SFTP (SSH File Transfer Protocol/Secure File Transfer Protocol)

SFTP (SSH File Transfer Protocol/Secure File Transfer Protocol)

Introduction

SFTP (SSH File Transfer Protocol also known as Secure File Transfer Protocol) is a secure file transferring protocol between two remote systems, which runs over Secure Shell protocol (SSH). It provides strong authentication and secure encrypted data communication between two computers, which are connecting over an insecure network. It was designed by the Internet Engineering Task Force (IETF) as a secure extension. SSH provides the secure file transfer capabilities.

In this article, we will explain how to configure SFTP, how to use it with BizTalk Server and how you can set up monitoring SFTP using BizTalk360.

Contents

  • How to Configure SFTP
  • Types of authentication available in SFTP
  • Using SFTP in BizTalk Server
  • Monitoring SFTP using BizTalk360 Application

How to Configure SFTP

SFTP has replaced legacy FTP (File Transfer Protocol) and FTP/S and it provides all the functionality offered by these protocols, but the protocol is more secure and reliable. Also, configuration is easier.

Following are the steps to configure SFTP:

  • Download the OpenSSH for server using OpenSSH for Windows binaries (Packages OpenSSH-Win64.zip or OpenSSH-Win32.zip)

Link: https://github.com/PowerShell/Win32-OpenSSH/releases

  • Extract the package in folder location ‘C:Program Files’ as an administrator and install the SSH and SSHD services using the following command:
    exe -Execution Policy Bypass -File install-sshd.psl
  • Once you have run the above command, the SSH server and server agent will install the system and start the service in the services.msc

The SFTP port number for the SSH port is 22, basically just an SSH Server. Once the user has logged in to the server using SSH, the SFTP protocol can be initiated. There is no separate SFTP port exposed on the servers. There is also no need to configure another rule into the firewalls.

Once the command is executed in PowerShell, the rule is created in the firewall section.

Using Public Keys for SSH Authentication

One effective way of securing SSH access to the server, is to use a Public/Private Key pair. This means that the generated key pair, consists of a public key (allowed to know) and a private key (keep secret and don’t give to anybody). The private key can generate a Signature and cannot be forged for anybody who doesn’t have that key. But using the public key, anybody can verify that a signature is genuine. The public key is placed on the server and a private key is placed on local workstation. Using a key pair, it becomes impossible for someone to log in by using just a password, in case you have set up SSH to deny password-based authentication.

Create the .ssh directory in a local folder and create a file named as “authorized_keys”, where we store the public key for authentication.

Generating Keys

PuTTYgen is a key generator. It generates pairs of public and private keys. When you run the PuTTYgen, you will see a window where you have two choices:

  • Generate – to generate a new Public/Private key pair
  • Load – to load an existing private key

Before generating a key pair, using PuTTYgen, you need to select which type of key you need.

PuTTYgen currently supports the following type of keys:

  • An RSA key for use with the SSH-1 protocol
  • An RSA key for use with the SSH-2 protocol
  • A DSA key for use with the SSH-2 protocol
  • An ECDSA (Elliptic Curve DSA) key for use with the SSH-2 protocol
  • An Ed25519 key (another elliptic curve algorithm) for use with the SSH-2 protocol

Here, we will generate a RSA key, for use with the SSH-1 Protocol.

  • Download the PuTTYgen from the web site
  • Launch the program and click “Generate” button. The program generates the keys for you

  • Once you click the Generate button, you must generate some randomness, by moving the mouse over the blank area

  • Enter the unique Key passphrase and Confirm passphrase fields

  • Save the public and private keys, by clicking Save Public Key and Save Private Key buttons

  • From the Public Key, for pasting it into the OpenSSH authorized_keys file field at the top of the window, copy all the text (starting with ssh-rsa). The copied key must be pasted either into the public key tool, in the Control Panel, or directly into the authorized keys file on your server.

Using SFTP Adapter in BizTalk Server

BizTalk Server provides the SFTP adapter to send and receive a file from a secure FTP server using the SSH file transfer protocol. Let’s see how can configure the SFTP adapter for receiving and sending a file from the secure server.

  • In the BizTalk Admin Console, create a SFTP Receive Port in the BizTalk application where you want to have it
  • Create a Receive Location within that Receive Port
  • Select the Transport Type as SFTP from the drop-down list

In the Properties section, configure the following steps:

Others

  • Connection Limit – Specify the maximum number of concurrent connections that can be opened to the server

Polling

  •  Polling Interval – Specify the interval at which the adapter polls the server. To poll continuously, set this value to zero

Default Value: 5

  • Unit – Specifies the unit in which the polling interval is specified. For example: Seconds, Minutes, Hours or Days

Security

  • Accept Any SSH  Server Host key – When the option is set as True, SSH will accept the connection from the host server; when it is set as False, the Receive Location uses the fingerprint of the server for authentication. For the authentication, you need to provide the finger print in the SSHServerHostKeyFingerPrint field.

