SFTP Server Connector

Version 24.1.8910


SFTP Server Connector


Each SFTP Server connector defines a unique client profile that can be used to authenticate to the CData Arc SFTP Server.

Overview

The Arc SFTP Server connector is primarily configured on the Profiles page. Then, individual SFTP Server connectors can be created for each trading partner who should have access to the server. The SFTP Server connector defines a trading partner’s credentials (username, password and/or public key) and provides a unique home directory on the server.

Each user’s home directory contains a Send folder, where clients can download files, and a Receive folder, where clients can upload files. You can rename these folders on the Advanced tab. SFTP clients are not given permissions to the root of the SFTP server, which means that SFTP clients should always cd into the Send or Receive directories after connecting.

The SFTP Server also supports Windows/AD authentication. See Windows Authentication for details.

Video Resources

Watch this short video for an overview of how to configure an SFTP Server.

Profile Configuration

The SFTP Server profile must be configured before connections can be established with individual SFTP Server connectors. Click Profiles on the top menu bar, then click the SFTP Server tab.

Server Configuration

Server implementation settings.

  • Port The port on which the SFTP server listens for incoming connections.
  • Server Certificate The certificate that identifies the server.
  • Certificate Password The password required to access the server certificate.
  • Login Banner The banner presented to SFTP clients when they connect to the server.
  • Root Directory The root directory for the server. Subfolders are created in the root for individual client profiles (for each configured SFTP Server connector). Each client profile includes a Send folder, where clients can download files from the server, and a Receive folder, where clients can upload files to the server.
  • Allowed Files Filter A glob pattern that determines which files are accepted by the SFTP server. You can use negative patterns to indicate files that should not be downloaded (for example, -*.tmp). Separate multiple file types by commas (for example, *.x12,*.edi).
  • Windows Authentication Check this to use Windows Authentication to authenticate users instead of the SFTP Server connector configurations. Only available in the .NET edition of Arc. See Windows Authentication for more information.
  • Security Group The name of the Windows group used for granting access to the server. This can be a group on the local machine or on the domain. Only applicable when Use Windows Authentication is checked.

Lockouts

Optional settings related to locking server access.

  • Failed Attempts The number of unsuccessful login attempts allowed before the user is locked out.
  • Lockout Period The length of time (in minutes) that the user is locked out.
  • Time Check Period The length of time (in minutes) that records are kept of failed login attempts.

Trusted IP Addresses

次の機能は、信頼されたIP アドレスセクションで利用可能です。  

  • 追加 新しいIP アドレスの範囲を入力するためのモーダルを開きます。
  • 編集 選択されたIP アドレスの範囲を編集するためのモーダルを開きます。
  • 削除 選択されたIP アドレスの範囲をリストから削除します。

この機能には次の制約が適用されます。

  • localhost を編集したり、リストから削除することはできません。
  • 定義された範囲外のIP アドレスは拒否されます。
  • 範囲指定に対応しています。例えば、エントリ100.10.100.1-15 は、100.10.100.1 から100.10.100.15 までのIP アドレスが許可されることを示します。
  • Classless Inter-Domain Routing (CIDR) 表記に対応しています。例えば、エントリ100.10.100.0/24 は、100.10.100.0 から100.10.100.255 までのIP アドレスが許可されることを示します。
  • ワイルドカードのパターンに対応しています。例えば、エントリ100.10.100.* は、100.10.100 で始まるIP アドレスが許可されることを示します。

Advanced Settings

  • Inactivity Timeout The length of time (in seconds) that must pass without activity for a user to time out.

Logging

Settings that govern the creation and storage of logs.

  • Log Level The verbosity of logs generated by the connector. When you request support, set this to Debug.
  • Log Rotate Interval The number of days to wait before creating a new log file.
  • Log Delete Interval The number of days to wait before deleting old log files.

Miscellaneous

Miscellaneous settings are for specific use cases.

  • Other Settings Enables you to configure hidden connector settings in a semicolon-separated list (for example, setting1=value1;setting2=value2). Normal connector use cases and functionality should not require the use of these settings.

