Example: How to configure a protocol bridge agent to use private key credentials with a UNIX SFTP server

This example demonstrates how we can generate and configure the ProtocolBridgeCredentials.xml file. This example is a typical example and the details might vary according to your platform, but the principles remain the same.


About this task


Procedure

  1. On the SFTP client, log on with the login ID to be passed to the SFTP server by the protocol bridge agent and run the ssh-keygen command to create a public/private key sequence. Supply a pass phrase when asked for one. The ssh-keygen command generates the following two files: id_rsa and id_rsa.pub. If you need DSA format, use -t dsa when you run the ssh-keygen command
  2. Copy the contents of the id_rsa.pub file into the ~/.ssh/authorized_keys file of the SFTP user on the SFTP server. Ensure that the SFTP file server process has read access to this file.
  3. Managed File Transfer requires a host ssh fingerprint generated using the MD5 algorithm. Run one of the following commands to obtain the host ssh fingerprint of the SFTP server.

    • For Red Hat Enterprise Linux version 6.x and below, and Linux Ubuntu 14.04, run the following command:
      ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
    • Starting with Red Hat Enterprise Linux version 7.x, Linux Ubuntu 16.04 and SuSE Linux 12.4, the ssh-keygen command generates, by default, the ssh fingerprint using the SHA56 algorithm. To generate the ssh fingerprint using the MD5 algorithm, run the following command:
      ssh-keygen -l -E MD5 -f /etc/ssh/ssh_host_rsa_key.pub
      The output of the command will be similar to the following example:
      2048 MD5:64:39:f5:49:41:10:55:d2:0b:81:42:5c:87:62:9d:27 no comment (RSA)

      Extract the hexadecimal portion only of the output to use as the hostKey in the ProtocolBridgeCredentials.xml file (see step 4). Therefore, in this example, you would extract 64:39:f5:49:41:10:55:d2:0b:81:42:5c:87:62:9d:27.

  4. On the protocol bridge agent system, edit the ProtocolBridgeCredentials.xml file. Substitute the values shown in italics in the following example with your own values:
    <tns:credentials xmlns:tns="http://wmqfte.ibm.com/ProtocolBridgeCredentials"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://wmqfte.ibm.com/ProtocolBridgeCredentials 
     ProtocolBridgeCredentials.xsd ">
    
    <tns:agent name="Agent_name">
    
    <tns:server name="SFTP_name">
    
    <tns:user name="mq_User_ID" serverUserId="SFTP_user_ID" 
      hostKey="ssh_host_finger">
    <tns:privateKey associationName="name" keyPassword="pass_phrase">
     Complete contents of the id_rsa file including the entries
     -----BEGIN RSA PRIVATE KEY----- 
    
     -----END RSA PRIVATE KEY----- 
    </tns:privateKey>
    </tns:user>
        
    </tns:server>
    </tns:agent>
    </tns:credentials> 
    where:

    • Agent_name is the name of the protocol bridge agent.
    • SFTP_host_name is the name of the SFTP server as shown in the ProtocolBridgeProperties.xml file.
    • mq_User_ID is the MQMD user ID associated with the transfer request.
    • SFTP_user_ID is the SFTP user ID as used in step 2. It is the value passed to the SFTP serve as the login user ID.
    • ssh_host_finger is the fingerprint collected in step 3.
    • name is a name that we can specify to be used for trace and logging purposes.
    • pass_phrase is the pass phrase you provided in the ssh-keygen in step 1.
    • Complete contents of the id_rsa file is the complete contents of the generated id_rsa file from step 1. To prevent a connection error, ensure that you include both of the following entries:
      -----BEGIN RSA PRIVATE KEY----- 
      
      -----END RSA PRIVATE KEY----- 

    We can add additional keys by duplicating the <tns:privatekey> element.

  5. Start the protocol bridge agent if the agent is not already started. Alternatively, the protocol bridge agent periodically polls the ProtocolBridgeCredentials.xml file and pick up the changes.