
Configure the SFTP Transport Connector

The SFTP transport connector makes it possible to send and receive files to and from IFS Cloud using the SSH2 File Transfer Protocol, commonly referred to as SFTP or "Secure FTP" (not to be confused with FTPS, which is FTP over TLS). SFTP provides secure file transfers by using strong network encryption, server authentication (through a "known hosts" file) and user authentication (by password or identity file).

The SFTP Reader fetches files of any format from an IN directory and passes them on for processing. The SFTP Sender can put files in different XML formats or plain text into an OUT directory.

The SFTP Reader and SFTP Sender are powered by JSch, an open source (BSD licensed) pure Java library.

In the steps below for creating the known hosts and identity files, ifs-fnd-connect.jar and jsch.jar are required. You can download ifs-fnd-connect.jar from here and jsch.jar from here.

Setting up SFTP authentication files

Creating a known hosts file

SFTP requires a "known hosts" file. The "known hosts" file contains the public host key of the SSH2 server, and its purpose is to ensure that another machine cannot impersonate the real server (e.g. in a man-in-the-middle attack).

The known hosts file may already have been created by an SSH2 client and can be reused by the SFTP Reader. If the known hosts file does not exist, or is in an incompatible file format, a new known hosts file can be created with the following command:

java -cp \ifs-fnd-connect.jar;\jsch-0.1.53.jar ifs.fnd.connect.ftp.SftpClient -CreateKnownHosts=KNOWNHOSTS -hostname=SFTPHOST -username=USERNAME -password=PASSWORD

(replace '\' with '/' and ';' with ':' on Linux).

Setting      Description
KNOWNHOSTS   The full path name of the known hosts file.
SFTPHOST     Fully qualified host name of the SFTP server.
USERNAME     User account name.
PASSWORD     User password.

Example: To create the file C:\ifs\knownhosts for the server sftp.example.com, logging on with the user account sftp and password h4rd_pPpasZzw0oRd, with ifs-fnd-connect.jar and jsch-0.1.53.jar downloaded into C:\ifs\jars, issue the following command:

java -cp C:\ifs\jars\ifs-fnd-connect.jar;C:\ifs\jars\jsch-0.1.53.jar ifs.fnd.connect.ftp.SftpClient -CreateKnownHosts=C:\ifs\knownhosts -hostname=sftp.example.com -username=sftp -password=h4rd_pPpasZzw0oRd

Important! Specify a fully qualified domain name (FQDN) for the hostname, i.e. sftp.example.com rather than a short hostname like sftp or an IP address like 10.1.2.3. This is not strictly necessary, but it generally reduces the need for maintenance and reconfiguration. The hostname in the known hosts file should also match the connection settings of the connector, since the recorded key is looked up by that name. Note that the command records whatever host key the server presents at that moment (trust on first use): confirm the fingerprint of the recorded key with the SFTP server's administrator before uploading the file, because a key captured while a man-in-the-middle attack was in progress would pin the attacker's key instead of the server's.

The username and password are not stored in the known hosts file; they are needed in this step because of JSch internals. A password given on the command line can end up in the shell history and is visible to other users in the process list while the command runs, so clear the history afterwards.

Creating an identity file

This is an optional step you may ignore if it does not apply to your environment.

Some SFTP servers do not authenticate users with passwords but with public key cryptography instead. The user then creates an "identity file" containing the private key needed to authenticate against the SFTP server. A second file, the public key file, is created at the same time. The public key file has to be uploaded to and installed in the SFTP server's user repository (for an OpenSSH server, the user's authorized_keys file) to enable key based user authentication.

The identity file may already have been created by an SSH2 client and can be reused by the SFTP Reader. If the identity file does not exist, or is in an incompatible file format, a new identity file can be created with the following command:

java -cp \ifs-fnd-connect.jar;\jsch-0.1.53.jar ifs.fnd.connect.ftp.SftpClient -CreateIdFile=IDFILE -keytype=KEYTYPE -comment=COMMENT -passphrase=PASSPHRASE  -keysize=KEYSIZE

(replace '\' with '/' and ';' with ':' on Linux).

Setting      Description
IDFILE       The full path name of the (private) identity file. The public key is stored in a second file with the same name suffixed with ".pub".
KEYTYPE      Key algorithm to use. Valid values are dsa and rsa. Prefer rsa unless the server requires dsa: 1024-bit DSA (ssh-dss) is considered weak, and OpenSSH servers have refused it by default since OpenSSH 7.0.
COMMENT      A descriptive comment to add to the identity file. Anything goes.
PASSPHRASE   A passphrase used to encrypt the identity file, for additional protection. Without it, anyone who obtains the file can log in as the user.
KEYSIZE      The bit-length of the generated key pair. Use at least 2048 for rsa.

Example: To create the file C:\ifs\identity with keytype dsa, comment IFSConnect, passphrase veRy:c0mpl3X_pq$sw0rT and keysize 1024, with ifs-fnd-connect.jar and jsch-0.1.53.jar downloaded into C:\ifs\jars, issue the following command:

java -cp C:\ifs\jars\ifs-fnd-connect.jar;C:\ifs\jars\jsch-0.1.53.jar ifs.fnd.connect.ftp.SftpClient -CreateIdFile=C:\ifs\identity -keytype=dsa -comment=IFSConnect -passphrase=veRy:c0mpl3X_pq$sw0rT -keysize=1024

As with the known hosts command, the passphrase appears on the command line, so clear the shell history afterwards. Keep the identity file readable only by the account that uploads it to the connector; the private key together with the passphrase is all that is needed to log in as the SFTP user.

Common parameters for SFTP Sender and SFTP Reader

The following parameters are common for both SFTP Sender and SFTP Reader configuration.

Server connection settings

Server connection settings tell the connector which server to connect to:

  • HOST
    The hostname of the host which runs the SFTP service. It is recommended to specify a fully qualified domain name (FQDN), e.g. sftp.example.com
  • PORT
    Port number the SFTP service use. Default port is 22.

Important! Specify a fully qualified domain name (FQDN) for HOST, i.e. sftp.example.com rather than a short hostname like sftp or an IP address like 10.1.2.3. This is not strictly necessary, but it generally reduces the need for maintenance and reconfiguration. The hostname in the known hosts file should also match these connection settings.

Server authentication settings

Server authentication settings enable the SFTP transport connector to detect spoofing attacks (malicious servers attempting to impersonate the SFTP server). The connector compares the public key presented by the server with the one previously recorded in the known hosts file, and the connection is rejected if they do not match.

  • KNOWNHOSTS_FILE
    File containing the known (authorized) server public keys. It has to be uploaded using the 'Upload KnowHost File' command button.

Consult Setting up SFTP authentication files regarding how to create the known hosts file.
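The two places where the known hosts file matters, creating it with -CreateKnownHosts and uploading it as KNOWNHOSTS_FILE, both depend on the recorded host name matching the HOST/PORT settings and on the recorded key being the genuine one. The following script is an added example, not part of the IFS documentation or of the connector, that checks both points before the file is uploaded. It assumes the file is in the OpenSSH known_hosts format that JSch reads and writes (one entry per line, "host[,host...] keytype base64-blob", with a host written either as a plain name, as "[name]:port" for a non-default port, or hashed as "|1|salt|hmac"); wildcard host patterns are not handled. The sample key blob and salt are constructed for the example and do not belong to any real server, and the function names are the example's own.

```python
"""Check a JSch-created known hosts file before uploading it to the connector.

Added example (not IFS or connector code). Assumes the OpenSSH known_hosts
format: "host[,host...] keytype base64-blob" per line, hosts as plain names,
"[name]:port" for non-default ports, or hashed "|1|salt|hmac" entries.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


@dataclass
class KnownHostEntry:
    hosts: list[str]
    key_type: str
    key_blob: bytes

    def fingerprint(self) -> str:
        """Same presentation as `ssh-keygen -lf`: SHA256 over the wire-format
        public key, base64 without padding."""
        return "SHA256:" + _b64(hashlib.sha256(self.key_blob).digest()).rstrip("=")


def parse_known_hosts(text: str) -> list[KnownHostEntry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].startswith("@"):          # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) < 3:
            raise ValueError(f"malformed known hosts line: {line!r}")
        hosts, key_type, blob = parts[0].split(","), parts[1], base64.b64decode(parts[2])
        # The blob starts with its own type string; it must agree with the type field.
        n = int.from_bytes(blob[:4], "big")
        if blob[4:4 + n] != key_type.encode("ascii"):
            raise ValueError(f"key type mismatch in line: {line!r}")
        entries.append(KnownHostEntry(hosts, key_type, blob))
    return entries


def _connection_name(host: str, port: int) -> str:
    """The exact string an OpenSSH-format file uses for this host/port pair."""
    return host if port == 22 else f"[{host}]:{port}"


def host_matches(entry: KnownHostEntry, host: str, port: int) -> bool:
    """True if the entry names host:port exactly as the connector's HOST/PORT
    settings are written; a short name does not match an FQDN entry."""
    name = _connection_name(host, port)
    for h in entry.hosts:
        if h.startswith("|1|"):               # hashed host: HMAC-SHA1(salt, name)
            _, _, salt_b64, mac_b64 = h.split("|")
            mac = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(mac, base64.b64decode(mac_b64)):
                return True
        elif h == name:
            return True
    return False


def check_known_hosts(text: str, host: str, port: int, expected_fingerprint: str) -> bool:
    """Accept the file only if an entry covers host:port AND its key fingerprint
    equals the one obtained from the server administrator out of band."""
    return any(host_matches(e, host, port) and e.fingerprint() == expected_fingerprint
               for e in parse_known_hosts(text))


# Constructed sample data: a fake ed25519 key blob and a fixed salt, not from any real server.
FAKE_KEY_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
FAKE_SALT = bytes(20)


def _hashed_host(name: str, salt: bytes) -> str:
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return f"|1|{_b64(salt)}|{_b64(mac)}"


SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real known hosts file",
    f"sftp.example.com ssh-ed25519 {_b64(FAKE_KEY_BLOB)}",
    f"[sftp.example.com]:2222 ssh-ed25519 {_b64(FAKE_KEY_BLOB)}",
    f"{_hashed_host('sftp.example.com', FAKE_SALT)} ssh-ed25519 {_b64(FAKE_KEY_BLOB)}",
])

if __name__ == "__main__":
    for entry in parse_known_hosts(SAMPLE_KNOWN_HOSTS):
        print(entry.hosts[0], entry.key_type, entry.fingerprint())
    # In real use the expected value comes from the server administrator, not from the file.
    published = parse_known_hosts(SAMPLE_KNOWN_HOSTS)[0].fingerprint()
    print("sftp.example.com:22 ok:", check_known_hosts(SAMPLE_KNOWN_HOSTS, "sftp.example.com", 22, published))
    print("sftp:22 ok:", check_known_hosts(SAMPLE_KNOWN_HOSTS, "sftp", 22, published))
```

Run it against the real file by reading C:\ifs\knownhosts into `text`, passing the HOST and PORT values you will configure on the connector, and the fingerprint the server administrator published; a short hostname in HOST fails against an FQDN entry, which is the mismatch the Important! note above warns about.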

User authentication settings

User authentication settings are how the SFTP transport connector identifies itself when connecting to the SFTP server. Typically USERAUTH_METHOD is set to Password authentication and a username/password pair is used to authenticate. Optionally, public key authentication can be used by providing an identity file.

  • USERAUTH_METHOD
    Either Password authentication or Identity file authentication.
    Leave it at Password authentication unless you are using an identity file.
    If you are not sure what you are using, you are probably using
    Password authentication.
  • USER
    User account name used for login on to the SFTP server.
  • PASSWORD
    The password of the user account.
  • PRVKEY_FILE
    Identity file for public key based authentication. The file has to be uploaded using 'Upload Private Key File' command button.
    This should be ignored unless you are using an identity file.
  • PASS_PHRASE
    The passphrase which unlocks the encrypted identity file.
    This should be ignored unless you are using an identity file.

To utilize Identity file based authentication, please consult Setting up SFTP authentication files.

Remote directory or path names on a SFTP server

Directory path names on an SFTP server are always specified in SFTP syntax, which is similar to UNIX path names. This is true for all standard-compliant SFTP servers, even those hosted on Windows.

Syntax    Root directory     Current directory    Path separator
SFTP      /                  .                    /
UNIX      /                  .                    /
Windows   A:\, C:\ etc.      .                    \

Examples of SFTP syntax:

  • /tmp indicates directory tmp in the file structure's root directory.
  • /ifs/tmp indicates directory tmp under the ifs directory.
  • ./tmp indicates directory tmp under the current directory. The SFTP transport connectors never change the current directory, so it always refers to the directory the SFTP server selects at login, e.g. the logged-on user's home directory.

SFTP Sender specific parameters

The SFTP Sender connector uploads files from IFS Connect to an SFTP server. The filename to be uploaded is configured in the SFTP Sender address.

Common settings

Most SFTP parameters exist in both SFTP Reader and SFTP Sender. Please refer to "Common parameters for SFTP Sender and SFTP Reader" regarding how to setup connection and authentication settings.

Directory settings

The directory settings control where temporary files are written.

  • TEMP_DIRECTORY
    If no temporary directory is set, the file is uploaded directly to the location specified in the Routing Address and carries the suffix .part until it has been completely transferred.
    Setting a temporary directory helps prevent race conditions: recipients polling the destination directory do not see the file until the whole file has been uploaded. The file is first uploaded to the temporary directory on the SFTP server and, once the upload has completed, moved from there to the location specified in the Routing Address. Put the temporary directory on the same filesystem as the destination so that the move is a single rename rather than a second copy.
    Refer to Remote directory or path names on a SFTP server for help with specifying directory name.

Additional parameters are specified on Routing Address for Destination Type Sftp.

SFTP Reader specific parameters

The SFTP Reader is a connector for reading files from an SFTP file server.

Common settings

Most SFTP parameters exist in both SFTP Reader and SFTP Sender. Please refer to "Common parameters for SFTP Sender and SFTP Reader" regarding how to setup connection and authentication settings.

Directory settings

  • IN_DIRECTORY
    The directory this SFTP Reader reads input files from, e.g. ./in.
    Refer to Remote directory or path names on a SFTP server for help with specifying directory name. See also file based reader considerations.
  • ARCHIVE_DIRECTORY
    Directory to move files read from IN_DIRECTORY to when they have been processed. If empty, the files are deleted instead.
    Refer to Remote directory or path names on a SFTP server for help with specifying directory name.
  • IGNORE_IF_NOT_FOUND
    If ticked, a read retry of a file that no longer exists is ignored. This can happen when the file has been removed or changed after it was listed but before it was read. See also file based reader considerations. If un-ticked, an attempt to read a file that does not exist fails and leaves the corresponding entry in the Connect Reader Queue with status Read Failed.

How to create new instances of the SFTP Connector

It is possible to create new instances of the SFTP Reader transport connector provided that they scan different directories, or use in-file filters whose file names do not overlap.