Layer7 API Management

  • 1.  SSH key in variable

    Posted Feb 01, 2018 03:36 AM

    Hello CA,


    We're trying to set up an SFTP entry through the gateway. Therefore SSH key authentication should be possible, but at the moment (as it seems) it is not possible to get the SSH key from a variable to authenticate it to an LDAP.


    Could you tell me if and how this is possible? Otherwise we would like to submit a feature request. For most of the other variables this is possible (for example the "extract attributes from certificate" assertion).


    Kind Regards,


    Pablo van der Veen

  • 2.  Re: SSH key in variable

    Posted Feb 01, 2018 09:55 AM

    Below is a link to an article "Enabling LDAP(S) authentication and authorization for the Gateway configuration menu" which reviews the process of setting up LDAP authentication for SSH. There is also a wiki page for this at if you are using 8.3 or 8.4.

    I am not personally familiar with the process while using keys, so I can't say if that will break anything yet. May be best to test this in a lower-level environment if you can quickly set one up using an OVA image perhaps. That way you will know before attempting it in your environment.


    Hope this helps

  • 3.  Re: SSH key in variable

    Posted Feb 02, 2018 06:56 AM

    Hello Abbas,


    What you are referring to is the SSH to the AMG itself. What I am looking for is an SSH key in the gateway policies. Something totally different.


    Thanks for the effort though, but doesn't help.


    Kind Regards,


  • 4.  Re: SSH key in variable
    Best Answer

    Broadcom Employee
    Posted Feb 02, 2018 12:32 PM


    So I am not sure I totally get your use case or exactly what you are looking for but I suspect you should create a communities idea for it.

    I am guessing here, 

    But I suspect you have a

    client -SSH-> Gateway   (correct?)

    And that policy I assume does a require SSH credentials. (the SSH key from the gateway will be the gateway's SSH key)

    Then you are doing an authorize of this or a lookup in your LDAP?

    Is it an LDAP attribute you are trying to get?

    Or something with the above handshake?

    Then I assume you are routing via SSH to your backend.

    GW -RouteViaSSH-> Backend

    Which would present its ssh key. There is a checkbox option in the route to verify a key but it has to be loaded not in a variable format. 


    Both the require SSH and route SSH don't have any variables associated with the view info so there are no variables out of these calls. We might be able to audit some raw.tcp but I am trying to understand what key you are trying to get from where first so I know if I might have missed something. But it will likely require a communities idea.


  • 5.  Re: SSH key in variable

    Posted Feb 15, 2018 03:39 AM

    Hello Charles,


    connection way is correct,

    assertion is correct,

    LDAP doesn't matter, authorize would be nice, but Lookup is ok

    We are trying to put the public key in an LDAP attribute, but first we need it in a context variable.

    routing to backend we do with one common username/ssh-key.


    I have seen an idea/feature request for this functionality, and have upvoted it. SSH-public key in context-variable


    Kind regards,