SFTP (embedded) server fields
After you add an SFTP-type trading delivery or application delivery to a community, an embedded SFTP server is available in the UI. You can then change the server settings and advanced options.
To change settings:
- Select System management > Manage embedded servers. Or, click Trading configuration on the toolbar.
- On the Communities page, click the link near the bottom of the page named Manage all embedded servers.
The following are the maintenance fields for an embedded SFTP server that has been added to a community.
Settings tab
- Server name – A name you give the transport server to distinguish it from other embedded servers. This field gets its initial value when you type it in the delivery exchange wizard.
- Port – The port on which Activator listens for connection requests.
Select the authentication method:
- This server requires the SFTP client to authenticate using a password – Requires the partner to use a password to connect to the embedded server. The password is the one assigned to the SFTP user associated with the delivery that uses this server. If not selected, the partner optionally can submit a password, but is not required to do so.
- This server requires the SFTP client to authenticate using a public/private key pair – Requires the partner to use a private key to encrypt an authentication message and pass it to the server to decrypt with the matching public key. This process enables the server to verify the identity of the partner. If not selected, the partner optionally can submit an encrypted authentication message, but is not required to do so.
- This server requires the SFTP client to authenticate using both a password and a public/private key pair – Requires the partner to provide both of the above authentication methods.
- This server allows the SFTP client to authenticate using either a password or a public/private key pair – Requires the partner to provide either of the authentication methods.
- External host or IP address – The fully qualified domain name or IP address that a community’s partners must use to connect to this embedded server. Activator supplies a value based on the name of the host computer. In many cases you must change this to the external name used by your network firewall or load balancer. Contact your network administrator if you need help with this field.
- External port – The port number that a community’s partners must use to connect to this embedded server. Contact your network administrator if you need help with this field.
Advanced tab
- Maximum authentications – The number of failed authentication attempts the server allows before disconnecting the user.
- Session timeout (seconds) – The number of seconds the server waits before disconnecting an inactive logged-on user.
- Server’s current DSA public key – This is the designated DSA public key the embedded server passes to the remote partner’s SFTP client. If the client trusts the key, the message exchange can proceed.
- Activator keeps the corresponding private key in a file in <install directory>\common\conf\keys. The private key is not displayed in the user interface.
- The public key is passed to the partner’s external client when the client connects. The public key assures the client that it is connecting to a trusted server. However, if a DSA key is not specified, the server instead sends the current RSA public key to the client.
- The current public key, whether RSA or DSA, is included in the community profile when it is exported as a partner profile for the partner to import on its instance of Activator. The current key displays in the user interface for the delivery settings within the partner. However, if the partner uses a client other than Activator, the key is passed to the client when the client connects to the server.
- When the community is exported to a backup file, both the RSA and DSA keys are exported to the file.
- Change the DSA SSH keys – Select this to change the current DSA public key for this embedded server. Select one of the following options and click Save changes. If you change the key after you have exported your community profile as a partner profile, export the profile again and give the file to your partner to import to its instance of Activator.
- Use default key – Select to use the default DSA public key. The length of this key is 1024.
- The default public key is generated when the first SFTP delivery for receiving messages from partners via an embedded server is added to a community. Unless otherwise specified, all SFTP exchange points for all embedded SFTP servers use the same default key.
- If you select another key option and later elect to go back to the default key, the same default key that was first generated becomes the current key again.
- Do not use a key – Select this if you do not want to specify a DSA public key for this embedded server. If you select this option, the current RSA public key is used instead. Either a DSA or an RSA public key must be specified as a current key; the DSA and RSA public keys cannot both be disabled at the same time.
- Generate a key – Select this to have Activator generate a new public-private key pair and designate the public key as the current DSA public key for this embedded server. Select a key length before clicking Save changes to generate the key.
- The server is off line while the key is being generated, but restarts once the key has been added.
- It may take several minutes or more to generate a key longer than 1024.
- Import a private key – Select this and click Browse to import a private key you have generated. You must use a tool such as PuTTY-Gen to generate the public-private key pair. You cannot use Activator to generate the key. Import only the private key. Activator generates the corresponding public key and makes it the current key for this embedded server.
- Server’s current RSA public key – This is the designated RSA public key the embedded server passes to the remote partner’s SFTP client. If the client trusts the key, the message exchange can proceed. See SFTP (embedded) server fields for more information about how these keys are used for SFTP.
- Change the RSA SSH keys – Select this to change the current RSA public key for this embedded server. Select one of the following options and click Save changes. If you change the key after you have exported your community profile as a partner profile, export the profile again and give the file to your partner to import to its instance of Activator.
- Use default key – Select to use the default RSA public key. The length of this key is 2048. The default public key is generated when the first SFTP delivery for receiving messages from partners via an embedded server is added to a community. Unless otherwise specified, all SFTP exchange points for all embedded SFTP servers use the same default key.
- If you select another key option and later elect to go back to the default key, the same default key that was first generated becomes the current key again.
- Do not use a key – Select this if you do not want to specify an RSA public key. If you select this option, the current DSA public key is used, which is the default behavior anyway. Either a DSA or an RSA public key must be specified as a current key; the DSA and RSA public keys cannot both be disabled at the same time.
- Generate a key – Select this to have Activator generate a new public-private key pair and designate the public key as the current RSA public key. Select a key length before clicking Save changes to generate the key. The server is off line while the key is being generated, but restarts once the key has been added. It may take several minutes or more to generate a key longer than 2048.
- Import a private key – Select this and click Browse to import a private key you have generated. You must use a tool such as PuTTY-Gen to generate the public-private key pair. You cannot use Activator to generate the key. Import only the private key. Activator generates the corresponding public key and makes it the current key for this embedded server.
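The current DSA or RSA public key above is what a partner receives in the exported profile, or sees when its client first connects. Before trusting it, a partner-side administrator wants to confirm the key's type, length and fingerprint against what the community administrator reports. The following Python is an added example, not Activator code: it parses a one-line OpenSSH public key, reports its bit length and SHA256/MD5 fingerprints, and checks the length against the default lengths this page states (2048 for RSA, 1024 for DSA). The sample keys are constructed from arbitrary integers so the example runs offline; they are not real host keys, and the OpenSSH one-line format is an assumption about how the key is exported.

```python
"""Inspect an OpenSSH-format public key such as the RSA or DSA host key an
embedded SFTP server displays in its settings and exports in a partner profile.

Added example; this is not Activator code. Assumes the one-line
"<type> <base64 blob> [comment]" OpenSSH format. MIN_BITS mirrors the default
key lengths given in the field descriptions. The sample keys are constructed
from arbitrary integers so the example runs offline; they are not real keys.
"""
import base64
import hashlib
import struct

MIN_BITS = {"ssh-rsa": 2048, "ssh-dss": 1024}


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH mpint: big-endian magnitude, with a zero byte prepended if the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int):
    """Read one wire-format string starting at offset; return (bytes, next offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def encode_public_key(key_type: str, *numbers: int, comment: str = "constructed") -> str:
    """Assemble a one-line OpenSSH public key from its wire-format integers."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_mpint(n) for n in numbers)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def inspect_public_key(line: str) -> dict:
    """Return type, bit length, fingerprints and a minimum-length verdict for one key line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type, blob_b64 = parts[0], parts[1]
    blob = base64.b64decode(blob_b64, validate=True)
    wire_type_raw, offset = _read_string(blob, 0)
    wire_type = wire_type_raw.decode()
    if wire_type != declared_type:
        raise ValueError(f"type prefix {declared_type!r} does not match blob type {wire_type!r}")
    numbers = []
    while offset < len(blob):
        raw, offset = _read_string(blob, offset)
        numbers.append(int.from_bytes(raw, "big"))
    if wire_type == "ssh-rsa" and len(numbers) == 2:
        bits = numbers[1].bit_length()      # fields are e, n; the modulus n sets the key length
    elif wire_type == "ssh-dss" and len(numbers) == 4:
        bits = numbers[0].bit_length()      # fields are p, q, g, y; the prime p sets the key length
    else:
        raise ValueError(f"unsupported or malformed key type {wire_type!r}")
    sha256_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5_hex = hashlib.md5(blob, usedforsecurity=False).hexdigest()  # legacy PuTTY-style fingerprint
    return {
        "type": wire_type,
        "bits": bits,
        "sha256": "SHA256:" + sha256_b64,
        "md5": "MD5:" + ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
        "comment": " ".join(parts[2:]),
        "meets_minimum": bits >= MIN_BITS[wire_type],
    }


# Constructed sample keys (arbitrary integers, not real key material).
SAMPLE_RSA_KEY = encode_public_key("ssh-rsa", 65537, (1 << 2047) | 1, comment="embedded-sftp-rsa")
SAMPLE_DSA_KEY = encode_public_key("ssh-dss", (1 << 1023) | 1, (1 << 159) | 1, 2, 3, comment="embedded-sftp-dsa")
SHORT_RSA_KEY = encode_public_key("ssh-rsa", 65537, (1 << 1023) | 1, comment="too-short")

if __name__ == "__main__":
    for key in (SAMPLE_RSA_KEY, SAMPLE_DSA_KEY, SHORT_RSA_KEY):
        info = inspect_public_key(key)
        verdict = "ok" if info["meets_minimum"] else "BELOW MINIMUM"
        print(f"{info['type']:8} {info['bits']:5} bits  {info['sha256']}  {verdict}")
```

The SHA256 fingerprint is the value to compare out of band with the community administrator after a key change, since the page notes that a regenerated or imported key must be re-exported to the partner; a partner whose client still holds the old fingerprint will see a host-key mismatch rather than a silent change.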
- Allow uploads on configured delivery exchanges – Select this option to allow documents to be uploaded to application deliveries or partner deliveries. By default, document uploads are not allowed for deliveries. This setting does not impact pickups.
- Override SSH ciphers – Select this check box to specify, using the Add and Remove buttons, the specific ciphers supported for the server. If not selected, all ciphers are supported by default. The default is less secure than specifying only certain ciphers. This check box is available for production deliveries.
- The default order in the Available column is the preferred order of use. Once ciphers are moved to the Selected column, you can arrange the order. Activator uses the ciphers in the order listed.
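To make the cipher override concrete, the following Python is an added example, not Activator code. It builds a Selected list from a constructed Available column, audits a list for weak entries, and shows what a connecting client ends up negotiating under the rule in RFC 4253 section 7.1 (the chosen cipher is the first entry on the client's list that the server also supports). The cipher names are standard SSH algorithm identifiers; which of them appear in Activator's Available column, and the client preference lists, are assumptions constructed for the example.

```python
"""Model the "Override SSH ciphers" setting: derive a Selected list from the
Available column, audit it, and show the cipher a client negotiates.

Added example; this is not Activator code. AVAILABLE_DEFAULT is a constructed
stand-in for "all ciphers supported"; the client lists are constructed too.
"""

# Constructed stand-in for the Available column with the override unchecked.
AVAILABLE_DEFAULT = [
    "aes256-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
    "aes128-ctr",
    "aes192-ctr",
    "aes256-ctr",
    "aes128-cbc",
    "aes256-cbc",
    "3des-cbc",
    "blowfish-cbc",
    "arcfour",
]

# Preferred order for the Selected column: AEAD modes first, then CTR.
HARDENED_ORDER = [
    "chacha20-poly1305@openssh.com",
    "aes256-gcm@openssh.com",
    "aes128-gcm@openssh.com",
    "aes256-ctr",
    "aes192-ctr",
    "aes128-ctr",
]

WEAK_MARKERS = ("-cbc", "arcfour", "3des", "blowfish", "cast128")
AEAD_MARKERS = ("gcm", "chacha20-poly1305")


def is_weak(cipher: str) -> bool:
    """CBC modes, RC4 and 64-bit block ciphers are treated as weak."""
    return any(marker in cipher for marker in WEAK_MARKERS)


def build_selected(available, order=HARDENED_ORDER):
    """Selected column: preferred ciphers the server offers, in preferred order, weak ones dropped."""
    return [c for c in order if c in available and not is_weak(c)]


def audit_selected(selected):
    """Findings a reviewer would raise about a Selected (or default) cipher list."""
    findings = [f"weak cipher enabled: {c}" for c in selected if is_weak(c)]
    if not any(any(m in c for m in AEAD_MARKERS) for c in selected):
        findings.append("no AEAD cipher enabled")
    if not selected:
        findings.append("no ciphers enabled; every client would fail key exchange")
    return findings


def negotiate(client_list, server_list):
    """RFC 4253 7.1: first client cipher also on the server list; None means the connection fails."""
    return next((c for c in client_list if c in server_list), None)


# Constructed client preference lists.
LEGACY_CLIENT = ["aes128-cbc", "3des-cbc", "aes256-ctr"]
CBC_ONLY_CLIENT = ["3des-cbc", "blowfish-cbc"]

if __name__ == "__main__":
    hardened = build_selected(AVAILABLE_DEFAULT)
    print("default list findings:", audit_selected(AVAILABLE_DEFAULT))
    print("hardened Selected column:", hardened, audit_selected(hardened))
    for name, client in (("legacy", LEGACY_CLIENT), ("cbc-only", CBC_ONLY_CLIENT)):
        print(f"{name}: default -> {negotiate(client, AVAILABLE_DEFAULT)}, "
              f"hardened -> {negotiate(client, hardened)}")
```

The legacy client negotiates aes128-cbc against the default list and aes256-ctr against the hardened list; the CBC-only client fails against the hardened list, which is the expected outcome and the reason to coordinate a cipher change with partners before saving it. Because the RFC 4253 rule lets the client's preference decide among mutually supported ciphers, removing a weak cipher from the Selected column is what prevents a partner's client from negotiating it; reordering alone does not.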
Home directories tab
Use the Home directories tab to force messages to be directed to a single directory. Specifying home directories is optional.
Home directories are used by FTP and SFTP embedded servers to direct messages to a single subdirectory for a transport user. For example, a community has three deliveries for receiving messages from partners. All exchanges use the same embedded server and the same user to connect to the server. The user subdirectories for each exchange are different. The subdirectories are:

Exchange        Transport user   User subdirectory
AS3             foo              foo\AS3
Secure file     foo              foo\SecureFile
No packaging    foo              foo\NoPackaging
Normally, when a remote partner connects to the server as user foo and sends messages via AS3, the messages are written to the foo\AS3 subdirectory. Messages sent via secure file and no packaging are similarly routed to the designated subdirectories for those exchanges.
However, if a home directory for the foo user is set as foo\home, all messages are re-routed to the home directory. This occurs regardless of whether a partner uses the AS3, secure file or no packaging exchange to send messages to the community.
If the advanced control is enabled on a delivery to allow clients to add and remove subdirectories, the home directory for the embedded server is still honored. This means the embedded server's settings take precedence over the settings for the exchange point hosted on that embedded server. In such a case, messages are re-routed to the home directory even when the transport user sends to a subdirectory the user created earlier.
One other item of note: If a user has an FTP or SFTP client and logs on to the embedded server directly — outside of a messaging protocol — the client connects to the home directory rather than to the user subdirectory.