TLSv1.2 is disabled, changing a setting here has no effect.
  • TLSv1.x and SSLv3 cipher suites: Cipher suites used by SSLv3 and all versions of TLSv1.
  • SSLv2 cipher suites: Cipher suites used only by SSLv2. If you disabled SSLv2, changing a setting here has no effect.
  • Low security cipher suites: Cipher suites that are considered to be insecure for modern cryptographic use, but may be required for legacy applications. If you disabled low security ciphers, changing a setting here has no effect.

FIPS options

Enable FIPS 140-2 mode: FIPS 140-2 is a set of rigorously tested encryption specifications set by the National Institute of Standards and Technology (NIST). Enabling FIPS 140-2 mode limits Serv-U to encryption algorithms certified to be FIPS 140-2 compliant and ensures the highest level of security for encrypted connections.

By enabling FIPS mode, the OpenSSL library of Serv-U will run in FIPS compliant mode.

When FIPS 140-2 mode is enabled, ciphers which are not FIPS compliant are not accepted, and applications which are not FIPS compliant cannot connect to Serv-U.

In practice it means that older hardware and legacy applications which have embedded support for, for example, SSH, may stop working correctly when FIPS mode is enabled. Additionally, non-compliant SSH keys and certificates stop working after enabling FIPS mode.

To avoid these issues, the recommended workflow is to first enable FIPS mode, and then configure your security certificates and SSH private keys to make sure they are FIPS compliant.

For the list of encryption algorithms and ciphers compliant with FIPS, see the NIST website.

SFTP (Secure File Transfer over SSH2)

To use an existing private key:

  1. Obtain a private key file.
  2. Place the private key file in a secured directory in the server. Use Browse in Serv-U to select the file.
  3. Enter the password for the private key file.
  4. Click Save. After clicking Save, Serv-U displays the SSH key fingerprint associated with the private key.

To create a private key:

  1. Click Create Private Key.
  2. Enter the name of the private key (for example, MyDomain Key), which is also used to name the storage file.
  3. Enter the output path of the certificate (for example, C:\ProgramData\SolarWinds\Serv-U\).
  4. Select the Key Type (default of DSA is preferred, but RSA is available).
  5. Select the Key Length (default of 1024 bits provides best performance, 2048 bits is a good median, and 4096 bits provides best security).
  6. Enter the password to use for securing the private key file.
  7. After you create a new key, Serv-U displays the SSH key fingerprint associated with the new private key.

SSH ciphers and MACs

By default, all supported SSH ciphers and MACs (Message Authentication Codes) are enabled for use by the server. If your specific security needs dictate that only certain ciphers or MACs can be used, you can individually disable unwanted ciphers and MACs by deselecting the appropriate ciphers or MACs.

Last modified
09:19, 20 Jul 2016

Tags

Classifications

Public