Each SFTP Server connector defines a unique client profile that can be used to authenticate to the SFTP Server.

Key Capabilities

  • Embedded SSH-based secure file server with multi-user support
  • Flexible authentication including password, public key, and Windows/AD integration (Windows/AD integration is only available in the .NET edition)
  • Individual user directories with customizable folder structures and additional paths
  • Advanced security features including login attempt lockouts and IP restrictions
  • Support for temporary file extensions and automatic file movement after operations

Overview

The SFTP Server connector is primarily configured on the Profiles page. Then, individual SFTP Server connectors can be created for each trading partner who should have access to the server. The SFTP Server connector defines a trading partner’s credentials (username, password and/or public key) and provides a unique home directory on the server. Each user’s home directory contains a Send folder, where clients can download files, and a Receive folder, where clients can upload files. You can rename these folders on the Advanced tab. SFTP clients are not given permissions to the root of the SFTP server, which means that SFTP clients should always cd into the Send or Receive directories after connecting. The SFTP Server also supports Windows/AD authentication. See Windows Authentication for details.

Profile Configuration

The SFTP Server profile must be configured before connections can be established with individual SFTP Server connectors. Click Profiles on the navbar, then click the SFTP Server tab.

Server Configuration

Server implementation settings.
| Setting | Description |
| --- | --- |
| Port | The port on which the SFTP server listens for incoming connections. |
| Server Certificate | The certificate that identifies the server. |
| Certificate Password | The password required to access the server certificate. |
| Login Banner | The banner presented to SFTP clients when they connect to the server. |
| Root Directory | The root directory for the server. Subfolders are created in the root for individual client profiles (for each configured SFTP Server connector). Each client profile includes a Send folder, where clients can download files from the server, and a Receive folder, where clients can upload files to the server. |
| Allowed Files Filter | A glob pattern that determines which files are accepted by the SFTP server. You can use negative patterns to indicate files that should not be downloaded (for example, -*.tmp). Separate multiple file types by commas (for example, *.x12,*.edi). |
| Windows Authentication | Check this to use Windows Authentication to authenticate users instead of the SFTP Server connector configurations. Only available in the .NET edition. See Windows Authentication for more information. |
| Security Group | The name of the Windows group used for granting access to the server. This can be a group on the local machine or on the domain. Only applicable when Use Windows Authentication is checked. |

Lockouts

Optional settings related to locking server access.
| Setting | Description |
| --- | --- |
| Failed Attempts | The number of unsuccessful login attempts allowed before the user is locked out. |
| Lockout Period | The length of time (in minutes) that the user is locked out. |
| Time Check Period | The length of time (in minutes) that records are kept of failed login attempts. |

Trusted IP Addresses

Advanced Settings

| Setting | Description |
| --- | --- |
| Inactivity Timeout | The length of time (in seconds) that must pass without activity for a user to time out. |

Logging

Miscellaneous

Connector Configuration

Once you configure the SFTP Server profile settings, create and configure an individual SFTP Server connector for each trading partner on the Flows page.

Settings Tab

Configuration

User Configuration

Credentials for authenticating to the local SFTP server.
| Setting | Description |
| --- | --- |
| User | The username credential for logging in to the local SFTP server. |
| Authentication Mode | The type of authentication to use with the SFTP server. The following fields vary based on your authentication mode. |
| Password | The password credential for logging in to the SFTP server. |
| Client Certificate | The public key certificate corresponding to the private certificate the client uses when you choose Public Key authentication. |

Permissions

Settings related to the read/write permissions for the Send and Receive folders.
| Setting | Description |
| --- | --- |
| Send Directory Permissions | Use the checkboxes to set read/write permissions for the Send directory. This is where files are downloaded. |
| Receive Directory Permissions | Use the checkboxes to set read/write permissions for the Receive directory. This is where files are uploaded. |

Advanced Tab

Local Folders

Settings related to the folders where clients upload and download files. Rename the default folders here.
| Setting | Description |
| --- | --- |
| Input Folder (Send) | Files placed in the Send folder are available to be downloaded by clients. |
| Output Folder (Receive) | Files uploaded by the client should be placed in the Receive folder. Files remain in the Receive folder or are passed along to the next connector in the flow. |

Additional Paths

The SFTP Server connector allows you to expose paths in addition to the Input and Output folders. To configure additional paths, follow these steps:
  1. Use the Path field to specify the additional path that should be exposed. Path values are relative to the Root Directory defined on the Profiles page.
  2. Set the permissions for the additional path using the Read and Write checkboxes.
  3. If more paths are needed, click New and repeat these steps for each path.
For example, if Root Directory is set to /var/opt/arc/sftpserver, and an additional path of MyAdditionalPath is added, it maps to the /var/opt/arc/sftpserver/MyAdditionalPath path on disk.

Advanced Settings

Settings not included in the previous categories.
| Setting | Description |
| --- | --- |
| Allowed Files Filter | A glob pattern that determines which files are accepted by the SFTP server. You can use negative patterns to indicate files that should not be downloaded (for example, -*.tmp). Separate multiple file types by commas (for example, *.x12,*.edi). Overrides the Allowed Files Filter option on the Server Configuration portion of the Profiles page. |
| Move File After Send | Specifies whether files in the Send folder should be moved to the Sent folder after they are downloaded by the client. |
| Temp Receive Extensions | Files with a matching extension are not recorded in the Receive table and do not fire the After Receive event until after they are renamed. Supply a comma-delimited list of extensions. |
| Timeout | The length of time (in seconds) the server waits for a connection response before throwing a timeout error. |
| Save Subfolder | Check this to have a Subfolder header added to received messages. It represents the path relative to the local folders or additional paths. |
| Local File Scheme | A scheme for assigning filenames to messages that are output by the connector. You can use macros in your filenames dynamically to include information such as identifiers and timestamps. For more information, see Macros. |
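To sanity-check an Allowed Files Filter value (profile-level or the connector-level override) before deploying it, the following added example, which is not part of the product or its documentation, models the filter in POSIX shell. The function name filter_allows is hypothetical, and the semantics are assumptions: matching is case-sensitive, any negative match rejects the file, at least one positive pattern must match when positives are present, and an empty filter accepts everything.

```shell
#!/bin/sh
# Added example: a model of the Allowed Files Filter, not the product's code.
# Usage: filter_allows FILTER FILENAME  -> exit 0 if accepted, 1 if rejected
# Assumed semantics: comma-separated globs; a leading "-" marks a negative
# pattern; a negative match always rejects; if any positive pattern exists,
# the name must match one of them; an empty filter accepts every file.
filter_allows() {
    filter=$1
    name=$2
    positives=0   # set to 1 once a positive pattern is seen
    hit=0         # set to 1 once a positive pattern matches
    denied=0      # set to 1 once a negative pattern matches

    old_ifs=$IFS
    IFS=,
    set -f        # keep the shell from expanding globs against the cwd
    for pat in $filter; do
        pat=${pat# }; pat=${pat% }        # tolerate "a, b" style spacing
        case $pat in
            '') continue ;;
            -*) case $name in ${pat#-}) denied=1 ;; esac ;;
            *)  positives=1
                case $name in $pat) hit=1 ;; esac ;;
        esac
    done
    set +f
    IFS=$old_ifs

    [ "$denied" -eq 0 ] || return 1
    [ "$positives" -eq 0 ] || [ "$hit" -eq 1 ]
}
```

Running candidate filenames from a trading partner through this check shows quickly whether a filter such as *.edi,-draft* accepts or rejects what you expect.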

Message

Logging

Miscellaneous

Alerts Tab

SLAs Tab

Establishing a Connection

Each SFTP Server connector represents a single trading partner’s connection parameters. The trading partner should connect to the SFTP server using the server settings from the Profiles page (port, server certificate, and so on) and the authentication settings in the dedicated SFTP Server connector (user and password). Each trading partner has a pair of Send and Receive directories that are subfolders of the root. The partner downloads files from the Send folder and uploads files to the Receive folder. The client is not permitted to upload or download files from the root.

Windows Authentication

When Windows Authentication is enabled on the Server Configuration portion of the Profiles tab, individual SFTP Server connectors are not required to grant login access to the SFTP Server. Instead, you need to specify the name of the Windows Security Group that should be granted access to the server. When Windows Authentication is enabled, the Root Directory profile setting supports the %User% and %Domain% macros to establish separate root directories for separate users in the security group. Therefore, when Windows Authentication is enabled, users are permitted to upload/download files in the root directory (this is not true when you use SFTP Server connectors for authentication). Once files are uploaded to the user-specific folder, they can be entered into the flow using a File connector.

Macros

Examples

Common Errors

Error: Could not bind server socket: Permission denied.

Cause

This error can appear when attempting to connect to an SFTP server and the hosting process does not have sufficient privileges to establish a listener on the specified port. Note that in some cases (such as Linux environments and hosted instances running in an Amazon AMI), ports below 1024 are restricted.

Resolution

Choose a different port, or change the identity of the hosting process to one with permissions to bind to the port. The Amazon AMI-hosted version uses the Ubuntu operating system, so it is recommended that you use Uncomplicated Firewall (UFW) to manage port permission issues. For example, setting up the SFTP Server to run on port 8022 and using UFW to forward port 22 to 8022 at the OS level looks like this:
ufw allow 22/tcp
ufw allow 8022/tcp
echo "
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 8022
COMMIT" >> /etc/ufw/before.rules
If your environment uses a different Linux operating system, it is recommended that you bind to a port above the restricted range (for example, 8022 for SFTP traffic) and use iptables to route incoming requests on the desired port to the allowed port:
iptables -t nat -I PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 8022
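The echo ... >> /etc/ufw/before.rules step above appends a new *nat block every time it is run. The following added example, which is not from the product documentation, wraps the same append so that it validates the ports, keeps a backup, and does nothing when the redirect rule is already present. The function name add_sftp_redirect and the .bak suffix are hypothetical.

```shell
#!/bin/sh
# Added example: idempotent version of the before.rules append shown above.
# Usage: add_sftp_redirect RULES_FILE FROM_PORT TO_PORT
# Returns 0 when the rule is present afterwards, 2 on an invalid port.
add_sftp_redirect() {
    rules_file=$1
    from_port=$2
    to_port=$3

    # Accept only decimal TCP port numbers in the range 1-65535.
    for p in "$from_port" "$to_port"; do
        case $p in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 2 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "invalid port: $p" >&2
            return 2
        fi
    done

    rule="-A PREROUTING -p tcp --dport $from_port -j REDIRECT --to-port $to_port"

    # -x matches the whole line, -F treats the rule as a fixed string, and
    # "--" stops grep from parsing the leading "-A" as an option.
    if grep -qxF -- "$rule" "$rules_file" 2>/dev/null; then
        return 0    # already configured; leave the file untouched
    fi

    # Keep a copy of the previous rules so the change can be reverted.
    if [ -f "$rules_file" ]; then
        cp -p "$rules_file" "$rules_file.bak"
    fi

    printf '\n*nat\n:PREROUTING ACCEPT [0:0]\n%s\nCOMMIT\n' "$rule" >> "$rules_file"
}

# Typical use as root, followed by a reload so UFW re-reads the file:
#   add_sftp_redirect /etc/ufw/before.rules 22 8022 && ufw reload
```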