SFTP Server Connector
Version 24.3.9106
Each SFTP Server connector defines a unique client profile that can be used to authenticate to the CData Arc SFTP Server.
Overview
The Arc SFTP Server connector is primarily configured on the Profiles page. Then, individual SFTP Server connectors can be created for each trading partner who should have access to the server. The SFTP Server connector defines a trading partner’s credentials (username, password and/or public key) and provides a unique home directory on the server.
Each user’s home directory contains a Send folder, where clients can download files, and a Receive folder, where clients can upload files. You can rename these folders on the Advanced tab. SFTP clients are not given permissions to the root of the SFTP server, which means that SFTP clients should always cd into the Send or Receive directories after connecting.
The SFTP Server also supports Windows/AD authentication. See Windows Authentication for details.
Profile Configuration
The SFTP Server profile must be configured before connections can be established with individual SFTP Server connectors. Click Profiles on the navbar, then click the SFTP Server tab.
Server Configuration
Server implementation settings.
- Port The port on which the SFTP server listens for incoming connections.
- Server Certificate The certificate that identifies the server.
- Certificate Password The password required to access the server certificate.
- Login Banner The banner presented to SFTP clients when they connect to the server.
- Root Directory The root directory for the server. Subfolders are created in the root for individual client profiles (for each configured SFTP Server connector). Each client profile includes a Send folder, where clients can download files from the server, and a Receive folder, where clients can upload files to the server.
- Allowed Files Filter A glob pattern that determines which files are accepted by the SFTP server. You can use negative patterns to indicate files that should not be downloaded (for example, -*.tmp). Separate multiple file types by commas (for example, *.x12,*.edi).
- Windows Authentication Check this to use Windows Authentication to authenticate users instead of the SFTP Server connector configurations. Only available in the .NET edition of Arc. See Windows Authentication for more information.
- Security Group The name of the Windows group used for granting access to the server. This can be a group on the local machine or on the domain. Only applicable when Use Windows Authentication is checked.
Lockouts
Optional settings related to locking server access.
- Failed Attempts The number of unsuccessful login attempts allowed before the user is locked out.
- Lockout Period The length of time (in minutes) that the user is locked out.
- Time Check Period The length of time (in minutes) that records are kept of failed login attempts.
Trusted IP Addresses
The following functions are available in the Trusted IP Addresses section:
- Add Enter a new IP address range.
- Edit Modify the selected IP address range.
- Delete Deletes the selected IP address range from the list.
The following restrictions apply to this feature:
- localhost cannot be modified or removed from the list.
- Any IP addresses outside of the defined ranges are rejected.
- Ranges are supported. For example, the entry 100.10.100.1-15 indicates that IP addresses between 100.10.100.1 and 100.10.100.15 are allowed.
- Classless inter-domain routing (CIDR) notation is supported. For example, the entry 100.10.100.0/24 indicates that IP addresses between 100.10.100.0 and 100.10.100.255 are allowed.
- Wildcard patterns are supported. For example, the entry 100.10.100.* indicates that IP addresses beginning with 100.10.100 are allowed.
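The following Python example is added here for illustration and is not Arc's own code. It evaluates a client address against the entry forms listed above (localhost, a single address, a last-octet range, CIDR, and a wildcard) with default-deny semantics; the parsing rules are this example's assumptions about those forms, not a description of Arc's implementation.

```python
import ipaddress

def entry_matches(entry: str, ip: str) -> bool:
    """Return True if one Trusted IP Addresses entry covers the client address.

    Supported forms (assumed from the documentation): the fixed localhost
    entry, a single address, a last-octet range such as 100.10.100.1-15,
    CIDR such as 100.10.100.0/24, and a wildcard such as 100.10.100.*.
    """
    entry = entry.strip()
    addr = ipaddress.ip_address(ip)          # raises ValueError if malformed
    if entry == "localhost":
        return addr.is_loopback
    if "/" in entry:                         # CIDR notation
        return addr in ipaddress.ip_network(entry, strict=False)
    if "*" in entry:                         # wildcard: '*' matches a whole octet
        want, have = entry.split("."), ip.split(".")
        return len(want) == len(have) and all(
            w == "*" or w == h for w, h in zip(want, have))
    if "-" in entry:                         # range; a bare end is a last octet
        start, end = entry.split("-", 1)
        if "." not in end:
            end = start.rsplit(".", 1)[0] + "." + end
        return ipaddress.ip_address(start) <= addr <= ipaddress.ip_address(end)
    return addr == ipaddress.ip_address(entry)   # single address

def is_trusted(ip: str, entries) -> bool:
    """Default deny: the client is accepted only if some entry matches it.
    A malformed client address or entry simply counts as no match."""
    for entry in entries:
        try:
            if entry_matches(entry, ip):
                return True
        except (ValueError, TypeError):      # bad input or IPv4/IPv6 mismatch
            continue
    return False

# Constructed sample list mirroring the documentation's examples.
SAMPLE_TRUSTED = ["localhost", "100.10.100.1-15", "100.10.100.0/24"]

if __name__ == "__main__":
    for client in ("127.0.0.1", "100.10.100.7", "100.10.100.200", "203.0.113.9"):
        print(client, "allowed" if is_trusted(client, SAMPLE_TRUSTED) else "rejected")
```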
Note: In order for clients to reach the server, a clear network path is required. In cloud environments you might need to make changes in three places:
- The networking rules in the cloud console.
- The firewall rules on the machine hosting the application. For example, when using an Amazon AMI, you might use an Uncomplicated Firewall (UFW) to allow traffic on the desired port. A common strategy in Linux environments is to forward traffic from ports lower than 1024 to a non-standard port higher than 1024, while configuring the application to use the non-standard port. This avoids permission issues associated with non-root users binding to ports lower than 1024.
- The Trusted IP Addresses portion of the Settings page.
Advanced Settings
- Inactivity Timeout The length of time (in seconds) that must pass without activity for a user to time out.
Logging
Settings that govern the creation and storage of logs.
- Log Level The verbosity of logs generated by the connector. When you request support, set this to Debug.
- Log Rotate Interval The number of days to wait before creating a new log file.
- Log Delete Interval The number of days to wait before deleting old log files.
Miscellaneous
Miscellaneous settings are for specific use cases.
- Other Settings Enables you to configure hidden connector settings in a semicolon-separated list (for example, setting1=value1;setting2=value2). Normal connector use cases and functionality should not require the use of these settings.
Connector Configuration
Once you configure the SFTP Server profile settings, create and configure an individual SFTP Server connector for each trading partner on the Flows page.
Settings Tab
Configuration
- Connector Id The static, unique identifier for the connector.
- Connector Type Displays the connector name and a description of what it does.
- Connector Description An optional field to provide a free-form description of the connector and its role in the flow.
User Configuration
Credentials for authenticating to the local SFTP server.
- User The username credential for logging in to the local SFTP server.
- Authentication Mode The type of authentication to use with the SFTP server. The following fields vary based on your authentication mode.
- Password The password credential for logging in to the SFTP server.
- Client Certificate The public key certificate corresponding to the private certificate the client uses when you choose Public Key authentication.
Permissions
Settings related to the read/write permissions for the Send and Receive folders.
- Send Directory Permissions Use the checkboxes to set read/write permissions for the Send directory. This is where files are downloaded.
- Receive Directory Permissions Use the checkboxes to set read/write permissions for the Receive directory. This is where files are uploaded.
Alerts Tab
Settings related to configuring alerts and Service Level Agreements (SLAs).
Connector Email Settings
Before you can execute SLAs, you need to set up email alerts for notifications. Clicking Configure Alerts opens a new browser window to the Settings page where you can set up system-wide alerts. See Alerts for more information.
Service Level Agreement (SLA) Settings
SLAs enable you to configure the volume you expect connectors in your flow to send or receive, and to set the time frame in which you expect that volume to be met. CData Arc sends emails to warn the user when an SLA is not met, and marks the SLA as At Risk, which means that if the SLA is not met soon, it will be marked as Violated. This gives the user an opportunity to step in and determine the reasons the SLA is not being met, and to take appropriate actions. If the SLA is still not met at the end of the at-risk time period, the SLA is marked as violated, and the user is notified again.
To define an SLA, click Add Expected Volume Criteria.
- If your connector has separate send and receive actions, use the radio buttons to specify which direction the SLA pertains to.
- Set Expect at least to the minimum number of transactions (the volume) you expect to be processed, then use the Every fields to specify the time frame.
- By default, the SLA is in effect every day. To change that, uncheck Everyday then check the boxes for the days of the week you want.
- Use And set status to ‘At Risk’ to indicate when the SLA should be marked as at risk.
- By default, notifications are not sent until an SLA is in violation. To change that, check Send an ‘At Risk’ notification.
The following example shows an SLA configured for a connector that expects to receive 1000 files every day Monday-Friday. An at-risk notification is sent 1 hour before the end of the time period if the 1000 files have not been received.
Advanced Tab
Local Folders
Settings related to the folders where clients upload and download files. Rename the default folders here.
- Input Folder (Send) Files placed in the Send folder are available to be downloaded by clients.
- Output Folder (Receive) Files uploaded by the client should be placed in the Receive folder. Files remain in the Receive folder or are passed along to the next connector in the flow.
Additional Paths
The SFTP Server connector allows you to expose paths in addition to the Input and Output folders. To configure additional paths, follow these steps:
- Use the Path field to specify the additional path that should be exposed. Path values are relative to the Root Directory defined on the Profiles page.
- Set the permissions for the additional path using the Read and Write checkboxes.
- If more paths are needed, click New and repeat these steps for each path.
For example, if Root Directory is set to /var/opt/arc/sftpserver, and an additional path of MyAdditionalPath is added, it maps to the /var/opt/arc/sftpserver/MyAdditionalPath path on disk.
Advanced Settings
Settings not included in the previous categories.
- Allowed Files Filter A glob pattern that determines which files are accepted by the SFTP server. You can use negative patterns to indicate files that should not be downloaded (for example, -*.tmp). Separate multiple file types by commas (for example, *.x12,*.edi). Overrides the Allowed Files Filter option on the Server Configuration portion of the Profiles page.
- Move File After Send Specifies whether files in the Send folder should be moved to the Sent folder after they are downloaded by the client.
- Temp Receive Extensions Files with a matching extension are not recorded in the Receive table and do not fire the After Receive event until after they are renamed. Supply a comma-delimited list of extensions.
- Timeout The length of time (in seconds) the server waits for a connection response before throwing a timeout error.
- Save Subfolder Check this to have a Subfolder header added to received messages. It represents the path relative to the local folders or additional paths.
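The following Python example is added here for illustration and is not Arc's own code. It models the Allowed Files Filter syntax described in the Server Configuration and Advanced Settings sections (comma-separated globs, negative patterns prefixed with -) and the rule that the connector-level filter overrides the profile-level one. The matching semantics (a file must match some positive pattern, or any file qualifies when there are none, and must match no negative pattern; comparisons are case-insensitive) are assumptions of this example.

```python
from fnmatch import fnmatchcase

def parse_filter(spec: str):
    """Split a comma-separated filter such as '*.x12,*.edi,-*.tmp' into
    (include, exclude) glob lists. A leading '-' marks a negative pattern."""
    include, exclude = [], []
    for raw in spec.split(","):
        pat = raw.strip()
        if not pat:
            continue
        if pat.startswith("-"):
            exclude.append(pat[1:])
        else:
            include.append(pat)
    return include, exclude

def file_allowed(name: str, spec: str) -> bool:
    """Assumed semantics: reject on any negative match; otherwise accept if a
    positive pattern matches or no positive patterns were given."""
    include, exclude = parse_filter(spec)
    lowered = name.lower()                      # assumed case-insensitive
    if any(fnmatchcase(lowered, pat.lower()) for pat in exclude):
        return False
    return not include or any(fnmatchcase(lowered, pat.lower()) for pat in include)

def effective_filter(profile_filter: str, connector_filter: str) -> str:
    """The connector's Advanced Settings filter overrides the profile's
    Server Configuration filter whenever the connector value is set."""
    return connector_filter.strip() or profile_filter

if __name__ == "__main__":
    # Constructed sample: profile accepts EDI files, one connector narrows to X12.
    spec = effective_filter("*.x12,*.edi,-*.tmp", "*.x12,-*.tmp")
    for fname in ("po.x12", "inv.edi", "po.x12.tmp"):
        print(fname, "accepted" if file_allowed(fname, spec) else "rejected")
```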
Message
Message settings determine how the connector searches for messages and manages them after processing. You can save messages to your Sent folder or you can group them based on a Sent folder scheme, as described below.
- Save to Sent Folder Check this to copy files processed by the connector to the Sent folder for the connector.
- Sent Folder Scheme Instructs the connector to group files in the Sent folder according to the selected interval. For example, the Weekly option instructs the connector to create a new subfolder each week and store all sent files for the week in that folder. The blank setting instructs the connector to save all files directly in the Sent folder. For connectors that process many transactions, using subfolders can help keep files organized and improve performance.
Logging
Settings that govern the creation and storage of logs.
- Log Level The verbosity of logs generated by the connector. When you request support, set this to Debug.
- Log Subfolder Scheme Instructs the connector to group files in the Logs folder according to the selected interval. For example, the Weekly option instructs the connector to create a new subfolder each week and store all logs for the week in that folder. The blank setting tells the connector to save all logs directly in the Logs folder. For connectors that process many transactions, using subfolders helps keep logs organized and improves performance.
- Log Messages Check this to have the log entry for a processed file include a copy of the file itself. If you disable this, you might not be able to download a copy of the file from the Input or Output tabs.
Miscellaneous
Miscellaneous settings are for specific use cases.
- Other Settings Enables you to configure hidden connector settings in a semicolon-separated list (for example, setting1=value1;setting2=value2). Normal connector use cases and functionality should not require the use of these settings.
Establishing a Connection
Each SFTP Server connector represents a single trading partner’s connection parameters. The trading partner should connect to the SFTP server using the server settings from the Profiles page (port, server certificate, and so on) and the authentication settings in the dedicated SFTP Server connector (user and password).
Each trading partner has a pair of Send and Receive directories that are subfolders of the root. The partner downloads files from the Send folder and uploads files to the Receive folder. The client is not permitted to upload or download files from the root.
Windows Authentication
When Windows Authentication is enabled on the Server Configuration portion of the Profiles tab, individual SFTP Server connectors are not required to grant login access to the SFTP Server. Instead, you need to specify the name of the Windows Security Group that should be granted access to the server.
When Windows Authentication is enabled, the Root Directory profile setting supports the %User% and %Domain% macros to establish separate root directories for separate users in the security group. Therefore, when Windows Authentication is enabled, users are permitted to upload/download files in the root directory (this is not true when you use SFTP Server connectors for authentication).
Once files are uploaded to the user-specific folder, they can be entered into the Arc flow using a File connector.
Common Errors
ERROR: “Could not bind server socket: Permission denied.”
Cause
This error can appear when the SFTP server attempts to establish its listener and the process hosting Arc does not have sufficient privileges to bind to the specified port. Note that in some cases (such as Linux environments and hosted instances running in an Amazon AMI), non-root processes are not permitted to bind to ports below 1024.
Resolution
Choose a different port, or change the identity of the process hosting Arc to one with permissions to bind to the port.
The Amazon AMI-hosted version of Arc uses the Ubuntu operating system, so CData recommends that you use an Uncomplicated Firewall (UFW) to manage port permission issues. For example, setting up SFTP Server to run on port 2022 in Arc and using UFW to forward port 22 to 2022 at the OS level looks like this:
ufw allow 22/tcp
ufw allow 2022/tcp
echo "
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2022
COMMIT" >> /etc/ufw/before.rules
If your environment uses a different Linux operating system, CData recommends that you bind to a port above the restricted range (for example, 8022 for SFTP traffic) and use iptables to route incoming requests on the desired port to the allowed port:
iptables -t nat -I PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 8022