Attachments over SFTP for HP OpenView ServiceDesk 4.5 and 5.x

version 0.60 [6th of November, 2008]

created by Radovan Skolnik, radovan@skolnik.info

Disclaimer

This is not an HP product and is in no way supported by HP. Try and use it at your own risk.


Intro

It is widely known that attachments in HPOVSD 4.5 and 5.x are stored on and retrieved from an FTP server. This has caused many concerns for security admins, who usually banned FTP a long time ago. What is less known is that you need to enable access to that FTP server from every location where you plan to use SD clients: the SD server is only involved in generating OIDs, while the attachment transfers happen directly between the clients and the FTP server. This means the ports used by FTP have to be opened to all clients.

As HP does not provide any real alternative, this is an independent attempt to provide one that removes the need for outdated FTP. In 5.1 HP introduced a secure option for attachments. However, that is only FTPS, i.e. the FTP protocol with connections secured by SSL (it requires an FTP server that supports this feature; how common is that on Unixes?). This library provides a way to store attachments on an SSH server, that is, it supports SFTP. SSH is usually considered far more secure (and more manageable, security-wise) than FTP.


Features

This library replaces the functionality originally provided in lib\libftp.jar in 4.5 (both on SD client and server) and in OvObsFtp.jar in 5.x (on client, server and in the WebStart installation as well), so that attachments can be stored on and retrieved from an SSH server over SFTP (file transfer over SSH). It provides 2 authentication methods: username/password and public key. It supports the TripleDES, Blowfish and AES-128/192/256 ciphers and the SHA1, SHA1-96, MD5 and MD5-96 MACs.


Contents of the package

The downloadable package contains these files:

docs (folder that contains files with license information of used libraries and some pictures used in this readme ;-)

webstart (folder that contains files that need to be replaced in order to make client WebStart distribution (in 5.x) work with the library)

updatesite (folder that contains configuration files needed to distribute the library for Client 2008)

libsftp.jar (this file is throughout this readme referred as "the library" as it contains all the functionality)

readme.html (this very file you are reading)

SignJAR.[bat|sh] (helper file for 5.x to let you sign the .jar archive with the library (needed for 5.x))

TestConnection_MS_JVM.bat (helper file to let you test the connection from the command line using Microsoft JVM)

TestConnection_Sun_JVM.[bat|sh] (helper file to let you test the connection from command line using Sun JVM)

TestRSADSAKey.[bat|sh] (helper file to test if the provided private key is acceptable (needed for public key authentication with passphrase))


Installation for 4.5

Legacy client (MS JVM)

During the lifetime of HPOVSD 4.5 there have been many Service Packs (SPs) that fixed bugs and added new functionality. The FTP functionality has been fixed (or upgraded?) as well, so the code currently in use does not reside in libftp.jar but in servicepack.jar (check com.hp.ftpclient there). That is why simply replacing libftp.jar would not work. So there are these installation options:


  • The easiest way is to rename the library to hotfix.jar and put it into the lib directory of the client (usually C:\Program Files\Hewlett-Packard\OpenView\service desk 4.5\client\lib). You can put it into the lib directory of the server as well, but it is only used there if you use the WEB-API for working with attachments. From SP13 you can use the Remote Updater (Tools -> System -> System Panel -> General Settings -> Remote Updater) functionality to distribute the file to all clients. Just go there, enable hotfix.jar distribution and select the file provided.

  • The other way is to keep the name libsftp.jar (you may want to do this to be able to continue using the hotfix.jar provided by HP). In order for it to be used you have to modify the sd_client.bat and sd_client.ini files (usually residing in C:\Program Files\Hewlett-Packard\OpenView\service desk 4.5\client\bin) on all clients. In both there is a line that starts with

    jview /cp lib\hotfix.jar;lib\servicepack.jar;

    You need to modify it so that it starts with

    jview /cp lib\libsftp.jar;lib\hotfix.jar;lib\servicepack.jar;

    and put libsftp.jar into the lib directory of the SD client. This way you ensure that the classes from the library are used (and not the ones in servicepack.jar or hotfix.jar).
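The classpath edit above has to be made on every client, in both sd_client.bat and sd_client.ini, and it is easy to get a client where the library is listed twice or not first. The following script is an added example (not part of the library or of HP's client); it rewrites the jview line so that lib\libsftp.jar is always the first classpath entry and is safe to run repeatedly. The sample file content is constructed, and the text after the classpath (%MAIN_CLASS% %*) is a placeholder, not the real command line.

```python
import re
import sys

# Library path exactly as the readme tells you to write it into the jview classpath.
LIBRARY = r"lib\libsftp.jar"

# Matches the "jview /cp <classpath>" line found in sd_client.bat and sd_client.ini.
CP_LINE = re.compile(r"^(?P<lead>\s*jview\s+/cp\s+)(?P<cp>\S*)", re.IGNORECASE)

# Constructed sample of such a file (not the real sd_client.bat); everything after
# the classpath is a made-up placeholder.
SAMPLE_BAT = "\r\n".join([
    "@echo off",
    r"jview /cp lib\hotfix.jar;lib\servicepack.jar;lib\libftp.jar %MAIN_CLASS% %*",
    "",
])


def prepend_library(text: str, library: str = LIBRARY):
    """Put `library` at the front of every jview classpath in `text`.

    Returns (new_text, changed). The edit is idempotent: a line that already
    starts with the library is left alone, and a library that appears later in
    the classpath is moved to the front instead of being listed twice.
    """
    changed = False
    out = []
    for line in text.splitlines(keepends=True):
        m = CP_LINE.match(line)
        if m:
            cp = m.group("cp")
            parts = [p for p in cp.split(";") if p]
            if not parts or parts[0].lower() != library.lower():
                parts = [library] + [p for p in parts if p.lower() != library.lower()]
                new_cp = ";".join(parts) + (";" if cp.endswith(";") else "")
                line = line[:m.start("cp")] + new_cp + line[m.end("cp"):]
                changed = True
        out.append(line)
    return "".join(out), changed


def classpaths(text: str):
    """Return the classpath strings of all jview lines, for a before/after check."""
    return [m.group("cp") for m in (CP_LINE.match(l) for l in text.splitlines()) if m]


if __name__ == "__main__":
    # Usage: python prepend_libsftp.py sd_client.bat sd_client.ini
    # Each file is rewritten in place; the original is kept as <name>.bak.
    for path in sys.argv[1:]:
        with open(path, "r", encoding="cp1252", newline="") as f:
            original = f.read()
        updated, changed = prepend_library(original)
        if changed:
            with open(path + ".bak", "w", encoding="cp1252", newline="") as f:
                f.write(original)
            with open(path, "w", encoding="cp1252", newline="") as f:
                f.write(updated)
        print(f"{path}: {'updated' if changed else 'already correct'}")
```

Run it against the two files in the client's bin directory after copying libsftp.jar into lib; a second run reports "already correct" and leaves the files untouched.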


Client 2008 (Sun JVM)

After years of waiting HP released a new client (called Client 2008) based on the Eclipse platform (a personal note here: it takes a company such as HP to invest a considerable amount of work to build something on a great, truly multiplatform base and then screw it up by using platform-specific calls here and there, thus preventing it from running on any OS other than Windows...). Updates are distributed differently here than in the old client. You need to set up an update site (a simple HTTP server) that will contain future service packs and hotfixes (read the documentation that comes with Client 2008 for details). We will use this mechanism to distribute the library as a hotfix (it will actually mimic SP40, which is high enough that 4.5 will probably never see a real one with that number ;-). The site.xml contains references to 2 features supported by Client 2008: servicepack and hotfix. Just make sure that the hotfix one references the feature provided in the sample. So the line should look like this:

    <feature url="features/com.hp.hotfix.feature_45.40.0.jar" id="com.hp.hotfix.feature" version="45.40.0">
      <category name="Service Desk Product"/>
    </feature>

Also you need to copy the library (after embedding the SSH key if you want to use public key authentication) to updatesite/plugins/ under the name com.hp.libftp_45.40.0.jar.
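Three things on the update site have to agree for the client to pick the library up: the hotfix feature's url, its version attribute, and the plugin jar name under plugins/. The script below is an added example (not part of the library or of Client 2008) that parses site.xml with the standard library and reports any mismatch before you publish the site. The site.xml shown is constructed: the hotfix feature is the one from this readme, while the <site> root element, the servicepack feature and its version 45.20.0 are assumptions made for the sample.

```python
import xml.etree.ElementTree as ET

HOTFIX_ID = "com.hp.hotfix.feature"
HOTFIX_VERSION = "45.40.0"          # the fake SP40 version used by this readme

# Constructed site.xml: the hotfix entry is the readme's, the rest is assumed.
SITE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<site>
  <feature url="features/com.hp.servicepack.feature_45.20.0.jar" id="com.hp.servicepack.feature" version="45.20.0">
    <category name="Service Desk Product"/>
  </feature>
  <feature url="features/com.hp.hotfix.feature_45.40.0.jar" id="com.hp.hotfix.feature" version="45.40.0">
    <category name="Service Desk Product"/>
  </feature>
</site>
"""

# Constructed directory listing of updatesite/plugins/.
PLUGIN_FILES = ["com.hp.libftp_45.40.0.jar"]


def check_update_site(site_xml: str, plugin_files, hotfix_version: str = HOTFIX_VERSION):
    """Return a list of problems; an empty list means the site is consistent."""
    problems = []
    features = list(ET.fromstring(site_xml).iter("feature"))

    # Every feature url must follow the features/<id>_<version>.jar convention
    # that the sample site.xml uses, otherwise the client downloads a 404.
    for f in features:
        fid, ver, url = f.get("id"), f.get("version"), f.get("url")
        expected = f"features/{fid}_{ver}.jar"
        if url != expected:
            problems.append(f"{fid} {ver}: url is {url!r}, expected {expected!r}")

    # The hotfix feature with the expected version must be offered at all.
    if not any(f.get("id") == HOTFIX_ID and f.get("version") == hotfix_version for f in features):
        problems.append(f"no {HOTFIX_ID} entry with version {hotfix_version}")

    # The plugin jar carrying the library must be named after that version.
    plugin = f"com.hp.libftp_{hotfix_version}.jar"
    if plugin not in plugin_files:
        problems.append(f"plugins/{plugin} is missing from the update site")
    return problems


if __name__ == "__main__":
    for problem in check_update_site(SITE_XML, PLUGIN_FILES) or ["update site looks consistent"]:
        print(problem)
```

To use it on a real site, read site.xml from disk and pass os.listdir("updatesite/plugins") as the second argument.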

If you did everything correctly you should be able to update the client. If you do it interactively (Help -> Update...) you should see this:


Web Console

If you are using the Web Console you need to unpack the contents of libsftp.jar (which is just a zip file) into %WebConsoleHome%/SIP/webapps/ovportal/WEB-INF/classes/. Restart Tomcat. Done.


Installation for 5.x

In 5.x the service packs are not distributed as servicepack.jar (as in 4.5). Instead, newer versions of the original .jar files are distributed. There are basically 2 options for how to install the client (and thus 2 different ways to introduce the SFTP library into it):

Web Start installation

The client is installed by clicking the .jnlp link on ServiceDesk's web page. That starts installation via the Web Start mechanism (you need to have a Java Runtime installed for this to work). All required files are downloaded to the Web Start folder (usually somewhere in your home directory; it is not important where). Every time the client is started it checks the server for updated files. This is the key to replacing standard FTP with SFTP.

On the server, in %sd_server_home%/www/webstart/, you need to replace objectserver.jnlp and add libsftp.jnlp (they are located in the webstart folder of the archive) and put the signed library (named sig_sftplib.jar; otherwise edit libsftp.jnlp and provide the correct name) into %sd_server_home%/www/webstart/nonOV/.

Local installation & WEB-API

If you install client(s) locally (I suggest using Web Start for its ability to automatically update the installation) you need to replace files manually. All you need to do is replace all occurrences of OvObsFtp.jar with the library (that is, rename the library to OvObsFtp.jar and replace all files with that name in your installation). This also applies to the server installation in case you want to work with attachments via the WEB-API.


Remark: For Web Start functionality the library has(!) to be signed with a digital certificate! See the chapter below for info on how to sign the library.


Embedding SSH key into the library

If you want to use public key authentication you need to provide the private key (usually the file named id_dsa or id_rsa) to the library (for configuring your SSH server to support this method, please consult its documentation; for OpenSSH see this howto: http://sial.org/howto/openssh/publickey-auth/). This is done by adding the private key to the root of the archive under the name ssh_key using this command (you need to have the Java SDK in PATH for this to work):

    jar -uf libsftp.jar ssh_key

The contents of the resulting libsftp.jar will look like this:

    .license
    com
    HTTPClient
    info
    META-INF (this folder will contain digital signatures)
    org
    ssh_key (the provided key)


In case you want to switch back to username/password authentication, the easiest way is to switch back to the original version of the library (otherwise delete the added ssh_key from the library and re-sign it if it has been signed).

Digitally signing the library

If you want to use the Web Start functionality of 5.x (so this chapter is irrelevant for 4.5), all the entries in the .jar file have to be digitally signed (that includes the embedded key if there is one). The original file is signed by HP, the replacement is signed by me ;-) You only need to re-sign the library in case you added a private key to it (see previous chapter); otherwise the file is already signed. To make this easier I created a script called SignJAR.[bat|sh]. It accepts one file as input (the library with the private key embedded) and produces a signed version of it with the same name prefixed by sig_. So in case you haven't changed the filename it would be sig_libsftp.jar (this filename is expected by the provided .jnlp files for Web Start functionality).

The contents of the resulting sig_libsftp.jar will look like this:

    .license
    com
    HTTPClient
    info
    META-INF (this folder will contain digital signatures - files SFTPATTA.DSA and SFTPATTA.SF)
    org
    ssh_key (the provided key - only present in case you added a private key - see previous chapter for more info)


Remark: You have to(!) re-sign the library in case you changed or deleted the private key. Otherwise the digital signature would not match if you changed the private key, or the Java Runtime would report a missing file if you deleted it. You can check the validity of the whole file using this command (the JDK needs to be in PATH):

    jarsigner -verify sig_libsftp.jar
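The two previous chapters describe three states a jar can end up in: ssh_key added with jar -uf but never signed, ssh_key replaced after signing, and ssh_key deleted after signing. The example below (added here, not code from the library or from jarsigner) models the manifest layer of a signed jar to show why each of them fails the check: jarsigner records a SHA1-Digest for every entry in META-INF/MANIFEST.MF, and an entry that is absent from, or does not match, that list is exactly what jarsigner -verify and Web Start complain about. The library contents, class bytes and key material are constructed dummies, and the .SF and .DSA files (SFTPATTA.SF and SFTPATTA.DSA in the real sig_libsftp.jar) are deliberately not reproduced, so this checks manifest consistency only, not the certificate signature itself.

```python
import base64
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"

# Constructed stand-in for the library contents (class bytes are dummies).
LIBRARY = {
    ".license": b"license texts of the bundled libraries\n",
    "com/hp/ftpclient/Dummy.class": b"\xca\xfe\xba\xbe constructed class bytes",
    "info/skolnik/Dummy.class": b"\xca\xfe\xba\xbe more constructed class bytes",
}
# Constructed key material, not a usable private key.
SSH_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n"
SSH_KEY_2 = b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-REPLACEMENT\n-----END RSA PRIVATE KEY-----\n"


def _sha1_b64(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_signed_jar(entries: dict) -> bytes:
    """Write a jar whose MANIFEST.MF carries a SHA1-Digest for every entry, the
    way jarsigner records them (the .SF/.DSA files are not reproduced here)."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in sorted(entries.items()):
        lines += [f"Name: {name}", f"SHA1-Digest: {_sha1_b64(data)}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, "\r\n".join(lines) + "\r\n")
        for name, data in sorted(entries.items()):
            zf.writestr(name, data)
    return buf.getvalue()


def update_jar(jar: bytes, add=None, remove=()) -> bytes:
    """Add/replace/remove entries without touching the manifest, which is what
    'jar -uf libsftp.jar ssh_key' or deleting ssh_key by hand does."""
    add = add or {}
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar)) as src, zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename not in remove and info.filename not in add:
                dst.writestr(info.filename, src.read(info.filename))
        for name, data in add.items():
            dst.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Map entry name -> SHA1-Digest from the manifest's named sections.
    Continuation lines (leading space) are joined as the jar format requires."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    digests, name = {}, None
    for line in lines:
        if not line.strip():
            name = None
        elif line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name is not None:
            digests[name] = line[len("SHA1-Digest: "):]
    return digests


def verify_manifest(jar: bytes) -> list:
    """Check every entry against the manifest digests. An empty list means the
    jar is consistent; otherwise each string names one entry and its defect."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        names = set(zf.namelist())
        digests = parse_manifest(zf.read(MANIFEST).decode("utf-8"))
        for name, expected in digests.items():
            if name not in names:
                problems.append(f"{name}: listed in manifest but missing from jar")
            elif _sha1_b64(zf.read(name)) != expected:
                problems.append(f"{name}: digest mismatch, entry changed after signing")
        for name in sorted(names - set(digests)):
            if not name.startswith("META-INF/"):
                problems.append(f"{name}: not covered by manifest (unsigned entry)")
    return problems


if __name__ == "__main__":
    signed = build_signed_jar(LIBRARY)
    print("signed library:", verify_manifest(signed) or "OK")
    print("after jar -uf ssh_key:", verify_manifest(update_jar(signed, add={"ssh_key": SSH_KEY})))
    resigned = build_signed_jar({**LIBRARY, "ssh_key": SSH_KEY})
    print("re-signed with key:", verify_manifest(resigned) or "OK")
    print("key replaced:", verify_manifest(update_jar(resigned, add={"ssh_key": SSH_KEY_2})))
    print("key deleted:", verify_manifest(update_jar(resigned, remove=("ssh_key",))))
```

verify_manifest can also be pointed at a real sig_libsftp.jar read from disk to see which entry jarsigner -verify is going to reject, since the manifest section names are the same ones jarsigner writes; only the certificate check on the .SF/.DSA pair is left to jarsigner itself.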

Setup

Once you have the library installed, the functionality is set up from the original attachments applet in the Administrator Console (in 4.5: Tools -> System -> System Panel -> Attachment Settings):


My advice would be to point the attachments at the same target they had with FTP, that is, make the attachments folder available through SFTP so that you can still access the existing attachments. To test the setup you have the Test Connection button available in the applet, which works the same way as with the original FTP.

There is also a command line utility for testing the library (before you distribute it to clients). It is run by TestConnection_MS_JVM.bat for Microsoft JVM or TestConnection_Sun_JVM.[bat|sh] for Sun JVM, and if everything works OK it should produce output similar to this (this is an example with public key authentication):


Testing 4.5 version
 -> 2008.03.19 13:46:56 [1ms]   Attachments over SFTP for HP OpenView ServiceDesk 4.5 & 5.x - version 0.50, (C)Radovan Skolnik, radovan@skolnik.info
 -> 2008.03.19 13:46:56 [0ms]   This is a demo version that permits 5 attachment operations per session
 -> 2008.03.19 13:46:56 [1ms]   using username/password authentication
 -> 2008.03.19 13:47:01 [4797ms]        connected to 192.168.114.129:22 (s2ccipher=aes128-cbc c2scipher=aes128-cbc s2cmac=hmac-md5 c2smac=hmac-md5 inflater=none deflater=none)
 -> 2008.03.19 13:47:01 [312ms] SFTP channel opened
 -> 2008.03.19 13:47:02 [95ms]  chdir /c/SD_ATTACHMENTS OK
 -> 2008.03.19 13:47:02 [269ms] ls /c/SD_ATTACHMENTS OK
    drwxrwxrwx  544     513     0       1970-01-14 23:58:50     .
    drwxrwxrwx  544     0       0       1970-01-14 23:58:50     ..
    drwxrwxrwx  544     513     0       1970-01-14 23:48:59     ConfigurationItem
    drwxrwxrwx  544     513     0       1970-01-14 23:50:58     Person
 -> 2008.03.19 13:47:02 [47ms]  mkdir SFTP_TEST OK
 -> 2008.03.19 13:47:02 [105ms] chdir SFTP_TEST OK
 -> 2008.03.19 13:47:02 [87ms]  chdir .. OK
 -> 2008.03.19 13:47:02 [44ms]  rmdir SFTP_TEST OK
 -> 2008.03.19 13:47:02 [0ms]   SFTP channel close OK
 -> 2008.03.19 13:47:02 [3ms]   SSH connection close OK
Succesful...


The library should work with any SSH server, especially on *nix platforms. For Windows there are a few alternatives:

Limitations

The demo version available for download only allows 5 upload/download/removal operations per session (that is, one SD client run). The full version has no limitations. Please contact me for info on licensing.

Download

You can download the zipped current version of the library with docs here: libsftp.zip

Future enhancements

A few of the things that may be worked on (depending on interest):

History

0.10 [03/05/2006]


0.20 [11/11/2007]


0.30 [21/01/2008]

  • added rename support needed for later SPs of 5.1 to migrate attachments to new structure
  • fixed a bug where connections to SSH servers were not closed (only SFTP tunnel was)


0.40 [03/03/2008]

  • added support for Client 2008 version and enhanced this docs
  • added support for finalize method allowing garbage collector to close all remaining connections


0.50 [14/03/2008]

  • updated the underlying SSH library to JSch 0.1.37, which results in (sometimes) dramatic speed improvements and much better compatibility with various SSH servers
  • cleaned up some code

0.60 [06/11/2008]

  • added support for Web Console

Acknowledgments

Code from the following projects has been used:

JSch 0.1.37

This library provides the core SSH (and SFTP) functionality. Some minor modifications were required to make it work correctly under MS JVM. License

The Bouncy Castle Crypto Package for J2ME v 1.32

This library provides the crypto functionality needed by JSch. Some modifications were required to make it work correctly under MS JVM. License

HTTPClient v 0.3-3 by Ronald Tschalär

This is a very nice HTTP client library. However, only its URI parsing is used here. License