
In this tutorial, you will:


Note

Because UDMG is an MFT solution, host-based authentication for SFTP is limited to cases where the account name is the same on the server side (local account) and the client side (remote user). It is assumed that an SFTP client acting as User1 on the client node will attempt to log in to the same User1 account on the SFTP server.

To configure host-based authentication for an SFTP partner, follow these steps:

  1. Add the SSH public host key of the partner in the certificate list, as for any other SFTP partner configuration.

  2. Add a private key for the UDMG SFTP client as a separate certificate record. It can then be selected to be used for host-based authentication configuration.

  3. Set up the protocol configuration parameters with:

    • the name of the certificate record from the previous step that will be used as the client's private key.
    • the list of remote accounts for which host-based authentication will be enabled.

The partner will therefore have multiple certificates of different types (public and private) configured. The public keys can only be used to validate the remote server's identity, and the private keys can only be used to perform host-based authentication.

Step 1

From the UDMG navigation pane, select Management > Partners. The Partner list displays.

Step 2

Click New. The Partner Details displays.

Fill in the details for the sample server from Tutorial - Creating and Manually Starting an SFTP Server.

  • In the Partner Name field, enter stonebranch-sftp-01-client

  • In the Protocol field, select SFTP

  • In the IP Address field, enter 0.0.0.0

  • In the Port field, enter 4000

  • In the Member of Business Service, select one of the available Business Services. More Business Services can be added after the rule is created.


Step 3

Click the Accounts tab on the Partner detail panel. Add a new account.

  • In the Name field, enter stonebranch-01-client-user.

  • Leave the Password field empty.

Step 4

Click the Certificate tab on the Partner detail panel and add the public host key of the server.

The server public key can be retrieved with the ssh-keyscan tool:

$ ssh-keyscan -t rsa -p 4000 0.0.0.0
# 0.0.0.0:4010 SSH-2.0-Go
[0.0.0.0]:4010 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCnH0...

Click the Add Certificate button.

  • In the Name field, enter ssh-rsa

  • In the Public key field, paste the value of the server public key

The public key can also be fetched and stored automatically with the Fetch host key button.
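
ssh-keyscan returns whatever key the network endpoint presents, so the key should be compared with a fingerprint obtained from the server administrator through another channel before it is stored. The following is an added example, not part of the original tutorial or of UDMG: it parses ssh-keyscan output and checks the OpenSSH-style SHA256 fingerprint against a pinned value. The key blob, scan output and pinned fingerprint are constructed sample values.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def parse_keyscan(output: str):
    """Yield (host, key_type, blob) from ssh-keyscan output, skipping '#' banner lines."""
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, key_type, b64 = line.split()[:3]
        blob = base64.b64decode(b64, validate=True)
        # The blob starts with its own algorithm name; it must match the declared type.
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n].decode("ascii") != key_type:
            raise ValueError(f"{host}: blob algorithm does not match {key_type}")
        yield host, key_type, blob


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_pin(output: str, pinned: str) -> bool:
    """True only if at least one key was scanned and every key matches the pinned value."""
    keys = list(parse_keyscan(output))
    return bool(keys) and all(fingerprint(blob) == pinned for _, _, blob in keys)


# Constructed sample: a toy ssh-rsa blob (e=65537, tiny modulus), NOT a real host key.
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
               + ssh_string(b"\x00\xc7\x1f\x4a\x9b"))
SAMPLE_SCAN = (
    "# 0.0.0.0:4000 SSH-2.0-Go\n"
    "[0.0.0.0]:4000 ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + "\n"
)
# Stands in for the fingerprint received out of band from the server administrator.
PINNED = fingerprint(SAMPLE_BLOB)

if __name__ == "__main__":
    print(PINNED, matches_pin(SAMPLE_SCAN, PINNED))
```

Only paste the key into the Public key field when the check succeeds; a mismatch means the scanned key is not the one the administrator published.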

Step 5

Add a new certificate record for the client host key; this is needed for host-based authentication.

Generate a private SSH key, for example:

$ ssh-keygen -t rsa -b 4096 -C "stonebranch-cert-client-01" -m PEM -f "stonebranch-client-01.crt" -N ""

Note that the generated public key (stonebranch-client-01.crt.pub) is needed for the setup on the server side.


Click the Add Certificate button.

  • In the Name field, enter ssh-rsa-hostbased-private

  • In the Private key field, paste the value of the private key from stonebranch-client-01.crt

  • Click Save
  • The list shows both the public host key (with the globe icon) and the private key (with the key icon).

Step 6

Click the Configuration tab on the Partner detail panel and switch on the Host-based authentication toggle.

The Private Key Certificate and Authorized Accounts fields appear.

Step 7

  • In the Private Key Certificate field, input the name of the certificate record with the client private key: ssh-rsa-hostbased-private

  • In the Authorized Accounts field, choose the remote account from the list: stonebranch-01-client-user

For selected account(s), the connection will be attempted with the host-based authentication method.

Step 8

Click Save and Confirm.

Step 9

Be sure to have completed the local SFTP server configuration with the public key that was generated above. See Tutorial - Using Host-Based Authentication for an SFTP Server.

Step 10

Configure the rules at partner and/or account level.

For example, stonebranch-sftp-01_partner_send

Create the rule:

Please note that because the remote partner is set in this tutorial to be a local UDMG SFTP server, the Remote Directory is set to the virtual path (sft-01-in) of a receiving rule for the local server:

Authorize the sending rule for the partner:


Step 11

Initiate a file transfer to upload a file.

Use the Command Line Interface to register the transfer:

$ udmg-client transfer add -p stonebranch-sftp-01-client -l stonebranch-01-client-user -w send -r stonebranch-sftp-01_partner_send -f test-hb.txt

Step 12

Follow the transfer request from the Activity Transfer and History dashboards.

There are 2 records in this case, because UDMG is used both as the client and the server in the transaction:

  • Sending the file to the Partner, identified by the rule stonebranch-sftp-01_partner_send and the flag isSend

  • Receiving the file on the Server, identified by the rule stonebranch-sftp-01_receive and the flag isServer


