Trusted Certificates
Trusted certificates provide a more flexible way to define X.509 certificates for both SFTP (SSH) and FTPS transfers.
Typically, CA (Certificate Authority) certificates are added as trusted certificates to TIBCO MFT Internet Server. When certificate authentication is turned on for your Internet Server SSH server and an SSL negotiation is performed, any certificate signed by the trusted certificate is accepted. Then the distinguished name of the certificate is matched against the Certificate DN parameter in the Authentication Options section on the Add User page.
If you want to monitor a CRL for revoked certificates, you must save the CRL list into the <MFTIS_install>\<context>\ftp\crl directory. Then, set the Certificate CRL Processing parameter in the Global Settings section on the System Configuration page. All outgoing CRL processing is for server certificate authentication. Incoming CRL processing is for either user or server authentication.
- If a certificate is assigned to a user or server, the trusted certificate is not checked. In addition, TIBCO MFT Internet Server checks the following things:
- If no certificate is found assigned to a user or server, the trusted certificates are used for validation, performing the following tasks:
  - Verify the certificate is signed by one of the trusted certificates in the TIBCO MFT Command Center database.
  - Check the CRL if certificate CRL processing is enabled.
  - Validate the DN extracted from the certificate against the Certificate DN parameter in the Authentication Options section on the Add User page.
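The three validation tasks above can be rehearsed outside the product with the OpenSSL command line. The following is an added example, not TIBCO code or part of the product documentation: it builds a throwaway CA, issues two client certificates, revokes one, and runs the same checks in the same order. The file names, the DNs and the RFC 2253 string form used for the expected DN are assumptions; the page does not state which DN format the Certificate DN parameter expects.

```shell
#!/bin/sh
# Added example: the CA, certificates, DNs and file names are all constructed.
set -eu

# Throwaway PKI in directory $1: a CA, clients alice and mallory (revoked),
# and a self-signed "rogue" certificate that reuses alice's DN.
build_demo_pki() {
  pki=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=Example/CN=Demo CA" \
    -keyout "$pki/ca.key" -out "$pki/ca.pem" 2>/dev/null
  for name in alice mallory; do
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=$name" \
      -keyout "$pki/$name.key" -out "$pki/$name.csr" 2>/dev/null
    openssl x509 -req -in "$pki/$name.csr" -CA "$pki/ca.pem" -CAkey "$pki/ca.key" \
      -CAcreateserial -days 2 -out "$pki/$name.pem" 2>/dev/null
  done
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=Example/CN=alice" \
    -keyout "$pki/rogue.key" -out "$pki/rogue.pem" 2>/dev/null
  # Minimal "openssl ca" database, used only to revoke mallory and emit a CRL.
  : > "$pki/index.txt"
  printf '[ca]\ndefault_ca=demo\n[demo]\ndatabase=%s/index.txt\ndefault_md=sha256\ndefault_crl_days=1\n' \
    "$pki" > "$pki/ca.cnf"
  openssl ca -config "$pki/ca.cnf" -cert "$pki/ca.pem" -keyfile "$pki/ca.key" \
    -revoke "$pki/mallory.pem" >/dev/null 2>&1
  openssl ca -config "$pki/ca.cnf" -cert "$pki/ca.pem" -keyfile "$pki/ca.key" \
    -gencrl -out "$pki/crl.pem" >/dev/null 2>&1
}

# check_client_cert CA_PEM CRL_PEM CERT_PEM EXPECTED_DN
# Prints one of: accepted | untrusted | crl-check-failed | dn-mismatch
check_client_cert() {
  # 1. Is the certificate signed by the trusted (CA) certificate?
  openssl verify -CAfile "$1" "$3" >/dev/null 2>&1 || { echo untrusted; return 0; }
  # 2. Same chain check with the CRL enforced; a revoked certificate or a
  #    stale or unusable CRL fails here.
  openssl verify -CAfile "$1" -CRLfile "$2" -crl_check "$3" >/dev/null 2>&1 \
    || { echo crl-check-failed; return 0; }
  # 3. Compare the subject DN (RFC 2253 form, an assumed format) with the
  #    value that would be entered for the user.
  subject=$(openssl x509 -in "$3" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  if [ "$subject" = "$4" ]; then echo accepted; else echo dn-mismatch; fi
}
```

The rogue certificate carries the same DN as alice but fails at the first step, which is why the signature check has to come before the DN comparison.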