Example: How to configure a protocol bridge agent to use private key credentials with a UNIX SFTP server
This example demonstrates how we can generate and configure the ProtocolBridgeCredentials.xml file. It is a typical example; the details might vary according to your platform, but the principles remain the same.
About this task
Procedure
- On the SFTP client, log on with the login ID to be passed to the SFTP server by the protocol bridge agent and run the ssh-keygen command to create a public/private key pair. Supply a pass phrase when asked for one. The ssh-keygen command generates the following two files: id_rsa and id_rsa.pub. If you need DSA format, use -t dsa when you run the ssh-keygen command.
- Copy the contents of the id_rsa.pub file into the ~/.ssh/authorized_keys file of the SFTP user on the SFTP server. Ensure that the SFTP file server process has read access to this file.
- Managed File Transfer requires a host ssh fingerprint generated using the MD5 algorithm. Run one of the following commands to obtain the host ssh fingerprint of the SFTP server.
- For Red Hat Enterprise Linux version 6.x and below, and Linux Ubuntu 14.04, run the following command:
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
- Starting with Red Hat Enterprise Linux version 7.x, Linux Ubuntu 16.04 and SuSE Linux 12.4, the ssh-keygen command generates the ssh fingerprint using the SHA256 algorithm by default. To generate the ssh fingerprint using the MD5 algorithm, run the following command:
ssh-keygen -l -E MD5 -f /etc/ssh/ssh_host_rsa_key.pub
The output of the command will be similar to the following example:
2048 MD5:64:39:f5:49:41:10:55:d2:0b:81:42:5c:87:62:9d:27 no comment (RSA)
Extract only the hexadecimal portion of the output (without the MD5: prefix) to use as the hostKey in the ProtocolBridgeCredentials.xml file (see step 4). Therefore, in this example, you would extract 64:39:f5:49:41:10:55:d2:0b:81:42:5c:87:62:9d:27.
- On the protocol bridge agent system, edit the ProtocolBridgeCredentials.xml file. Substitute the values shown in italics in the following example with your own values:
<tns:credentials xmlns:tns="http://wmqfte.ibm.com/ProtocolBridgeCredentials"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://wmqfte.ibm.com/ProtocolBridgeCredentials ProtocolBridgeCredentials.xsd ">
  <tns:agent name="Agent_name">
    <tns:server name="SFTP_name">
      <tns:user name="mq_User_ID" serverUserId="SFTP_user_ID" hostKey="ssh_host_finger">
        <tns:privateKey associationName="name" keyPassword="pass_phrase">
          Complete contents of the id_rsa file including the entries
          -----BEGIN RSA PRIVATE KEY-----
          -----END RSA PRIVATE KEY-----
        </tns:privateKey>
      </tns:user>
    </tns:server>
  </tns:agent>
</tns:credentials>
where:
- Agent_name is the name of the protocol bridge agent.
- SFTP_name is the name of the SFTP server as shown in the ProtocolBridgeProperties.xml file.
- mq_User_ID is the MQMD user ID associated with the transfer request.
- SFTP_user_ID is the SFTP user ID as used in step 2. It is the value passed to the SFTP server as the login user ID.
- ssh_host_finger is the fingerprint collected in step 3.
- name is a name that we can specify; it is used for trace and logging purposes.
- pass_phrase is the pass phrase you provided to ssh-keygen in step 1.
- Complete contents of the id_rsa file is the complete contents of the id_rsa file generated in step 1. To prevent a connection error, ensure that you include both of the following entries:
  -----BEGIN RSA PRIVATE KEY-----
  -----END RSA PRIVATE KEY-----
We can add additional keys by duplicating the <tns:privateKey> element.
- Start the protocol bridge agent if it is not already started. Alternatively, the protocol bridge agent periodically polls the ProtocolBridgeCredentials.xml file and picks up the changes.
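The following script is an added example, not part of the IBM documentation or product: it computes the MD5 host-key fingerprint from an OpenSSH public key line (the hex part of the ssh-keygen -l -E MD5 output in step 3) and checks that the hostKey and privateKey entries in a ProtocolBridgeCredentials.xml file (step 4) are consistent with it, catching the common mistakes of pasting the MD5: prefix into hostKey or dropping the BEGIN/END lines. The SAMPLE_XML layout and the function names are assumptions made for this example.

```python
# Added example (not IBM's code): sanity-check a ProtocolBridgeCredentials.xml
# against the SFTP server's public host key before starting the bridge agent.
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"tns": "http://wmqfte.ibm.com/ProtocolBridgeCredentials"}
# hostKey must be exactly 16 colon-separated hex byte pairs, no "MD5:" prefix.
HEX_PAIRS = re.compile(r"^([0-9a-f]{2}:){15}[0-9a-f]{2}$")

# Constructed sample in the layout of step 4; {host_key} and {key_text} are
# filled in by the caller (assumed template, not from the product).
SAMPLE_XML = """<tns:credentials xmlns:tns="http://wmqfte.ibm.com/ProtocolBridgeCredentials">
 <tns:agent name="Agent_name"><tns:server name="SFTP_name">
  <tns:user name="mq_User_ID" serverUserId="SFTP_user_ID" hostKey="{host_key}">
   <tns:privateKey associationName="name" keyPassword="pass_phrase">{key_text}</tns:privateKey>
  </tns:user></tns:server></tns:agent></tns:credentials>"""


def md5_fingerprint(pubkey_line: str) -> str:
    """Colon-separated MD5 fingerprint of an OpenSSH public key line
    ("<type> <base64 blob> [comment]"), i.e. the hex part printed by
    'ssh-keygen -l -E MD5 -f /etc/ssh/ssh_host_rsa_key.pub'."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def check_credentials(xml_text: str, server_fingerprint: str) -> list:
    """Return a list of problems found in the credentials XML (empty if OK)."""
    problems = []
    root = ET.fromstring(xml_text)
    for user in root.iterfind(".//tns:user", NS):
        host_key = user.get("hostKey", "")
        if not HEX_PAIRS.match(host_key):
            problems.append(f"hostKey '{host_key}' is not a 16-byte MD5 fingerprint")
        elif host_key != server_fingerprint:
            problems.append(f"hostKey '{host_key}' does not match server key {server_fingerprint}")
        for key in user.iterfind("tns:privateKey", NS):
            text = key.text or ""
            # Step 4 shows RSA markers; a DSA key carries DSA markers instead.
            if "-----BEGIN " not in text or "-----END " not in text:
                problems.append("privateKey is missing the BEGIN/END PRIVATE KEY lines")
            if not key.get("keyPassword"):
                problems.append("privateKey has no keyPassword for the pass phrase")
    return problems
```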