Configure domain encryption

Created by Anthony.Rinaldi, last modified by Anthony.Rinaldi on Jul 20, 2016

Serv-U supports two methods of encrypted data transfer: Secure Sockets Layer (SSL) and Secure Shell 2 (SSH2). SSL is used to secure the File Transfer Protocol (FTP) and the Hypertext Transfer Protocol (HTTP). SSH2 is a method of securely interacting with a remote system, and it supports a method of file transfer commonly referred to as SFTP. Despite its name, SFTP does not have anything in common with the FTP protocol itself.

In order for each method of encryption to work, a certificate, a private key, or both must be supplied. SSL requires the presence of both, while SSH2 only requires a private key. If you do not have either of these required files, you can create them in Serv-U.

Encryption options specified at the server level are automatically inherited by all domains. Any encryption option specified at the domain level automatically overrides the corresponding server-level option. Certain configuration options are only available to the server.

When creating SSL/TLS, SSH, and HTTPS encrypted domains within Serv-U, keep in mind that encrypted domains cannot share listeners. Because SSL/TLS and SSH encryption is based on encrypting traffic sent between IP addresses, each domain must have unique listeners in order to operate properly. If multiple encrypted domains share listeners, the domain that was created first takes precedence, and the other encrypted domains fail to function properly. To operate multiple encrypted domains, modify the listeners of each domain to ensure they listen on unique port numbers.

Configure SSL for FTPS and HTTPS

To use an existing certificate:

  1. Obtain an SSL certificate and private key file from a certificate authority.
  2. Place these files in a secured directory on the server.
  3. Use the appropriate Browse button to select both the certificate and private key files.
  4. If a CA (Certificate Authority) PEM file has been issued, enter or browse to the file.
  5. Enter the password used to encrypt the private key file.
  6. Click Save.

If the provided file paths and password are all correct, Serv-U immediately starts to use the provided certificate to secure FTPS and HTTPS connections. If the password is incorrect or Serv-U cannot find either of the provided files, an error message is displayed that explains the encountered error.
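The same conditions (files present, password decrypts the key) can be checked before the paths are entered in Serv-U. The following is an added example, not Serv-U code: it uses Python's standard `ssl` module, which also rejects a private key that does not belong to the certificate. The function names, the sample password and the constructed sample files are assumptions of this example.

```python
import os
import ssl
import tempfile

def preflight(cert_path, key_path, key_password, ca_path=None):
    """Load a certificate set the way a TLS server would; return (ok, message)."""
    for label, path in (("certificate", cert_path), ("private key", key_path),
                        ("CA file", ca_path)):
        if path is not None and not os.path.isfile(path):
            return False, f"{label} file not found: {path}"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # Fails if a PEM file is malformed, the password does not decrypt the
        # key, or the private key does not match the certificate. A string is
        # always passed as password so OpenSSL never prompts on the terminal.
        ctx.load_cert_chain(cert_path, key_path, password=key_password or "")
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return False, f"certificate/key pair rejected: {exc}"
    if ca_path is not None:
        try:
            ctx.load_verify_locations(cafile=ca_path)
        except OSError as exc:
            return False, f"CA file rejected: {exc}"
    return True, "certificate, private key and password are consistent"

def demo():
    """Exercise the failure paths on CONSTRUCTED files (not real key material)."""
    with tempfile.TemporaryDirectory() as tmp:
        cert = os.path.join(tmp, "sample.crt")
        key = os.path.join(tmp, "sample.key")
        for path in (cert, key):
            with open(path, "w") as fh:
                fh.write("-----BEGIN GARBAGE-----\nconstructed\n-----END GARBAGE-----\n")
        return [preflight(os.path.join(tmp, "missing.crt"), key, "example-password"),
                preflight(cert, key, "example-password")]

if __name__ == "__main__":
    for ok, message in demo():
        print("OK  " if ok else "FAIL", message)
```

Run against the real files, `preflight` returns `(True, ...)` only when all of the inputs from steps 3 to 5 agree with each other.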

To create a new certificate:

  1. Click Create Certificate.
  2. Specify the Certificate Set Name that is used to name each of the files Serv-U creates.
  3. Specify the output path where the created files are to be placed. In most cases, the installation directory is a safe location (for example, C:\ProgramData\RhinoSoft\Serv-U\).
  4. Specify the city in which the server or corporation is located.
  5. Specify the state (if applicable) in which the server or corporation is located.
  6. Specify the 2-digit country code for the country in which the server or corporation is located.
  7. Specify the password used to secure the private key.
  8. Specify the full organization name.
  9. Specify the common name of the certificate. The IP address or the Fully Qualified Domain Name (FQDN) that users use to connect must be listed here.

    If the Common Name is not the IP address or FQDN used by clients to connect, clients may be prompted that the certificate does not match the domain name they are connecting to.

  10. Specify the business unit the server is located in.
  11. Specify the key length in bits.
  12. Click Create to complete the certificate creation.

Serv-U creates three files using the provided information: a self-signed certificate (.crt) that can be used immediately on the server but is not authenticated by any known certificate authority, a certificate request (.csr) that can be provided to a certificate authority for authentication, and a private key file (.key) that is used to secure both certificate files. It is extremely important that you keep the private key in a safe and secure location. If your private key is compromised, your certificate can be used by malicious individuals.

View the certificate

To view the SSL certificate once it is configured, click View Certificate. All identifying information about the certificate, including the dates during which the certificate is valid, is displayed in a new window.

SFTP (Secure File Transfer over SSH2)

To use an existing private key:

  1. Obtain a private key file.
  2. Place the private key file in a secured directory on the server. Use Browse in Serv-U to select the file.
  3. Enter the password for the private key file.
  4. Click Save. After clicking Save, Serv-U displays the SSH key fingerprint associated with the private key.

To create a private key:

  1. Click Create Private Key.
  2. Enter the name of the private key (for example, MyDomain Key), which is also used to name the storage file.
  3. Enter the output path of the certificate (for example, C:\ProgramData\RhinoSoft\Serv-U\).
  4. Select the Key Type (default of DSA is preferred, but RSA is also available).
  5. Select the Key Length (default of 1024 bits provides best performance, 2048 bits is a good median, and 4096 bits provides best security).
  6. Enter the password to use for securing the private key file.
  7. After you create a new key, Serv-U displays the SSH key fingerprint associated with the new private key.
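To compare the fingerprint Serv-U displays with one computed independently, and to review the key type and length selected in steps 4 and 5, the following added example (not part of Serv-U or its documentation) parses an OpenSSH-format public key line using only the Python standard library. The 2048-bit threshold, the function names and the constructed sample keys are assumptions of this example; the page does not say which fingerprint format Serv-U shows, so both the SHA-256 and the legacy MD5 forms are computed.

```python
import base64
import hashlib

MIN_RSA_BITS = 2048  # threshold assumed by this example, not a Serv-U setting

def _field(blob, pos):
    """Read one length-prefixed field (RFC 4251 string or mpint)."""
    head = blob[pos:pos + 4]
    end = pos + 4 + int.from_bytes(head, "big")
    if len(head) < 4 or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end

def inspect_public_key(line):
    """Return type, size, fingerprints and warnings for one public key line."""
    declared, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    name, pos = _field(blob, 0)
    if name.decode("ascii") != declared:
        raise ValueError("key type in blob differs from line prefix")
    ints = []
    while pos < len(blob):
        raw, pos = _field(blob, pos)
        ints.append(int.from_bytes(raw, "big"))
    warnings = []
    if declared == "ssh-rsa" and len(ints) == 2:    # blob holds e, n
        bits = ints[1].bit_length()
        if bits < MIN_RSA_BITS:
            warnings.append(f"RSA modulus is {bits} bits, below {MIN_RSA_BITS}")
    elif declared == "ssh-dss" and len(ints) == 4:  # blob holds p, q, g, y
        bits = ints[0].bit_length()
        warnings.append("ssh-dss is disabled by default in OpenSSH 7.0 and later")
    else:
        raise ValueError("expected a well-formed ssh-rsa or ssh-dss key")
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob, usedforsecurity=False).digest().hex(":")
    return {"type": declared, "bits": bits, "warnings": warnings,
            "sha256": "SHA256:" + sha256, "md5": md5}

def sample_line(key_type, *ints):
    """Build a CONSTRUCTED public key line (not a usable key) from integers."""
    parts = [key_type.encode()] + [n.to_bytes(n.bit_length() // 8 + 1, "big") for n in ints]
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return f"{key_type} {base64.b64encode(blob).decode()} constructed-sample"

if __name__ == "__main__":
    print(inspect_public_key(sample_line("ssh-dss", (1 << 1023) | 1, (1 << 159) | 1, 2, 3)))
    print(inspect_public_key(sample_line("ssh-rsa", 65537, (1 << 2047) | 1)))
```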

SSH ciphers and MACs

By default, all supported SSH ciphers and MACs (Message Authentication Codes) are enabled for use by the server. If your specific security needs dictate that only certain ciphers or MACs can be used, you can individually disable unwanted ciphers and MACs by deselecting the appropriate ciphers or MACs.

Last modified
10:45, 20 Jul 2016
