IBM Support

SSH key or password authentication for an SFTP user using SEAS XAPI Custom Exit

Technical Blog Post



The following steps configure an SFTP connection through SSP that uses the SEAS XAPI custom exit to authenticate the client's SSH key or password against B2Bi.

Before you start (What’s Needed):

  • Client’s SSH Public Key
  • SSP’s SSH private key (sspEng1_ssh_privatekey)
  • B2BI’s Host public key (B2BiNode1_ssh_publicKey)
  • Admin access to B2Bi Dashboard GUI
  • Admin access to SEAS Dashboard GUI
  • Admin access to SSP Dashboard GUI

Configuring B2Bi

·Configure SEAS SSO Plugin on B2Bi

The following links will guide you through configuring the SEAS SSO plugin on B2Bi.

·Importing Client’s public key on B2Bi

  • Log in as the admin user to the B2Bi GUI
  • From the Administration Menu select Trading Partner > SSH > Authorized User Key
    • Check in Authorized User Key – Client’s Public Key (client_id_rsa.pub)
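Before checking the client's public key into B2Bi, it is worth confirming that the file is a well-formed OpenSSH public key and recording its SHA256 fingerprint so it can be compared with the fingerprint the client reports. The following is an added example (not IBM's code) that parses a public-key line, checks that the declared key type matches the type encoded in the blob, and returns the fingerprint; the sample key it builds is constructed and deliberately tiny, not a real client key.

```python
import base64
import hashlib
import struct

def _read_string(blob, pos):
    """Read one SSH wire-format string (4-byte big-endian length + bytes)."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    end = pos + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end

def parse_public_key(line):
    """Parse an OpenSSH public-key line ("ssh-rsa AAAA... comment").

    Returns (key_type, fingerprint, comment). Raises ValueError when the
    declared type differs from the type inside the base64 blob, the usual
    sign of a pasted or hand-edited key file.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except Exception as exc:
        raise ValueError("key blob is not valid base64") from exc
    embedded, _ = _read_string(blob, 0)
    if embedded.decode("ascii", "replace") != declared:
        raise ValueError(f"declared {declared!r} but blob says {embedded!r}")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return declared, "SHA256:" + digest, comment

def _make_rsa_blob(e, n):
    """Build an ssh-rsa blob: string "ssh-rsa", mpint e, mpint n."""
    def mpint(i):
        raw = i.to_bytes((i.bit_length() + 8) // 8, "big")  # keeps sign bit clear
        return struct.pack(">I", len(raw)) + raw
    t = b"ssh-rsa"
    return struct.pack(">I", len(t)) + t + mpint(e) + mpint(n)

# Constructed sample only: a toy modulus, never use such a key for real.
SAMPLE_KEY_LINE = ("ssh-rsa " + base64.b64encode(_make_rsa_blob(65537, 0xC0FFEE1D)).decode()
                   + " client@example")

def rsa_public_numbers(line):
    """Return (e, n) from an ssh-rsa line, to cross-check what was parsed."""
    blob = base64.b64decode(line.split()[1])
    _, pos = _read_string(blob, 0)
    e_bytes, pos = _read_string(blob, pos)
    n_bytes, _ = _read_string(blob, pos)
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")
```

The fingerprint produced matches the `SHA256:` form that `ssh-keygen -lf client_id_rsa.pub` prints, so the two can be compared directly.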

·Verify Requirements for User Account on B2Bi

  • From the Administration Menu select Accounts > User Accounts
    • Type in the Account Name to be used and click Go
    • Click Edit
      • Authentication Type (Both)
      • Authentication Host (SEAS Authentication)
      • Select Client’s Public Key (client_id_rsa.pub) in the SSH Authorized User Key screen

Note: The password in the User Account can be a dummy password if only key authentication is used.

·Verify Requirements for SFTP Server Adapter on B2Bi

  • From the Administration Menu select Deployment > Services > Configuration
    • Type in the Service Name for the SFTP adapter to be used and click Go
    • Click Edit
      • Type Required Authentication (Password)

Configuring SEAS

·Configure User Key Authentication Profile on SEAS

Note: The key and password profiles are identical except for the profile name. Best practice is to use two separate profiles that can then be referenced in the SSP SFTP policy.

  • Log in as the admin user to the SEAS GUI
  • From the SEAS “Authentication Definition” screen, select the create “Plus” button
  • In the “LDAP Authentication” specify the Profile name (XAPI_keyAuthProfile)
  • Specify the Authentication type (Generic)
  • uncheck “User ID required”
  • uncheck “Password required”
  • Check “Authenticate using custom exits”
  • Click on the ellipsis “…”
  • Specify the “Class name” (com.sterlingcommerce.component.authentication.impl.SIUserAuthExit)
  • Click on the “Properties” ellipsis “…” and add the following properties:
    • http.auth.user=<B2Bi admin user>
    • pre-authenticate=true
    • http.auth.password=<B2Bi admin password>
    • url=http://<B2BiBaseIP:Port>/dashboard/interop/InteropHttpServlet
  • Click OK
  • Click OK
  • Click Next until you get to the button to save the configuration
  • Click Save

·Configure User Password Authentication Profile on SEAS

  • From the SEAS “Authentication Definition” screen, select the create “Plus” button
  • In the “LDAP Authentication” specify the Profile name (XAPI_passAuthProfile)
  • Specify the Authentication type (Generic)
  • Deselect “User ID required”
  • Deselect “Password required”
  • Select “Authenticate using custom exits”
  • Click on the ellipsis “…”
  • Specify the “Class name” (com.sterlingcommerce.component.authentication.impl.SIUserAuthExit)
  • Click on the “Properties” ellipsis “…”
    • http.auth.user=<B2Bi admin user>
    • pre-authenticate=true
    • http.auth.password=<B2Bi admin password>
    • url=http://<B2BiBaseIP:Port>/dashboard/interop/InteropHttpServlet
  • Click OK
  • Click OK
  • Click Next until you get to the button to save the configuration
  • Click Save

Configuring SSP

·Creating New External Authentication Server on SSP

  • Select Advanced > Actions > New External Authentication Server
    • Type External Authentication Server Name (SEAS1)
    • Type External Authentication Server Address (SEAS Hostname)
    • Type External Authentication Server Port (SEAS Port)
    • Click Save

·Importing B2Bi Known Host Key on SSP

  • Select Credentials > SSH Key Stores > Known Host Key Stores > KnownHostKeyStore
    • Click New
    • Type Known Host Key Name (B2BiNode1_ssh_publicKey)
    • Select Browse (locate the B2BiNode1_ssh_publicKey file)
    • Click OK
    • Click Save

·Importing SSP Private Key on SSP

  • Select Credentials > SSH Key Stores > Local Host Key Stores > LocalHostKeyStore
    • Click New
    • Type Local Host Key Name (sspEng1_ssh_privatekey)
    • Input Password
    • Select Browse (locate the sspEng1_ssh_privatekey file)
    • Select Ok
    • Select Save

·Creating new SFTP Policy on SSP

  • Select Configuration > Actions > New Policy >  SFTP Policy
    • Type the name (sftp_PwdOrKey_policy)
    • Select the Advanced Tab
      • Required Authentication Method (Password or Key)
      • Under User Authentication Mechanism select “Through External Authentication” to use External Authentication
      • External Authentication Profile specify the SEAS profile created in this scenario (XAPI_passAuthProfile)
      • Key Authentication Profile specify the SEAS profile created in this scenario (XAPI_keyAuthProfile)
      • Select User Mapping to SSO token from External Authentication
      • Click Save

·Creating New Inbound and Outbound Netmap Nodes on SSP

  • Select Configuration > Actions > New Netmap > SFTP Netmap
    • Type the netmap name (sftp_PwdOrKey_netmap)
    • Click the New button to create a new inbound node
      • Type the name (sftp_client)
      • Select the policy (sftp_PwdOrKey_policy)
      • Click OK

  • Select the Outbound node tab, and click New
    • Type the name (sftp_B2BiSFTP_50022)
    • Type the host (B2BI_Hostname)
    • Type the port (50022)
    • Select the known host key store (KnownHostKeyStore)
    • Select the known host key (B2BiNode1_ssh_publicKey)
    • Click OK
  • Click Save to save the complete netmap

·Creating New SFTP Adapter on SSP

  • Select Configuration > Actions > New Adapter > SFTP Reverse Proxy
    • Type the name (sftp_PwdOrKey_adapter)
    • Type the port (30122)
    • Select the netmap (sftp_B2BiSFTP_50022)
    • Select the routing node (sftp_B2BiSFTP_50022)
    • Select the local host key store (LocalHostKeyStore)
    • Select the local host key (sspEng1_ssh_privatekey)
    • Click the Add button to add an engine and EA server
      • Add an engine (sspEng1)
      • Add an EA server (SEAS1)
    • Click Save


UID

ibm11123341