MFT supports file transfers via SFTP. Often MFT customers receive a public key from their partners and want to use them to receive files via SFTP. This blog describes the setup required to enable such an MFT flow that would receive files from partners using key-based authentication.
MFT includes an embedded SFTP server. We will configure it with the supplied public key to receive files from remote partners. Upon receipt of a file, a simple MFT transfer will initiate and place the file in a pre-defined directory within the local filesystem.
The overall solution consists of the following steps:
The following sections will walk through the details of individual steps. The environment consists of the following machines:
To generate a private-public key pair, we use the command-line tool ssh-keygen. The tool creates 2 files for private and public key. For our purposes in this exercise, we will only be using the public key by copying it to the MFT machine from here. As a common practice, all the key files are saved in $HOME/.ssh directory. A transcript of a typical session is shown below.
[slahiri@slc08vby .ssh]$ pwd
/home/slahiri/.ssh
[slahiri@slc08vby .ssh]$ ssh-keygen \-t rsa \-b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/slahiri/.ssh/id_rsa): sftpslc
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in sftpslc.
Your public key has been saved in sftpslc.pub.
The key fingerprint is:
56:db:55:48:4c:db:c4:e1:8b:70:40:a8:bf:12:07:94 slahiri@slc08vby
The key's randomart image is:
+--[ RSA 2048]----+
| . oo +o++|
| E . . +=.|
| . . .. .o..|
| o . oo.. .|
| S . .. . |
| o o |
| o . |
| . . |
| . |
+-----------------+
[slahiri@slc08vby .ssh] ls
sftpslc sftpslc.pub
[slahiri@slc08vby .ssh] cat ~/.ssh/sftpslc.pub | ssh oracle@oel6vb "cat >> ~/.ssh/authorized_keys"
oracle@oel6vb's password:
[slahiri@slc08vby .ssh]
As shown in the previous step, ssh-keygen is used on the MFT machine to generate a key pair. From the pair generated here, we will only be using the private key for our exercise. The session transcript is shown below.
[oracle@oel6vb .ssh]$ pwd
/home/oracle/.ssh
[oracle@oel6vb .ssh]$ ssh-keygen \-t rsa \-b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_rsa): sftpmft
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in sftpmft.
Your public key has been saved in sftpmft.pub.
The key fingerprint is:
36:a8:ac:a7:0c:bd:34:c9:bd:cd:1b:fe:05:a8:1d:47 oracle@oel6vb
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| E |
| + |
| + S |
| o + + + o |
|. * = o . |
| + +.= . . |
| =o. =o. |
+-----------------+
[oracle@oel6vb .ssh]$ ls
sftpmft sftpmft.pub
[oracle@oel6vb .ssh]$
The private key from Step II is imported into MFT keystore using WLST utility. It must be noted that for MFT, a different version of WLST is shipped and installed with the product. It is found in /mft/common/bin directory. The version of WLST in this directory must be used. The WLST session should be connected to the MFT Server port using an Administrative credential. A typical session transcript is shown below.
[oracle@oel6vb .ssh]$ cd /u01/oracle/SOAInstall/mft/common/bin
[oracle@oel6vb bin]$ ./wlst.sh
CLASSPATH=:/u01/oracle/SOAInstall/mft/modules/oracle.mft_12.1.3.0/core-12.1.1.0.jar
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
wls:/offline> connect("weblogic","welcome1","t3://localhost:7003")
Connecting to t3://localhost:7003 with userid weblogic ...
Successfully connected to managed Server "mft_server1" that belongs to domain "base_domain".
Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead.
wls:/base_domain/serverConfig> importCSFKey('SSH', 'PRIVATE', 'MFTAlias', '/home/oracle/.ssh/sftpmft')
CSF key imported successfully.
wls:/base_domain/serverConfig> listCSFKeyAliases('SSH', 'PRIVATE')
Key Details
--------------------------------------------------------------------------
'MFTAlias', Format PKCS#8, RSA
The same WLST session can be used to import the public key copied over from the remote machine in Step I. It must be noted that the public key alias used here should be the same as the userID that is to be used by the remote SFTP client to connect to the embedded SFTP server. Transcript of a sample session is shown below.
wls:/base_domain/serverConfig> importCSFKey('SSH', 'PUBLIC', 'MFT_AD', '/home/oracle/.ssh/authorized_keys')
CSF key imported successfully.
wls:/base_domain/serverConfig> listCSFKeyAliases('SSH', 'PUBLIC')
Key Details
--------------------------------------------------------------------------
'MFT_AD', Format X.509, RSA
wls:/base_domain/serverConfig> exit()
Exiting WebLogic Scripting Tool.
[oracle@oel6vb bin]$
After logging in to MFT UI, go to Administration Tab. Under Embedded Servers, go to sFTP tab and complete the following:
Example screenshot is shown below.
From MFT UI, under Administration Tab, configure the user and the SFTP root directory, that will be used by in remote SFTP client session. Note that the userID will be the same as the Public Key Alias, used while importing the public key in Step IV.
Sample screenshots for user and directory are shown below.
From the MFT UI, go to Administration tab and select KeyStore node in the left navigator tree.
Enter the password for SSH-Keystore as the same passphrase used during key pair generation on local machine in Step II.
Example screenshot is given below.
The embedded SFTP Server should be restarted for any embedded server related configuration changes to take effect. In case the SFTP server is not running, it can be started now.
This wraps up the administrative setup necessary for the exercise. The following sections are part of a simple MFT design process to create a source, target and transfer.
From MFT UI, go to the Designer tab. Create a SFTP Source pointing to the directory created in Step VI. Sample screenshot is shown below.
For the sake of simplicity, a local file directory is chosen as the directory. From the MFT UI, navigate to the Designer tab and create a target as shown below.
From the Designer tab within MFT UI, create a transfer using the source and target created in Steps IX and X. Sample screenshot is shown below.
After deploying the transfer, we are ready to test the entire flow.
We initiate the test by starting a simple, command-line SFTP client in the remote machine (slc08vby) and connecting to the embedded SFTP server running within MFT. The userID is the one specified in Step IV and VI (MFT_AD). The passphrase is the same as that used in generating the key pair in the remote machine during Step I.
After the sftp session is established, we put a file into the SFTP root directory of the user on MFT server machine, as specified in Step VI. The transcript from a sample SFTP client session is shown below.
[slahiri@slc08vby ~]$ cat ~/.ssh/config.sftp
Host 10.159.179.84
Port 7522
PasswordAuthentication no
User MFT_AD
IdentityFile /home/slahiri/sftpslc
[slahiri@slc08vby ~]$
[slahiri@slc08vby ~]$ sftp -F ~/.ssh/config.sftp oel6vb
Connecting to oel6vb...
Enter passphrase for key '/home/slahiri/sftpslc':
sftp> pwd
Remote working directory: /MFT_AD
sftp> put sftptest.txt
Uploading sftptest.txt to /MFT_AD/sftptest.txt
sftptest.txt 100% 24 0.0KB/s 00:00
sftp> quit
[slahiri@slc08vby ~]$
After the SFTP operation is completed, the MFT transfer takes over. MFT picks up the file from the embedded SFTP source and places it in the directory within the local file system, defined as target. Example screenshot from Monitoring Tab of MFT UI is shown below.
Finally, we verify that our test file is saved in the local directory specified as the target in Step X.
[oracle@oel6vb in]$ pwd
/home/oracle/in
[oracle@oel6vb in]$ ls
sftptest.txt
[oracle@oel6vb in]$
The test case described here is one way to establish secure transfers with MFT. There are other use cases as well and will be discussed in other articles of this blog series on MFT. For further details, please contact the MFT Product Management team or SOA/MFT group within A-Team.
MFT Product Management and Engineering teams have been actively involved in the development of this solution for many months. It would not have been possible to deliver such a solution to the customers without their valuable contribution.