This section explains the Batch Adapter’s Secure Shell (SSH) tunneling features. SSH tunneling is also called SSH port forwarding.
The Batch Adapter encrypts the command channel of FTP utilizing SSH. To encrypt data, you can encrypt a file prior to sending it, using your preferred method or that of the receiver. The received file can then be decrypted by the recipient. If Secure FTP (FTP over SSH or FTP over SSL) is required, use the Secure FTP OTDs (BatchFTPOverSSL, BatchSFTP, and BatchSCP).
Developed by SSH Communications Security Ltd., Secure Shell (SSH) is a program that allows a computer to log onto another computer over a network to move files over the network and execute commands. SSH is intended as a replacement for rlogin, rsh, rcp, and rdist.
SSH provides strong authentication and secure communications over non-secure channels. SSH protects a network from attacks such as IP and DNS spoofing, IP source routing, and interception of plaintext passwords and authentication data. If an attacker manages to take over a network, he can only force SSH to disconnect. The content and the connection are secure when encryption is enabled.
When you are using the SSH slogin (instead of rlogin), the entire logged-on session, including the transmission of the password, is encrypted. As a result, it is almost impossible for an outsider to collect passwords.
For improved security, the number of times the adapter can log on during a single session is limited because, during a disconnect, the SSH tunnel is not closed. This method of operation allows you to establish another connection without logging on.
For more information on SSH and how to use it, see the following Web site:
The adapter makes use of additional software applications. The adapter also supports either of the following applications for SSH tunneling:
OpenSSH: an encryption and authentication tool for UNIX. For more information go to:
Plink.exe: Plink is a Win32-only command-line interface to the PuTTY Telnet/SSH client. For more information visit:
In either case, you are responsible for downloading, installing, and properly configuring the necessary software. You must refer to the appropriate software provider for support and documentation.
To use SSH tunneling to provide for secure logon IDs and passwords, the BatchFTP Adapter uses the additional SSH-tunneling software (see Additional Software Requirements).
To enable SSH tunneling, select Yes under the SSH Tunneling Enabled parameter in the adapter connection configuration (see SSH Tunneling Configuration Parameters). You can use the SSH-tunneling software in either of the following ways:
By using an existing SSH channel where a secure connection has already been established
By internally launching an SSH process for the adapter’s use
To use an existing channel, select Yes under the SSH Channel Established parameter in the configuration. The adapter then operates under the assumption that you have already established the SSH channel using the additional software. Once you set this parameter to Yes, the adapter automatically uses that channel.
If you choose No under the SSH Channel Established parameter, the adapter launches a process within Java CAPS to establish a channel. In this case, you must specify, under the SSH Command Line parameter, a full and correct command-line statement for your SSH-tunneling application and environment.
You can obtain this information from the SSH-tunneling application’s configuration. See the application’s documentation for details.
You must enter a correct and complete command-line statement. That is, all necessary command line parameters must be provided so that the SSH-tunneling software can run correctly without requiring further interaction.
Check the accuracy of this information by executing the command line from the shell. If the software prompts for more information, add the required information to the command line and try again. Continue this process until the software starts and operates properly without additional action.
You may need to launch the application at least once from the shell before using it in the adapter. This requirement depends on the SSH-tunneling application and platform. Some applications prompt for trust-related information on the first attempt to connect to a remote host.
Through SSH tunneling, the FTP command connection is protected. This mechanism is based on an existing SSH port-forwarding configuration. You must configure SSH port forwarding on the SSH listen host before you configure the supporting adapter Connection.
For example, on the Java CAPS client host localhost, you can issue a command, such as:
ssh -L 4567:atlas:21 -o BatchMode=yes atlas
Under the adapter’s configuration for the previous example, you must specify:
localhost for the parameter SSH Listen Host
4567 for the parameter SSH Listen Port
In this case, the adapter connects to the FTP server atlas:21 through an SSH tunnel.
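The mapping from the command line to the two listen parameters can be checked mechanically. The following script is an added example, not part of the adapter or its documentation: it derives the SSH Listen Host and SSH Listen Port values from an OpenSSH command line and warns when the command could wait for input or when the listener is not bound to the local host. The function names are hypothetical, and the script assumes OpenSSH option syntax, no IPv6 literal in the -L argument, and the OpenSSH default of binding a forward without a bind address to the loopback interface.

```shell
# Added example (not product code); function names are hypothetical.

# Print "listen_host listen_port ftp_host ftp_port" for the first -L option.
parse_forward() {
    local spec="" prev="" arg f1 f2 f3 f4 extra
    for arg in "$@"; do
        if [ "$prev" = "-L" ]; then spec=$arg; break; fi
        case $arg in -L?*) spec=${arg#-L}; break ;; esac
        prev=$arg
    done
    IFS=: read -r f1 f2 f3 f4 extra <<EOF
$spec
EOF
    if [ -n "$extra" ] || [ -z "$f3" ]; then return 1; fi
    if [ -z "$f4" ]; then
        echo "localhost $f1 $f2 $f3"   # port:host:hostport, assumed loopback bind
    else
        echo "${f1:-*} $f2 $f3 $f4"    # bind_address:port:host:hostport
    fi
}

# Succeed only if BatchMode=yes is set, so ssh fails instead of prompting.
is_noninteractive() {
    local prev="" arg
    for arg in "$@"; do
        if [ "$arg" = "-oBatchMode=yes" ]; then return 0; fi
        if [ "$prev" = "-o" ] && [ "$arg" = "BatchMode=yes" ]; then return 0; fi
        prev=$arg
    done
    return 1
}

# Print the adapter settings implied by the command line, plus warnings.
adapter_settings() {
    local fwd lhost lport thost tport
    fwd=$(parse_forward "$@") || { echo "ERROR no usable -L option"; return 1; }
    read -r lhost lport thost tport <<EOF
$fwd
EOF
    printf 'SSH Listen Host=%s\nSSH Listen Port=%s\nFTP server=%s:%s\n' "$lhost" "$lport" "$thost" "$tport"
    is_noninteractive "$@" || echo "WARN BatchMode=yes missing: ssh may wait for input"
    case $lhost in
        localhost|127.0.0.1) ;;
        *) echo "WARN listener on $lhost accepts connections from other hosts" ;;
    esac
}

adapter_settings ssh -L 4567:atlas:21 -o BatchMode=yes atlas
```

For the command shown above, the script prints localhost and 4567 with no warnings.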
You must set the following SSH tunneling parameters to configure the adapter Connection:
SSH Tunneling Enabled: Specifies whether the FTP command connection is secured through an SSH tunnel:
No: indicates that all other parameters in this section are ignored.
SSH Channel Established: Specifies whether the adapter needs to launch an SSH subprocess:
No: indicates that there is no existing SSH channel for an FTP transfer.
Yes: indicates that an SSH channel has been established, so it is not necessary for the adapter to spawn an SSH subprocess. If you select Yes, the following parameters are required:
SSH Listen Host
SSH Listen Port
SSH Command Line: Specifies the command line used to establish an SSH channel. This parameter is required only when you set the SSH Channel Established parameter to No.
The command-line syntax can be different, depending on the specific SSH client implementation. See your SSH-tunneling support software user’s guides for details.
SSH Listen Host: Specifies the host name where the SSH support software runs, as well as the host it listens to.
This parameter is required only when you set the SSH Channel Established parameter to Yes. If you choose No, the Listen Host is always localhost because the SSH support software is always started from the local host.
SSH Listen Port: Specifies the port number that the SSH-tunneling support software uses to check for incoming connections. This port number can be any unused port number on the SSH listen host.
SSH User Name: Specifies an SSH user name. This parameter can be required when the setting for the SSH Channel Established parameter is No.
SSH Password: Specifies an SSH password corresponding to the user name entered under SSH User Name. This parameter can be required only when the setting for the SSH Channel Established parameter is No. For more information, see SSH User Name.
For more information, see SSH Tunneling Configuration Parameters.