Connector Configuration

Once you configure the SFTP Server profile settings, create and configure an individual SFTP Server connector for each trading partner on the Flows page..

Settings Tab

Configuration

  • コネクタId コネクタの静的な一意の識別子。
  • コネクタの種類 コネクタ名とその機能の説明が表示されます。
  • コネクタの説明 コネクタとフローにおけるロールについて自由形式の説明を記載するオプションのフィールド。

User Configuration

Credentials for authenticating to the local SFTP server.

  • User The username credential for logging in to the local SFTP server.
  • Authentication Mode The type of authentication to use with the SFTP server. The following fields vary based on your authentication mode.
  • Password The password credential for logging in to the SFTP server.
  • Client Certificate The public key certificate corresponding to the private certificate the client uses when you choose Public Key authentication.

Permissions

Settings related to the read/write permissions for the Send and Receive folders.

  • Send Directory Permissions Use the checkboxes to set read/write permissions for the Send directory. This is where files are downloaded.
  • Receive Directory Permissions Use the checkboxes to set read/write permissions for the Receive directory. This is where files are uploaded.

アラートタブ

アラートとサービスレベル(SLA)の設定に関連する設定。

コネクタのE メール設定

サービスレベル(SLA)を実行する前に、通知用のE メールアラートを設定する必要があります。アラートを設定をクリックすると、新しいブラウザウィンドウで設定ページが開き、システム全体のアラートを設定することができます。詳しくは、アラートを参照してください。

サービスレベル(SLA)の設定

サービスレベルでは、フロー内のコネクタが送受信すると予想される処理量を設定し、その量が満たされると予想される時間枠を設定できます。CData Arc は、サービスレベルが満たされていない場合にユーザーに警告するE メールを送信し、SLA を At Risk(危険) としてマークします。これは、サービスレベルがすぐに満たされない場合に Violated(違反) としてマークされることを意味します。これにより、ユーザーはサービスレベルが満たされていない理由を特定し、適切な措置を講じることができます。At Risk の期間内にサービスレベルが満たされなかった場合、SLA はViolated としてマークされ、ユーザーに再度通知されます。

サービスレベルを定義するには、予想処理量の条件を追加をクリックします。

  • コネクタに個別の送信アクションと受信アクションがある場合は、ラジオボタンを使用してSLA に関連する方向を指定します。
  • 検知基準(最小)を、処理が予想されるトランザクションの最小値(量)に設定し、フィールドを使用して期間を指定します。
  • デフォルトでは、SLA は毎日有効です。これを変更するには、毎日のチェックをOFF にし、希望する曜日のチェックをON にします。
  • 期間終了前にステータスを’At Risk’ に設定するタイミングを使用して、SLA がAt Risk としてマークされるようにします。
  • デフォルトでは、通知はSLA が違反のステータスになるまで送信されません。これを変更するには、‘At Risk’ 通知を送信のチェックをON にします。

次の例は、月曜日から金曜日まで毎日1000ファイルを受信すると予想されるコネクタに対して構成されたSLA を示しています。1000ファイルが受信されていない場合、期間終了の1時間前にAt Risk 通知が送信されます。

Advanced Tab

Local Folders

Settings related to the folders where clients upload and download files. Rename the default folders here.

  • Input Folder (Send) Files placed in the Send folder are available to be downloaded by clients.
  • Output Folder (Receive) Files uploaded by the client should be placed in the Receive folder. Files remain in the Receive folder or are passed along to the next connector in the flow.

Additional Paths

The SFTP Server connector allows you to expose paths in addition to the Input and Output folders. To configure additional paths, follow these steps:

  1. Use the Path field to specify the additional path that should be exposed. Path values are relative to the Root Directory defined on the Profiles page.
  2. Set the permissions for the additional path using the Read and Write checkboxes.
  3. If more paths are needed, click New and repeat these steps for each path.

For example, if Root Directory is set to /var/opt/arc/sftpserver, and an additional path of MyAdditionalPath is added, it maps to the /var/opt/arc/sftpserver/MyAdditionalPath path on disk.

