When you connect to a server using SFTP, SSH encryption is used to protect the connection between your client machine and the server. This protects your password and your data, preventing an eavesdropper from capturing or stealing them as they travel over the network.
Despite the similarity in name and operation, SFTP is a completely different protocol from FTP and does not support all the same features and commands as FTP. Also, while they are both secure file transfer protocols and have similar names, FTPS (FTP with TLS/SSL) should not be confused with SFTP.
To use SFTP for secure connections, the server you are connecting to must also support SFTP. If you try to connect with SFTP to a server that doesn't support it, you will receive an error. Your network administrator or service provider can tell you if your server supports SFTP, and what other information you might need to use SFTP if it does.
The following components are supported by the SSH File Transfer Protocol:
An SFTP Listener that continuously polls the specified folder on the SFTP server (a machine running an SSH/SFTP server such as OpenSSH).
The SFTP Emitter emits messages onto an SFTP server. It requires the server credentials and the target directory as input.
The SFTP Read agent is used to read files from an SFTP server (drive on Unix or Windows). It can also be used in tandem with a file listener to embed file contents (the file picked up by the listener) into the XML file read from the SFTP drive by specifying the tag.
The SFTP Emit agent is used to write files to an output directory through SFTP (drive on Unix or Windows). The output file name can be specified completely or using wildcard characters.
The SFTPOps (SFTP operations) agent emits over the SSH protocol to a given host<:port> using various common SFTP commands. It can be used to perform operations such as Copy, Prepend, Append, Size, Move and so on.
All the SFTP components support both password-based authentication and key-pair-based authentication without a password.
In conventional password authentication, you prove you are who you claim to be by proving that you know the correct password. The only way to prove you know the password is to tell the server what you think the password is. This means that if the server has been hacked, or spoofed, an attacker can learn your password.
Key Pair authentication solves this problem. You generate a key pair, consisting of a public key (which everybody is allowed to know) and a private key (which you keep secret and do not give to anybody). The private key is able to generate signatures. A signature created using your private key cannot be forged by anybody who does not have that key; but anybody who has your public key can verify that a particular signature is genuine.
So you generate a key pair on your own computer, and you copy the public key to the server under a certain name. Then, when the server asks you to prove who you are, WinSCP can generate a signature using your private key. The server can verify that signature (since it has your public key) and allow you to log in. Now if the server is hacked or spoofed, the attacker does not gain your private key or password; they only gain one signature. And signatures cannot be re-used, so they have gained nothing.
Note: While using keypair authentication, the private key file path has to be populated in the SFTP component that is invoked. If password based authentication is used, the password field has to be populated while the private key file is left blank. This applies for all SFTP components.
Before you install the SFTP extension, ensure that the following prerequisites are met:
To test SFTP, an SSH/SFTP server is required for connection purposes. You can also access the following Web site for more information:
http://sourceforge.net/project/showfiles.php?group_id=103886&package_id=111688
To install SFTP, you must add the sftp extension to your iWay Service Manager instance during the iWay Service Manager installation. For more information on installing iWay Service Manager, see the iWay Installation and Configuration Guide. However, if you have already installed iWay Service Manager, you can also add the sftp extension by modifying the existing iWay Service Manager installation. This section describes how to add the SFTP extension by modifying an existing iWay Service Manager installation.
Since there are unique SFTP components required for the Relay and Executor iWay Service Manager instances, the SFTP extension must be added to both for proper operation. To add the SFTP extension:
The iWay 6.0 Service Manager Repair or Remove Installation dialog box opens.
The iWay 6.0 Service Manager Select Features dialog box opens. Select the check box for SFTP, and click Next.
Note: You must perform a hard restart. Using the Restart function in the iWay Service Manager Administration Console is not sufficient.
Note: When using key-pair authentication, the private key file path has to be populated in the SFTP component that is invoked. If password-based authentication is used, the password field has to be populated and the private key file left blank. This applies to all SFTP components listed below.
This section lists the components that are supported by iwsftp.
Below are three types of SFTP Agents:
This section describes how to configure the SFTP listener.
The following table lists and describes the properties of the SFTP listener.
| Property Name | Property Description |
|---|---|
| Host Name | Name of the host machine where the listener contacts the service to obtain requests. |
| Remote Port | Port to connect to on the SFTP site; leave blank for the default port 22. |
| Input Path | Directory with optional pattern on the SFTP host from which to retrieve files. A specific file name or a DOS-style pattern can be used. Do not specify the input suffix here (see Suffix In). |
| Include Symbolic Links | Set to true if you want the SFTP listener to process symbolic links. |
| Include Hidden Files | Set to true if you want the SFTP listener to process hidden files. |
| Destination Directory | Directory on the SFTP host to return responses to. |
| Data, Signal or Streaming | Data: the data file is retrieved from the SSH server and kept in memory while it is processed by the listener. Signal: the data file is retrieved from the SSH server and stored locally (requires that Local Store Directory be filled in); a signal document is generated by the listener. Streaming: a connection is opened with the SSH server and data from the file is retrieved and processed by the listener as needed. |
| Local Store Directory | Directory on the iWay server in which to save the files. Required when Data, Signal or Streaming is set to Signal; otherwise this field is not used. |
| Remove locally stored files | Set to true if you want the SFTP listener to delete the locally stored file after it is processed. |
| Pending Queue | Directory to hold documents which are to be retried later. |
| Suffix In | Limits input files to those with these extensions. For example, enter "XML,in" to accept files with extensions "xml" and "in". Matching is not case sensitive. Do not use '.'; use - to mean no extension, or * to mean any extension. |
| Duration | Maximum time that a document can remain in the retry pending queue. |
| Retry | Interval between retries of pending requests. |
| Do not unzip ZIP files | Pass ZIP files as a single file for processing (requires ACCEPT FLAT to be turned on). |
| Bad File List | Maintain a list of files with errors, preventing them from being re-accessed. If set, files will not be retried. |
| User Name | User ID on the SFTP server. |
| Password | User's password on the SFTP server. |
| Private Key | Path to the private key file for public-key authentication. |
| Passphrase | Passphrase used to protect the private key. |
| Whitespace Normalization | Specifies how the parser treats whitespace in element content. Choose preserve to turn off all normalization as prescribed by the XML Specification. Choose condense to remove extra whitespace in pretty-printed documents and for compatibility with earlier versions. |
| Accepts non-XML (flat) only | If true, the listener expects flat (non-XML) input. Automatic parsing is not performed. |
| Optimize Favoring | Selecting memory is useful for large input documents. |
| Multithreading | Number of documents that can be processed in parallel. |
| Execution Time Limit | Time limit for document execution (in seconds) before cancellation is attempted. (Also see the system property "kill interval". This applies to agent stacks and sets a lower limit for process flows.) |
| Polling Interval | Interval at which to check for new input. |
| Default Java File Encoding | Default encoding if the incoming message is not self-declaring (as XML is). |
| Agent Precedence | Changes the order by which the engine selects agents. Normally Document overrides Listener. This is used to manage iWay documents. |
| Always reply to listener default | If true, the default reply definition is used in addition to defined replies. |
| Error Documents treated normally | If true, error documents are processed by any configured pre-emitters. |
| Listener is Transaction Manager | If true, agents run within a local transaction managed by the listener. |
| Record in Activity Log(s) | If set, activity on this channel is recorded in the activity logs; otherwise it is not recorded. |
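As an added example (not part of the iWay documentation or product code), the following Python sketches the file-selection rules the listener properties above describe: the Suffix In syntax ("XML,in", "-", "*", no leading '.'), the DOS-style pattern in Input Path, and the Include Hidden Files and Include Symbolic Links flags. The directory listing is constructed, and treating a blank Suffix In like "*" is an assumption not stated in the table.

```python
import posixpath
from fnmatch import fnmatchcase

# Constructed sample listing of the Input Path directory on the SFTP host:
# (file name, is hidden, is symbolic link)
SAMPLE_LISTING = [
    ("order1.XML", False, False),
    ("order2.xml", False, False),
    ("order3.in", False, False),
    ("order4.txt", False, False),
    ("README", False, False),
    (".order5.xml", True, False),   # hidden file
    ("order6.xml", False, True),    # symbolic link
    ("order1.xml.bak", False, False),
]

def parse_suffix_in(spec):
    """Turn a Suffix In value into the set of accepted lowercase extensions.
    '*' means any extension (returned as None), '-' means no extension,
    matching is case-insensitive and a leading '.' is rejected.
    A blank value is treated like '*' (assumption, not stated on the page)."""
    if spec is None or spec.strip() in ("", "*"):
        return None
    accepted = set()
    for part in spec.split(","):
        ext = part.strip().lower()
        if not ext:
            continue
        if ext.startswith("."):
            raise ValueError(f"Suffix In must not contain '.': {part!r}")
        accepted.add("" if ext == "-" else ext)
    return accepted

def extension_of(name):
    """Lowercase extension without the dot; '' when the file has none."""
    ext = posixpath.splitext(name)[1]
    return ext[1:].lower() if ext else ""

def select_input_files(listing, pattern="*", suffix_in="*",
                       include_hidden=False, include_symlinks=False):
    """Return the names the listener would pick up, in listing order."""
    accepted = parse_suffix_in(suffix_in)
    picked = []
    for name, is_hidden, is_symlink in listing:
        if is_hidden and not include_hidden:
            continue
        if is_symlink and not include_symlinks:
            continue
        # Input Path pattern: DOS-style wildcards, matched case-insensitively
        if not fnmatchcase(name.lower(), pattern.lower()):
            continue
        if accepted is not None and extension_of(name) not in accepted:
            continue
        picked.append(name)
    return picked
```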
This section describes how to configure the SFTP emitter.
The following table lists and describes the properties of the SFTP emitter.
| Property Name | Property Description |
|---|---|
| Destination | The absolute path of the file being emitted, followed by @ and the name of the SFTP server. For instance, if the file is to be emitted to the directory /home/org on the machine sftpsrv and saved as out[1..9].xml, the value of this field is /home/org/out*.xml@sftpsrv (as shown above). |
| User Name | The user name on the SFTP server that has read and write access to the directory entered in the Input Path field. |
| Password | Password for the user account to use when connecting to the protocol host. |
| Private Key | SSH private key file used for server authentication (required if the password is omitted). |
| Pass Phrase | SSH passphrase used when the private key was generated (optional). |
| Mode | Mode of file transfer: ASCII or BINARY. |
| Socket Timeout | Timeout in seconds. With this option set to a non-zero timeout, a read() call on the socket blocks for only this amount of time. If the timeout expires, a java.net.SocketTimeoutException is raised. The default timeout is operating-system dependent. |
| Move To | The directory to which the file is to be moved after it is emitted. |
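As an added example (not part of the iWay documentation or product), this Python code parses the Destination value described above (absolute path, then @, then the server name) and chooses the next free output name for a pattern containing `*`. Reading `*` as a sequence number is an assumption taken from the out*.xml / out[1..9].xml example; the list of files already on the server is constructed.

```python
import posixpath
import re

def parse_destination(value):
    """Split an SFTP Emitter Destination '<absolute path>@<server>' into
    (server, directory, file name or pattern), rejecting malformed values."""
    path, sep, server = value.rpartition("@")
    server = server.strip()
    if not sep or not server:
        raise ValueError("Destination must be <absolute path>@<server>")
    if not path.startswith("/"):
        raise ValueError("path before '@' must be absolute")
    directory, pattern = posixpath.split(path)
    if not pattern:
        raise ValueError("Destination must end in a file name or pattern")
    return server, directory, pattern

def next_output_name(pattern, existing):
    """Resolve a pattern with exactly one '*' to a concrete file name by
    inserting the lowest sequence number (from 1) not already used by a
    file in `existing`. The sequence-number reading of '*' is an
    assumption based on the page's out*.xml -> out[1..9].xml example.
    A literal file name (no '*') is returned unchanged."""
    if pattern.count("*") != 1:
        return pattern
    prefix, suffix = pattern.split("*")
    seq = re.compile(re.escape(prefix) + r"(\d+)" + re.escape(suffix) + r"\Z")
    used = {int(m.group(1)) for m in map(seq.match, existing) if m}
    n = 1
    while n in used:
        n += 1
    return f"{prefix}{n}{suffix}"

def resolve_destination(value, existing):
    """Return (server, full remote path) for the next file to be emitted."""
    server, directory, pattern = parse_destination(value)
    return server, posixpath.join(directory, next_output_name(pattern, existing))
```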
The File1 channel processes this message and drops the file out1.xml onto the directory on the SFTP server machine, which is /home/org as per the configuration settings in How to Test an SFTP Emitter Test Channel.
This section describes how to configure the SFTP agents.
The following table lists and describes the properties of the SFTP agents.
| Property Name | Property Description |
|---|---|
| File Name Tag * | Name of the tag in the input document in which to find the file name. |
| Enclose Tag | The name of the tag in which to enclose the data read. If omitted, no entagging is done. If used, the output is XML. |
| Base Path | Optional directory to be used if the incoming name is not absolute. |
| Input Data Format | Format of the input data; the default is flat. |
| Transfer Type | For non-XML, this parameter sets the transfer type. |
| Host Name | The name of the SFTP server to connect to. |
| Remote Port | Port to connect to on the SFTP site; leave blank for the default port 22. |
| User Name | The user name on the SFTP server through which files are emitted. |
| Password | Password for the user account to use when connecting to the protocol host. |
| Private Key | SSH private key file used for server authentication (required if the password is omitted). |
| Pass Phrase | SSH passphrase used when the private key was generated (optional). |
| Encoding | Character set encoding to be applied to the input. |
| Delete After Read | Flag indicating whether to delete the file after it is read. |
The test case is similar to the SFTP emitter in section 6. However, in this case an agent is used to emit the file to the SFTP server using a private key file. An SFTPEmitAgent is used instead of an SFTPEmitter when a process flow that performs a sequence of tasks (for a business process) is needed and statuses have to be evaluated.
The properties are explained in the section Configuring the SFTP Emitter.
As shown in the above example, the value of Host Name can be edasol29 and the User Name can be edasxr, where edasxr has write access to the Remote Site Folder directory. Also, the Private Key file can point to the id_dsa private key file on the iWay server. Enter the values of the fields as shown above.
The File1 channel processes this message and drops the file out1.xml onto the directory on the SFTP server referred to by the attribute Remote Site Folder on the sftpservice object in the pflow.
The SFTP Read agent is used to read files from an SFTP server (drive on Unix or Windows). It can also be used in tandem with a file listener to embed file contents (the file picked up by the listener) into the XML file read from the SFTP drive by specifying the tag.
The properties are explained under Configuring the SFTP Agents.
<test>c:\test\a.txt </test>
This is a sftp readagent test
<testout> This is a sftp readagent test </testout>
The SFTPOps (SFTP operations) agent emits over the SSH protocol to a given host<:port> using various common SFTP commands. It can be used to perform operations such as Copy, Prepend, Append, Size, Move and so on.
The From file test.txt is:
This an SFTPServer test
The To file out6.txt is:
<parent><test1>Soumya</test1></parent>
The To file out6.txt's content is modified to:
This an SFTPServer test
Set the properties as shown below:
This an SFTPServer test
The From File test.txt is renamed to testmove.txt.
Set the properties as shown below.
The From file /users/edasxr/testdir/out6.txt is:
this is a test
The To file /users/edasxr/testdir/testmove.txt is:
for sftpops agent
The To file testmove.txt's content is modified to:
this is a testfor sftpops agent
Set the properties as shown below.
The From file /users/edasxr/testdir/out6.txt is:
this is a test
The To file /users/edasxr/testdir/testmove.txt is:
for sftpops agent
The To file testmove.txt's content is modified to:
this is a testfor sftpops agent
Set the properties as shown below:
The From file /users/edasxr/testdir/out6.txt is deleted.
Set the properties as shown below:
This an SFTPServer test
The From File test.txt is renamed to testmove.txt.
Set the properties as shown below:
Below are steps on how to install an openSSH server in Windows:
Note: No configuration is required during installation.
Below are steps on how to configure an openSSH server in Windows:
For both domain and local, it is best to run the command twice (remember to use >>, not >). If you use both, make sure to edit the file to remove any duplicate entries.
mkgroup -l >> ..\etc\group (local groups)
mkgroup -d >> ..\etc\group (domain groups)
For both domain and local, it is best to run the command twice (remember to use >>, not >). If you use both, make sure to edit the file to remove any duplicate entries.
mkpasswd -l [-u <username>] >> ..\etc\passwd (local users)
mkpasswd -d [-u <username>] >> ..\etc\passwd (domain users)
net start opensshd
Note: The major rule in using this utility is to only allow trusted users to have login permissions. The cygwin port of OpenSSH uses the full OpenSSH source code and the security of the program is not diluted.
Check the permissions on your ~/.ssh folder and, if they are wrong, correct them with
chmod 700 .ssh
ssh-keygen -t dsa
or rsa. Read the man pages if you don't know how to use ssh-keygen.
mv id_dsa.pub authorized_keys
The generated private key, id_dsa, can be used to log in to the OpenSSH server without a password.
privatekey.ppk
In the passwd file, you will notice that the home directory of the user is set as /home/username, with username being the name of the account. In the default install, the /home directory is set to the default profile directory for all users. This is usually C:\Documents and Settings on Windows 2000 and XP, and C:\WINNT\Profiles on Windows NT 4.0. The location of /home can be edited to fit your special requirements by editing a registry key.
To change the Windows directory that /home corresponds to, edit the registry entry under HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2\/home. The value named native is the directory that /home maps to. If you want all your users to land in a directory on your machine called F:\Users, change native to F:\Users. By default, each user is then placed in the directory F:\Users\username, where username is the name of the user account. To place the user directly under F:\Users, change the home directory in passwd to /home.
The OpenSSH server listens for traffic on TCP port 22 by default. If your firewall setup does not allow connections on this port, it can be changed by editing the etc/sshd_config file.
Note: For additional troubleshooting and OPENSSH advanced configuration, refer to readme.txt under C:\Program files\OpenSSH\docs