PGP encryption
For push or pull actions (where the File Transfer job initiates a connection to a remote server directly and uploads or downloads a file), you can use PGP templates in File Transfer jobs to encrypt a file before uploading it to a remote server, or to decrypt it after downloading it to a local host. For more information, see PGP template management.
NOTE: BMC does not provide the PGP utility. You must install it separately.
For incoming files from external partners (where they initiate the connection to the Control-M MFT Enterprise Gateway and upload an encrypted file to the Hub), you can use either processing rules or File Watcher jobs to decrypt them. For more information, see Creating an MFT Enterprise post processing rule.
EXAMPLE: Define a rule whose condition matches files from a specific partner that have a pgp extension, and run a script that decrypts them, so that they are decrypted in the Hub's file system.
Or, define a File Watcher job that watches the specific folder, downloads the file locally, and decrypts it. This can be followed by another job that sends the decrypted file to an application that can process it.
SFTP (SSH)
MFT Client:
- Uses libraries that depend on JCE
- Generates a key pair (OpenSSH libraries; minimum key length is 1024)
- The private/public keys are stored in a local file system, with rw permission only for the Control-M/Agent account.
- The public key must be stored in the remote SSH server's authorized_keys file.
- Fingerprints of remote servers (host keys) are stored in a local file (known_hosts) so that the remote host can be verified after connecting.
- By default, the first connection is accepted, and future connections are blocked if the host key has changed. This behavior can be changed.
Supported Algorithms:
- Cipher: blowfish-cbc, 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, 3des-ctr, arcfour, arcfour128, arcfour256
- Key exchange: diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521
- MAC: hmac-md5, hmac-sha1, hmac-md5-96, hmac-sha1-96
- Host key type: ssh-dss, ssh-rsa, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521
MFT Server:
- File Transfer jobs support both password and key authentication.
- FTS/Hub accepts clients with both password and key authentication.
- FTS/Hub also has an authorized_keys file where the Administrator can add other user keys (ssh-rsa format) for remote users to connect.
Supported algorithms:
- Cipher: aes128cbc, aes128ctr, aes192cbc, aes192ctr, aes256cbc, aes256ctr, arcfour128, arcfour256, blowfishcbc, tripledescbc, aes128-gcm@openssh.com, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com
- Key exchange: diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1, diffie-hellman-group14-sha256, diffie-hellman-group15-sha512, diffie-hellman-group16-sha512, diffie-hellman-group17-sha512, diffie-hellman-group18-sha512, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256, curve25519-sha256@libssh.org, curve448-sha512
- MAC: hmac-md5, hmac-md5-96, hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-512, hmac-sha1-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com
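An added example (not BMC code) for reviewing the algorithm lists above: it checks the MFT Client lists copied from this page against a deny-list and reports what to keep and what to flag. The deny-list is an assumption of this example, a reviewer's policy rather than a product setting; the MFT Server lists can be passed to `audit()` in the same form.

```python
import re

# Client-side lists copied from the MFT Client "Supported Algorithms" entries above.
CLIENT = {
    "cipher": "blowfish-cbc,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,"
              "aes128-ctr,aes192-ctr,aes256-ctr,3des-ctr,arcfour,arcfour128,arcfour256",
    "kex": "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,"
           "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,"
           "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521",
    "mac": "hmac-md5, hmac-sha1, hmac-md5-96, hmac-sha1-96",
    "hostkey": "ssh-dss,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521",
}

# Deny-list assumed for this example (a reviewer's policy, not a BMC setting).
# Rules are tried in order; the first match gives the reason.
POLICY = [
    (r"arcfour", "RC4 stream cipher"),
    (r"^(3des|tripledes|blowfish)", "64-bit block cipher"),
    (r"cbc$", "CBC mode"),
    (r"md5", "MD5-based MAC"),
    (r"-96$", "MAC truncated to 96 bits"),
    (r"group1-sha1$|group-exchange-sha1$", "SHA-1 key exchange"),
    (r"^ssh-dss$", "DSA host key"),
]

def classify(name):
    """Return the policy reason for flagging `name`, or None if it passes."""
    for pattern, reason in POLICY:
        if re.search(pattern, name):
            return reason
    return None

def audit(lists):
    """Split each comma-separated list into flagged {name: reason} and ok [names]."""
    report = {}
    for category, raw in lists.items():
        names = [n.strip() for n in raw.split(",") if n.strip()]
        flagged = {n: classify(n) for n in names if classify(n)}
        report[category] = {"flagged": flagged,
                            "ok": [n for n in names if n not in flagged]}
    return report

if __name__ == "__main__":
    for category, result in audit(CLIENT).items():
        print(f"{category}: keep {', '.join(result['ok'])}")
        for name, reason in result["flagged"].items():
            print(f"  flag {name}: {reason}")
```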