Basic Guidelines
To configure a FileZilla server setup for FTP features with Curator Connect uploads the below configuration Is required.
SSL/TSL/Encryption for FTP in FileZilla Server
- Create a user with password in the O/S e.g., "curatordev" or "curatorprod"
- Within FileZilla select the Edit menu and Users
- In the right side of the popped-up "Users" window select the Add button
- Enter in the name of the user account created previously that should be added
- Click the OK button
- Under Account Settings tick Password
- Enter in the user's Password as previously created
- Tick Force TLS for user login
- Under the Page control on the left select the Shared folders option, while also on the right side under the Users menu, the relevant user account you want to configure against is also selected
- Click the Add button
- Select folder location
- Click the Ok button
- On the right under the Files menu, make sure Read, Write, and Append are ticked
- Under the Directories menu, make sure Create, List, and +Subdirs are ticked
- Click the OK button
- While still in FileZilla, select the Edit menu and then the Settings option to get a new pop-up window
- On the left select FTP over TLS Settings
- On the right under Explicit and implicit FTP over TLS, make sure that Allow explicit FTP over TLS (default: yes) is ticked.
- Make sure Force PROT P to encrypt file transfers when using FTP over TLS is unticked
-
You may or may not have to tick Require TLS session resumption on data connection when using PROT P - Previously this was a ticked requirement for XCode, but a recent Microsoft O/S update appears to have reversed this so that the setting must be unticked in order for XCode to be able to read and write via FileZilla FTP(S). For Curator Connect unticked appears to work.
- If creating a new self-signed certificate within FileZilla choose the Generate new certificate button to create a CSR request file.
NOTE- We recommend this is only done when you have access to an internal/private certificate authority to generate the cert internally or using a third party authority like "lets encrypt". - If using an existing certificate - Browse and select the Private key file and Certificate file .pem or .cert files, and supply the Key password
- OK button
- See the following section for private authorities/self-signed certs.
- You may need to give the previously created user O/S read/write rights over the FTP site Content Directory Physical path too
Self-Signed Certificate
As it’s becoming almost a requirement with today’s security within almost all browsers, you can't typically use self-signed certificates for secure connections, which poses a significant issue when certificates can't be verified publicly by client machines.
With recent releases pf Curator Connect, you can arrange to use private certificate authorities (i.e. of your own making) to certify the ftp server's certificate. This Is now required when using certs that can't be readily verified either from a private authority (self-signed from an organisation) or when no Internet connectivity can be used from Internal environments to external www certificate authorities.
Since Curator Connect uses a chromium interface, the above Is relevant for connections between the clients and Curator Gateway.
Private Certificate Authorities (Internally signed certificates/ self-signed certificates)
When generating a CSR for cert creation, we recommend at least a 2048bit encryption.
Since the CSR will be an Internally generated one, or initiated from FileZilla direct, you should have all the relevant company details to be associated with the cert (these details can be Important If using an Internal authority to validate the cert)
You'll need to have as part of the certs CSR a valid common name for the HOST of the FileZilla server, this needs to be a FQDN that resolves via Internal/external DNS to the correct address.
Once you have generated the certificate we Ideally need the private key and the .pem bundle made available by the Issuing authority.
As per the previous section, add the private key file and cert/pem file to the "FTP over TLS settings" section and use the secret password that was used during cert creation.
If using a third-party cert authority like the free "lets encrypt" authority, typically they don't Include the Important Intermediate certs required directly during cert generation. At the time of documentation this can be downloaded from this link: https://letsencrypt.org/certificates/
Use the red highlighted .pem file:
The reason we are using a .PEM file as the cert Is this typically comes bundled with an Intermediary cert and a root cert as well as the certificate file used. These are key for a proper end to end secure encryption for the client to trust.
Since in the scenario to use an Internal cert or a self-signed cert, it’s likely that the authority Is either Internal or not accessible, and as such may not be "publicly" accessible/trusted.
Once we have the .PEM file from the local cert authority or third-party authority, for It to work seamlessly with FileZilla and Curator Connect we need to take a copy of the .PEM file, and rename It to:
"FTPPublicKey.pem"
We then need to copy said .PEM file to the relevant config location In the Curator Server Service Installation folder.
For each workgroup that we configure Curator Connect in CSA, we need to add this file to the relevant folder location In the Installation folder structure, here is an example for the System Administrators workgroup:
Now each client running Curator Connect will be able to trust the private/Internal certificate authority associated with the self-signed certificate used.