We're trying to set up an SFTP entry through the gateway. Therefore SSH key authentication should be possible, but at the moment (as it seems) it is not possible to get the SSH key from a variable to authenticate it to an LDAP.
Could you tell me if and how this is possible? Otherwise we would like to submit a feature request. For most of the other variables this is possible (for example the "extract attributes from certificate" assertion).
Pablo van der Veen
Below is a link to an article, "Enabling LDAP(S) authentication and authorization for the Gateway configuration menu", which reviews the process of setting up LDAP authentication for SSH. There is also a wiki page for this at https://wiki.ca.com/display/GATEWAY84/Option+4+-+Configure+Authentication+Method if you are using 8.3 or 8.4. I am not personally familiar with the process while using keys, so I can't say if that will break anything yet. It may be best to test this in a lower-level environment if you can quickly set one up, perhaps using an OVA image. That way you will know before attempting it in your environment.
Hope this helps.
What you are referring to is the SSH to the AMG itself. What I am looking for is an SSH key in the gateway policies. Something totally different.
Thanks for the effort though, but doesn't help.
So I am not sure I totally get your use case or exactly what you are looking for but I suspect you should create a communities idea for it.
I am guessing here,
But I suspect you have a
client -SSH-> Gateway (correct?)
And that policy I assume does a Require SSH Credentials. (The SSH key from the gateway will be the gateway's SSH key.)
Then you are doing an authorize of this or a lookup in your ldap?
Is it an LDAP attribute you are trying to get?
Or something with the above handshake?
Then I assume you are routing via SSH to your backend.
GW -RouteViaSSH-> Backend
Which would present its SSH key. There is a checkbox option in the route to verify a key, but it has to be loaded, not in a variable format.
Both the Require SSH and Route SSH don't have any variables associated with the view info, so there are no variables out of these calls. We might be able to audit some raw.tcp, but I am trying to understand what key you are trying to get from where first, so I know if I might have missed something. But it will likely require a communities idea.
connection way is correct,
assertion is correct,
LDAP doesn't matter, authorize would be nice, but Lookup is ok
We are trying to put the public key in an LDAP attribute, but first we need it in a context variable.
Routing to the backend we do with one common username/SSH key.
I have seen an idea/feature request for this functionality, and have upvoted it: "SSH public key in context variable".
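For readers landing on this thread with the same goal, here is an added example (not part of the original posts, and not CA API Gateway policy code) of the comparison you would do once the client's public key is available in a context variable: parse an authorized_keys-style line, sanity-check the key type against the wire-format blob, derive the OpenSSH-style SHA256 fingerprint, and match the presented key against the values of an LDAP attribute. The attribute name (sshPublicKey, as used by the openssh-lpk schema) and the sample keys are assumptions; the keys are constructed inline so the script runs offline and are not real credentials.

```python
import base64
import hashlib
import struct


def parse_openssh_pubkey(line):
    """Split an authorized_keys-style line into (type, blob, comment).

    Raises ValueError if the line is malformed or the key type embedded in the
    RFC 4253 wire-format blob does not match the declared type. That check
    catches attribute values that were edited by hand or truncated in LDAP.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except Exception as exc:  # binascii.Error for bad base64
        raise ValueError("key blob is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # First wire field is a length-prefixed string naming the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4 or blob[4:4 + n].decode("ascii", "replace") != keytype:
        raise ValueError("declared key type %r does not match blob" % keytype)
    return keytype, blob, comment


def fingerprint_sha256(blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def match_key(presented_line, stored_values):
    """Return the index of the stored LDAP value matching the presented key, or None.

    Comparison is on the decoded blob, so differing comments or whitespace in the
    stored attribute values do not cause false negatives, and a stored value that
    fails to parse is skipped rather than aborting the whole lookup.
    """
    _, blob, _ = parse_openssh_pubkey(presented_line)
    for i, value in enumerate(stored_values):
        try:
            _, stored_blob, _ = parse_openssh_pubkey(value)
        except ValueError:
            continue
        if stored_blob == blob:
            return i
    return None


def _make_ed25519_line(seed, comment):
    """Constructed sample: a syntactically valid ssh-ed25519 line (not a real keypair)."""
    raw = hashlib.sha256(seed).digest()  # 32 bytes standing in for the public point
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " " + comment


# Constructed sample data standing in for the multi-valued sshPublicKey attribute
# (assumed attribute name) of an LDAP user entry. Second value is deliberately junk.
ALICE = _make_ed25519_line(b"alice", "alice@example")
BOB = _make_ed25519_line(b"bob", "bob@example")
STORED = [BOB, "not a key at all", ALICE.replace("alice@example", "renamed-comment")]

if __name__ == "__main__":
    keytype, blob, comment = parse_openssh_pubkey(ALICE)
    print(keytype, fingerprint_sha256(blob), comment)
    print("match index for alice:", match_key(ALICE, STORED))
```

Matching on the decoded blob rather than on the raw attribute string is the point: the comment field and surrounding whitespace are not part of the key, so a lookup that compares the full line would fail whenever an administrator re-labels a key in the directory.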