FL EDI SECURE FTP CONNECTIVITY TROUBLESHOOTING GUIDE. SSL/FTP (File Transfer Protocol over Secure Sockets Layer)

Transcription

1 FL EDI SECURE FTP CONNECTIVITY TROUBLESHOOTING GUIDE This troubleshooting guide covers secure file transfers using the SFTP and SSL/FTP file transfer protocols for Claims, POC, and Medical EDI transmissions. Jump to SFTP Section SSL/FTP (File Transfer Protocol over Secure Sockets Layer) FL s implementation of FTP over SSL/TLS uses passive mode for data connections: How passive mode works: The initial FTP connection is made over the standard FTP command channel (port 21). The initial certificate exchange and logon occur over port 21. When the client is ready for a data connection, the client requests a high port number to use for the data connection. The server assigns the lowest available port in the available range and returns the port number to the client. The port number returned by the server is dynamic and will change based on current system load, number of users, and actual file transfers taking place. To communicate with FL s FTP server using the SSL/FTP protocol outgoing requests must be permitted on the following ports: Port 21 (FTP command channel) Ports (Passive mode data connections) Please note: These ports only need to be available for outgoing connections (connections originating from inside your organization). If routers/firewalls are configured correctly, this should not create security vulnerabilities or expose your organization to hackers. If you are concerned with your employees being able to connect to other computers on the internet, or believe this activity will create a security risk, you can take the following measures to restrict connections: 1) Only permit outgoing connections on these port numbers to FL s FTP server. a. Permit outgoing TCP connections from any internal host to FL s FTP server ( ) when the TCP port = 21 (FTP Command). b. Permit outgoing TCP connections from any internal host to FL s FTP server ( ) when the TCP port is between and (Data Connections).

2 2) Only permit outgoing connections on these port numbers to FL s FTP server from a specific IP address or subnet in your organization. a. Permit outgoing TCP connections from select internal host(s) (single IP or subnet) to FL s FTP server ( ) when the TCP port = 21 (FTP Command). b. Permit outgoing TCP connections from select internal host(s) (single IP or subnet) to FL s FTP server ( ) when the TCP port is between and (Data Connections). The following is a log of a successful SSL/FTP Session where the following high level events occur: An SSL/FTP connection is established over port 21 A User ID, Password, and SSL certificate are authenticated The current directory is changed (CWD) A directory listing is returned A file is transferred The user logs off Log from Successful SSL/FTP File Transfer Command Issued from Command Prompt: wsftppro s local:c:\users\humelsinem\desktop\s a P.TXT d SSL:/incoming/S A P.TXT binary Break Down of Command: wsftppro: s: [local]: File Path on Client: d: [SSL]: File Path on Server: binary: Client software program (WS FTP Pro/Ipswitch) Specifies the Source File Path Indicates the file is on the local machine c:\users\humelsinem\desktop\s a P.TXT Specifies the Destination File (does not have to be the same file name) Alias created to identify site in WS FTP (holds user id, password, SSL certificate) /incoming/s a P.TXT Overrides WS FTP Pro settings and forces Binary Mode Creating FTP Connection on port 21: Finding Host dwcftp.fldfs.com... [ :49:32.387] Connecting to :21

3 [ :49:32.387] Connected to :21 in seconds, Waiting for Server Response Forced into SSL Session to Retrieve Client Certificate: [ :49:32.387] Initializing SSL Session... [ :49:33.666] 220 EFT Server Enterprise Build [ :49:33.666] AUTH TLS Server Accepts the Client Certificate and starts 256 bit Encrypted Connection: [ :49:33.682] 234 AUTH Command OK. Initializing SSL connection. [ :49:34.087] SSL session NOT set for reuse [ :49:34.119] SSL Session Started. FTP User ID and Password Authentication: [ :49:34.119] USER [ :49:34.134] 331 Password required for [ :49:34.134] PASS (hidden) [ :49:34.134] 230 Login OK. Proceed. Client Interrogates the Server to Discover the Host Type and the Features it Supports: System Type [ :49:34.134] SYST [ :49:34.134] 215 UNIX Type: L8 [ :49:34.134] Host type (2): Unix (Standard) [ :49:34.134] PBSZ 0 [ :49:34.134] 200 PBSZ Command OK. Protection buffer size set to 0. [ :49:34.134] PROT P [ :49:34.150] 200 PROT Command OK. Using Private data connection Features [ :49:34.150] Sending "FEAT" command to determine what features this server supports. [ :49:34.150] FEAT [ :49:34.150] 211 Features supported: [ :49:34.150] COMB target;source_list [ :49:34.150] REST STREAM [ :49:34.150] SIZE [ :49:34.150] MDTM [ :49:34.150] XCRC filename;start;end [ :49:34.150] SSCN [ :49:34.150] MLST Size*;Modify*;Create;Type*;Unique;Perm*;Lang;Media Type;CharSet; [ :49:34.150] MODE Z

