Skip to Content

Changes for page SFTP Known Hosts

Last modified by Danniar Firdausy on 2024/09/18 20:35
From version 25.2
edited by Erik Bakker
on 2024/06/20 08:44
Change comment: Update document after refactoring.
To version 27.1
edited by Erik Bakker
on 2024/06/20 09:15
Change comment: There is no comment for this version

Summary

Details

Page properties
Content
... ... @@ -1,6 +1,6 @@
1 1  {{container}}{{container layoutStyle="columns"}}(((
2 2  
3 -In the last microlearning, we discussed how to connect to an SFTP from eMagiz. In this microlearning, we want to expand our knowledge and look at a more complex security configuration when connecting to SFTP instances. The configuration we are talking about is the private key configuration.
3 +In an earlier [[microlearning>>Main.eMagiz Academy.Microlearnings.Intermediate Level.File based connectivity.intermediate-file-based-connectivity-sftp-connectivity||target="blank"]], we discussed how to connect to an SFTP from eMagiz. Later on we zoomed in on an alternative security method to authenticate yourself at the SFTP. More on this can be found in this [[microlearning>>Main.eMagiz Academy.Microlearnings.Intermediate Level.File based connectivity.intermediate-file-based-connectivity-sftp-security||target="blank"]]. In this microlearning, we want to expand our knowledge and look at a way to store the unique fingerprint of the SFTP to avoid that someone else can pretend to be the SFTP when you want to send data (i.e. a "man in the middle attack").
4 4  
5 5  Should you have any questions, please get in touch with [[academy@emagiz.com>>mailto:academy@emagiz.com]].
6 6  
... ... @@ -15,20 +15,32 @@
15 15  
16 16  By SFTP security, we mean: Making sure that the SFTP we connect to knows that we are indeed eMagiz
17 17  
18 -* Private key is unique per client
19 -* Private key should only be known to the client
20 -* Public key should be known to the SFTP (server), so they trust us when we set up the communication
21 -* A private key comes with a passphrase
18 +* Each SFTP has a unique fingerprint that identifies the SFTP.
19 +* To prevent a "man in the middle" attack, this fingerprint needs to be stored client side.
20 +* There are two distinct methods to generate the known hosts file.
22 22  
23 -== 3. SFTP Security ==
22 +== 3. SFTP Known Hosts ==
24 24  
25 -In the last microlearning, we discussed how to connect to an SFTP from eMagiz. In this microlearning, we want to expand our knowledge and look at a more complex security configuration when connecting to SFTP instances. The configuration we are talking about is the private key configuration.
24 +In this microlearning, we want to expand our knowledge and look at a way to store the unique fingerprint of the SFTP to avoid that someone else can pretend to be the SFTP when you want to send data (i.e. a "man in the middle attack"). To retrieve the unique fingerprint of an SFTP you first need to connect to the SFTP in question. This way you can retrieve the unique fingerprint and secure it in a file for future use to prevent the "man in the middle attack".
26 26  
27 -* Private key is unique per client
28 -* Private key should only be known to the client
29 -* Public key should be known to the SFTP (server), so they trust us when we set up the communication
30 -* A private key comes with a passphrase
26 +There are two distinct ways of retrieving and storing the unique fingerprint of the SFTP in a "known hosts file". The first option is portal based and the second option is command line based. The preferred option is the portal based one. Do note that the first option only works if the SFTP is **publicly** accessible without any IP restrictions.
31 31  
28 +=== 3.1 Known Hosts File Generation - Portal ===
29 +
30 +=== 3.2 Known Hosts File Generation - Command Line ===
31 +
32 +The secondary option, when there are IP restrictions, provides you with the option to execute several commands after gaining access to the correct server to generate the known hosts file. These steps are detailed below.
33 +
34 +* Gain access to the server in question from which you can reach the SFTP.
35 +* Execute the following command (compatible with both Linux and Windows): {{code}}ssh-keyscan -p [port] [host] > [known-hosts target path]{{/code}}
36 +** An example would be: {{code}}ssh-keyscan -p 22 localhost > C:\tmp\generated_known_hosts{{/code}}
37 +* Navigate to the generated file and open it. The file should contain one or more lines in the format {{code}}hostname/ip key-type value
38 +e.g. 127.0.0.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAICZPI5pQ6PSXgS4QOPsai2QjC2EcVjFejvUM5RMYOmwbwW{{/code}}
39 +* Open eMagiz and navigate to the flow where the file is needed.
40 +* Upload the known_hosts file as a flow resource, and click on the "eye" icon to see its unique name.
41 +* Define a property for the known hosts field in the SFTP (caching) session factory.
42 +** Provide a value for the property upon deploying the release that follows the following structure: {{code}}classpath:emagiz-resources/[filename]{{/code}}
43 +
32 32  If you are looking for some introductory reading into certificates, please check this [[microlearning>>doc:Main.eMagiz Academy.Microlearnings.Novice.Securing Data Traffic.novice-securing-your-data-traffic-what-are-certificates.WebHome||target="blank"]].
33 33  
34 34  As the private key is yours, you can ask a trusted party to generate the key, or you could create it yourself. The latter part happens a lot when connecting to an SFTP. You could use a tool like PuttyGen to achieve this. As a result, you will have a keypair. The private key should be kept safely with you in eMagiz, and you need to share the public key with the SFTP server party. In this microlearning, I will not explain how PuttyGen works in detail. Instead, we will focus on the part in eMagiz. In eMagiz, we need to refer to the key file (linked under Resources), and we need to refer to the password we use to save our key file securely.