SFTP server handlers

An SFTP server handler manages SSH File Transfer Protocol (SFTP) communications with DataPower® services. These services support client-side SFTP communications when configured with an SFTP server handler. SFTP uses Secure Shell version 2 (SSH-2), which provides the secure channel between the SFTP client and the SFTP handler associated with a DataPower service.

The B2B Gateway with an SFTP server handler can receive transfers from the SFTP client. The B2B Gateway receives messages from an internal partner for processing and uses AS2 or AS3 for communication with the external partner. Although the B2B Gateway is the SFTP server, there is no visible file system. Therefore, the B2B Gateway ignores the settings for the file system type and the default directory in the SFTP handler configuration.

When you configure an SFTP handler, understand how a DataPower service transfers large files. Consider the following settings when you configure the DataPower service to transfer large files.
  • To support bidirectional streaming, set both the Stream output to back property and the Stream output to front property to Stream messages.
  • Set the timeout values. To control the timeout values, modify the Back side timeout property and the Front side timeout property.

Authentication and authorization

Authentication is handled by the AAA policy for the SFTP server handler. The AAA policy uses the information from the SSH key exchange. Without an AAA policy, any user is authenticated.

Authentication of the SFTP client with the SFTP server handler can use password authentication, public key authentication, or both. If the configuration includes both authentication methods, public key authentication is attempted first.
  • The public/private key pair for host authentication must be on the DataPower Gateway.
  • Keys that are used as host private keys cannot be password-protected.
  • If a configuration does not specify the public/private key for host authentication, the configuration uses the DataPower keys.

Because the client does not specify which resource to access at connection time, this AAA policy can authenticate only, not authorize.

For the Multi-Protocol Gateway to provide authorization, configure an AAA policy in a processing rule. This AAA policy extracts the identity with the ssh-password-metadata processing metadata configuration. The handler uses the following read-only context variables as processing metadata for AAA authentication.
  • var://context/INPUT/ssh/username
  • var://context/INPUT/ssh/password
  • var://context/INPUT/ssh/publickey

These read-only variables allow an AAA policy to validate authentication information from the SSH client to the handler.

The username and password variables are also available as processing metadata for custom authentication in an AAA information file.

None of these variables can be used by processing actions.

URL specification

The use of SFTP URLs in a custom stylesheet is supported by the Multi-Protocol Gateway for communication between the SFTP client and the SFTP handler. The URL has the following syntax: sftp://address:port/path
  • address: The IP address of the DataPower network interface.
  • port: The listening port on the SFTP server handler.
  • path: The fully qualified name of the file to transfer.
When the client requests a directory listing, the URL contains a query parameter to flag the request type. For example, a DIR request might generate sftp://host.example.com:22/;type=d.
  • For the Multi-Protocol Gateway with a static target
    • If the request is from an SFTP client to an FTP server, the service adds the ?Listing=LIST query parameter. This query parameter is added to the URL before the service forwards the DIR request to the remote FTP server.
    • If the request is from an SFTP client to an SFTP server, the service adds the ;type=d query parameter. This query parameter is added to the URL before the service forwards the DIR request to the remote SFTP server.
  • For the Multi-Protocol Gateway with dynamic targets when not propagating URIs
    • If the request is from an SFTP client to an FTP server, use a stylesheet to modify the URL. The stylesheet must modify the URL before the request is passed to the remote FTP server. For example, the stylesheet might test whether the value of the var://service/URI variable contains ;type=d. If it contains this query parameter, the stylesheet replaces ;type=d with ?Listing=list and sets the value of the var://service/routing-url variable to the resultant URL.
    • If the request is from an SFTP client to an SFTP server, no change is needed.
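The dynamic-target rewrite described above, written as an XSLT 1.0 stylesheet for a Multi-Protocol Gateway processing rule. This is an added example, not IBM's code; the back-end address ftp://ftp-backend.example.com:21 is a placeholder, and the dp:variable and dp:set-variable extensions are DataPower's own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: route an SFTP client request to an FTP back end on a
     Multi-Protocol Gateway with dynamic targets (URI propagation off).
     A DIR request arrives with ";type=d"; the FTP side expects "?Listing=list". -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions"
    extension-element-prefixes="dp"
    exclude-result-prefixes="dp">

  <!-- Placeholder back end; replace with the real FTP server address. -->
  <xsl:variable name="backend" select="'ftp://ftp-backend.example.com:21'"/>

  <xsl:template match="/">
    <!-- Request URI as set by the SFTP server handler, e.g. "/inbound/;type=d". -->
    <xsl:variable name="uri" select="dp:variable('var://service/URI')"/>

    <xsl:variable name="target">
      <xsl:choose>
        <!-- Directory listing: swap the SFTP flag for the FTP listing parameter. -->
        <xsl:when test="contains($uri, ';type=d')">
          <xsl:value-of select="concat($backend,
                                       substring-before($uri, ';type=d'),
                                       '?Listing=list',
                                       substring-after($uri, ';type=d'))"/>
        </xsl:when>
        <!-- Any other request (file get/put, delete) keeps its URI unchanged. -->
        <xsl:otherwise>
          <xsl:value-of select="concat($backend, $uri)"/>
        </xsl:otherwise>
      </xsl:choose>
    </xsl:variable>

    <!-- The service uses routing-url as the dynamic back-end destination. -->
    <dp:set-variable name="'var://service/routing-url'" value="string($target)"/>

    <!-- Pass the message through so later actions in the rule see the input unchanged. -->
    <xsl:copy-of select="/"/>
  </xsl:template>
</xsl:stylesheet>
```

Attach the stylesheet to a Transform action in the request rule, ahead of the action that forwards to the back end; because the handler, not the client, appends ;type=d, a client cannot turn an ordinary transfer into a listing by crafting the path.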

When the client requests to delete a file and the configuration allows deletion, the URL contains a query parameter to flag the request type. For example: sftp://host.example.com:22/orders.xml?Delete=true. The Delete=true query parameter marks the request as a deletion of the orders.xml file.