SFTP (external) transport configuration

You can use Secure FTP (SFTP) as a trading partner or application transport. This topic describes configuring an external SFTP server. For an embedded SFTP server, see .

To enable partners to send messages to your SFTP server, first set up the account, user ID and password for the SFTP server where Activator retrieves files. Any partner who intends to receive messages from you by SFTP also must also perform this step.

SFTP is similar to FTP, but performs all operations over an encrypted Secure Shell (SSH) transport. SFTP and FTP/SSL (or FTPS) are different transports. An SFTP server can communicate only with other SFTP servers, not FTP servers.

Activator supports limited SFTP functionality as the following notes:

  • Only supports SSH 2.0.
  • Checkpoint-restart functionality is not supported.
  • User commands and scripting (as supported for FTP) are not supported for SFTP.

This transport has been tested only with the OpenSSH sftp‑server.

For more information about SSH see:

SFTP fields

The following fields are used in the delivery exchange wizard for configuring this transport.

  • SFTP server – The name of the SFTP server.
  • Port – The port on which the server listens for incoming connections. The default is 22.
  • Pickup directory – Type the path of the directory on your server where messages are picked up. When Activator polls the server for files, it only looks in the pickup directory, not an inbox directory.
  • Use temporary files to avoid read/write collisions – We recommend using this option to prevent Activator from attempting to retrieve partially written files. When this is selected, you must select one of the two following options.
    • Use separate directory for temporary files – Type the full path of an inbox directory (for example, c:\data\inbox). Files are uploaded to this directory. When fully written, files are moved to the pickup directory for retrieval.
    • Do not put the inbox under the pickup directory unless you use a period at the beginning of the inbox name. Activator and other applications ignore directories and files that begin with periods.
    • For example, do not use the following directory structure:

      c:\data\pickup\inbox

    • But you can use the following because a period is the first character of the inbox directory name:

      c:\data\pickup\.inbox

    • When receiving files from a partner, we recommend that your partner write files to the inbox directory first and then move them to the pickup directory when they are ready to be retrieved. This process is automatic if your partner also uses Activator. If the partner uses other software to upload files to your server, the software should be configured to initially upload the files to the inbox directory and move them to the pickup directory when they are ready to be retrieved.
    • For sending to a backend application, the back-end system must write the message to the inbox and then move it to the pickup directory.
    • For consuming from a backend application and sending outbound to partners, Activator writes to the inbox and then moves the message to the pickup directory.
    • Use special extension in pickup directory for temporary files – If you prefer not to use an inbox, select this option. While a file is being written to the pickup directory, a temporary extension is added so the system knows not to retrieve it because the file is only partially written. Once fully written, the temporary extension goes away and the file can be retrieved.
  • Server’s public key – You have two options for designating the RSA or DSA public key for the SFTP server. Activator uses the key to authenticate the server.
    • Retrieve public key from server – Click Get Key to have Activator retrieve the public key for the SFTP server. The server name and port number entered on this page must be correct for this option to work.
    • Server public key file – Type the path to the file containing the public key for the SFTP server or click Browse to locate the file. You may have to ask the server administrator for the file path.
  • Use password authentication – Password authentication requires entering the user name and password for connecting to the server. The user name and password are sent over an encrypted connection to authenticate the user to the server. Although this option offers ease of administration, the password is vulnerable because it is sent every time a connection is made. The password could be compromised if the server is ever compromised.
  • For more information see Public-private key and password authentication.
  • Use public/private key pair authentication – Public-private key pair authentication requires entering the user name of the server here.
  • If this exchange is for a community, add the private key to the community. If this exchange is for a partner, add the public key to any community that will be trading with the partner.
  • To add a key, click Certificates in the navigation graphic at the top of the community summary page. Select the SSH keys tab. Click Add an SSH key, follow the prompts and click Add. Select the key as the default SSH key after it has been added.
  • For more information see Public-private key and password authentication.
  • Use host-based authentication – Select this option if this delivery binds outbound messages to a server that requires host-based authentication. You can use host-based authentication with a Linux SFTP server. Before you activate this option you must complete the steps listed below. If you have started creating an external SFTP pickup or delivery, cancel the wizard and complete the prerequisites first.
    • On the server:
      1. Copy the public key file to the following directory:
        /home/user/.ssh/
      2. Append the public key file contents to authorized_keys:
        /home/users/.ssh/key1.pub >> /home/user/.ssh/authorized_keys
      3. Append the public key to the /etc/ssh/ssh_known_hosts file. Edit to add hostname:
        cat /home/user/.ssh/sshkey1_linux36.pub >> /etc/ssh/ssh_known_hosts
      4. Add the client's hostname to the following file:
        /etc/ssh/shosts.equiv
      5. Ensure the /etc/ssh/sshd_config file contains the following line:
        HostbasedAuthentication yes
    • On the client:
      1. Copy the corresponding private key file to a directory.
      2. In Axway Activator, create a new pickup/delivery using an external SFTP server. When prompted to Configure the SFTP settings, after you complete the initial fields, select Use host-based authentication. Enter the User Name and browse to the private key file. If a Key password is required, enter it.

Troubleshooting SFTP

For troubleshooting, you can write messages specific to the SFTP transport to the Activator server log file. You can add the following properties to the log4j2.xml file at <install directory>\Activator\conf.

  • For messages related to high-level operation of the SFTP client, this property in debug mode is useful for finding common SFTP problems.
  • log4j.category.com.cyclonecommerce.tradingengine.transport.sftp.SimpleDebug=debug
  • For messages related to low-level operation of the SFTP client, this property in debug mode produces verbose messages. (Try the simple debug property before using this one.)
  • log4j.category.com.cyclonecommerce.tradingengine.transport.sftp=debug

Related topics:

Related Links