Oracle by Example brandingSetting Up the Oracle MFT Embedded sFTP Server - Key Based Authentication

section 0Before You Begin

This 15-minute tutorial shows how to configure key based authentication for Oracle MFT Embedded sFTP servers.

Background

Oracle MFT includes an embedded sFTP server. However by default, the sFTP server is not configured after Oracle MFT Cloud Service provisioning. You must enable the sFTP server so that it can receive encrypted messages from partners using public/private key encryption. In this encryption and connection process, the private key decrypts messages that were encrypted using the associated public key.

As illustrated in the diagram below, the public key is placed in the embedded sFTP server and used to encrypt the message, the partners/sFTP clients get a copy of the private key to decrypt the message.

Process for Encryption and Decryption
Description of the illustration encryption_process

What Do You Need?

  • A paid or trial subscription to Oracle SOA Cloud Service.
  • Your Oracle Cloud service user name, password, and identity domain (available in the New Account Information email that you received from Oracle Cloud when your user account was set up)
  • An SSH key pair on your local machine. See the tutorial on how to generate the SSH key pair in the Want to Know more section.
  • An Oracle Managed File Transfer Cloud Service pod has been provisioned with OTD (that is, the load balancer). Note down the pod configuration information, such as MFT Cluster instance name, administrator user name.
  • For this tutorial, the following information will be used throughout the setup steps:
    • MFT Cluster instance name: mftpodoc
    • WebLogic administrator user name and password
    • Host of WebLogic admin server and managed server: mftpodoc-wls-1
    • IP address of admin server and managed server:192.1.1.1
    • IP address of load balancer: 192.2.2.2

section 1Configure the SSH Keystore

In Oracle MFT Cloud service, configure SSH keystore to enable embedded sFTP server secured connection. The configuration includes entering the password in the SSH keystore if the private key has a passphrase and importing the private key of the SSH key pair.

Import Private Key and Enter Private Key Password in the SSH Keystore

The private key is used by the Oracle MFT server to start the sFTP server so clients can connect to it using the SSH protocol. Note that the key must have an RSA style (key encryption technology) and be in OpenSSH format, else the embedded sFTP server will not accept it.

If the private key was created with a password/passphrase, which is intended to provide a secondary level of security, then you will have to provide the password in MFT SSH Keystore.

  1. Access the Oracle SOA Cloud Service instance.
  2. Log in with your identity domain, user name and password.
  3. On the Oracle SOA Cloud Service home page, click MFT Cloud service instance.
  4. On your instance home page, click the Menu icon in the top right corner of the page.
  5. From the pop-up menu, select Open MFT Console.
    6. Oracle MFT Cloud Service console
    Description of the illustration mftcs_console
  6. Sign in to MFT console with the user name and password you defined when provisioning the service.
  7. Click the Administration tab on the top of the console page.
  8. Select the Keys tab. You can list, create, update, export, import or delete a key.
    • To import the key, click the Import Import Icon icon and provide the ssh key details:
      • Alias: alias name. For example hostkey
      • Format: select SSH type of key
      • Browse: enter the path of the key file
      • Type: select private key
    • If you want to create a new key, click the Create Key Create key Icon icon and provide the necessary ssh key details.
  9. Click Import to import the key.
  10. To set the SSH Keystore password, select the Keystores node in the left navigator tree and enter the private key password.
    11. Oracle MFT keystores
    Description of the illustration keystores
  11. Click Save to save changes.

section 2Enable and Start the MFT sFTP Server

Next, enable the embedded sFTP server, configure its security settings, and then restart the sFTP Server.

  1. Navigate to the Administration tab on the MFT console.
  2. Select the Embedded Servers node in the left navigator tree and click the sFTP tab.
  3. Enable sFTP by checking the Enabled checkbox.
  4. Choose Both as Authentication Type to enable the users to login using password or SSH key. If you want to use the Public key to login to the server, select the Public key option.
  5. Set Host Key Alias to the private key alias you just imported.
  6. Click Save to save changes.
  7. Click Restart to restart the server for the changes to take effect.
  8. Configure connections to allow sFTP traffic to the MFT embedded server:
  9. To verify the embedded sFTP server is started properly, select the Embedded Servers > Ports node in the left navigator tree. You should see the sFTP server is running on port 7522. 
    10. Oracle MFT Ports
    Description of the illustration mft_port
  10. To test the sFTP connection, use an sFTP client or a command line tool on your local machine to connect to the OTD IP address (if OTD is used), else host IP address: 
    $sftp -oPort=7522 mftadmin@192.1.1.1
  11. Enter the password when prompted.

section 2Import the User Public Key

Next, import the user public key in the SSH keystore of the Oracle MFT service for key based authentication for embedded sFTP server.

  1. Navigate to the Administration tab on the Oracle MFT console.
  2. Select the Keystore Management tab, then click Keys to import the key.
  3. Select the Import Import Icon icon on the right corner of the page. Import Key dialog appears.
    4. Import key dialog
    Description of the illustration import_key
  4. Enter the Alias name. The SSH public key alias should be same as the user name. For example, if the public key alias is User1, the user name must be User1.
  5. In the Format field, select SSH.
  6. Click Browse to select the public key for User1.
  7. Select Public as the Type.
  8. Click Import to import the key.

section 2 Folder Access and Permission to User

Provide folder access and required permissions to the user.

  1. Navigate to the Administration tab on the Oracle MFT console.
  2. Select Embedded Server, then click User Access to provide the selected user access to the desired folders.
  3. Select the user name by searching in the Search field.
  4. In the Folder Access Settings for User table, select the radio button Set As Home Folder to set /User1 as the home folder for the user.
    5. User Access
    Description of the illustration user_access
  5. Add the required permissions, such as Read, Write, Delete, and List and Access Subfolders by selecting the checkbox.
  6. Click Save to save the changes.
  7. To test the configuration, using a command line tool, execute the following command to connect to the OTD IP address (if OTD is used), else host IP address: 
    sftp -oPort=7522 -i ./private_key User1@192.1.1.1
  8. Enter the password when prompted. Now, User1 should be able to connect to sFTP server and access the home folder.

more informationWant to Learn More?