File Transfer Mode
TIBCO MFT Platform Server for UNIX supports the following modes of operation for incoming and outgoing Platform Server requests. The mode applies both to file transfer requests and to administrative requests such as audit collection, server status, and node and profile updates.
- Clear text mode. The password is encrypted using a proprietary encryption algorithm, but the file data is sent unencrypted. Treat this mode as providing no confidentiality on the wire.
- AES 256 encryption mode. The password and data are encrypted using AES256. The encryption key is generated by an algorithm run on both the Client and the Server, and file transfer data is encrypted with this symmetric AES256 key.
- SSL (or TLS) mode. MFT establishes an SSL/TLS connection with the partner server and exchanges a symmetric AES256 encryption key over that secure connection. MFT uses this AES256 key to encrypt and decrypt all data. MFT also adds a message digest and a sequence number to each record, so that records altered, replayed or reordered in transit (a man-in-the-middle attack) are detected.
- Tunnel mode. All data is sent over a negotiated TLS connection, and each transfer creates a new TLS connection. The TLS protocols and ciphers can be configured in the Global section of the config.txt file.
Tunnel mode is the most secure option and is strongly suggested when communicating with partners over the internet. Tunnel mode requires TIBCO MFT Internet Server V8.2 and TIBCO MFT Platform Server V8.0 or higher.
ZLIB compression is applied before encryption, so an attacker who recovers the stream must also decompress it. Compression is not a cryptographic control, however: the confidentiality of the transfer rests entirely on the AES256 or TLS protection of the chosen mode, not on the compression.
SSLAUTH Configuration File
When using SSL/TLS or tunnel modes, additional validation can be performed. The SSLAUTH configuration is described in the TIBCO® Managed File Transfer Platform Server for UNIX User's Guide in the section titled "Configured SSL Authorization Parameters". This file allows you to compare fields in the certificate DN (Distinguished Name) against predefined parameters in the SSLAUTH file. If no match is made, the request is terminated with an error. SSLAUTH checking requires the config.txt parameter ClientVerification to be set to Y; without it the partner is never asked for a certificate, so there is no DN to check.
CRL for TLS/SSL and Tunnel Transfers
The TIBCO® Managed File Transfer Platform Server for UNIX User's Guide describes how to configure CRL support in the section titled "CRL Support".
For a small, known set of certificates it is simpler to update the SSLAuth file to deny access to those specific certificates. Note that a deny entry only blocks the certificates you list, whereas a CRL also catches certificates the issuing CA has revoked without your knowledge.
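The following is an added illustrative example, not TIBCO's SSLAUTH file format or the product's own code. It shows the two checks the sections above describe: matching fields of a client certificate's subject DN against configured allow rules, and refusing individual certificates by fingerprint (the deny-list alternative to a CRL). It also models the ClientVerification=Y precondition: when no client certificate was presented there is nothing to authorize. The ClientCert class, the rule syntax (glob patterns per DN attribute) and all certificate data are constructed for the example.

```python
import fnmatch
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical stand-in for a certificate handed up by the TLS layer. In a real
# server the subject DN and DER bytes come from the peer certificate, which is
# only present when the server requires one (ClientVerification=Y).
@dataclass
class ClientCert:
    subject_dn: str   # RFC 4514 string, e.g. "CN=mft-partner1,OU=Transfers,O=Example Corp,C=US"
    der: bytes        # DER encoding; used here only to derive a fingerprint

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


def parse_dn(dn: str) -> dict:
    """Split an RFC 4514 DN string into {ATTRIBUTE: value}.

    Handles backslash-escaped commas inside values (e.g. 'O=Acme\\, Inc') and
    whitespace around RDNs; attribute types are upper-cased. Multi-valued RDNs
    joined with '+' are not handled, which is enough for this illustration.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    out = {}
    for rdn in parts:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        out[attr.strip().upper()] = value.strip()
    return out


@dataclass
class Policy:
    # Each rule maps DN attributes to glob patterns; a certificate is allowed
    # only if every attribute of at least one rule matches its subject DN.
    allow_rules: list = field(default_factory=list)
    # SHA-256 fingerprints of certificates refused regardless of their DN.
    denied_fingerprints: set = field(default_factory=set)


def rule_matches(rule: dict, dn: dict) -> bool:
    # Values are compared case-sensitively; a missing attribute never matches.
    return all(attr in dn and fnmatch.fnmatchcase(dn[attr], pattern)
               for attr, pattern in rule.items())


def authorize(cert: Optional[ClientCert], policy: Policy) -> tuple[bool, str]:
    """Return (allowed, reason). Deny-by-fingerprint is checked before the DN
    rules so that a revoked certificate with an otherwise valid DN is refused."""
    if cert is None:
        return False, "no client certificate presented (requires ClientVerification=Y)"
    fp = cert.fingerprint()
    if fp in policy.denied_fingerprints:
        return False, f"certificate {fp[:16]}... is explicitly denied"
    try:
        dn = parse_dn(cert.subject_dn)
    except ValueError as exc:
        return False, f"unparseable subject DN: {exc}"
    for rule in policy.allow_rules:
        if rule_matches(rule, dn):
            return True, f"matched rule {rule}"
    return False, "subject DN matched no authorization rule"


# Constructed sample certificates (DER bytes are placeholders, not real certificates).
GOOD = ClientCert("CN=mft-partner1,OU=Transfers,O=Example Corp,C=US", b"cert-A")
WRONG_OU = ClientCert("CN=mft-partner2,OU=Developers,O=Example Corp,C=US", b"cert-B")
REVOKED = ClientCert("CN=mft-partner3,OU=Transfers,O=Example Corp,C=US", b"cert-C")
ESCAPED = ClientCert("CN=mft-eu,OU=Transfers,O=Example\\, Corp,C=DE", b"cert-D")

POLICY = Policy(
    allow_rules=[
        {"O": "Example Corp", "OU": "Transfers", "CN": "mft-*"},
        {"O": "Example, Corp", "OU": "Transfers", "C": "DE"},
    ],
    denied_fingerprints={REVOKED.fingerprint()},
)

if __name__ == "__main__":
    for cert in (None, GOOD, WRONG_OU, REVOKED, ESCAPED):
        allowed, reason = authorize(cert, POLICY)
        print("ALLOW" if allowed else "DENY ", reason)
```

Running the block prints one line per sample: the missing certificate, the wrong OU and the denied fingerprint are refused, while the two certificates whose DN fields satisfy a rule are allowed. The ordering matters: the fingerprint deny list is consulted before any DN rule, which is what makes "deny access to specific certificates" in the SSLAuth file work as a revocation substitute.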