Attachments over SFTP for HP OpenView ServiceDesk 4.5 and 5.x

version 0.60 [6th of November, 2008]

created by Radovan Skolnik,


This is not HP product and is in no way supported by HP. Try and use it at your own risk.



It is widely known that attachments in HPOVSD 4.5 and 5.x are stored and retrieved in/from FTP server. This has been causing many concerns by security admins who usually banned FTP long time ago. What isn't known that much is that you need to enable access to that FTP from every location where you plan to use SD clients as the attachment transfers happen directly between clients and attachment store - the SD server is only involved with generating OIDs, the transfers occur between FTP server and clients directly which results in requirement to open ports used by FTP to all clients.

As HP does not provide any real alternative this is an independent attempt to provide one which overcomes the necessity of outdated FTP. In 5.1 HP introduced a secure option for attachments. However that is only FTPS - FTP protocol where connections are secured by SSL (it requires to have FTP server that supports this feature - how common is this on Unixes?). This library provides a way to store attachments on SSH server - that is it supports SFTP. SSH is usually considered far more secure (and managable - security wise) than FTP.



This library provides replacement of functionality originally provided in lib\libftp.jar in 4.5 (both on SD client and server) and in OvObsFtp.jar in 5.x (on client, server and in WebStart installation as well) to be able to store and retrieve attachments in/from SSH server over SFTP (that is FTP over SSH). It provides 2 authentication methods: username/password and public key. It provides TripleDES, BlowFish and AES-128/192/256 ciphers, and SHA1, SHA1-96, MD5, MD5-96 MACs .


Contents of the package

The downloadable package contains these files:

docs (folder that contains files with license information of used libraries and some pictures used in this readme ;-)

webstart (folder that contains files that need to be replaced in order to make client WebStart distribution (in 5.x) work with the library)

updatesite (folder that contains configuration files needed to distribute the library for Client 2008)

libsftp.jar (this file is throughout this readme referred as "the library" as it contains all the functionality)

readme.html (this very file you are reading)

SignJAR.[bat|sh] (helper file for 5.x to let you sign the .jar archive with the library (needed for 5.x))

TestConnection_MS_JVM.bat (helper file for to let you test the connection from command line using Microsoft JVM)

TestConnection_Sun_JVM.[bat|sh] (helper file to let you test the connection from command line using Sun JVM)

TestRSADSAKey.[bat|sh] (helper file to test if the provided private key is acceptable (needed for public key authentication with passphrase))


Installation for 4.5

Legacy client (MS JVM)

During the existence of HPOVSD 4.5 there have been many Service Packs (SPs) that fixed bugs and added new functionality. The FTP functionality has been fixed (or upgraded?) as well so the functionality being used currently does not reside in libftp.jar but in the servicepack.jar (check the com.hp.ftpclient there). That is why replacing the libftp.jar would not work. So there are these installation options:


v     The easiest way is to rename the library to hotfix.jar and put it into lib directory of the client (usually C:\Program Files\Hewlett-Packard\OpenView\service desk 4.5\client\lib). You can put it into lib directory of the server as well but it is only used there if you use WEB-API for working with attachments. From SP13 you can use the Remote Updater (Tools -> System -> System Panel -> General Settings -> Remote Updater) functionality to distribute the file to all clients. Just go there, enable hotfix.jar distribution and select the file provided.

v     The other way is to keep the name libsftp.jar (you may want to do this to be able to continue using hotfix.jar provided by HP). In order to be used you will have to modify the sd_client.bat and sd_client.ini files (usually residing C:\Program Files\Hewlett-Packard\OpenView\service desk 4.5\client\bin) on all clients. In both there is line that starts jview /cp lib\hotfix.jar;lib\servicepack.jar; You need to modify it so that it starts with jview /cp lib\libsftp.jar;lib\hotfix.jar;lib\servicepack.jar; and put libsftp.jar into lib directory of the SD client. This way you ensure that classes from the library are used (and not the ones in servicepack.jar or hotfix.jar)


Client 2008 (Sun JVM)

