IBM Support

IT04024: WEBSPHERE MQ FTE PROTOCOL BRIDGE SFTP AUTHENTICATION FAILS WITH BFGBR0103E WHEN USING BOTH PUBLIC KEY AND PASSWORD AUTH TOGETHER

APAR status

  • Closed as program error.

Error description

  • A WebSphere MQ File Transfer Edition protocol bridge agent fails
    to authenticate to an SFTP file server which demands both public
    key and password authentication. The protocol bridge agent prints
    the following message when this occurs:
    
     BFGBR0103: Bridge agent failed to authenticate the connection
     to host  with user ID .
    

Local fix

  • Using either public key or password authentication on its own
    successfully authenticates to the SFTP server.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects all users of the WebSphere MQ File Transfer
    Edition protocol bridge agent who need to connect to SFTP file
    servers that require both public/private-key and password
    authentication in order to successfully connect.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    A WebSphere MQ File Transfer Edition (FTE) protocol bridge agent
    could connect to SFTP file servers that required either
    public/private-key or password based authentication methods.
    However, when the WebSphere MQ FTE protocol bridge agent
    attempted to connect to an SFTP file server that required both
    public/private-key and password based authentication to be used,
    the attempt to establish a connection failed.
    
    This was because the WebSphere MQ FTE protocol bridge agent
    could only be configured to use public/private-key or password
    based authentication exclusively.
    

Problem conclusion

  • The WebSphere MQ File Transfer Edition (FTE) protocol bridge
    agent code has been updated such that if a private key and a
    server password have been provided for a single user within the
    ProtocolBridgeCredentials.xml file then the WebSphere MQ FTE
    protocol bridge agent will, by default, configure the JSch
    library to use both methods of authentication, if required by
    the SFTP file server, when establishing a connection.
    
    Should both a private key and a server password be configured
    for a single user within the ProtocolBridgeCredentials.xml file,
    but the SFTP file server requires only one of these
    authentication methods, then the WebSphere MQ FTE protocol
    bridge agent will configure the JSch library to use
    public/private-key authentication in preference to password
    based authentication. Should the SFTP file server reject the
    attempt to use public/private-key authentication, then the
    WebSphere MQ FTE protocol bridge agent, via the JSch library,
    will then attempt username and password based authentication. If
    one of these authentications alone is successful, a connection
    will be established to the SFTP file server.
    
    To configure both private key and password authentication, the
    ProtocolBridgeCredentials.xml file associated with the WebSphere
    MQ FTE protocol bridge agent must specify:
    
      - The "serverPassword" attribute (with associated value) in
    the  element that maps from a WebSphere MQ FTE user name to a
    protocol server user name.
    
    and
    
      - The  element for the WebSphere MQ FTE user defined by the
    parent  element.
    
    
    For example, the syntax would be as follows:
    
    
    
    
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
    
    
    
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v7.0       7.0.4.5
    v7.5       7.5.0.5
    v8.0       8.0.0.2
    
    The latest available FTE maintenance can be obtained from
    'Fix List for WebSphere MQ File Transfer Edition 7.0'
    http://www-01.ibm.com/support/docview.wss?uid=swg27015313
    
    The latest available MQ maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
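
The failure in the problem description and the behaviour in the problem conclusion, as an added example that is not IBM's or JSch's code: a small Python model of SSH user-authentication negotiation (RFC 4252), in which the server's failure reply carries a partial-success flag and the list of methods that can continue. The names `BOTH`, `EITHER`, `can_continue` and `run_client`, and the fixed publickey-then-password order, are assumptions made for the illustration.

```python
# Constructed model of SSH user-authentication negotiation (RFC 4252).
# Not IBM or JSch code; names and policies below are illustrative assumptions.

def can_continue(policy, done):
    """Methods the server would list in SSH_MSG_USERAUTH_FAILURE after `done`."""
    nxt = []
    for chain in policy:
        if list(chain[:len(done)]) == done and len(chain) > len(done):
            if chain[len(done)] not in nxt:
                nxt.append(chain[len(done)])
    return nxt

def run_client(policy, creds, valid):
    """policy: chains of methods; completing any one chain authenticates.
    creds:  methods the client is configured with, in preference order.
    valid:  methods whose credential the server accepts.
    Returns (authenticated, transcript)."""
    done, tried, log = [], set(), []
    while True:
        allowed = can_continue(policy, done)
        offers = [m for m in creds if m in allowed and m not in tried]
        if not offers:
            log.append(f"no configured method in {allowed}: authentication failed")
            return False, log
        method = offers[0]
        tried.add(method)
        if method not in valid:
            log.append(f"{method}: FAILURE partial_success=false")
        else:
            done.append(method)
            if tuple(done) in policy:
                log.append(f"{method}: SUCCESS")
                return True, log
            log.append(f"{method}: FAILURE partial_success=true "
                       f"continue={can_continue(policy, done)}")

BOTH = [("publickey", "password")]        # server demands both, in this order
EITHER = [("publickey",), ("password",)]  # server accepts either one
ALL_OK = {"publickey", "password"}

if __name__ == "__main__":
    cases = [("key only vs BOTH", BOTH, ["publickey"], ALL_OK),
             ("password only vs BOTH", BOTH, ["password"], ALL_OK),
             ("key+password vs BOTH", BOTH, ["publickey", "password"], ALL_OK),
             ("key rejected vs EITHER", EITHER, ["publickey", "password"], {"password"})]
    for name, policy, creds, valid in cases:
        ok, log = run_client(policy, creds, valid)
        print(name, "->", "connected" if ok else "authentication failed", log)
```

The first two cases correspond to an agent limited to a single method and fail against a server that demands both; the last two correspond to the fixed behaviour, including the fallback to password when the key is rejected.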
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT04024

  • Reported component name

    WMQ FILE TRANSF

  • Reported component ID

    5724R1000

  • Reported release

    704

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-08-26

  • Closed date

    2014-09-30

  • Last modified date

    2014-09-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ FILE TRANSF

  • Fixed component ID

    5724R1000

Applicable component levels

  • R704 PSY

       UP

Document Information

Modified date:
30 September 2014