Sunday, October 16, 2016

Client Certificate Authentication SFTP with WSO2 ESB 4.9.0

SFTP can authenticate clients with a public key instead of a password, which lets file transfers run unattended and makes them easier to automate.

In this article we will go through how to configure the client and the server machine to use this key-based (client certificate) authentication with WSO2 ESB 4.9.0.

Client Side Configuration

Create a directory named .ssh inside the Linux home directory and run the command below to create the public and private keys for the authentication. Here we are creating the default key pair (id_rsa and id_rsa.pub) without a passphrase.

ajanthan@ajanthan-ThinkPad-T440p:~/.ssh$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ajanthan/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/ajanthan/.ssh/id_rsa.
Your public key has been saved in /home/ajanthan/.ssh/id_rsa.pub.
The key fingerprint is:
54:48:31:70:67:0f:43:5d:14:e2:58:2f:d6:6f:6a:e0 ajanthan@ajanthan-ThinkPad-T440p
The key's randomart image is:
+--[ RSA 2048]----+
|      .o=+B.oo+. |
|       ..= B.+   |
|        . . = o  |
|       .   . . . |
|        S   .   o|
|           . . o |
|            E o  |
|             .   |
|                 |
+-----------------+
ajanthan@ajanthan-ThinkPad-T440p:~/.ssh$ 

Now we have created the client-side keys. Next we move to the server-side configuration.

Server Side Configuration

Now we need to copy the public key to the remote server (the SFTP server). On that server, create the .ssh directory in the account's home if it does not exist, and create a file called authorized_keys inside it.

touch authorized_keys

chmod 700 authorized_keys


Now go back to your client machine and run the command below to append the public key to the server's authorized_keys file. It prompts for the account password once; after that, logins with the key should no longer ask for one.

ssh-copy-id -i id_rsa.pub esb-support@172.22.217.160
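The server-side steps above (create .ssh, create authorized_keys, set permissions, add the key) as one idempotent script. This is an added example, not from the original post; the public key line in it is constructed and is not a real key. The post sets 700 on authorized_keys; this script uses the conventional 600 for the file and 700 for the directory, both of which satisfy the sshd StrictModes requirement that the file is not group- or world-writable.

```shell
#!/bin/sh
# Added example (not from the original post): prepare ~/.ssh/authorized_keys
# for key-based SFTP logins idempotently and verify the permissions sshd
# expects. The key material below is constructed and is not a usable key.

# Constructed sample public key line (right format, fake key body).
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedSampleKeyNotReal ajanthan@ajanthan-ThinkPad-T440p'

# file_mode <path>: permission bits in octal (GNU stat, with a BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_authorized_key <ssh_dir> <pubkey_line>
# Creates <ssh_dir>/authorized_keys if needed and appends the key only when
# it is not already present, so running this twice (or ssh-copy-id twice)
# does not leave duplicate entries. Directory -> 700, file -> 600.
install_authorized_key() {
    ssh_dir=$1
    pubkey=$2
    keyfile="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$keyfile"
    chmod 600 "$keyfile"
    if ! grep -qxF "$pubkey" "$keyfile"; then
        printf '%s\n' "$pubkey" >> "$keyfile"
    fi
}

# count_authorized_keys <ssh_dir>: number of key lines, ignoring blank and
# comment lines. Useful to spot unexpected extra keys on a shared account.
count_authorized_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1/authorized_keys"
}

# check_authorized_keys_perms <ssh_dir>
# Returns 0 when the directory is 700 and the file is not group- or
# world-writable; sshd (StrictModes yes, the default) refuses the file otherwise.
check_authorized_keys_perms() {
    ssh_dir=$1
    dir_bits=$(file_mode "$ssh_dir")
    file_bits=$(file_mode "$ssh_dir/authorized_keys")
    [ "$dir_bits" = "700" ] || return 1
    # 0-prefix makes the shell treat the value as octal; 022 = group/other write.
    [ $(( 0$file_bits & 022 )) -eq 0 ] || return 1
}

# Demo when run as: sh setup_authorized_keys.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    install_authorized_key "$demo_dir/.ssh" "$SAMPLE_PUBKEY"
    install_authorized_key "$demo_dir/.ssh" "$SAMPLE_PUBKEY"
    echo "keys installed: $(count_authorized_keys "$demo_dir/.ssh")"
    check_authorized_keys_perms "$demo_dir/.ssh" && echo "permissions ok"
    rm -rf "$demo_dir"
fi
```

Run it on the SFTP server as the esb-support account, passing the contents of the client's id_rsa.pub as the key line. The duplicate check uses a fixed-string, whole-line match, so a re-run with the same key is a no-op while a different key for the same user is still added.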

Below is a sample proxy configuration for the case where the default id_rsa is the private key and no passphrase is assigned to it. The VFS transport polls the in directory every 15 seconds, picks up files matching the name pattern, and moves them to the process or failure directory depending on the outcome.


<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse"
       name="SFTPProxy"
       transports="vfs"
       startOnLoad="true"
       trace="disable">
   <description/>
   <target>
      <inSequence>
         <log level="custom">
            <property name="STATUS:" value="---------SFTP Proxy Invoked-------------------"/>
         </log>
      </inSequence>
      <outSequence/>
      <faultSequence/>
   </target>
   <parameter name="transport.PollInterval">15</parameter>
   <parameter name="transport.vfs.ActionAfterProcess">MOVE</parameter>
   <parameter name="transport.vfs.FileURI">vfs:sftp://esb-support@172.22.217.160/www/in</parameter>
   <parameter name="transport.vfs.MoveAfterProcess">vfs:sftp://esb-support@172.22.217.160/www/process</parameter>
   <parameter name="transport.vfs.MoveAfterFailure">vfs:sftp://esb-support@172.22.217.160/www/failure</parameter>
   <!-- the dot before xml is escaped so that only files ending in ".xml" are picked up -->
   <parameter name="transport.vfs.FileNamePattern">.*\.xml</parameter>
   <parameter name="transport.vfs.ContentType">application/xml</parameter>
   <parameter name="transport.vfs.ActionAfterFailure">MOVE</parameter>
</proxy>


If you are using a private key with a custom name (not "id_rsa") or one protected by a passphrase, then you need to add the parameters below to the proxy service.


<parameter name="transport.vfs.SFTPIdentities">/home/ajanthan/.ssh/ajan_id_rsa</parameter>
<parameter name="transport.vfs.SFTPIdentityPassPhrase">batticaloal</parameter>
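Before deploying the proxy it is worth checking, with the same identity file and the same user@host from the FileURI parameter, that the key authenticates without any prompt. The script below is an added example and is not from the original post or from WSO2; it parses the vfs:sftp URIs used in the proxy parameters and runs sftp in batch mode, which fails instead of prompting whenever the key is rejected, the file permissions are wrong, or the key needs a passphrase the ESB would not be able to supply.

```shell
#!/bin/sh
# Added example (not from the original post or WSO2): parse vfs:sftp URIs from
# the proxy parameters and pre-flight the key-based login non-interactively.

# vfs_sftp_parts <uri>
# Prints "user host path" for a vfs:sftp://user@host/path URI; the path is "/"
# when the URI has none. Returns 1 for anything that is not a vfs:sftp URI.
vfs_sftp_parts() {
    rest=${1#vfs:sftp://}
    [ "$rest" != "$1" ] || return 1        # prefix was not present
    user=${rest%%@*}
    hostpath=${rest#*@}
    host=${hostpath%%/*}
    case $hostpath in
        */*) path=/${hostpath#*/} ;;
        *)   path=/ ;;
    esac
    [ -n "$user" ] && [ -n "$host" ] || return 1
    printf '%s %s %s\n' "$user" "$host" "$path"
}

# sftp_preflight <vfs_sftp_uri> <identity_file>
# Lists the remote directory using only the given private key.
#   -b -               batch commands from stdin; this also enables BatchMode,
#                      so sftp errors out rather than asking for a password
#                      or a passphrase
#   -oIdentitiesOnly   ignore keys in ssh-agent and ~/.ssh, so the check
#                      exercises exactly the file the proxy will be told to use
# The exit status is sftp's: 0 means the key works and the directory is readable.
sftp_preflight() {
    parts=$(vfs_sftp_parts "$1") || { echo "not a vfs:sftp URI: $1" >&2; return 1; }
    identity=$2
    user=${parts%% *}
    rest=${parts#* }
    host=${rest%% *}
    path=${rest#* }
    printf 'ls %s\n' "$path" | sftp -b - -oIdentitiesOnly=yes -i "$identity" "$user@$host"
}

# Usage: sh sftp_preflight.sh 'vfs:sftp://esb-support@172.22.217.160/www/in' ~/.ssh/id_rsa
if [ $# -eq 2 ]; then
    sftp_preflight "$1" "$2"
fi
```

Run it as the OS user the ESB runs under, so that the same ~/.ssh/known_hosts and file permissions apply. For the custom-key case, pass the path from transport.vfs.SFTPIdentities; if sftp then stops with a passphrase prompt, the key is encrypted and transport.vfs.SFTPIdentityPassPhrase is required.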
