Layer7 API Management

  • 1.  How to get the CA API gateway to act as an SSH Server

    Posted Feb 05, 2018 10:32 PM

    Good day!

    I am trying to have an SSH server going in the CA gateway and have gone through every article around it on the CA platform, forums and other materials available online. I am trying to use an SFTP client (WinSCP) to do the various operations (say LIST, PUT, GET) against the SSH Server for it to process and respond back appropriately.

    Please find below the list of steps that I have already followed to get the SSH server going.

    1. To handle the inbound SFTP message, configured an internal SSH server running on a CA API Gateway listen port using the "SSH2" protocol
    2. To test "Password authentication", created an internal user in the gateway (not a user who can log in through the Policy Manager) - planning to use the Internal Identity Provider for now
    3. For Public key authentication, configured the "SSH tab" of the user to have the correct public key
    4. Used "Require SSH credentials" and "Authenticate against internal Identity Provider" to verify the caller

    Issues:

    1. When I connect using the SFTP client (WinSCP in this case), I get the following error:

       Is there an assertion that I need to use to return a valid response? I have mostly done HTTP(s) based work on the CA API gateway and remember using "Return Template Response" for returning a custom response. However, I am not sure if we have something similar here or if the underlying SSH listener takes care of it already (which does not seem to be the case).
    2. Does the Gateway support LIST, PUT and GET commands for SFTP? I can see that my first request is a "LIST" for which I get the error as shown above. When configuring the SSH2 listener, I have enabled LIST, PUT and GET but I am not sure if there is something I need to learn/understand here.
    3. What should I do to save a PUT command when the client tries to send a file? I assume that will be available as part of the request.mainPart context variable
    4. Where does the physical file reside once the gateway receives it? Does the Gateway have means of storing it in dedicated SFTP folders/directories? I can see that the current SSH path is "/" - is it possible to have custom paths?
    5. Is it possible for the SSH request received to have AD based authentication instead of the Internal Identity Provider?

    I have gone through a lot of posts to get a good understanding of the SSH fundamentals; however, I am not sure how to get it working from an API gateway point of view. I will be very grateful for any support or feedback in this regard to get me going on the right track. Looking forward to the community for some guidelines here.

    Thank you for your time. Cheers.

    Kind regards,
    Sachin



  • 2.  Re: How to get the CA API gateway to act as an SSH Server

    Broadcom Employee
    Posted Dec 24, 2018 02:31 PM

    Sachin,

    1. When I connect using the SFTP client (WinSCP in this case), I get the following error:
    Error listing directory '/'

    Response: The gateway does not expose the local file system through the Gateway application. You would need to connect to another source to pull the data. We see a lot of people using SFTP to SFTP on another server, so the gateway is a bridging mechanism between them, or SFTP to S3 buckets.

    2. Does the Gateway support LIST, PUT and GET commands for SFTP?

    Response: Yes, it supports these commands plus more.

    3. What should I do to save a PUT command when the client tries to send a file? I assume that will be available as part of the request.mainPart context variable

    Response: Correct, any file sent in will be stored in the request message context and can be accessed through the normal means.

    4. Where does the physical file reside once the gateway receives it? Does the Gateway have means of storing it in dedicated SFTP folders/directories? I can see that the current SSH path is "/" - is it possible to have custom paths?

    Response: As the file system is not exposed through the Java application, the information pushed or pulled through the gateway is held in memory as it executes the policy.

    5. Is it possible for the SSH request received to have AD based authentication instead of the Internal Identity Provider?

    Response: You can connect to any LDAP provider or authentication system that can validate a user/password combination or certificates.

    Sincerely,

    Stephen Hughes
    Broadcom Support