OneFS: How to enable FTPS support

Summary: This article explains how to configure OneFS to allow File Transfer Protocol Secure (FTPS) connections. FTPS is an extension to File Transfer Protocol (FTP) that adds support for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) cryptographic protocols. ...


Instructions

This article explains how to configure OneFS to allow File Transfer Protocol Secure (FTPS) connections. FTPS is an extension to File Transfer Protocol (FTP) that adds support for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) cryptographic protocols. This procedure is only for FTPS and does not apply to the separate SSH File Transfer Protocol (SFTP). For information about configuring SFTP, see the following document:

Enabling FTPS disables standard FTP Access!

Requisite tools or skills

  • A OneFS Cluster
  • A certificate and private key, either as separate files or as a single combined file

Setup Process

Advanced configuration changes to the FTP daemon are handled using an override file; this file is created when the FTP service is first enabled.

p950-1# grep override /etc/mcp/sys/files/vsftpd-restart
      <file name="/etc/mcp/override/vsftpd_config.xml" />
p950-1# cat /etc/mcp/override/vsftpd_config.xml
cat: /etc/mcp/override/vsftpd_config.xml: No such file or directory
p950-1# isi ftp modify --service=true
p950-1# cat /etc/mcp/override/vsftpd_config.xml
<?xml version="1.0" encoding="utf-8"?><isi-data file="vsftpd-config">
</isi-data>

XML override files use an isi-data tag, which is then filled with modify-text tags; the id attribute of each tag names the configuration option it overrides. To set up SSL or TLS, we must modify the following three values:

  • rsa_cert_file: This is the location of your X.509 certificate file.
  • rsa_private_key_file: This is the location of your RSA private-key file.
  • ssl_enable: This is a YES|NO value that defines whether the FTP daemon uses the files above.

Below is an example using a combined keypair file saved at /ifs/vsftpd/vsftpd.pem:

<?xml version="1.0" encoding="utf-8"?>
<isi-data file="vsftpd-config">
    <modify-text id="rsa_cert_file">/ifs/vsftpd/vsftpd.pem</modify-text>
    <modify-text id="rsa_private_key_file">/ifs/vsftpd/vsftpd.pem</modify-text>
    <modify-text id="ssl_enable">YES</modify-text>
</isi-data>

You can find additional valid field IDs in the template file at /etc/mcp/sys/vsftpd_config.xml along with their default values.

Generating a Self-Signed Key

If FTP traffic must be encrypted but does not need to reliably prove the server's identity, a self-signed certificate and key can be generated on the cluster itself. If a full chain of trust is required, your SSL team must provide the certificate and private key for your specific host, either as separate files or as a single combined file.

Below is the process to generate a self-signed certificate. The openssl command prompts you to answer questions about the final certificate. The resulting file, in this case named /ifs/vsftpd/vsftpd.pem, contains both the certificate and the private key.

# Directory for the keypair, with access restricted to its owner
mkdir -p /ifs/vsftpd/

chmod 700 /ifs/vsftpd

# -x509 writes a self-signed certificate instead of a signing request;
# -nodes leaves the private key unencrypted so the daemon can load it without a passphrase
openssl req \
-x509 \
-nodes \
-keyout /ifs/vsftpd/vsftpd.pem \
-out /ifs/vsftpd/vsftpd.pem \
-newkey rsa:2048

chmod 500 /ifs/vsftpd/vsftpd.pem

Additional Information

Notes on the Full Chain of Trust

Certificate files provided by your SSL team must be in the correct format. Certificates should be ordered from the most narrow entry outward: the server certificate first, then any intermediate certificates, and the CA certificate last. Typically this looks like the following:

-----BEGIN CERTIFICATE-----
Server Certificate Content
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate Certificate Content
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CA Certificate Content
-----END CERTIFICATE-----

When using an all-in-one or keypair file, the private key can be placed at either end of that chain.
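The ordering and key-placement rules above can be checked before the file is handed to vsftpd. The following POSIX shell function is an added example and is not part of the Dell article; the name ssl_chain_order_check is assumed, and it relies on openssl, awk and mktemp being available on the node.

```shell
# Checks a PEM bundle for the layout described above: certificates in
# leaf-to-CA order (each issuer is the next entry's subject) and the private
# key, if present, at either end rather than between certificates.
# Added example; the function name is assumed. Run as:
#   ssl_chain_order_check /ifs/vsftpd/vsftpd.pem
ssl_chain_order_check () {
  bundle="$1"
  if [ -z "$bundle" ] || [ ! -r "$bundle" ]; then
    echo "Run as: ssl_chain_order_check [key-pair or certificate chain file]"
    return 1
  fi
  key_line=$(grep -n -e '-----BEGIN .*PRIVATE KEY-----' "$bundle" | head -n 1 | cut -d: -f1)
  first_cert=$(grep -n -e '-----BEGIN CERTIFICATE-----' "$bundle" | head -n 1 | cut -d: -f1)
  last_cert=$(grep -n -e '-----END CERTIFICATE-----' "$bundle" | tail -n 1 | cut -d: -f1)
  if [ -z "$first_cert" ]; then
    echo "No certificate found in $bundle"
    return 1
  fi
  # A private key wedged between certificates splits the chain the daemon reads.
  if [ -n "$key_line" ] && [ "$key_line" -gt "$first_cert" ] && [ "$key_line" -lt "$last_cert" ]; then
    echo "Private key sits between certificates; move it to either end of the file"
    return 1
  fi
  # Split each certificate block into its own file so openssl can read them one at a time.
  tmp=$(mktemp -d) || return 1
  count=$(awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
    END { print n + 0 }' "$bundle")
  i=1
  status=0
  while [ "$i" -lt "$count" ]; do
    next=$((i + 1))
    issuer=$(openssl x509 -noout -issuer -in "$tmp/cert$i.pem" | sed 's/^issuer=//')
    subject=$(openssl x509 -noout -subject -in "$tmp/cert$next.pem" | sed 's/^subject=//')
    if [ "$issuer" != "$subject" ]; then
      echo "Chain break: certificate $i is not issued by certificate $next, check the order"
      status=1
      break
    fi
    i=$next
  done
  rm -rf "$tmp"
  [ "$status" -eq 0 ] && echo "$count certificate(s), ordered from server certificate to CA"
  return "$status"
}
```

After the override is applied, `openssl s_client -starttls ftp -connect <node>:21 -showcerts` shows the chain exactly as vsftpd presents it to clients.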

Verifying a Keypair

The following POSIX shell function uses openssl to verify that a certificate and private key are a matching pair.

ssl_keypair_check () {
  if [ -z "$1" ]; then
    echo "Run as:"
    echo " ssl_keypair_check [key-pair file] | [certificate file] [private-key file]"
    return 1
  fi
  cert_file="$1"
  # With a single argument, the combined keypair file holds both the certificate and the key
  if [ -z "$2" ]; then
    key_file="$cert_file"
  else
    key_file="$2"
  fi
  # Compare the RSA modulus from each side; they are equal only for a matching pair
  if cert_modulus=$(openssl x509 -noout -modulus -in "$cert_file"); then
    if key_modulus=$(openssl rsa -noout -modulus -in "$key_file"); then
      if [ "$cert_modulus" = "$key_modulus" ]; then
        echo "Values match, good to apply"
      else
        echo "Values do not match, check your certs."
        return 1
      fi
    else
      echo "Unable to read private key"
      return 1
    fi
  else
    echo "Unable to read certificate"
    return 1
  fi
}

Below is an example of using that function to check a self-signed key generated with the steps earlier in this document.

p950-1# ssl_keypair_check
Run as:
 ssl_keypair_check [key-pair file] | [certificate file] [private-key file]
p950-1# ssl_keypair_check /ifs/vsftpd/vsftpd.pem
Values match, good to apply

Notes

You can check a OneFS cluster’s supported SSL versions with the command below:

openssl ciphers -v | awk '{print $2}' | sort | uniq

Here is an example running on OneFS 9.5.0.0:

p950-1# openssl ciphers -v | awk '{print $2}' | sort | uniq
SSLv3
TLSv1.2

Affected Products

Isilon

Article Properties
Article Number: 000010736
Article Type: How To
Last Modified: 25 Nov 2025
Version: 5