4 [ :49:34.150] XNOP [ :49:34.150] 211 END [ :49:34.150] Finished interpreting "FEAT" response. Getting the Current Directory Listing: [ :49:34.150] PWD [ :49:34.150] 257 "/" is current folder. Changing Directory to [/incoming]: [ :49:34.150] CWD incoming [ :49:34.197] 250 Folder changed to "/incoming". Getting Directory Listing: [ :49:34.197] PWD [ :49:34.197] 257 "/incoming" is current folder. ASCII Mode Data Connection is Requested for the Directory Listing: [ :49:34.197] TYPE A [ :49:34.197] 200 Type set to A. Client Enters Passive Mode to Receive the Directory Listing: [ :49:34.197] PASV [ :49:34.197] 227 Entering Passive Mode (172,17,200,17,116,181). Server Instructs Client to Use Port for the Data Connection: [ :49:34.197] connecting data channel to :116,181(29877) [ :49:34.197] data channel connected to :116,181(29877) Client Requests Directory Listing: [ :49:34.197] LIST [ :49:34.212] 150 Opening ASCII mode data connection for file list. [ :49:34.259] # transferred 312 bytes in < seconds, kbps ( kbps), transfer succeeded. [ :49:34.431] 226 Transfer complete. 378 bytes transferred. 378 bps. Client Requests Binary Mode Data Transfer for File Upload: [ :49:34.431] TYPE I [ :49:34.431] 200 Type set to I. Client Enters Passive Mode for File Upload Listing: [ :49:34.431] PASV

5 [ :49:34.431] 227 Entering Passive Mode (172,17,200,17,112,20). Server Instructs Client to Use Port for the Data Connection: [ :49:34.431] connecting data channel to :112,20(28692) [ :49:34.446] data channel connected to :112,20(28692) Client Uploads File to Server: [ :49:34.446] STOR S A P.TXT [ :49:34.446] 150 Opening BINARY mode data connection for S A P.TXT. [ :49:34.665] 226 Transfer complete. 107 bytes transferred. 107 bps. [ :49:34.665] # transferred 107 bytes in seconds, bps ( Bps), transfer succeeded. Transfer request completed with status: Finished Closing SSL/FTP Connection: [ :49:34.665] QUIT [ :49:34.665] 221 Service closing control connection. [ :49:34.665] Connection closed. Ready for next connection.

6 SFTP (Secure File Transfer Protocol) SFTP uses the SSH (Secure SHell) protocol for both command and data connections: The client must support and use RSA keys with a key length of 2048 bits and the AES encryption algorithm with a 256 bit key length in order to use the SFTP protocol. If the client does not support these features and another client cannot be used, you will need to use SSL/FTP to send file to the Division. How SSH works: A key pair is created by the client. The key pair consists of a public key, which you give to FL, and a private key, which you keep secret. The keys are mathematically related so that data encrypted by the public key can be decrypted by the private key and data encrypted by the private key can be decrypted by the public key. At logon, the server sends the client a challenge, a message encrypted by the public key tied to the user s account. The client decrypts the message using its private key then re encrypts the message using the server s public key. If the message matches the server s challenge and the user s FTP password is also correct, the user is authenticated. All subsequent data exchanges (file transfers) will be encrypted using a session key, a one time use password that is securely exchanged using the public/private key pairs. To communicate with FL s FTP server using the SFTP protocol outgoing requests must be permitted on the following port: Port 22 (SSH) port 22 will be used for the entire communication session. Please note: This port only need to be available for outgoing connections (connections originating from inside your organization). If routers/firewalls are configured correctly, this should not create security vulnerabilities or expose your organization to hackers. If you are concerned with your employees being able to connect to other computers on the internet, or believe this activity will create a security risk, you can take the following measures to restrict connections: 1) Only permit outgoing connections on port 22 to FL s FTP server. a. Permit outgoing TCP connections from any internal host to FL s FTP server ( ) when the TCP port = 22 (SSH). 2) Only permit outgoing connections on these port numbers to FL s FTP server from a specific IP address or subnet in your organization.

