Routing requests via SSH2 on the Layer 7 Gateway

Document ID : KB000057585
Last Modified Date : 14/02/2018



Support for the SSH File Transfer Protocol for outbound message processing was introduced in version 6.1.5 of the Layer 7 Gateway. This allows the Gateway to open connections via SSH2 and upload or download files from a remote system using the SSH File Transfer Protocol. It also allows the Gateway to act as an SCP or SFTP proxy via an inbound Listen Port. The latter is outside the scope of this tutorial.


Leveraging outbound SSH2 is done with the Route via SSH2 assertion. This assertion has the following primary capabilities:

  1. PUT via SFTP
  2. GET via SFTP
  3. PUT via SCP
  4. GET via SCP

The PUT command for either implementation allows the Gateway to upload a file to a remote server accepting SSH2 connections. The GET command for either implementation allows the Gateway to download a file from a remote server accepting SSH2 connections. Connecting to a server via SFTP also allows for other, more specific commands which are outside the scope of this tutorial. More information on these commands can be found within the Layer 7 Policy Authoring User Manual.

Adding the Route via SSH2 assertion will open the SSH2 Routing Properties dialog. This dialog contains several tabs for customizing the outbound SSH2 request. The first and most important setting is the specific protocol to be used: SCP or SFTP. The other connection settings (such as the host name, port number, and timeout values) are also configured in the Connection tab. An example configuration of the Connection Settings is shown below:

A screen capture displaying the Connection Settings section of the SSH2 Routing Properties dialog

The Connection tab is also used to specify which SSH2 command is used once connected to the remote server. This allows you to specify a command (such as PUT, GET, DELETE, or LIST). The example configuration below shows how to configure the assertion to download a particular file from the remote host. Each command available in the drop-down box has its own required fields and is documented in the Layer 7 Policy Authoring User Manual within the table titled "Command Types for the Command Selection drop down list."

A screen capture displaying the Commands section of the SSH2 Routing Properties dialog

The Authentication tab can be configured to use the inbound credentials gathered with the Require SSH2 Credentials assertion, or a static set of credentials to use for each request. The Gateway can capture an SSH2 request's credentials and forward them to the outbound server, but only if that request came in on an SSH2-enabled listen port. If external authentication is required when consuming this service via HTTP(S) or any non-SSH2 protocol, then the normal Require assertions can be leveraged and passed through. Static credentials can be used if a particular server only allows one particular account. This allows an administrator or policy developer to authorize the outbound SSH2 request while still requiring other authentication methods that the back-end SSH2 server may not be able to process (such as HTTP Basic or client certificates).

The Advanced tab allows an administrator to specify options to accommodate specific implementations. It is not recommended that these values be changed unless there are known limitations in the back-end SSH2 server that need to be accommodated. Questions regarding these properties and their implementation should be forwarded to Layer 7 Support at CA Technologies.

Once the assertion is saved, the published service policy will be able to connect to a remote SSH2 server and perform the requested command with the specified options.

1. Create a new listener port, set ssh2 as the protocol and save it. Please see the Layer 7 Policy Manager User Manual for more information on how to do this.
2. Create a new policy using the attached *.xml file.
3. Test this from the command line using a command such as the following: scp -P {newPortNumber} {} {user}@{gatewayFQDN}:/{customResolutionPath}


{newPortNumber}: The listen port created in step 1
{}: The name of the file you wish to send
{user}: The username to be checked against the LDAP
{gatewayFQDN}: The FQDN of the gateway you are connecting to
{customResolutionPath}: The resolution path of the service created in step 2
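The following script is an added example, not part of this KB article or the Layer 7 product: it wraps the manual scp test from step 3 so the check can be repeated while the policy is being developed. Every value it takes (port, file, user, gateway FQDN, resolution path) is a placeholder you supply. It validates the placeholders before running anything, uses scp's upper-case -P for the port (lower-case -p means "preserve times", and a test that uses it silently goes to port 22 instead of the new listen port), and reports the scp exit status so a failed upload can be traced back to the listen port, the resolution path, or the LDAP credentials.

```shell
#!/bin/sh
# Added example (not from the KB article): wraps the scp test of step 3.
# All arguments are placeholders supplied by the caller; no real gateway is assumed.

# build_scp_cmd PORT FILE USER GATEWAY_FQDN RESOLUTION_PATH
# Prints the scp command line that targets the gateway's SSH2 listen port.
build_scp_cmd() {
  [ $# -eq 5 ] || { echo "usage: build_scp_cmd PORT FILE USER FQDN PATH" >&2; return 2; }
  port=$1 file=$2 user=$3 gw=$4 path=$5
  for v in "$port" "$file" "$user" "$gw" "$path"; do
    [ -n "$v" ] || { echo "build_scp_cmd: empty argument" >&2; return 2; }
  done
  # scp takes the port as -P (upper case); -p is "preserve times".
  case $port in
    ''|*[!0-9]*) echo "build_scp_cmd: port must be numeric, got '$port'" >&2; return 2 ;;
  esac
  # Strip one leading slash from the resolution path so it is not doubled.
  path=${path#/}
  printf 'scp -P %s %s %s@%s:/%s\n' "$port" "$file" "$user" "$gw" "$path"
}

# run_scp_test PORT USER GATEWAY_FQDN RESOLUTION_PATH
# Creates a small constructed payload file, sends it, and reports the outcome.
run_scp_test() {
  tmp=$(mktemp) || return 1
  printf 'ssh2 routing test %s\n' "$(date -u +%FT%TZ)" > "$tmp"
  cmd=$(build_scp_cmd "$1" "$tmp" "$2" "$3" "$4") || { rm -f "$tmp"; return 2; }
  echo "running: $cmd"
  if eval "$cmd"; then
    echo "upload accepted; the Require SSH Credentials and audit assertions should now show in the gateway audit log"
    rc=0
  else
    rc=$?
    echo "upload failed (scp exit $rc): check that the listen port protocol is ssh2, the resolution path matches the service, and the LDAP credentials are valid" >&2
  fi
  rm -f "$tmp"
  return $rc
}
```

Usage: `run_scp_test 2222 alice gw.example.com /sftp-demo` (all constructed values). Because the user is authenticated against LDAP with a password, the script deliberately does not set BatchMode, which would suppress the password prompt and make every run fail.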

In the attached policy:

Require SSH Credentials: This pulls the credentials used when connecting via the command in step 3 so they can be authenticated.
Auth Against LDAP: Self-explanatory.
Audits: The first one pulls the username and the second pulls the password. These context variables can be used in the routing assertion when forwarding the file via HTTP(S).