Configuring an SFTP server for use with Adobe Launch

Ben Mills
Launch, by Adobe

This guide walks through the steps needed to configure an SFTP server for use in Launch. It assumes macOS for the local machine and Ubuntu 16.04 or newer with OpenSSH Server for the server. If you follow this guide using other systems or software, your mileage may vary.

Prerequisites

Local Machine

  • macOS
  • GPG Suite — Used for GPG key management and encryption. Available at https://gpgtools.org.
  • ssh-keygen — Used for generating an SSH key pair.

Server

  • Ubuntu >= 16.04
  • OpenSSH Server

Recommended Reading

Set up SSH keys

Launch requires key-based authentication for SFTP hosts.

Generate a new RSA SSH key pair

ssh-keygen -m PEM -t rsa -b 4096 -C "user@mydomain.com" -N '' -f ~/.ssh/id_rsa_launch_sftp

The result should resemble:

Generating public/private rsa key pair.
Your identification has been saved in /Users/you/.ssh/id_rsa_launch_sftp.
Your public key has been saved in /Users/you/.ssh/id_rsa_launch_sftp.pub.
The key fingerprint is:
SHA256:i1YzqYT/3j3jgRIf/4LKIRHatnK9HUP7sbLXE8CLn6U user@domain.com
The key's randomart image is:
+---[RSA 4096]----+
| |
| |
| . . |
| + . . o |
| o = S o. o |
| + B B.=. o |
| . O = *o+= . |
| + + *o=E=o |
| .*.+==+.. |
+----[SHA256]-----+

Two files will have been generated: ~/.ssh/id_rsa_launch_sftp, the private key, and ~/.ssh/id_rsa_launch_sftp.pub, the public key.

Configure the SFTP server

Create a new user on the SFTP server.

sudo useradd -d /home/launchsftp -m launchsftp

Check this was successful by running:

id launchsftp && ls -l /home

The result should resemble:

uid=1000(launchsftp) gid=1000(launchsftp) groups=1000(launchsftp)
total 4
drwxr-xr-x 2 launchsftp launchsftp 4096 Oct 29 15:19 launchsftp

Switch to the launchsftp user.

su - launchsftp

Create the .ssh directory and an authorized_keys file in it.

mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys

Ensure the correct permissions are set.

chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys

Back on your local machine, copy the public key to your clipboard.

cat ~/.ssh/id_rsa_launch_sftp.pub | pbcopy

Return to the SFTP server as the launchsftp user. Using an editor, open .ssh/authorized_keys and paste in the public key. Save and close the file.

Next, test the SFTP configuration from your local machine.

ssh -i ~/.ssh/id_rsa_launch_sftp launchsftp@myhost.mydomain.com

If successful, you’ll see a shell prompt, e.g. $ or launchsftp@myhost:~$. Now you’re ready to configure Launch to use this SFTP server.

Configure Launch SFTP

Obtain the Launch GPG Key

Download the production Launch GPG key from https://developer.adobelaunch.com/api/guides/encrypting_values/#obtain-the-public-gpg-key

Import the GPG key.

gpg --import launch@adobe.com_pub.gpg

The result should resemble:

gpg: key 8D757616FB3A784A: public key "Adobe Launch Data Encryption <launch@adobe.com>" imported
gpg: Total number processed: 1
gpg: imported: 1

Verify the key was successfully imported.

gpg --list-keys

Ensure the following is shown:

pub   rsa4096 2017-11-02 [SC]
      2F65635688B5EA5C72A191228D757616FB3A784A
uid           [ unknown] Adobe Launch Data Encryption <launch@adobe.com>
sub   rsa4096 2017-11-02 [E]

Encrypt the private SSH key using GPG

Use GPG to encrypt the private SSH key, setting the recipient to Adobe Launch Data Encryption <launch@adobe.com>, so the private key may only be decrypted for use by the Launch system.

NOTE: Set the recipient (-r) to the full key name and email address as shown for the value of uid in the output of gpg --list-keys. Do not include the trust level in this value ([ unknown]).

cat ~/.ssh/id_rsa_launch_sftp | gpg --armor --encrypt -r "Adobe Launch Data Encryption <launch@adobe.com>" --trust-model always

Retain this output for use in the next step. We’ll copy the result into the Launch interface when creating a Host.
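Because -r selects the recipient by user ID and --trust-model always skips validity checks, any key in the keyring carrying that user ID can be selected. The following added example (not part of the original guide) refuses to encrypt unless exactly one key matches the user ID and its fingerprint equals the one shown in the gpg --list-keys output above; the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: confirm that the only key
# matching the Launch user ID has the fingerprint shown by `gpg --list-keys`
# above before encrypting with --trust-model always.
EXPECTED_FPR="2F65635688B5EA5C72A191228D757616FB3A784A"   # from this guide
LAUNCH_UID="Adobe Launch Data Encryption <launch@adobe.com>"

# Reads `gpg --with-colons --fingerprint` output on stdin and prints the
# fingerprint (field 10 of the fpr record) of each primary key, skipping subkeys.
primary_fprs() {
  awk -F: '$1 == "pub" { p = 1 }
           $1 == "sub" { p = 0 }
           $1 == "fpr" && p { print $10; p = 0 }'
}

# Succeeds only if stdin holds exactly one fingerprint and it equals $1.
only_expected() {
  fprs=$(cat)
  count=$(printf '%s\n' "$fprs" | awk 'NF { n++ } END { print n + 0 }')
  [ "$count" -eq 1 ] && [ "$fprs" = "$1" ]
}

# Encrypts the private key file $1 for Launch, or refuses if the check fails.
encrypt_for_launch() {
  if gpg --with-colons --fingerprint "$LAUNCH_UID" | primary_fprs |
       only_expected "$EXPECTED_FPR"; then
    gpg --armor --encrypt -r "$LAUNCH_UID" --trust-model always < "$1"
  else
    echo "refusing: keys matching '$LAUNCH_UID' are not exactly the expected one" >&2
    return 1
  fi
}

# Constructed sample listings (timestamps and the second key are made up).
GOOD_LISTING='pub:-:4096:1:8D757616FB3A784A:1509580800:::-:::scESC:
fpr:::::::::2F65635688B5EA5C72A191228D757616FB3A784A:
uid:-::::1509580800::::Adobe Launch Data Encryption <launch@adobe.com>:
sub:-:4096:1:0000000000000000:1509580800::::::e:
fpr:::::::::0000000000000000000000000000000000000000:'
LOOKALIKE_LISTING='pub:-:4096:1:AAAAAAAAAAAAAAAA:1700000000:::-:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:-::::1700000000::::Adobe Launch Data Encryption <launch@adobe.com>:'
```

After sourcing the file, run encrypt_for_launch ~/.ssh/id_rsa_launch_sftp in place of the one-line command above.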

Create the Host in Launch

Open https://launch.adobe.com, sign in, and navigate to the Property where you’d like to add an SFTP host. Next, go to the Hosts section and click Add Host. This page asks for some information needed to create the Host.

  • Name — The name of the Host. Set this to Example SFTP.
  • Type — The type of the Host. Set this to SFTP.
  • Host — The externally accessible hostname or IP address of the SFTP server.
  • Path — The location relative to the launchsftp user’s root directory where Launch will deliver files. Set this to launch-example.
  • Port — The port of the SFTP server. Typically this is 22.
  • Username — The username of the SFTP user. Set this to launchsftp.
  • Encrypted Private Key — The encrypted version of the private key from the pair whose public key was added to the launchsftp user’s authorized_keys file on the SFTP server. Set this to the output from the “Encrypt the private SSH key using GPG” step.

The result should resemble the following:

[Screenshot: Create a Host]

Next, click Save. You’ll then see a pending indicator while Launch tests the SFTP configuration.

If successful, you’ll be presented with a list of SFTP hosts. If you’d like to make sure everything went well, select Example SFTP. Connection status should now be Success.

Return to the SFTP server as the launchsftp user and run ls -l.

The result should resemble:

drwxrwxr-x 2 launchsftp launchsftp 4096 Oct 29 15:54 launch-example

This indicates Launch was able to successfully connect and deliver files to your SFTP server.

Next Steps

For increased security of your SFTP server, consider:

  • Setting up a firewall
  • Disabling password authentication
  • Narrowing SFTP access with chroot
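
To check whether the last two items are actually in effect for the launchsftp user, the following added example (not part of the original guide) audits the effective sshd configuration. The ForceCommand check is an assumption about how an upload-only account is usually restricted, and the sample settings, including the /srv/sftp/launchsftp path, are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: check the effective sshd settings
# for the launchsftp user against the "Next Steps" list. Pipe in the output of
#   sudo sshd -T -C user=launchsftp,host=HOST,addr=ADDR
# where HOST and ADDR are placeholders for a client hostname and IP address.

# Prints one FAIL line per finding; exit status is non-zero if any were found.
audit_sshd() {
  awk '
    { key = tolower($1); $1 = ""; sub(/^ +/, ""); val[key] = $0 }
    END {
      if (val["passwordauthentication"] != "no") {
        print "FAIL password authentication is not disabled"; bad++
      }
      if (val["chrootdirectory"] == "" || val["chrootdirectory"] == "none") {
        print "FAIL no ChrootDirectory applies to this user"; bad++
      }
      # Assumption: an upload-only account should be limited to the SFTP subsystem.
      if (val["forcecommand"] !~ /^internal-sftp( |$)/) {
        print "FAIL ForceCommand internal-sftp is not set"; bad++
      }
      exit (bad ? 1 : 0)
    }'
}

# Constructed samples in `sshd -T` format (lower-case keyword, then value).
SSHD_DEFAULT='port 22
passwordauthentication yes
chrootdirectory none
forcecommand none'
SSHD_HARDENED='port 22
passwordauthentication no
chrootdirectory /srv/sftp/launchsftp
forcecommand internal-sftp'
```

Once ForceCommand internal-sftp applies, the ssh login test used earlier no longer yields a shell prompt, so test with sftp -i instead. sshd also requires every component of the ChrootDirectory path to be owned by root and not writable by any other user or group.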

Published in Launch, by Adobe

News, updates, and thoughts related to Launch - the modern, extensible tag management system from Adobe.

Written by Ben Mills

Senior Software engineer at Adobe, of the polyglot variety, working on Adobe Experience Platform Launch.
