Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Oracle Managed Files Transfer- Key based authentication

355 views

Published on

Oracle Managed Files Transfer- Key based authentication

Published in: Engineering
  • Be the first to comment

  • Be the first to like this

Oracle Managed Files Transfer- Key based authentication

  1. 1. ORACLE-MFT Setting up SFTP Transfers using Key-based Authentication Kumar Gaurav k10gaurav@gmail.com
  2. 2. Agenda  Executive Overview  Solution Approach  Overview  Task and Activity Details  References
  3. 3. Executive Overview  MFT supports file transfers via SFTP. Often MFT customers receive a public key from their partners and want to use them to receive files via SFTP.  MFT includes an embedded SFTP server. We will configure it with the supplied public key to receive files from remote partners. Upon receipt of a file, a simple MFT transfer will initiate and place the file in a pre-defined directory within the local filesystem.
  4. 4. Solution Approach  Overview  Task and Activity Details 1. Generate public-private key pair on the remote machine and copy the public key to MFT server 2. Generate public-private key pair on the machine running MFT server 3. Import the private key from MFT machine in MFT keystore 4. Import the public key from partner machine in MFT keystore 5. Configure SFTP server with private key alias 6. Configure MFT users and corresponding SFTP directories to be used by remote partners
  5. 5. Continue… 7. Enter SSH-Keystore Password 8. Restart embedded SFTP Server 9. Create Embedded SFTP Source 10. Create File Target 11. Create a transfer using the above source and target 12. Deploy and Test
  6. 6. Continue…
  7. 7. 1. Generate public-private key pair- Remote Machine Generate public-private key pair on the remote machine and copy the public key to MFT server To generate a private-public key pair, we use the command-line tool ssh-keygen. The tool creates 2 files for private and public key. For our purposes in this exercise, we will only be using the public key by copying it to the MFT machine from here. As a common practice, all the key files are saved in $HOME/.ssh directory. [slahiri@slc08vby .ssh]$ pwd /home/slahiri/.ssh [slahiri@slc08vby .ssh]$ ssh-keygen -t rsa -b 2048 Generating public/private rsa key pair. Enter file in which to save the key (/home/slahiri/.ssh/id_rsa): sftpslc Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in sftpslc. Your public key has been saved in sftpslc.pub. The key fingerprint is: 56:db:55:48:4c:db:c4:e1:8b:70:40:a8:bf:12:07:94 slahiri@slc08vby The key’s randomart image is: +–[ RSA 2048]—-+ | . oo +o++| | E . . +=.| | . . .. .o..| | o . oo.. .| | S . .. . | | o o | | o . | | . . | | . | +—————–+ [slahiri@slc08vby .ssh] ls sftpslc sftpslc.pub [slahiri@slc08vby .ssh] cat ~/.ssh/sftpslc.pub | ssh oracle@oel6vb “cat >> ~/.ssh/authorized_keys” oracle@oel6vb’s password: [slahiri@slc08vby .ssh]
  8. 8. 2. Generate public-private key pair- machine running MFT server Generate public-private key pair on the machine running MFT server As shown in the previous step, ssh-keygen is used on the MFT machine to generate a key pair. From the pair generated here, we will only be using the private key for our exercise. The session transcript is shown below. [oracle@oel6vb .ssh]$ pwd /home/oracle/.ssh [oracle@oel6vb .ssh]$ ssh-keygen -t rsa -b 2048 Generating public/private rsa key pair. Enter file in which to save the key (/home/oracle/.ssh/id_rsa): sftpmft Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in sftpmft. Your public key has been saved in sftpmft.pub. The key fingerprint is: 36:a8:ac:a7:0c:bd:34:c9:bd:cd:1b:fe:05:a8:1d:47 oracle@oel6vb The key’s randomart image is: +–[ RSA 2048]—-+ | | | | | E | | + | | + S | | o + + + o | |. * = o . | | + +.= . . | | =o. =o. | +—————–+ [oracle@oel6vb .ssh]$ ls sftpmft sftpmft.pub [oracle@oel6vb .ssh]$
  9. 9. 3. Import the private key from MFT machine in MFT keystore The private key from Step II is imported into MFT keystore using WLST utility. It must be noted that for MFT, a different version of WLST is shipped and installed with the product. It is found in /mft/common/bin directory. The version of WLST in this directory must be used. The WLST session should be connected to the MFT Server port using an Administrative credential. A typical session transcript is shown below. [oracle@oel6vb .ssh]$ cd /u01/oracle/SOAInstall/mft/common/bin [oracle@oel6vb bin]$ ./wlst.sh CLASSPATH=:/u01/oracle/SOAInstall/mft/modules/oracle.mft_12.1.3.0/core- 12.1.1.0.jar Initializing WebLogic Scripting Tool (WLST) … Welcome to WebLogic Server Administration Scripting Shell Type help() for help on available commands wls:/offline> connect(“weblogic”,”welcome1″,”t3://localhost:7003″) Connecting to t3://localhost:7003 with userid weblogic … Successfully connected to managed Server “mft_server1” that belongs to domain “base_domain”. Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead. wls:/base_domain/serverConfig> importCSFKey(‘SSH’, ‘PRIVATE’, ‘MFTAlias’, ‘/home/oracle/.ssh/sftpmft’) CSF key imported successfully. wls:/base_domain/serverConfig> listCSFKeyAliases(‘SSH’, ‘PRIVATE’) Key Details ————————————————————————– ‘MFTAlias’, Format PKCS#8, RSA
