IBM Support

How to configure a public key authentication mode for a DataPower SFTP service

Technote (FAQ)


How can I configure a public key user authentication mode for a WebSphere DataPower SOA appliance service that creates files on an SFTP backend?


See Using the WebSphere DataPower SOAP appliance to send files to an SFTP Back-End for information on the basic configuration steps for an SFTP service. To modify the basic configuration to use a public key type of user authentication, follow the steps below.

Generate an RSA key

  1. In the DataPower WebGUI, select Administrator->Crypto Tools and then Generate Key after entering the following values. See the related URLs section below for more information on Crypto Tools.
    • In the "Common Name (CN)" field, enter the user name to be authenticated in the SSH server.
    • Do not set a password, leave the password field blank.
    • Export Private Key = on which exports the private key to the temporary folder on the appliance so that it can be recovered if necessary.
  2. In the SSH Client Profile object configuration
    • Enter the "User Name" to be used to authenticate in the SSH server (the same user name you used in the key's Common Name)
    • Check the Public Key checkbox, and uncheck the Password check box to ensure only public key authentication will be used.
    • Choose the new key you created in the User Private Key pull down menu.
    • Leave the other settings with default values.

Export the RSA public key data

The DataPower setup is complete. You will now configure the SSH server to allow for public key authentication of the DataPower client using the user name you configured.

Although configuration requirements will depend on your SSH server, you may need to append the public key data from the RSA key to an authorized keys file on the SSH server. One easy way to extract the RSA public key data is to use a new DataPower crypto tool newly available in 3.8.1.x firmware:

  1. Go to "Administration->Crypto Tools" in the DataPower WebGUI.
  2. On the main panel, click on "Convert Crypto Key Object" tab.
  3. Select the private key you want to use on the pull down menu
  4. Enter a file name, for example temporary:///
  5. Click on "Convert Crypto Key Object".
  6. Download the file created.

Use the exported RSA public key data to configure your SSH server
Refer to the documentation for your SSH server for information on how to include the RSA public key data you have exported in the SSH server configuration. In some cases, you might add the one line from the file into an authorized_keys file on the SSH server. Follow instructions on the the location and permissions required for the configuration files you update.

Related information

Using DataPower to send files to SFTP

Document information

More support for: IBM DataPower Gateways

Software version: 4.0, 4.0.1, 4.0.2, 5.0.0, 6.0.0

Operating system(s): Firmware

Software edition: Edition Independent

Reference #: 1446015

Modified date: 2010-10-12