SFTP (external) transport configuration

You can use Secure FTP (SFTP) as a trading partner or application transport.

To enable partners to send messages to your SFTP server, first set up the account, user ID and password for the SFTP server where Activator retrieves files. Any partner who intends to receive messages from you by SFTP also must also perform this step.

SFTP is similar to FTP, but performs all operations over an encrypted Secure Shell (SSH) transport. SFTP and FTP/SSL (or FTPS) are different transports. An SFTP server can communicate only with other SFTP servers, not FTP servers.

Activator supports limited SFTP functionality as the following notes:

• Only supports SSH 2.0.
• Checkpoint-restart functionality is not supported.
• User commands and scripting (as supported for FTP) are not supported for SFTP.

This transport has been tested only with the OpenSSH sftp‑server.

For more information about SSH see:

• http://datatracker.ietf.org/wg/secsh/charter/
• http://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt
• http://www.openssh.com/faq.html

SFTP fields

The following fields are used in the delivery exchange wizard for configuring this transport.

• SFTP server – The name of the SFTP server.
• Port – The port on which the server listens for incoming connections. The default is 22.
• Pickup directory – Type the path of the directory on your server where messages are picked up. When Activator polls the server for files, it only looks in the pickup directory, not an inbox directory.
• Use temporary files to avoid read/write collisions – We recommend using this option to prevent Activator from attempting to retrieve partially written files. When this is selected, you must select one of the two following options.
  • Use separate directory for temporary files – Type the full path of an inbox directory (for example, c:\data\inbox). Files are uploaded to this directory. When fully written, files are moved to the pickup directory for retrieval.
  • Do not put the inbox under the pickup directory unless you use a period at the beginning of the inbox name. Activator and other applications ignore directories and files that begin with periods.
  • For example, do not use the following directory structure:

    c:\data\pickup\inbox

  • But you can use the following because a period is the first character of the inbox directory name:

    c:\data\pickup\.inbox

  • When receiving files from a partner, we recommend that your partner write files to the inbox directory first and then move them to the pickup directory when they are ready to be retrieved. This process is automatic if your partner also uses Activator. If the partner uses other software to upload files to your server, the software should be configured to initially upload the files to the inbox directory and move them to the pickup directory when they are ready to be retrieved.
  • For outbound integration, the back-end system must write the message to the inbox and then move it to the pickup directory.
  • For inbound integration and sending outbound to partners, Activator writes to the inbox and then moves the message to the pickup directory.
  • Use special extension in pickup directory for temporary files – If you prefer not to use an inbox, select this option. While a file is being written to the pickup directory, a temporary extension is added so the system knows not to retrieve it because the file is only partially written. Once fully written, the temporary extension goes away and the file can be retrieved.
• Server’s public key – You have two options for designating the RSA or DSA public key for the SFTP server. Activator uses the key to authenticate the server.
  • Retrieve public key from server – Click Get Key to have Activator retrieve the public key for the SFTP server. The server name and port number entered on this page must be correct for this option to work.
  • Server public key file – Type the path to the file containing the public key for the SFTP server or click Browse to locate the file. You may have to ask the server administrator for the file path.
• Use password authentication – Password authentication requires entering the user name and password for connecting to the server. The user name and password are sent over an encrypted connection to authenticate the user to the server. Although this option offers ease of administration, the password is vulnerable because it is sent every time a connection is made. The password could be compromised if the server is ever compromised.
• For more information see Public-private key and password authentication.
• Use public/private key pair authentication – Public-private key pair authentication requires entering the user name of the server here.
• If this exchange is for a community, add the private key to the community. If this exchange is for a partner, add the public key to any community that will be trading with the partner.
• To add a key, click Certificates in the navigation graphic at the top of the community summary page. Select the SSH keys tab. Click Add an SSH key, follow the prompts and click Add. Select the key as the default SSH key after it has been added.
• For more information see Public-private key and password authentication.

• Use host-based authentication – Select this option if this delivery binds outbound messages to a server that requires host-based authentication. You can use host-based authentication with a Linux SFTP server. Before you activate this option you must complete the steps listed below. If you have started creating an external SFTP pickup or delivery, cancel the wizard and complete the prerequisites first.
• •  On the server:
    1. Copy the public key file to the following directory:
       /home/user/.ssh/
    2. Append the public key file contents to authorized_keys:
       /home/users/.ssh/key1.pub >> /home/user/.ssh/authorized_keys
    3. Append the public key to the /etc/ssh/ssh_known_hosts file. Edit to add hostname:
       cat /home/user/.ssh/sshkey1_linux36.pub >> /etc/ssh/ssh_known_hosts
    4. Add the client's hostname to the following file:
       /etc/ssh/shosts.equiv
    5. Ensure the /etc/ssh/sshd_config file contains the following line:
       HostbasedAuthentication yes
  • On the client:
    1. Copy the corresponding private key file to a directory.
    2. In Axway Activator, create a new pickup/delivery using an external SFTP server. When prompted to Configure the SFTP settings, after you complete the initial fields, select Use host-based authentication. Enter the User Name and browse to the private key file. If a Key password is required, enter it.

Testing SFTP

You can use the sftpTester tool to exercise the SFTP client outside of Activator. The script to start sftpTester can be found in <install directory>\tools.

sftpTester is a console-based application that can verify the operation of the SFTP client in Activator and a partner’s SFTP server. Activator server does not have to be running to use this tool. You can use it on UNIX or Windows.

sftpTester duplicates the way Activator accesses an SFTP server. It is a test program to verify interoperability with SFTP servers. If you can send, list, receive and delete files on a SFTP server using sftpTester, this is a good indication Activator can interoperate with the server.

sftpTester prompts for all the information it needs, as the following illustrates:

After prompting for the initial configuration information such as the host, user and password, sftpTester displays a main prompt that allows you to enter meta-commands to perform simple operations such as list, send and receive. You can enter a question mark (?) at this point to get more information. The following information displays upon entering a question mark at the main prompt:

Consumer commands

Producer commands

Troubleshooting SFTP

For troubleshooting, you can write messages specific to the SFTP transport to Activator log file. You can add the following properties to the log4j.properties file at <install directory>\conf.

• For messages related to high-level operation of the SFTP client, this property in debug mode is useful for finding common SFTP problems.
• log4j.category.com.cyclonecommerce.tradingengine.transport.sftp.SimpleDebug=debug
• For messages related to low-level operation of the SFTP client, this property in debug mode produces verbose messages. (Try the simple debug property before using this one.)
• log4j.category.com.cyclonecommerce.tradingengine.transport.sftp=debug

Related topics:

• SFTP fields
• Testing SFTP