  • Client Authentication

There are three client authentication methods:

  • Password
  • PublicKeyAuthentication
  • MultiFactorAuthentication

Password authentication mode is simply providing the password in the console for authenticating the client. For the PublicKeyAuthentication, you must provide the private key file in the PrivateKey field and provide the passphrase in the PrivateKeyPassword for authenticating.

For MultiFactorAuthentication, the user must provide the user name, password and Privatekey. If the private key is protected by a passphrase, you also need to provide that in the privatekeyPassword field.

  • Password –  Specify the password, if you have set the ClientAuthentication mode to password
  • Private Key – Specify the private key for the SFTP user, if you have set the ClientAuthenticationMode to Publickeyauthentication
  • Private Key Password – Specify the passphrase key to validate the private key
  • SSH Server Host Key Fingerprint – It specifies the fingerprint of the public host key for the SSH server
  • Username – Specifies a username to log on to the SFTP server

SSH Server

  • File Mask – Specifies the file mask to use when retrieving files from a secure SFTP server
  • Folder path – Specifies the folder path on the secure SFTP server from where the Receive Location can retrieve files
  • Port – Specifies the port address for the secure SFTP server on which the file transfer takes place
  • Server Address – Specifies the server name or IP address of the secure SFTP server

Configuring the Send Port

For Configuring the Send Port, create a Send Port or double click an existing send port to modify it in an application in the BizTalk Administration Console.

  • On the General Tab, Choose the type of SFTP artifact in the transport section and click the configuration button.
  • In the SFTP Transport Properties window configure the following options based on requirement

Others

  • Connection Limit – Maximum number of concurrent connections that can be opened to the server
  • Log – Creating client-side log file to trouble shoot any errors. Enter the full path for creating the log file and its available from BizTalk Server 2016
  • Temporary Folder – A temporary folder on the SFTP server to upload large files before automatically moved to the required location on the same server and its available from BizTalk server 2013 R2

Proxy

  • Address –Specifies either DNS or IP Address of the Proxy server
  • Password –Specifies the Password of the proxy server
  • Port – Specifies the port of the Proxy Server
  • Type – Specifies the protocol used by the proxy server
  • User Name – Specifies the User Name of the Proxy server

Security

  • Access Any SSH Server Host Key – When True, the send port accept any SSH Public host key from the server and if set as false, the port matches the host key with the key specified in the SSHServerHostKey
  • Client Authentication Mode – Specifies the authentication method that the send port uses for authenticating the client to the SSH Server.

Three modes of authentication

  • Password – If set as Password , you must provide the password in the Password Property
  • PublicKeyAuthentication – if set as PublicKeyAuthentication, you must provide the private key of the user in the PrivateKey
  • MultiFactorAuthentication – if set as MultiFactorAuthentication, you must provide UserName with its Password. If the private key is protected by a password, provide the password in the PrivateKeyPassword as well
  • EncryptionCipher – Provide the kind of encryption cipher and available from BizTalk Server 2013 R2. Options are Auto, AES and TripleDES in the BizTalk Server 2013 R2 and for the BizTalk Server 2016 Auto, AES, Arcfour, Blowfish, TripleDES, and
  • Password – Specify the SFTP user password if you set the ClientAuthenticationMode to Password
  • Private Key – Specify the private key for the SFTP user if you set the ClientAuthenticationMode to PublicKeyAuthentication
  • Private Key Password – Specify a private key password, if required for the key specified in the PrivateKey
  • SSH Server Host Key Finger Print – Specifies the fingerprint of the server used by the adapter to authenticate the server if the AccessAnySSHServerHostKey property is set to False. If the fingerprints do not match, the connection fails.
  • User Name – Specifies the username for the secure FTP Server

SSH Server

  • Append If Exist – if the file being transferred to the secure FTP server already exists at the destination, this property specifies whether the data from the file being transferred should be appended to the existing file. If set to True, the data is appended. If set to False, the file at the destination server is overwritten
  • Folder Path – Specifies the folder path on the secure FTP server where the file is copied
  • Port – Specifies the port address for the secure FTP server on which the file transfer takes place
  • Server Address – Specifies the server name or IP address of the secure FTP server
  • Target File Name – Specifies the name with which the file is transferred to the secure FTP server. You can also use macros for the target file name

  • Click Apply and OK again to save settings

Monitor the SFTP Location using BizTalk360

From the v8.4, under File Location in the Monitoring section, BizTalk360 has the capability to monitor SFTP servers. File Location Monitoring will list all the locations configured in the BizTalk artifacts (Send Ports and Receive Locations) for the SFTP Transport type. This helps users to easily monitor all the SFTP locations mapped within the Receive Locations/Send Ports.

