Oracle® Clinical Installation Guide
Release 4.6.2

E18817-04
9 Implementing Secure FTP for File Viewing (UNIX Only)

Note:

In Windows, use UNC. No additional setup is required except that described in the Oracle Clinical Administrator's Guide "Setting Up User Accounts" chapter, section on creating a PSUB log directory.

You must have a full Oracle Clinical Release 4.6.2 installation in place, including functioning PSUB. See Chapter 8, "Setting Up the Parameterized Submission Process" for details.

9.1 About Secure FTP and Oracle Clinical

When you submit a 3GL and PL/SQL job (C programs like Batch Validation or PL/SQL programs like Study Unfreeze) from Oracle Clinical, the system creates the log (.LOG) and out (.OUT) files on the UNIX server computer.

When you select a log or out file from the client computer to view a file that is physically located on a UNIX server computer, Oracle Clinical uses secure FTP to transfer the file to a temporary local directory on the application tier.

You then view the file using SFTP. With SFTP, you do not need to enter a password. Instead, Oracle Clinical uses Secure Shell (ssh) for RSA-based authentication. Oracle Clinical 4.6.2 uses an SFTP command stored in the registry on the application tier.

Oracle Clinical deletes the file from the temporary local directory when you close the log or out file after viewing.

In addition, Oracle Clinical configures the rxcpsbjb.fmx file so that the administrator account (for example, the opareps account) on the application tier is the only account that has permission to exercise the SFTP protocol.

9.2 Obtaining and Installing SFTP Software

You must install software for transferring files securely between computers. Several applications for the Secure Shell, Telnet, and Rlogin network protocols are available for Windows platforms. This installation guide refers to this transfer software as SFTP software.

You must obtain SFTP software for the Windows 2008 platform that uses RSA-based authentication and provides a way for you to create a public/private key pair for authentication purposes.

You can choose the SFTP software that you want to use. PSFTP, PuTTY's SFTP client, is one common choice.

Once you acquire your preferred SFTP software, install it on the Oracle Clinical application tier computer. This installation guide uses the variable SFTP_HOME to designate the installation location.

9.3 Setting Up SFTP

This section provides a general description of how to generate the private/public key pair. Refer to the documentation for your SFTP software for detailed instructions.

9.3.1 Generate and Configure the Private/Public Key Pair

To generate and configure the private/public key pair:

  1. Log in as a user with system administrator privileges.

  2. Start the SFTP software. For example, if you use PuTTY's SFTP software, start puttygen to generate the private/public key.

  3. Set the software to generate key type SSH2 RSA.

  4. Set the number of bits to 1024.

  5. Generate the private/public key pair.

    Note:

    Some SFTP software includes a passphrase option. If you want to be able to run SFTP in batch mode, do not define a passphrase for the key.

  6. Save your work. Specify the directory path and name for the private/public key (.ppk) file. For example:

    SFTP_HOME\key\private_key.ppk

    For security purposes, specify an obscure file name.

  7. Change the permission of the private key file so that only the administrator account has read and write permission. This ensures that only the administrator user has permission to perform SFTP without specifying the password.

  8. Copy the public key from your SFTP software and save it in a temporary text file. Note that the text in this file should be a single line.

9.3.2 Create the restricted_sftp.sh File

To create the restricted_sftp.sh file:

  1. Log in to the UNIX server computer. You can log in as the opapps user or as the user who owns the RXC_ROOT/psub directory.

  2. Navigate to the RXC_ROOT/psub directory. (To check the path to the RXC_ROOT directory, run opa_setup and then execute the echo $RXC_ROOT command from the shell prompt.)

  3. Create a file named restricted_sftp.sh in the RXC_ROOT/psub directory.

  4. Add the following lines to the restricted_sftp.sh file:

    #!/bin/sh
    # SSH1 only; for SSH2, you may need to use $SSH2_ORIGINAL_COMMAND
    # or check your operating system documentation.
    #
    case "$SSH_ORIGINAL_COMMAND" in
    *sftp-server*)
        # Log the accepted request, then run it.
        echo "`date`, From $SSH_CLIENT command=$SSH_ORIGINAL_COMMAND" >> allowed_sftp.out
        $SSH_ORIGINAL_COMMAND
        ;;
    *)
        # Log anything that is not an SFTP request; it is not run.
        echo "`date`, Sorry, not a SFTP command: From $SSH_CLIENT command=$SSH_ORIGINAL_COMMAND" >> rejected_sftp.out
        ;;
    esac
    # You can add logic to allow only certain client computers by
    # changing the value of $SSH_CLIENT
    exit 0

  5. Change the permission of the restricted_sftp.sh file to 777:

    chmod 777 restricted_sftp.sh
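
A stricter form of the dispatch in restricted_sftp.sh, as an added example that is not part of Oracle's guide: it accepts only an exact match on the sftp-server path and runs that fixed binary instead of the client-supplied string. The SFTP_SERVER path, LOG_DIR and the sample requests are assumptions; it also assumes an OpenSSH server, where SSH_ORIGINAL_COMMAND for an SFTP session holds the configured Subsystem command.

```shell
#!/bin/sh
# Added example (not Oracle code): stricter dispatch for a forced-command wrapper.
# SFTP_SERVER is an assumed path; use the sftp Subsystem command from sshd_config.
SFTP_SERVER="${SFTP_SERVER:-/usr/libexec/openssh/sftp-server}"
LOG_DIR="${LOG_DIR:-.}"   # assumed log location

# Succeed only when the request is exactly the sftp-server path, not any
# string that merely contains "sftp-server".
is_sftp_request() {
    [ -n "$1" ] && [ "$1" = "$SFTP_SERVER" ]
}

# Echo "allow" or "reject" for a requested command string.
verdict() {
    if is_sftp_request "$1"; then echo allow; else echo reject; fi
}

# Append one line to a log file in LOG_DIR ($1 = file name, $2 = request).
log_request() {
    printf '%s, From %s command=%s\n' "$(date)" "${SSH_CLIENT:-unknown}" "$2" >> "$LOG_DIR/$1"
}

# Wrapper body: log the decision, then run the fixed binary or refuse.
handle_request() {
    req=${SSH_ORIGINAL_COMMAND:-}
    if is_sftp_request "$req"; then
        log_request allowed_sftp.out "$req"
        exec "$SFTP_SERVER"        # never execute the client-supplied string
    fi
    log_request rejected_sftp.out "$req"
    return 1
}

# Constructed requests; only the first is an SFTP session request.
for sample in "$SFTP_SERVER" "" "/bin/ls /tmp/sftp-server-logs" "sftp-server"; do
    printf '%-32s -> %s\n' "[$sample]" "$(verdict "$sample")"
done
```

When the script is installed as the forced command, its last line is a call to `handle_request` in place of the demonstration loop.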

9.3.3 Modify Accounts to Use SFTP

This section describes how to modify the operating system account for each user to use SFTP.

To modify the authorized_keys file for a single user:

  1. Log in to the UNIX server computer.

  2. Navigate to the authorized_keys file for the user. For each user, the authorized_keys file is located in the following directory:

    USER_HOME/.ssh

  3. Add the public key into the authorized_keys file.

    The public key entry has the following syntax:

    command="sh RXC_ROOT/psub/restricted_sftp.sh",from="host_name" ssh-rsa public_key_string

    where:

    Here is an example of the text to add to the authorized_keys file:

    command="sh /home/opapps/oc/462_9206/psub/restricted_sftp.sh",from="OPA-DB1.mycompany.com" ssh-rsa JUNKB3NzaC1yc2EAAAABJQAAAIB57br
    Efk9 ...
    .
    .
    .
    InyJUNK==rsa-key-20051216
    
  4. Change the permission of the authorized_keys file to 600, and make the user the owner of the file.

    For further help on setting up Secure Shell on UNIX computers, refer to the documentation for your SFTP software or contact your UNIX system administrator.
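
A check for the entries described above, as an added example that is not part of Oracle's guide: it reads authorized_keys lines and reports any entry that lacks the forced command or the from= restriction. The keys, host name and path in the sample are constructed, and the option matching is a simple pattern test, not a full parser.

```shell
#!/bin/sh
# Added example (not Oracle code): audit authorized_keys entries for the
# restrictions described in 9.3.3. Keys and host names below are constructed.
WRAPPER="restricted_sftp.sh"   # forced-command script named on this page

# Print one finding per missing restriction; return 0 only if none is missing.
check_entry() {
    entry=$1
    case "$entry" in
        ''|'#'*) return 0 ;;              # blank line or comment
    esac
    opts=${entry%%ssh-rsa *}              # options = text before the key type
    rc=0
    case "$opts" in
        *'command="'*"$WRAPPER"'"'*) ;;
        *) echo "no forced command ($WRAPPER)"; rc=1 ;;
    esac
    case "$opts" in
        *'from="'?*'"'*) ;;
        *) echo "no from= host restriction"; rc=1 ;;
    esac
    return "$rc"
}

# Read entries on stdin, report each failing line, return 1 if any failed.
audit_stream() {
    n=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if ! findings=$(check_entry "$line"); then
            bad=$((bad + 1))
            printf 'line %d: %s\n' "$n" "$findings"
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample: line 1 follows the page's syntax, lines 2-3 do not.
audit_stream <<'EOF' || echo "authorized_keys needs attention"
command="sh /opt/oc/psub/restricted_sftp.sh",from="apptier.example.com" ssh-rsa AAAAconstructed1 rsa-key-a
from="apptier.example.com" ssh-rsa AAAAconstructed2 rsa-key-b
ssh-rsa AAAAconstructed3 rsa-key-c
EOF
```

To audit a real file, redirect it to the function, for example `audit_stream < USER_HOME/.ssh/authorized_keys`.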

Tip:

You can further restrict or allow certain users or computers at the system level. For example, in /etc/sshd_config:

    # SSH1, OpenSSH
    AllowUsers user1@mycompany.com

    # SSH1, OpenSSH
    DenyUsers user2@mycompany.com

9.4 Testing that Password Prompt Is Bypassed

To test that you have successfully bypassed an SFTP password prompt:

  1. Log in to the application tier computer.

  2. Open the Microsoft Windows Command Prompt.

  3. Change to the SFTP_HOME directory.

  4. Make sure the system does not prompt for a password when executing the SFTP command:

    psftp -i private_key_file_path user_name@UNIX_computer_name

    For example:

    psftp -i "C:\Program Files\sftp_software\s491.ppk" bruce@solaris491

  5. Close the Command Prompt window.

9.5 Setting the Oracle Entries in the System Registry for SFTP

Oracle Clinical installation adds the following two variables into the Microsoft Windows System Registry for SFTP and FTP:

  • PSUB_FTP_SECURE

  • PSUB_FTP_COMMAND

9.5.1 Modifying PSUB_FTP_SECURE and PSUB_FTP_COMMAND

To modify PSUB_FTP_SECURE and PSUB_FTP_COMMAND so Oracle Clinical uses SFTP:

  1. Open the Windows Registry Editor.

  2. Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ORACLE

  3. Locate the PSUB_FTP_SECURE entry in the Windows Registry.

    For SFTP, set the value to Y to enable the protocol. You must also define a value for PSUB_FTP_COMMAND.

  4. Locate the PSUB_FTP_COMMAND entry in the Windows Registry.

    For SFTP, enter the command for the SFTP application you are using for file transfer. Table 9-1 provides the command syntax and examples for WinSCP (Windows Secure CoPy) and PuTTY.

Table 9-1 WinSCP and PuTTY Commands for the PSUB_FTP_COMMAND Entry

SFTP Application Command Syntax and Examples

WinSCP

"SFTP_HOME\WinSCP.com" /privatekey="SFTP_HOME\WinSCP\sftp_keys\PRIVATE_KEY" /script=SCRIPT_FILE

where:

SFTP_HOME is the complete directory path to the location where you installed the WinSCP application.

PRIVATE_KEY is the name for your private key (.ppk).

Note: SCRIPT_FILE is a placeholder for the script file that the File Viewing form generates dynamically prior to file transfer. The system deletes the file immediately after transfer.

For example:

"C:\ProgramFiles\WinSCP\WinSCP.com" /privatekey="C:\ProgramFiles\WinSCP\sftp_keys\b1z92cy.ppk" /script=SCRIPT_FILE

PuTTY

"SFTP_HOME\psftp" -i "SFTP_HOME\PRIVATE_KEY" -b SCRIPT_FILE -be -batch

where:

SFTP_HOME is the complete directory path to the location where you installed the PuTTY application.

PRIVATE_KEY is the name for your private key (.ppk).

Note: SCRIPT_FILE is a placeholder for the script file that the File Viewing form generates dynamically prior to file transfer. The system deletes the file immediately after transfer.

For example:

"C:\Programs\putty\psftp" -i "C:\Programs\putty\b1z92cy.ppk" -b SCRIPT_FILE -be -batch


9.5.2 Ensuring Files Transfer in ASCII Mode with WinSCP

To ensure that files are transferred in ASCII mode when using WinSCP:

  1. Start the WinSCP application.

  2. Open the Preferences dialog box.

  3. Select the Transfer tab.

  4. Select Text in the Transfer mode section.

  5. Click OK to save your changes.

9.5.3 Switching Between SFTP and FTP File Viewing Post-Installation

To switch between SFTP and FTP for file viewing:

  1. Navigate to the following directory:

    ORACLE_AS10GR2_HOME\forms\server

  2. Open the formsweb.cfg configuration file with a text editor.

  3. Locate the following line in the file and update the PSUBMAP parameter:

    opa_file_viewing=PSUBMAP=SFTP RSMAP=UNC

    Set the parameter to SFTP or to FTP.

    Note:

    The RSMAP setting does not affect file viewing.

  4. Open the Windows Registry Editor.

  5. Update the PSUB_FTP_SECURE entry in the Windows Registry as follows:

    • For FTP, set the value to N or null (blank).

    • For SFTP, set the value to Y to enable the protocol. You must also define a value for PSUB_FTP_COMMAND.

  6. Update the PSUB_FTP_COMMAND entry as follows:

    • For FTP, enter the command for FTP. If you want file viewing to use the default FTP command on your application tier computer, set the PSUB_FTP_COMMAND value to null (blank).

    • For SFTP, enter the command for the SFTP application you are using for file transfer. Table 9-1 provides the command syntax and examples for WinSCP (Windows Secure CoPy) and PuTTY.

  7. Restart Oracle Clinical Forms Server.

9.6 Testing SFTP for File Viewing

To test SFTP for file viewing:

  1. Open an Oracle Clinical URL that uses SFTP for file transfer.

  2. Log in to Oracle Clinical with a user account set up for SFTP.

  3. Submit a PSUB job for 3GL or a PSUB module that creates a log file and an out file.

  4. Go to the Batch Job Statuses screen.

  5. Click either View Logfile or View Outfile.

    If you set up SFTP correctly, Oracle Clinical opens the files for you to view.

9.7 Viewing New Lines in PSUB Files

For each client computer, you must associate the .LOG and .OUT file types with an editor that can interpret UNIX new line characters. For example, WordPad interprets UNIX new line characters.

If the .LOG or .OUT file types are associated with an editor that cannot interpret UNIX new line characters, such as NotePad, the PSUB file content will be displayed as one line.