7 a. Permit outgoing TCP connections from select internal host(s) (single IP or subnet) to FL s FTP server ( ) when the TCP port = 22 (FTP Command). The following is a log of a successful SFTP Session where the following high level events occur: An SFTP connection is established over port 22 A User ID, Password, and RSA Key Pair are authenticated The current directory is changed (CWD) A directory listing is returned A file is transferred The user logs off Log from Successful SFTP Tile Transfer Command issued from command prompt: wsftppro s local:c:\users\humelsinem\desktop\s a P.TXT d SSH:/incoming/S A P.TXT binary Creating SSH Connection on port 22: Finding Host dwcftp.fldfs.com... [ :36:30.687] Connecting to :22 [ :36:30.691] Connected to :22 in seconds, Waiting for Server Response [ :36:30.696] Server Welcome: SSH _sshlib GlobalSCAPE [ :36:30.696] Client Version: SSH 2.0 WS_FTP Server Creates a Challenge: [ :36:30.699] KexInitPacket (Server): no kex guess present [ :36:30.699] KexAlgorithms Challenge Created by Client: [ :36:31.051] KexInitPacket (Client): no kex guess present [ :36:31.051] KexAlgorithms Key Exchange Protocols Supported: [ :36:31.051] diffie hellman group exchange sha1,diffie hellman group1 sha1 [ :36:31.051] 00: diffie hellman group exchange sha1 [ :36:31.051] 01: diffie hellman group1 sha1

8 Key Types Supported: [ :36:31.051] ServerHostKeyAlgorithms [ :36:31.051] ssh dss,ssh rsa [ :36:31.051] 00: ssh dss [ :36:31.051] 01: ssh rsa Encryption Algorithms Supported by Client: (algorithms are numbered in order of preference with the lowest number being the highest priority) [ :36:31.051] CsEncryptionAlgorithms [ :36:31.051] aes256 cbc,3des cbc,aes128 cbc,aes192 cbc,blowfish cbc [ :36:31.051] 00: aes256 cbc [ :36:31.051] 01: 3des cbc [ :36:31.051] 02: aes128 cbc [ :36:31.051] 03: aes192 cbc [ :36:31.051] 04: blowfish cbc Encryption Algorithms Supported by Server: (algorithms are numbered in order of preference with the lowest number being the highest priority) [ :36:31.051] ScEncryptionAlgorithms [ :36:31.051] aes256 cbc,3des cbc,aes128 cbc,aes192 cbc,blowfish cbc [ :36:31.051] 00: aes256 cbc [ :36:31.051] 01: 3des cbc [ :36:31.051] 02: aes128 cbc [ :36:31.051] 03: aes192 cbc [ :36:31.051] 04: blowfish cbc Hashing Algorithms Supported by Client: (algorithms are numbered in order of preference with the lowest number being the highest priority) [ :36:31.051] CsMACAlgorithms [ :36:31.051] hmac md5,hmac sha1,hmac ripemd160 [ :36:31.051] 00: hmac md5 [ :36:31.051] 01: hmac sha1 [ :36:31.051] 02: hmac ripemd160 Hashing Algorithms Supported by Server: (algorithms are numbered in order of preference with the lowest number being the highest priority) [ :36:31.051] ScMACAlgorithms [ :36:31.051] hmac md5,hmac sha1,hmac ripemd160

