SSHFTP Support in TIBCO BusinessConnect Container Edition

To support the SSHFTP transport in TIBCO BusinessConnect Container Edition, the following types of keys, certificates, and algorithms are available:

  • Key types: RSA, DSA
  • Public key formats: OpenSSH PEM and Ssh.Com* (with import and export)
  • Private key formats: OpenSSH PEM and Ssh.Com** (with import); OpenSSH PEM (with export)
  • Host signature algorithms: SSH-RSA and SSH-DSS
  • Server public key algorithms: DSA and RSA

Authentication Methods for SSHFTP

The supported authentication methods are password, public key, and a combination of password and public key. The client is always identified by a username, whether the authentication takes place by password, public key or both. The SSH server drives the authentication (requests the preferred authentication methods) and the SSH client obeys by submitting the credentials, which are specific to the requested/agreed-upon method or methods.

Password
The configured password is used to complete the user authentication phase with the SSH server.
Public key
The configured public key (retrieved from the user's SSH private key) is used to complete the user authentication phase with the SSH server.
Public key and Password
TIBCO BusinessConnect Container Edition is allowed to authenticate using password, public key, or both password and public key. If the SSH server indicates both options, TIBCO BusinessConnect Container Edition starts with the 'public key' method. If it succeeds and the server requires no further authentication steps, the negotiation is successful and the tunnel is established.

If the server rejects the authentication attempt, TIBCO BusinessConnect Container Edition moves to password mode, in which case the outcome depends on the success of this attempt. If the password fails, the transport creation fails and the framework sends the corresponding error message to the business protocol.

When either 'Public Key' or 'Public Key and Password' is selected, the sending participant must be configured with an SSH private key since the transport assumes that this credential is made available to (and may be requested by) the SSH server. The client's private key for any inbound or outbound SSHFTP transport is configured through the field 'Client Authentication Identity for SSHFTP' on the corresponding business agreement of the sending and receiving participants.
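The server-driven method selection described above (public key first, password as the fallback, failure reported when both are exhausted), as an added example that is not the product's code. The server is a constructed stub; the "partial success" flag models the RFC 4252 case where the server accepts one method but still requires another.

```python
from dataclasses import dataclass

@dataclass
class AuthResult:
    success: bool
    partial: bool = False      # RFC 4252 "partial success": accepted, but more needed
    can_continue: tuple = ()   # methods the server will still accept

class StubServer:
    """Constructed SSH server policy (not the product's code)."""
    def __init__(self, methods, require_all, key=None, password=None):
        self.methods, self.require_all = set(methods), require_all
        self.key, self.password = key, password
        self.done = set()

    def offer(self):
        return tuple(sorted(self.methods - self.done))

    def authenticate(self, method, credential):
        ok = method in self.methods and credential == {
            "publickey": self.key, "password": self.password}[method]
        if not ok:
            return AuthResult(False, False, self.offer())
        self.done.add(method)
        if self.require_all and self.offer():
            return AuthResult(False, True, self.offer())
        return AuthResult(True)

# Client preference per configured mode; public key is always tried first.
ORDER = {"password": ["password"], "publickey": ["publickey"],
         "both": ["publickey", "password"]}

def negotiate(server, mode, private_key=None, password=None):
    """Return (established, attempts, error). Only methods the server offers
    are tried, in the client's preference order; the server drives what may
    follow each attempt."""
    creds = {"publickey": private_key, "password": password}
    offered, attempts = server.offer(), []
    for method in ORDER[mode]:
        if method not in offered or creds[method] is None:
            continue
        r = server.authenticate(method, creds[method])
        attempts.append((method, r.success or r.partial))
        if r.success:
            return True, attempts, None
        offered = r.can_continue
    return False, attempts, "transport creation failed: no accepted method"
```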

SSH Server Public Key Retriever

As an administrator, you may have difficulty finding, installing, and configuring the public keys of trading partners' SSH servers while setting up inbound and outbound SSH transports in TIBCO BusinessConnect Container Edition. Sometimes the priority is to get a working connection quickly, rather than taking the time to ensure that the identities of the peer trading partners' SSH servers are trusted by retrieving the servers' credentials only from verified, trusted sources. The SSH Server Public Key Retriever was added to facilitate speedy setup of a working connection and to help establish a trusted connection.

Selecting Algorithms and Methods during Tunnel Negotiation

Supported MACs for SSHFTP

HMAC-SHA2-256*
HMAC-SHA2-512*
HMAC-SHA256@SSH.COM*
HMAC-SHA512@SSH.COM*
HMAC-SHA1
HMAC-SHA1-96*
HMAC-MD5-96

* MACs that cannot be selected from the TIBCO BusinessConnect Container Edition GUI.

If the MAC is configured as ANY, the server may select any of the supported MACs.

Supported Compression Algorithms for SSHFTP

Zlib
Zlib@openssh.com

If NONE is selected, no compression is enforced by the client. This assumes that the SSH server also considers 'NONE' to be a valid option.