Layer7 API Management

  • 1.  SFTP with Username/Password not working

    Posted Nov 10, 2015 05:10 AM

    Hi

    I can't write an XML file with SFTP to a remote server. The connection works fine with WinSCP from a Windows machine. But when I try to do the same with the "Route via SSH2" assertion, I always get the error message "SSH routing error: Failed to retrieve ssh session: Auth fail" (Code 9434).

    I use CA API Gateway 8.3.00 build 4753

    Is this functionality broken or does such a connection need a specific configuration of the SSH daemon on the remote server?

    Thanks

    Stephan



  • 2.  Re: SFTP with Username/Password not working

    Broadcom Employee
    Posted Nov 18, 2015 06:40 PM

    Stephan,

    Good afternoon. Are you trying to SFTP from a client through the Gateway to an SFTP server in the backend, or simply trying to send a file from the Gateway to the SFTP server with some other transport on the inbound connection?

    If you are looking to send a file to be passed from the frontend to the backend SFTP server, you will need to set up a Listen Port for SSH2 with a private key on the Gateway, which it appears you have done. The available commands allowed will be important for the back-and-forth communication. On the Route to SSH2 assertion, you will need to have either the private key or the password entered in the Manage Stored Password interface. Which are you using, private key or password?

    I've attached a sample XML for the assertion:

    <?xml version="1.0" encoding="UTF-8"?>
    <wsp:Policy xmlns:L7p="http://www.layer7tech.com/ws/policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
        <wsp:All wsp:Usage="Required">
            <L7p:SshRouteAssertion>
                <L7p:CommandTypeVariableName stringValue="request.command.type"/>
                <L7p:Directory stringValue="${request.ssh.path}"/>
                <L7p:DownloadContentType stringValue="text/xml; charset=utf-8"/>
                <L7p:FileLength stringValue="${request.command.parameter.length}"/>
                <L7p:FileName stringValue="${request.ssh.file}"/>
                <L7p:FileOffset stringValue="${request.command.parameter.offset}"/>
                <L7p:Host stringValue="foo.ca.com"/>
                <L7p:NewFileName stringValue="${request.command.parameter.newPath}/${request.command.parameter.newFile}"/>
                <L7p:RetrieveCommandTypeFromVariable booleanValue="true"/>
            </L7p:SshRouteAssertion>
        </wsp:All>
    </wsp:Policy>

    Sincerely,

    Stephen Hughes

    Director, CA Support



  • 3.  Re: SFTP with Username/Password not working

    Posted Nov 19, 2015 04:50 AM

    Hi Stephen

    I am trying to do the simple case. I receive SOAP requests, transform the message and want to write the resulting XML files to an SFTP server. I was not able to get the file transfer running with username/password authentication. I created a "stored password" and simply use it in the "Route via SSH2" assertion on the authentication tab. I also checked the flag "Validate Server's Host Key" and inserted the host key. But even when I disable the checkbox it does not work.

    [Attached screenshot: ssh-auth-setup.png]

    When I send a request the policy fails with "WARNING 9434 SSH routing error: Failed to retrieve ssh session: Auth fail".

    By the way: does a tutorial exist on how to set up key-based authentication for such an SSH file transfer with Layer7? We actually managed to get this running, but it was a rather "experimental" process.

    Thanks

    Stephan



  • 4.  Re: SFTP with Username/Password not working

    Broadcom Employee
    Posted Nov 19, 2015 11:25 AM

    Stephan,

    I'm not aware of a tutorial on this, but it has definitely been noted that one should be made. Would you be able to share what type of SFTP server you are connecting to, as this should work with most SSH endpoints?

    Sincerely,

    Stephen Hughes

    Director, CA Support



  • 5.  Re: SFTP with Username/Password not working

    Posted Nov 20, 2015 03:06 AM

    Hi Stephen

    I think it is a standard SSH daemon. In the process list of the server I see /usr/sbin/sshd and /usr/lib64/ssh/sftp-server. Perhaps it is chrooted, but for more details I would have to ask the operations staff.

    Is there any known SSHd configuration that has to be set to get it working with Layer7?

    Stephan



  • 6.  Re: SFTP with Username/Password not working

    Posted Feb 01, 2016 06:48 AM

    Just to bring the discussion back to the top. I still have no solution for this problem.

    Stephan



  • 7.  Re: SFTP with Username/Password not working
    Best Answer

    Posted Mar 09, 2016 04:27 AM

    Problem solved. It was a configuration issue on the SSHd.

    The error message "error: Received disconnect from 192.168.42.29: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]" led me to discussions about JSch, the library you probably use in Layer7.

    A lot of them mentioned ChallengeResponseAuthentication when the subject was PasswordAuthentication. So I checked with our operations staff about the SSHd config. It turned out that PasswordAuth was set to "no" and ChallengeResponse was commented out.

    ChallengeResponse is YES by default. See what the docs say about this:

    "Note that if ChallengeResponseAuthentication is 'yes', and the PAM authentication policy for sshd includes pam_unix(8), password authentication will be allowed through the challenge-response mechanism regardless of the value of PasswordAuthentication."

    ChallengeResponse at least tries to only allow TTYs to authenticate (not scripts etc.). That's why I was able to log in with PuTTY but not through Layer7. This situation points directly to Layer7 as the problem source because, hey, the login works fine with PuTTY, so the SSHd must be OK.

    Conclusion:

    - Layer7 can only connect with username/password when PasswordAuthentication is explicitly set to "yes".

    - Just because you can log in with PuTTY does not mean that PasswordAuthentication is "yes".
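The sshd behaviour behind this answer, modelled as an added example (not code from the thread, from Layer7 or from CA): it reads an sshd_config fragment the way sshd does (commented keywords fall back to their defaults, first occurrence wins) and shows why an interactive client still logs in while a password-only client is refused. The config fragments are constructed, and the client method sets are assumptions drawn from the conclusion above: PuTTY offers both "password" and "keyboard-interactive", the Gateway's JSch client only "password".

```python
# Added example: which password-style auth methods sshd offers for a given
# sshd_config, per sshd_config(5): both keywords default to "yes", commented
# lines are not settings, and the first occurrence of a keyword wins.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

def parse_sshd_config(text):
    """Effective values of the two keywords (first match wins, like sshd)."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out keyword leaves the default in force
        parts = line.replace("=", " ").split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key in DEFAULTS and key not in effective:
            effective[key] = value
    return {k: effective.get(k, v) for k, v in DEFAULTS.items()}

def offered_methods(config_text):
    """Auth methods the server advertises for password-based logins."""
    eff = parse_sshd_config(config_text)
    methods = set()
    if eff["passwordauthentication"] == "yes":
        methods.add("password")
    if eff["challengeresponseauthentication"] == "yes":
        # with pam_unix in the PAM stack the password is also accepted here
        methods.add("keyboard-interactive")
    return methods

def can_authenticate(config_text, client_methods):
    """True if server and client share at least one method."""
    return bool(offered_methods(config_text) & set(client_methods))

# Constructed fragments: the thread's broken sshd_config and the fix.
BROKEN_CONFIG = "PasswordAuthentication no\n#ChallengeResponseAuthentication yes\n"
FIXED_CONFIG = "PasswordAuthentication yes\n#ChallengeResponseAuthentication yes\n"
# Assumed client capabilities (inferred from the thread's conclusion, not verified):
PUTTY_METHODS = {"password", "keyboard-interactive"}
GATEWAY_METHODS = {"password"}  # JSch password auth without keyboard-interactive

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "PuTTY:", can_authenticate(cfg, PUTTY_METHODS),
              "Gateway:", can_authenticate(cfg, GATEWAY_METHODS))
```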