Working with SCP/SFTP Messages
The supports SCP (Secure Copy Protocol) and SFTP (SSH File Transfer Protocol) messages, both inbound and outbound. This allows the to work with back-end services which rely on these protocols. These messages are secured using the SSH2 protocol (SSH1 is not supported).
API Gatewaysupports SCP (Secure Copy Protocol) and SFTP (SSH File Transfer Protocol) messages, both inbound and outbound. This allows the
API Gatewayto work with back-end services which rely on these protocols. These messages are secured using the SSH2 protocol (SSH1 is not supported).
Using Inbound SSH
To handle inbound SCP/SFTP messages:
- Configure an internal SSH server running on aLayer7 API Gatewaylisten port. This is done by creating a new listen port using the "SSH2" protocol. The SSH listener supports inbound SCP upload and inbound SFTP "PUT" commands to theLayer7 API Gateway. This listener automatically opens and closes the SSH port on start and stop.
For more information, see Manage Listen Ports.
To resolve the service for SCP/SFTP messages:
- SOAP-based messages are resolved using the Gateway service resolution logic. For a detailed explanation, see "Understanding the Service Process" in theCA API Gateway Administrators Manual.
- Path-based resolution depends on the protocol:
- SCP: You can specify a directory on the SCP server. When a file is uploaded, the full path is used to resolve the service.The following example uploads an XML/SOAP file to a service with the URI "/xmlservice":$> scp -P 2222 message.xml [email protected]:/xmlservice[email protected]'s password:message.xml
Enter the password carefully, as there is no feedback at this point if authentication fails due to an incorrect password being entered here.
- SFTP: Use the "cd" command to change to a directory on the SFTP server. When a file is uploaded, the full path is used to resolve the service.This is the same example as above, for SFTP:
To authenticate users for SCP/SFTP messages:
- Method 1: Password authentication: The user's password from the Internal Identity Provider is used during SSH processing. The inbound SSH server configured on theLayer7 API Gatewayattempts to validate the user's password during the authentication process.
- Method 2: Public key authentication: This requires a one-time setup by copying the user's public key to his or her user record in the Internal Identity Provider. During SSH processing, the inbound SSH server configured on theLayer7 API Gatewayattempts to validate the user's public key during the authentication process. For more information see the [SSH] tab in Creating an Internal User.
SSH processing populates the following context variables:
For more information about these variables, see Transport Layer Context Variables.
Inbound SFTP Polling Listener
API Gatewayhas a polling feature that retrieves ("GET") and process messages from a directory on an external SFTP server. In this configuration, the Gateway acts as an SFTP client and periodically check for new messages to process.
For more information, see Manage SFTP Polling Listeners.
Using Outbound SSH
The provides the following outbound support for SSH sessions:
- outbound SCP upload and download with an external SCP server
- outbound SFTP "PUT" and "GET" with an external SFTP server
These are handled using the Route via SSH2 Assertion.