Secure FTP

Can we do Secure FTP using basic services provided in webMethods B2B Server?

To do Secure FTP from webMethods, do we require any other piece of software? If yes, is it from webMethods or third-party?
If it is from a third party, how does it work with webMethods?

Anybody used CONNECT:Enterprise software for secure FTP? It is a product from Sterling Commerce.

Thanks,
Mani

FTP is more difficult to secure than other protocols because it uses two connections: a control connection where the commands are sent, and a data connection for sending the data between the source and destination system. Depending on whether active or passive mode is being used, the data connection can be established from the receiver to the sender or from the sender to the receiver. There are also some interesting vulnerabilities in the FTP protocol design which are present in nearly all FTP implementations. [Note that these are problems in the protocol design, and not implementation bugs, so they can’t be fixed.]

webMethods does not include secure FTP support in the base product. The reason is simple: there’s no standard. Some people use the term “secure FTP” to mean using a secure transport like “FTP over SSL” or “FTP over SSH”. Others mean sending encrypted data over an FTP connection, like “S/MIME over FTP” or “PGP over FTP”. None of these are interoperable, and all require that both sides of the communication agree in advance on which method will be used. Further, there are even residual risks in some of these alternatives: for example, sending S/MIME over FTP protects the data, but still sends the username and password unencrypted.

webMethods discourages use of FTP for customers who are concerned about security, due to the intrinsic problems in the FTP protocol. If that’s impractical, webMethods recommends using a VPN to protect FTP traffic. VPNs are interoperable (thanks to IPsec), and can be configured to provide protection for both the data and control streams.

If this is inadequate, custom solutions can be developed, depending on the risk tradeoffs and compatibility requirements (e.g., SSL vs. SSH vs. S/MIME vs. PGP vs. a proprietary solution such as the one identified).

One more item: a colleague just pointed me to http://www.ietf.org/internet-drafts/draft-murray-auth-ftp-ssl-09.txt, which is the latest (Apr 2002) in secure FTP standardization. Note that it’s not a standard, just a proposal, but it’s the first thing that’s been published on the IETF site about secure FTP in quite a while.

All of which is to reinforce my point that there are no standards in this area, so any product selection is by definition non-standard.
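The two points made above (credentials travel in the clear on the control connection, and the data connection's endpoint is negotiated over that same channel via PORT/PASV) can be seen by scanning a control-channel capture. This is an added example, not code from the thread; the session, host name and 192.0.2.x addresses are constructed.

```python
"""Added example, not from the thread: scan an FTP control channel for the
two things the reply above warns about, credentials sent in the clear and
the separate data connection negotiated via PORT/PASV. Constructed sample."""
import re

# Constructed sample: client commands and server replies, interleaved.
SAMPLE_SESSION = """\
220 ftp.example.test ready
USER mani
331 Password required
PASS s3cret
230 Logged in
PASV
227 Entering Passive Mode (192,0,2,10,195,89)
RETR invoice.edi
226 Transfer complete
PORT 192,0,2,25,8,17
200 PORT command successful
STOR ack.edi
226 Transfer complete
"""


def decode_hostport(text):
    """'h1,h2,h3,h4,p1,p2' -> (ip, port) with port = p1*256 + p2, else None."""
    m = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def analyse_ftp_control(session):
    """Return cleartext credentials and every data-connection endpoint seen."""
    credentials, data_connections = [], []
    for line in session.splitlines():
        verb, _, arg = line.partition(" ")
        if verb in ("USER", "PASS"):          # sent in the clear on port 21
            credentials.append((verb, arg))
        elif verb == "PORT":                   # active: server connects back
            ep = decode_hostport(arg)
            if ep:
                data_connections.append(("active", *ep))
        elif verb == "227":                    # passive: client connects out
            ep = decode_hostport(arg)
            if ep:
                data_connections.append(("passive", *ep))
    return {"credentials": credentials, "data_connections": data_connections}
```

A transport wrapper or firewall rule that covers only port 21 leaves every endpoint in `data_connections` unprotected, which is why the reply recommends a VPN that carries both streams.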

Those are all valid reasons as to why you would want to avoid secure FTP; however, we’re in the situation that we want to connect to a VAN, and TN’s primary way of doing that is plain FTP - I’m not sure how this is better.

More importantly, our VAN requires a SSL/FTP connection, so we essentially can’t connect to the VAN using webMethods (or at least TN - unless I’m missing something obvious)

VPN etc. are great solutions when you have control over both sides of the conversation, but when you want to talk to someone else, you’d better speak their language - in our case, that’s SFTP, so we’re going to be forced into doing some sort of kludge where we run a scheduled SFTP job to do the transport (still undecided if we’ll bother with it at this point.)

Any other directions you could point me (and people in a similar situation?)

Thanks

Greg

Hi Greg,
It was a nice explanation.

I’m trying to connect to a VAN (GE Tradeweb). This I’ve got to do using the TNConsole4.5 and B2BServer4.02.
Could you please guide me on how I’m supposed to connect to the VAN in order to retrieve the EDI documents sent in by the client.

One more thing is that I’m using EDI Module: Trading Networks component 4.5, which does not have the VANFTP service in it, whereas the EDI Module: Trading Networks component 4.6 has that service. So is it advisable to remove the existing TN component and install the 4.6 version component? Would it affect my settings in any way, or would it be fine if I do so?

The user’s guide for the TN Component 4.6 says that in the TNConsole, in the “Tools” menu, we are supposed to have the option to create “Public Queues”. Unfortunately I don’t see anything of that sort in my TNConsole4.5. What could the possible problem be?

Could you please look into all the above three problems and let me know the solution ASAP.

Your help will be greatly appreciated.

Thanks,
sridhar

What we’ve ended up doing is removing webMethods from the transport picture. We have a shell script that connects to our VAN (Advantis) - The script then has to submit the document to TN (which we haven’t written yet.)

Once it’s in TN, “normal” processing occurs, whereupon we submit the document back to the VAN via another shell script.

Our process is still full of holes where we haven’t had the time to develop required functionality.

As for upgrading - I have no idea, we haven’t deployed any IS processes yet, so we haven’t had to deal with any upgrades.

Just an observation related to IBM VAN (Advantis) via internet connection.

IBM provides an alternate service, “Internet Transfer”, which supports the EDIINT-AS2 specification.

TN also supports EDIINT-AS2 (as a standard) and we have been using this to connect securely to IBM’s Internet Transfer for EDI documents. IBM’s Internet Transfer in turn can connect to Internet Exchange (Advantis) as a VAN. This IBM internal connection currently only works when 50/50 billing between Trading Partners is used. If you choose to go the alternate IBM Internet Transfer route, you would need to re-establish your trading partner relationships on IBM’s Internet Transfer.

Hi Mani,

It seems that you are using Sterling Commerce Information Broker because you enquired about Connect:Express.

The Sterling commerce support said that they can support EDIINT AS2 for secure connection.

So ask them to connect you using the EDIINT AS2 standard, and your webMethods endpoint
https://:portName/invoke/wm.EDIINT/receive can make use of this EDIINT AS2 message; this is certified by www.drummondgroup.com.

Whenever your partner dials up, connects to the VAN and submits the EDI, the VAN can in turn connect to you using the EDIINT AS2 standard.

–Karthik.M

Dear friends,

We are facing a problem in making webMethods 6.1 an SFTP client. The environment is
OS : Windows XP
webMethods IS version : 6.1
SFTP server : WinSSHD 3.28d
JDK version : 1.4.2

The OpenSSH wrapper package provided by webMethods is not able to connect to the SFTP server. The SFTP service hangs. Hence we tried with Java APIs like J2SSH, JSCAPE, etc. We tried to connect to the SFTP server using those APIs through a Java service. But we are getting the following error in the SFTP server log as well as in the webMethods error log:

“WinSSHD 3.28d: Session thread 1009 handling connection from <Client_IP_Address>:4173: The client has been disconnected, we sent the following disconnect reason: SSH_DISCONNECT_KEY_EXCHANGE_FAILED, description: invalid DH value”

We have tried both password and public key authentication.
If we run the java program external to webMethods, it is running fine and giving good results.

If any one of you has implemented SFTP in webMethods successfully, please let me know the steps to do it.

Thanks in advance.
prasanna.

Prasanna,

Getting public key authentication working with OpenSSH can be a little tricky. It is best to try from the command line client first, then move to the Integration Server. You should run the command line client with debug on to see what

$ ssh -v yourserver

If that doesn’t help, you can run the server process with debug as well. Two common problems are:

  • You did not copy your public key from your client to the server’s authorized_keys file.

  • Permissions on the .ssh directory/files must be restricted (my .ssh directory is rwx only to me, my authorized_keys file is read only to me).

Prasanna,

We have (outgoing) SFTP in production currently and we’ve had very few problems with it. This is what I experienced during the installation:

  • SFTP is very straightforward, installation & configuration very simple. Only drawback I noticed is that you can’t configure a userid per connection (global).

  • Any problems I encountered during integration were caused by underlying SSH problems

  • Debugging steps:

    • run as (root) ssh -l -F /opt/webMethods/IntegrationServer/packages/OpenSSH/config/options.properties <ip/servername>
    • If it doesn’t work your SSH connectivity is messed up – check the following:
    • Can you login to target host using telnet/ftp? (unsuccessful, userid is bad)
    • Can you login to target host using SSH w/passwd? (unsuccessful, SSH config is messed up)
    • Can you login to target host using SSH w/RSA authentication (unsuccessful, RSA authentication is messed up)
      • Check if $HOME/.ssh directory exists on target host, rights must be owner read/access only (unix 700)
      • Does $HOME/.ssh contain an authorized_keys file? This file needs to contain the id_rsa.pub contents from the IdentityFile configured in options.properties.
      • If everything is good make sure that $HOME (& parent dirs) has read-only access for other users. SSH requires that nobody can access .ssh except you – if .ssh is 700 & $HOME is 770 SSH will not work.
    • I didn’t have any problems w/OpenSSH package itself – once underlying SSH connectivity was setup I was good to go all the way…

Looking at your SSH error I’m guessing that my debug above won’t help you much, I’d google that or ask help from whomever setup your SSH in the first place (does SSH work to other hosts?)

Hope this helps,

Cheers,
++Yoni
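The target-host checks in the debugging steps above (a 700 .ssh directory, an authorized_keys file carrying the client's id_rsa.pub contents, and a home directory that is not group- or world-writable) can be scripted. This is an added example, not code from the thread or the OpenSSH package; it assumes a Unix target host, and Windows ACLs (the WinSSHD case) are outside its scope.

```python
"""Added example, not from the thread or the OpenSSH package: checks the
target-host prerequisites listed above for SSH public-key login.
Assumes a Unix target host; Windows ACLs (the WinSSHD case) are out of scope."""
import os
import stat

GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH


def _mode(path):
    """Permission bits of path (e.g. 0o700), or None if it does not exist."""
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return None


def check_ssh_pubkey_setup(home, client_pubkey):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    ssh_dir = os.path.join(home, ".ssh")
    ak = os.path.join(ssh_dir, "authorized_keys")

    # 1. $HOME/.ssh must exist and be owner-only (unix 700).
    m = _mode(ssh_dir)
    if m is None:
        findings.append(f"{ssh_dir} does not exist")
    elif m != 0o700:
        findings.append(f"{ssh_dir} is {m:o}, expected 700")

    # 2. authorized_keys must be owner-readable only (600/400) and contain
    #    the client's key material (field 2 of id_rsa.pub), so a different
    #    comment field does not cause a false negative.
    m = _mode(ak)
    if m is None:
        findings.append(f"{ak} does not exist")
    else:
        if m not in (0o600, 0o400):
            findings.append(f"{ak} is {m:o}, expected 600")
        with open(client_pubkey) as f:
            fields = f.readline().split()
        key = fields[1] if len(fields) >= 2 else None
        with open(ak) as f:
            present = key is not None and any(key in line.split() for line in f)
        if not present:
            findings.append(f"key from {client_pubkey} is not in {ak}")

    # 3. $HOME itself must not be group- or world-writable: with .ssh at 700
    #    but $HOME at 770, key authentication fails (step 3 above).
    m = _mode(home)
    if m is not None and m & GROUP_OR_WORLD_WRITE:
        findings.append(f"{home} is group/world writable ({m:o})")
    return findings
```

Run it as the target account with its home directory and a copy of the client's public key; any finding returned is a reason the server will fall back to password authentication.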

Hi,

Thanks for your valuable response. I tried the debugging steps as you mentioned.

  1. I am able to run the command ssh -v -l -F /opt/webMethods/IntegrationServer/packages/OpenSSH/config/options.properties <ip/servername> — without any error. But it is asking for a password even though the public certificate is copied into the .ssh\authorized_keys file in the user’s home directory.
    The following is the verbose content for the above command.

C:>ssh -v -l administrator -F C:\webMethods61\IntegrationServer\packages\OpenSSH\config\options.properties 192.168.1.16
OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data C:\webMethods61\IntegrationServer\packages\OpenSSH\config\options.properties
debug1: Connecting to 192.168.1.16 [192.168.1.16] port 22.
debug1: Connection established.
debug1: identity file /home/prasanna/.ssh/identity type -1
debug1: identity file /home/prasanna/.ssh/id_rsa type 1
debug1: identity file /home/prasanna/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version 1.43 sshlib: WinSSHD 3.28d
debug1: no match: 1.43 sshlib: WinSSHD 3.28d
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host ‘192.168.1.16’ is known and matches the DSA host key.
debug1: Found key in /home/prasanna/.ssh/known_hosts:1
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/prasanna/.ssh/identity
debug1: Offering public key: /home/prasanna/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/prasanna/.ssh/id_dsa
debug1: Next authentication method: password
administrator@192.168.1.16’s password:

  1. I am unable to log in to the target host using telnet and FTP. (I am using Windows XP and not Unix or Linux.)

  2. I am able to log in to the target host using SSH w/passwd.

  3. I am not able to log in to the target host using SSH w/RSA authentication. — It asks for a password to connect.

  4. The .ssh directory on the target host has got only read access for the owner.

I just want to remind you that I am using Windows XP for webMethods and the SFTP server. I am not able to secure copy (SCP) the public certificate to the server, because it is not connecting to the server through SCP. I am just pasting the contents of id_rsa.pub into the authorized_keys file in the user’s .ssh directory on the server. I just want to know whether I am doing it in the right way.

Please guide me on what I have to do to make SFTP work through webMethods.

thanks,
prasanna.

Prasanna,

Your RSA auth is definitely not configured correctly. Did you put the id_rsa.pub contents into the administrator .ssh/authorized_keys file? You must put it in each user’s file for RSA auth to work.

You might want to post your question on the WinSSHD support list since that is the software you are using.

– Tim

Prasanna,

Since you are unable to log in to the target host using RSA authentication from OS level, the problem is within the SSH installation itself (as expected) – and to be more precise, within the target host SSH.

Check the following:

  1. TARGET: $HOME/.ssh/authorized_keys looks the same as the id_rsa.pub (if you followed installation instructions by wM – intserv.rsa.pub) – These files are safe to cat/less/more.
  2. Check directory permissions. I believe you said that $HOME/.ssh/ is already read-only but check also $HOME and parent directories…if any of them has public read-write, SSH won’t work. In unix this would be a simple task to perform but I don’t have experience in Windows environments & SSH.

If neither of these steps works, I think you need to seek help from SSH gurus; I don’t think this problem is really a wM issue but an SSH config issue…

Good luck,
++Yoni

Hi,
I configured all the config parameters for sftp and when I try to run the sftp service, I’m getting the following error:
/usr/bin/sftp: illegal option -- F
usage: sftp [-1vC] [-osshopt = value] [user@]host

In the config file, I could see the following entries:

#openssh.sftpcmd=d:\\cygwin2\\bin\\sftp.exe
openssh.sftpcmd=/usr/bin/sftp

# pattern for SFTP
#   0 = extra parameters to SFTP (blank by default)
#   1 = remote host
openssh.sftp=-F packages/OpenSSH/config/options.properties {0} {1}

I believe the error I’m getting is because of “openssh.sftp=-F …”
Can anyone please guide me on what configuration changes need to be made to be able to log in to the SFTP server through webMethods?

Thanks in advance,
Anil.

Hi Anil,

yes, you are right. The error is the “-F”-option which is not recognized by your
sftp-program.
You should try to use the “-osshopt=packages/OpenSSH/config/options.properties” option instead.

Another place to look would be “sftp -?” or something like this, to have sftp explain its command-line parameters.

Just for information:
Starting with IS 6.5, webMethods supports FTPS (Secure FTP-Port) for inbound connections.

Regards,
Holger

Hi All,

We are sending Flat Files across to the Trading Partner 6.1/6.5 using Trading Networks.
The basic requirement is to send flat files to a directory on the Trading Partner server.
Is it possible to send the flat files using SFTP through Trading
Networks? I can’t find any option for SFTP while selecting the type of protocol in the TN Console.
Though I can see above that webMethods does support SFTP, our aim is to use TN because our Trading Partner is outside our network, as it’s a third party.
Can the FTP protocol implemented with certificates be a substitute for SFTP?

Thanks and Regards,
Natasha

Natasha,

TN supports FTPS (FTP over TLS) not SFTP (FTP-like protocol over SSH). They are similar in function but completely different protocols.

TN 6.5 supports FTPS (not 6.1). You can use the OpenSSH package for SFTP client connections. If you need to receive files over SFTP, you can set up a third party server and use file polling from TN to the SFTP server.

HTH,

– Tim

Hi Tim,

I am sending Flat Files through Trading Networks and the protocol being used is FTP.
How can I name the flat files in my own format before posting the files through TN using the FTP protocol?
As per my knowledge, the filename of the file is the internal ID that Trading Networks generates for the doc when TN receives it, with a .dat extension, but I need it to be in a particular format as per the business requirement.
I have been suggested to use my own customized FTP delivery service to name the files as required, but I hardly have any idea about the services to be used for this customized service.
Please help me in this.

Thanks
Natasha

Hi All,

I configured the SFTP client successfully and am able to do SFTP from the command line. But when I try to use the webMethods service provided in the OpenSSH package (pub.openssh:sftp),