Documentation for Serv-U MFT & Serv-U FTP Server

Domain encryption

Serv-U supports two methods of encrypted data transfer: Secure Sockets Layer (SSL) and Secure Shell 2 (SSH2). SSL is used to secure the File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP). SSH2 is a method of securely interacting with a remote system that supports a method of file transfer commonly referred to as SFTP. Despite its name, SFTP does not have anything in common with the FTP protocol itself.

In order for each of these methods of encryption to work, a certificate, a private key, or both must be supplied. SSL requires the presence of both, while SSH2 only requires a private key. If you do not have either of these required files, you can create them in Serv-U.

Encryption options specified at the server level are automatically inherited by all domains. Any encryption option specified at the domain level automatically overrides the corresponding server-level option. Certain configuration options are only available at the server level.

When creating SSL/TLS, SSH, and HTTPS encrypted domains within Serv-U, it is important to know that encrypted domains cannot share listeners. Because SSL/TLS and SSH encryption is based on encrypting traffic sent between IP addresses, each domain must have unique listeners in order to operate properly. If multiple encrypted domains are created that share listeners, the domain that was created first takes precedence, and the other encrypted domains fail to function properly. To operate multiple encrypted domains, modify the listeners of each domain to ensure they listen on unique port numbers.

Configure SSL for FTPS and HTTPS

Use an existing certificate

  1. Obtain an SSL certificate and private key file from a certificate authority.
  2. Place these files in a secured directory on the server.
  3. In Serv-U, select the domain and go to Limits & Settings > Encryption.

  4. Use the appropriate Browse buttons to select both the certificate and private key files.
  5. Enter the password used to encrypt the private key file.
  6. If a CA (Certificate Authority) PEM file has been issued, enter or browse to the file.
  7. Click Save.

If the provided file paths and password are all correct, Serv-U will start to secure FTPS and HTTPS connections using the provided certificate. If the password is incorrect or Serv-U cannot find either of the provided files, an error message is displayed.

Create a new certificate

  1. In Serv-U, select the domain and go to Limits & Settings > Encryption.
  2. Click Create Certificate.
    The New Certificate Creation window is displayed.

  3. Specify the Certificate Set Name to name each of the files Serv-U creates. For example, entering "myName" would result in the creation of:

    myName.crt: The self-signed certificate file. This can be used immediately on the server but is not authenticated by any known certificate authority.
    myName.csr: The certificate request file. This can be provided to a certificate authority for authentication.
    myName.key: The private key file. This is used to secure both certificate files. It is extremely important that you keep the private key in a safe and secure location. If your private key is compromised, your certificate can be used by malicious individuals.

  4. Specify the output path where these files are to be placed. In most cases, the installation directory is a safe location. For example: C:\ProgramData\SolarWinds\Serv-U\.
  5. Enter the city, state (if applicable), two-digit country code, organization, and unit where the file server or corporation is located.
  6. Specify a password for creating the private key.
  7. Specify the common name/domain name for the certificate. The IP address or the Fully Qualified Domain Name (FQDN) that users use to connect should be used here.

    If you do not supply the IP address or FQDN used by clients to connect, clients may be prompted that the certificate does not match the domain name to which they are connecting.

  8. Select the required key length.
  9. Click Create.
    The three files are now created in the specified directory.

View the certificate

To view the SSL certificate when it is configured, click View Certificate. All identifying information about the certificate, including the dates during which the certificate is valid, is displayed in a new window.

Advanced SSL options

The advanced SSL options can only be configured at the server level. All domains inherit this behavior, which cannot be individually overridden.

For reasons of security, support for TLSv1.1 and earlier has been removed from Serv-U.

SFTP (Secure File Transfer over SSH2)

Use an existing private key

Make sure the private key is stored in PKCS#8 format before applying it while FIPS mode is on.

  1. Obtain a private key file.
  2. Place the private key file in a secured directory on the server.
  3. In Serv-U, select the domain and go to Limits & Settings > Encryption.

  4. Use Browse to select the file.
  5. Enter the password for the private key file.
  6. Click Save.
    After clicking Save, Serv-U will display the SSH key fingerprint associated with the private key.
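
The PKCS#8 requirement noted above can be checked before a key file is selected in Serv-U. The following Python is an added example, not SolarWinds code: it classifies a PEM private key by its header label and reports whether it is password-protected. The function name and the sample key texts are constructed for illustration.

```python
import re

# Standard PEM labels mapped to (container format, is it PKCS#8?).
# A traditional key can be rewritten as PKCS#8 with:
#   openssl pkcs8 -topk8 -in old.key -out new.key
PEM_KEY_LABELS = {
    "PRIVATE KEY": ("PKCS#8, unencrypted", True),
    "ENCRYPTED PRIVATE KEY": ("PKCS#8, password-protected", True),
    "RSA PRIVATE KEY": ("PKCS#1 (traditional RSA)", False),
    "EC PRIVATE KEY": ("SEC1 (traditional EC)", False),
    "DSA PRIVATE KEY": ("traditional DSA", False),
    "OPENSSH PRIVATE KEY": ("OpenSSH native", False),
}
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----", re.MULTILINE)

def classify_private_key(pem_text):
    """Return (format, is_pkcs8, encrypted); encrypted is None when the PEM text cannot tell."""
    for match in BEGIN_RE.finditer(pem_text):
        label = match.group(1)
        if label not in PEM_KEY_LABELS:
            continue  # e.g. a CERTIFICATE block stored in the same file
        fmt, is_pkcs8 = PEM_KEY_LABELS[label]
        if label == "OPENSSH PRIVATE KEY":
            return fmt, is_pkcs8, None  # protection is recorded inside the base64 body
        end = pem_text.find("-----END", match.end())
        body = pem_text[match.end():end if end != -1 else None]
        # Traditional formats flag encryption with an RFC 1421 header line.
        encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
        return fmt, is_pkcs8, encrypted
    raise ValueError("no PEM private key block found")

# Constructed samples: real PEM framing around a placeholder body, not usable keys.
SAMPLE_PKCS1 = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00000000000000000000000000000000

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
"""
SAMPLE_PKCS8 = """-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, pem in (("PKCS1", SAMPLE_PKCS1), ("PKCS8", SAMPLE_PKCS8)):
        print(name, classify_private_key(pem))
```

A key reported as not PKCS#8 should be converted before it is applied with FIPS mode on; a key reported as unencrypted has no password protecting it at rest.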

Create a private key

  1. In Serv-U, select the domain and go to Limits & Settings > Encryption.
  2. Click Create Private Key.

  3. Enter a name for the private key (for example, MyDomainKey), which is also used to name the storage file.
  4. Enter the output path of the certificate. For example, C:\ProgramData\SolarWinds\Serv-U\
  5. Select the Key Type. The default of RSA is preferred.
  6. Select the Key Length.
  7. Enter the password to use for securing the private key file.
  8. Click Create.

    After you create a new key, Serv-U displays the SSH key fingerprint associated with the new private key.

SSH ciphers, MACs and Key Exchange Algorithms

SSH ciphers CUST and Blowfish-cbc are disabled by default for security reasons. If your specific security needs dictate that only certain ciphers or MACs can be used, you can enable or disable individual ciphers and MACs by selecting or deselecting them.
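
To confirm that a cipher and MAC selection took effect, the algorithm lists a server advertises in its SSH key exchange message can be compared against your policy. Added example (not part of the Serv-U documentation or product): a parser for the SSH_MSG_KEXINIT payload defined in RFC 4253, run over a constructed sample. The allowlists and function names are hypothetical.

```python
import struct

SSH_MSG_KEXINIT = 20  # RFC 4253 section 7.1; FIELDS lists its ten name-lists in wire order
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Decode the name-lists from an SSH_MSG_KEXINIT payload (packet framing removed)."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}  # skip the message byte and the 16-byte cookie
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError(f"truncated before {field}")
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError(f"{field} overruns the payload")
        raw = payload[pos:pos + length].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += length
    return lists

def outside_policy(lists: dict, allowed_ciphers: set, allowed_macs: set) -> dict:
    """Return offered ciphers and MACs (either direction) that the allowlists exclude."""
    ciphers = set(lists["enc_c2s"]) | set(lists["enc_s2c"])
    macs = set(lists["mac_c2s"]) | set(lists["mac_s2c"])
    return {"ciphers": sorted(ciphers - allowed_ciphers), "macs": sorted(macs - allowed_macs)}

def build_kexinit(lists: dict) -> bytes:
    """Encode name-lists into a payload; used here only to construct the sample."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # zero cookie, constructed
    for field in FIELDS:
        data = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(data)) + data
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

# Constructed sample: the offer of a server with one legacy cipher and MAC left enabled.
SAMPLE = build_kexinit({
    "kex": ["curve25519-sha256"], "host_key": ["rsa-sha2-512"],
    "enc_c2s": ["aes256-ctr", "blowfish-cbc"], "enc_s2c": ["aes256-ctr", "blowfish-cbc"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1"], "mac_s2c": ["hmac-sha2-256", "hmac-sha1"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})
ALLOWED_CIPHERS = {"aes128-ctr", "aes256-ctr"}  # hypothetical policy, edit to suit
ALLOWED_MACS = {"hmac-sha2-256", "hmac-sha2-512"}

if __name__ == "__main__":
    print(outside_policy(parse_kexinit(SAMPLE), ALLOWED_CIPHERS, ALLOWED_MACS))
```

An empty result for both lists means every advertised cipher and MAC is inside the policy.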