In this tutorial, you will:


Note

Due to the nature of the UDMG as an MFT solution, the handling of host-based authentication for SFTP is limited to having the same account name on the server side (local account) and on the client side (remote user). It is assumed that an SFTP client acting as User1 on the client node will attempt to log in to the same User1 account on the SFTP server.

To configure host-based authentication for an SFTP partner, the following steps should be followed:

  1. Add the SSH public host key of the partner to the certificate list, as for any other SFTP partner configuration.

  2. Add a private key for the UDMG SFTP client as a separate certificate record. It can then be selected to be used for host-based authentication configuration.

  3. Set up the protocol configuration parameters with:

    • the name of the certificate record from the previous step, used as the client's private key;
    • the list of remote accounts for which host-based authentication is enabled.

Because the partner will have multiple certificates of different types (public/private) configured, note that the public keys can only be used to validate the remote server's identity, and the private keys can only be used to perform host-based authentication.

Step 1

From the UDMG Admin UI navigation pane, select Remote Partners. The Remote Partner list displays.

Step 2

Click the Add icon. The Remote Partner Details panel displays.

Fill in the details for the sample server from Tutorial - Creating and Manually Starting an SFTP Server:

  • In the Partner Name field, enter stonebranch-sftp-01-client.

  • In the Protocol field, select SFTP.

  • In the IP Address field, enter 0.0.0.0.

  • In the Port field, enter 4100.

  • In the Member of Business Service field, select one of the available Business Services. More Business Services can be added after the rule is created.


Step 3

Click the Accounts tab on the Remote Partner detail panel. Add a new account.

  • In the Name field, enter stonebranch-01-client-user.

  • Leave the Password field empty.

  • Click the Submit button.

Step 4

Click the Certificates/Keys tab on the Remote Partner detail panel.

The server public key can be retrieved with the ssh-keyscan tool:

$ ssh-keyscan -t rsa -p 4100 0.0.0.0
# 0.0.0.0:4100 SSH-2.0-Go
[0.0.0.0]:4100 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCnH0...

Click the Add icon.

  • In the Name field, enter ssh-rsa.

  • In the Public key field, paste the value of the server public key.

  • Click the Submit button.

The public key can also be fetched and stored automatically with the Fetch host key button.
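Before pasting a scanned host key into the Certificates/Keys tab, it is worth confirming that it is the key the server owner expects. The following added example (not part of the original tutorial or of UDMG) parses the ssh-keyscan host line shown above, checks that the declared key type matches the algorithm encoded in the key blob, and computes the same SHA256 fingerprint that ssh-keygen -lf prints, so it can be compared with a fingerprint obtained out of band. The key blob is a constructed toy-size ssh-rsa key, not a real server key.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def build_rsa_blob(e: int, n: int) -> str:
    """Base64 ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n (RFC 4253)."""
    def mpint(x: int) -> bytes:
        # An extra leading zero byte keeps the value positive when the top bit is set.
        return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))
    return base64.b64encode(_ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)).decode()


# Constructed sample (toy-size modulus, not a real server key); the host line
# has the same shape as the ssh-keyscan output shown in Step 4.
SAMPLE_MODULUS = int("C0FFEE" * 8, 16)
SAMPLE_KEYSCAN_OUTPUT = (
    "# 0.0.0.0:4100 SSH-2.0-Go\n"
    f"[0.0.0.0]:4100 ssh-rsa {build_rsa_blob(65537, SAMPLE_MODULUS)}\n"
)


def parse_keyscan_line(line: str) -> dict:
    """Parse one ssh-keyscan host line into host, port, key type and fingerprint."""
    hostport, keytype, b64 = line.split()[:3]
    host, _, port = hostport.rpartition(":")
    raw = base64.b64decode(b64)
    # The blob's first SSH string names the algorithm; it must agree with the
    # declared type, otherwise the line was mis-pasted or tampered with.
    (length,) = struct.unpack(">I", raw[:4])
    blob_type = raw[4:4 + length].decode()
    if blob_type != keytype:
        raise ValueError(f"declared {keytype} but blob encodes {blob_type}")
    # Same SHA256 fingerprint format that `ssh-keygen -lf` prints.
    fingerprint = "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    return {"host": host.strip("[]"), "port": int(port), "type": keytype,
            "key": b64, "fingerprint": fingerprint}


def host_keys_from_keyscan(output: str) -> list:
    """Parse every host line of ssh-keyscan output, skipping '#' comment lines."""
    return [parse_keyscan_line(ln) for ln in output.splitlines() if ln and not ln.startswith("#")]


def verify_host_key(output: str, expected_fingerprint: str) -> bool:
    """True if a scanned key matches the fingerprint obtained out of band from the
    server owner; only then should the key be pasted into Certificates/Keys."""
    return any(k["fingerprint"] == expected_fingerprint for k in host_keys_from_keyscan(output))
```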

Step 5

Add a new certificate record for the client host key; this is needed for host-based authentication.

Generate a private SSH key, for example:

$ ssh-keygen -t rsa -b 4096 -C "stonebranch-cert-client-01" -m PEM -f "stonebranch-client-01.crt" -N ""

Note that the generated public key (stonebranch-client-01.crt.pub) is needed for the setup on the server side.


Click the Add icon.

  • In the Name field, enter ssh-rsa-hostbased-private.

  • In the Private key field, paste the value of the private key from stonebranch-client-01.crt.

  • Click the Submit button.


Click the Save icon.

  • The list shows both the public host key (with the globe icon) and the private key (with the key icon).

Step 6

In the Configuration tab of the Remote Partner Details, switch on the Host-based authentication toggle.

The Private Key Certificate field and Authorized Accounts button appear.

Step 7

  • In the Private Key Certificate field, input the name of the certificate record with the client private key: ssh-rsa-hostbased-private.

  • In the Authorized Accounts field, choose the remote account from the list: stonebranch-01-client-user.

For the selected account(s), the connection will be attempted with the host-based authentication method.

Step 8

Click the Save icon.

Step 9

Be sure to have completed the local SFTP server configuration with the public key that was generated above. See Tutorial - Using Host-Based Authentication for an SFTP Server.

Step 10

Configure the rules at partner and/or account level.

For example, a sending rule named stonebranch-sftp-01_partner_send.

Go to the Rules Service via the UDMG Admin UI navigation pane.

Create the rule:

Please note that because the remote partner is set in this tutorial to be a local UDMG SFTP server, the Remote Directory is set to the virtual path (sft-01-in) of a receiving rule for the local server:

Authorize the sending rule in the Rules tab of the Remote Partner Details.

Step 11

Initiate a file transfer to upload a file.

Use the Command Line Interface to register the transfer:

$ udmg-client transfer add -p stonebranch-sftp-01-client -l stonebranch-01-client-user -w send -r stonebranch-sftp-01_partner_send -f test-hb.txt

Step 12

Follow the transfer request from the Activity Transfer and History dashboards.

There are two records in this case, because UDMG is used both as the client and as the server in the transaction:

  • Sending the file to the Partner, identified by the rule stonebranch-sftp-01_partner_send and the flag isSend.

  • Receiving the file on the Server, identified by the rule stonebranch-sftp-01_receive and the flag isServer.
