Working with SCP/SFTP Messages

The API Gateway supports SCP (Secure Copy Protocol) and SFTP (SSH File Transfer Protocol) messages, both inbound and outbound. This allows the API Gateway to work with back-end services which rely on these protocols. These messages are secured using the SSH2 protocol (SSH1 is not supported).
Using Inbound SSH
To handle inbound SCP/SFTP messages:
  • Configure an internal SSH server running on a Layer7 API Gateway listen port. This is done by creating a new listen port using the "SSH2" protocol. The SSH listener supports inbound SCP upload and inbound SFTP "PUT" commands to the Layer7 API Gateway. This listener automatically opens and closes the SSH port on start and stop.
For more information, see Manage Listen Ports.
To resolve the service for SCP/SFTP messages:
  • SOAP-based messages are resolved using the Gateway service resolution logic. For a detailed explanation, see "Understanding the Service Process" in the CA API Gateway Administrators Manual.
  • Path-based resolution depends on the protocol:
    • SCP: You can specify a directory on the SCP server. When a file is uploaded, the full path is used to resolve the service.
      The following example uploads an XML/SOAP file to a service with the URI "/xmlservice":
      $> scp -P 2222 message.xml [email protected]:/xmlservice
      [email protected]'s password:
      message.xml
      Enter the password carefully: if authentication fails because an incorrect password was entered here, there is no feedback at this point.
    • SFTP: Use the "cd" command to change to a directory on the SFTP server. When a file is uploaded, the full path is used to resolve the service.
      This is the same example as above, for SFTP:
      $> sftp -oPort=2222 [email protected]
      [email protected]'s password:
      Connected to gateway.l7tech.com.
      sftp> cd xmlservice
      sftp> put message.xml
      Uploading message.xml to /xmlservice/message.xml
      ...
      sftp> bye
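The two uploads above (an SCP target of "/xmlservice", and an SFTP "cd xmlservice" followed by "put message.xml") both arrive at the listener as the full path "/xmlservice/message.xml". The following added example, which is not the Gateway's own resolution code, models that path-based step: it assumes the directory part of the upload path is matched against registered service URIs by longest prefix, that the file name becomes the request.ssh.file context variable listed under Context Variables below, and that an upload path which would climb above the SSH root is rejected rather than silently clamped. The service table is constructed for the example.

```python
"""Model of path-based service resolution for SCP/SFTP uploads.

Added example, not the Gateway's own code. Assumes longest-prefix matching
of the upload directory against registered service URIs.
"""
import posixpath

# Constructed service table (URI -> service name); not taken from the page.
SERVICES = {
    "/xmlservice": "XML Service",
    "/xmlservice/orders": "Order Service",
}


def normalize_upload_path(path, cwd="/"):
    """Return an absolute, normalized path for an upload.

    An SCP target is an absolute path; an SFTP 'put' is relative to the
    directory selected with 'cd' (cwd). Empty and '.' components are dropped,
    '..' pops a component, and a path that would climb above the SSH root
    raises ValueError instead of being clamped to '/'.
    """
    if not path.startswith("/"):
        path = cwd.rstrip("/") + "/" + path
    parts = []
    for comp in path.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                raise ValueError("path escapes the SSH root: %r" % path)
            parts.pop()
        else:
            parts.append(comp)
    return "/" + "/".join(parts)


def resolve_service(upload_path, cwd="/", services=SERVICES):
    """Resolve the service for an uploaded file.

    Returns a dict with the matched service name plus the request.ssh.path and
    request.ssh.file context variables, or None when no registered URI is a
    prefix of the upload directory.
    """
    full = normalize_upload_path(upload_path, cwd)
    directory, filename = posixpath.split(full)
    if not filename:
        raise ValueError("upload path must name a file: %r" % upload_path)
    # Walk from the upload directory up toward "/" and take the first
    # (therefore longest) registered URI encountered.
    candidate = directory
    while True:
        if candidate in services:
            return {
                "service": services[candidate],
                "request.ssh.path": directory,
                "request.ssh.file": filename,
            }
        if candidate == "/":
            return None
        candidate = candidate.rsplit("/", 1)[0] or "/"


if __name__ == "__main__":
    # The SCP and SFTP uploads from the page resolve to the same service.
    print(resolve_service("/xmlservice/message.xml"))
    print(resolve_service("message.xml", cwd="/xmlservice"))
```

The traversal check matters because a resolver that silently normalizes "/xmlservice/../../x" to "/x" would let a client pick a service it never "cd"-ed into; rejecting the path makes that case visible in the listener's logs instead.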
To authenticate users for SCP/SFTP messages:
  • Method 1: Password authentication: The user's password from the Internal Identity Provider is used during SSH processing. The inbound SSH server configured on the Layer7 API Gateway attempts to validate the user's password during the authentication process.
  • Method 2: Public key authentication: This requires a one-time setup by copying the user's public key to his or her user record in the Internal Identity Provider. During SSH processing, the inbound SSH server configured on the Layer7 API Gateway attempts to validate the user's public key during the authentication process. For more information see the [SSH] tab in Creating an Internal User.
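Because public key authentication depends on the key pasted into the user record being the user's actual key, it is worth checking the line before saving it. The following added example, not Gateway code, validates one OpenSSH-format public key line: it checks the "<type> <base64 blob> [comment]" shape, verifies that the key type embedded in the blob matches the declared type (a mismatch means the type and key data came from different keys), and reports the SHA256 fingerprint in the same form as "ssh-keygen -lf" so it can be compared with the fingerprint the user reports. The sample key blob is constructed from a fixed byte sequence so the example runs offline; it is not a real key and cannot authenticate anything.

```python
"""Pre-save check for an OpenSSH public key line.

Added example, not the Gateway's own code. Validates the line's shape and the
embedded key type, and computes the OpenSSH-style SHA256 fingerprint.
"""
import base64
import binascii
import hashlib
import struct


def _ssh_string(data):
    """Encode bytes as an SSH wire 'string' (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: an ed25519-shaped blob built from a fixed 32-byte value.
# It is NOT a real key; it only gives the example something to parse offline.
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEY_LINE = (
    "ssh-ed25519 "
    + base64.b64encode(_SAMPLE_BLOB).decode("ascii")
    + " alice@example"
)


def parse_public_key_line(line):
    """Parse and validate one authorized-keys style line.

    Returns a dict with the key type, comment and SHA256 fingerprint, or
    raises ValueError describing what is wrong with the line.
    """
    fields = line.strip().split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 key> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = " ".join(fields[2:])
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("key data is not valid base64")
    # The blob begins with a length-prefixed copy of the key type.
    if len(blob) < 4:
        raise ValueError("key data too short")
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n]
    if len(embedded) != n or embedded != key_type.encode("ascii"):
        raise ValueError("declared type %r does not match key data" % key_type)
    # OpenSSH prints SHA256 fingerprints as unpadded base64 of the blob's digest.
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    return {"type": key_type, "comment": comment, "fingerprint": fingerprint}


def is_valid_key_line(line):
    """True if the line parses cleanly; suitable as a pre-save gate."""
    try:
        parse_public_key_line(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_public_key_line(SAMPLE_KEY_LINE))
```

The fingerprint is computed over the key blob only, so the same key with or without a trailing comment yields the same value, which is what makes it usable for an out-of-band comparison with the user.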
Context Variables
SSH processing populates the following context variables:
  • request.tcp.localPort
  • request.tcp.remoteAddress
  • request.tcp.remoteip
  • request.tcp.remoteHost
  • request.ssh.path
  • request.ssh.file
For more information about these variables, see Transport Layer Context Variables.
Inbound SFTP Polling Listener
The API Gateway has a polling feature that retrieves ("GET") and processes messages from a directory on an external SFTP server. In this configuration, the Gateway acts as an SFTP client and periodically checks for new messages to process.
For more information, see Manage SFTP Polling Listeners.
Using Outbound SSH
The API Gateway provides the following outbound support for SSH sessions:
  • outbound SCP upload and download with an external SCP server
  • outbound SFTP "PUT" and "GET" with an external SFTP server
These are handled using the Route via SSH2 Assertion.