
SSH key or password authentication for an SFTP user using SEAS XAPI Custom Exit (ibm.com)

Abstract
SSH key or password authentication for an SFTP user using SEAS XAPI Custom Exit
Body
The following information provides all the steps necessary for configuring an SFTP connection through SSP that uses the SEAS XAPI custom exit to authenticate an SSH key or password back to B2Bi.
Before you start (What's Needed):
- Client's SSH public key
- SSP's SSH private key (sspEng1_ssh_privatekey)
- B2Bi's host public key (B2BiNode1_ssh_publicKey)
- Admin access to the B2Bi Dashboard GUI
- Admin access to the SEAS Dashboard GUI
- Admin access to the SSP Dashboard GUI

Configuring B2Bi
· Configure SEAS SSO Plugin on B2Bi
The following links will guide you through configuring the SEAS SSO plugin on B2Bi.
- https://www.ibm.com/docs/en/secure-proxy/6.0.3?topic=cspbss-prepare-sterling-file-gateway-support-single-sign-unix-linux
- https://www.ibm.com/docs/en/secure-proxy/6.0.3?topic=cspbss-modify-sterling-file-gateway-support-single-sign-unix-linux
- https://www.ibm.com/docs/en/secure-proxy/6.0.3?topic=cspbss-prepare-sterling-file-gateway-support-single-sign-microsoft-windows
- https://www.ibm.com/docs/en/secure-proxy/6.0.3?topic=cspbss-modify-sterling-file-gateway-support-single-sign-microsoft-windows
· Importing Client's Public Key on B2Bi
- Log in as the admin user to the B2Bi GUI
- From the Administration Menu select Trading Partner > SSH > Authorized User Key
  - Check in the Authorized User Key: the client's public key (client_id_rsa.pub)
· Verify Requirements for User Account on B2Bi
- From the Administration Menu select Accounts > User Accounts
  - Type in the Account Name to be used and click Go
  - Click Edit
    - Authentication Type (Both)
    - Authentication Host (SEAS Authentication)
    - Select the client's public key (client_id_rsa.pub) in the SSH Authorized User Key screen
Note: The password in the User Account can be a dummy password if only key authentication is used.
· Verify Requirements for SFTP Server Adapter on B2Bi
- From the Administration Menu select Deployment > Services > Configuration
  - Type in the Service Name for the SFTP adapter to be used and click Go
  - Click Edit
    - Type Required Authentication (Password)
Configuring SEAS
· Configure User Key Authentication Profile on SEAS
Note: The key profile and the password profile are identical except for the profile name. Best practice is to use two separate profiles so that each can be referenced from the SSP SFTP policy.
- Log in as the admin user to the SEAS GUI
- From the SEAS “Authentication Definition” screen, select the create “Plus sign” button
- In the “LDAP Authentication” screen, specify the Profile name (XAPI_keyAuthProfile)
- Specify the Authentication type (Generic)
- Uncheck “User ID required”
- Uncheck “Password required”
- Check “Authenticate using custom exits”
- Click on the ellipsis “…”
- Specify the “Class name” (com.sterlingcommerce.component.authentication.impl.SIUserAuthExit)
- Click on the “Properties” ellipsis “…” and add the following properties:
  - http.auth.user=<B2Bi admin user>
  - pre-authenticate=true
  - http.auth.password=<B2Bi admin password>
  - url=http://<B2BiBaseIP:Port>/dashboard/interop/InteropHttpServlet
- Click OK
- Click OK
- Click Next until you get to the button to save the configuration
- Click Save
· Configure User Password Authentication Profile on SEAS
- From the SEAS “Authentication Definition” screen, select the create “Plus” button
- In the “LDAP Authentication” screen, specify the Profile name (XAPI_passAuthProfile)
- Specify the Authentication type (Generic)
- Deselect “User ID required”
- Deselect “Password required”
- Select “Authenticate using custom exits”
- Click on the ellipsis “…”
- Specify the “Class name” (com.sterlingcommerce.component.authentication.impl.SIUserAuthExit)
- Click on the “Properties” ellipsis “…” and add the following properties:
  - http.auth.user=<B2Bi admin user>
  - pre-authenticate=true
  - http.auth.password=<B2Bi admin password>
  - url=http://<B2BiBaseIP:Port>/dashboard/interop/InteropHttpServlet
- Click OK
- Click OK
- Click Next until you get to the button to save the configuration
- Click Save
Configuring SSP
· Creating New External Authentication Server on SSP
- Select Advanced > Actions > New External Authentication Server
  - Type the External Authentication Server Name (SEAS1)
  - Type the External Authentication Server Address (SEAS hostname)
  - Type the External Authentication Server Port (SEAS port)
  - Click Save
· Importing B2Bi Known Host Key on SSP
- Select Credentials > SSH Key Stores > Known Host Key Stores > KnownHostKeyStore
  - Click New
  - Type the Known Host Key Name (B2BiNode1_ssh_publicKey)
  - Select Browse (locate the B2BiNode1_ssh_publicKey file)
  - Click OK
  - Click Save
· Importing SSP Private Key on SSP
- Select Credentials > SSH Key Stores > Local Host Key Stores > LocalHostKeyStore
  - Click New
  - Type the Local Host Key Name (sspEng1_ssh_privatekey)
  - Input the password
  - Select Browse (locate the sspEng1_ssh_privatekey file)
  - Select OK
  - Select Save
· Creating New SFTP Policy on SSP
- Select Configuration > Actions > New Policy > SFTP Policy
  - Type the name (sftp_PwdOrKey_policy)
  - Select the Advanced tab
    - Required Authentication Method (Password or Key)
    - Under User Authentication Mechanism, select “Through External Authentication” to use External Authentication
    - External Authentication Profile: specify the SEAS profile created in this scenario (XAPI_passAuthProfile)
    - Key Authentication Profile: specify the SEAS profile created in this scenario (XAPI_keyAuthProfile)
    - Select User Mapping to SSO token from External Authentication
    - Click Save
· Creating New Inbound and Outbound Netmap Nodes on SSP
- Select Configuration > Actions > New Netmap > SFTP Netmap
  - Type the netmap name (sftp_PwdOrKey_netmap)
  - Click the New button to create a new inbound node
    - Type the name (sftp_client)
    - Select the policy (sftp_PwdOrKey_policy)
    - Click OK
- Select the Outbound node tab, and click New
  - Type the name (sftp_B2BiSFTP_50022)
  - Type the host (B2BI_Hostname)
  - Type the port (50022)
  - Select the known host key store (KnownHostKeyStore)
  - Select the known host key (B2BiNode1_ssh_publicKey)
  - Click OK
- Click Save to save the complete netmap
· Creating New SFTP Adapter on SSP
- Select Configuration > Actions > New Adapter > SFTP Reverse Proxy
  - Type the name (sftp_PwdOrKey_adapter)
  - Type the port (30122)
  - Select the netmap (sftp_B2BiSFTP_50022)
  - Select the routing node (sftp_B2BiSFTP_50022)
  - Select the local host key store (LocalHostKeyStore)
  - Select the local host key (sspEng1_ssh_privatekey)
  - Click the Add button to add an engine and an EA server
    - Add an engine (sspEng1)
    - Add an EA server (SEAS1)
  - Click Save

Source: https://www.ibm.com/docs/en/secure-proxy/6.0.3?topic=cspbss-prepare-sterling-file-gateway-support-single-sign-microsoft-windows

Prepare Sterling File Gateway to Support Single Sign-On on Microsoft Windows

Last Updated: 2023-01-03

Before you enable single sign-on between a trading partner and Sterling File Gateway, when using Secure Proxy, you modify the Sterling File Gateway installation. The files required to enable SSO are installed with Sterling External Authentication Server. To prepare Sterling File Gateway to support SSO on Microsoft Windows:

1. From the Sterling External Authentication Server, copy the files from the EA_install_dir\lib\sterling\sfg-sso-plugin directory to a location that is accessible by the Sterling File Gateway server.

Note: If you use FTP to copy the files to the Sterling File Gateway server, be sure to transfer the .jar files in binary mode (TYPE I).

2. On the Sterling File Gateway server, move to the SFG_install_dir\properties directory.

3. Type the following commands to copy the SSO security.properties files to the Sterling File Gateway server, where base_dir is the location where you copied the files in step 1:

copy base_dir\sfg-sso-plugin\properties\security.properties_seas-sso_ext.in .
copy base_dir\sfg-sso-plugin\properties\authentication_policy.properties_seas-auth_ext.in .
copy base_dir\sfg-sso-plugin\properties\servers.properties_seas-sso_ext .
copy base_dir\sfg-sso-plugin\properties\servers.properties_seas-auth_ext .

4. Stop Sterling File Gateway if it is running.

5. In the server.properties_seas-sso_ext file, uncomment the following line and replace <SI_install> with the actual installation path for Sterling File Gateway:

# seas-sso=<SI_install>\properties\seas-sso\1.0\seas-sso.properties

6. In the server.properties_seas-auth_ext file, uncomment the following line and replace <SI_install> with the actual installation path for Sterling File Gateway:

# seas-auth=<SI_install>\properties\seas-auth\1.0\seas-auth.properties

7. From the SFG_install_dir\bin directory, type the following commands:

install3rdParty.cmd seas-sso 1.0 -j base_dir\sfg-sso-plugin\seas-sso.jar
install3rdParty.cmd seas-sso 1.0 -p base_dir\sfg-sso-plugin\properties\seas-sso.properties
install3rdParty.cmd seas-auth 1.0 -p base_dir\sfg-sso-plugin\properties\seas-auth.properties

8. From the SFG_install_dir\jar\seas-sso\1.0 directory, create a subdirectory named private.

9. Go to the \private directory.

10. Type the following command to copy the jar files to the Sterling File Gateway server:

copy base_dir\sfg-sso-plugin\private\*.jar .

Integrating Active Directory / LDAP with IBM Sterling B2B Integrator (B2Bi)

By Tanvi Kakodkar, posted Thu June 25, 2020 10:03 AM

Authors:
Ankit Modi – [email protected]
Manoj Bansal – [email protected]

In this blog, we will be covering how enterprises are authenticating users of IBM Sterling
B2B Integrator (B2Bi)/Sterling File Gateway (SFG) using LDAP.

LDAP stands for Lightweight Directory Access Protocol. As the name suggests, it is a lightweight client-server protocol for accessing directory services, specifically X.500-based directory services. LDAP runs over TCP/IP or other connection-oriented transport services. LDAP authentication is one of the most popular mechanisms worldwide for enterprise application authentication.
Before diving into LDAP authentication on Active Directory, it is important to understand some LDAP basics. Here are some of the most commonly used terms when working with LDAP:
- Dn - Distinguished name, a unique name used to locate the user in the LDAP server.
- Ou - Organizational Unit.
- Bind - An LDAP bind is an operation in which the LDAP client sends a bind request, including a username and password, to the LDAP server; if the server finds that the user and password are correct, it allows the user to access the LDAP server.
- Search - An LDAP search is an operation performed to retrieve the Dn of the user by using the user's credentials.
- Root - The top element of the LDAP directory (like the root of a tree).
- BaseDn - A branch of the LDAP tree that can be used as the base for an LDAP search operation, such as dc=IBM,dc=org.
For this exercise, we have used Apache LDAP server.
Assuming that the user that we authenticate using LDAP is “ibmuser”, this needs to be
present in the LDAP. We have highlighted the corresponding LDAP entries (explained
above) in the image below which is the screenshot of our LDAP configuration.
One of the most common requirements we come across while implementing B2Bi for our clients is to have the application user authenticated by their centralized LDAP, or by LDAP over SSL (LDAPS). To implement LDAPS, we need to exchange public keys/certificates with the LDAP team.
To achieve this in B2Bi, we need to work closely with the LDAP team because not every LDAP is configured in the same way; the LDAP tree structure differs from one organization to another.

The prerequisite is that the B2Bi application can connect to LDAP; in other words, the required ports (if any) must be open on the firewall.
When an application connects to LDAP for user authentication, there are mainly two modes (mechanisms) in which LDAP authenticates the user: Bind mode and Comparison mode. In this blog, we cover Bind mode.

Let us understand the configuration required on B2Bi:

Create or modify the customer_overrides.properties file (after taking a backup of the existing one) to override authentication_policy.properties, as in the following example:

### LDAP without SEAS
authentication_policy.authentication_1.className=com.sterlingcommerce.woodstock.security.LDAPAuthentication
authentication_policy.authentication_1.connect_pool=false
authentication_policy.authentication_1.connect_pool_var=com.sun.jndi.ldap.connect.pool
authentication_policy.authentication_1.connect_timeout=50000
authentication_policy.authentication_1.connect_timeout_var=com.sun.jndi.ldap.connect.timeout
authentication_policy.authentication_1.server=<<LDAP SERVER IP>>
authentication_policy.authentication_1.port=<<LDAP PORT>>
# Name visible on the B2Bi UI under user authentication
authentication_policy.authentication_1.display_name=MY_LDAP
authentication_policy.authentication_1.enabled=true
authentication_policy.authentication_1.jndi_factory=com.sun.jndi.ldap.LdapCtxFactory
# LDAP attribute that holds the password of the users to be authenticated
authentication_policy.authentication_1.password_attribute=userPassword
# Location of the bind user in the LDAP tree
authentication_policy.authentication_1.principle=uid=admin,ou=system
# Password of the bind user above
authentication_policy.authentication_1.credentials=secret
# LDAP attribute under which the user id is stored
authentication_policy.authentication_1.search_filter=(uid=<userid>)
# The user's DN minus the user id; the user id is sent as part of the LDAP
# authentication request (refer to the LDAP configuration image)
authentication_policy.authentication_1.search_root=ou=users,ou=system
authentication_policy.authentication_1.security_type=simple
authentication_policy.authentication_1.with_user_bind=true
# To enable SSL between B2Bi and LDAP:
# truststore in .jks format holding the LDAP server's public certificate (server authentication)
authentication_policy.LDAP_SECURITY_TRUSTSTORE=<<file system location of your truststore>>
authentication_policy.LDAP_SECURITY_TRUSTSTORE_PASSWORD=<<truststore password>>
# keystore in .jks format holding the certificate B2Bi presents to LDAP for two-way
# authentication; required only if client authentication is enabled
authentication_policy.LDAP_SECURITY_KEYSTORE=<<file system location of your keystore>>
authentication_policy.LDAP_SECURITY_KEYSTORE_PASSWORD=<<keystore password>>

where authentication_1 is your first LDAP server. To use multiple LDAP servers, copy the
lines for authentication_1 and modify them for the properties for authentication_2. Continue
for as many servers as you want to set up.
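A small lint pass over such an overrides fragment, added here as an example and not part of the blog or of IBM's product code: it groups the authentication_N properties, checks the keys the bind-mode setup above relies on, flags `<<placeholder>>` values left unfilled and a user bind configured without the LDAP_SECURITY_TRUSTSTORE. The sample fragment and the check list are constructed for the example.

```python
import re
# Keys each authentication_N block needs for the bind-mode setup shown above
REQUIRED = ("server", "principle", "credentials", "search_root",
            "search_filter", "with_user_bind")
KEY_RE = re.compile(r"^authentication_policy\.(authentication_\d+)\.(\w+)$")

def parse_overrides(text):
    """Group properties into {'authentication_1': {...}, '_global': {...}}."""
    blocks = {"_global": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        m = KEY_RE.match(key)
        if m:
            blocks.setdefault(m.group(1), {})[m.group(2)] = value
        elif key.startswith("authentication_policy."):
            blocks["_global"][key.split(".", 1)[1]] = value
    return blocks

def lint(blocks):
    """Return (block, message) findings a reviewer of the overrides would raise."""
    out, has_tls = [], "LDAP_SECURITY_TRUSTSTORE" in blocks["_global"]
    for name, props in blocks.items():
        if name == "_global":
            continue
        out += [(name, f"missing {k}") for k in REQUIRED if k not in props]
        if "<userid>" not in props.get("search_filter", ""):
            out.append((name, "search_filter lacks the <userid> placeholder"))
        if any("<<" in v for v in props.values()):
            out.append((name, "unfilled <<placeholder>> value left in file"))
        if props.get("with_user_bind") == "true" and not has_tls:
            out.append((name, "user bind without LDAP_SECURITY_TRUSTSTORE: "
                              "credentials cross the network in clear"))
    return out

# Constructed sample: server 2 was copied from server 1 but left half-edited
SAMPLE = """\
authentication_policy.authentication_1.server=ldap.example.test
authentication_policy.authentication_1.principle=uid=admin,ou=system
authentication_policy.authentication_1.credentials=secret
authentication_policy.authentication_1.search_root=ou=users,ou=system
authentication_policy.authentication_1.search_filter=(uid=<userid>)
authentication_policy.authentication_1.with_user_bind=true
authentication_policy.authentication_2.server=<<LDAP SERVER IP>>
authentication_policy.authentication_2.principle=uid=admin,ou=system
authentication_policy.authentication_2.credentials=secret
authentication_policy.authentication_2.search_filter=(uid=ibmuser)
authentication_policy.authentication_2.with_user_bind=true
"""
```

Running `lint(parse_overrides(SAMPLE))` reports the missing truststore for both servers and, for server 2, the missing search_root, the literal user id in the filter and the unfilled placeholder.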

Restart the B2Bi for your changes in the customer_overrides.properties file to take effect over
the authentication_policy.properties file.
Go to “User Accounts” and change the authentication type for the user as “External” and
select the LDAP from the drop down menu as shown in the image below:

Here is the snippet of authentication.log which has information of the “ibmuser” successful
login:

This completes the LDAP integration with Sterling B2Bi. Select the same LDAP when creating the user accounts. In the second part of the blog, we will discuss the integration between Sterling External Authentication Server (SEAS) and B2Bi via LDAP.
