Pentaho offers a step that handles the process of connecting to an SFTP server and putting and getting files, and (as always) orchestrating the steps leading up to and after the file transfer. Â The step relies on the Java implementation of the SSH2 connectors done by the good folk at JCRAFT ( http://www.jcraft.com/jsch/ ) and uses the underlying Java policy files. Â However, due to US export restrictions, the default policy files only support a max key length of 128bits. Â As encryption strength ramps up in response to increased security concerns, this can lead to the SFTP step trying to connect to a server that refuses to accept a 128bit key. The following error will appear in the logs:
2017/04/05 09:41:33 - 2017/04/05 09:41:33 - get sftp (server) - ERROR (version 6.1.0.9-307, build 1 from 2016-12-14 10.21.12 by buildguy) : org.pentaho.di.core.exception.KettleJobException: 2017/04/05 09:41:33 - 2017/04/05 09:41:33 - get sftp (server) - com.jcraft.jsch.JSchException: Algorithm negotiation fail 2017/04/05 09:41:33 - 2017/04/05 09:41:33 - get sftp (server) - Algorithm negotiation fail 2017/04/05 09:41:33 - 2017/04/05 09:41:33 - get sftp (server) - 2017/04/05 09:41:33 - 2017/04/05 09:41:33 - get sftp (server) - at org.pentaho.di.job.entries.sftp.SFTPClient.login(SFTPClient.java:186) 2017/04/05 09:41:33 - 2017/04/05 09:41:33 - get sftp (server) - at org.pentaho.di.job.entries.sftp.JobEntrySFTP.execute(JobEntrySFTP.java:621)
I’ve attached a kettle transformation ( test_aes_key_length.ktr ) which has a little bit of Java code that writes the current max AES key length to log. Â Running it on my machine (with a base 6.1 GA release install and Java 1.8.0_121) gives me the following output:
2017/04/10 19:29:10 - Write to log.0 - 2017/04/10 19:29:10 - Write to log.0 - ------------> Linenr 1------------------------------ 2017/04/10 19:29:10 - Write to log.0 - MaxKeyLength for encryption is... 2017/04/10 19:29:10 - Write to log.0 - 2017/04/10 19:29:10 - Write to log.0 - maxkeylength = 128 2017/04/10 19:29:10 - Write to log.0 - 2017/04/10 19:29:10 - Write to log.0 - ====================
showing that the maximum allowed key length is (as expected) 128 bits.
To fix this we’ll need to get a hold of the JCE Unlimited Strength Jurisdiction Policy Files which is an Oracle extension to Java to allow unlimited strength cryptography (http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html for Java 8, but that might change. Just search to get the current link).  Instructions to install the Policy Files can be found at this Computer Associates page https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.tec1698523.html
As Pentaho ships with the jsch-0.1.46 jar by default, we should take the opportunity to update this by downloading the file from here (look for the Download section half way down the page) .  To install this, find your install folder for Spoon and in the ‘lib’ folder, find the existing jsch-0.1.46.jar file and rename it to jsch-0.1.46.jar.old.  Copy the .jar file you just downloaded into the lib file to replace it.  Now restart Spoon and re-run the test_aes_key_length.ktr transformation and you (should) get the following:
2017/04/10 20:26:35 – Write to log.0 – ————> Linenr 1——————————
2017/04/10 20:26:35 – Write to log.0 – MaxKeyLength for encryption is…
2017/04/10 20:26:35 – Write to log.0 –
2017/04/10 20:26:35 – Write to log.0 – maxkeylength = 2147483647
2017/04/10 20:26:35 – Write to log.0 –
2017/04/10 20:26:35 – Write to log.0 – ====================
The max key length has been extended to handle up to 2 Gb length keys. Â Not quite ‘Unlimited’ but near enough for practical purposes.
Download the ktr here:
Zachary Zeus
Zachary Zeus is the Founder of BizCubed. He has more than 20 years' engineering experience and a solid background in providing large financial services with data capability. He maintains a passion for providing engineering solutions to real world problems, lending his considerable experience to enabling people to make better data driven decisions.