It contains four sections:

  • SSH Server Section has the details about the SFTP Location
  • The Proxy Details Section is optional to connect to a SFTP Server behind a firewall

Note: In BizTalk, Proxy details are available from BizTalk 2013 R2

  • Security Details Section has the authentication details
  • In the SFTP Monitoring Config Section, you can configure the monitor with threshold conditions for the metric File Count

Based on the  need, you can monitor the location with threshold conditions. If the specific condition is met, the user gets notified through an email, a SMS or another communication channel.

For monitoring the SFTP server, BizTalk360 uses the third-party tool nSoftware. Using the nSoftware IPWorks SSH product, BizTalk360 connects to the secure server with Private Keys and password for monitoring the location.

For monitoring the SFTP in BizTalk360 you can refer the knowledge base in this link.

See below, some code snippets for connecting to the secure server using nSoftware.

Password Authentication


sftp.SSHUser = “test”;
sftp.SSHPassword = “password”;
sftp.SSHPort = 22;
sftp.SSHHost = “SSHHost”;
sftp.Config(“SSHAcceptServerHostKeyFingerPrint=6a:d3:65:96:d1:9f:9d:f9:57:4e:6b:3b:11:57:5a:15”);
sftp.SSHLogon(sftp.SSHHost, sftp.SSHPort);
Console.WriteLine(“Authenticated”);
sftp.SSHLogoff();


Public key Authentication
 
sftp.SSHUser = "test";
sftp.SSHCert = new Certificate(CertStoreTypes.cstPPKKeyFile, "....filesserver_cert.pem", "test", "*");
sftp.SSHAuthMode = SftpSSHAuthModes.amPublicKey;
sftp.SSHPort = 22;
sftp.SSHHost = "SSHHost";
sftp.Config("SSHAcceptServerHostKeyFingerPrint=6a:d3:65:96:d1:9f:9d:f9:57:4e:6b:3b:11:57:5a:15");
sftp.SSHLogon(sftp.SSHHost, sftp.SSHPort);
Console.WriteLine("Authenticated");
sftp.SSHLogoff()

Conclusion



This article demonstrates the creation of a SFTP Server. Using the SFTP server in BizTalk Receive Locations and Send Ports, you can send files securely and monitor the SFTP server using BizTalk360.
If you have any feedback or suggestions, please write to us at support@biztalk360.com.
Access Denied and COM Activation failure after installing Windows July 2018 Security Updates

Access Denied and COM Activation failure after installing Windows July 2018 Security Updates

Recently Microsoft rolled out the July 2018 .NET Framework Security Updates. These Security Updates caused series of errors in the BizTalk Server Administration Console, SharePoint, Internet Information Server (IIS) with classic ASP and .NET applications which use impersonation.

Related to BizTalk Server, the issue is that BizTalk server relies on a COM component, that runs with restricted permissions. This COM component may fail to start after installing the July 2018 Security Updates.

For BizTalk360 to monitor the BizTalk server, it needs that the BizTalk Server Administrator components are installed in the server. But when the BizTalk360 server is also updated with the security patches, the same errors will occur while accessing the BizTalk applications and their artifacts. Many of our customers raised support tickets to BizTalk360 support channel, as they were not aware of these issues due to the windows security patch.

How the errors occur in BizTalk360 and in BizTalk Server

The com exception will occur in BizTalk360 only after the July 2018 security patch update is installed on the servers. The issue will pop up on many occasions as mentioned below.

While accessing,

  •  BizTalk360 application 
  • BizTalk Applications and their artifacts
  • Hosts and Host Instances

Following screenshot refers, how the exception appears in BizTalk360.

access denied and com activation failure in BizTalk Server

When launching BizTalk Server, a series of errors appear from Hosts and Host Instances.

Here are the errors that occurred in the BizTalk Admin console, When trying to access the host instance

access denied and com activation failure in BizTalk Server

Root Cause of the problem

Let ’s have a look at the root cause of these issues in detail. The Microsoft .NET Framework runtime uses the process token to determine whether the process is running within an elevated security context. These system calls can fail if the required process inspection permissions are not present. This causes an “access denied” error. However, these errors might reveal themselves with other error messages, as we have seen from the screen prints earlier in this article.

A temporary workaround is discussed in this MSDN thread. The simplest workaround is to uninstall the security patch and everything will be back to normal.

Resolution

The latest patch was re-released by Microsoft on July 30, 2018. This update helps to resolve this issue. This patch has different versions applicable to your operating system and .NET Framework installed.

