FTPS Connector - Mule 4

Support Category: Premium

FTPS Connector v1.6

Anypoint Connector for FTPS (FTPS Connector) connects to FTP servers the same way as the FTP connector but adds support for Transport Layer Security (TLS).

Create a Connection

To create a basic FTPS Connection the host and workingDir (where the FTPS server is placed) are required. Additionally the port, which defaults to 21, can be also configured, and if the server runs with some security, you can specify a username and password.

<ftps:config name="FTPS_Config">
  <ftps:connection username="anonymous" password="password"
   host="0.0.0.0" port="21" workingDir="${workingDir}">
    <tls:context>
        <tls:trust-store path="path/to/keystore" password="mulepassword" />
    </tls:context>
  </ftps:connection>
</ftps:config>

FTPS Mode

Available in version 1.4.0 and later.

Explicit

The default way to connect to the FTP Server, which connects in an unprotected way to the server. The client can negotiate TLS for either the command or data channel.

Data Channel Protection Level (PROT)

In the FTPS Connector, two protection levels are configurable:

  • Clear (Default): The default protection level if no other level is specified is Clear. The Clear protection level indicates that the data channel carries the raw data of the file transfer, with no security applied.

  • Private: The Private protection level indicates that the integrity of the data and confidentiality are protected.

 <ftps:config name="FTPS_Config">
   <ftps:connection username="anonymous" password="password"
    host="0.0.0.0" port="21" workingDir="${workingDir}">
     <tls:context>
         <tls:trust-store path="path/to/keystore" password="mulepassword" />
     </tls:context>
     <ftps:ftps-mode >
         <ftps:ftps-explicit-mode protSetting="PRIVATE" />
     </ftps:ftps-mode>
   </ftps:connection>
 </ftps:config>
FTPS Data Channel Protection Level

Implicit

FTPS Implicit mode assumes that a secure connection through an SSL/TLS handshake must take place before any FTP command is sent. This ensures that the entire FTP session is encrypted.

<ftps:config name="FTPS_Config">
  <ftps:connection username="anonymous" password="password"
   host="0.0.0.0" port="21" workingDir="${workingDir}">
    <tls:context>
        <tls:trust-store path="path/to/keystore" password="mulepassword" />
    </tls:context>
    <ftps:ftps-mode >
        <ftps:ftps-implicit-mode />
    </ftps:ftps-mode>
  </ftps:connection>
</ftps:config>

Add the Connector to Your Project

Anypoint Studio provides two ways to add the connector to your Studio project: from the Exchange button in the Studio taskbar or from the Mule Palette view.

Add the Connector Using Exchange

  1. In Studio, create a Mule project.

  2. Click the Exchange icon (X) in the upper-left of the Studio task bar.

  3. In Exchange, click Login and supply your Anypoint Platform username and password.

  4. In Exchange, search for "ftps".

  5. Select the connector and click Add to project.

  6. Follow the prompts to install the connector.

Add the Connector in Studio

  1. In Studio, create a Mule project.

  2. In the Mule Palette view, click (X) Search in Exchange.

  3. In Add Modules to Project, type "ftps" in the search field.

  4. Click this connector’s name in Available modules.

  5. Click Add.

  6. Click Finish.

Configure TLS with Keystores and Truststores

You can use Transport Layer Security (TLS) and configure FTPS by providing a key store with your certificate. You can also enable 2-way authentication by providing a trust store. For details, see Configure TLS with Keystores and Truststores.

Configure Java JDK for Session Reuse

To reuse sessions using FTPS you must disable the Extended Master Secret extension for compatibility (JDK-8192045), which by default is set to true. The extension protects users from vulnerabilities by using the same session on different groups of clients and servers, which contradicts the demand to use the same session for control and data connections. With the Extended Master Secret extension activated, session reuse is possible only by endpoint verification, which is implemented for HTTPS and LDAP only.

To disable the Extended Master Secret extension when working in a standalone Mule environment, add the following argument to the JVM execution:

./bin/mule -Djdk.tls.useExtendedMasterSecret=false

To disable the extension when working in Anypoint Studio, follow these steps:

  1. In Studio, click Run > Run Configurations…​.

  2. In the Run Configurations screen, click the (x)=Arguments tab.

  3. In the VM arguments box, add the following argument to the JVM execution:

    -M-Djdk.tls.useExtendedMasterSecret=false

  4. Click Apply.

  5. Click Run.

ftps jvm configuration
Figure 1. JVM argument to disable Extended Master Secret in Run Configurations window