Recently I worked on a simple yet different type of integration. The requirement statement was pretty simple:
When a Service Request is closed, the attachments of that SR should be extracted and sent to a different application through SFTP.
The interesting part of this requirement was the SFTP part, as I had never done that before.
The approach for this requirement was pretty simple:
- Set up a Policy which triggers a workflow when the SR is closed (a Policy because we wanted it to be asynchronous)
- The workflow queries for the attachment records and loops over them
- A business service is called in this loop which will:
  - Query for the attachment record in eScript
  - Execute the GetFile method to obtain the path of the uncompressed file
  - Use the Clib.System command to execute a shell script on UNIX (passing the path as an argument)
- The shell script issues the SFTP command to actually put the files on the other application's server
The biggest problem that I faced in this was making SFTP work.
The FTP protocol lets you hardcode the username and password in a shell script like this:
ftp -n ftpsite << !
quote USER username
quote PASS password
quit
!
But SFTP was built to overcome this limitation and does not allow the password to be supplied as an argument, for security reasons (the S stands for Secure). So you have the following options to make SFTP work:
- SSH Keys: The most common method (which we also used) is to use SSH keys. The system that wants to connect (in this case Siebel) generates a public key and a private key. The public key resides on the target server and the private key resides on the server where the session is initiated (Siebel). This approach lets you connect to the target server without actually using a password.
- Expect Library: The second approach is to use the Expect library. It allows you to automate interactive tasks, but the script is tedious to write and often error prone.
- PSFTP tool: You can also use the PSFTP tool, which lets you supply the password as an argument and takes care of the rest.
The second and third approaches are plagued with the same problem as FTP: your password is exposed to everybody who has access to the shell script. This is not desirable in secure environments.
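Putting the workflow step and the SSH-key approach together, here is an added example of the shell script that Clib.System would call with the attachment path as its argument; it is not the script from the original post. The service account, host, key path and remote directory are assumed names, and the private key is expected to already be authorized on the target server.

```shell
#!/bin/sh
# Added example: upload one Siebel attachment over SFTP using key-based auth.
# Called from eScript via Clib.System as:  sftp_put.sh /path/to/attachment
# All four values below are assumptions for this example.
SFTP_USER="${SFTP_USER:-siebelxfer}"                 # assumed service account
SFTP_HOST="${SFTP_HOST:-target.example.com}"         # assumed target host
SFTP_KEY="${SFTP_KEY:-$HOME/.ssh/siebel_sftp_key}"   # private key, mode 0600
REMOTE_DIR="${REMOTE_DIR:-/inbound/sr-attachments}"  # assumed landing directory

# The path handed over by the workflow must be a readable regular file.
# Returns non-zero otherwise so the eScript caller can raise an error.
check_local_file() {
  [ -n "$1" ] && [ -f "$1" ] && [ -r "$1" ]
}

# Build the command batch fed to sftp. Only the basename is used as the
# remote name, so the Siebel file-system layout is not exposed to the peer.
build_batch() {
  printf 'cd %s\nput %s %s\nbye\n' "$REMOTE_DIR" "$1" "$(basename "$1")"
}

# -b - reads the batch from stdin, -i selects the key, BatchMode=yes makes
# sftp fail instead of prompting for a password, and strict host-key
# checking refuses an unknown or changed server key. A missing or
# unauthorized key therefore surfaces as a non-zero exit status, never as
# a hang waiting for input from the Siebel process.
sftp_put() {
  check_local_file "$1" || { echo "not a readable file: $1" >&2; return 1; }
  build_batch "$1" | sftp -b - -i "$SFTP_KEY" \
      -o BatchMode=yes -o StrictHostKeyChecking=yes \
      "$SFTP_USER@$SFTP_HOST"
}

# Run only when invoked as the script itself, not when sourced.
case "$0" in
  *sftp_put.sh) sftp_put "$1" ;;
esac
```

The exit status of sftp_put is what Clib.System returns to the eScript, so the business service can stop the loop and log the failing attachment instead of silently continuing.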