• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

SFTP server DNS change requires a certificate upgrade?

 
Ranch Hand
Posts: 52
1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi All,

I have an SFTP (FTP over SSH) client that communicates with an SFTP server (MFT, Secure Transport from Axway). The SFTP (MFT) server is also hosted within my company (intranet).
The client application uses a certificate to establish a connection with the SFTP (MFT) server.

The SFTP (MFT) server has a domain name: mft.intranet.ABC.com Port: 22.

In the future the SFTP host name is going to be changed to: mft.intranet.XYZ.com Port: 22.

I have 2 questions:

Does the SFTP server uses a certificate? If yes, after the change in its DNS name, do we need to get a new certificate for the server?
Does the client also need to change the client certificate, since it now communicate with the same server but with different DNS?

Thanks.


 
Ranch Hand
Posts: 417
Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
SFTP usually uses public/private key pair, no certificate per say. Are you sure your client is using a certificate? Even then, the public/private key pair of the client should be retrieved from the certificate and it shouldn't make any difference.

It should be transparent.

If you changed the public/private key pair on the server without changing the hostname then you should get a warning since clients usually save the key fingerprint of the server to prevent man in the middle attacks but you would still be able to connect.
 
Norman Meister
Ranch Hand
Posts: 52
1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks for replying.


The client tool needs to be configured with:

Hostadresse: mft.intranet.ABC.com Port: 22
Username: YYY
Password: ***
Remote-Path: /toAmp or /fromAmp
Host-Key: “sshd.pub“ import

The Merlin Client also uses an Eignes/Own Certificate (.p12) and MFT certificate (.p7b) in order to complete the connection setup with MFT server.

In the future, Hostadresse would be lets say: mft.intranet.com Port: 22 i.e. without ABC.




A.J. Côté wrote:SFTP usually uses public/private key pair, no certificate per say. Are you sure your client is using a certificate? Even then, the public/private key pair of the client should be retrieved from the certificate and it shouldn't make any difference.

It should be transparent.

If you changed the public/private key pair on the server without changing the hostname then you should get a warning since clients usually save the key fingerprint of the server to prevent man in the middle attacks but you would still be able to connect.

 
A.J. Côté
Ranch Hand
Posts: 417
Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Norman Meister wrote:Thanks for replying.


The client tool needs to be configured with:

Hostadresse: mft.intranet.ABC.com Port: 22
Username: YYY
Password: ***
Remote-Path: /toAmp or /fromAmp
Host-Key: “sshd.pub“ import

The Merlin Client also uses an Eignes/Own Certificate (.p12) and MFT certificate (.p7b) in order to complete the connection setup with MFT server.

In the future, Hostadresse would be lets say: mft.intranet.com Port: 22 i.e. without ABC.



Based on the information you provide, it should work without any changes on the server nor client except the server host address on the client of course.
 
Norman Meister
Ranch Hand
Posts: 52
1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
so you are suggesting, if the DNS name of the SFTP (MFT) server changes, we do not need to change anything at the client side other than hostname change?

But then what are these client certificates for used by the client tool while establishing the connection?

Eignes/Own Certificate (.p12) and MFT certificate (.p7b)

To address the requirements a product named MeRLin from a provider named abc is used. MeRLin is a client application that is installed on end-user machines with a file-based data store sitting in a shared drive. The client exchanges messages with the external party using Managed File Transfer (aka MFT, Secure Transport). The MFT is hosted in a DMZ and is exposed over internet to a server sitting on external party side. Client communicates with MFT using SSH over FTP protocol and authenticates with it using certificates. The MFT in turn transmits the encrypted messages to external party server over a secured channel using certificates. Once messages are read by client, they are removed from MFT.

A.J. Côté wrote:

Norman Meister wrote:Thanks for replying.


The client tool needs to be configured with:

Hostadresse: mft.intranet.ABC.com Port: 22
Username: YYY
Password: ***
Remote-Path: /toAmp or /fromAmp
Host-Key: “sshd.pub“ import

The Merlin Client also uses an Eignes/Own Certificate (.p12) and MFT certificate (.p7b) in order to complete the connection setup with MFT server.

In the future, Hostadresse would be lets say: mft.intranet.com Port: 22 i.e. without ABC.



Based on the information you provide, it should work without any changes on the server nor client except the server host address on the client of course.

 
A.J. Côté
Ranch Hand
Posts: 417
Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Well, just test it. If there is a certificate on the server and that you need to change it, well change it.
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
reply
    Bookmark Topic Watch Topic
  • New Topic