Workday RSA Fingerprint
Workday has an SFTP component, which is an SFTP client. When connecting to SFTP Gateway v3, the expected fingerprint may not match what is received.
This article explains why this happens, and how you can troubleshoot this issue.
Caching the fingerprint
The Workday SFTP connection contains a bundle of configuration settings such as hostname, username, and credentials. You can then point scripts to this SFTP connection.
There's a Test Connection button that verifies basic connectivity. When you press this button, the fingerprint of the server host key presented during that test gets saved to the SFTP connection.
Saving (or caching) the fingerprint is necessary for scripts to run non-interactively. In other words, a script will not be able to respond to a pop-up asking whether to trust the server's fingerprint.
The problem is that the SFTP connection does not let you change the fingerprint value after it's initially set. For example, the Test Connection could cache the fingerprint of the ed25519 server host key, but your script may encounter the ssh-rsa server host key at runtime.
If the fingerprint does not match, the SFTP connection will fail.
Fixing the issue
If your SFTP connection is caching the wrong fingerprint, one approach is to force both sides to use a single host key algorithm (in this case, ssh-rsa), so that the key presented at test time and at runtime is always the same one.
1. SFTP Gateway v3
By default, SFTP Gateway v3 does not allow ssh-rsa for server host keys. So the first step is to downgrade the security level to allow it. Note that this setting applies to the whole server, so it relaxes host-key security for every client that connects, not only Workday.
See this article: Downgrade your security level to WEAK
2. Workday SFTP connection
In Workday, create a new SFTP connection. In the fingerprint section, make sure you check the box for RSA and DSS. This will force the SFTP connection to cache the ssh-rsa fingerprint.
3. Connect using the SFTP script
At this point, (1) SFTP Gateway v3 offers the ssh-rsa host key, and (2) the SFTP connection has the ssh-rsa fingerprint cached.
In Workday, connect your SFTP script to the SFTP connection. Run the script and check the logs: the expected fingerprint should now match what is received.
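To check which of the server's host keys a cached fingerprint actually belongs to before changing anything, here is an added diagnostic (example code written for this article, not part of Workday or SFTP Gateway). It computes OpenSSH-style fingerprints from `ssh-keyscan` output and reports whether the cached value matches the key type the session negotiated; the host keys and hostname below are constructed dummies, and which fingerprint format Workday displays is an assumption you should confirm against your own logs.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire string (uint32 length prefix + data)."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    """Encode a positive integer as an SSH mpint (extra 0x00 if the high bit is set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)

def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH fingerprint: SHA256 of the key blob, base64 without '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def fingerprint_md5(blob: bytes) -> str:
    """Legacy OpenSSH fingerprint: colon-separated MD5 hex of the key blob."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def match_cached_fingerprint(cached: str, keyscan_lines) -> list:
    """Return the key types ('host type base64' lines, as ssh-keyscan prints them)
    whose SHA256 or MD5 fingerprint equals the cached fingerprint."""
    matches = []
    for line in keyscan_lines:
        if not line.strip() or line.startswith("#"):
            continue  # ssh-keyscan emits '#' comment lines alongside the keys
        _host, keytype, b64 = line.split()[:3]
        blob = base64.b64decode(b64)
        if cached in (fingerprint_sha256(blob), fingerprint_md5(blob)):
            matches.append(keytype)
    return matches

def diagnose(cached: str, negotiated_keytype: str, keyscan_lines) -> str:
    """Classify the cached fingerprint against the key type the session actually used."""
    matched = match_cached_fingerprint(cached, keyscan_lines)
    if not matched:
        return "unknown: cached fingerprint matches none of the server's host keys"
    if negotiated_keytype in matched:
        return f"ok: cached fingerprint is the {negotiated_keytype} host key"
    return f"mismatch: cached {matched[0]} fingerprint, but session negotiated {negotiated_keytype}"

# Constructed sample host keys (dummy key material, not a real server's keys), just
# enough to build syntactically valid ssh-ed25519 and ssh-rsa blobs to fingerprint.
ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
RSA_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(int.from_bytes(bytes(range(1, 65)), "big"))
SAMPLE_KEYSCAN = [  # same shape as `ssh-keyscan sftpgw.example.internal` output (hostname is made up)
    "sftpgw.example.internal ssh-ed25519 " + base64.b64encode(ED25519_BLOB).decode(),
    "sftpgw.example.internal ssh-rsa " + base64.b64encode(RSA_BLOB).decode(),
]
```

Running `diagnose(<fingerprint from the Workday SFTP connection>, "ssh-rsa", lines)` against real `ssh-keyscan` output tells you whether Test Connection cached the ed25519 key while the script negotiates ssh-rsa, which is exactly the situation the steps above fix.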