Configuring an SFTP server for use with Adobe Launch
This guide will walk through the necessary steps to configure an SFTP server for use in Launch. This guide assumes the use of macOS for the local machine environment and Ubuntu 16.04 or newer, with OpenSSH Server for the server environment. If attempting to follow this guide using other systems or software, your mileage may vary.
Prerequisites
Local Machine
- macOS
- GPG Suite — Used for GPG key management and encryption. Available at https://gpgtools.org.
- ssh-keygen — Used for generating an SSH key pair.
Server
- Ubuntu >= 16.04
- OpenSSH Server
Set up SSH keys
Launch requires key-based authentication for SFTP hosts.
Generate a new RSA SSH key pair
ssh-keygen -m PEM -t rsa -b 4096 -C "user@mydomain.com" -N '' -f ~/.ssh/id_rsa_launch_sftp
The result should resemble:
Generating public/private rsa key pair.
Your identification has been saved in /Users/you/.ssh/id_rsa_launch_sftp.
Your public key has been saved in /Users/you/.ssh/id_rsa_launch_sftp.pub.
The key fingerprint is:
SHA256:i1YzqYT/3j3jgRIf/4LKIRHatnK9HUP7sbLXE8CLn6U user@domain.com
The key's randomart image is:
+---[RSA 4096]----+
| |
| |
| . . |
| + . . o |
| o = S o. o |
| + B B.=. o |
| . O = *o+= . |
| + + *o=E=o |
| .*.+==+.. |
+----[SHA256]-----+
Two files will have been generated: ~/.ssh/id_rsa_launch_sftp, the private key, and ~/.ssh/id_rsa_launch_sftp.pub, the public key.
Configure the SFTP server
Create a new user on the SFTP server.
sudo useradd -d /home/launchsftp -m launchsftp
Check this was successful by running:
id launchsftp && ls -l /home
The result should resemble:
uid=1000(launchsftp) gid=1000(launchsftp) groups=1000(launchsftp)
total 4
drwxr-xr-x 2 launchsftp launchsftp 4096 Oct 29 15:19 launchsftp
Switch to the launchsftp user. The account was created without a password, so switch to it through sudo.
sudo su - launchsftp
Create the .ssh directory and an authorized_keys file in it.
mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys
Ensure the correct permissions are set.
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
Back on your local machine, copy the public key to your clipboard.
cat ~/.ssh/id_rsa_launch_sftp.pub | pbcopy
Return to the SFTP server as the launchsftp user. Using an editor, open .ssh/authorized_keys and paste in the public key. Save and close the file.
Next, test the SFTP configuration.
ssh -i ~/.ssh/id_rsa_launch_sftp launchsftp@myhost.mydomain.com
If successful, you’ll see a shell prompt, e.g. $ or launchsftp@myhost:~$. Now you’re ready to configure Launch to use this SFTP server.
Configure Launch SFTP
Obtain the Launch GPG Key
Download the production Launch GPG key from https://developer.adobelaunch.com/api/guides/encrypting_values/#obtain-the-public-gpg-key
Import the GPG key.
gpg --import launch@adobe.com_pub.gpg
The result should resemble:
gpg: key 8D757616FB3A784A: public key "Adobe Launch Data Encryption <launch@adobe.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
Verify the key was successfully imported.
gpg --list-keys
Ensure the following is shown:
pub rsa4096 2017-11-02 [SC]
2F65635688B5EA5C72A191228D757616FB3A784A
uid [ unknown] Adobe Launch Data Encryption <launch@adobe.com>
sub rsa4096 2017-11-02 [E]
Encrypt the private SSH key using GPG
Use GPG to encrypt the private SSH key, setting the recipient to Adobe Launch Data Encryption <launch@adobe.com>, so the private key may only be decrypted for use by the Launch system.
NOTE: Set the recipient (-r) to the full key name and email address as shown for the value of uid in the output of gpg --list-keys. Do not include the trust level in this value ([ unknown]).
cat ~/.ssh/id_rsa_launch_sftp | gpg --armor --encrypt -r "Adobe Launch Data Encryption <launch@adobe.com>" --trust-model always
Retain this output for use in the next step. We’ll copy the result into the Launch interface when creating a Host.
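Because --trust-model always makes GPG skip its trust check, the fingerprint printed by gpg --list-keys is the only thing tying the recipient to Adobe's key. The script below is an added example, not part of the original guide: it refuses to encrypt unless exactly one matching key exists and its fingerprint equals the one listed above. The function names and the sample colon listing are constructed for illustration, and it addresses the recipient by fingerprint rather than by uid.

```shell
#!/bin/sh
# Added example: pin the recipient fingerprint before encrypting.
# The expected value is the fingerprint shown in this guide's `gpg --list-keys` output.
EXPECTED_FPR="2F65635688B5EA5C72A191228D757616FB3A784A"

# Read `gpg --with-colons --fingerprint` output on stdin and print the
# fingerprint of every primary key: the "fpr" record right after each "pub".
primary_fprs() {
  awk -F: '$1 == "pub" { want = 1; next }
           $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if the listing on stdin holds exactly one primary key and its
# fingerprint equals $1. Two matching keys (a look-alike uid) fail the check.
fpr_matches() {
  got=$(primary_fprs)
  [ -n "$got" ] && [ "$got" = "$1" ]
}

# Encrypt the private key file ($1) for Launch only after the check passes.
encrypt_for_launch() {
  if ! gpg --with-colons --fingerprint "launch@adobe.com" | fpr_matches "$EXPECTED_FPR"; then
    echo "recipient fingerprint mismatch: not encrypting" >&2
    return 1
  fi
  # Select the recipient by fingerprint so the uid string cannot pick another key.
  gpg --armor --encrypt -r "$EXPECTED_FPR" --trust-model always < "$1"
}

# Constructed sample of colon-format output (record shape only, fields abbreviated).
SAMPLE_LISTING='pub:-:4096:1:8D757616FB3A784A:1509580800:::-:::scESC:
fpr:::::::::2F65635688B5EA5C72A191228D757616FB3A784A:
uid:-::::1509580800::::Adobe Launch Data Encryption <launch@adobe.com>:
sub:-:4096:1:0000000000000000:1509580800::::::e:
fpr:::::::::0000000000000000000000000000000000000000:'

printf '%s\n' "$SAMPLE_LISTING" | fpr_matches "$EXPECTED_FPR" && echo "sample listing: fingerprint OK"
```

With the functions loaded, encrypt_for_launch ~/.ssh/id_rsa_launch_sftp produces the same armored output as the command above.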
Create the Host in Launch
Open https://launch.adobe.com, sign in, and navigate to the Property where you’d like to add an SFTP host. Next, go to the Hosts section and click Add Host. This page asks for some information needed to create the Host.
- Name — The name of the Host. Set this to Example SFTP.
- Type — The type of the Host. Set this to SFTP.
- Host — The externally accessible hostname or IP address of the SFTP server.
- Path — The location relative to the launchsftp user’s root directory where Launch will deliver files. Set this to launch-example.
- Port — The port of the SFTP server. Typically this is 22.
- Username — The username of the SFTP user. Set this to launchsftp.
- Encrypted Private Key — The encrypted version of the private key from the pair whose public key was added to the launchsftp user’s authorized_keys file on the SFTP server. Set this to the output from the “Encrypt the private SSH key using GPG” step.
The result should resemble the following:
Next, click Save. You’ll then see a pending indicator while Launch tests the SFTP configuration.
If successful, you’ll be presented with a list of SFTP hosts. If you’d like to make sure everything went well, select Example SFTP. Connection status should now be Success.
Return to the SFTP server as the launchsftp user and run ls -l.
The result should resemble:
drwxrwxr-x 2 launchsftp launchsftp 4096 Oct 29 15:54 launch-example
This indicates Launch was able to successfully connect and deliver files to your SFTP server.
Next Steps
For increased security of your SFTP server consider:
- Setting up a firewall
- Disabling password authentication
- Narrowing SFTP access with chroot.
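The last two items can be handled together in one sshd_config stanza. The script below is an added example, not part of the original guide, to be run as root on the server. The function names are hypothetical, chrooting to the home directory (%h) and the two forwarding lines are assumptions beyond what the guide lists, and PasswordAuthentication is disabled here for launchsftp only.

```shell
#!/bin/sh
# Added example: restrict launchsftp to key-only, chrooted SFTP. Run as root.

# Print an sshd_config stanza for user $1. A Match block runs to the end of
# the file, so append it after all global settings in /etc/ssh/sshd_config.
sftp_stanza() {
  cat <<EOF
Match User $1
    PasswordAuthentication no
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# sshd rejects a ChrootDirectory that is writable by group or others (it must
# also be owned by root). Succeeds only when neither write bit is set on $1.
chroot_mode_ok() {
  [ -d "$1" ] && [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Hand the home directory to root and pre-create the delivery directory, which
# the SFTP user can no longer create at the top level of the chroot.
# $1 = user, $2 = home directory, $3 = the Path value entered in Launch.
# ~/.ssh stays owned by the user; sshd accepts a root-owned home directory.
prepare_chroot() {
  chown root:root "$2" && chmod 755 "$2" &&
    mkdir -p "$2/$3" && chown "$1:$1" "$2/$3" &&
    chroot_mode_ok "$2"
}

# Apply once, then validate the config before reloading the service.
harden_launchsftp() {
  prepare_chroot launchsftp /home/launchsftp launch-example || return 1
  grep -q '^Match User launchsftp$' /etc/ssh/sshd_config ||
    sftp_stanza launchsftp >> /etc/ssh/sshd_config
  sshd -t && systemctl reload ssh
}
```

Once ForceCommand internal-sftp is active, the earlier ssh -i test no longer yields a shell prompt; test with sftp -i ~/.ssh/id_rsa_launch_sftp launchsftp@myhost.mydomain.com instead.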