Red Hat Secure FTP - User Guide

Updated -

Background

The purpose of Red Hat Secure FTP is to provide a sustainable, cross-platform and command-line accessible endpoint for customers to upload files to Red Hat. The goal is to provide a secure, scalable endpoint that is usable across the broad customer base. The legacy customer FTP, dropbox.redhat.com, is being deprecated in favor of this new SFTP.

Scope

  • Provide an endpoint accessible by customers for uploading files from command-line
  • Minimal disruption to customer workflow
  • No additional packages by Red Hat
  • Secure Support cases are OUT OF SCOPE

User Guide for Customers

Authenticated Flow

Customers with valid portal credentials can upload an attachment to a case belonging to an account they are a member of. However, there is a strict filename policy (i.e. casenumber_filename) which must be followed. If the filename is valid, the file is uploaded to the case as an attachment and deleted from Red Hat Secure FTP; if the filename is invalid, it remains in the Red Hat Secure FTP bucket for 30 days, after which it is permanently deleted.
Here are a few example filenames with valid and invalid formats for automatic attachment to support cases:

  • 02436811_sosreport.gz (Valid)
  • 02436811_sosreport-report.gz (Valid)
  • 02436811-sosreport.gz (Invalid)
  • sosreport.gz (Invalid)
  • sosreport_02436811.gz (Invalid)

The below matrix explains what an authenticated customer is entitled to do:

Can:
  • List files in their own directory
  • Upload an attachment to Red Hat SFTP and, with the correct filename format, auto-attach the file to a support case the customer has access to

Cannot:
  • List/view other users' files or directories
  • Download any attachment
  • Attach files to cases they don't have access to

Note: If the uploaded file is prefixed with an invalid case number or a case number that the customer doesn't have access to, the uploaded file will not be attached to the support case, and will remain in Secure FTP as per the retention policy.

Here's a quick walkthrough for uploading an attachment.

Token Generation

Using cURL

Open a command terminal (on Linux or Macintosh) or PowerShell (on Windows). At the prompt, enter the cURL command as detailed below to generate an SFTP login token (replace brett.lymn with your Customer Portal username).

v2 API (Configurable Token validity 0-90 days):

The Token Generation v2 API gives users the flexibility to configure the token expiry date. The 'expiryInDays' parameter accepts a value in days, from 0 up to a maximum of 90 days. The default value of 'expiryInDays' is 30 days.

  • Sample curl for token generation with default expiry date (30 days):
$ curl -u brett.lymn --request POST 'https://access.redhat.com/hydra/rest/v2/sftp/token'
{"username": "brett.lymn","token": "SBmaGUbA","expiryDate": "2021-8-01T06:37:19.966Z"}
  • Sample curl for token generation with 'expiryInDays' set to 60 days:
$ curl -u brett.lymn --request POST 'https://access.redhat.com/hydra/rest/v2/sftp/token' \
--header 'Content-Type: application/json' \
--data-raw '{
   "expiryInDays" : 60
}'
{"username": "brett.lymn","token": "SBmaGUbA","expiryDate": "2021-10-01T06:37:19.966Z"}

v1 API (Token validity fixed at 30 days):

$ curl -u brett.lymn https://access.redhat.com/hydra/rest/v1/sftp/token
{"username" : "brett.lymn",  "token" : "7c8afc4f","expiryDate": "2021-8-01T06:37:19.966Z"}

Using Web UI (uses v1 APIs):

Alternatively, using a web browser, go to the Red Hat Secure FTP Token Generator application and log in using Customer Portal credentials. Then click on "Generate Token" to generate a new token or view an existing valid token.

Note:

  • The v1 API returns an existing token if present and updates the expiry date of the token to $CURRENT_DATE + 30 days.
  • If an existing token is not found, then a new token is generated with an expiry of 30 days.
  • v1 API will be deprecated soon, so make sure you migrate your scripts/guides to use the v2 API.
  • The v2 API uses the POST method instead of GET.
  • The value for 'expiryInDays' should be greater than or equal to 30 (anything between 0 and 30 is treated as 30) and less than or equal to 90 (any value greater than 90 results in a validation error).

SFTP Connection

On Linux or Macintosh

From a command terminal, open the SFTP connection and enter the token when prompted for password:

$ sftp brett.lymn@sftp.access.redhat.com
brett.lymn@sftp.access.redhat.com's password: <token>
Connected to brett.lymn@sftp.access.redhat.com.
sftp>

On Windows

Users can use the WinSCP software to connect from a Windows machine.

Attachment Upload

On Linux or Macintosh

Upload a file to a case with the put command, using the <casenumber>_<filename> format.

sftp> put 02436811_sosreport.gz
Uploading 02436811_sosreport.gz to /02436811_sosreport.gz
02436811_sosreport.gz                    100%   10MB   1.9MB/s   00:05
sftp>

On Windows

Use the WinSCP software to upload files from a Windows machine.

Note

  • If the filename is in the correct format of <casenumber>_<filename>:
    • the file will get attached to its corresponding case.
    • if the file was successfully attached to a case, it is removed from Secure FTP and will no longer be visible there.
  • If the filename is not in the correct format:
    • the file will not get attached to a case.
    • the file will remain in Secure FTP as per the retention policy.
  • If there are special characters in the username, like 'example@company.com', the above steps should still work.
  • Uploads over Secure FTP are single stream, as compared to the multi-part upload capability that Customer Portal Case Management provides. This could result in slower speeds during SFTP uploads.

Examples of special characters in username:

$ curl -u example@company.com https://access.redhat.com/hydra/rest/v1/sftp/token
{ "username" : "example@company.com", "token" : "7c8afc4f", "expiryDate" : "2021-09-07T10:13:46.149Z" }

$ sftp example@company.com@sftp.access.redhat.com
example@company.com@sftp.access.redhat.com's password: <token>
Connected to example@company.com@sftp.access.redhat.com.
sftp>

Unauthenticated Flow

Red Hat SFTP also supports file uploads by users who do not have an account with Red Hat. They can upload a file to Red Hat SFTP and view the files present under their directory; however, they cannot download any file. Also, files uploaded by anonymous users are not auto-attached to a support case.

The below matrix explains what an anonymous user is entitled to do:

Can:
  • List files in their own directory
  • Upload an attachment to Red Hat SFTP

Cannot:
  • List/view other users' files or directories
  • Download any attachment
  • Attach files to a support case

Username and Token generation

Open a command terminal (on Linux or Macintosh) or PowerShell (on Windows). At the prompt, enter the following cURL command to generate a username and token for an anonymous user:

v2 API

$ curl --request POST 'https://access.redhat.com/hydra/rest/v2/sftp/token' \
--header 'Content-Type: application/json' \
--data-raw '{
 "isAnonymous" : true
}'
{"username" : "aiFPyJiK", "token" : "FAAivaiy", "expiryDate" : "2021-09-07T10:13:46.149Z"}

v1 API

$ curl 'https://access.redhat.com/hydra/rest/v1/sftp/token?isAnonymous=true'
{"username" : "DpDPSPGN", "token" : "89d41439", "expiryDate" : "2021-09-07T10:13:46.149Z"}

Alternatively, using a web browser, go to the Red Hat Secure FTP Token Generator application and log in as Guest. Then click on "Generate Token" to generate a new username and token.

Note: Anonymous tokens are valid for one time use only. For every session, a new token needs to be generated.

SFTP connection

Connect to Red Hat SFTP (refer to Authenticated flow for WinSCP).

$ sftp DpDPSPGN@sftp.access.redhat.com
DpDPSPGN@sftp.access.redhat.com's password: <token>
Connected to DpDPSPGN@sftp.access.redhat.com.
sftp>

File upload

Upload file using PUT command (refer to Authenticated flow for WinSCP).

Connected to DpDPSPGN@sftp.access.redhat.com.
sftp> put sysreport.tar.gz
Uploading sysreport.tar.gz to /sysreport.tar.gz
sysreport.tar.gz                         100%   10MB   1.8MB/s   00:05
sftp>

File listing

List the files under the user's directory. This can also be done using WinSCP.

sftp> ls -l
-rwxr--r--   1        -        - 10485760 Sep 30 18:18 sysreport.tar.gz
sftp>

Connecting to Secure FTP server via proxy

An alternative method for connecting to the SFTP server via a proxy:

Unauthenticated proxy (RHEL 8 and RHEL 7)

sftp -o "ProxyCommand nc --proxy <proxy_host>:<proxy_port> --proxy-type http %h %p" brett.lymn@sftp.access.redhat.com

For authenticated proxy (RHEL 8 and RHEL 7)

sftp -o "ProxyCommand nc --proxy <proxy_host>:<proxy_port> --proxy-auth <proxy_user>:<proxy_password> --proxy-type http %h %p" brett.lymn@sftp.access.redhat.com

For authenticated proxy (RHEL 8 and RHEL 7) but using Port 80.

sftp -P 80 -o "ProxyCommand nc --proxy <proxy_host>:<proxy_port> --proxy-auth <proxy_user>:<proxy_password> --proxy-type http %h %p" brett.lymn@sftp.access.redhat.com

For RHEL 6

Please use the ncat command instead of nc. E.g.

sftp -o "ProxyCommand ncat --proxy <proxy_host>:<proxy_port> --proxy-type http %h %p" brett.lymn@sftp.access.redhat.com

Note -
1. For this example to work, the proxy must be configured to allow port 22 OR port 80 so that it can connect to Secure FTP.
2. You need to install the package that provides the nc command, i.e. nmap-ncat (sudo yum install nmap-ncat on RHEL 7 and RHEL 8). For RHEL 6, install the nmap package (sudo yum install nmap).

Customer Firewall Configuration

Customers must allow the following connections in their firewall:

Source        Destination                                   Purpose
Customer IP   sftp.access.redhat.com:22 OR 35.80.245.1:22   SFTP control channel

OR

Source        Destination                                   Purpose
Customer IP   sftp.access.redhat.com:80 OR 35.80.245.1:80   SFTP control channel

Note:
1. Connections are supported over both Port 22 and Port 80.
2. The IP Address 35.80.245.1 can be used in place of the hostname sftp.access.redhat.com in proxy / firewall config, but this IP might change if we update the load balancer.

SSH Host Key Fingerprint

Here's the fingerprint of the SSH host key for Red Hat Secure FTP:

SHA256:Ij7dPhl1PhiycLC/rFXy1sGO2nSS9ky0PYdYhi+ykpQ=
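As an added example that is not part of Red Hat's guide or tooling, the following POSIX shell script ties two of the checks above together: it applies the <casenumber>_<filename> rule from the Attachment Upload section (assuming a case number is all digits, which the guide's examples show but do not state), pins the SHA256 host key fingerprint published here so sftp refuses any other key, and uploads one file in batch mode. The variable and function names are the example's own.

```shell
#!/bin/sh
# Added example, not Red Hat's own tooling: apply the <casenumber>_<filename>
# rule and pin the published host key before uploading to a support case.
# Assumption (not stated in the guide): a case number is all digits.
SFTP_HOST=sftp.access.redhat.com
SFTP_PORT=${SFTP_PORT:-22}                      # 80 is also supported
EXPECTED_FP='SHA256:Ij7dPhl1PhiycLC/rFXy1sGO2nSS9ky0PYdYhi+ykpQ='

# Return 0 only for <digits>_<non-empty name>; that is the only form that is
# auto-attached. Anything else would sit in the bucket for 30 days.
case_filename_ok() {
  case $1 in */*) return 1 ;; *_*) ;; *) return 1 ;; esac
  prefix=${1%%_*}; rest=${1#*_}
  [ -n "$prefix" ] && [ -n "$rest" ] && [ "$prefix" = "${prefix%%[!0-9]*}" ]
}

# Remote name for a local file, e.g. a sosreport tarball that lacks the case
# prefix: case_name_for 02827402 /var/tmp/sosreport-x.tar.xz
case_name_for() {
  name="${1}_$(basename "$2")"
  case_filename_ok "$name" || return 1
  printf '%s\n' "$name"
}

# Scan the server's keys and keep only the one whose SHA256 fingerprint matches
# the guide, so sftp refuses any other key. Needs network access.
pin_host_key() {            # arg: known_hosts file to write
  : > "$1"
  ssh-keyscan -p "$SFTP_PORT" "$SFTP_HOST" 2>/dev/null | while read -r line; do
    printf '%s\n' "$line" > "$1.tmp"
    ssh-keygen -lf "$1.tmp" | grep -Fq "$EXPECTED_FP" && cat "$1.tmp" >> "$1"
  done
  rm -f "$1.tmp"; [ -s "$1" ]
}

# Upload in batch mode against the pinned key; sftp still prompts on the
# terminal for the password, which is the token from the v2 API.
upload_to_case() {          # args: portal username, case number, local file
  name=$(case_name_for "$2" "$3") || { echo "rejected: $3" >&2; return 1; }
  known=$(mktemp) || return 1
  pin_host_key "$known" || { echo "host key mismatch" >&2; return 1; }
  batch=$(mktemp) || { rm -f "$known"; return 1; }
  printf 'put "%s" "%s"\n' "$3" "$name" > "$batch"
  sftp -P "$SFTP_PORT" -o StrictHostKeyChecking=yes \
       -o UserKnownHostsFile="$known" -b "$batch" "$1@$SFTP_HOST"
  rc=$?; rm -f "$known" "$batch"; return $rc
}
```

Run it as `upload_to_case brett.lymn 02827402 /var/tmp/sosreport-x.tar.xz`; the file lands as 02827402_sosreport-x.tar.xz and is auto-attached only if the caller has access to that case.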

17 Comments

Is "redhat-support-tool addattachment" still an option for uploading files?

Hey John. Yes, redhat-support-tool addattachment will still work. However, the -f option will upload files to the legacy dropbox FTP, which isn't preferred, but will work as dropbox is still active. In the next couple of months, we will be releasing updates to redhat-support-tool to point -f option to Red Hat Secure FTP. Regards,

In addition, the sosreport tool doesn't create files using this format. Will sosreport be updated to create files in the new format?

For example, providing a case number, sosreport outputs this filename - which I will need to upload directly to a case for a RHOSP 16.1.3 using the sosreport tool, sosreport outputs this. But, it sounds like I'm going to have to rename each file across the cluster in order to upload (I have 18 nodes in this support case).

/var/tmp/sosreport-rhosp-pcmk-2-02827402-2021-09-07-emmvwry.tar.xz

Hey John,

We are updating sosreport tool to be able to upload directly to Secure FTP instead of the legacy FTP. Here's the github issue for the same [1]. This has been fixed upstream and should make it way into the downstream RHEL package soon.

[1] https://github.com/sosreport/sos/issues/2467

Wow, excellent. I can't even remember how long we've been waiting for this. On that note, could we not refer to it as "Secure FTP"? Since we're not talking about FTPS here, we are talking about SSH File Transfer Protocol. We are calling it by the wrong name.

Equally, many environments do not allow port 22 open outwards for obvious reasons, so providing alternative ports (for example, 222, 2222, or even going against standard and also offer it on port 21) could be useful.

Last but not least, can we get this integrated with the user portal also? So files can be uploaded / viewed through to that and be visible in the same place?

Thanks very happy to see the excellent progress so far :-)

Hey Alexander, I understand the confusion, but "Red Hat Secure FTP" has been approved by Red Hat's Legal and Branding team. We will look into allowing other ports, will provide an update about this soon. A Web UI has not been part of our initial offering, but if that is going to be useful we can definitely look into it. Regards,

Hi Alexander, We have now enabled Port 80 in addition to Port 22. Let me know if that helps. Regards,

Hi There, in relation to filenames: does the extension have to end in .gz? Would this file name be valid: 01234567_sosreport-cloudXX-controller-1-2020-02-19-bowivbp.tar.xz? I am just prefixing the filename I get from sosreport with casenumber_.

Hey Kevin, .gz is just an example. You can upload any file, including tarballs, images, PDFs etc. 01234567_sosreport-cloudXX-controller-1-2020-02-19-bowivbp.tar.xz is a valid filename if you would want to attach to case #01234567 - assuming the customer has access to case #01234567.

Hey Shreyank, I was worried as I had uploaded files via Secure FTP and they were not appearing in the ticket, but they appeared after a while. So sftp is working as expected. Thanks again for confirming the filename rules. Regards

Hello, can you post the fingerprint of the SSH Host Key for verification -- otherwise, this is not really secure...

@Joseph: Please see below the fingerprint of the SSH Host Key for verification:

SHA256:Ij7dPhl1PhiycLC/rFXy1sGO2nSS9ky0PYdYhi+ykpQ=

Can you consider fixing the IP address to assist those of us who have to request IPs in firewall/proxy requests.

Hey Richard, 35.80.245.1 is the IP which is fixed for now. Will add this to the article as well, but this might change in the future when the load balancer is changed. Just ensure to update the IP if that fails anytime in the future. Regards,

Thanks for the info. This IP has changed since this article was originally published, so I'll have to go round the request and approval loop again. Is there any way to request a permanent fixed IP for this? As I say, this is very painful for us customers. Thanks.

DNS address lookups exist actually so one can refer to the DNS name without pinning down an IP. If firewall departments are not able to operate on that base, maybe they want to implement a checkscript on their side which constantly resolves DNS into IP address, to detect when the IP changes.

Hey Richard,

We understand your pain points. To provide some context, we didn't have a load balancer before but added one recently to support multiple ports. We have verified that the load balancer allows us to keep a static IP for the foreseeable future. Hope that helps!