Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Suraj Amin (SurajAmin)
Adqura
Lead Decisioning Consultant
Adqura
GB
SurajAmin Member since 2014 14 posts
Adqura
Posted: Nov 14, 2016
Last activity: Nov 25, 2016
Posted: 14 Nov 2016 7:35 EST
Last activity: 25 Nov 2016 6:06 EST
Closed
Solved

Pega 7.2.1 How to create sFTP Server Data Instance using SSH RSA Keys

Hi,

I am looking for some guidance on how to create a sFTP Server Data instance using SSH RSA Keys?

We can currently manually sftp from our pega server into the target sftp server using rsa ssh keys. Our server's public ssh key is installed into the target sftp server.

I have a few questions around creating the sFTP Server Data instance:

1. Truststore - The help says - "Provide the SSH public key of your FTP server in a Truststore record to restrict connectivity to this known host." - does this mean its optional? And does it also mean that the Truststore/Keystore instance for this can be created using the rsa SSH (public) key?

2. Keystore - How do I go about creating a Keystore data instance using our server's SSH RSA Keys (id_rsa, id_rsa.pub)?

I have come across another post here - https://collaborate.pega.com/question/pega-72-sftp-feature-generating-keystore-ppk-file-received-pega-cloud - which descibes creating a Keystore record using a (putty based) .ppk file and using a custom activity. Can I use the same process to generate the Keystore using our server's private rsa key (id_rsa) instead of the .ppk file?

Thanks.

Regards,
Suraj

***Updated by moderator: Lochan to update Categories***

To see attachments, please log in.
Data Integration
Security

Accepted Solution

Posted: 8 years ago
Posted: 25 Nov 2016 6:05 EST
Suraj Amin (SurajAmin)
Adqura
Lead Decisioning Consultant
Adqura
GB

Hi All,

Peter Tandara-Kuhns answered my questions so I am posting it here for everyone's benefit.

Show More

Hi All,

Peter Tandara-Kuhns answered my questions so I am posting it here for everyone's benefit.

1. Truststore - The help says - "Provide the SSH public key of your FTP server in a Truststore record to restrict connectivity to this known host." - does this mean its optional? And does it also mean that the Truststore/Keystore instance for this can be created using the rsa SSH (public) key?
 
Answer: Yes, this field is optional. If left blank, the SFTP connector will allow connectivity with any SSH host. If supplied, the Keystore record must contain the public key file only (id_rsa.pub), not a keystore file containing the key.
 
2. Keystore - How do I go about creating a Keystore data instance using our server's SSH RSA Keys (id_rsa, id_rsa.pub)?
 
I have come across another post here - https://collaborate.pega.com/question/pega-72-sftp-feature-generating-keystore-ppk-file-received-pega-cloud - which descibes creating a Keystore record using a (putty based) .ppk file and using a custom activity. Can I use the same process to generate the Keystore using our server's private rsa key (id_rsa) instead of the .ppk file?
 
Answer: When we added the SFTP option to our existing FTP capabilities, we chose to reuse the Keystore/Truststore record references rather than introduce a new rule type for storing SSH keys. Since that time, validation of Keystore records was enhanced to prevent anything other than actual JKS/PKCS binaries from being uploaded and saved to the record. The validation has been fixed in 7.2.2, but there is a workaround in 7.2.1 that involves temporarily disabling the added validation for Keystore records. The workaround is described here:
 
 
Unfortunately, the above support article references a specific step number of the Validate activity to comment out, with no screen shot or explanation in case the activity changes in later releases.The step that needs to be commented out in 7.2.1 is step 5 (Java), not step 3.
 
SFTP connection logging
 
It turns out there really isn’t any native logging capability in the 3rd-party JSch library we use for SFTP:
 
There is logging output in our adapter class for this library, however. You can set the log level of the following class to DEBUG using the log settings feature of Designer Studio:
 
com.pega.pegarules.integration.engine.internal.client.ftp.JschSFTPClient
 

 

Regards,
Suraj


Show Less
To see attachments, please log in.
Posted: 8 years ago
Posted: 15 Nov 2016 0:52 EST
Habeeb Baig (BaigHabeeb)
Virtusa IT Consulting
Lead Decisioning Architect
Virtusa IT Consulting
AE

You can follow the steps provided in the post you are referring to. While uploading the file in Keystore rule give extension type as .pub

 

To see attachments, please log in.
Posted: 8 years ago
Posted: 15 Nov 2016 7:29 EST
Habeeb Baig (BaigHabeeb)
Virtusa IT Consulting
Lead Decisioning Architect
Virtusa IT Consulting
AE

can you please help me understand if you are using two way SSL? and whether id_rsa contains client side certificate, id_rsa.pub contains server side certificate or vice versa?

