FTP vs. PGP vs. SFTP vs. FTPS
Plain FTP does not provide security properties such as confidentiality (against eavesdropping) and integrity (against tampering). FTP provides authentication, but it is plain text. As such, plain FTP is insecure and strongly discouraged.
Even coupled with PGP file encryption and signature verification to protect the contents of the file, the protocol, the credentials, the files and the folders are still vulnerable.
On the other hand, SFTP provides secure file transfer over an insecure network. SFTP is part of the SSH specification. This is what I will explore in this post.
There is also FTPS (also known as FTP-SSL and FTP Secure). Maybe I will explore that in another post.
MEC 9.x, 10.x, 188.8.131.52
If you have MEC 184.108.40.206 or earlier, your MEC does not have full built-in support for SFTP or FTPS. I found some traces in MEC 10.4.2.0, 11.4.1 and 11.4.2. And I was told that support for SFTP was made as a plugin sort of, in some MEC 9.x version; maybe they meant FTPS. Anyway, if you are handy, you can make it work. Or you can manually install any SFTP/FTPS software of your choice and connect it to MEC. Do not wait to secure your file transfers.
MEC 220.127.116.11 comes with built-in support for SFTP, and I found traces of FTPS. Unfortunately, it did not yet ship with documentation. I was told a writer is documenting it now. Anyway, we can figure it out by ourselves. Let’s try.
By looking deeper at the Java classes, we find JCraft JSch, a pure implementation of SSH2 in Java, and Apache Commons VFS2:
In this post, I will explore the SFTPOut channel in MEC which is an SFTP client for MEC to exchange files with an existing SFTP server.
Prior to setting up MEC SFTPOut, we have to ensure our MEC host can connect to the SFTP server. In my case, I am connecting to example.com [18.104.22.168], on default port 22, with userid mecuser, and path /outbound. Contact the SFTP server administrator to get the values, and eventually contact the networking team to adjust firewall rules, name servers, etc.
Then, do an SSH test (in my example I use the OpenSSH client of Cygwin). As usual with SSH TOFU, verify the fingerprint on a side channel (e.g. via secure email, or via phone call to the administrator of the SFTP server assuming we already know their voice):
Optionally, compile and execute the Sftp.java example of JSch. For that, download Ant, set JAVA_HOME and ANT_HOME in build.bat, set the user@host in Sftp.java, and execute this:
javac -cp build examples\Sftp.java
java -cp build;examples Sftp
Those tests confirm our MEC host can successfully connect to the SFTP server, authenticate, and exchange files (in my case I have permissions to put and retrieve files, not to remove files).
Now, we are ready to do the same SFTP in MEC.
I have not yet played with all the file name options.
The option for private key file is for key-based client authentication (instead of password-based client authentication). For that, generate a public/private RSA key pair, for example with ssh-keygen, and send the public key to the SFTP server administrator, and keep the private key for MEC.
The proxy settings are useful for troubleshooting.
Now, we are ready to use the channel as we would use any other channel in MEC.
- The SFTPOut channel does not allow us to verify the key fingerprint it receives from the SFTP server. Depending on your threat model, this is a security vulnerability.
- There is a lack of documentation (they are working on it)
- At first, I could not get the Send test message to work because of the unique file name (I am not familiar with the options) and the jzlib JAR file (see below).
- MEC is missing JAR file jzlib, and I got this Java stacktrace:
com.jcraft.jsch.JSchException: java.lang.NoClassDefFoundError: com/jcraft/jzlib/ZStream
I was told it should be resolved in the latest Infor CCSS fix. Meanwhile, download the JAR file from JCraft JZlib, copy/paste it to the following folders, and restart MEC Grid application and Partner Admin:
- Passwords are stored in clear text in the database, that is a security vulnerability yikes!
SELECT PropValue FROM PR_Basic_Property WHERE PropKey='Password'. I was told it should be fixed in the Infor Cloud branch, and is scheduled to be merged back.
- With the proxy (Fiddler in my case), I was only able to intercept a CONNECT request, nothing else; I do not know if that is the intention.
- In one of our customer environments, the SFTPOut panel threw:
When I have time, I would like to:
- Try the SFTPPollIn channel, it is an SFTP client that polls an existing SFTP server at a certain time interval
- Try the private key-based authentication
- Try SFTP through the proxy
- Try FTPS
- Keep an eye for the three fixes (documentation, jzlib JAR file, and password protection)
This was an introduction about MEC’s support for SFTP, and how to setup the SFTPOut channel for MEC to act as an SFTP client and securely exchange files with an existing SFTP server. There is more to explore in future posts.
Please like, comment, subscribe, share, author. Thank you.
- Corrected definition of SFTPPollIn (it is not an SFTP server as I had incorrectly said)
- Added security vulnerability about lack of key fingerprint verification in MEC SFTPOut channel
- Emphasized the security vulnerability of the passwords in clear text