on 06-04-2011 10:44 AM
Hello All
I have to achieve secure FTP communication with SAPFTP in my ECC 6.0 running on AIX 5.3 OS. At present we use normal FTP communication, which is not secured, and a demand came from the Audit team to implement a secure way of communication. I have referred to the below note, which says you can achieve it through SSH. I searched a lot but couldn't find the right information.
Note 795131 - FAQ: How to make Secure FTP communication with SAPFTP
Can you please give me ideas or steps to achieve the same? I am not sure how and where to start. I have checked my AIX box; SSH comes by default with the installation and I just need to configure the same.
Link to configure SSH on AIX
http://publib.boulder.ibm.com/infocenter/tivihelp/v14r1/index.jsp?topic=/com.ibm.tivoli.tpm.sec.doc/security/tsec_opensshaix.html
Hi Khaiserkm,
OpenSSH provides sftp via the sshd daemon - you can test it by just typing sftp on the machine (OpenSSH also installs an sftp client)
#sftp localhost
Connecting to localhost...
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 3f:c9:16:27:80:30:67:48:76:2f:3e:7c:4c:25:51:05.
Are you sure you want to continue connecting (yes/no)? yes
Are you sure you don't need FTPS (FTP over SSL/TLS, often called Secure FTP)? It is very different and NOT provided by OpenSSH.
If so, you need to install something like vsftpd, or if you have AIX 6 and above you can do this
HTH
Chris
If it is just an SSH install, here are my commands to install SSH on AIX
get ssh
http://sourceforge.net/projects/openssh-aix/
get OpenSSL
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp (getting OpenSSL needs an IBM login)
#cd /tmp
uncompress them
#zcat openssl.0.9.8.802.tar.Z | tar -xvf -
#zcat openssh-5.0_tcpwrap.tar.Z | tar -xvf -
install openssl
/usr/lib/instl/sm_inst installp_cmd -aQd /tmp/openssl.0.9.8.802/ -f alllatest -cNgXGY
[lots of output....]
Installation Summary
-
Name Level Part Event Result
-
openssl.man.en_US 0.9.8.802 USR APPLY SUCCESS
openssl.license 0.9.8.802 USR APPLY SUCCESS
openssl.base 0.9.8.802 USR APPLY SUCCESS
openssl.base 0.9.8.802 ROOT APPLY SUCCESS
install openssh
/usr/lib/instl/sm_inst installp_cmd -aQd /tmp/openssh-5.0_tcpwrap -f alllatest -cNgXGY
[lots of output....]
Installation Summary
-
Name Level Part Event Result
-
openssh.base.client 5.0.0.5301 USR APPLY SUCCESS
openssh.base.server 5.0.0.5301 USR APPLY SUCCESS
openssh.base.client 5.0.0.5301 ROOT APPLY SUCCESS
openssh.base.server 5.0.0.5301 ROOT APPLY SUCCESS
openssh.msg.en_US 5.0.0.5301 USR APPLY SUCCESS
openssh.man.en_US 5.0.0.5301 USR APPLY SUCCESS
File /etc/group has been modified.
File /etc/passwd has been modified.
One or more of the files listed in /etc/check_config.files have changed.
See /var/adm/ras/config.diff for details
Test that it installed OK
openssl version
OpenSSL 0.9.8h 28 May 2008
ssh -V
OpenSSH_5.0p1, OpenSSL 0.9.8h 28 May 2008
ps -ef|grep ssh
root 159882 270364 0 15:57:06 pts/1 0:00 grep ssh
root 250034 131178 0 15:54:01 - 0:00 /usr/sbin/sshd
lssrc -s sshd
Subsystem Group PID Status
sshd ssh 250034 active
Dear Chris ,
Thank you for replying. SSH is installed in my machine (see below). Can you answer the below questions please.
1. What else config is required at AIX level to connect to the FTP server?
2. What configuration needs to be done at SAP level?
Can you please let me know how to proceed now?
<<<<<hostname:D10:/#openssl version
ksh: openssl: not found.
eccdcs1s:D10:/#lssrc -s sshd
Subsystem Group PID Status
sshd ssh 1589418 active
hostname:D10:/#ps -ef | grep ssh
root 1589418 774546 0 May 18 - 0:00 /usr/sbin/sshd
root 4194756 3129450 0 09:48:33 pts/0 0:00 grep ssh
eccdcs1s:D10:/#ssh -v
OpenSSH_4.3p2, OpenSSL 0.9.7g 11 Apr 2005
hsotname:D10:/#ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.7g 11 Apr 2005
hostname:D10:/#openssl version
ksh: openssl: not found.
hostname:D10:/#openSSL version
ksh: openSSL: not found.
hostname:D10:/#sftp localhost
Connecting to localhost...
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 9e:ef:8a:c3:4c:f9:bc:f7:2e:a3:15:34:1a:ab:9f:59.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
sftp>
1. What else config is required at AIX level to connect to the FTP server?
An SSH tunnel needs to be made (see below)
2. What configuration needs to be done at SAP level?
None - it won't know that the FTP came via SSH
Further to (1), you will need to choose a port to redirect (via ssh) to the FTP server - the SSH link is secure and the FTP passes inside it
Here are some good refs (just google "ftp SSH tunneling" or "SSH ftp port forwarding")
http://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch11_02.htm
What happens is that an SSH (SSL) tunnel is established and all of the FTP connections are intercepted by ssh and forwarded to the FTP server (this is not SFTP or FTPS); it's "SSH tunneling", also called "SSH port forwarding"
ssh -L localport:host:hostport user@ssh_server
where:
-L - port forwarding parameters (see below)
localport - local port (choose a port that is not in use by another service)
host - server that has the port (hostport) that you want to forward
hostport - remote port
user - user that has ssh access to the ssh server (computer)
ssh_server - the ssh server that will be used for forwarding/tunneling
You need to put in your users/hosts etc.
Let me know how you go; I have machines I can cut'n'paste an example from
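As an added example (not code from the thread or from any tool named in it), the shell helpers below build the -L forward described above and check where FTP's passive-mode data connection would go relative to that forward. The host names reuse the thread's crmqmi2s/cyg_server; the function names, the forward list format and the 10.0.0.5 address are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for reasoning about an FTP-over-SSH
# port forward. Function names and sample hosts are assumptions for illustration.

# Print the ssh command that forwards a local port to the FTP control port (21)
# on the FTP host through the SSH server (-N: no remote shell, -f: background).
tunnel_cmd() {
    localport=$1; ftphost=$2; sshuser=$3; sshhost=$4
    printf 'ssh -N -f -L %s:%s:21 %s@%s\n' "$localport" "$ftphost" "$sshuser" "$sshhost"
}

# Parse a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply and print the
# host:port the FTP client would open its data connection to (port = p1*256 + p2).
pasv_endpoint() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p' |
        awk -F, '{ printf "%s.%s.%s.%s:%d\n", $1, $2, $3, $4, $5 * 256 + $6 }'
}

# Decide whether that data connection would travel inside the ssh forwards.
# $1 is the PASV reply; remaining args are forwards as localport:host:hostport.
# Only a connection to 127.0.0.1 on a forwarded local port goes through ssh;
# anything else is a direct, unencrypted TCP connection to the advertised host,
# so a single forward of port 21 protects the control channel only.
data_inside_tunnel() {
    reply=$1; shift
    ep=$(pasv_endpoint "$reply")
    host=${ep%:*}; port=${ep##*:}
    for fwd in "$@"; do
        if [ "$host" = 127.0.0.1 ] && [ "$port" = "${fwd%%:*}" ]; then
            echo yes
            return 0
        fi
    done
    echo "no: data channel would go directly to $ep"
}

# Constructed sample run: the thread's host names, a made-up 10.0.0.5 server address.
tunnel_cmd 2001 crmqmi2s cyg_server crmqmi2s
data_inside_tunnel '227 Entering Passive Mode (10,0,0,5,19,137)' 2001:crmqmi2s:21
data_inside_tunnel '227 Entering Passive Mode (127,0,0,1,19,137)' 2001:crmqmi2s:21 5001:crmqmi2s:5001
```

Because a PASV reply advertises the server's own address and a fresh port, a single forward of port 21 protects the login and commands but not the file data; the data port must be forwarded as well (with the server advertising 127.0.0.1), or the transfer should use SFTP instead.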
Dear Chris,
Thank you very much, the links were very helpful. I still have some doubts. My SAP ECC 6.0 is running on AIX and the FTP server is on Windows, so my client would be AIX and the server would be the FTP server on Windows, right?
As per the below link, I have to install and configure an SSH client on AIX and an SSH server on Windows; how can I go about it? I think the SSH client is installed on AIX, but how about the SSH server on Windows? Can you please help me in detail, if possible step by step.
http://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch11_02.htm
Also, what are the commands to be executed to connect from the client (AIX) to the FTP server (Windows)?
I see the below commands in the link; are these sufficient to connect?
client% ssh -L2001:server:21 server
client% ftp localhost 2001
Connected to localhost
220 server FTP server (SunOS 5.7) ready.
Password:
230 User res logged in.
ftp> passive
Passive mode on.
ftp> ls
... and so on
I would appreciate it if you could explain it to me in detail, as I am new to this.
Thanks
Oh, I did not know one end was Windows. SFTP/SCP servers are predominantly developed for POSIX systems, so either a Linux/Unix-like environment/emulator such as Cygwin or a native Windows implementation has to be installed.
Another option would be to compile an open source tool on the target Windows platform from source code - messy.
You can use software like freeSSHd (or Bitvise Tunnelier) to do the SSH tunnel, or just install freeFTPd from WeOnlyDo software to do it all - it does SCP/SFTP file transfers and also FTP and FTPS (FTP over SSL).
freeFTPd is a free implementation of an SFTP/SCP and FTP over SSL server and has the following benefits, to name a few:
• It provides strong encryption and authentication
• Has built-in SFTP and FTPS servers (SSL v3 1024 RSA md5RSA/SHA1)
• Has a built-in FTP (with anonymous mode) server should it ever be required
• Can resume interrupted file transfers
• Supports virtual directories
• Very small install image (less than 2MB)
• Does not require a POSIX/UNIX environment or emulator such as Cygwin to operate
• It can be run non-interactively as a background service
• It logs all connections and transfers
• Passwords stored as SHA1 hashes
• It's free, so no tricky commercial negotiations or licensing
• Can be automatically started at boot time
Chris ,
Thank you
I actually installed and configured the SSH server on Windows using Cygwin. I think I am able to do ssh from the client (AIX) to the FTP server (Windows), see below....
After connecting through ssh, per the link you sent, I have to do PORT FORWARDING using the below command.
ftp localhost 2001 (see output of this below) -- this is actually failing, I think.
Then after that use the passive command ("Passive mode on"); am I correct?
<<<<<<<<<<<<<<<<<<<<
eccdcs1s:D10:/#ssh -L2001:crmqmi2s:21 cyg_server@crmqmi2s
cyg_server@crmqmi2s's password:
Last login: Thu Jul 14 15:05:16 2011 from eccdcs1s
cyg_server@crmqmi2s ~
ls
cyg_server@crmqmi2s ~
pwd
/home/cyg_server
cyg_server@crmqmi2s ~
ftp localhost 2001
Transfers files to and from a computer running an FTP server service
(sometimes called a daemon). Ftp can be used interactively.
FTP [-v] [-d] [-i] [-n] [-g] [-s:filename] [-a] [-A] [-x:sendbuffer] [-r:recvbuffer] [-b:asyncbuffers] [-w:windowsize] [host]
-v Suppresses display of remote server responses.
-n Suppresses auto-login upon initial connection.
-i Turns off interactive prompting during multiple file
transfers.
-d Enables debugging.
-g Disables filename globbing (see GLOB command).
-s:filename Specifies a text file containing FTP commands; the
commands will automatically run after FTP starts.
-a Use any local interface when binding data connection.
-A login as anonymous.
-x:send sockbuf Overrides the default SO_SNDBUF size of 8192.
-r:recv sockbuf Overrides the default SO_RCVBUF size of 8192.
-b:async count Overrides the default async count of 3
-w:buffer size Overrides the default transfer buffer size of 65535.
host Specifies the host name or IP address of the remote
host to connect to.
Notes:
- mget and mput commands take y/n/q for yes/no/quit.
- Use Control-C to abort commands.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>