Public Keys
Public Keys are cryptographic credentials used to enable secure, authenticated SFTP connections in UDMG. They are used in two distinct contexts:
- When a partner connects to UDMG via SFTP, they authenticate using their SSH key pair. In this case, the partner shares their public key with the UDMG Admins in advance; the Admins store it in the partner's Account, and UDMG uses it to validate the partner's connections (Use Case 1).
- When UDMG initiates an SFTP connection to an external server, it must verify the server's identity. This requires storing the public host key of the external (remote) SFTP server in UDMG (Use Case 2).
UDMG supports several key types and verifies that each key is well-formed when saved. While these keys are stored securely, their values are not masked in the UDMG Admin UI. This is intentional: an SSH public key is not a secret and can be shared freely. What does matter is its integrity, since a substituted host key or account key would let the wrong party pass verification, so confirm a key's fingerprint with your partner through a separate channel before saving it.
Use Cases
| # | Use Case | Referenced By | Purpose |
|---|---|---|---|
| 1 | Account Authentication | Account → Local SFTP Server Endpoint | Allows a remote Account to authenticate to UDMG. Multiple authentication methods are supported, with key-only authentication used for automated or scripted transfers. This is referred to as passwordless. |
| 2 | External SFTP Server Identity Verification | Remote SFTP Server Endpoint | Verifies the identity of the remote host (external SFTP server) to UDMG when UDMG acts as the SFTP client. |
Account Authentication
When an Account connects to a Local SFTP Server Endpoint, it must provide a Public Key if the Endpoint's Authentication Method is configured as Public Key, Password or Public Key, or Password and Public Key.
Implementation
- An SSH key pair is generated outside of UDMG (e.g., by your business partner) and the public key from that pair is shared with your organization.
- A new Credential (with Type: Public Key) is added on the Credentials page with the public key from Step 1.
- A new Account is created on the Accounts page, and the Public Key Credential created in Step 2 is selected in the Account's Credentials field.
- The Local SFTP Server Endpoint to which the Account is associated (through its Account Group and Pipeline assignment) has its Authentication Method set to Public Key, Password or Public Key, or Password and Public Key.
- UDMG references and uses the public key when a partner attempts to authenticate over SFTP.
- An Account can have multiple Public Keys assigned.
- In the above example, a new Credential and Account were created, but this process also applies to modifying existing Configuration Items.
External SFTP Server Identity Verification
When UDMG acts as an SFTP client connecting to a remote SFTP server, it must verify the identity of the remote host before establishing a secure connection. This is achieved by comparing the host key sent by the remote SFTP server during the SSH handshake with the Public Key stored in the corresponding Remote SFTP Server Endpoint.
This identity verification step is distinct from authentication. If the remote server also requires UDMG to authenticate using a key, you must add a Username and Key or Username, Password, and Key Credential to the Pipeline.
Implementation
- The external SFTP server's Host Key pair is generated outside of UDMG by whoever operates that server (e.g., your business partner), and its public key is shared with your organization. Confirm the key's fingerprint with the partner through a separate channel before saving it.
- A new Credential (with Type: Public Key) is added on the Credentials page with the public key from Step 1.
- The Public Key is associated with the Remote SFTP Server Endpoint on the Endpoints page using the Credentials Name (Host Key) field.
- When UDMG connects to the external SFTP server, the server presents its Host Key during the SSH handshake; UDMG compares it with the key stored in the Endpoint, which verifies the identity of the external SFTP server.
- UDMG connects to the external SFTP server using the connection details stored in the Remote SFTP Server Endpoint and associated Pipeline.
Only one Public Key can be assigned per Remote SFTP Server Endpoint.
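The comparison described above, as an added example that is not UDMG's own code: it decodes a stored Public Key line of the kind entered in the Credential's Key field, extracts the key type embedded in the binary blob, and compares the blob against the host key the server presents in the handshake. The ed25519 sample key, the `Verdict` names and the function names are constructed for this illustration; inside UDMG the check happens in the SSH layer, and this only shows the logic.

```python
"""Host Key pinning check of the kind a Remote SFTP Server Endpoint performs.

Added illustration, not UDMG code. The sample key below is constructed for the
example and is not a real server's host key.
"""
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    MATCH = "host key matches the stored Public Key"
    TYPE_MISMATCH = "server presented a different key type than the stored Public Key"
    KEY_MISMATCH = "host key differs from the stored Public Key: possible MITM or unannounced key rotation"


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (RFC 4251: uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def key_type_of(blob: bytes) -> str:
    """Return the key type embedded as the first SSH string of a public key blob."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if 4 + n > len(blob):
        raise ValueError("truncated key type")
    return blob[4:4 + n].decode("ascii")


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of the SHA-256 digest of the blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


@dataclass(frozen=True)
class StoredHostKey:
    """The Public Key Credential the Endpoint references through its Credentials Name (Host Key) field."""
    key_type: str
    blob: bytes

    @classmethod
    def from_openssh_line(cls, line: str) -> "StoredHostKey":
        # Key field contents: "<key type> <base64 blob> [comment]". The comment plays no part in verification.
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            raise ValueError("expected '<key type> <base64> [comment]'")
        try:
            blob = base64.b64decode(parts[1], validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError
            raise ValueError("Key field is not valid base64") from exc
        if key_type_of(blob) != parts[0]:
            raise ValueError("key type prefix does not match the encoded key")
        return cls(parts[0], blob)


def verify_host_key(stored: StoredHostKey, presented_blob: bytes) -> Verdict:
    """Compare the host key presented in the SSH handshake with the pinned key."""
    if key_type_of(presented_blob) != stored.key_type:
        return Verdict.TYPE_MISMATCH
    # Constant-time comparison of the raw wire blobs; nothing else identifies the server.
    if hmac.compare_digest(stored.blob, presented_blob):
        return Verdict.MATCH
    return Verdict.KEY_MISMATCH


# Constructed sample: an ed25519 public key blob whose 32 "key" bytes are just 0..31.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
STORED_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " sftp.partner.example (constructed)"
STORED = StoredHostKey.from_openssh_line(STORED_LINE)


def demo() -> dict:
    """Run the check against the genuine key, a tampered key, and a key of another type."""
    tampered = bytearray(SAMPLE_BLOB)
    tampered[-1] ^= 0x01  # one bit flipped in the key material
    other_type = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00\xff" * 8)
    return {
        "genuine": verify_host_key(STORED, SAMPLE_BLOB),
        "tampered": verify_host_key(STORED, bytes(tampered)),
        "other_type": verify_host_key(STORED, other_type),
        "fingerprint": sha256_fingerprint(SAMPLE_BLOB),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result.value if isinstance(result, Verdict) else result}")
```

Because a Remote SFTP Server Endpoint holds exactly one Public Key, a planned host key rotation on the partner's side shows up as `KEY_MISMATCH` until the referenced Credential is updated with the new key; an unannounced mismatch should be treated as a possible man-in-the-middle, not as something to accept and continue.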
Adding a Public Key
To add a Public Key Credential, follow these steps:
- From the Sidebar, click Configuration > Credentials.
- Click Add Credential.
- Select Public Key as the Credential Type.
- Enter an identifying Name and Description, and optionally Valid From and Valid To dates.
- Enter or paste in the Public Key obtained from your partner (or from your organization, if applicable).
- Click Add.
A key must be saved successfully before other Configuration Items can reference it. UDMG validates the key's format when saving, but not its usage: it does not check, for example, that the key is actually the one the partner or remote server will present.
Field Descriptions
The following table lists all fields that can be completed when adding (or editing) a Public Key:
| Name | Description | Specifications | Required |
|---|---|---|---|
| Type | Type of Credential. Select: Public Key. | Cannot be modified after creation. | Yes |
| Name | The name of the Public Key. | | Yes |
| Description | The description of the Public Key. | | No |
| Valid From | Date when the Credential becomes valid. | Cannot be later than Valid To date. | No |
| Valid To | Date when the Credential becomes invalid. Note: UDMG does not use or check the dates provided; they are only meant to help Users keep track of expiration dates. | Cannot be earlier than Valid From date. | No |
| Key | Raw cryptographic data of the Public Key. Key metadata is parsed automatically. | | Yes |
Editing a Public Key
To edit a Public Key, follow these steps:
- From the Sidebar, select Configuration > Credentials.
- Click the Name of the Public Key you want to edit.
- Click the Edit button above the details to edit the specific fields.
- Edit details for the Public Key, using the Field Descriptions table as a guide.
- Click Update.
Managing a Public Key
Viewing Public Key Details
To view the details of a Public Key, follow these steps:
- From the Sidebar, click Configuration > Credentials.
- Click the Name of the Public Key you want to view.
Public Key Metadata
Public Key details include all parameters given in the Field Descriptions table above, plus the following read-only metadata:
| Name | Description |
|---|---|
| UUID | Universally Unique Identifier of this Public Key. |
| Enabled | Enabled status of the Credential. True if enabled. |
| Version | Version number of the latest configuration of the Credential, including changes to the Enabled status. |
| Created | Date and time this Public Key was created. |
| Updated | Date and time this Public Key was last updated. |
| Algorithm | The cryptographic family of the key (RSA, DSA, or ECC), read from the key data. |
| Bits | The key length in bits (the RSA or DSA modulus size, or the curve size for ECC), the primary factor in the key's strength. |
| Comments | Optional comment associated with the key (typically the trailing comment of the key line), for identification or documentation. |
| Fingerprint (MD5) | Legacy MD5 fingerprint of the key, shown for compatibility with older tooling. |
| Fingerprint (SHA256) | SHA-256 fingerprint of the key, the format current OpenSSH prints; use this when confirming a key with your partner out of band. |
| Authorized Keys | The key in OpenSSH authorized_keys (one-line) format, ready to be copied into an SSH server's authorized_keys file. |
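To make concrete what the format validation mentioned under Adding a Public Key and the metadata rows above involve, here is an added example, not UDMG's own parser, that reads an OpenSSH one-line public key, checks that it decodes completely and consistently, and derives Algorithm, Bits, Comments, both fingerprints and the authorized_keys form. It assumes the Key field takes the OpenSSH one-line format; the sample keys are constructed (the RSA modulus is an arbitrary 2048-bit odd number, not a real key), and the labelling of ECDSA and ed25519 keys as ECC is an assumption about how UDMG groups them.

```python
"""Parse an OpenSSH public key line and derive the metadata UDMG displays for it.
Added example, not UDMG's parser. Sample keys are constructed, not real keys."""
import base64
import hashlib
import struct

CURVE_BITS = {"nistp256": 256, "nistp384": 384, "nistp521": 521}  # ECDSA curve -> key size


def _read_string(blob, offset):
    """Read one SSH wire 'string' (uint32 length + bytes, RFC 4251) at offset."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + n
    if end > len(blob):
        raise ValueError("truncated string")
    return blob[offset + 4:end], end


def _read_mpint(blob, offset):
    """Read an SSH 'mpint' (big-endian two's complement integer) at offset."""
    raw, end = _read_string(blob, offset)
    return int.from_bytes(raw, "big", signed=True), end


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    # Minimal big-endian encoding, with a leading 0x00 when the top bit is set.
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_openssh_line(key_type, blob, comment=""):
    """Assemble the one-line form that goes into the Credential's Key field."""
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def parse_public_key(line):
    """Validate the format; return Algorithm, Bits, Comments, fingerprints and authorized_keys form."""
    parts = line.strip().split(maxsplit=2)
    if len(parts) < 2:
        raise ValueError("expected '<key type> <base64> [comment]'")
    key_type, comment = parts[0], (parts[2] if len(parts) == 3 else "")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError("Key field is not valid base64") from exc
    embedded, off = _read_string(blob, 0)
    if embedded != key_type.encode("ascii", "replace"):
        raise ValueError("key type prefix does not match the encoded key")
    if key_type == "ssh-rsa":
        _e, off = _read_mpint(blob, off)
        n, off = _read_mpint(blob, off)
        algorithm, bits = "RSA", n.bit_length()
    elif key_type == "ssh-dss":
        p, off = _read_mpint(blob, off)
        for _ in range(3):  # q, g, y
            _, off = _read_mpint(blob, off)
        algorithm, bits = "DSA", p.bit_length()
    elif key_type.startswith("ecdsa-sha2-"):
        curve, off = _read_string(blob, off)
        _point, off = _read_string(blob, off)
        curve = curve.decode("ascii", "replace")
        if curve not in CURVE_BITS or key_type != "ecdsa-sha2-" + curve:
            raise ValueError("unsupported or inconsistent ECDSA curve")
        algorithm, bits = "ECC", CURVE_BITS[curve]
    elif key_type == "ssh-ed25519":
        pub, off = _read_string(blob, off)
        if len(pub) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        algorithm, bits = "ECC", 256  # assumed label: the page groups non-RSA/DSA keys as ECC
    else:
        raise ValueError(f"unsupported key type {key_type!r}")
    if off != len(blob):
        raise ValueError("trailing bytes after key data")
    md5 = hashlib.md5(blob).hexdigest()
    return {
        "algorithm": algorithm,
        "bits": bits,
        "comment": comment,
        "fingerprint_md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "fingerprint_sha256": "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
        "authorized_keys": build_openssh_line(key_type, blob, comment),
    }


def is_valid_public_key(line):
    """A format check of this kind as a boolean: True only if the line parses completely."""
    try:
        parse_public_key(line)
        return True
    except ValueError:
        return False


# Constructed samples (not real keys).
CONSTRUCTED_N = (1 << 2047) | (0xC0FFEE << 8) | 1
RSA_BLOB = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(CONSTRUCTED_N)
SAMPLE_RSA_LINE = build_openssh_line("ssh-rsa", RSA_BLOB, "partner@example (constructed)")
ED25519_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_ED25519_LINE = build_openssh_line("ssh-ed25519", ED25519_BLOB)

if __name__ == "__main__":
    for field, value in parse_public_key(SAMPLE_RSA_LINE).items():
        print(f"{field}: {value}")
```

Two properties worth noticing: both fingerprints are computed over the decoded binary blob only, so editing the trailing comment never changes them, and a line whose type prefix disagrees with the type encoded inside the blob, or whose blob is truncated or has trailing bytes, fails the format check even though it is syntactically valid base64.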
Enabling and Disabling Public Keys
Public Keys can be Enabled or Disabled to control whether they can participate in file transfers. The status defaults to Enabled and can be changed after creation.
- Enabled (default): The Public Key is active and available for use.
- Disabled: The Public Key is not active and unavailable for use.
To enable or disable a Public Key, follow these steps:
- From the Sidebar, click Configuration > Credentials.
- Click the Name of the Public Key you want to enable/disable.
- Click the Enable or Disable button above the Public Key details, depending on the current status.
Deleting a Public Key
To delete a Credential, follow these steps:
- From the Sidebar, click Configuration > Credentials.
- Click the Name of the Credential you want to delete.
- Click the Delete button above the Credential details.
- You will be asked to confirm the deletion. Click Delete.
If a Credential is currently assigned to a Configuration Item (Endpoint, Pipeline, Account) or LDAP, then it cannot be deleted. You must first remove the Credential from the specific Configuration Item(s) it is assigned to, then go back to the Credentials page to delete the Credential.