App Connect


Reading security identity in ACE v11

  • 1.  Reading security identity in ACE v11

    Posted Wed April 21, 2021 10:42 AM
    Hi All,

In ACE v11, is there a way we can store the security identity related to an SFTP server in a cache and refer to it as part of the two commands below?

    We are facing a security issue: it flags the security identity file/private key file that ACE internally refers to, which has to be physically present on the server.

    Instead of reading from a file, is there any other way a security identity can be read and referred to by the ACE runtime?

    Option-1:

    mqsisetdbparms -w /home/aceuser/MYACENODE -n sftp::sftpCloud -u sftpuser -i /home/aceuser/.ssh/sftpuser_privatekey -r **********


    Option-2:

    mqsicredentials --work-dir /home/aceuser/MYACENODE --create --credential-type sftp --credential-name sftpCloud --username sftpuser --ssh-identity-file /home/aceuser/.ssh/sftpuser_privatekey --passphrase *********  --vault-key myvaultKey

    Regards,
    Prosanta Saha

    ------------------------------
    Prosanta Saha
    ------------------------------


  • 2.  RE: Reading security identity in ACE v11

    IBM TechXchange Speaker
    Posted Fri May 07, 2021 12:05 PM
    Hi Prosanta,
    Apologies for the delay -- we missed this one.  One of our technical experts answered the following:

    If using an SFTP based node (FileRead, FileOutput), then yes.  You can override the securityIdentity using the local environment override.

    This knowledge center page should apply to v11 as well:

As described in the Knowledge Center page https://www.ibm.com/support/knowledgecenter/SSMKHH_10.0.0/com.ibm.etools.mft.doc/ac25670_.htm, the security identity and remote server name can be configured in an FTPServer configurable service. As per https://www.ibm.com/support/knowledgecenter/en/SSMKHH_10.0.0/com.ibm.etools.mft.doc/bc23790_.html, we already have a LocalEnvironment override for the remote server location (LocalEnvironment.Destination.File.Remote.Server) in place, and it is allowed to set this local environment field to the name of a configurable service. If a configurable service exists with the name specified, all the properties of the configurable service are used instead of the properties on the node.


    Can we request you follow the steps mentioned below and see if that helps to achieve what you are actually looking for if you have the list of FTP servers to which the flow is going to connect?


1. Define a security identity to set all required credentials using mqsisetdbparms.
    2. Create/define an FTPServer configurable service and specify the server name and the security identity created in step 1 for all FTP servers they wish to connect to.
    3. Set the remote server location LocalEnvironment variable to these configurable service names and switch between the servers as required.


    ------------------------------
    Stephanie Wilkerson
    IBM
    ------------------------------
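The three steps in the reply above, carried through as an added example; this is not code from the thread or from IBM. A Compute node in front of a FileOutput node picks an FTPServer configurable service by name and writes it into LocalEnvironment.Destination.File.Remote.Server, so that service's server name and security identity replace the values on the node. The node name MYACENODE, the configurable service names sftpCloudServer and sftpPartnerServer, the second identity sftpPartner, the hostnames, and the XML fields Transfer.Target and Transfer.FileName are all assumptions chosen for the example. The one thing the example adds to the reply is an allow-list: the message only names a logical target, and the flow maps that to a configurable service, so message content can never address an arbitrary FTPServer definition (and the credentials bound to it).

```esql
-- Added example (not from the original thread). Compute node placed before a FileOutput
-- node that has "Remote transfer" enabled. Compute mode must be "LocalEnvironment and Message".
--
-- Assumed one-time set-up on the integration node, typed at the shell (names are hypothetical):
--   mqsisetdbparms -w /home/aceuser/MYACENODE -n sftp::sftpCloud -u sftpuser \
--       -i /home/aceuser/.ssh/sftpuser_privatekey -r '<passphrase>'
--   mqsisetdbparms -w /home/aceuser/MYACENODE -n sftp::sftpPartner -u partneruser \
--       -i /home/aceuser/.ssh/partneruser_privatekey -r '<passphrase>'
--   mqsicreateconfigurableservice MYACENODE -c FTPServer -o sftpCloudServer \
--       -n serverName,securityIdentity -v "sftp.example.com:22/inbound","sftpCloud"
--   mqsicreateconfigurableservice MYACENODE -c FTPServer -o sftpPartnerServer \
--       -n serverName,securityIdentity -v "partner.example.net:22/drop","sftpPartner"

CREATE COMPUTE MODULE SelectSftpTarget_Compute
    CREATE FUNCTION Main() RETURNS BOOLEAN
    BEGIN
        -- Pass the message body and any existing local environment through untouched.
        SET OutputRoot = InputRoot;
        SET OutputLocalEnvironment = InputLocalEnvironment;

        -- The caller supplies only a logical target name (assumed field Transfer.Target).
        DECLARE target CHARACTER COALESCE(InputRoot.XMLNSC.Transfer.Target, '');
        DECLARE service CHARACTER NULL;

        -- Allow-list: only these two logical names are ever mapped to a configurable
        -- service, so a message cannot steer the flow at any other FTPServer definition.
        CASE target
            WHEN 'cloud'   THEN SET service = 'sftpCloudServer';
            WHEN 'partner' THEN SET service = 'sftpPartnerServer';
            ELSE
                THROW USER EXCEPTION CATALOG 'BIPmsgs' MESSAGE 2951
                    VALUES('Unknown SFTP target', target);
        END CASE;

        -- The override from the reply: when this field names an existing FTPServer
        -- configurable service, all of that service's properties (server name, security
        -- identity, ...) are used instead of the properties on the FileOutput node.
        SET OutputLocalEnvironment.Destination.File.Remote.Server = service;

        -- Remote file name taken from the message as well (assumed field Transfer.FileName).
        SET OutputLocalEnvironment.Destination.File.Name = InputRoot.XMLNSC.Transfer.FileName;

        RETURN TRUE;
    END;
END MODULE;
```

Adding a third SFTP server then means one more mqsisetdbparms identity, one more FTPServer configurable service, and one more WHEN branch; nothing on the FileOutput node changes. The private key files themselves still have to exist on the node's filesystem for mqsisetdbparms to reference, which is the constraint the original question raises and which this override does not remove.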