After years of waiting HP released new client (called Client 2008) based on Eclipse platform (a personal note here: it requires company such HP to invest considerable amount of work to build something on great truly multiplatform base and screw it by using platform-specific calls here and there and thus preventing running it on any other OS than Windows...) The updates are distributed differently here than in old client. You need to setup update site (simple HTTP server) that will contain future service packs and hotfixes (read documentation available with Client 2008 for details). We will use this mechanism to distribute the library as hotfix (it will actually mimic SP40 which is high enough so that 4.5 will probably never see a real one of that number ;-). The site.xml contains refernces to 2 features supported by Client 2008: servicepack and hotfix. Just make sure that hotfix one references the one provided in the provided sample. So the line should look like this:

    <feature url="features/com.hp.hotfix.feature_45.40.0.jar" id="com.hp.hotfix.feature" version="45.40.0">
      <category name="Service Desk Product"/>

Also you need to copy the library (after embedding the SSH key if you want to use public key authentication) to updatesite/plugins/ under the name com.hp.libftp_45.40.0.jar

If you did everything correctly you should be able to update the client. If you do it interactively (Help -> Update...) you should see this:


Web Console

If you are using Web Console you need to unpack the contents of the libsftp.jar (which is just zip file) to %WebConsoleHome%/SIP/webapps/ovportal/WEB-INF/classes/. Restart Tomcat. Done.


Installation for 5.x

In 5.x the service packs are not distributed as servicepack.jar (as in 4.5). Instead newer versions of the original .jar files are distributed. There are basically 2 options of how to install the client (and thus 2 different way to introduce SFTP library into it):

Web Start installation

The client is installed by clicking on .jnlp link on ServiceDesk's web page. That starts installation via Web Start mechanism (you need to have Java Runtime installed for this to work). All required files are downloaded to Web Start folder (usually somewhere in your home directory - not important where). Every time the client is started it checks the server if any files have been updated. This is the key for replacing standard FTP with SFTP.

On the server in %sd_server_home%/www/webstart/ you need to replace objectserver.jnlp and add libsftp.jnlp (they are located in webstart folder of the archive) and put signed library (named sig_sftplib.jar - otherwise edit the libsftp.jnlp and provide correct name) into %sd_server_home%/www/webstart/nonOV/

Local installation & WEB-API

If you install client(s) locally (I suggest using Web Start for it's ability to automatically update the installation) you need to replace files manually. All you need to replace is all occurences of OvObsFtp.jar with the library (that is rename the library to OvObsFtp.jar and replace all files with that name in your installation). This also applies to server installation in case you want to work with attachments via WEB-API.

Remark: For Web Start functionality the library has(!) to be signed by digital certificate! See further chapter for info on how to sign the library.


Embedding SSH key into the library

If you want to use public key authentication you need to provide the private key (usually the file named id_dsa or id_rsa) to the library (for configuring your SSH server to support this method, please consult it's documentation. For OpenSSH check here for some howto: This is done by adding the private key into the root of the archive under the name ssh_key using this command (you will need to have Java SDK in PATH for this to work): jar -uf libsftp.jar ssh_key

The contents of the resulting libsftp.jar will look like this:





META-INF (this folder will contain digital signatures)


ssh_key (the provided key)

In case you want to switch back to username/password authentication just delete the entry from the .jar filethe easiest way is to switch back to original version of the library (otherwise delete the added ssh_key from the library and re-sign it if it has been signed).

Digitally signing the library

If you want to use the Web Start functionality of 5.x (so this chapter is irrelevant for 4.5), all the entries in the .jar file have to be digitally signed (that includes the embedded key if there is one). The original file is signed by HP, the replacement will be signed by me ;-) You only need to re-sign the library in case you added private key to it (se previous chpater) - otherwise the file is already signed. To make this easier I created a script that makes this easier. It is called SignJAR.[bat|sh]. It accepts one file as input (the library with private key embedded) and provides signed version of it with the same name preceded by sig_ So in case you haven't changed the filename it would be sig_libsftp.jar (this filename is expected by provided .jnlp files for Web Start functionality).

