Monday, April 29, 2019

How to resolve Mule SFTP Kerberos username error & Authentication failure


In this article, we will learn how to resolve the Mule SFTP outbound-endpoint Kerberos username prompt and the authentication failure.

<sftp:outbound-endpoint exchange-pattern="one-way" connector-ref="SFTP" outputPattern="#[flowVars.targetFileName]"
        host="${sftp.target.host}" port="${sftp.target.port}" path="${sftp.target.path}" user="${sftp.target.username}"
        password="${sftp.target.password}" responseTimeout="10000" doc:name="SFTP"/>

When I executed an SFTP outbound-endpoint flow, I got the Kerberos username request below in the console, and actual connectivity to the SFTP endpoint stopped.
Kerberos username [Vishnu.Ramakrishnan]:

The Mule SFTP Connector uses the JSch library (a pure Java implementation of the SSH2 protocol). JSch depends on the Java Cryptography Extension (JCE) and supports 4 different types of user authentication: (1) gssapi-with-mic, (2) keyboard-interactive, (3) publickey (DSA, RSA, ECDSA) and (4) password.
You can read all about JSch here

What is SSH:
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. SSH provides support for secure remote login, secure file transfer, and secure TCP/IP and X11 forwarding. It can automatically encrypt, authenticate, and compress transmitted data. The SSH protocol is available in two incompatible varieties: SSH1 and SSH2. 

Why do we get this Kerberos username request in the console?
This is a known issue related to Java version 7 and above. When JSch runs on Java 1.7 or above and connects to an SFTP server with Kerberos enabled, it prompts for a Kerberos username.


Mulesoft Ticket & Solution:

From Mulesoft Documentation:
SFTP Connector Attribute:
preferredAuthenticationMethods: Comma-separated list of authentication methods used by the SFTP client. Valid values are: gssapi-with-mic, publickey, keyboard-interactive and password.

Solution:
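Add the preferredAuthenticationMethods attribute to the SFTP connector. The list below leaves out gssapi-with-mic, the Kerberos-based method, so JSch no longer attempts it and no longer prompts for a Kerberos username: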
       <sftp:connector name="SFTP" validateConnections="true"   sizeCheckWaitTime="500" doc:name="SFTP" 
             preferredAuthenticationMethods="publickey,password,keyboard-interactive"> 
    </sftp:connector>

Now, let’s take a look at handling Authentication error.

Authentication Error:
ERROR 2018-08-24 09:39:52,698 [[fin602-dynamics-cashbookentries].SFTP.dispatcher.01] org.mule.transport.sftp.SftpClient: Error during login to abc@abc-test.xyz.net
com.jcraft.jsch.JSchException: Auth fail

Solution:
I was using a password that contained the special characters dollar (“$”) and backslash (“\”). To escape these special characters we need to use a backslash. The backslash is used as a marker character to tell the compiler/interpreter that the next character has no special meaning. For example, \\n is interpreted as the literal characters \n instead of as a newline.

The meta characters that we usually need to escape are:
<([{\^-=$!|]})?*+.>
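
The escaping described above can be checked offline before the flow is deployed. This is an added example, not code from the original post or from MuleSoft; it assumes the password sits in a Java .properties file behind the ${sftp.target.password} placeholder, and the class name and sample password are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Properties;

public class SftpPasswordEscapeCheck {
    // Property name taken from the endpoint's ${sftp.target.password} placeholder.
    static final String KEY = "sftp.target.password";

    // Read one "key=value" line the way java.util.Properties reads a .properties file.
    static String load(String line) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(line));
        return props.getProperty(KEY);
    }

    // Let the JDK's own writer produce the correctly escaped line for a raw password.
    static String escapedLine(String raw) throws IOException {
        Properties props = new Properties();
        props.setProperty(KEY, raw);
        StringWriter out = new StringWriter();
        props.store(out, null);              // writes a "#<date>" comment, then the entry
        for (String line : out.toString().split("\\R")) {
            if (!line.isEmpty() && !line.startsWith("#")) {
                return line;
            }
        }
        throw new IllegalStateException("Properties.store() wrote no entry");
    }

    public static void main(String[] args) throws IOException {
        String raw = "s3cr$t\\nPass";        // constructed sample: the characters s3cr$t\nPass

        // Pasted as-is, "\n" is decoded to a newline, so the server receives a different password.
        String pastedAsIs = load(KEY + "=" + raw);
        System.out.println("pasted as-is matches: " + pastedAsIs.equals(raw));

        // With the backslash doubled, the value survives loading unchanged.
        String line = escapedLine(raw);
        System.out.println("escaped line:         " + line);
        System.out.println("escaped line matches: " + load(line).equals(raw));
    }
}
```

Run the check against a test credential rather than the production password, since the escaped line is printed to the console.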

1 comment:

  1. What are the public key, password and keyboard-interactive values? Do we get them from the server details of Kerberos?
