SFTP Server Connector

Version 23.4.8800


SFTP Server Connector


Each SFTP Server connector defines a unique client profile that can be used to authenticate to the CData Arc SFTP Server.

Overview

The Arc SFTP Server connector is primarily configured on the Profiles page. Then, individual SFTP Server connectors can be created for each trading partner who should have access to the server. The SFTP Server connector defines a trading partner’s credentials (username, password and/or public key) and provides a unique home directory on the server.

Each user’s home directory contains a Send folder, where clients can download files, and a Receive folder, where clients can upload files. You can rename these folders on the Advanced tab. SFTP clients are not given permissions to the root of the SFTP server, which means that SFTP clients should always cd into the Send or Receive directories after connecting.

The SFTP Server also supports Windows/AD authentication. See Windows Authentication for details.

Video Resources

Watch this short video for an overview of how to configure an SFTP Server.

Profile Configuration

The SFTP Server profile must be configured before connections can be established with individual SFTP Server connectors. Click Profiles on the top menu bar, then click the SFTP Server tab.

Server Configuration

Server implementation settings.

  • Port The port on which the SFTP server listens for incoming connections.
  • Server Certificate The certificate that identifies the server.
  • Certificate Password The password required to access the server certificate.
  • Login Banner The banner presented to SFTP clients when they connect to the server.
  • Root Directory The root directory for the server. Subfolders are created in the root for individual client profiles (for each configured SFTP Server connector). Each client profile includes a Send folder, where clients can download files from the server, and a Receive folder, where clients can upload files to the server.
  • Allowed Files Filter A glob pattern that determines which files are accepted by the SFTP server. You can use negative patterns to indicate files that should not be downloaded (for example, -*.tmp). Separate multiple file types by commas (for example, *.x12,*.edi).
  • Windows Authentication Check this to use Windows Authentication to authenticate users instead of the SFTP Server connector configurations. Only available in the .NET edition of Arc. See Windows Authentication for more information.
  • Security Group The name of the Windows group used for granting access to the server. This can be a group on the local machine or on the domain. Only applicable when Use Windows Authentication is checked.

Lockouts

Optional settings related to locking server access.

  • Failed Attempts The number of unsuccessful login attempts allowed before the user is locked out.
  • Lockout Period The length of time (in minutes) that the user is locked out.
  • Time Check Period The length of time (in minutes) that records are kept of failed login attempts.

Trusted IP Addresses

The following functions are available in the Trusted IP Addresses section:  

  • Add Opens a modal to enter a new IP address range.
  • Edit Opens a modal to modify the selected IP address range.
  • Delete Deletes the selected IP address range from the list.

The following restrictions apply to this feature:

  • localhost cannot be modified or removed from the list.
  • Any IP addresses outside of the defined ranges are rejected.
  • Ranges are supported. For example, the entry 100.10.100.1-15 indicates that IP addresses between 100.10.100.1 and 100.10.100.15 are allowed.
  • Classless inter-domain routing (CIDR) notation is supported. For example, the entry 100.10.100.0/24 indicates that IP addresses between 100.10.100.0 and 100.10.100.255 are allowed.
  • Wildcard patterns are supported. For example, the entry 100.10.100.* indicates that IP addresses beginning with 100.10.100 are allowed.

Advanced Settings

  • Inactivity Timeout The length of time (in seconds) that must pass without activity for a user to time out.

Logging

Settings that govern the creation and storage of logs.

  • Log Level The verbosity of logs generated by the connector. When you request support, set this to Debug.
  • Log Rotate Interval The number of days to wait before creating a new log file.
  • Log Delete Interval The number of days to wait before deleting old log files.

Miscellaneous

Miscellaneous settings are for specific use cases.

  • Other Settings Enables you to configure hidden connector settings in a semicolon-separated list (for example, setting1=value1;setting2=value2). Normal connector use cases and functionality should not require the use of these settings.

Connector Configuration

Once you configure the SFTP Server profile settings, create and configure an individual SFTP Server connector for each trading partner on the Flows page..

