SSH profiles

You can use the DataPower® Gateway as an SSH client or server.

To manage SSH connections, you create SSH profiles based on the role of the DataPower Gateway. Remember the following points about an SSH connection.
  • The SSH client always initiates the banner exchange.
  • During the SSH2 banner exchange, use CR+LF termination for the banner.
  • The SSH client ignores any message from the SSH server until the banner exchange.
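The banner rules above can be checked against bytes received from a server. The following Python example is added here for illustration and is not IBM's code; it follows the identification-string format of RFC 4253 section 4.2, and the function name and sample bytes are constructed for this example.

```python
import re

MAX_ID_LEN = 255  # RFC 4253 section 4.2: the limit includes the CR LF
# SSH-protoversion-softwareversion[ SP comments], strict RFC grammar
ID_RE = re.compile(rb"^SSH-([^\s-]+)-([\x21-\x2c\x2e-\x7e]+)(?: (.*))?$")

# Constructed sample: one pre-banner line, the banner, then binary packet data.
SAMPLE = b"Authorized use only\r\nSSH-2.0-ExampleServer_1.0 lab\r\nBINARY"


def parse_server_banner(stream: bytes) -> dict:
    """Find the server identification string at the start of `stream`.

    Lines received before the identification string are skipped, as an SSH
    client does, and returned in "ignored" so they can be logged.
    """
    ignored = []
    pos = 0
    while True:
        end = stream.find(b"\n", pos)
        if end == -1:
            raise ValueError("no complete identification line received")
        line, pos = stream[pos:end], end + 1
        if not line.startswith(b"SSH-"):
            ignored.append(line.rstrip(b"\r").decode("utf-8", "replace"))
            continue
        if not line.endswith(b"\r"):
            raise ValueError("identification string is not CR+LF terminated")
        if len(line) + 1 > MAX_ID_LEN:  # +1 for the LF removed by the split
            raise ValueError("identification string exceeds 255 bytes")
        match = ID_RE.match(line[:-1])
        if match is None:
            raise ValueError("malformed identification string")
        proto, software, comments = match.groups()
        if proto not in (b"2.0", b"1.99"):  # 1.99 announces SSH2 with SSH1 fallback
            raise ValueError("peer does not offer SSH protocol 2")
        return {
            "protoversion": proto.decode(),
            "softwareversion": software.decode(),
            "comments": comments.decode() if comments else None,
            "ignored": ignored,
            "consumed": pos,  # offset where binary packet data begins
        }


if __name__ == "__main__":
    print(parse_server_banner(SAMPLE))
```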
You can define the following objects on the DataPower Gateway.
SSH client profile
An SSH client profile defines SFTP connections with an SFTP server when the DataPower Gateway acts as an SSH client. SSH client profiles are associated with SFTP client policies in the user agent of the reference XML manager. You can define as many SSH client profiles as needed to manage SFTP connections.
SSH domain client profile
The SSH domain client profile defines SFTP connections with an SFTP server when the DataPower Gateway acts as an SSH client. The SSH domain client is used when an SFTP request matches no SFTP client policy in the referenced user agent of the XML manager. Each domain supports a single SSH domain client profile.
The DataPower Gateway uses the ciphers, KEX algorithms, and MAC algorithms in the SSH domain client profile for SFTP connections only when the SFTP request matches no SFTP client policy. With an associated SFTP client policy, the ciphers, KEX algorithms, and MAC algorithms in an SSH client profile override the settings in the SSH domain client profile in the following way.
  • When you define an SSH client profile and specify ciphers, KEX algorithms, and MAC algorithms, these ciphers, KEX algorithms, and MAC algorithms override the ones in the SSH domain client profile.
  • When you define an SSH client profile and specify no ciphers, KEX algorithms, or MAC algorithms, the DataPower Gateway uses its default ciphers. In other words, the DataPower Gateway does not use the ciphers, KEX algorithms, and MAC algorithms in the SSH domain client profile.
SSH server profile
The SSH server profile sets which ciphers, KEX algorithms, and MAC algorithms the DataPower Gateway uses to communicate with an SSH client when the DataPower Gateway acts as an SSH server. Each domain supports a single SSH server profile.
For information about the default and supported ciphers, KEX algorithms, and MAC algorithms, see the documentation for the following commands.
  • For cipher suites, see the mode-specific ciphers command.
  • For KEX algorithms, see the mode-specific kex-alg command.
  • For MAC algorithms, see the mode-specific mac-alg command.