  10. 10. 4. Import the public key from partner machine in MFT keystore The same WLST session can be used to import the public key copied over from the remote machine in Step I. It must be noted that the public key alias used here should be the same as the userID that is to be used by the remote SFTP client to connect to the embedded SFTP server. Transcript of a sample session is shown below. wls:/base_domain/serverConfig> importCSFKey(‘SSH’, ‘PUBLIC’, ‘MFT_AD’, ‘/home/oracle/.ssh/authorized_keys’) CSF key imported successfully. wls:/base_domain/serverConfig> listCSFKeyAliases(‘SSH’, ‘PUBLIC’) Key Details ————————————————————————– ‘MFT_AD’, Format X.509, RSA wls:/base_domain/serverConfig> exit() Exiting WebLogic Scripting Tool. [oracle@oel6vb bin]$
  11. 11. 5. Configure SFTP server with private key alias After logging in to MFT UI, go to Administration Tab. Under Embedded Servers, go to sFTP tab and complete the following:  enable SFTP  set Public Key as authenticationType  set KeyAlias to the private key alias set during import in Step III.  save settings
  12. 12. 6. Configure MFT users and corresponding SFTP directories Now Configure MFT users and corresponding SFTP directories to be used by remote partners  From MFT UI, under Administration Tab, configure the user and the SFTP root directory, that will be used by in remote SFTP client session. Note that the userID will be the same as the Public Key Alias, used while importing the public key in Step IV. Sample screenshots for user and directory are shown below.
  13. 13. 7. Enter SSH-Keystore Password  From the MFT UI, go to Administration tab and select KeyStore node in the left navigator tree.  Enter the password for SSH-Keystore as the same passphrase used during key pair generation on local machine in Step II.
  14. 14. 8. Restart embedded SFTP Server  The embedded SFTP Server should be restarted for any embedded server related configuration changes to take effect. In case the SFTP server is not running, it can be started now. This wraps up the administrative setup necessary for the exercise. The following sections are part of a simple MFT design process to create a source, target and transfer.
  15. 15. 9. Create Embedded SFTP Source  From MFT UI, go to the Designer tab. Create a SFTP Source pointing to the directory created in Step VI. Sample screenshot is shown below.
  16. 16. 10. Create File Target  For the sake of simplicity, a local file directory is chosen as the directory. From the MFT UI, navigate to the Designer tab and create a target as shown below.
  17. 17. 11. Create a transfer using the previous source and target  From the Designer tab within MFT UI, create a transfer using the source and target created in Steps IX and X. Sample screenshot is shown below.
  18. 18. 12. Deploy and Test  After deploying the transfer, we are ready to test the entire flow.  We initiate the test by starting a simple, command-line SFTP client in the remote machine (slc08vby) and connecting to the embedded SFTP server running within MFT. The userID is the one specified in Step IV and VI (MFT_AD). The passphrase is the same as that used in generating the key pair in the remote machine during Step I.  After the sftp session is established, we put a file into the SFTP root directory of the user on MFT server machine, as specified in Step VI. The transcript from a sample SFTP client session is shown below. [slahiri@slc08vby ~]$ cat ~/.ssh/config.sftp Host 10.159.179.84 Port 7522 PasswordAuthentication no User MFT_AD IdentityFile /home/slahiri/sftpslc [slahiri@slc08vby ~]$ [slahiri@slc08vby ~]$ sftp -F ~/.ssh/config.sftp oel6vb Connecting to oel6vb… Enter passphrase for key ‘/home/slahiri/sftpslc’: sftp> pwd Remote working directory: /MFT_AD sftp> put sftptest.txt Uploading sftptest.txt to /MFT_AD/sftptest.txt sftptest.txt 100% 24 0.0KB/s 00:00 sftp> quit [slahiri@slc08vby ~]$
  19. 19. Continue…  After the SFTP operation is completed, the MFT transfer takes over. MFT picks up the file from the embedded SFTP source and places it in the directory within the local file system, defined as target. Example screenshot from Monitoring Tab of MFT UI is shown below.
  20. 20. Continue…  Finally, we verify that our test file is saved in the local directory specified as the target in Step X. [oracle@oel6vb in]$ pwd /home/oracle/in [oracle@oel6vb in]$ ls sftptest.txt [oracle@oel6vb in]$
  21. 21. References  The test case described here is one way to establish secure transfers with MFT. There are other use cases as well and will be discussed in other articles of this blog series on MFT. For further details, please contact the MFT Product Management team or SOA/MFT group within A-Team.  http://www.ateam-oracle.com/mft-setting-up-sftp-transfers-using-key-based-authentication/
  22. 22. Thank You!

×