Settings Tab

Configuration

  • Connector Id The static, unique identifier for the connector.
  • Connector Type Displays the connector name and a description of what it does.
  • Connector Description An optional field to provide a free-form description of the connector and its role in the flow.

User Configuration

Credentials for authenticating to the local SFTP server.

  • User The username credential for logging in to the local SFTP server.
  • Authentication Mode The type of authentication to use with the SFTP server. The following fields vary based on your authentication mode.
  • Password The password credential for logging in to the SFTP server.
  • Client Certificate The public key certificate corresponding to the private certificate the client uses when you choose Public Key authentication.

Permissions

Settings related to the read/write permissions for the Send and Receive folders.

  • Send Directory Permissions Use the checkboxes to set read/write permissions for the Send directory. This is where files are downloaded.
  • Receive Directory Permissions Use the checkboxes to set read/write permissions for the Receive directory. This is where files are uploaded.

アラートタブ

アラートとサービスレベル(SLA)の設定に関連する設定.

コネクタのE メール設定

サービスレベル(SLA)を実行する前に、通知用のE メールアラートを設定する必要があります。アラートを設定をクリックすると、新しいブラウザウィンドウで設定ページが開き、システム全体のアラートを設定することができます。詳しくは、アラートを参照してください。

サービスレベル(SLA)の設定

サービスレベルでは、フロー内のコネクタが送受信すると予想される処理量を設定し、その量が満たされると予想される時間枠を設定できます。CData Arc は、サービスレベルが満たされていない場合にユーザーに警告するE メールを送信し、SLA を At Risk(危険) としてマークします。これは、サービスレベルがすぐに満たされない場合に Violated(違反) としてマークされることを意味します。これにより、ユーザーはサービスレベルが満たされていない理由を特定し、適切な措置を講じることができます。At Risk の期間内にサービスレベルが満たされなかった場合、SLA はViolated としてマークされ、ユーザーに再度通知されます。

サービスレベルを定義するには、予想処理量の条件を追加をクリックします。

  • コネクタに個別の送信アクションと受信アクションがある場合は、ラジオボタンを使用してSLA に関連する方向を指定します。
  • 検知基準(最小)を、処理が予想されるトランザクションの最小値(量)に設定し、フィールドを使用して期間を指定します。
  • デフォルトでは、SLA は毎日有効です。これを変更するには、毎日のチェックをOFF にし、希望する曜日のチェックをON にします。
  • 期間終了前にステータスを’At Risk’ に設定するタイミングを使用して、SLA がAt Risk としてマークされるようにします。
  • デフォルトでは、通知はSLA が違反のステータスになるまで送信されません。これを変更するには、‘At Risk’ 通知を送信のチェックをON にします。

次の例は、月曜日から金曜日まで毎日1000ファイルを受信すると予想されるコネクタに対して構成されたSLA を示しています。1000ファイルが受信されていない場合、期間終了の1時間前にAt Risk 通知が送信されます。

Advanced Tab

Local Folders

Settings related to the folders where clients upload and download files. Rename the default folders here.

  • Input Folder (Send) Files placed in the Send folder are available to be downloaded by clients.
  • Output Folder (Receive) Files uploaded by the client should be placed in the Receive folder. Files remain in the Receive folder or are passed along to the next connector in the flow.

Additional Paths

The SFTP Server connector allows you to expose paths in addition to the Input and Output folders. To configure additional paths, follow these steps:

  1. Use the Path field to specify the additional path that should be exposed. Path values are relative to the Root Directory defined on the Profiles page.
  2. Set the permissions for the additional path using the Read and Write checkboxes.
  3. If more paths are needed, click New and repeat these steps for each path.

For example, if Root Directory is set to /var/opt/arc/sftpserver, and an additional path of MyAdditionalPath is added, it maps to the /var/opt/arc/sftpserver/MyAdditionalPath path on disk.

Advanced Settings

Settings not included in the previous categories.