The contents of the resulting sig_libsftp.jar will look like this:





META-INF (this folder will contain digital signatures - files SFTPATTA.DSA and SFTPATTA.SF)


ssh_key (the provided key - will only be present in case you added private key - see previous chapter fo rmore info)

Remark: You have to(!) re-sign the library in case you changed or deleted the private key. Otherwise the digital signature wouldn't match in case you changed the priavte key or the Java Runtime would report missing file in case you deleted the private key. You can check the validity of whole file using this command (JDK needs to be in path): jarsigner -verify sig_libsftp.jar


Once you have the library installed the functionality is set up from the original attachments applet in Administrator Console (in 4.5: Tools -> System -> System Panel -> Attachment Settings):

My advice would be to set up the attachments to the same target as they have been with FTP - that is make the attachments folder available through SFTP so that you still can access the existing attachments. To test the setup you have the Test Connection button available in the applet that works the same way as with original FTP.

There is also command line version utility for testing the library (before you distribute it to clients). It is run by TestConnection_MS_JVM.bat for Microsoft JVM or TestConnection_Sun_JVM.[bat|sh] for Sun JVM and if everything works OK it should provide output similar to this (this is example with public key authentication ):


Testing 4.5 version
 -> 2008.03.19 13:46:56 [1ms]   Attachments over SFTP for HP OpenView ServiceDesk 4.5 & 5.x - version 0.50, (C)Radovan Skolnik,
 -> 2008.03.19 13:46:56 [0ms]   This is a demo version that permits 5 attachment operations per session
 -> 2008.03.19 13:46:56 [1ms]   using username/password authentication
 -> 2008.03.19 13:47:01 [4797ms]        connected to (s2ccipher=aes128-cbc c2scipher=aes128-cbc s2cmac=hmac-md5 c2smac=hmac-md5 inflater=none deflater=none)
 -> 2008.03.19 13:47:01 [312ms] SFTP channel opened
 -> 2008.03.19 13:47:02 [95ms]  chdir /c/SD_ATTACHMENTS OK
 -> 2008.03.19 13:47:02 [269ms] ls /c/SD_ATTACHMENTS OK
    drwxrwxrwx  544     513     0       1970-01-14 23:58:50     .
    drwxrwxrwx  544     0       0       1970-01-14 23:58:50     ..
    drwxrwxrwx  544     513     0       1970-01-14 23:48:59     ConfigurationItem
    drwxrwxrwx  544     513     0       1970-01-14 23:50:58     Person
 -> 2008.03.19 13:47:02 [47ms]  mkdir SFTP_TEST OK
 -> 2008.03.19 13:47:02 [105ms] chdir SFTP_TEST OK
 -> 2008.03.19 13:47:02 [87ms]  chdir .. OK
 -> 2008.03.19 13:47:02 [44ms]  rmdir SFTP_TEST OK
 -> 2008.03.19 13:47:02 [0ms]   SFTP channel close OK
 -> 2008.03.19 13:47:02 [3ms]   SSH connection close OK

The library should work with any SSH server - especially on *nix platforms. For Windows there are few alternatives:


The demo version downloadable only allows 5 upload/download/removal operations per session (that means on one SD client run). Full version has no limitations. Please contact me for info on licensing.


You can download zipped current version of the library with docs here:

Future enhancements

Few of the things that may be worked on (depends on interest):


0.10 [03/05/2006]

0.20 [11/11/2007]

0.30 [21/01/2008]

  • added rename support needed for later SPs of 5.1 to migrate attachments to new structure
  • fixed a bug where connections to SSH servers were not closed (only SFTP tunnel was)

0.40 [03/03/2008]

  • added support for Client 2008 version and enhanced this docs
  • added support for finalize method allowing garbage collector to close all remaining connections

0.50 [14/03/2008]

  • updated the underlying SSH library to JSch 0.1.37 which results into (sometimes) dramatic speed improvements and much better compatibility with various SSH servers
  • cleaned up some code

0.60 [06/11/2008]

  • added support for Web Console


The code from following projects has been used:

JSch 0.1.37

This library provides core SSH (and SFTP) functionality. Some minor modifications were required to make it work correctly under MS JVM. License

The Bouncy Castle Crypto Package for J2ME v 1.32

This library provides crypto functionality needed for JSch. Some modifications were required to make it work correctly under MS JVM. License

HTTPClient v 0.3-3 by Ronald Tschalär

This is very nice HTTP client library. However only URI parsing is used from this. License