SFTP Server Connector

Version 22.0.8209

Each SFTP Server Connector defines a unique client profile that can be used to authenticate to the CData Arc SFTP Server.

Overview

The Arc SFTP Server is primarily configured in the application’s Profile page. Once the SFTP Server is configured, an SFTP Server Connector should be created for each user that should have access to the server. The SFTP Server Connector defines a user’s credentials (Username, Password and/or Public Key) and provides a unique home directory on the server.

Each user’s home directory contains a ‘Send’ folder, where clients can download files, and a ‘Receive’ folder, where clients can upload files. These folders can be renamed in the Advanced section of the SFTP Server Connector configuration panel. SFTP clients are not given permissions to the root of the SFTP Server, meaning that SFTP clients should always cd into the ‘Send’ (to download) or ‘Receive’ (to upload) directories after connecting.

The SFTP Server also supports Windows/AD authentication; more details can be found in the Windows Authentication section.

Profile Configuration

The SFTP Server Profile must be configured before connections can be established with individual SFTP Server connectors. Open the SFTP Server tab on the Profiles page.

Server Configuration

Server implementation settings.

  • Port The port on which the SFTP Server will listen for incoming connections.
  • Server Certificate The certificate that identifies the server.
  • Certificate Password The password required to access the Server Certificate.
  • Login Banner The banner to be presented to SFTP clients when connecting to the server.
  • Root Directory The root directory for the server. Subfolders will be created within the root for individual client profiles (i.e. for each configured SFTP Server connector). Each client profile includes a Send Folder, where clients can download files from the server, and a Receive Folder, where clients can upload files to the server.
  • Allowed Files Filter A glob pattern that determines which files will be accepted by the SFTP server. Multiple patterns can be specified in a comma-delimited list (e.g. *.x12,*.edi), and negative patterns can be specified to exclude certain file patterns (e.g. -*.txt).

Lockouts

  • Failed Attempts The number of unsuccessful login attempts that are allowed before a user is locked out.
  • Lockout Period The length of time (in minutes) that a user is locked out.
  • Time Check Period The length of time (in minutes) to keep records of failed login attempts.
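The three Lockouts settings interact: only failures inside the Time Check Period are counted, and reaching Failed Attempts locks the user out for the Lockout Period. The following is an added illustration of that interaction in Python, not code from CData Arc; the class and method names are assumptions, and it takes time as plain seconds so it can be exercised without a clock.

```python
from collections import defaultdict, deque

class LockoutPolicy:
    """Tracks failed logins per user with the three profile settings above.
    Times are plain seconds so the logic can be exercised without a clock."""

    def __init__(self, failed_attempts=5, lockout_period_min=30, time_check_period_min=10):
        self.failed_attempts = failed_attempts
        self.lockout_period = lockout_period_min * 60
        self.time_check_period = time_check_period_min * 60
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures
        self._locked_until = {}               # user -> time the lockout expires

    def is_locked(self, user, now):
        """True while the user's lockout is in force; expired lockouts are cleared."""
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def record_failure(self, user, now):
        """Record a failed login; return True if this failure triggers a lockout.
        Failures older than Time Check Period are forgotten before counting."""
        recent = self._failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.time_check_period:
            recent.popleft()
        if len(recent) >= self.failed_attempts:
            self._locked_until[user] = now + self.lockout_period
            return True
        return False

    def record_success(self, user):
        """Assumption: a successful login resets the user's failure history."""
        self._failures.pop(user, None)
```

Three quick failures lock the user, while the same three failures spread wider than the Time Check Period do not.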

Trusted IP Addresses

This section defines the IP addresses that are allowed to make connections. The following functions are available:

  • Add Opens a modal to enter a new IP address range.
  • Edit Opens a modal to modify the selected IP address range.
  • Delete Deletes the selected IP address range from the list.

The following restrictions apply to this feature:

  • localhost cannot be modified or removed from the list.
  • Any IP addresses outside of the defined ranges will be rejected.
  • Ranges are supported. For example, the entry 100.10.100.1-15 indicates that IP addresses between 100.10.100.1 and 100.10.100.15 are allowed.
  • CIDR notation is supported. For example, the entry 100.10.100.0/24 indicates that IP addresses between 100.10.100.0 and 100.10.100.255 are allowed.
  • Wildcard patterns are supported. For example, the entry 100.10.100.* indicates that IP addresses beginning with 100.10.100 are allowed.
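To show how the three notations (range, CIDR, wildcard) and the fixed localhost entry combine into an allow-list check, here is an added Python example; it is not CData Arc's code, the entry list is constructed, and accepting a full address after the '-' in a range is an assumption beyond the documented last-octet form.

```python
import ipaddress
import re

# Constructed sample Trusted IP Addresses list. "localhost" is always present
# in the product UI and cannot be removed, so it is added unconditionally below.
TRUSTED_ENTRIES = ["100.10.100.1-15", "192.168.5.0/24", "10.0.0.*"]

def _entry_matches(entry: str, addr) -> bool:
    """Return True if addr falls inside a single trusted-list entry."""
    entry = entry.strip()
    if entry == "localhost":
        return addr.is_loopback
    if "/" in entry:
        # CIDR notation, e.g. 100.10.100.0/24 (strict=False tolerates host bits set)
        return addr in ipaddress.ip_network(entry, strict=False)
    if "*" in entry:
        # Wildcard pattern, e.g. 100.10.100.*: each * stands for one octet
        pattern = re.escape(entry).replace(r"\*", r"\d{1,3}")
        return re.fullmatch(pattern, str(addr)) is not None
    if "-" in entry:
        # Range, e.g. 100.10.100.1-15: the part after '-' is a last-octet bound.
        # Assumption: a full address after '-' (a.b.c.d-e.f.g.h) is also accepted.
        first, last = entry.split("-", 1)
        start = ipaddress.ip_address(first)
        end_text = last if "." in last else first.rsplit(".", 1)[0] + "." + last
        end = ipaddress.ip_address(end_text)
        return addr.version == start.version and start <= addr <= end
    return addr == ipaddress.ip_address(entry)        # single address

def is_allowed(client_ip: str, entries=TRUSTED_ENTRIES) -> bool:
    """Apply the trusted-list rule: anything outside the defined entries is rejected."""
    addr = ipaddress.ip_address(client_ip)
    return any(_entry_matches(e, addr) for e in ["localhost", *entries])
```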

Advanced Settings

  • Inactivity Timeout The length of time (in seconds) that must pass without activity for a user to time out.

Logging

Settings related to server logging.

  • Log Level The verbosity of logs generated by the connection. When requesting support, it is recommended to set this value to Debug.
  • Log Rotate Interval The number of days that the server should use a log file before a new file is started.
  • Log Delete Interval The number of days that the server should retain a log file before deleting it.

Miscellaneous

Settings for specific use cases.

  • Other Settings Allows configuration of hidden connector settings in a semicolon-separated list, like setting1=value1;setting2=value2. Normal connector use cases and functionality should not require use of these settings.

Connector Configuration

After the SFTP Server Profile has been configured, SFTP Server connectors can be created in the Flows page and configured for a specific trading partner.

Settings Tab

Configuration

  • Connector Id The static name of the connector. All connector-specific files are held in a folder by the same name within the Data Directory.
  • Connector Description An optional field to provide free-form description of the connector and its role in the flow.

User Configuration

Credentials for authenticating to the local SFTP server.

  • User The username credential for logging in to the local SFTP server.
  • Authentication Mode The type of authentication to use with the SFTP server.
  • Password The password credential for logging in to the SFTP server.
  • Client Certificate The public key certificate corresponding to the private key the client will use during public key authentication.

Permissions

Settings related to the read/write permissions the configured client has for the Send and Receive folders.

  • Send Directory Permissions Toggles read/write permissions for the Send directory. This directory is where files are downloaded.
  • Receive Directory Permissions Toggles read/write permissions for the Receive directory. This directory is where files are uploaded.

Advanced Tab

Local Folders

Settings related to the folders where clients will upload and download files.

  • Input Folder (Send) Files placed in the Send folder are available to be downloaded by clients.
  • Output Folder (Receive) Files uploaded by the client should be placed in the Receive folder. Files will remain in the Receive folder or be passed along to the next connected connector in the flow.

Additional Paths

The SFTP Server Connector allows for paths other than the Input and Output Folders to be exposed to SFTP Clients. To configure additional paths, follow these steps:

  1. Use the Path field to specify the additional path that should be exposed. Path values are relative to the Root Directory defined in the profile.
  2. Set the permissions for the additional path using the Read and Write checkboxes.
  3. If more paths are needed, click New and repeat these steps for each path.

For example, if Root Directory is set to /var/opt/arc/sftpserver, and an additional path of MyAdditionalPath is added, then it would map to the /var/opt/arc/sftpserver/MyAdditionalPath path on disk.

Advanced Settings

Settings not included in the previous categories.

  • Allowed Files Filter A glob pattern that determines what files can be uploaded to directories for this user. Overrides the setting of the same name in the SFTP Profile page when specifying filters per-user is required. Multiple patterns can be specified in a comma-delimited list (e.g. *.x12,*.edi), and negative patterns can be specified to exclude certain file patterns (e.g. -*.txt).
  • Move File After Send Specifies whether files in the Send folder should be moved to the Sent folder after they are downloaded by the client.
  • Temp Receive Extensions Files with a matching extension are not recorded in the Receive table and do not fire the After Receive event until after they are renamed. Specified as a comma-delimited list of extensions.
  • Timeout The duration the server will wait for a connection response before throwing a timeout error.
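The Allowed Files Filter semantics described above and on the Profile page (comma-delimited globs, a leading '-' for exclusions, per-connector override of the profile value) are illustrated by this added Python example; it is not CData Arc's code, and two assumptions are marked in the comments: an empty filter accepts everything, and matching is case-sensitive.

```python
import fnmatch

def parse_filter(filter_text: str):
    """Split a comma-delimited filter such as '*.x12,*.edi,-*.txt' into
    (positive patterns, negative patterns); a leading '-' marks an exclusion."""
    positives, negatives = [], []
    for raw in filter_text.split(","):
        pattern = raw.strip()
        if not pattern:
            continue
        if pattern.startswith("-"):
            negatives.append(pattern[1:])
        else:
            positives.append(pattern)
    return positives, negatives

def effective_filter(profile_filter: str, connector_filter: str) -> str:
    """The per-connector Allowed Files Filter overrides the profile-wide one when set."""
    return connector_filter if connector_filter.strip() else profile_filter

def file_allowed(filename: str, filter_text: str) -> bool:
    """Exclusions win over inclusions. Assumptions: with no positive pattern every
    name not excluded is accepted, and fnmatchcase keeps matching case-sensitive
    on every platform (plain fnmatch would be case-insensitive on Windows)."""
    positives, negatives = parse_filter(filter_text)
    if any(fnmatch.fnmatchcase(filename, n) for n in negatives):
        return False
    if not positives:
        return True
    return any(fnmatch.fnmatchcase(filename, p) for p in positives)
```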

Message

Settings that determine how the connector will search for messages and handle them after processing.

  • Save to Sent Folder A toggle that instructs the connector to keep a copy of sent messages in the Sent folder.
  • Sent Folder Scheme Instructs the connector to group files in the Sent folder according to the selected interval. For example, the Weekly option instructs the connector to create a new subfolder each week and store all sent files for the week in that folder. The blank setting tells the connector to save all files directly in the Sent folder. For connectors that process many transactions, using subfolders can help keep files organized and improve performance.

Logging

Settings that govern the creation and storage of logs.

  • Log Level Specifies the type of information to log in the connector’s Logs directory:
    None — Does not create any logs.
    Error — Creates logs only when the connector encounters an error.
    Warning — Creates logs only when the connector issues a warning.
    Info — Logs general information about the workflow, including any errors and warnings (if applicable).
    Debug — Logs detailed debugging information for both successful and failed workflows.
    Trace — Logs detailed trace information for both successful and failed workflows.
  • Log Subfolder Scheme Instructs the connector to group files in the Logs folder according to the selected interval. For example, the Weekly option instructs the connector to create a new subfolder each week and store all logs for the week in that folder. The blank setting tells the connector to save all logs directly in the Logs folder. For connectors that process many transactions, using subfolders can help keep logs organized and improve performance.
  • Log Messages A toggle that instructs the connector to save a copy of the most recent message in the Logs directory. Note that the connector only keeps one message per subfolder, and the connector overrides the previously-saved message when it runs again.

Miscellaneous

Settings for specific use cases.

  • Other Settings Allows configuration of hidden connector settings in a semicolon-separated list, like setting1=value1;setting2=value2. Normal connector use cases and functionality should not require use of these settings.

Establishing a Connection

Each configured SFTP Server connector represents a single trading partner’s connection parameters. The trading partner should connect to the SFTP server using the server settings from the Profile page (port, server certificate, etc.) and the authentication settings in the dedicated SFTP Server connector (User, Password).

Each trading partner has a separate pair of Send and Receive directories that are subfolders of the root. The partner should download files from the Send folder and upload files to the Receive folder. The client is not permitted to upload or download files from the root.

Windows Authentication

When Windows Authentication is enabled in the SFTP Server Profile tab, individual SFTP Server connectors are not required to grant login access to the SFTP Server. Instead, the Windows Security Group that should be granted access to the server is specified within the SFTP Server profile.

When using Windows Authentication, the Root Directory profile setting supports the %User% and %Domain% macros to establish separate root directories for separate users within the security group. When using Windows Authentication, users are permitted to upload/download files in the root directory (note that this is not true when using SFTP Server connectors for authentication).

Once files are uploaded to the user-specific folder, they can be entered into the Arc flow using file operations within a Script connector, or by setting the Send/Input Folder for a connector to the user-specific folder where files will be uploaded.

Common Errors

ERROR:

“Could not bind server socket: Permission denied.”

Cause

This error can appear when attempting to connect to an SFTP server and the process hosting Arc does not have sufficient privileges to establish a listener on the specified port. Note that in some cases (such as Linux environments and hosted instances running in an Amazon AMI), ports below 1024 cannot be bound without elevated privileges.

Resolution

Choose a different port or change the identity of the process hosting Arc to one with permission to bind to the port. When using the hosted instance of ArcESB in an Amazon AMI, it is recommended that you bind to a port above the restricted range (for example, 8022 for SFTP traffic) and use iptables to redirect incoming requests on the desired port to the allowed port:

iptables -t nat -I PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 8022