  • Allowed Files Filter A glob pattern that determines which files are accepted by the SFTP server. You can use negative patterns to indicate files that should not be downloaded (for example, -*.tmp). Separate multiple file types by commas (for example, *.x12,*.edi). Overrides the Allowed Files Filter option on the Server Configuration portion of the Profiles page.
  • Move File After Send Specifies whether files in the Send folder should be moved to the Sent folder after they are downloaded by the client.
  • Temp Receive Extensions Files with a matching extension are not recorded in the Receive table and do not fire the After Receive event until after they are renamed. Supply a comma-delimited list of extensions.
  • Timeout The length of time (in seconds) the server waits for a connection response before throwing a timeout error.
  • Save Subfolder Check this to have a Subfolder header added to received messages. It represents the path relative to the local folders or additional paths.

Message

Message settings determine how the connector searches for messages and manages them after processing. You can save messages to your Sent folder or you can group them based on a Sent folder scheme, as described below.

  • Save to Sent Folder A toggle that instructs the connector to keep a copy of sent messages in the Sent folder.
  • Sent Folder Scheme Instructs the connector to group files in the Sent folder according to the selected interval. For example, the Weekly option instructs the connector to create a new subfolder each week and store all sent files for the week in that folder. The blank setting instructs the connector to save all files directly in the Sent folder. For connectors that process many transactions, using subfolders can help keep files organized and improve performance.

Logging

Settings that govern the creation and storage of logs.

  • Log Level The verbosity of logs generated by the connector. When you request support, set this to Debug.
  • Log Subfolder Scheme Instructs the connector to group files in the Logs folder according to the selected interval. For example, the Weekly option instructs the connector to create a new subfolder each week and store all logs for the week in that folder. The blank setting tells the connector to save all logs directly in the Logs folder. For connectors that process many transactions, using subfolders helps keep logs organized and improves performance.
  • Log Messages Check this to have the log entry for a processed file include a copy of the file itself. If you disable this, you might not be able to download a copy of the file from the Input or Output tabs.

Miscellaneous

Miscellaneous settings are for specific use cases.

  • Other Settings Enables you to configure hidden connector settings in a semicolon-separated list (for example, setting1=value1;setting2=value2). Normal connector use cases and functionality should not require the use of these settings.

Establishing a Connection

Each SFTP Server connector represents a single trading partner’s connection parameters. The trading partner should connect to the SFTP server using the server settings from the Profiles page (port, server certificate, and so on) and the authentication settings in the dedicated SFTP Server connector (user and password).

Each trading partner has a pair of Send and Receive directories that are subfolders of the root. The partner downloads files from the Send folder and uploads files to the Receive folder. The client is not permitted to upload or download files from the root.

Windows Authentication

When Windows Authentication is enabled on the Server Configuration portion of the Profiles tab, individual SFTP Server connectors are not required to grant login access to the SFTP Server. Instead, you need to specify the name of the Windows Security Group that should be granted access to the server.

When Windows Authentication is enabled, the Root Directory profile setting supports the %User% and %Domain% macros to establish separate root directories for separate users in the security group. Therefore, when Windows Authentication is enabled, users are permitted to upload/download files in the root directory (this is not true when you use SFTP Server connectors for authentication).

Once files are uploaded to the user-specific folder, they can be entered into the Arc flow using a File connector.

Common Errors

ERROR:

“Could not bind server socket: Permission denied.”

Cause

This error can appear when attempting to connect to an SFTP server and the process hosting Arc does not have sufficient privileges to establish a listener on the specified port. Note that in some cases (such as Linux environments and hosted instances running in an Amazon AMI), ports below 1024 are forbidden from access.

Resolution

Choose a different port, or change the identity of the process hosting Arc to one with permissions to bind to the port. When using the hosted instance of Arc in an Amazon AMI, CData recommends that you bind to a port above the restricted range (for example, 8022 for SFTP traffic) and use iptables to route incoming requests on the desired port to the allowed port:

iptables -t nat -I PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 8022