Advanced Settings

Settings not included in the previous categories.

  • Allowed Files Filter A glob pattern that determines which files are accepted by the SFTP server. You can use negative patterns to indicate files that should not be downloaded (for example, -*.tmp). Separate multiple file types by commas (for example, *.x12,*.edi). Overrides the Allowed Files Filter option on the Server Configuration portion of the Profiles page.
  • Move File After Send Specifies whether files in the Send folder should be moved to the Sent folder after they are downloaded by the client.
  • Temp Receive Extensions Files with a matching extension are not recorded in the Receive table and do not fire the After Receive event until after they are renamed. Supply a comma-delimited list of extensions.
  • Timeout The length of time (in seconds) the server waits for a connection response before throwing a timeout error.
  • Save Subfolder Check this to have a Subfolder header added to received messages. It represents the path relative to the local folders or additional paths.

Message

Message settings determine how the connector searches for messages and manages them after processing. You can save messages to your Sent folder or you can group them based on a Sent folder scheme, as described below.

  • Sent フォルダに保存 チェックすると、コネクタで処理されたファイルをコネクタのSent フォルダにコピーします。
  • Sent Folder Scheme Instructs the connector to group files in the Sent folder according to the selected interval. For example, the Weekly option instructs the connector to create a new subfolder each week and store all sent files for the week in that folder. The blank setting instructs the connector to save all files directly in the Sent folder. For connectors that process many transactions, using subfolders can help keep files organized and improve performance.

Logging

Settings that govern the creation and storage of logs.

  • Log Level The verbosity of logs generated by the connector. When you request support, set this to Debug.
  • Log Subfolder Scheme Instructs the connector to group files in the Logs folder according to the selected interval. For example, the Weekly option instructs the connector to create a new subfolder each week and store all logs for the week in that folder. The blank setting tells the connector to save all logs directly in the Logs folder. For connectors that process many transactions, using subfolders helps keep logs organized and improves performance.
  • Log Messages Check this to have the log entry for a processed file include a copy of the file itself. If you disable this, you might not be able to download a copy of the file from the Input or Output tabs.

Miscellaneous

Miscellaneous settings are for specific use cases.

  • Other Settings Enables you to configure hidden connector settings in a semicolon-separated list (for example, setting1=value1;setting2=value2). Normal connector use cases and functionality should not require the use of these settings.

Establishing a Connection

Each SFTP Server connector represents a single trading partner’s connection parameters. The trading partner should connect to the SFTP server using the server settings from the Profiles page (port, server certificate, and so on) and the authentication settings in the dedicated SFTP Server connector (user and password).

Each trading partner has a pair of Send and Receive directories that are subfolders of the root. The partner downloads files from the Send folder and uploads files to the Receive folder. The client is not permitted to upload or download files from the root.

Windows Authentication

When Windows Authentication is enabled on the Server Configuration portion of the Profiles tab, individual SFTP Server connectors are not required to grant login access to the SFTP Server. Instead, you need to specify the name of the Windows Security Group that should be granted access to the server.

When Windows Authentication is enabled, the Root Directory profile setting supports the %User% and %Domain% macros to establish separate root directories for separate users in the security group. Therefore, when Windows Authentication is enabled, users are permitted to upload/download files in the root directory (this is not true when you use SFTP Server connectors for authentication).

Once files are uploaded to the user-specific folder, they can be entered into the Arc flow using a File connector.

Common Errors

ERROR:

“Could not bind server socket: Permission denied.”

Cause

This error can appear when attempting to connect to an SFTP server and the process hosting Arc does not have sufficient privileges to establish a listener on the specified port. Note that in some cases (such as Linux environments and hosted instances running in an Amazon AMI), ports below 1024 are forbidden from access.

Resolution

Choose a different port, or change the identity of the process hosting Arc to one with permissions to bind to the port. When using the hosted instance of Arc in an Amazon AMI, CData recommends that you bind to a port above the restricted range (for example, 8022 for SFTP traffic) and use iptables to route incoming requests on the desired port to the allowed port:

iptables -t nat -I PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 8022