 

To see attachments, please log in.
Posted: 8 years ago
Posted: 15 Nov 2016 15:06 EST
Charles Reitzel (CharlesReitzel)
PEGA
Software Engineer Fellow
Pegasystems Inc.
US

@baigh Just to clarify what Suraj is asking for, sFTP refers to "Secure FTP", which is also known as "FTP over SSH".   FTP over SSL/TLS is known as "ftps".

To see attachments, please log in.
Posted: 8 years ago
Posted: 15 Nov 2016 15:42 EST
Charles Reitzel (CharlesReitzel)
PEGA
Software Engineer Fellow
Pegasystems Inc.
US

@SurajAmin  Use the client-side private key in the Keystore.  It is used to identify the client to the server.   Use the target server's public key in the Truststore to verify it's identity.   This is what the sFTP client side code (Connect-FTP) is expecting at runtime.

Each of these appears to be optional to the rule.   

To see attachments, please log in.
Posted: 8 years ago
Posted: 16 Nov 2016 5:34 EST
Habeeb Baig (BaigHabeeb)
Virtusa IT Consulting
Lead Decisioning Architect
Virtusa IT Consulting
AE

I understand the requirement is to connect to FTP server as FTPS (SSL enabled), however if there is no two way SSL then why there is a need to upload public key to trustore. If its just a matter of connecting to FTP server which is a one way connection so adding private key to keystore should suffice. Please correct me if I am wrong.

 

 

To see attachments, please log in.

Accepted Solution

Posted: 8 years ago
Posted: 25 Nov 2016 6:05 EST
Suraj Amin (SurajAmin)
Adqura
Lead Decisioning Consultant
Adqura
GB

Hi All,

Peter Tandara-Kuhns answered my questions so I am posting it here for everyone's benefit.

Show More

Hi All,

Peter Tandara-Kuhns answered my questions so I am posting it here for everyone's benefit.

1. Truststore - The help says - "Provide the SSH public key of your FTP server in a Truststore record to restrict connectivity to this known host." - does this mean its optional? And does it also mean that the Truststore/Keystore instance for this can be created using the rsa SSH (public) key?
 
Answer: Yes, this field is optional. If left blank, the SFTP connector will allow connectivity with any SSH host. If supplied, the Keystore record must contain the public key file only (id_rsa.pub), not a keystore file containing the key.
 
2. Keystore - How do I go about creating a Keystore data instance using our server's SSH RSA Keys (id_rsa, id_rsa.pub)?
 
I have come across another post here - https://collaborate.pega.com/question/pega-72-sftp-feature-generating-keystore-ppk-file-received-pega-cloud - which descibes creating a Keystore record using a (putty based) .ppk file and using a custom activity. Can I use the same process to generate the Keystore using our server's private rsa key (id_rsa) instead of the .ppk file?
 
Answer: When we added the SFTP option to our existing FTP capabilities, we chose to reuse the Keystore/Truststore record references rather than introduce a new rule type for storing SSH keys. Since that time, validation of Keystore records was enhanced to prevent anything other than actual JKS/PKCS binaries from being uploaded and saved to the record. The validation has been fixed in 7.2.2, but there is a workaround in 7.2.1 that involves temporarily disabling the added validation for Keystore records. The workaround is described here:
 
 
Unfortunately, the above support article references a specific step number of the Validate activity to comment out, with no screen shot or explanation in case the activity changes in later releases.The step that needs to be commented out in 7.2.1 is step 5 (Java), not step 3.
 
SFTP connection logging
 
It turns out there really isn’t any native logging capability in the 3rd-party JSch library we use for SFTP:
 
There is logging output in our adapter class for this library, however. You can set the log level of the following class to DEBUG using the log settings feature of Designer Studio:
 
com.pega.pegarules.integration.engine.internal.client.ftp.JschSFTPClient
 

 

Regards,
Suraj


Show Less
To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice