Tutorial - Creating an SFTP Partner
In this tutorial, you will:
- Create a remote partner for SFTP.
- Configure the partner host key.
- View partner detail.
- Specify account and rule for downloading files.
For this tutorial, the remote server is a public read-only SFTP server that is provided for general testing.
See the details here: https://test.rebex.net
By default, the following algorithms are enabled.
Category | Algorithms by order of preference, most preferred at the top
---|---
Key Exchange (KEX) |
Encryption (cipher) | The following ones can be enabled globally with the configuration parameter 'AllowLegacyCiphers', but still need to be enabled explicitly per server; see Tutorial - Use a Legacy Encryption Algorithm for an SFTP Partner.
MAC |
Host key |
Step 1: From the UDMG Admin UI navigation pane, select Remote Partners. The Partners list displays.

Step 2: Click New. The Server Details form displays.

Step 3: Click Save and Confirm.

Step 4: Additional details can be attached to the partner. Go to the Details tab on the local server pane and fill in the needed details. New fields can be added with the 'plus' button at the bottom of the form; a custom field consists of a key and a value. Press the Save button inside the tab to store the details.

Step 5: Click the Accounts tab on the Partner detail panel. The list of account records displays and is empty.

Step 6: Click the Add Account button. The Account Details form displays.

Step 7: Click the Save button. The account is created and shows in the account list.

Step 8: To verify that the targeted host is the correct one, the SFTP protocol uses the server host key(s). To continue with the partner configuration, at least one of the public SSH keys of the remote server must be stored. The public keys

For example, here is how to get the RSA key with ssh-keyscan (the line starting with '#' is printed on stderr, so only the key line lands in the file):

```
$ ssh-keyscan -t rsa test.rebex.net > rebex.ssh-rsa
# test.rebex.net:22 SSH-2.0-RebexSSH_5.0.8062.0
$ cat rebex.ssh-rsa
test.rebex.net ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAkRM6RxDdi3uAGogR3nsQMpmt43X4WnwgMzs8VkwUCqikewxqk4U7EyUSOUeT3CoUNOtywrkNbH83e6/yQgzc3M8i/eDzYtXaNGcKyLfy3Ci6XOwiLLOx1z2AGvvTXln1RXtve+Tn1RTr1BhXVh2cUYbiuVtTWqbEgErT20n4GWD4wv7FhkDbLXNi8DX07F9v7+jH67i0kyGm+E3rE+SaCMRo3zXE6VO+ijcm9HdVxfltQwOYLfuPXM2t5aUSfa96KJcA0I4RCMzA/8Dl9hXGfbWdbD2hK1ZQ1pLvvpNPPyKKjPZcMpOznprbg+jIlsZMWIHt7mq2OJXSdruhRrGzZw==
```

Step 9: Click the Certificates / Keys tab on the Partner detail panel. The list of certificate records displays and is empty.

Step 10: To manually add a key that was given by the partner or retrieved with a tool, click the Add Certificate button. The Certificate Details form displays.

Step 11: Click Save.

Step 12: The certificate record appears in the list.

Step 13: UDMG also provides the ability to fetch and store the remote server host keys during the partner configuration. Click the Show Host Keys button. The Host Keys window displays with the list of SSH public keys that were scanned from the remote server.

Step 14: Each key can be copied for manual insertion. Click the Close button to dismiss the window.

Step 15: To automatically store all the retrieved host keys, click the Fetch Host Keys button. The confirmation window displays. Click Confirm to save the keys.

Step 16: The records are stored with unique names as "date_partner_type", where

For example: 20230516113741_test.rebex.net_ecdsa-sha2-nistp256
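Before a scanned key is stored (Step 8) it is worth checking that the base64 blob really is an SSH public key of the declared type and comparing its fingerprint with the one the partner published out of band; the stored record then gets the "date_partner_type" name described in Step 16. The following Python is an added example written for this tutorial, not code from UDMG or from the tutorial itself. The `SAMPLE_LINE` key is copied from the ssh-keyscan output above; the fingerprint format (OpenSSH style, `SHA256:` plus unpadded base64, `MD5:` plus hex pairs) and the record-name layout are assumptions based on the text.

```python
"""Check an ssh-keyscan line before storing it as a partner host key.

Added example for Steps 8 and 16; it is not part of the UDMG product or the
tutorial. It validates that the base64 blob is an SSH wire-format public key
(RFC 4253 section 6.6) of the declared type, derives OpenSSH-style fingerprints
so the key can be compared with what the partner published out of band, and
builds a record name in the "date_partner_type" form shown in Step 16.
"""
import base64
import hashlib
import hmac
import struct
from datetime import datetime

# Copied from the tutorial's ssh-keyscan output for test.rebex.net.
SAMPLE_LINE = (
    "test.rebex.net ssh-rsa "
    "AAAAB3NzaC1yc2EAAAABJQAAAQEAkRM6RxDdi3uAGogR3nsQMpmt43X4WnwgMzs8VkwUCqikewxqk4U7EyUSOUeT3CoUNOtywrkNbH83e6/yQgzc3M8i/eDzYtXaNGcKyLfy3Ci6XOwiLLOx1z2AGvvTXln1RXtve+Tn1RTr1BhXVh2cUYbiuVtTWqbEgErT20n4GWD4wv7FhkDbLXNi8DX07F9v7+jH67i0kyGm+E3rE+SaCMRo3zXE6VO+ijcm9HdVxfltQwOYLfuPXM2t5aUSfa96KJcA0I4RCMzA/8Dl9hXGfbWdbD2hK1ZQ1pLvvpNPPyKKjPZcMpOznprbg+jIlsZMWIHt7mq2OJXSdruhRrGzZw=="
)
# Timestamp taken from the record name example in Step 16.
EXAMPLE_TIMESTAMP = datetime(2023, 5, 16, 11, 37, 41)


def _take_string(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read one SSH 'string' (uint32 big-endian length + bytes) at pos."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    end = pos + 4 + length
    if end > len(buf):
        raise ValueError("string runs past end of key blob")
    return buf[pos + 4:end], end


def parse_wire_blob(blob: bytes) -> list[bytes]:
    """Split a public-key blob into its strings; the first one is the key type."""
    fields, pos = [], 0
    while pos < len(blob):
        field, pos = _take_string(blob, pos)
        fields.append(field)
    if not fields:
        raise ValueError("empty key blob")
    return fields


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH default fingerprint: SHA256 digest, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy MD5 fingerprint, colon-separated hex (some partners still publish this)."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def parse_keyscan_line(line: str) -> dict:
    """Validate 'host keytype base64' and return host, type, fields, fingerprints."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected 'host keytype base64'")
    host, keytype, b64 = parts[0], parts[1], parts[2]
    try:
        blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError(f"key data is not valid base64: {exc}") from exc
    fields = parse_wire_blob(blob)
    declared = fields[0].decode("ascii", errors="replace")
    if declared != keytype:
        raise ValueError(f"line says {keytype!r} but blob encodes {declared!r}")
    return {"host": host, "keytype": keytype, "fields": fields,
            "sha256": sha256_fingerprint(blob), "md5": md5_fingerprint(blob)}


def rsa_modulus_bits(fields: list[bytes]) -> int:
    """Key size of an ssh-rsa blob (fields: type, e, n)."""
    if fields[0] != b"ssh-rsa" or len(fields) != 3:
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[2], "big").bit_length()


def matches_published(line: str, published_sha256: str) -> bool:
    """Compare the scanned key with the fingerprint the partner published."""
    return hmac.compare_digest(parse_keyscan_line(line)["sha256"], published_sha256)


def record_name(host: str, keytype: str, when: datetime) -> str:
    """Record name in the 'date_partner_type' form of Step 16 (assumed layout)."""
    return f"{when:%Y%m%d%H%M%S}_{host}_{keytype}"


def rejects(line: str) -> bool:
    """True when the line fails validation; shows that tampering is caught."""
    try:
        parse_keyscan_line(line)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    info = parse_keyscan_line(SAMPLE_LINE)
    print(info["host"], info["keytype"], rsa_modulus_bits(info["fields"]), "bits")
    print(info["sha256"])
    print(info["md5"])
    print(record_name(info["host"], info["keytype"], EXAMPLE_TIMESTAMP))
```

Run the script and compare the printed `SHA256:` value with the fingerprint on the partner's own page before clicking Save in Step 11 or Confirm in Step 15; a mismatch means the key that was scanned is not the one the partner controls, whatever the scan tool reported.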
Step 17: To disable a key without deleting it, click the Revoke button (the stop icon). Here, the sha2-nistp keys are disabled. A revoked key can be enabled again with the Authorize button.

Step 18: To see more details about a specific host key, click the View button (the eye icon). The Certificate Details form displays, showing the following:

Step 19: The Rules tab lets you configure the transfer rules that define the local and remote paths. To download from the "pub/example" directory, a Receive rule is needed to specify the remote directory. From the UDMG navigation pane, select Management > Rules. The Rules list displays.

Step 20: Click New. The Rule Details form displays.

Step 21: Click the Save button.

Step 22: The rule is created and appears on the Rules list.

Step 23: From the UDMG navigation pane, select Management > Partners. The Partner list displays. Select the rebex partner and click on the Rules tab. The green dot on the tab shows that a rule is now assigned to this server. By default, a rule is implicitly assigned to all partners unless there is an explicit whitelist assignment. This is shown by the globe icon and means the same rule is also assigned to any other partner, for example to 'wftpserver' here.

Step 24: To restrict the use of this rule and this virtual path to only the rebex partner, you have to assign the rule to that partner. Select the rebex partner and click on the Rules tab.

Step 25: To assign a Rule to a Remote Partner, move the Rule from the Rules window to the Authorized Rules window. To unassign the Rule from a Remote Partner, move the Rule from the Authorized Rules window back to the Rules window.

Step 26: The rule is now whitelisted for this server and no longer appears for the other servers.
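The visibility behaviour of Steps 23 to 26 (a rule with no whitelist entry is usable by every partner; assigning it to one partner removes it from all the others) is easy to get wrong when many rules exist, so the following Python models it. This is an added example, not UDMG code; the `Rule` structure, the function names and the way the whitelist is stored are assumptions, only the rule and partner names come from the tutorial.

```python
"""Model of rule visibility for remote partners, as described in Steps 23 to 26.

Added example; not UDMG code. The data model is an assumption:
a rule whose whitelist is empty is implicitly available to every partner
(the globe icon), and a rule with at least one whitelist entry is visible
only to the partners listed.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    direction: str            # "send" or "receive"
    remote_path: str
    whitelist: set[str] = field(default_factory=set)   # partner names; empty = all partners


def authorized_rules(rules: list[Rule], partner: str) -> list[str]:
    """Rules the given partner can use, as the Rules tab would list them."""
    return sorted(r.name for r in rules if not r.whitelist or partner in r.whitelist)


def assign(rule: Rule, partner: str) -> None:
    """Move the rule to the partner's Authorized Rules window (Step 25)."""
    rule.whitelist.add(partner)


def unassign(rule: Rule, partner: str) -> None:
    """Move the rule back to the Rules window; with no entries left it is implicit again."""
    rule.whitelist.discard(partner)


def implicit_rules(rules: list[Rule]) -> list[str]:
    """Audit helper: rules that every current and future partner can use."""
    return sorted(r.name for r in rules if not r.whitelist)


def demo() -> tuple[dict, dict, dict]:
    """Replays Steps 23 to 26 for the rebex and wftpserver partners."""
    rules = [Rule("rebex_receive_example", "receive", "pub/example")]
    partners = ("rebex", "wftpserver")
    before = {p: authorized_rules(rules, p) for p in partners}     # globe icon: both see it
    assign(rules[0], "rebex")
    after = {p: authorized_rules(rules, p) for p in partners}      # whitelisted: rebex only
    unassign(rules[0], "rebex")
    reverted = {p: authorized_rules(rules, p) for p in partners}   # implicit for all again
    return before, after, reverted


if __name__ == "__main__":
    for label, state in zip(("before", "after", "reverted"), demo()):
        print(label, state)
```

The `reverted` state is the caveat worth remembering: unassigning the only partner on a whitelist does not leave the rule unused, it makes the rule available to every partner again, so `implicit_rules()` is the list to review whenever a rule points at a path that should stay partner-specific.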
Step 27: Initiate a file transfer to download the file pocketftp.png. Use the Command Line Interface to register the transfer:

```
$ udmg-client transfer add -p rebex -l demo -w receive -r rebex_receive_example -f pocketftp.png
The transfer of file pocketftp.png was successfully added.
```

Step 28: From the UDMG navigation pane, select Activity > History. The Transfer History list displays. The download completes successfully and the file is received in the default input directory 'in' under the MFT server home directory, configured here as '/atest/work'.