SSHFTP Support in TIBCO BusinessConnect Container Edition

To support the SSHFTP transport in TIBCO BusinessConnect Container Edition, the following types of keys, certificates, and algorithms are available:

  • Key types: RSA, DSA
  • Public key formats: OpenSSH PEM and Ssh.Com* (with import and export)
  • Private key formats: OpenSSH PEM and Ssh.Com** (with import); OpenSSH PEM (with export)
  • Host signature algorithms: SSH-RSA and SSH-DSS
  • Server public key algorithms: DSA and RSA

Authentication Methods for SSHFTP

The supported authentication methods are password, public key, and a combination of password and public key. The client is always identified by a user name, whichever of these methods is used. The SSH server drives the authentication (it requests its preferred authentication methods) and the SSH client complies by submitting the credentials specific to the requested or agreed-upon method or methods.

  • Password: The configured password is used to complete the user authentication phase with the SSH server.
  • Public key: The configured public key (derived from the user's SSH private key) is used to complete the user authentication phase with the SSH server.
  • Public key and password: TIBCO BusinessConnect Container Edition can authenticate using password, public key, or both password and public key. If the SSH server indicates both options, TIBCO BusinessConnect Container Edition starts with the 'public key' method. If it succeeds and the server requires no further authentication steps, the negotiation is successful and the tunnel is established.

If the server rejects the authentication attempt, TIBCO BusinessConnect Container Edition falls back to password authentication, and the outcome then depends on that attempt. If the password fails, the transport creation fails and the framework sends the corresponding error message to the business protocol.

When either 'Public Key' or 'Public Key and Password' is selected, the sending participant must be configured with an SSH private key since the transport assumes that this credential is made available to (and may be requested by) the SSH server. The client's private key for any inbound or outbound SSHFTP transport is configured through the field 'Client Authentication Identity for SSHFTP' on the corresponding business agreement of the sending and receiving participants.
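The flow described above, modelled as an added example (this is not TIBCO BusinessConnect code). It assumes a constructed stand-in SSH server with the simplified RFC 4252 semantics of success, failure, and partial success, and matches a public key by identifier instead of verifying a signature; the method names `publickey` and `password` are the standard SSH ones, while the user, key and password values are made up for illustration.

```python
# Added example, not TIBCO BusinessConnect code: models the client-side
# authentication order described on this page (public key first, then
# password) against a constructed SSH server.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SUCCESS = "SSH_MSG_USERAUTH_SUCCESS"
FAILURE = "SSH_MSG_USERAUTH_FAILURE"
PUBLICKEY = "publickey"
PASSWORD = "password"


@dataclass
class AuthReply:
    message: str                    # SUCCESS or FAILURE
    can_continue: Tuple[str, ...]   # methods the server will still accept
    partial_success: bool           # this method passed, but the server wants more


class MockSshServer:
    """Constructed stand-in for a trading partner's SSH server (one session)."""

    def __init__(self, offered, authorized_key, password, require_all=False):
        self.offered = tuple(offered)        # advertised methods, server preference order
        self.authorized_key = authorized_key
        self.password = password
        self.require_all = require_all       # True: every offered method must pass
        self.passed = set()

    def userauth(self, user: str, method: str, credential: Optional[str]) -> AuthReply:
        # A real server verifies a signature made with the private key; this
        # model only compares the key identifier to the authorized one.
        ok = (method == PUBLICKEY and credential == self.authorized_key) or \
             (method == PASSWORD and credential == self.password)
        if ok:
            self.passed.add(method)
        satisfied = set(self.offered) <= self.passed if self.require_all else bool(self.passed)
        if satisfied:
            return AuthReply(SUCCESS, (), False)
        remaining = tuple(m for m in self.offered if m not in self.passed)
        return AuthReply(FAILURE, remaining, partial_success=ok)


def connect(server: MockSshServer, user: str, mode: str,
            private_key: Optional[str] = None,
            password: Optional[str] = None) -> Tuple[bool, List[str]]:
    """Client side of the flow. mode is one of the page's three settings:
    'Password', 'Public Key', 'Public Key and Password'.
    Returns (tunnel_established, trace of what happened)."""
    trace: List[str] = []
    creds: Dict[str, Optional[str]] = {}
    if mode in ("Public Key", "Public Key and Password"):
        if private_key is None:
            # The page requires a private key whenever public key is selected.
            return False, ["config error: 'Client Authentication Identity for SSHFTP' is not set"]
        creds[PUBLICKEY] = private_key
    if mode in ("Password", "Public Key and Password"):
        creds[PASSWORD] = password
    if not creds:
        return False, [f"config error: unknown mode {mode!r}"]

    allowed = server.offered                 # what the server advertises at the start
    for method in (PUBLICKEY, PASSWORD):     # public key is always tried first
        if method not in creds:
            continue
        if method not in allowed:
            trace.append(f"{method}: not accepted by server, skipped")
            continue
        reply = server.userauth(user, method, creds[method])
        trace.append(f"{method}: {reply.message}"
                     + (" (partial success)" if reply.partial_success else ""))
        if reply.message == SUCCESS:
            return True, trace
        allowed = reply.can_continue         # server rejected or wants more: fall through
    trace.append("transport creation failed: no authentication method succeeded")
    return False, trace


if __name__ == "__main__":
    srv = MockSshServer([PUBLICKEY, PASSWORD], "key-partner-01", "s3cret", require_all=True)
    print(connect(srv, "bcuser", "Public Key and Password", "key-partner-01", "s3cret"))
```

The `require_all` server shows the case the text calls "the server requires further authentication steps": the public key is accepted with partial success and the password must follow. With `require_all=False` the same client falls back to the password only if the key is rejected.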

SSH Server Public Key Retriever

As an administrator, you may have difficulty finding, installing and configuring the public keys of the trading partners' SSH servers while setting up inbound and outbound SSH transports in TIBCO BusinessConnect Container Edition. Sometimes it is a priority to set up a working connection quickly rather than take the time to ensure that the identities of the peer trading partners' SSH servers are trusted by retrieving the servers' credentials only from verified, trusted sources. The SSH Server Public Key Retriever was added to facilitate speedy setup of a working connection and to help establish a trusted connection. A key retrieved from the server itself should still be compared with a fingerprint obtained from the trading partner through a separate channel before the connection is treated as trusted.

Selecting Algorithms and Methods during Tunnel Negotiation

Tunnel negotiation is driven by the SSH server and controlled by the SSH client. This means that the ciphers, MAC and compression algorithms and the authentication methods are chosen by the client from a list offered by the server. If the option ANY is set for cipher, MAC, or compression, the server's first preference that the client also supports is used. TIBCO BusinessConnect Container Edition always acts as the SSH client, regardless of the direction of the transport (inbound or outbound).

Supported MACs for SSHFTP

  • HMAC-SHA2-256*
  • HMAC-SHA2-512*
  • HMAC-SHA256@SSH.COM*
  • HMAC-SHA512@SSH.COM*
  • HMAC-SHA1
  • HMAC-SHA1-96*
  • HMAC-MD5-96

* MACs that cannot be selected from the TIBCO BusinessConnect Container Edition GUI.

If configured to ANY, any of the supported MACs can be selected by the server.

Supported Compression Algorithms for SSHFTP

  • Zlib
  • Zlib@openssh.com

If NONE is selected, no compression is enforced by the client. This assumes that the SSH server also considers 'NONE' to be a valid option.
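The selection rule from the tunnel negotiation section and the MAC and compression lists above, as an added example (not TIBCO BusinessConnect code). It assumes the page's MAC and compression names in their lower-case SSH wire form, treats `hmac-sha1` and `hmac-md5-96` as the GUI-selectable MACs because the others are starred, and uses constructed server offers; the `LEGACY_MACS` set is the editor's own flag for truncated-tag and MD5-based MACs, which the ANY setting lets the server pick.

```python
# Added example, not TIBCO BusinessConnect code: models the server-driven
# algorithm selection rule for MACs and compression described on this page.
from typing import Dict, Optional, Sequence

ANY = "ANY"
NONE = "none"

# MACs the transport supports, as listed on this page (lower-case wire names).
SUPPORTED_MACS = (
    "hmac-sha2-256", "hmac-sha2-512", "hmac-sha256@ssh.com",
    "hmac-sha512@ssh.com", "hmac-sha1", "hmac-sha1-96", "hmac-md5-96",
)
# The unstarred MACs on the page: the only ones selectable from the GUI (assumption).
GUI_SELECTABLE_MACS = ("hmac-sha1", "hmac-md5-96")
SUPPORTED_COMPRESSION = ("zlib", "zlib@openssh.com", NONE)

# Editor's flag: truncated-tag and MD5-based MACs, worth noticing when ANY
# lets the server's preference decide.
LEGACY_MACS = frozenset({"hmac-sha1-96", "hmac-md5-96"})


def select(server_offer: Sequence[str], client_supported: Sequence[str],
           configured: str = ANY) -> Optional[str]:
    """Pick one algorithm for a tunnel.

    server_offer:     what the server lists, in its order of preference.
    client_supported: what the client implements.
    configured:       ANY -> the server's first preference the client also
                      supports; otherwise the single configured algorithm,
                      which the server must also offer.
    Returns None when nothing matches, i.e. the negotiation fails.
    """
    if configured == ANY:
        return next((alg for alg in server_offer if alg in client_supported), None)
    if configured in client_supported and configured in server_offer:
        return configured
    return None


def negotiate(server_macs: Sequence[str], server_compression: Sequence[str],
              mac: str = ANY, compression: str = ANY) -> Dict[str, object]:
    """Negotiate MAC and compression for one tunnel and report the outcome."""
    chosen_mac = select(server_macs, SUPPORTED_MACS, mac)
    chosen_comp = select(server_compression, SUPPORTED_COMPRESSION, compression)
    return {
        "ok": chosen_mac is not None and chosen_comp is not None,
        "mac": chosen_mac,
        "compression": chosen_comp,
        # True when ANY handed the choice to a server that prefers a legacy MAC.
        "legacy_mac": chosen_mac in LEGACY_MACS,
    }


if __name__ == "__main__":
    # Constructed server offers: a server that prefers hmac-md5-96 wins under ANY.
    print(negotiate(["hmac-md5-96", "hmac-sha2-256"], ["zlib"]))
    # NONE compression fails against a server that does not offer 'none'.
    print(negotiate(["hmac-sha2-256"], ["zlib@openssh.com"], compression=NONE))
```

Pinning a specific MAC in the GUI instead of ANY makes the choice deterministic, but the negotiation then fails outright if the partner's server does not offer it, which is the trade-off the page's 'ANY' option exists to avoid.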