FTP SSL needs to use AUTH TLS

Document ID : KB000045610
Last Modified Date : 14/02/2018

Issue: 

FTP jobs began to fail after a change in security policy was introduced. The change was to enforce secure connections to the SSL server using AUTH TLS. The following message is displayed in the job log:

534 Server requires authentication before USER command

Environment:  

CA Workload Automation ESP Edition (EE)

CA Workload Automation Agent r11.3

Cause: 

A change in internal security policy now enforces secure connections to the SSL server using AUTH TLS.

Resolution:

Review and follow the documented procedures for Configuring SSL FTP. This documentation can be found at https://docops.ca.com/ca-wla-agents/1134/en/administrating/setting-up-and-running-ftp-workload/configuring-ssl-ftp. Once this has been completed, you may proceed to the following steps.

1. Add the following parameters to the agentparm.txt file.

  • ftp.client.ssl=true
  • ftp.client.ssl.truststore=<as appropriate>
  • ftp.client.ssl.truststore.password=<as appropriate>
  • ftp.client.ssl.start_with_ssl_session=true  (This setting should force the 'AUTH TLS' to be sent.)
  • ftp.client.ssl.accept_new_ca=true  (This setting will import the certificate into the agent keystore.)

2. Restart the agent.

3. Run the FTP job.

4. The certificate only needs to be imported once, so after the job completes, edit the agentparm.txt file and change the ftp.client.ssl.accept_new_ca setting to false.

  • ftp.client.ssl.accept_new_ca=false

5. Restart the agent.

The agent should now be configured for AUTH TLS authentication.
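
To confirm that the procedure was carried through to step 4, the check below audits the contents of agentparm.txt and reports any FTP SSL parameter that does not match the final state described above. It is an added example, not CA code; the function names, the sample truststore path and password, and the assumption that the file holds key=value lines with '#' comment lines are all illustrative.

```python
# Added example (not vendor code): audit agentparm.txt text against the final
# state of the procedure above. Assumptions: key=value lines, '#' comment lines.
REQUIRED_TRUE = ("ftp.client.ssl", "ftp.client.ssl.start_with_ssl_session")
REQUIRED_SET = ("ftp.client.ssl.truststore", "ftp.client.ssl.truststore.password")
IMPORT_FLAG = "ftp.client.ssl.accept_new_ca"

# Constructed sample: agent still in certificate-import mode (after step 1).
SAMPLE_IMPORT_MODE = """\
# FTP SSL settings (constructed path and password)
ftp.client.ssl=true
ftp.client.ssl.truststore=/opt/agent/cacerts
ftp.client.ssl.truststore.password=example-password
ftp.client.ssl.start_with_ssl_session=true
ftp.client.ssl.accept_new_ca=true
"""

def parse_agentparm(text):
    """Return {key: [values]} and keep every occurrence of a key."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params.setdefault(key.strip(), []).append(value.strip())
    return params

def audit_ftp_ssl(text):
    """Return (key, problem) findings; an empty list means steps 1-4 are done."""
    params, findings = parse_agentparm(text), []

    def single(key):
        # Duplicate handling by the agent is not covered on this page, so
        # conflicting entries are reported instead of guessing which one wins.
        values = params.get(key, [])
        if len(set(values)) > 1:
            findings.append((key, "conflicting duplicate entries"))
            return None
        return values[0] if values else ""

    for key in REQUIRED_TRUE:
        if single(key) not in (None, "true"):
            findings.append((key, "must be true"))
    for key in REQUIRED_SET:
        value = single(key)
        if value is not None and (not value or value.startswith("<")):
            findings.append((key, "missing or placeholder value"))
    if single(IMPORT_FLAG) not in (None, "false"):
        findings.append((IMPORT_FLAG, "must be false after the import (step 4)"))
    return findings
```

Run against the constructed sample, audit_ftp_ssl reports only ftp.client.ssl.accept_new_ca, which is the state an agent is left in if step 4 is skipped.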