Securely Connect Axway Secure Transport to Azure Blob Storage

The Azure Blob Connector enhances Axway Secure Transport (ST) by enabling seamless file exchange with your existing Azure Storage account, leveraging its robust Blob service. Deployed as a Transfer Site plugin within your ST environment, this connector introduces a dedicated “Azure Blob Storage” protocol. This new protocol becomes readily available in the Add New Transfer Site page, streamlining the setup process for user accounts.

For a broader understanding of Transfer Site configuration within SecureTransport, please refer to the “Manage accounts: Transfer sites” section in the SecureTransport Administration Guide. The SecureTransport 5.5 Administrator Guide and the SecureTransport 5.4 Administrator Guide cover it in detail.

Prerequisites for Azure Blob Connector

Before proceeding with the integration, ensure the following prerequisites are in place:

  • Microsoft Azure Account: You need an active Azure subscription to access Azure services.
  • Azure Resource Group and Storage Account Access: Verify you have the necessary permissions to access your Azure Resource Group and Storage account where Blob service is enabled.

Downloading the Azure Blob Storage Connector

The installation package for the Azure Blob Storage Connector for SecureTransport is readily available for download from the AMPLIFY Repository.

Installation Guide

Follow these steps to install the Azure Blob Storage Connector for SecureTransport across all SecureTransport Server nodes within your environment:

  1. Remove Previous Versions (If Applicable): If you have a prior version of the connector installed, delete the following files and folders to ensure a clean installation. Note: Your existing configurations within ST will be preserved during this process.

    • <filedrivehome>/plugins/transferSites/axway-site-azure-blob.jar
    • <filedrivehome>/plugins/transferSites/axway-site-azure-blob
  2. Extract the Connector Package: Extract the contents of the downloaded securetransport-plugins-site-azureblob-<plugin_version>.zip archive into the <filedrivehome>/plugins/transferSites directory on each SecureTransport Server node.

  3. Restart SecureTransport Services: After extracting the plugin, restart all SecureTransport services on every node to activate the newly installed connector.

Connecting with Identity Service Principal Authentication

Service Principal authentication is a secure and recommended method for connecting Axway Secure Transport to Azure Blob Storage. It leverages Azure Active Directory to grant granular access permissions.

  1. Access Azure Portal: Log in to the Azure portal at https://portal.azure.com using your work, school, or personal Microsoft account.

  2. Register an Application: Navigate to the App Registrations page within the Azure portal and create a new application. Detailed instructions for creating an application registration can be found in the Microsoft Azure documentation: Create a service principal in Azure Active Directory.

  3. Collect Application Registration Details: Once the application is registered, gather the following credentials, which are essential for establishing a connection from Secure Transport:

    • Application (client) ID
    • Directory (tenant) ID
    • Client Credentials: Choose either a Secret or a client Certificate for authentication.
  4. Grant Storage Account Access: Go to Storage Accounts in the Azure portal and select the specific storage account you intend to access with Secure Transport.

  5. Assign Access Role (IAM): Navigate to the Access Control (IAM) page for your storage account. Grant the newly created App Registration an appropriate access role. For typical file transfer operations, the Storage Blob Data Contributor role provides sufficient privileges.

Assigning Storage Blob Data Contributor role to App Registration in Azure IAM for Axway Secure Transport Azure Blob Connector.

Creating a Transfer Site with Service Principal in Secure Transport

  1. Create a New Transfer Site: Within Secure Transport, under the desired User Account, initiate the creation of a new Transfer Site.

  2. Select Azure Blob Storage Protocol: From the Transfer Protocol dropdown menu, choose Azure Blob Storage.

  3. Choose Service Principal Connection Type: Select Service Principal as the Connection Type.

  4. Enter Azure Blob Container Details: Provide the necessary details to connect to your Azure Blob Container, using either Client Secret or Certificate based authentication.

    • Client Secret Configuration:

Configuring Azure Blob Storage Transfer Site in Axway Secure Transport with Service Principal and Client Secret.

    • Certificate Configuration:

Configuring Azure Blob Storage Transfer Site in Axway Secure Transport with Service Principal and Certificate Authentication.

Connecting with Connection String Authentication

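Connection String authentication offers a simpler approach for connecting to Azure Blob Storage, especially for testing or non-production environments. The connection string contains a storage account access key, which gives full access to the data in that account, so treat it as a secret.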

Obtaining a Connection String

  1. Access Azure Portal: Log in to the Azure portal at https://portal.azure.com using your Azure account credentials.

  2. Navigate to Storage Account: Go to Storage Accounts and open the storage account you wish to connect to Secure Transport.

  3. Retrieve Connection String: Under Settings, select Access keys. Click on “Show keys” to reveal the connection strings. Copy one of the provided Connection strings.

Azure Storage Account Access Keys page showing Connection String for Axway Secure Transport integration.

Creating a Transfer Site with Connection String in Secure Transport

  1. Create a New Transfer Site: In Secure Transport, create a new Transfer Site under a User Account.

  2. Select Azure Blob Storage Protocol: Choose Azure Blob Storage from the Transfer Protocol dropdown.

  3. Choose Connection String Type: Select Connection String as the Connection Type. Paste the copied Connection String into the designated field.

  4. Verify Auto-population: Upon providing a valid Connection String, Secure Transport should automatically extract and populate the Account Name, Account Key (masked for security), and Endpoint Suffix fields.

  5. Enter Azure Blob Container Details: Specify the remaining details for your Azure Blob Container.

Creating Azure Blob Storage Transfer Site in Axway Secure Transport using Connection String Authentication.

  6. Configure Download/Upload Settings: Customize the download and upload settings according to your requirements, similar to configuring a standard Transfer Site. You can also configure any necessary PTA (Pre-Transfer Agent) settings.

Download and Upload settings for Azure Blob Storage Transfer Site in Axway Secure Transport.

Note: If the Download Folder field is left empty, the connector will default to the root directory of the specified container.
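A pre-check for the connection string before it is pasted into the Transfer Site form, given here as an added example (not Axway or Microsoft code). It extracts the same Account Name, Account Key and Endpoint Suffix fields, masks the key for display, and catches a truncated paste; the account name and the all-zero key are constructed placeholders.

```python
import base64
import binascii

SECRET_FIELDS = {"AccountKey", "SharedAccessSignature"}

def parse_connection_string(conn):
    """Split 'Name=Value;' pairs on the first '=' only: base64 keys end in '=' padding."""
    fields = {}
    for segment in filter(None, (s.strip() for s in conn.split(";"))):
        name, sep, value = segment.partition("=")
        if not sep or not value:
            raise ValueError(f"malformed segment {name!r}")
        fields[name] = value
    return fields

def review_connection_string(conn):
    """Return (masked fields safe to display, findings) for a storage connection string."""
    fields = parse_connection_string(conn)
    findings = [f"missing {n}" for n in ("AccountName", "AccountKey") if n not in fields]
    if fields.get("DefaultEndpointsProtocol", "").lower() != "https":
        findings.append("DefaultEndpointsProtocol is not https")
    if "AccountKey" in fields:
        try:
            raw = base64.b64decode(fields["AccountKey"], validate=True)
        except binascii.Error:
            findings.append("AccountKey is not valid base64 (truncated paste?)")
        else:
            if len(raw) != 64:  # storage account keys are 512 bits
                findings.append(f"AccountKey decodes to {len(raw)} bytes, expected 64")
    masked = {n: "****" if n in SECRET_FIELDS else v for n, v in fields.items()}
    return masked, findings

# Constructed sample: placeholder account name and an all-zero 64-byte key.
SAMPLE_KEY = base64.b64encode(bytes(64)).decode()
SAMPLE = ("DefaultEndpointsProtocol=https;AccountName=examplestacct;"
          f"AccountKey={SAMPLE_KEY};EndpointSuffix=core.windows.net")

if __name__ == "__main__":
    print(review_connection_string(SAMPLE))
```

Only the masked dictionary should be copied into tickets or screenshots; the raw string stays in the secret store.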

Connecting with Shared Access Signature (SAS) Authentication

Shared Access Signatures (SAS) provide time-limited and restricted access to Azure Storage resources. Axway Secure Transport supports various SAS types, including Account-level, Service-level, User-delegation, Container-level, and Blob-level SAS. Container and Blob level SAS are detailed below for focused use cases.

  1. Access Azure Portal: Log in to the Azure portal (https://portal.azure.com).

Generating a Container-level SAS

  1. Navigate to Storage Account: Go to Storage Accounts and select the storage account you need to access.

  2. Access Shared Access Signature Settings: Under Settings, select Shared Access Signature.

  3. Select Allowed Resource Types: Choose Container in the Allowed resource types section. Define the necessary permissions and set the Start and Expiry dates for the SAS token.

Generating Container Level Shared Access Signature (SAS) in Azure for Axway Secure Transport.

  4. Generate SAS URL: Click on “Generate SAS and connection string” and copy the Blob service SAS URL.

Azure Blob Service SAS URL copied for use in Axway Secure Transport.

Generating a Blob-level SAS

  1. Navigate to Storage Explorer: Go to Storage Accounts, and select Storage Explorer (preview).

  2. Select Target Blob: Right-click on the specific blob you need to access.

  3. Get Shared Access Signature: Choose Get Shared Access Signature. Configure the required permissions and the Start and Expiry dates.

Generating Blob Level Shared Access Signature (SAS) in Azure Storage Explorer for Axway Secure Transport.

  4. Create and Copy URI: Click Create and copy the generated URI.

Blob Level SAS URI copied from Azure Storage Explorer for Axway Secure Transport configuration.

Generating SAS with Access Policy

  1. Navigate to Containers: Go to Storage Accounts, then under Blob Service, select Containers. Right-click on the container for which you want to create an Access Policy.

  2. Access Policy Settings: Select Access Policy. In the Access Policy window, click Add policy and create a new access policy with desired permissions and expiry.

Creating Access Policy for Azure Blob Container in Azure portal.

  3. Generate SAS (using Access Policy): Repeat steps for generating a Blob-level SAS as described above, leveraging the newly created Access Policy for consistent SAS token generation.

Generating Blob Level Shared Access Signature (SAS) in Azure Storage Explorer for Axway Secure Transport.

Creating a Transfer Site with SAS in Secure Transport

  1. Create a New Transfer Site: Within Secure Transport, create a new Transfer Site under a User Account.

  2. Select Azure Blob Storage Protocol: Choose Azure Blob Storage as the Transfer Protocol.

  3. Select Shared Access Signature Type: Select Shared Access Signature for the Connection Type. Paste the copied SAS URI into the SAS URI field.

  4. Verify Auto-population: A valid SAS URI will enable Secure Transport to automatically extract and populate fields such as Storage Resource URI, SAS Parameters, SAS Signature (masked), Azure Blob Container, and Upload/Download Folder, if these are included in the SAS.

Configuring Azure Blob Storage Transfer Site in Axway Secure Transport with Shared Access Signature (SAS).

  5. Configure Download/Upload Settings: Adjust download and upload settings as needed, similar to other Transfer Site configurations, including any necessary PTA settings.

Download and Upload settings for Azure Blob Storage Transfer Site in Axway Secure Transport.

Note: If Upload and Download Folder paths are present within the SAS URI, they will be automatically extracted and populated. If these fields remain empty, the root directory of the container will be used.
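A review step for a SAS URI before it goes into the SAS URI field, given here as an added example (not Axway or Microsoft code). It splits the URI into the resource URI, container, path and parameters that the form auto-populates, then flags scope, protocol, lifetime and permission problems. The 7-day lifetime limit, the needed-permission set and both sample URIs are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(days=7)  # assumed local policy, not an Azure or Axway default
NEEDED_PERMS = set("rwlc")        # assumed need of a push/pull site: read, write, list, create

def split_sas_uri(uri):
    """Split a SAS URI into resource URI, container, path and parameters, minus the signature."""
    u = urlsplit(uri)
    params = {k: v[0] for k, v in parse_qs(u.query, keep_blank_values=True).items()}
    params.pop("sig", None)  # never keep or log the signature itself
    container, _, path = u.path.lstrip("/").partition("/")
    return {"scheme": u.scheme, "resource_uri": f"{u.scheme}://{u.netloc}{u.path}",
            "container": container or None, "path": path or None, "params": params}

def parse_utc(value):
    """Parse the ISO 8601 forms used by st/se; 'Z' and date-only values are taken as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def audit_sas(uri, now):
    """Return findings for one SAS URI; an empty list means nothing was flagged."""
    info = split_sas_uri(uri)
    p, findings = info["params"], []
    if info["scheme"] != "https" or p.get("spr") != "https":
        findings.append("HTTP allowed: set spr=https")
    if "srt" in p:
        findings.append("account SAS (srt present): not scoped to one container")
    if "si" not in p:  # with si, expiry and permissions may come from the stored access policy
        if "se" not in p:
            findings.append("no expiry (se)")
        elif parse_utc(p["se"]) <= now:
            findings.append("expired")
        elif parse_utc(p["se"]) - now > MAX_LIFETIME:
            findings.append("lifetime exceeds assumed maximum")
        extra = "".join(sorted(set(p.get("sp", "")) - NEEDED_PERMS))
        if extra:
            findings.append(f"permissions beyond assumed need: {extra}")
    return findings

# Constructed sample URIs: account, container, policy name and signature are placeholders.
BROAD = ("https://examplestacct.blob.core.windows.net/?sv=2022-11-02&ss=b&srt=c"
         "&sp=rwdlac&se=2031-01-01T00:00:00Z&spr=https,http&sig=CONSTRUCTED")
SCOPED = ("https://examplestacct.blob.core.windows.net/inbound/partner-a?sv=2022-11-02"
          "&sr=c&si=st-pull-policy&spr=https&sig=CONSTRUCTED")

if __name__ == "__main__":
    print([audit_sas(u, datetime.now(timezone.utc)) for u in (BROAD, SCOPED)])
```

A SAS tied to a stored access policy (si) can be revoked by changing or deleting the policy, which is why the second sample produces no findings here even though its expiry is not visible in the URI.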

Testing the Azure Blob Storage Setup

After configuring the Azure Blob Connector and a Transfer Site, it’s crucial to test the setup to ensure seamless file transfers between Axway Secure Transport and Azure Blob Storage.

Server Initiated Pull from Azure Blob Storage by ST

  1. Create a Subscription: Create a Subscription within Secure Transport for a Basic Application (BA).

  2. Configure Automatic File Retrieval: In the “For Files Received from this Account or its Partners” section of the Subscription, select “Automatically retrieve files from” and choose your newly created Azure Blob Storage Transfer Site from the dropdown list.

  3. Schedule or Retrieve Files Now: Set a retrieval schedule or, alternatively, use the “Retrieve Files Now” button after saving the Subscription. Important: You must save the Subscription first and then re-open it to enable the “Retrieve Files Now” button.

  4. (Optional) Configure File Sending: In the “For Files Sent to this Account or its Partners” section, you can optionally select “Send Files Directly To” and choose a different Transfer Site (local or remote) where the files should be sent after being pulled from Azure Blob Storage.

  5. Save the Subscription.

Configuring Axway Secure Transport Subscription for Server Initiated Pull from Azure Blob Storage.

  6. Place a Test File in Azure: Upload a test file to your Azure Storage account, placing it in the folder specified under “Download Settings” of your Azure Blob Storage Transfer Site configuration in Secure Transport.

  7. Initiate Retrieval: Wait for the scheduled retrieval to trigger or manually use the “Retrieve Files Now” button in the Subscription.

  8. Verify Transfer Success: Navigate to Operations → File Tracking → Show Advanced Search in Secure Transport. Filter the results by “Protocol: azure-blob”. Confirm that the transfer operation succeeded, indicated by a green check mark in the Transfer Status icon.

Server Initiated Push from ST to Azure Blob Storage

  1. Create Another Subscription: Create a new Subscription for a Basic Application (BA).

  2. Configure Direct File Sending: In the “For Files Sent to this Account or its Partners” section, select “Send Files Directly To” and choose your Azure Blob Storage Transfer Site.

Configuring Axway Secure Transport Subscription for Server Initiated Push to Azure Blob Storage.

  3. Upload a Test File: Log in to Secure Transport using the user account associated with the Subscription. Upload a test file to the Subscription Folder. Wait for a few seconds to allow the transfer to initiate.

  4. Verify Transfer Success in ST: Go to Operations → File Tracking → Show Advanced Search and filter by “Protocol: azure-blob”. Ensure the transfer status shows a green check mark, indicating successful file push.

  5. Verify File in Azure Storage: Access your Azure Storage account and navigate to the folder defined under “Upload Settings” of your Azure Blob Storage Site in Secure Transport. The test file should be present in the designated Azure Blob Storage location.

Troubleshooting and Important Notes

For enhanced debugging, you can enable extended debug logging. Edit the <filedrivehome>/conf/tm-log4j.xml configuration file. Locate the com.axway.st.plugins.site logger element and change its level value to DEBUG.

If you encounter issues with Azure transfers, the following troubleshooting steps can help diagnose the problem. Always begin by verifying that your Azure configuration and Download/Upload parameters in Secure Transport are correctly configured and up-to-date.

  • Examine File Tracking: Go to Operations → File Tracking → Show Advanced Search in Secure Transport and filter by “Protocol: azure-blob”.
  • Inspect Error Details: If a transfer failed (indicated by a red X icon), click on the red X Transfer Status icon. Expand the window and capture a screenshot of the complete content. This screenshot can be valuable if you need to open a support ticket with Axway Support.
  • Review Server Logs: Click on the SessionID link associated with the failed transfer. This will redirect you to the Server Log page, filtered to show logs related to the specific transfer session.
  • Analyze Error Messages: Carefully examine the event messages in the Server Log for detailed error information and the root cause of the failure. Click on the timestamp link next to any message that seems relevant to the error. Expand the window to view the full error message and stack trace, which often provides crucial details.

For a comprehensive list of known issues and limitations, please refer to the “Known Issues and Limitations” section within the README.md file included in the Azure Blob Storage Connector archive.
