Create an AWE FTP Action with SFTP host key validation


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT Server Enterprise version 6.3 - 7.4.3.x (using the Advanced Workflow Engine v8; AWE v10 released in 7.4.7)

DISCUSSION

Validating the host key for an SFTP server ensures that you connect only with the SFTP server that you intended to connect to. You can configure an AWE Workflow so that if somebody tries to "spoof" a host, an error is thrown. SFTP host key validation can be defined in an FTP action, as described below.

To create the FTP Action with SFTP host key validation

  1. Create a new AWE Workflow.
  2. Add the FTP action to the Workflow. (In the Available Actions pane, expand the Network node, then click the FTP action and drag it to the Steps pane.) The FTP Action Properties dialog box appears.
  3. In the Activity to perform list, click the action that is being performed. To log in to an SFTP server and store the SFTP server's host key for validation, click Log On.
  4. In the Credentials area, specify the Host, Username, and Password required to log in to the SFTP server. To use variables in these fields, click in the field and then click the percent sign. For example, you can add %USER_LOGIN% and %USER_PASSWORD% to the Username field, then select and drag %USER_PASSWORD% to the Password field. (When testing a Workflow in the Task Builder, you have to use real values, because the variables have not yet been populated. Change them back to variables to use the Workflow in an Event Rule.)
  5. Session specifies the session name to identify this action in subsequent steps.
  6. In the Advanced area, in the Connection type field, specify SFTP (Key). The Private Key and Passphrase fields appear.
  7. The Port field displays the default port. If the SFTP server listens on a different port, specify the new port.
  8. The FTP log file is not required. However, you can specify the location of a session log, such as C:\ProgramData\GlobalSCAPE\EFT Server Enterprise\AWE\SFTPSessionLog.log. If you want to overwrite the log as new logs are created, select the Overwrite existing log file check box. (You should overwrite the log; logs can take up a lot of storage.)
  9. The Timeout area is used to specify how long AWE will wait before aborting a connection attempt. If a connection is not established within the timeout value specified, it is automatically aborted.
  10. Use compression and Enable FIPS mode are disabled by default. Select the check box to enable the features.
  11. SFTP versions 2, 3, and 4 are enabled by default. Click the down arrow to specify others; click and delete the ones you do not want. (EFT Server supports SFTP versions 2, 3, 4, and 6. EFT Server's outbound client defaults to version 4, but negotiates the SFTP version with the receiving server during session establishment. That is, if the receiving server only supports version 2, EFT Server will negotiate down and operate at version 2.)
  12. Specify the Site's Private key file and Passphrase.
  13. Click Validate SFTP Server's Host Key. With Validate selected, if AWE (via EFT Server) has never connected to that SFTP server before, or the newly presented key does not match the stored key, an error will be thrown, because the host is either unknown or presenting an invalid key. Select Store it for the first time you connect to the server, and AWE will store the server key in a file named hostkeys.txt. For subsequent connections, edit the task to Throw an error if the host key is not found. When you reconnect and the host key validates against the key previously stored, the task will continue. However, if the host key is different, an error will be thrown.
  14. To save the Server Host Key to the hostkeys.txt file:

    1. Run the Workflow once in the AWE Task Builder with the Validate SFTP Server's Host Key set to Store it. AWE will store the server key in a file named hostkeys.txt in your user profile in \Users\<user>\AppData\Local\Network Automation\AutoMate 8\Sftp\hostkeys.txt.
    2. Change the option to Throw an error.
    3. On the On Error tab, click Add, then in the Error Action list, click Write to Windows Event Log. When this error is thrown, the text you specify in Log entry will be written to the Windows Event Log.
    4. Save and Close the Task Builder.
    5. Copy the hostkeys.txt file to \Windows\SysWOW64 (or system32)\config\systemprofile\AppData\Local\Network Automation\AutoMate 8\Sftp\
    6. Add the Workflow to an Event Rule.

    When connection attempts are made to the SFTP Server defined in the AWE Workflow, AWE will examine hostkeys.txt to determine whether the connection should be allowed. With Throw an error set, if the host key does not match the host keys in the hostkeys.txt file (as in the case of spoofing), an error similar to the following will be thrown:

    (To test this, save a copy of the hostkeys.txt file, edit the host key in \Windows\SysWOW64 (or system32)\config\systemprofile\AppData\Local\Network Automation\AutoMate 8\Sftp\, then attempt to connect to the SFTP server. If your configuration is correct, you will see an error, because the host key will be invalid. Be sure to paste the unedited copy of the hostkeys.txt file back into the \Sftp\ folder.)

The AML for this Workflow will look similar to the following:

To create the hostkeys.txt file

<AMFTP ACTIVITY="logon" SERVER="myremotestpfserver.com" USERNAME="%USER_LOGIN%" PASSWORD="AM2HknsdLUXmbJpSeZ0thedsmhJ6nSxF5OyaUn9dMMX3LQ=aME" TYPE="sftp_public_key" PORT="22" LOGFILE="C:\ProgramData\GlobalSCAPE\EFT Server Enterprise\AWE\SFTPSessionLog.log" PRIVATEKEYFILE="C:\ProgramData\GlobalSCAPE\EFT Server Enterprise\MySite Key" PASSPHRASE="AM2CkmLdNUX6LIOSY900RfksgJJuXTmF9ywaME" SFTPHOSTKEY="validate" />

To set the Workflow to prevent outgoing connections to unauthorized SFTP servers:

<AMFTP ACTIVITY="logon" SERVER="myremotestpfserver.com" USERNAME="%USER_LOGIN%" PASSWORD="AM2HknsdLUXmbJpSeZ0thedsmhJ6nSxF5OyaUn9dMMX3LQ=aME" TYPE="sftp_public_key" PORT="22" LOGFILE="C:\ProgramData\GlobalSCAPE\EFT Server Enterprise\AWE\SFTPSessionLog.log" PRIVATEKEYFILE="C:\ProgramData\GlobalSCAPE\EFT Server Enterprise\MySite Key" PASSPHRASE="AM2CkmLdNUX6LIOSY900RfksgJJuXTmF9ywaME" SFTPHOSTKEY="validate" SFTPHOSTKEYNOTFOUND="throw_error" />
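The following is an added example (not GlobalSCAPE or AutoMate code) that models the host-key decision from step 13, the store-then-throw sequence of step 14 and the spoof test, driven by the two AML attribute settings shown above. The AML elements are trimmed copies of the article's (credentials and paths omitted); the in-memory key store standing in for hostkeys.txt, its fingerprint format, the sample key blobs and the assumption that a missing SFTPHOSTKEYNOTFOUND means "store" are all constructed here.

```python
import hashlib
import xml.etree.ElementTree as ET

# Trimmed copies of the two <AMFTP> elements from the article; only the
# host-key attributes are kept because they decide the outcome below.
AML_STORE = '<AMFTP ACTIVITY="logon" SERVER="myremotestpfserver.com" SFTPHOSTKEY="validate" />'
AML_THROW = ('<AMFTP ACTIVITY="logon" SERVER="myremotestpfserver.com" '
             'SFTPHOSTKEY="validate" SFTPHOSTKEYNOTFOUND="throw_error" />')


class HostKeyError(Exception):
    """Raised where AWE would throw an error and run the On Error action."""


def policy_from_aml(aml: str) -> tuple:
    """Return (server, validate, not_found_action) for an <AMFTP> element.
    Assumption: a missing SFTPHOSTKEYNOTFOUND means 'store', which is how the
    article's first AML (used to create hostkeys.txt) behaves."""
    el = ET.fromstring(aml.strip().rstrip(";"))
    return (el.get("SERVER", ""),
            el.get("SFTPHOSTKEY") == "validate",
            el.get("SFTPHOSTKEYNOTFOUND", "store"))


def fingerprint(key_blob: bytes) -> str:
    return hashlib.sha256(key_blob).hexdigest()


def check_host_key(store: dict, aml: str, presented: bytes) -> str:
    """store stands in for hostkeys.txt (host -> fingerprint, constructed).
    Returns 'stored' or 'ok', or raises HostKeyError, mirroring step 13."""
    host, validate, not_found = policy_from_aml(aml)
    if not validate:
        return "unverified"          # key never checked; a spoofed host passes
    fp = fingerprint(presented)
    known = store.get(host)
    if known is None:
        if not_found == "throw_error":
            raise HostKeyError(f"{host}: host key not found in hostkeys.txt")
        store[host] = fp             # first contact: trust and record the key
        return "stored"
    if known != fp:
        raise HostKeyError(f"{host}: presented key differs from stored key")
    return "ok"


def walk_through(real_key: bytes, spoofed_key: bytes) -> list:
    """Step 14 in order: store on first run, validate on the next run, then
    the spoof test from the article, which must end in an error."""
    store, results = {}, []
    results.append(check_host_key(store, AML_STORE, real_key))   # 'stored'
    results.append(check_host_key(store, AML_THROW, real_key))   # 'ok'
    try:
        check_host_key(store, AML_THROW, spoofed_key)
    except HostKeyError as err:
        results.append(str(err))
    return results
```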