SFTP server support by the protocol bridge

The protocol bridge supports the SFTP protocol as defined by the IETF Internet Draft entitled SSH File Transfer Protocol, version 6 draft 13.

Protocol bridge agents support the following ciphers when connecting to a file server using the SFTP protocol:
  • blowfish-cbc
  • 3des-cbc
  • aes128-cbc
  • aes192-cbc
  • aes256-cbc
  • aes128-ctr
  • aes192-ctr
  • aes256-ctr
  • 3des-ctr
  • arcfour
  • arcfour128
  • arcfour256
By default, the list of ciphers used by protocol bridge agents is aes128-cbc,aes192-cbc,aes256-cbc. The cipher actually used is the first one in the agent's list that the file server also offers, so a connection fails if the two lists do not overlap; note that OpenSSH servers from release 6.7 onward do not offer CBC-mode ciphers or the arcfour (RC4) ciphers by default, and RC4 and the CBC modes are regarded as weak, so prefer the aes128-ctr, aes192-ctr and aes256-ctr ciphers where the file server supports them. For information on how to configure a protocol bridge agent to use different ciphers, see Protocol bridge properties file format.

Methods of authentication

If the ProtocolBridgeCredentials.xml file provides both a private key and a server password for a single user, the IBM® MQ Managed File Transfer (MFT) protocol bridge agent by default configures the JSch library to use both methods of authentication, should the SFTP file server require both, when establishing a connection.

If both a private key and a server password are configured for a single user in the ProtocolBridgeCredentials.xml file, but the SFTP file server requires only one of these authentication methods, the MFT protocol bridge agent configures the JSch library to attempt public/private-key authentication in preference to password-based authentication.

If the SFTP file server rejects the attempt to use public/private-key authentication, the MFT protocol bridge agent, using the JSch library, then attempts user name and password based authentication.

If either of these methods alone succeeds, a connection is established to the SFTP file server.

To configure both private key and password authentication in the ProtocolBridgeCredentials.xml file associated with the MFT protocol bridge agent, you need to specify:
  • The serverPassword attribute (with its value) on the user element, that is, the element that maps from an MFT user name to a protocol server user name, and
  • The element holding the private key, nested inside that user element.
For example, the private key is supplied in PEM format inside that element:
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Keyboard interactive method

The MFT protocol bridge agent uses the third-party JSch library to connect to SFTP file servers. You can configure the JSch library so that it attempts to authenticate with an SFTP file server using the keyboard-interactive method when no private key is specified in the ProtocolBridgeCredentials.xml file.

Note that authentication using the keyboard-interactive method works only if the SFTP file server prompts for the password with the string password: (in upper, lower or mixed case). If you use the keyboard-interactive authentication method and the SFTP file server prompts with a string other than password: (for example, a one-time-code or passcode prompt), the connection attempt fails.

When the SFTP file server's keyboard-interactive prompt contains this string, the protocol bridge agent, using the JSch library, answers it with the password configured in the serverPassword attribute of the user element within the ProtocolBridgeCredentials.xml file.
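The following class is an added example that is not part of the IBM MFT product code; it shows how the JSch behaviour described in the two sections above is expressed directly against the JSch API: public-key authentication is preferred, password authentication is the fallback, keyboard-interactive prompts are answered only when they contain "password:" in any case (otherwise the method is cancelled, which is what makes the connection fail), the agent's default CBC cipher list is shown beside a CTR list, and the server host key is pinned to a known_hosts file. The class name, the command-line arguments, the SERVER_PASSWORD environment variable (standing in for the serverPassword attribute) and the key-file argument (standing in for the PEM block held in the credentials file) are all assumptions of the example.

```java
import com.jcraft.jsch.ChannelSftp;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import com.jcraft.jsch.UIKeyboardInteractive;
import com.jcraft.jsch.UserInfo;

import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Locale;

/**
 * Added example (not IBM's protocol bridge code) of the JSch authentication
 * behaviour described above: publickey first, password second, and a
 * keyboard-interactive handler that answers only "password:" prompts.
 * Host, port, user, known_hosts path and key path are hypothetical and
 * are taken from the command line.
 */
public class BridgeAuthDemo {

    /** Cipher list the page gives as the agent default, beside a stronger CTR list. */
    static final String DEFAULT_CIPHERS = "aes128-cbc,aes192-cbc,aes256-cbc";
    static final String CTR_CIPHERS = "aes128-ctr,aes192-ctr,aes256-ctr";

    /** The page's rule: only a prompt containing "password:" (any case) is answered. */
    static boolean isPasswordPrompt(String prompt) {
        return prompt != null && prompt.toLowerCase(Locale.ROOT).contains("password:");
    }

    /** Supplies the configured server password to JSch, or cancels the method. */
    static final class BridgeUserInfo implements UserInfo, UIKeyboardInteractive {
        private final String serverPassword;
        BridgeUserInfo(String serverPassword) { this.serverPassword = serverPassword; }

        @Override public String[] promptKeyboardInteractive(String destination, String name,
                String instruction, String[] prompt, boolean[] echo) {
            String[] answers = new String[prompt.length];
            for (int i = 0; i < prompt.length; i++) {
                if (!isPasswordPrompt(prompt[i])) {
                    return null; // null cancels keyboard-interactive; the connection attempt then fails
                }
                answers[i] = serverPassword;
            }
            return answers;
        }
        @Override public String getPassword() { return serverPassword; }
        @Override public boolean promptPassword(String message) { return serverPassword != null; }
        @Override public String getPassphrase() { return null; }        // key passphrases not handled here
        @Override public boolean promptPassphrase(String message) { return false; }
        @Override public boolean promptYesNo(String message) { return false; } // never accept an unknown host key
        @Override public void showMessage(String message) { System.err.println(message); }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: BridgeAuthDemo host port user knownHostsFile [privateKeyPem]");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String user = args[2];
        String serverPassword = System.getenv("SERVER_PASSWORD"); // stands in for the serverPassword attribute

        JSch jsch = new JSch();
        jsch.setKnownHosts(args[3]); // host key pinning, enforced by StrictHostKeyChecking=yes below
        if (args.length > 4) {
            // The PEM text that would sit inside the credentials file, loaded in-memory as an identity.
            byte[] pem = Files.readAllBytes(Paths.get(args[4]));
            jsch.addIdentity("bridge-key", pem, null, null);
        }

        Session session = jsch.getSession(user, host, port);
        session.setConfig("StrictHostKeyChecking", "yes");
        // Order matters: publickey is offered first; password and keyboard-interactive
        // are tried only if the server refuses the key (or no key was added).
        session.setConfig("PreferredAuthentications", "publickey,password,keyboard-interactive");
        session.setConfig("cipher.c2s", CTR_CIPHERS); // DEFAULT_CIPHERS would reproduce the agent default
        session.setConfig("cipher.s2c", CTR_CIPHERS);
        if (serverPassword != null) {
            session.setPassword(serverPassword);                   // used by the "password" method
            session.setUserInfo(new BridgeUserInfo(serverPassword)); // used by keyboard-interactive
        }

        try {
            session.connect(15000);
            ChannelSftp sftp = (ChannelSftp) session.openChannel("sftp");
            sftp.connect(15000);
            System.out.println("connected; remote cwd = " + sftp.pwd());
            sftp.disconnect();
        } catch (JSchException e) {
            System.err.println("authentication or connection failed: " + e.getMessage());
        } finally {
            session.disconnect();
        }
    }
}
```

Run it with the JSch jar on the classpath, for example `SERVER_PASSWORD=... java -cp jsch.jar:. BridgeAuthDemo sftp.example.test 22 bridgeuser ~/.ssh/known_hosts bridge_key.pem`; omit the last argument to exercise the password-only path, and run with `-Djsch.debug` unsupported, so use `JSch.setLogger` if you need to see which method the server accepted. Against an OpenSSH server with default settings, switching the two cipher settings to DEFAULT_CIPHERS reproduces the negotiation failure that the cipher section warns about.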