Configuring public key authentication & Hostbased authentication in OSB for SFTP

This post explains how to configure public key and host-based authentication in OSB (Oracle Service Bus) for the SFTP transport.

Please find below the steps for public key authentication:

  1. Ensure you have the same username on both the OSB server and the SFTP server,
     e.g. oracle.
  2. Generate a private/public key pair on the SFTP server (logged in as oracle) using:
     ssh-keygen -t rsa -b 2048
     ssh-keygen -t dsa -b 2048
     The files containing the private and public keys will be saved in $HOME/.ssh.
  3. Copy the contents of id_rsa.pub and id_dsa.pub (the public keys) from the SFTP server to the known_hosts file under
     DOMAIN_HOME/config/osb/transports/sftp
     The format of the known_hosts file is:
     hostname,ip algorithm publickey
     where algorithm = ssh-rsa/ssh-dss and publickey is the one obtained in step 2.
     The above steps complete what is needed to establish the SFTP server (server) as a known host to the OSB server (client).
  4. Generate a JKS keystore containing the private/public key pair for the OSB server:

     export PATH=/home/oracle/bea/jdk160_05/bin:$PATH

     keytool -genkey -dname "cn=test1, ou=GCS, o=Oracle, c=IN" -alias sftp -keypass welcome1 -keystore /home/oracle/bea/sftp.jks -storepass welcome1

  5. Create a PKI Credential Mapper in WebLogic and set the path of the JKS keystore to the one generated in the previous step.
  6. Using portecle (java -jar portecle.jar), open the JKS keystore generated in step 4.
  7. Select the JKS keystore entry, right click and export the private key and certificate in PEM format;
     save it in a file, e.g. sftp.pem.
  8. Using puttygen.exe, load the PEM file and then save the public key in OpenSSH format, e.g. sftp.pub.
  9. Copy the contents of sftp.pub into $HOME/.ssh/authorized_keys on the SFTP server, e.g.
     ssh-dss XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
     (You have to use ssh-dss/ssh-rsa depending on which algorithm you used when running the keygen tool.
     By default keytool generates keys using the DSA algorithm unless you have specifically generated them using the RSA algorithm.)
  10. To create a proxy service which uses public key authentication, first create a Service Key Provider in the OSB console using the alias and certificate generated in step 4.
     To configure the Service Key Provider please follow the section "Service Key Providers" in the note below:
  11. Create a proxy service, choose "Public Key Authentication" as the authentication method,
     and specify the Service Key Provider created in step 10.
     Set the username to oracle (the same user on the SFTP server for which you generated the keys in step 2).
     Set the hostname in the URI to the same host as in the known_hosts file from step 3;
     otherwise you will get the error "key not found for <hostname>".
     Deploy and activate the proxy, and you should be able to log in to the SFTP server and poll for files.
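The two things that most often go wrong in steps 3 and 11 are a malformed known_hosts entry and a URI host that does not match the hostname in the file. The script below is an added example, not part of the original post or of OSB itself: it checks each line against the "hostname,ip algorithm publickey" format and then looks up the URI host the way the proxy needs it. The file contents and host names are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): validate the entries OSB reads from
# DOMAIN_HOME/config/osb/transports/sftp/known_hosts (step 3) and confirm that the
# host in the proxy's sftp URI has an entry (step 11), before activating the proxy.
# Each line must be "hostname,ip algorithm publickey" with algorithm ssh-rsa or ssh-dss.
set -f   # no pathname expansion when splitting lines into fields

# Constructed sample known_hosts file; the key blobs are truncated placeholders, not real keys.
KNOWN_HOSTS="${TMPDIR:-/tmp}/osb_known_hosts.$$"
cat > "$KNOWN_HOSTS" <<'EOF'
sftphost1,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexample
sftphost2,10.0.0.6 ssh-dss AAAAB3NzaC1kc3MAAACBAPexample
badhost,10.0.0.7 rsa AAAAB3NzaC1yc2EAAAADAQABexample
EOF

# check_entry LINE: 0 if LINE is a well-formed OSB known_hosts entry, 1 otherwise
check_entry() {
    set -- $1                                   # split into the three fields
    [ $# -eq 3 ] || return 1
    case "$1" in *,*) ;; *) return 1 ;; esac    # first field must be hostname,ip
    # An OpenSSH public key blob starts with its type string, so the base64 text
    # must begin with the encoding of "ssh-rsa" or "ssh-dss" and agree with field 2.
    case "$2:$3" in
        ssh-rsa:AAAAB3NzaC1yc2E*) return 0 ;;
        ssh-dss:AAAAB3NzaC1kc3M*) return 0 ;;
    esac
    return 1
}

# find_host_key FILE HOST: print the algorithm of the valid entry whose hostname is HOST
find_host_key() {
    file=$1; host=$2
    while read -r line; do
        check_entry "$line" || continue
        set -- $line
        [ "${1%%,*}" = "$host" ] && { echo "$2"; return 0; }
    done < "$file"
    return 1
}

# Demonstration: report malformed lines, then look up the host from the proxy URI.
while read -r line; do
    check_entry "$line" && echo "ok:  $line" || echo "BAD: $line"
done < "$KNOWN_HOSTS"
URI_HOST=sftphost1.example.com   # FQDN in the URI but short name in the file: OSB reports an error
find_host_key "$KNOWN_HOSTS" "$URI_HOST" >/dev/null || echo "key not found for $URI_HOST"
```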

Please find below the steps for configuring host-based authentication:

  1. Host-based authentication requires additional configuration steps on the SFTP server,
     assuming a Linux server with vsftpd as the ftp/sftp server.
  2. Steps 1-8 from the public key authentication section are the same. After completing steps 1-8, follow the steps below:
  3. Instead of saving the public key of the OSB server in the authorized_keys file on the SFTP server, save it in the following files on the SFTP server:
     /etc/ssh/ssh_known_hosts
     /etc/ssh/ssh_known_hosts2
     /etc/ssh_known_hosts
     /etc/ssh_known_hosts2
     /home/oracle/.ssh/known_hosts
     /home/oracle/.ssh/known_hosts2
  4. Use the format
     hostname ssh-rsa/ssh-dss XXXXXXXXXXXXXXXXXXXXXXXXX
  5. Add the hostname/IP address of the OSB server to the following files:
     /home/oracle/.shosts
     /home/oracle/.rhosts
     /etc/shosts.equiv
     /etc/ssh/shosts.equiv
  6. Add the following directives to /etc/ssh/sshd_config:
     IgnoreRhosts no
     HostbasedAuthentication yes
  7. Also, ensure that a reverse lookup of the OSB server (client) succeeds, i.e. the ip-address->hostname and hostname->ip-address lookups resolve to the same values.
  8. The SFTP server (server) performs this check in host-based authentication to verify that the hostname and IP address mapping is consistent.
  9. Now follow steps 10 and 11 mentioned above. In step 11 choose Host Based Authentication instead of Public Key Authentication.

Debugging if you face any issues in the SFTP transport:

  1. Set LogLevel in /etc/ssh/sshd_config to DEBUG, DEBUG1, DEBUG2 or DEBUG3
     (you can view the /var/log/security file for the debug messages).
  2. DEBUG3 is the most verbose level on the vsftpd server.
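Steps 7 and 8 of the host-based section are where most failures come from: sshd resolves the client's address back to a name and compares it with the name the client presented. The check below is an added example, not from the original post; it reproduces that round trip from the shell on the SFTP server so the mismatch shows up before the proxy is activated. It assumes a Linux host with getent(1) (glibc); the hostname to check is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post): the forward/reverse lookup consistency
# check that sshd relies on for host-based authentication (steps 7 and 8 above).
# Resolves HOST to its addresses, resolves each address back to names, and succeeds
# only if HOST itself comes back. Assumes Linux with getent(1) from glibc.

# reverse_ok HOST: 0 if HOST -> IP -> HOST round-trips for at least one address, else 1
reverse_ok() {
    host=$1
    # forward lookup: getent prints one line per address, the address in column 1
    ips=$(getent hosts "$host" | awk '{ print $1 }')
    [ -n "$ips" ] || { echo "forward lookup failed for $host" >&2; return 1; }
    for ip in $ips; do
        # reverse lookup: the canonical name and aliases follow the address
        names=$(getent hosts "$ip" | awk '{ $1 = ""; print }')
        for name in $names; do
            [ "$name" = "$host" ] && return 0
        done
        echo "$ip resolves to '$names', not back to $host" >&2
    done
    return 1
}

# Usage on the SFTP server: reverse_ok <osb-client-hostname>
# A non-zero exit means sshd would reject the client's host-based authentication.
if [ $# -gt 0 ]; then
    reverse_ok "$1" && echo "reverse lookup consistent for $1"
fi
```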