9 [ :36:31.051] 00: hmac md5 [ :36:31.051] 01: hmac sha1 [ :36:31.051] 02: hmac ripemd160 Compression Algorithms Supported by Client: (algorithms are numbered in order of preference with the lowest number being the highest priority) [ :36:31.051] CsCompressionAlgorithms [ :36:31.051] zlib,none [ :36:31.051] 00: zlib [ :36:31.051] 01: none Compression Algorithms Supported by Server: (algorithms are numbered in order of preference with the lowest number being the highest priority) [ :36:31.051] ScCompressionAlgorithms [ :36:31.051] zlib,none [ :36:31.051] 00: zlib [ :36:31.051] 01: none Initiating Key Exchange: [ :36:31.051] >SSH2_MSG_KEXINIT (330) Stating Agreed Upon Algorithms: [ :36:31.051] SSH Transport agreed algorithms Agreed Algorithm to Exchange (symmetric) Encryption Keys: [ :36:31.051] Purpose: key agreement Algo: diffie hellman group exchange sha1 Agreed Key Type is RSA type: [ :36:31.051] Purpose: server host key Algo: ssh rsa Agreed Encryption Algorithm is AES 256 bit: [ :36:31.051] Purpose: encryption cs Algo: aes256 cbc [ :36:31.051] Purpose: encryption sc Algo: aes256 cbc Agreed Hashing Algorithm is MD5: [ :36:31.051] Purpose: MAC cs Algo: hmac md5 [ :36:31.051] Purpose: MAC sc Algo: hmac md5 Agreed Compression Algorithm is zlib: [ :36:31.051] Purpose: compression cs Algo: zlib

10 [ :36:31.051] Purpose: compression sc Algo: zlib Key Exchange: [ :36:31.080] >SSH2_MSG_KEX_DH_GEX_INIT (261) [ :36:31.120] SSH Server Host Key Size 277 bytes [ :36:31.120] SSH Signature Size 256 bytes [ :36:31.168] RSA Signature Verified [ :36:31.168] Session Keys Created [ :36:31.168] Ciphers Created [ :36:31.168] >SSH2_MSG_NEWKEYS (1) [ :36:31.168] New Client >Server ciphers in place. [ :36:31.168] New Server >Client ciphers in place. [ :36:31.168] Completed SSH Key Exchange. New Keys in place. Requesting the SFTP Service: [ :36:31.168] >SSH2_MSG_SERVICE_REQUEST (17) [ :36:31.172] SSH2_MSG_SERVICE_ACCEPT (48) Trying Password Authentication: [ :36:31.172] Trying authentication method: "password" [ :36:31.172] >SSH2_MSG_USERAUTH_REQUEST (64) [ :36:31.172] SSH2_MSG_USERAUTH_BANNER (80) Authentication Resulted in Partial Success (FL requires two part authentication the password was correct): [ :36:31.175] SSH2_MSG_USERAUTH_FAILURE (32) [ :36:31.175] Authentication Method password(4) resulted in Partial Success Trying Public Key Authentication: [ :36:31.175] Trying authentication method: "publickey" [ :36:32.196] Loaded key Pair " ", types(public,private): "RSA","RSA" [ :36:32.196] Key pair algorithm type: "ssh rsa" [ :36:32.215] >SSH2_MSG_USERAUTH_REQUEST (615) Two Part Authentication Success (public key + password was correct for the username provided): [ :36:32.221] SSH2_MSG_USERAUTH_SUCCESS (16) [ :36:32.221] User Authenticated OK! [ :36:32.221] Completed SSH User Authentication. Opening SFTP Connection: [ :36:32.221] >SSH2_MSG_CHANNEL_OPEN (24) [ :36:32.223] SSH2_MSG_CHANNEL_OPEN_CONFIRMATION (32)

