Configure the SFTP Transport Connector

The SFTP transport connector makes it possible to send and receive files to and from IFS Applications by using the SSH2 File Transfer Protocol, commonly referred to as SFTP or "Secure FTP". SFTP provides secure file transfers through strong network encryption, server authentication (using a "known hosts" file) and user authentication (using a password or identity files).

The SFTP Reader gets files from an IN directory in any format and executes them. The SFTP Sender can put files in different XML formats or plain text in an OUT directory.

The SFTP Reader and SFTP Sender are powered by JSch, an open source (BSD licensed) pure Java library.

Setting up SFTP authentication files

Creating a known hosts file

SFTP requires a "known hosts" file. The "known hosts" file contains the public key of the SSH2 server, and its purpose is to ensure that a different server cannot maliciously impersonate the SSH2 server (e.g. in a man-in-the-middle attack).

The known hosts file may already have been created by an SSH2 client and may be reused by SFTP Reader. If the known hosts file does not exist, or is in an incompatible file format, a new known hosts file can be created with the following command:

java -cp <IFS_HOME>\repository\server\javaruntime\ifs-fnd-connect.jar;<IFS_HOME>\repository\server\dist\lib\jsch-0.1.54.jar ifs.fnd.connect.ftp.SftpClient -CreateKnownHosts=KNOWNHOSTS -hostname=SFTPHOST -username=USERNAME -password=PASSWORD

(replace '\' with '/' and ';' with ':' on Linux).

Setting Description
KNOWNHOSTS The full path name of the known hosts file.
SFTPHOST Fully qualified host name.
USERNAME User account name.
PASSWORD User password.

Example: To create the file C:\ifs\knownhosts containing the server sftp.example.com, for which the user account sftp with password h4rd_pPpasZzw0oRd is used to log on, issue the following command:

java -cp C:\ifs\repository\server\javaruntime\ifs-fnd-connect.jar;C:\ifs\repository\server\dist\lib\jsch-0.1.54.jar ifs.fnd.connect.ftp.SftpClient -CreateKnownHosts=C:\ifs\knownhosts -hostname=sftp.example.com -username=sftp -password=h4rd_pPpasZzw0oRd

Important! You are recommended to specify a fully qualified domain name (FQDN) when specifying the hostname. In other words, you should specify sftp.example.com. Do not use a short hostname like sftp or an IP address like 10.1.2.3. This is not strictly necessary, but generally tends to reduce the need for maintenance/reconfiguration. Also note that the hostname in the known hosts file should match the connection settings.

The username and password are not stored in the known hosts file; they must be provided in this step due to JSch internals.

Creating an identity file

This is an optional step you may ignore if it does not apply to your environment.

Some SFTP servers do not do user authentication with passwords, but with public key cryptography instead. A user then creates an "identity file" which contains the private credential needed to authenticate the user against the SFTP server. A second file, a public file, is also created when creating an identity file. The public file needs to be uploaded and installed into the SFTP server's user repository to enable identity-based user authentication.

The identity file may already have been created by an SSH2 client and may be reused by SFTP Reader. If the identity file does not exist, or is in an incompatible file format, a new identity file can be created with the following command:

java -cp <IFS_HOME>\repository\server\javaruntime\ifs-fnd-connect.jar;<IFS_HOME>\repository\server\dist\lib\jsch-0.1.54.jar ifs.fnd.connect.ftp.SftpClient -CreateIdFile=IDFILE -keytype=KEYTYPE -comment=COMMENT -passphrase=PASSPHRASE  -keysize=KEYSIZE

(replace '\' with '/' and ';' with ':' on Linux).

Setting Description
IDFILE The full path name of the (private) identity file. The public key will be stored into a second file which begins with the same name but is suffixed with ".pub".
KEYTYPE Key algorithm to use. Valid values are dsa and rsa.
COMMENT A descriptive comment to add to the identity file. Anything goes.
PASSPHRASE A passphrase/password used to encrypt the identity file, for additional protection.
KEYSIZE The bit-length of the encryption key stored in the identity file.

Example: To create the file C:\ifs\identity with keytype dsa, comment IFSConnect, and passphrase veRy:c0mpl3X_pq$sw0rT and keysize 1024, issue the following command:

java -cp C:\ifs\repository\server\javaruntime\ifs-fnd-connect.jar;C:\ifs\repository\server\dist\lib\jsch-0.1.54.jar ifs.fnd.connect.ftp.SftpClient -CreateIdFile=C:\ifs\identity -keytype=dsa -comment=IFSConnect -passphrase=veRy:c0mpl3X_pq$sw0rT -keysize=1024

Common parameters for SFTP Sender and SFTP Reader

The following parameters are common for both SFTP Sender and SFTP Reader configuration.

Server connection settings

Server connection settings are settings which give the connector information about which server to connect to:

Important! You are recommended to specify a fully qualified domain name (FQDN) when specifying the hostname. In other words, you should specify sftp.example.com. Do not use a short hostname like sftp or an IP address like 10.1.2.3. This is not strictly necessary, but generally tends to reduce the need for maintenance/reconfiguration. Also note that the hostname in the known hosts file should match the connection settings.

Server authentication settings

Server authentication settings help the SFTP transport connector to identify spoofing attacks (malicious servers attempting to impersonate the SFTP server). It works by comparing the server's public key with the one previously recorded in the known hosts file.

Consult Setting up SFTP authentication files regarding how to create the known hosts file.
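The comparison described above can be audited offline before the connector is enabled. The following is an added example (not IFS or JSch code): it parses a known hosts file, confirms that it holds an entry for exactly the hostname used in the connection settings, and returns the key's SHA256 fingerprint for comparison with one obtained from the server administrator. It assumes the file is in the OpenSSH known hosts format; the function names and the sample key are constructed for illustration.

```python
import base64, hashlib, hmac, struct

def lp(b):
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

# Constructed sample (not a real server key): ssh-rsa blob = type, e, n.
SAMPLE_BLOB = lp(b"ssh-rsa") + lp(b"\x01\x00\x01") + lp(b"\x00" + bytes(range(1, 256)))
SAMPLE_KNOWN_HOSTS = ("# constructed sample file\n"
                      "sftp.example.com ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + "\n")

def host_matches(field, hostname):
    """True if a known hosts host field names hostname exactly (plain or hashed).
    Wildcard patterns are not handled; a non-default port is written [host]:port."""
    if field.startswith("|1|"):  # hashed: |1|base64(salt)|base64(HMAC-SHA1(salt, host))
        _, _, salt, digest = field.split("|")
        mac = hmac.new(base64.b64decode(salt), hostname.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(digest))
    return hostname in field.split(",")

def fingerprint(blob):
    """SHA256 fingerprint in the form OpenSSH prints, for out-of-band comparison."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def check_known_hosts(text, hostname, expected_fp=None):
    """Return (status, fingerprints) for the hostname used in the connection settings."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue  # blank lines, comments, @cert-authority/@revoked markers
        hosts, keytype, b64 = parts[:3]
        if not host_matches(hosts, hostname):
            continue
        blob = base64.b64decode(b64)
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] != keytype.encode():
            return "corrupt-entry", found  # declared key type differs from the blob
        found.append(fingerprint(blob))
    if not found:
        return "no-entry", found
    if expected_fp is not None and expected_fp not in found:
        return "fingerprint-mismatch", found
    return "ok", found

if __name__ == "__main__":
    print(check_known_hosts(SAMPLE_KNOWN_HOSTS, "sftp.example.com"))
    print(check_known_hosts(SAMPLE_KNOWN_HOSTS, "sftp"))  # short name -> no-entry
```

A "no-entry" result for the configured hostname means the known hosts file was created with a different name (for example a short name or an IP address) than the one in the connection settings.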

User authentication settings

User authentication settings help the SFTP transport connector to identify itself when connecting to the SFTP server. Typically USERAUTH_METHOD is set to Password authentication and a username/password pair is used to authenticate. Optionally, public key identification can be provided by the use of an identity file.

To utilize Identity file based authentication, please consult Setting up SFTP authentication files.

Remote directory or path names on a SFTP server

A directory path name on an SFTP server is always specified in SFTP syntax, which is similar to UNIX path names. This is true for all standard-compliant SFTP servers, even if they are hosted on a Windows operating system.

Syntax Root directory Current directory Path separator
SFTP / . /
UNIX / . /
Windows A:\, C:\, etc. . \

Examples of SFTP syntax:

SFTP Sender specific parameters

The SFTP Sender connector uploads files from IFS Connect to an SFTP server. The filename to be uploaded is configured in the SFTP Sender address.

Common settings

Most SFTP parameters exist in both SFTP Reader and SFTP Sender. Please refer to "Common parameters for SFTP Sender and SFTP Reader" regarding how to set up connection and authentication settings.

Directory settings

The directory settings control where temporary files are to be written.

Additional parameters are specified on Routing Address for Destination Type Sftp.

SFTP Reader specific parameters

The SFTP Reader is a connector for reading files from an SFTP file server.

Common settings

Most SFTP parameters exist in both SFTP Reader and SFTP Sender. Please refer to "Common parameters for SFTP Sender and SFTP Reader" regarding how to set up connection and authentication settings.

Directory settings

How to create new instances of the SFTP Connector

It is possible to create new instances of the SFTP Reader Transport Connector, provided that they scan different directories or have in-file filters without overlapping file names.

Instructions for how to create a new connector instance.