Red Hat Secure FTP - User Guide


Background

The purpose of Red Hat Secure FTP is to provide a sustainable, cross-platform and command-line accessible endpoint for customers to upload files to Red Hat. The goal is to provide a secure, scalable endpoint that is usable across the broad customer base. The legacy customer FTP service, dropbox.redhat.com, is being deprecated in favor of this new SFTP service.

Scope

  • Provide an endpoint accessible by customers for uploading files from the command line
  • Minimal disruption to customer workflow
  • No additional packages by Red Hat
  • Secure Support cases are OUT OF SCOPE

User Guide for Customers

Authenticated Flow

Customers with valid Customer Portal credentials can upload an attachment to a case on an account to which they belong. There is, however, a strict filename format (i.e. casenumber_filename) that must be followed. If the filename is valid, the file is uploaded to the case as an attachment and deleted from Red Hat Secure FTP. If the filename is invalid, the file remains in the Red Hat Secure FTP bucket for 30 days, after which it is permanently deleted.

Here are a few example filenames with valid and invalid formats for automatic attachment to support cases:

  • 02436811_sosreport.gz (Valid)
  • 02436811_sosreport-report.gz (Valid)
  • 02436811-sosreport.gz (Invalid)
  • sosreport.gz (Invalid)
  • sosreport_02436811.gz (Invalid)

The matrix below explains what an authenticated customer is entitled to do:

Can:

  • List files in their own directory
  • Upload an attachment to Red Hat SFTP and, with the correct filename format, auto-attach the file to a support case the customer has access to

Cannot:

  • List/view other users' files or directories
  • Download any attachment
  • Attach files to cases they don't have access to

Note: If the uploaded file is prefixed with an invalid case number or a case number that the customer doesn't have access to, the uploaded file will not be attached to the support case, and will remain in Secure FTP as per the retention policy.

Here's a quick walkthrough for uploading an attachment.

Token Generation

Open a command terminal (on Linux or Macintosh) or PowerShell (on Windows). At the prompt, enter the following curl command to generate an SFTP login token (replace brett.lymn with your Customer Portal username).

$ curl -u brett.lymn https://access.redhat.com/hydra/rest/v1/sftp/token
{
  "username" : "brett.lymn",
  "token" : "7c8afc4ff028f79b67971b6c28be8be36d2cdce7ba31fa8066171c62e0b4fa23"
}

Alternatively, using a web browser, go to the Red Hat Customer Portal and ensure you are logged in. Then go to the following URL to generate your token:

https://access.redhat.com/hydra/rest/v1/sftp/token

You should see a JSON response of the following format:

{
  "username" : "brett.lymn",
  "token" : "7c8afc4ff028f79b67971b6c28be8be36d2cdce7ba31fa8066171c62e0b4fa23"
}

Note: Authenticated tokens are valid for 30 days.

SFTP Connection

On Linux or Macintosh

From a command terminal, open the SFTP connection and enter the token when prompted for the password:

$ sftp brett.lymn@sftp.access.redhat.com
brett.lymn@sftp.access.redhat.com's password: <token>
Connected to brett.lymn@sftp.access.redhat.com.
sftp>

On Windows

Users can use WinSCP to connect from a Windows machine.

Attachment Upload

On Linux or Macintosh

Upload a file to a case with the put command, using the <casenumber>_<filename> format.

sftp> put 02436811_sosreport.gz
Uploading 02436811_sosreport.gz to /02436811_sosreport.gz
02436811_sosreport.gz                                                                                                                                                                                   100%   10MB   1.9MB/s   00:05   
sftp>

On Windows

Use WinSCP to upload files from a Windows machine.

Note

  • If the filename is in the correct format of <casenumber>_<filename>:
    • the file will get attached to its corresponding case.
    • if the file was successfully attached to a case, it is removed from Secure FTP and will no longer be visible there.
  • If the filename is not in the correct format:
    • the file will not get attached to a case.
    • the file will remain in Secure FTP as per the retention policy.
  • If the username contains special characters, such as 'example@company.com', the above steps should still work.
  • Uploads over Secure FTP are single stream, as compared to the multi-part upload capability that Customer Portal Case Management provides. This could result in slower speeds during SFTP uploads.

Examples of special characters in username:

$ curl -u example@company.com https://access.redhat.com/hydra/rest/v1/sftp/token
Response:
{ "username" : "example@company.com", "token" : "7c8afc4ff028f79b67971b6c28be8be36d2cdce7ba31" }

$ sftp example@company.com@sftp.access.redhat.com
example@company.com@sftp.access.redhat.com's password: <token>
Connected to example@company.com@sftp.access.redhat.com 
sftp>
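
A pre-upload check for the filename rule above, added here as an example (not Red Hat's code): a misnamed file is not attached and stays in Secure FTP for the retention period, so it is worth catching before the put. The function names are hypothetical, and the eight-digit case number is an assumption taken from the page's sample filenames.

```shell
#!/bin/sh
# Added example: pre-upload check for the <casenumber>_<filename> rule.
# Assumption: a case number is CASE_DIGITS digits (8, as in the page's samples).
CASE_DIGITS=8

# Succeeds if the basename of $1 has the form <casenumber>_<filename>.
is_case_filename() {
    name=$(basename -- "$1")
    prefix=${name%%_*}                       # text before the first underscore
    rest=${name#*_}                          # text after the first underscore
    [ "$prefix" != "$name" ] || return 1     # no underscore at all
    [ -n "$rest" ] || return 1               # nothing after the underscore
    [ "${#prefix}" -eq "$CASE_DIGITS" ] || return 1
    case $prefix in
        *[!0-9]*) return 1 ;;                # non-digit in the case number
    esac
    return 0
}

# Prints the remote name for local file $2 on case $1, adding the prefix if absent.
remote_name() {
    base=$(basename -- "$2")
    case $base in
        "$1"_*) printf '%s\n' "$base" ;;
        *)      printf '%s_%s\n' "$1" "$base" ;;
    esac
}

# Prints one 'put "<local>" "<remote>"' line per file for the sftp> prompt.
# Rejected files are reported on stderr and make the function return 1.
put_commands() {
    case_no=$1; shift
    rc=0
    for f in "$@"; do
        remote=$(remote_name "$case_no" "$f")
        case $f in *\"*) remote= ;; esac     # a double quote would break sftp quoting
        if is_case_filename "$remote"; then
            printf 'put "%s" "%s"\n' "$f" "$remote"
        else
            printf 'rejected: %s\n' "$f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage: put_commands 02436811 /var/tmp/sosreport.gz
```

The printed lines can be pasted at the sftp> prompt. The check covers the format only; whether the case number exists and whether you have access to it is still decided on the Red Hat side.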

Unauthenticated Flow

Red Hat SFTP also supports file uploads by users who do not have an account created with Red Hat. They will be able to upload a file to Red Hat SFTP and view the files present under their directory, however they won't be able to download any file. Also, files uploaded by anonymous users aren't auto-attached to a support case.

The matrix below explains what an anonymous user is entitled to do:

Can:

  • List files in their own directory
  • Upload an attachment to Red Hat SFTP

Cannot:

  • List/view other users' files or directories
  • Download any attachment
  • Attach files to a support case

Username and Token generation

Open a command terminal (on Linux or Macintosh) or PowerShell (on Windows). At the prompt, enter the following curl command to generate a username and token for an anonymous user:

$ curl "https://access.redhat.com/hydra/rest/v1/sftp/token?isAnonymous=true"
{
  "username" : "DpDPSPGN",
  "token" : "89d41439423b242f77a4d020ddaae18f30760f61fb4cd9fb2b280ad498e944ff"
}

Alternatively, using a web browser, open a private/incognito tab and go to the following URL to generate your token:

https://access.redhat.com/hydra/rest/v1/sftp/token?isAnonymous=true

You should see a JSON response of the following format:

{
  "username" : "DpDPSPGN",
  "token" : "89d41439423b242f77a4d020ddaae18f30760f61fb4cd9fb2b280ad498e944ff"
}

Note: Anonymous tokens are valid for one time use only. For every session, a new token needs to be generated.

SFTP connection

Connect to Red Hat SFTP (refer to Authenticated flow for WinSCP).

$ sftp DpDPSPGN@sftp.access.redhat.com
DpDPSPGN@sftp.access.redhat.com's password: <token>
Connected to DpDPSPGN@sftp.access.redhat.com.
sftp>

File upload

Upload the file using the put command (refer to Authenticated flow for WinSCP).

Connected to DpDPSPGN@sftp.access.redhat.com.
sftp> put sysreport.tar.gz
Uploading sysreport.tar.gz to /sysreport.tar.gz
sysreport.tar.gz                                                                                                                                                                                            100%   10MB   1.8MB/s   00:05   
sftp>

File listing

List the files under the user's directory. This can also be done using WinSCP.

sftp> ls -l
-rwxr--r--   1        -        - 10485760 Sep 30 18:18 sysreport.tar.gz
sftp>

Connecting to Secure FTP server via proxy

An alternative method for connecting to the SFTP server via a proxy.

For unauthenticated proxy (RHEL 8 and RHEL 7)

sftp -o "ProxyCommand nc --proxy <proxy_host>:<proxy_port> --proxy-type http %h %p" brett.lymn@sftp.access.redhat.com

For authenticated proxy (RHEL 8 and RHEL 7)

sftp -o "ProxyCommand nc --proxy <proxy_host>:<proxy_port> --proxy-auth <proxy_user>:<proxy_password> --proxy-type http %h %p" brett.lymn@sftp.access.redhat.com

For RHEL 6

Use the ncat command instead of nc, for example:

sftp -o "ProxyCommand ncat --proxy <proxy_host>:<proxy_port> --proxy-type http %h %p" brett.lymn@sftp.access.redhat.com

Note:
1. For this example to work, the proxy must be configured to allow port 22, so that it can connect to Secure FTP.
2. You need to install the package that provides the nc command, i.e. nmap-ncat (sudo yum install nmap-ncat for RHEL 7 and RHEL 8). For RHEL 6, you need to install the nmap package (sudo yum install nmap).

Customer Firewall Configuration

Customers must allow the following connection through their firewall:

  • Source: Customer IP
  • Destination: sftp.access.redhat.com:22
  • Purpose: SFTP control channel

7 Comments

Is "redhat-support-tool addattachment" still an option for uploading files?

Hey John. Yes, redhat-support-tool addattachment will still work. However, the -f option will upload files to the legacy dropbox FTP, which isn't preferred, but will work as dropbox is still active. In the next couple of months, we will be releasing updates to redhat-support-tool to point -f option to Red Hat Secure FTP. Regards,

Wow, excellent. I can't even remember how long we've been waiting for this. On that note, could we not refer to it as "Secure FTP"? Since we're not talking about FTPS here, we are talking about SSH File Transfer Protocol. We are calling it by the wrong name.

Equally, many environments do not allow port 22 open outwards for obvious reasons, so providing alternative ports (for example, 222, 2222, or even going against standard and also offer it on port 21) could be useful.

Last but not least, can we get this integrated with the user portal also? So files can be uploaded / viewed through to that and be visible in the same place?

Thanks very happy to see the excellent progress so far :-)

Hey Alexander, I understand the confusion, but "Red Hat Secure FTP" has been approved by Red Hat's Legal and Branding team. We will look into allowing other ports and will provide an update about this soon. A Web UI has not been part of our initial offering, but if that is going to be useful we can definitely look into it. Regards,

Hi there. In relation to filenames: does the extension have to end in .gz? Would this file name be valid: 01234567_sosreport-cloudXX-controller-1-2020-02-19-bowivbp.tar.xz? I am just prefixing the filename I get from sosreport with casenumber_

Hey Kevin, .gz is just an example. You can upload any file, including tarballs, images, PDFs etc. 01234567_sosreport-cloudXX-controller-1-2020-02-19-bowivbp.tar.xz is a valid filename if you would want to attach to case #01234567 - assuming the customer has access to case #01234567.

Hey Shreyank, I was worried as I had uploaded files via Secure FTP and they were not appearing in the ticket, but they appeared after a while. So sftp is working as expected. Thanks again for confirming the filename rules. Regards