HMAC algorithms supported by azure API connection

Question

HMAC algorithms supported by azure API connection

Giovanni Canarecci 20

Hello,

I have an azure API connection which returns "Server HMAC algorithm not found" for a connection to an AWS SFTP folder.

The folder follows AWS TransferSecurityPolicy-2023-05 meaning that it allows for:

"SshMacs": [
"@openssh.com",
"@openssh.com"
],

https://docs.aws.amazon.com/transfer/latest/userguide/security-policies.html#security-policy-transfer-2023-05

Does azure API connection support those algorithms? Or maybe "only" hmac-sha2-512 and hmac-sha2-256?

If those "etm" algorithms are supported, I am not sure what the issue may be.

Any help would be appreciated! :-)

Best,

Giovanni

Anonymous

2024-09-06T14:41:23.7433333+00:00

Hi Thanks for the question, how are you doing this can you share the config/xml ?
To the best of my knowledge APIM cant connect to a downstream (to the request) SFTP service as its not supported. In otherwords the backend cant be over SFTP
Also echoed here https://learn.microsoft.com/en-us/answers/questions/316062/azure-api-management-configuring-sftp-url-as-the-b
Giovanni Canarecci 20 Reputation points

2024-09-09T08:22:00.51+00:00

Hello @Anonymous , thank you very much for the reply! :-)

The issue I have is with an API connection resource, the tag is just the closest tag I could find. I attach a screenshot of the issue, this may make my question clearer. The details of the SFTP folder are those in the main question.

Any help would be appreciated!

Best,

Giovanni
Anonymous

2024-09-09T08:44:29.6+00:00

Aaahh. OK that does make it clearer. So this is a managed connector (SFTP -SSH) call from Logic Apps or PowerApps to your SFTP folder

There are some limitations around the algorithms used which are doc here https://learn.microsoft.com/en-us/connectors/sftpwithssh/#authentication-and-permissions

2 answers

Your answer

Anonymous

2024-09-06T14:41:23.7433333+00:00

Hi Thanks for the question, how are you doing this can you share the config/xml ?
To the best of my knowledge APIM cant connect to a downstream (to the request) SFTP service as its not supported. In otherwords the backend cant be over SFTP
Also echoed here https://learn.microsoft.com/en-us/answers/questions/316062/azure-api-management-configuring-sftp-url-as-the-b
Giovanni Canarecci 20 Reputation points

2024-09-09T08:22:00.51+00:00

Hello @Anonymous , thank you very much for the reply! :-)

The issue I have is with an API connection resource, the tag is just the closest tag I could find. I attach a screenshot of the issue, this may make my question clearer. The details of the SFTP folder are those in the main question.

Any help would be appreciated!

Best,

Giovanni
Anonymous

2024-09-09T08:44:29.6+00:00

Aaahh. OK that does make it clearer. So this is a managed connector (SFTP -SSH) call from Logic Apps or PowerApps to your SFTP folder

There are some limitations around the algorithms used which are doc here https://learn.microsoft.com/en-us/connectors/sftpwithssh/#authentication-and-permissions

Answer 1

Giovanni Canarecci 20

Hello @Anonymous , thank you for the link! :-)

If I read it correctly, clicking on "Encryption algorithms: Review Encryption Method - SSH.NET", the relevant information should be Message Authentication code (screenshot):
User's image

That sounds like the same algorithms are available. The SFTP folder follows AWS TransferSecurityPolicy-2023-05 meaning that it allows for:
"SshMacs": [
"@openssh.com",
"@openssh.com"
].

Could it be I am misreading something? Azure does not give any more details than that and I am otherwise able to connect to the SFTP folder using WinSCP manually. Since "******@openssh.com" is mentioned on both sides, I am not sure what the issue may be. :-D

Best,

Giovanni

Anonymous

2024-09-09T09:23:23.6733333+00:00

you are correct, it should work
I note this was fixed fairly recently in that lib (earlier this year) https://github.com/sshnet/SSH.NET/pull/1316 there is a small chance the managed connector implementation is using a prior version - although that seems unlikely

I think you may need to get this explored with our support colleagues who can triage this further and assign to the developer owners if there is a fault - are you able to do that?
Anonymous

2024-09-09T09:25:27.24+00:00

Are you using Logic App standard ? If you are,, you could try via the "built in" version of this connector (which runs in process, but only works with Logic Apps Standard) .
It will not be the exact same implementation as the managed version and it's directly owned by the Logic Apps Team

Answer 2

Hi - To close the loop here too

We have reported the issue to the Product Owners who have triaged and acknowledged the current limitation; the managed SFTP-SSH connector implementation does not yet support the HMAC algorithms called out here

They have created a task item for the backlog. But, there is no date to share for delivering a fix at this time.

The interim workaround would be to use the built-in connector equivalent but I appreciate this would require moving to Logic Apps Standard which may or may not be possible .

The other obvious workaround is to “offload” the integration step to code, to an Azure function, whereby you would have full control (should you choose to provide the integration yourself as an interim solution)

Share via

HMAC algorithms supported by azure API connection

2 answers

Your answer