SFTP (embedded) server fields

After you add an SFTP embedded trading or application exchange, an embedded SFTP server page is displayed in the UI for modifying the server settings.

To change SFTP embedded server settings:

  • Select System management > Manage embedded servers to open the Embedded servers page.
  • From the list of embedded servers click the name of an SFTP server to open the Change this embedded transport server page.
  • Using the tabs and fields described below, modify the settings.
  • Click Save changes.

The following are the maintenance fields for an embedded SFTP server that has been added to a community.

Settings tab

  • Server name – A name you give the transport server to distinguish it from other embedded servers. This field gets its initial value when you type it in the exchange wizard.
  • Port – The port on which Activator listens for connection requests to this server.

Select the authentication method:

  • This server requires the SFTP client to authenticate using a password – Requires the partner to use a password to connect to the embedded server. The password is the one assigned to the SFTP user associated with the delivery that uses this server. If not selected, the partner optionally can submit a password, but is not required to do so.
  • This server requires the SFTP client to authenticate using a public/private key pair – Requires the partner to use a private key to encrypt an authentication message and pass it to the server to decrypt with the matching public key. This process enables the server to verify the identity of the partner. If not selected, the partner optionally can submit an encrypted authentication message, but is not required to do so.
  • This server requires the SFTP client to authenticate using both a password and a public/private key pair – Requires the partner to provide both of the above authentication methods.
  • This server allows the SFTP client to authenticate using either a password or a public/private key pair – Requires the partner to provide either of the authentication methods.
  • External host or IP address – The fully-qualified domain name or IP address that a community’s partners must use to connect to this embedded server. Activator supplies a value based on the name of the host computer. In many cases you must change this to the external name used by your network firewall or load balancer. Contact your network administrator if you need help with this field.
  • External port – The port number that a community’s partners must use to connect to this embedded server. Contact your network administrator if you need help with this field.

Advanced tab

  • Maximum concurrent connections – (Default = 500) The maximum number of concurrent connections that can be accepted by the embedded server from a trading partner or back-end application.
  • For example, if the value is 100 connections and there are 150 messages to exchange, Activator opens only 100 connections from the connecting partner or back-end application. The remaining 50 messages must wait until connections become available.
  • If you are operating in a cluster environment, this is the total number across the entire cluster, regardless of how many nodes are running.
  • Maximum authentications – The number of failed authentication attempts the server allows before disconnecting the trading partner or back-end application.
  • Session timeout (seconds) – The number of seconds the server waits before disconnecting an inactive logged-on user.
  • Server’s current DSA public key – The designated DSA public key the embedded server passes to the remote partner’s SFTP client. If the client trusts the key, the message exchange can proceed.
  • Activator keeps the corresponding private key in this directory: <Activator_common_directory>\conf\keys. The private key is not displayed in the user interface.
  • The public key is passed to the partner’s external client when the client connects. The public key assures the client that it is connecting to a trusted server. However, if a DSA key is not specified, the server instead sends the current RSA or ECDSA public key to the client.
  • The current public key is included in the community profile when it is exported as a partner profile for the partner to import on its instance of Activator. The current key displays in the user interface for the delivery settings within the partner. However, if the partner uses a client other than Activator, the key is passed to the client when the client connects to the server.
  • When the community is exported to a backup file, all keys are exported to the file.
  • Change the DSA SSH keys – Select this option to change the current DSA public key for this embedded server. Select one of the following options and click Save changes. If you change the key after you have exported your community profile as a partner profile, export the profile again and give the file to your partner to import to its instance of Activator.
    • Use default key – Select to use the default DSA public key. The length of this key is 1024. The default public key is generated when the first SFTP delivery for receiving messages from partners via an embedded server is added to a community. Unless otherwise specified, all SFTP exchange points for all embedded SFTP servers use the same default key.
    • If you select another key option and later elect to go back to the default key, the same default key that was first generated becomes the current key again.
    • Do not use a key – Select this if you do not want to specify a DSA public key for this embedded server. If you do, the current RSA or ECDSA public key is used instead. Either a DSA, RSA or ECDSA public key must be specified as a current key. Public keys cannot be disabled at the same time.
    • Generate a key – Select this to have Activator generate a new public-private key pair and designate the public key as the current DSA public key for this embedded server. Select a key length before clicking Save changes to generate the key.
    • The server is off line while the key is being generated, but restarts once the key has been added. Depending on the key size, it may take several minutes to generate.
    • Import a private key – Select this and click Browse to import a private key you have generated. You must use a tool such as PuTTY-Gen to generate the public-private key pair. You cannot use Activator to generate the key. Import only the private key. Activator generates the corresponding public key and makes it the current key for this embedded server.
  • Server’s current RSA public key – This is the designated RSA public key the embedded server passes to the remote partner’s SFTP client. If the client trusts the key, the message exchange can proceed.
  • Change the RSA SSH keys – Select this option to change the current RSA public key for this embedded server. Select one of the following options and click Save changes. If you change the key after you have exported your community profile as a partner profile, export the profile again and give the file to your partner to import to its instance of Activator.
    • Use default key – Select to use the default RSA public key. The length of this key is 2048. The default public key is generated when the first SFTP delivery for receiving messages from partners via an embedded server is added to a community. Unless otherwise specified, all SFTP exchange points for all embedded SFTP servers use the same default key.
    • If you select another key option and later elect to go back to the default key, the same default key that was first generated becomes the current key again.
    • Do not use a key – Select this option if you do not want to specify an RSA public key. If you do, the current DSA or ECDSA public key is used. Either a DSA, RSA or ECDSA public key must be specified as a current key. Public keys cannot be disabled at the same time.
    • Generate a key – Select this option to have Activator generate a new public-private key pair and designate the public key as the current RSA public key. Select a key length before clicking Save changes to generate the key. The server is off line while the key is being generated, but restarts once the key has been added. Depending on the key size, it may take several minutes to generate.
    • Import a private key – Select this option and click Browse to import a private key you have generated. You must use a tool such as PuTTY-Gen to generate the public-private key pair. You cannot use Activator to generate the key. Import only the private key. Activator generates the corresponding public key and makes it the current key for this embedded server.
  • Server’s current ECDSA public key – This is the designated ECDSA public key the embedded server passes to the remote partner’s SFTP client. If the client trusts the key, the message exchange can proceed. Activator keeps the corresponding private key in this directory: <Activator_common_directory>\conf\keys. The private key is not displayed in the user interface.
  • The public key is passed to the partner’s external client when the client connects. The public key assures the client that it is connecting to a trusted server. However, if an ECDSA key is not specified, the server instead sends the current DSA or RSA public key to the client.
  • The current public key, whether RSA, DSA or ECDSA, is included in the community profile when it is exported as a partner profile for the partner to import on its instance of Activator. The current key displays in the user interface for the delivery settings within the partner. However, if the partner uses a client other than Activator, the key is passed to the client when the client connects to the server. When the community is exported to a backup file, all keys are exported to the file.
  • Change the ECDSA SSH keys – Select this option to change the current ECDSA public key for this embedded server. Select one of the following options and click Save changes. If you change the key after you have exported your community profile as a partner profile, export the profile again and give the file to your partner to import to its instance of Activator.
    • Use default key – Select to use the default ECDSA public key. The default public key is generated when the first SFTP delivery for receiving messages from partners via an embedded server is added to a community. Unless otherwise specified, all SFTP exchange points for all embedded SFTP servers use the same default key.
    • If you select another key option and later elect to go back to the default key, the same default key that was first generated becomes the current key again.
    • Do not use a key – Select this option if you do not want to specify an ECDSA public key. If you do, the current ECDSA public key is used, which is the default behavior anyway. A public key must be specified as a current key. The public keys cannot be disabled at the same time.
    • Generate a key – Select this option to have Activator generate a new public-private key pair and designate the public key as the current ECDSA public key. Select a key length before clicking Save changes to generate the key. Supported curves are P256, P384 and P521. The server is off line while the key is being generated, but restarts once the key has been added. Depending on the key size, it may take several minutes to generate.
    • Import a private key – Select this option and click Browse to import a private key you have generated. You must use a tool such as PuTTY-Gen to generate the public-private key pair. You cannot use Activator to generate the key. Import only the private key. Activator generates the corresponding public key and makes it the current key for this embedded server.
  • Allow uploads on configured delivery exchanges – Select this option to allow documents to be uploaded to application deliveries or partner deliveries. By default, document uploads are not allowed for deliveries. This setting does not impact pickups.
  • Override HMAC algorithms – Select this option to restrict the server HMAC algorithms to preferred (secure) ones. If not selected, all of the listed HMAC algorithms are supported by default. The default is less secure; therefore, use the Add and Remove buttons to specify only the algorithms that should be available.
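
A partner or administrator can check which host key an embedded server presents, its type and length, and the fingerprint to compare against the exported profile by parsing key lines in the format ssh-keyscan prints. This is an added example, not Activator code; the host name, the constructed sample blobs and the weak-key policy are assumptions.

```python
import base64, hashlib, struct

def read_string(blob, off):
    """Read one SSH wire string (uint32 length, then bytes); return (data, next offset)."""
    (n,) = struct.unpack_from(">I", blob, off)
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n

def audit_host_key(line):
    """Audit one 'host keytype base64' line in the format ssh-keyscan prints."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    name, off = read_string(blob, 0)
    if name.decode() != keytype:
        raise ValueError("key type label does not match the key blob")
    first, off = read_string(blob, off)  # RSA: e, DSA: p, ECDSA: curve name
    if keytype == "ssh-rsa":
        modulus, _ = read_string(blob, off)
        bits = int.from_bytes(modulus, "big").bit_length()
    elif keytype == "ssh-dss":
        bits = int.from_bytes(first, "big").bit_length()
    elif keytype.startswith("ecdsa-sha2-"):
        bits = {"nistp256": 256, "nistp384": 384, "nistp521": 521}[first.decode()]
    else:
        raise ValueError("unsupported key type: " + keytype)
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    # Assumed local policy (not from the product): any DSA key, or RSA under 2048 bits, is weak.
    weak = keytype == "ssh-dss" or (keytype == "ssh-rsa" and bits < 2048)
    return {"host": host, "type": keytype, "bits": bits,
            "fingerprint": "SHA256:" + fp, "weak": weak}

# Constructed sample blobs: structurally valid, but the numbers are not real keys.
def _s(b):
    return struct.pack(">I", len(b)) + b

def _mp(i):
    return _s(i.to_bytes(i.bit_length() // 8 + 1, "big"))  # leading zero byte keeps it positive

def sample_lines(host="sftp.example.com"):
    dsa = _s(b"ssh-dss") + _mp((1 << 1023) | 1) + _mp((1 << 159) | 1) + _mp(2) + _mp(3)
    rsa = _s(b"ssh-rsa") + _mp(65537) + _mp((1 << 2047) | 1)
    ec = _s(b"ecdsa-sha2-nistp256") + _s(b"nistp256") + _s(b"\x04" + bytes(64))
    kinds = [("ssh-dss", dsa), ("ssh-rsa", rsa), ("ecdsa-sha2-nistp256", ec)]
    return [f"{host} {t} {base64.b64encode(b).decode()}" for t, b in kinds]

if __name__ == "__main__":
    for line in sample_lines():
        r = audit_host_key(line)
        print(r["type"], r["bits"], r["fingerprint"], "WEAK" if r["weak"] else "ok")
```

The fingerprint string has the same SHA256 form that OpenSSH clients display, so it can be compared with the value a partner sees on first connection.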

Home directories tab

Use the Home directories tab to force messages to be directed to a single directory. Specifying home directories is optional.

Home directories are used by FTP and SFTP embedded servers to direct messages to a single sub-directory for a transport user. For example, a community has three deliveries for receiving messages from partners. All exchanges use the same embedded server and the same user to connect to the server. The user sub-directories for each exchange are different. The subdirectories are:

Exchange point | User | User sub-directory
No packaging | foo | foo\NoPackaging