  • 4346877Update for Windows 10, version 1607 and Windows Server 2016: July 30, 2018
  • 4346406Update for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 and 4.7.2 on Windows 8.1, RT 8.1 and Server 2012 R2 (KB 4346406): July 30, 2018
  • 4346405Update for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 and 4.7.2 on Windows Server 2012 (KB 4346405): July 30, 2018
  • 4346407Update for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 and 4.7.2 on Windows 7 SP1 and Server 2008 R2 SP1 and .NET Framework 4.6 on Server 2008 SP2 (KB 4346407): July 30, 2018
  • 4346408Update for .NET Framework 4.5.2 on Windows 8.1, RT 8.1 and Server 2012 R2 (KB 4346408): July 30, 2018

For detailed information about latest patch release, please click this link. Microsoft had also suggested a workaround for the issue but with the following warning message:

Warning: The workarounds may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend these workarounds. However, we are providing this information so that you can implement the workarounds at your own discretion. Use these workarounds at your own risk.

Customer Feedback

We have received quite a few support tickets on this specific cases from our customers who have recently update the security patches. Because, the problem lies with BizTalk Server, It has affected the BizTalk360 as well while accessing the applications. We informed the customers about the reason for the error. The new patches are uninstalled, BizTalk360 and BizTalk Server will be back to normal. Here is a happy feedback from our most valued customers.

BizTalk360 Custom Email Templates

BizTalk360 Custom Email Templates

With this release of BizTalk360(v8.5), the user can customize email template. The earlier version of BizTalk360 only has a capability to change the color of the email body, font, logo, background, footer background etc. Most of our customer had requested to customize the email alert with more comprehensive improvements, so we have revamped the email template module with more additional functionalities to simplify and customize the email notification. This allows to create and manage custom templates for notifications.

The user can able to create a template with an in-built XSLT validator with preview options. Email template can be used in different alarms with light or dark theme, which helps to

• grab the support team’s attention to take on the relevant actions.
• choose different theme templates to indicate different business cases.
• easily identify which template belongs to which environment.

So, let’s us look how to create a template in the newer version of BizTalk360.

Creating Template

In BizTalk360, Manage Email Template can be found in the monitoring and notification section of setting side. While installing the newer version, the default template “BizTalk360 Email Template” will be used for all the existing or newly created alarm.

BizTalk360 Email Template Grid

For creating a new template, click on “NEW” icons as shown in above picture, a blade opens for providing the basic details like template name, description of the template, toggle button for making it as default template as shown in the picture below.

Custom Template Creation

In the following section, the user can edit and provide their own data like display name, email address, logo text, footer text etc.same as previous versions for a better manageability.

Email settings

Theme

Initially, BizTalk360 provides a default template “BizTalk360 Email Template” with a light elegant theme. Themes are also available in two variants light and dark. A user can able to choose light or dark theme while creating a template.

However, the earlier version of BizTalk360 email colors are chosen by selecting colors from color picker and here we came up with the idea of providing “themes” instead of simply selecting the color code for the email template.

We categorized themes into two
• Light Theme
• Dark Theme

Light Theme

Light Theme

Dark Theme

Dark Theme

We are not restricting the user to simply selecting light or dark theme, we have also provisioned to edit the themes.

Theme Settings

Under the edit theme color settings, a user can choose 6 Body BG color which represents different themes for light and dark. Once the theme is selected, “PREVIEW TEMPLATE” option is being provided to cross check the desired changes on a new blade.

Once the template is created, it will be displayed in the main grid of Manage Email Templates page.

Email Template Grid

XSLT

BizTalk360 uses XSLT (eXtensible Stylesheet Language Transformations) as a styling language for customizing the email template. The XSLT file editing option is being provided to a user for changing font family and font size. “Please do not change any logic in XSLT file, as this might corrupt the mailing functionality”. This facility is available in the edit section of each template by clicking the edit gear icon.

XSLT Edit

Once the changes are made in the XSLT file, the inbuilt XSLT validator verifies the XSLT file and allows the user to save the file after successful verification.

The “Preview Template” option is provided in edit section to make sure the desired changes have been made in XSLT file.

Alarm Configuration

In the alarm configuration section, we have customized for a user-friendliness to choose the template that has been created at the manage email module. Also, we made the notification channel to be available in the Alarm configuration page itself. We have made the email configuration optional if the notification channel is being enabled so that either one of the choices can serve the purpose.

Alarm

Conclusion

BizTalk360 already had a feature to format email template, with its latest release v8.5 it fills the gap by adding the ability to customize, create and manage template for different alarms based on user preference. Keep your mailing color codes intact with your thoughts using our customized email template feature. If you have any feedback or suggestion, please feel free to write to us at support@biztalk360.com.