Friday, 27 September 2019

Oracle MFTCS Configurations

  • MFT configuration is done through the MFT console (mftconsole).
  • Log in to the MFT console with an administrator account.
  • After login, select the Administration tab in the right-hand corner.
  • The following configuration areas are available:

Server Properties
  1. Payload Storage Directory
    • domain_dir/mft/storage
  2. Callout Directory
    • domain_dir/mft/callout
  3. Store Inline Payload: File or DB (where inline payloads are kept, on the file system or in the database)
  4. Number of processors (worker threads) for Source, Transfer and Target
  5. Control Directory
    • domain_dir/mft/control_dir
  6. Inbound datasource JNDI name
  7. Outbound datasource JNDI name
Import and Export
  • You can use this section to import and export MFT artifacts (for example when promoting a configuration from one environment to another).
Keystore Management
  1. Keystore
    • MFT uses SSL keys and certificates to secure the embedded FTPS server and SSH keys to secure the embedded SFTP server.
    • Use this section to register the SSL and SSH keystores.
    • Steps to configure SSL certificates:
      • Go to the WLST command-line path
        • /mft/common/bin (under the MFT Oracle home)
      • Start WLST
      • connect("weblogic","welcome1","t3://localhost:7003")
        • A password passed to connect() ends up in the shell and WLST history; in practice call connect() with no arguments so WLST prompts for the user name, password and URL.
      • Access the Oracle Platform Security Services (OPSS) keystore service
      • svc = getOpssService(name='KeyStoreService')
      • Create an SSL keystore
      • svc.createKeyStore(appStripe='<StripeName>', name='<StoreName>', password='<StorePassword>', permission=false)
        • permission is a boolean: false creates a password-protected keystore (what we want here), true creates a permission-protected one that has no password.
        • Example: svc.createKeyStore(appStripe='mft', name='mftDefaultStore', password='Welcome1', permission=false)
      • Generate the SSL key pair:
        • svc.generateKeyPair(appStripe='mft', name='mftDefaultStore', password='Welcome1', dn='cn=www.thesnventerprise.com', keysize='2048', alias='mftssl', keypassword='Welcome2')
        • Use a key size of at least 2048; 1024-bit RSA keys are no longer acceptable for TLS. The dn should carry the host name clients connect to, since clients check it against the certificate.
        • Exit WLST.
      • Go back to the MFT console, Administration tab.
      • Select Keystore.
      • Enter the Stripe and Name values used in the commands above (mft and mftDefaultStore in the example).
      • Enter the keystore password and the private key password (Welcome1 and Welcome2 in the example) in the respective fields and confirm each by entering it again.
      • Save the changes.

    • Before the SSH keystore can be configured in the console we need to generate a password-protected SSH host key.
    • For a remote server to place files on the embedded SFTP server, we create this SSH key, import it into the credential store (CSF) and configure it in the MFT console.
    • Use the following steps.
      • Go to the WLST path
        • /mft/common/bin
      • Start WLST.
      • connect("weblogic","welcome1","t3://managed_server_host:PORT")
      • Generate the key either with the MFT WLST command or with ssh-keygen (one or the other, not both):
      • generateKeys('SSH', 'Welcome1','/custom/path/ssh-pvt-keys.ppk')
      • ssh-keygen -t rsa -b 2048 -m PEM -f /custom/path/ssh-pvt-keys.ppk -N Welcome1
        • -m PEM matters on OpenSSH 7.8 and later: without it ssh-keygen writes the newer openssh-key-v1 format, which the MFT import may reject as an invalid private key. The .ppk extension here is only a file name; the content must be an OpenSSH/PEM key, not PuTTY's .ppk format.
      • Import the key
        • importCSFKey('SSH', 'PRIVATE', 'mftssh', '/custom/path/ssh-pvt-keys.ppk')
        • Output: CSF key imported successfully.
        • The key is now held in the credential store under the alias mftssh.
      • Exit WLST.
      • Go to Keystore in the MFT console.
      • Enter, as the SSH keystore password, the password given in the generateKeys command (or the -N passphrase given to ssh-keygen).

    • Use the following steps to let a remote server access the embedded SFTP server.
      • Ask the remote server admin to generate an SSH key pair.
      • Get the public key (the .pub file) from the remote user; never accept or transport their private key.
      • If the MFT host also runs OpenSSH and the same account should be able to log in there, add the public key to that account's authorized_keys:
        • cat ~/.ssh/remote_pub_key.pub >> ~/.ssh/authorized_keys
      • Import the public key into MFT with the WLST command:
        • importCSFKey('SSH', 'PUBLIC', 'MFT_RM_USER', '/home/oracle/.ssh/authorized_keys')
        • The file passed here should contain just this user's key, so importing the .pub file itself is the cleaner choice.
      • Note: the alias (MFT_RM_USER here) must be exactly the user name the remote server will log in with. The embedded SFTP server is a Java server running inside WebLogic; it authenticates the key against the CSF entry stored under that alias, not against the OS authorized_keys file.

Embedded Servers:
  • Use this option to configure the embedded FTP and SFTP servers.
  • Go to the SFTP tab and add the following configuration:
    • Enable SFTP by ticking the Enabled flag.
    • Set the authentication type to PUBLIC (public key authentication).
    • Host Key Alias: the alias under which the SSH host key was imported in the steps above, i.e. mftssh.
  • Configure the port and user access.
    • Select the MFT_RM_USER user from the list. The user must already exist in the WebLogic security realm, and its name must match the alias used when importing the remote public key.
  • After saving the changes, RESTART the embedded server for them to take effect.

PGP Key Configurations:
  • Go to the WLST path.
  • Start WLST.
  • Connect to managed_server:port.
  • Run the following commands to generate the PGP key pair and import both halves:
    • generateKeys('PGP', 'PGPWelcome1','/custom_path/PGP/Keys');
    • importCSFKey('PGP', 'PUBLIC', 'Public_PGP', '/custom_path/PGP/Keys/pub.asc');
    • importCSFKey('PGP', 'PRIVATE', 'Private_PGP', '/custom_path/PGP/Keys/secret.asc');
  • In the admin console, set the PGP keystore password to the password given in the generateKeys command.
  • Which key goes where: partners encrypt files for MFT with the public key (hand out pub.asc, never secret.asc), and MFT decrypts them with the private key (Private_PGP). To encrypt files for a partner, import the partner's public key and use that alias; the private key is for decryption, not for encrypting outbound files.

Note: content encrypted with the public key can only be decrypted by the associated private key, which is a secret known only to its owner.


MFT - Import SSL Certificates for a Secured Connection.
  • Get the certificate from the target server.
  • Use the following command to get the certificate (explicit FTPS on port 21):
  • openssl s_client -connect hostname.com:21 -starttls ftp -showcerts < /dev/null
    • For implicit FTPS (usually port 990) drop -starttls ftp. -showcerts prints the whole chain; if the server certificate is issued by a private CA, import that CA certificate rather than the leaf, so the trust survives certificate renewal.
  • Copy the certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
  • Put the content in a .cer file, for example vi target_server_ssl_certificate.cer (press i to insert, paste, then save).
  • Before trusting it, confirm the fingerprint (openssl x509 -in target_server_ssl_certificate.cer -noout -fingerprint -sha256) with the target server's owner over a separate channel; s_client shows whatever is presented on the wire, which could be a man-in-the-middle.
  • Go to the MFT WLST command folder
  • Sample: cd /u01/app/oracle/middleware/mft/common/bin
  • Run WLST: ./wlst.sh
  • Connect to the WebLogic server.
  • connect('weblogic','$password', 't3s://AdminServer:7002')
  • Access the OPSS keystore service
  • svc=getOpssService(name='KeyStoreService')
  • Import the certificate with the following command
  • svc.importKeyStoreCertificate(appStripe='mft',name='mftDefaultStore', password='$keyStorePassword',alias='$ALIAS_NAME',keypassword='$PasswordForNewCertificate',type='TrustedCertificate',filepath='$FilePath/File_Name.cer')
  • exit()
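The certificate-fetching step above, written as an added example (not code from the original post or from Oracle): it replaces the openssl s_client step with Python's standard library, handles both explicit FTPS (AUTH TLS on port 21) and implicit FTPS (TLS from the first byte), writes the PEM .cer file that importKeyStoreCertificate expects, and prints a SHA-256 fingerprint to confirm with the target server's owner before the certificate is trusted. hostname.com and the output file name are placeholders; only the leaf certificate is retrieved, so for a private CA still use openssl -showcerts to obtain the issuer.

```python
"""Fetch an FTPS server's certificate for importKeyStoreCertificate and show its fingerprint.
Added example, not Oracle code. Covers the openssl s_client step for explicit FTPS
(AUTH TLS on port 21, the -starttls ftp case) and implicit FTPS (TLS from the first
byte, usually port 990), and prints a SHA-256 fingerprint to confirm out of band."""
import hashlib
import socket
import ssl
import sys
from ftplib import FTP_TLS


def _fetch_context() -> ssl.SSLContext:
    # Verification is off on purpose: we are retrieving the certificate in order to decide
    # whether to trust it, so there is nothing to verify against yet. Never reuse this
    # context for real transfers.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_ftps_leaf_der(host: str, port: int = 21, implicit: bool = False, timeout: float = 10.0) -> bytes:
    """Return the leaf certificate the server presents, in DER form (chain not included)."""
    ctx = _fetch_context()
    if implicit:                                   # TLS handshake before any FTP command
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    ftp = FTP_TLS(context=ctx, timeout=timeout)
    try:
        ftp.connect(host, port)
        ftp.auth()                                 # AUTH TLS: upgrade the control channel
        return ftp.sock.getpeercert(binary_form=True)
    finally:
        ftp.close()


def der_to_pem(der: bytes) -> str:
    return ssl.DER_cert_to_PEM_cert(der)


def pem_to_der(pem: str) -> bytes:
    return ssl.PEM_cert_to_DER_cert(pem)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint, the form 'openssl x509 -fingerprint' prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def save_cer(der: bytes, path: str) -> str:
    """Write the PEM .cer file that importKeyStoreCertificate(filepath=...) expects."""
    pem = der_to_pem(der)
    with open(path, "w") as fh:
        fh.write(pem)
    return pem


if __name__ == "__main__":
    # usage: python fetch_ftps_cert.py hostname.com 21   or   python fetch_ftps_cert.py hostname.com 990 implicit
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 21
    der = fetch_ftps_leaf_der(host, port, implicit=len(sys.argv) > 3 and sys.argv[3] == "implicit")
    out = "target_server_ssl_certificate.cer"
    save_cer(der, out)
    print("wrote", out)
    print("SHA-256:", sha256_fingerprint(der))
    print("confirm this fingerprint with the target server's owner before running importKeyStoreCertificate")
```

Compare the printed fingerprint with what the remote administrator reads back from their own server (openssl x509 -noout -fingerprint -sha256 on their side) before passing the .cer file to importKeyStoreCertificate; a matching fingerprint is what turns "the certificate the network showed me" into a certificate worth trusting.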

MFT - Import PRIVATE Keys (for example the client key MFT uses to authenticate to a remote SFTP server):
  • cd /u01/app/oracle/middleware/mft/common/bin
  • ./wlst.sh
  • connect("weblogic","password","t3://managed_server:port")   (the MFT managed server port, 9073 in this environment)
  • importCSFKey('SSH', 'PRIVATE', 'CLIENT_PRIVATE_KEY', '/u01/app/oracle/tools/home/oracle/CLIENT_AWS_SFTP_privatekey.ppk')
    • The file must be an OpenSSH/PEM private key. A genuine PuTTY .ppk file (first line PuTTY-User-Key-File-...) is not accepted; export it first with PuTTYgen (Conversions > Export OpenSSH key).
    • The alias (CLIENT_PRIVATE_KEY) is what you later select in the source or target that connects to that remote server.
  • Output: CSF key imported successfully
  • exit()
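A pre-flight check for the files handed to importCSFKey, covering the SSH key generated above (generateKeys or ssh-keygen), the pub.asc and secret.asc files of the PGP section, and the client private key imported here. This is an added example, not code from the original post or from Oracle. It reads the file offline and reports the format, which import command applies, and the things that make the import fail in practice: a key in the newer openssh-key-v1 format or in PuTTY's .ppk format, a truncated copy/paste, and a PGP armor block whose CRC-24 checksum no longer matches. Which formats MFT accepts is stated here as the editor's expectation, not as Oracle documentation; the sample key files are constructed byte strings, not real keys.

```python
"""Pre-flight check for key files before importCSFKey / importKeyStoreCertificate.
Added example, not Oracle code: inspects a key file offline and reports which MFT
import command applies and whether the import is expected to accept the file."""
import base64
import binascii
import re

PGP_CRC24_INIT, PGP_CRC24_POLY = 0xB704CE, 0x1864CFB


def pgp_crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1, the checksum on the '=XXXX' armor line."""
    crc = PGP_CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= PGP_CRC24_POLY
    return crc & 0xFFFFFF


def _split_armor(text):
    """Split a PEM/armored block into (label, headers, body_bytes, crc_line); None if not armored."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----\s*\n(.*?)-----END \1-----", text, re.S)
    if not m:
        return None
    headers, body_lines, crc_line, in_headers = {}, [], None, True
    for ln in (ln.strip() for ln in m.group(2).strip().splitlines()):
        if in_headers and ":" in ln:          # "Proc-Type: 4,ENCRYPTED", "Version: ..."
            key, _, value = ln.partition(":")
            headers[key.strip()] = value.strip()
            continue
        in_headers = False
        if ln.startswith("="):                # PGP armor checksum line
            crc_line = ln[1:]
        elif ln:
            body_lines.append(ln)
    try:
        body = base64.b64decode("".join(body_lines), validate=True)
    except (binascii.Error, ValueError):
        body = None                           # truncated or mangled copy/paste
    return m.group(1), headers, body, crc_line


def _verdict(fmt, importable, action, **extra):
    return dict({"format": fmt, "importable": importable, "action": action}, **extra)


def check_key_file(text: str) -> dict:
    """Classify a key or certificate file and say how (and whether) MFT can import it."""
    text = text.strip()
    if text.startswith("PuTTY-User-Key-File-"):
        return _verdict("putty-ppk", False, "PuTTY format: export with PuTTYgen (Conversions > Export OpenSSH key)")
    if re.match(r"(ssh-rsa|ssh-ed25519|ecdsa-sha2-\S+) [A-Za-z0-9+/=]+", text):
        return _verdict("openssh-public-key", True, "importCSFKey('SSH', 'PUBLIC', '<login name>', path)")
    parsed = _split_armor(text)
    if parsed is None:
        return _verdict("unknown", False, "not a PEM, PGP-armored or OpenSSH key file")
    label, headers, body, crc_line = parsed
    if body is None:
        return _verdict(label.lower(), False, "base64 body is corrupt (truncated copy/paste?)")
    if label == "OPENSSH PRIVATE KEY":       # openssh-key-v1: the ssh-keygen default since OpenSSH 7.8
        return _verdict("openssh-v1-private-key", False,
                        "new OpenSSH format: rewrite as PEM with ssh-keygen -p -m PEM -f <file>")
    if label in ("RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY"):
        if body[:1] != b"\x30":               # DER always starts with an ASN.1 SEQUENCE
            return _verdict("pem-private-key", False, "body is not DER; file is damaged")
        encrypted = headers.get("Proc-Type", "").startswith("4,ENCRYPTED")
        hint = ("passphrase-protected: enter the passphrase as the SSH keystore password in the console"
                if encrypted else "no passphrase on this key")
        return _verdict("pem-private-key", True, "importCSFKey('SSH', 'PRIVATE', alias, path); " + hint,
                        encrypted=encrypted)
    if label in ("PGP PUBLIC KEY BLOCK", "PGP PRIVATE KEY BLOCK"):
        if crc_line is not None and (len(crc_line) != 4 or
                                     int.from_bytes(base64.b64decode(crc_line), "big") != pgp_crc24(body)):
            return _verdict("pgp-armor", False, "armor CRC-24 mismatch: .asc file altered or truncated")
        kind = "PUBLIC" if "PUBLIC" in label else "PRIVATE"
        return _verdict("pgp-armor", True, "importCSFKey('PGP', '%s', alias, path)" % kind)
    if label == "CERTIFICATE":
        return _verdict("x509-certificate", True,
                        "not a key: use svc.importKeyStoreCertificate(..., type='TrustedCertificate', filepath=path)")
    return _verdict(label.lower(), None, "unrecognised PEM label; try the import and see")


# Constructed samples (not real keys): minimal DER / magic bytes, base64-encoded.
def _armor(label, data, crc_of=None):
    crc = pgp_crc24(data if crc_of is None else crc_of).to_bytes(3, "big")
    return ("-----BEGIN %s-----\nVersion: constructed sample\n\n%s\n=%s\n-----END %s-----\n"
            % (label, base64.b64encode(data).decode(), base64.b64encode(crc).decode(), label))


SAMPLE_PEM_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                        + base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
                        + "\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_OPENSSH_V1 = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                     + base64.b64encode(b"openssh-key-v1\x00" + b"\x00" * 8).decode()
                     + "\n-----END OPENSSH PRIVATE KEY-----\n")
SAMPLE_PGP_PUBLIC = _armor("PGP PUBLIC KEY BLOCK", b"\x99\x00\x03\x04\x01\x02")
SAMPLE_PGP_CORRUPT = _armor("PGP PUBLIC KEY BLOCK", b"\x99\x00\x03\x04\x01\x03",   # last body byte changed,
                            crc_of=b"\x99\x00\x03\x04\x01\x02")                     # checksum left unchanged
```

Run check_key_file(open(path).read()) on each file before the WLST session; a verdict with "importable": False tells you what to fix (ssh-keygen -p -m PEM rewrites an existing OpenSSH-format key in place as PEM, asking for the old and new passphrase) and saves a round trip through WLST for an error message that names only the alias.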

Reference : https://docs.oracle.com/middleware/12213/opss/IDMCR/keystore_service_wlst.htm#IDMCR566

Error Scenario:
Traceback (innermost last):
File "<console>", line 1, in ?
NameError: svc

Solution: svc has not been assigned in this WLST session. After connect(), run svc = getOpssService(name='KeyStoreService') and then re-run the import command. WLST variables do not survive exiting and restarting the shell, so the assignment has to be repeated in every new session.



2 comments:

  1. Thanks and very useful information

  2. Thanks for your tutorial. Any help? I always get

    'mftssh', Key details not available, invalid private key.

    regards