11 [ :36:32.223] SSH Channel confirmed open: LocalID:(0760a2ce) ServerID( ) ServerMaxPacket(35840) ServerWindow( ) [ :36:32.223] >SSH2_MSG_CHANNEL_REQUEST (27) [ :36:32.228] SSH2_MSG_CHANNEL_SUCCESS (32) [ :36:32.228] Started subsystem "sftp" on channel 0760a2ce [ :36:32.228] >SSH2_MSG_DISCONNECT #4 (5) [ :36:32.228] >SSH2_MSG_CHANNEL_DATA (18) [ :36:32.231] SSH2_MSG_CHANNEL_DATA (32) [ :36:32.231] <SSH_FXP_VERSION #3 (5) [ :36:32.231] SFTP Protocol Version 3 OK [ :36:32.231] >SSH_FXP_REALPATH #3294 (10) [ :36:32.231] >SSH2_MSG_CHANNEL_DATA (23) [ :36:32.266] SSH2_MSG_CHANNEL_DATA (48) [ :36:32.266] <SSH_FXP_NAME #3294 (23) [ :36:32.266] sftp protocol initialized Changing Directory to [/incoming]: [ :36:32.267] Changing remote directory to "/incoming" [ :36:32.267] >SSH_FXP_OPENDIR #1110 (18) [ :36:32.267] >SSH2_MSG_CHANNEL_DATA (31) [ :36:32.276] SSH2_MSG_CHANNEL_DATA (32) [ :36:32.276] <SSH_FXP_HANDLE #1110 (10) [ :36:32.276] >SSH_FXP_CLOSE #1929 (10) [ :36:32.276] >SSH2_MSG_CHANNEL_DATA (23) [ :36:32.279] SSH2_MSG_CHANNEL_DATA (48) [ :36:32.279] <SSH_FXP_STATUS #1929 (21) Getting Directory Listing in [/incoming]: [ :36:32.279] Getting Dirlisting [ :36:32.279] >SSH_FXP_OPENDIR #1110 (18) [ :36:32.279] >SSH2_MSG_CHANNEL_DATA (31) [ :36:32.287] SSH2_MSG_CHANNEL_DATA (32) [ :36:32.287] <SSH_FXP_HANDLE #1110 (10) [ :36:32.288] >SSH_FXP_READDIR #3021 (10) [ :36:32.288] >SSH2_MSG_CHANNEL_DATA (23) [ :36:32.293] SSH2_MSG_CHANNEL_DATA (272) [ :36:32.293] <SSH_FXP_NAME #3021 (525) [ :36:32.293] >SSH_FXP_READDIR #3021 (10) [ :36:32.293] >SSH2_MSG_CHANNEL_DATA (23) [ :36:32.295] SSH2_MSG_CHANNEL_DATA (48) [ :36:32.295] <SSH_FXP_STATUS #3021 (22)

12 [ :36:32.295] # transferred 529 bytes in seconds, kbps ( kbps), transfer succeeded. [ :36:32.295] >SSH_FXP_CLOSE #1929 (10) Transferring File from Local User s Desktop to [/incoming]: [ :36:32.295] >SSH2_MSG_CHANNEL_DATA (23) [ :36:32.297] SSH2_MSG_CHANNEL_DATA (32) [ :36:32.297] <SSH_FXP_STATUS #1929 (21) [ :36:32.304] Opening remote file "/incoming/s a P.TXT" for writing [ :36:32.304] >SSH_FXP_OPEN #1383 (61) [ :36:32.304] >SSH2_MSG_CHANNEL_DATA (74) [ :36:32.315] SSH2_MSG_CHANNEL_DATA (32) [ :36:32.315] <SSH_FXP_HANDLE #1383 (10) [ :36:32.315] Uploading local file "c:\users\humelsinem\desktop\s a P.TXT" [ :36:32.315] SFTP Send File, Server window size: , Server packet size: 35800, 10 packets ahead [ :36:32.315] >SSH_FXP_WRITE #1234 (129) [ :36:32.315] >SSH2_MSG_CHANNEL_DATA (142) [ :36:32.320] SSH2_MSG_CHANNEL_DATA (32) [ :36:32.320] <SSH_FXP_STATUS #1234 (21) [ :36:32.320] # transferred 107 bytes in seconds, kbps ( kbps), transfer succeeded. [ :36:32.320] >SSH_FXP_CLOSE #1929 (10) [ :36:32.320] >SSH2_MSG_CHANNEL_DATA (23) [ :36:32.352] SSH2_MSG_CHANNEL_DATA (32) [ :36:32.352] <SSH_FXP_STATUS #1929 (21) Transfer request completed with status: Finished Closing SFTP Connection: [ :36:32.356] Sending channel close message for channel 0760a2ce [ :36:32.356] >SSH2_MSG_CHANNEL_CLOSE (5) [ :36:32.356] SSH Transport closed. [ :36:32.356] Connection closed. Ready for next connection.