SSH transfer sites

Note SSH keys generated with DSA and RSA can be used to authenticate SSH transfer sites.

By default, a server-initiated transfer using SSH and a pattern with a wildcard character does not create an extra empty file. To allow a temporary zero-byte file to be created, set the ZeroByteWildcardPullAllowed server configuration parameter to true.

SSH Transfer Site options

Configuring an SSH protocol transfer site consists of making selections and completing fields in the following groups:

Site settings

The following table describes the site settings options for an SSH protocol transfer site.

Field Description
Site Settings
Server The host name or IP address of the remote server to connect to for file transfers. You cannot enter spaces-only values in this field. For more information, see Spaces in required fields.
Port The port on the remote server to be used for file transfers. You cannot enter spaces-only values in this field. For more information, see Spaces in required fields.
Alternative addresses

This set of options allows you to add, delete and set a priority order for alternative endpoints. These endpoints act as backups to the configured Server and Port site settings and are used when a transfer fails. Specifying alternative endpoints as backup servers provides a way to temporarily reroute pending transfers and reduce the risk of transfer failure. As with the Server and Port site settings, the connection to each alternative endpoint is defined by its host name (or IP address) and port number.

  • To add an alternative server endpoint, click New Address. The Alternative Addresses table expands with a new row that allows you to enter a host name (or IP address) and a port number and save these changes.
  • To delete an alternative server endpoint, select the corresponding check box on the same row and click Delete.
  • To reorder the list of alternative endpoints, click Reorder. An up/down arrow control appears next to each entry. When you hover over this control, the mouse pointer changes to the four-directional "move" shape, which indicates which alternative endpoint has focus. Drag and drop the entry to the position you want. Repeat this for other alternative endpoints until the list is in the order you need, then click Save Order to keep the new order.
Note The visibility of this option is controlled by the TransferSite.AlternativeAddresses.retryPolicy configuration option. It lets you set a retry policy over the list of alternative endpoints (host name or IP address and port pairs) that you define on this screen. Before you can do so, go to Operations > Server Configuration and set the policy type to one of the following values:
  • AllHostsOnEachRetry – with this policy SecureTransport iterates through the endpoints one by one, starting with the first in the list. If the connection is not successful, SecureTransport continues trying each endpoint in turn until the maximum number of retries is reached. You can set the maximum retry value by editing the EventQueue.maxRetryCount configuration option.
  • OneHostOnEachRetry – with this policy SecureTransport tries to connect to the first endpoint in the list. If the connection is not successful, SecureTransport continues trying that endpoint until the maximum number of retries is reached, and then moves to the next one in the list. Following the same pattern, SecureTransport tries each endpoint until a connection succeeds or the end of the list is reached. You can set the maximum retry value by editing the EventQueue.maxRetryCount configuration option.
  • Disabled (default) – the table of endpoints is hidden from view entirely.
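As an added illustration (not SecureTransport code), the following Python simulates the order of connection attempts that each retry policy produces for a constructed endpoint list. The documentation does not spell out the exact counting, so the code assumes that the first attempt always goes to the configured Server and Port pair, that EventQueue.maxRetryCount counts the retries made after that first attempt, and that under OneHostOnEachRetry the count applies to each endpoint separately.

```python
"""Added example (not SecureTransport code): simulate the attempt sequence
produced by the TransferSite.AlternativeAddresses.retryPolicy values."""

from typing import List, Optional, Set, Tuple

Endpoint = Tuple[str, int]

# Constructed values (not real hosts): the Server/Port site settings and the
# Alternative Addresses table in its saved priority order.
PRIMARY: Endpoint = ("sftp.partner.example", 22)
ALTERNATIVES: List[Endpoint] = [
    ("sftp-alt1.partner.example", 22),
    ("sftp-alt2.partner.example", 2222),
]


def attempt_order(policy: str, primary: Endpoint,
                  alternatives: List[Endpoint], max_retry_count: int) -> List[Endpoint]:
    """Return the endpoints in the order they would be tried.

    Assumption: the first attempt is always the primary Server/Port pair and
    max_retry_count is the number of retries that follow it.
    """
    attempts = [primary]
    if policy == "Disabled" or not alternatives:
        # Table hidden (or empty): every retry goes back to the primary server.
        attempts.extend([primary] * max_retry_count)
    elif policy == "AllHostsOnEachRetry":
        # Round-robin through the list; the retry budget is shared by all hosts.
        attempts.extend(alternatives[i % len(alternatives)] for i in range(max_retry_count))
    elif policy == "OneHostOnEachRetry":
        # Exhaust the retry budget on one host before moving to the next one.
        for endpoint in alternatives:
            attempts.extend([endpoint] * max_retry_count)
    else:
        raise ValueError(f"unknown retryPolicy value: {policy}")
    return attempts


def simulate(policy: str, primary: Endpoint, alternatives: List[Endpoint],
             max_retry_count: int, reachable: Set[Endpoint]) -> Optional[Tuple[Endpoint, int]]:
    """Walk the attempt order until an endpoint in `reachable` answers.

    Returns (endpoint, attempt number) on success, or None when every attempt
    in the sequence fails (the transfer would be marked as failed).
    """
    for number, endpoint in enumerate(attempt_order(policy, primary, alternatives, max_retry_count), 1):
        if endpoint in reachable:
            return endpoint, number
    return None


if __name__ == "__main__":
    # Only the second alternative is reachable in this constructed scenario.
    for policy in ("Disabled", "AllHostsOnEachRetry", "OneHostOnEachRetry"):
        print(policy, simulate(policy, PRIMARY, ALTERNATIVES, 3, {ALTERNATIVES[1]}))
```

With a retry count of 3 and only the second alternative reachable, AllHostsOnEachRetry reaches it on the third attempt, OneHostOnEachRetry only on the fifth (after spending three retries on the first alternative), and Disabled never does, which is the practical difference to weigh when choosing the policy.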
Network Zone

The network zone that defines the proxies to use for transfers through this site.

  • Select none to connect directly to the remote SSH server.
  • Select any to allow SecureTransport to select the proxy connection using a network zone that enables a SOCKS5 proxy.
  • Select Default to use the default network zone proxy configuration. If no default network zone is defined, transfers from this transfer site fail.
  • Select a specific network zone to use the proxy configuration defined for that zone.

For more information, see Specify TM Server communication ports and IP address for protocol servers on SecureTransport Edge.

Download Folder

The folder on the remote server from which the files are transferred.

Select download folder Advanced Expression to use expression language to evaluate the download folder.

To use the expression language to append dates:

The download folder is evaluated using the current date at the time the transfer site is executed, for example folder_20150130.

Example:

folder_${date("yyyyMMdd")}

Download Pattern Type Select one of two types: Regular Expression or File Globbing. For regular expression syntax, see Regular expressions. File globbing uses simple wildcards to specify a pattern. A question mark (?) matches any one character. An asterisk (*) matches any number of characters.
Download Pattern

The pattern used to match file names to determine whether a file is downloaded.

Select download pattern Advanced Expression to use expression language to evaluate the download pattern.

With the File Globbing pattern type selected:

The download pattern is evaluated using the current date at the time the transfer site is executed, for example *_20150130.txt. This matches all files ending with _20150130.txt.

Example:

*_${date("yyyyMMdd")}.txt

With the Regular Expression pattern type selected:

The download pattern is evaluated using the current date at the time the transfer site is executed, for example [a-z]*_20150130.txt. This matches all files starting with any combination of letters from a to z and ending with _20150130.txt.

Example:

[a-z]*_${date("yyyyMMdd")}.txt
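The following Python is an added example, not SecureTransport code, that shows what the download folder and download pattern expressions above evaluate to and which file names each pattern type then selects. It assumes only the yyyy, MM and dd tokens of the Java-style date pattern are needed (the product's expression language supports more) and uses constructed file names as input.

```python
"""Added example (not SecureTransport code): evaluate ${date("...")} inside a
download folder or pattern, then match names as File Globbing or Regular Expression."""

import fnmatch
import re
from datetime import date
from typing import List

# Assumption: only these Java-style tokens are needed for the page's examples.
_JAVA_TO_STRFTIME = {"yyyy": "%Y", "MM": "%m", "dd": "%d"}

# Matches the ${date("<pattern>")} call used in the examples on the page.
_DATE_CALL = re.compile(r'\$\{date\("([^"]+)"\)\}')

# Constructed inputs: the date the transfer site runs and a remote listing.
RUN_DATE = date(2015, 1, 30)
SAMPLE_NAMES = [
    "report_20150130.txt",
    "report_20150129.txt",
    "abc_20150130.txt",
    "ABC_20150130.txt",
    "abc_20150130_txt",      # no real extension; an unescaped '.' still matches it
    "x_20150130.txt.bak",
]


def java_date_format(pattern: str, when: date) -> str:
    """Format `when` with a Java-style pattern such as yyyyMMdd."""
    out = pattern
    for token, strf in _JAVA_TO_STRFTIME.items():
        out = out.replace(token, when.strftime(strf))
    return out


def evaluate(expression: str, when: date) -> str:
    """Replace every ${date("...")} call with the formatted run date."""
    return _DATE_CALL.sub(lambda m: java_date_format(m.group(1), when), expression)


def matching_files(pattern: str, pattern_type: str, names: List[str], when: date) -> List[str]:
    """Return the names the evaluated pattern would select for download."""
    evaluated = evaluate(pattern, when)
    if pattern_type == "File Globbing":
        # '?' matches exactly one character and '*' any run of characters.
        return [n for n in names if fnmatch.fnmatchcase(n, evaluated)]
    if pattern_type == "Regular Expression":
        # The whole file name must match, so a stray prefix or suffix is rejected.
        regex = re.compile(evaluated)
        return [n for n in names if regex.fullmatch(n)]
    raise ValueError(f"unknown pattern type: {pattern_type}")


if __name__ == "__main__":
    print(evaluate('folder_${date("yyyyMMdd")}', RUN_DATE))
    print(matching_files('*_${date("yyyyMMdd")}.txt', "File Globbing", SAMPLE_NAMES, RUN_DATE))
    print(matching_files('[a-z]*_${date("yyyyMMdd")}.txt', "Regular Expression", SAMPLE_NAMES, RUN_DATE))
    print(matching_files(r'[a-z]*_${date("yyyyMMdd")}\.txt', "Regular Expression", SAMPLE_NAMES, RUN_DATE))
```

One point the listing makes visible: in a regular expression the dot in .txt matches any character, so abc_20150130_txt is selected too; escaping it as \.txt restricts the match to the real extension, which matters when the pull is meant to fetch only a specific set of partner files.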

Allow Overwrite Taken into account when the site is used by a Send To Partner step. If checked, the value of Upload Folder is overwritten with the value of Overwrite upload folder. For more details, see Advanced Routing.
Upload Folder The folder on the remote server to which files are transferred.
Upload Permissions Sets permission of the remote file during SFTP push.

Transfer settings

The following table describes the transfer settings options for an SSH protocol transfer site.

Field Description
Transfer Settings
Transfer Mode Specify whether data is transferred as ASCII or binary. You can also choose to have SecureTransport automatically determine the correct transfer mode. For more information about automatically determining transfer mode, see Client-initiated and server-initiated transfers.
Verify Fingerprint for this Site Select this check box to require SecureTransport to verify the fingerprint for the SSH key against the value you specify below. If the values do not match, the connection is refused.
Fingerprint

The value against which you want to verify the fingerprint from the remote server.

If the partner SSH server has both DSA and RSA keys configured, the fingerprint that SecureTransport must verify for a server-initiated transfer depends on FIPS transfer mode. With FIPS transfer mode enabled, enter the fingerprint for the DSA key. With FIPS transfer mode disabled, enter the fingerprint for the RSA key.

Note The fingerprint value must start with the hashing algorithm name, in the following format: <hashing_algorithm>:<certificate_ssh_fingerprint_hash>

Examples:

  • MD5:2d:d2:3d:32:d2:24:f2:2s:1a:2s:1a:23:af:e1:4s:3f
  • SHA-1:43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8
  • SHA-256:12:5a:32:a1:5b:fc:8b:b7:00:a4:a9:b1:f0:88:73:c9
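To show how a value in that format is produced and checked, here is an added Python example (not SecureTransport code). It builds an ssh-rsa host key blob in SSH wire format from constructed numbers that are not a real key, hashes it with the algorithm named in the pinned value, renders the colon-separated hex form used on this page, and compares the presented key against the pinned fingerprint in constant time. The key material and host names are assumptions for illustration only.

```python
"""Added example (not SecureTransport code): SSH host-key fingerprints in the
<hashing_algorithm>:<colon-hex> form and a pinned-fingerprint check."""

import hashlib
import hmac
import struct
from typing import Tuple

# Algorithm names exactly as written in the configured value.
_ALGORITHMS = {"MD5": hashlib.md5, "SHA-1": hashlib.sha1, "SHA-256": hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """Encode a non-negative SSH mpint (minimal big-endian, 0x00 pad if high bit set)."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_host_key_blob(e: int, n: int) -> bytes:
    """Build the ssh-rsa public key blob (RFC 4253 section 6.6) that gets hashed."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


# Constructed, deliberately tiny numbers so the example is self-contained;
# this is NOT a usable RSA key.
CONSTRUCTED_BLOB = rsa_host_key_blob(65537, 0xD1F7A9C3E5B24F6081A3C7E9F1B5D3A7)


def fingerprint(blob: bytes, algorithm: str) -> str:
    """Return e.g. 'SHA-256:12:5a:...' for a key blob."""
    digest = _ALGORITHMS[algorithm](blob).hexdigest()
    return algorithm + ":" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_pinned(value: str) -> Tuple[str, str]:
    """Split a configured 'ALG:aa:bb:...' value into (algorithm, bare hex)."""
    algorithm, _, rest = value.partition(":")
    if algorithm not in _ALGORITHMS:
        raise ValueError("fingerprint must start with MD5:, SHA-1: or SHA-256:")
    return algorithm, rest.replace(":", "").lower()


def verify_fingerprint(blob: bytes, pinned: str) -> bool:
    """Hash the presented key with the pinned algorithm and compare in constant time.

    A mismatch is the signal that the remote host key changed (or that the
    connection was intercepted), which is why the site refuses the connection.
    """
    algorithm, expected = parse_pinned(pinned)
    actual = _ALGORITHMS[algorithm](blob).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    for alg in ("MD5", "SHA-1", "SHA-256"):
        print(fingerprint(CONSTRUCTED_BLOB, alg))
    pinned = fingerprint(CONSTRUCTED_BLOB, "SHA-256")
    print("presented key verified:", verify_fingerprint(CONSTRUCTED_BLOB, pinned))
    print("altered key verified:", verify_fingerprint(CONSTRUCTED_BLOB + b"\x00", pinned))
```

When obtaining the value to pin from a partner's published host key, note that OpenSSH's ssh-keygen -l prints SHA-256 fingerprints base64-encoded by default and colon-separated hex only for MD5 (ssh-keygen -l -E md5 -f key.pub); the value entered here must use the colon-separated hex form for every algorithm, which the fingerprint() function above produces.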
Enable FIPS Transfer Mode

Restrict SSH to use only FIPS 140-2 Level 1 certified cryptographic libraries.

When you enable FIPS transfer mode, the panel expands with the following fields that let you specify the desired set of SSH ciphers and algorithms for server-initiated transfers through this site:

  • FIPS cipher suites – allowed ciphers for server-initiated transfers through this site in FIPS mode. By default, this set is populated with the cipher suites as defined in the Ssh.FIPS.SIT.Ciphers configuration option.
  • FIPS allowed macs – allowed MAC algorithms for server-initiated transfers through this site in FIPS mode. By default, this set is populated with the MAC algorithms as defined in the Ssh.FIPS.SIT.AllowedMacs configuration option.
  • FIPS key exchange algorithms – allowed KEX algorithms for server-initiated transfers through this site in FIPS mode. By default, this set is populated with the KEX algorithms as defined in the Ssh.FIPS.SIT.KeyExchangeAlgorithms configuration option.
  • FIPS public keys – allowed public keys for server-initiated transfers through this site in FIPS mode. By default, this set is populated with the public keys as defined in the Ssh.FIPS.SIT.PublicKeys configuration option.

All fields are editable. The supported FIPS ciphers and algorithms from which you can select when adding new ones are listed in FIPS transfer mode. Note that both the sender and the recipient must use FIPS-approved ciphers and algorithms supported by SecureTransport. Otherwise, the transfer will fail.

Site login credentials

The following table describes the site login credentials options for an SSH protocol transfer site.

Field Description
Site Login Credentials
User Name Username used to log in to the SSH server. You cannot enter spaces-only values in this field. For more information, see Spaces in required fields.
Use Password Select to use a password to log in to the SSH server.
Password Password used to log in to the SSH server.
SSH Key The certificate used to identify the user logging in. You can select a certificate or import a certificate.

Network settings

The following table describes the network settings options for an SSH protocol transfer site.

Field Description
Network Settings
Connection Read/Write timeout The maximum number of seconds the server waits to read a block of data from the partner server, or write a block of data to the partner server. If not specified, its value is 300 seconds. This option corresponds to the SO_RCVTIMEO and SO_SNDTIMEO socket options.
Connection Read Buffer Size The size of the receive buffer in bytes used by the socket opened for the transfer. It is used by the platform's networking code as a hint for the size of the underlying network I/O buffers. Increasing the receive buffer size can increase the performance of network I/O for high-volume connections, while decreasing it can help reduce the backlog of incoming data. This value is also used to set the TCP receive window that is advertised to the remote peer. This option corresponds to the SO_RCVBUF socket option. The value should be a positive integer.
Connection Write Buffer Size The size of the send buffer in bytes used by the socket opened for the transfer. It is used by the platform's networking code as a hint for the size of the underlying network I/O buffers. This option corresponds to the SO_SNDBUF socket option. The value should be a positive integer.
Local Filesystem Buffer Size The size of the buffer in bytes used for reading from the local file system when performing the transfer.
SFTP Message Block Size The SFTP block size value used for the transfer.
Enable TCP_NODELAY Enable or disable the Nagle algorithm for the transfer. Setting TCP_NODELAY disables the Nagle algorithm, so small writes are sent immediately instead of being coalesced.

Test SSH Connection

After you have filled in all the required settings, you can check whether the connection between the transfer site and the remote partner is configured correctly. The test is performed based on the input on the transfer site page. The functionality is available for both saved and unsaved transfer sites.

To initiate a test connection, click the Test Connection button located in the top-right corner of the configuration pane. Using the transfer site settings currently specified on the page, SecureTransport tries to connect to the remote partner and displays the result.

The Result test connection pane contains the following information:

  • Connection status – success or failed.
  • Fingerprint verification status – success, failed or not verified.
    • success – the fingerprint verification during the test connection is successful.
    • failed – the fingerprint verification during the test connection failed.
    • not verified – the fingerprint verification is skipped during the test connection.
  • Fingerprint – the fingerprint used in the test connection.
  • Cipher suite – the name of the cipher suite used in the test connection.
  • HMAC – hash-based message authentication codes used in the test connection.
  • Key exchange algorithms – the KEX used in the test connection.
  • Public key – the public key used in the test connection.
  • Send Buffer size – the size of the send buffer in bytes (SO_SNDBUF) used in the test connection.
  • Receive Buffer size – the size of the receive buffer in bytes (SO_RCVBUF) used in the test connection.
  • Authentication status – either success or failed.
  • SSH key alias – the SSH key alias used in the test connection.
  • Session ID – the Session ID associated with the test connection, represented as a link to the filtered Server Log entries.
  • Error details – in the event of an error, displays detailed information on why the test connection failed.
Note The Test Connection option is also exposed as a REST API resource.

Post transmission send options

The following table describes the post transmission send settings options for an SSH protocol transfer site.

Field Description
Send Options
Send File As Select the check box to specify a file name. You can use the expression language to specify the criteria you want to match. The expression uses the criteria provided to create a new file name from the original file name.
On Temporary Failure

A temporary failure can occur when the transfer is incomplete and a retry occurs. Select one of the three choices: No Action, Delete Destination File, or Move File To. Selecting No Action causes the file to stay in the new location with the file name you specified. If another file with the same name is transferred to this location, the original file is overwritten. Selecting Delete Destination File removes the file from the new location. Selecting Move File To requires you to specify a directory in the location where you are transferring the files to and to provide an expression used to rename the file.

On Failure A failure occurs when the transfer is incomplete and all retry attempts were unsuccessful. Select one of the three choices: No Action, Delete Destination File, or Move File To. Selecting No Action causes the file to stay in the new location with the file name you specified. If another file with the same name is transferred to this location, the original file is overwritten. Selecting Delete Destination File removes the file from the new location. Selecting Move File To requires you to specify a directory in the location where you are transferring the files to and to provide an expression used to rename the file.
On Success

Select one of the choices: No Action, or Move File To. Selecting No Action causes the file to stay in the new location with the file name you specified. If another file with the same name is transferred to this location, the original file is overwritten. Selecting Move File To requires you to specify a directory in the location where you are transferring the files to and to provide an expression used to rename the file.

Select Allow Overwrite to allow the file move to overwrite an existing file. If Allow Overwrite is not selected, a file transfer that attempts to overwrite an existing file fails.

Allow Overwrite Existing File When enabled and the rename operation fails because the target file exists, SecureTransport will delete the target file and repeat the rename operation.
Note To preserve the original file name when using the Move File To option, use the ${stenv.target} or ${stenv['target']} expression.

Post transmission receive options

The following table describes the post transmission receive settings options for an SSH protocol transfer site.

Field Description
Receive Options
Receive File As Select the check box to specify a file name. You can use the expression language to specify the criteria you want to match. The expression uses the criteria provided to create a new file name from the original file name when the transfer is received. You can use the SecureTransport-specific variable ${stenv.site_target}, which takes its value from the remote file path. See Expression Language for information on SecureTransport-specific variables.
On Failure A failure occurs when the transfer is incomplete and all retry attempts were unsuccessful. Select one of the three choices: No Action, Delete Source File, or Move File To. Selecting No Action causes the file to stay in the original location. If another file with the same name is transferred to this location, the original file is overwritten. Selecting Delete Source File removes the file from the original location. Selecting Move File To requires you to specify a directory in the location where you are transferring the files from and to provide an expression used to rename the file. To preserve the original file name you can use the SecureTransport-specific named variable ${stenv.target}.
On Success

Select one of the three choices: No Action, Delete Source File, or Move File To. Selecting No Action causes the file to stay in the original location. If another file with the same name is transferred to this location, the original file is overwritten. Selecting Delete Source File removes the file from the original location. Selecting Move File To requires you to specify a directory in the location where you are transferring the files from and to provide an expression used to rename the file.

Allow Overwrite Existing File When enabled and the rename operation fails because the target file exists, SecureTransport will delete the target file and repeat the rename operation.
Note To preserve the original file name when using the Move File To option, use the ${stenv.target} or ${stenv['target']} expression.

Advanced SSL Settings

Advanced SSL settings allow you to define Cipher suites and SSL protocols with your current SSH Transfer Site. Select Show Advanced SSL Settings to expand the pane with available options.

The following table describes the Advanced SSL Settings for an SSH protocol transfer site. Select the check box to expand the pane with available options.

Field Description
Show Advanced SSL Settings - select this check-box to expand the pane with available options.
Cipher suites

The set of cipher suites for secure SIT connection with the current SSH transfer site. By default this set is populated with the cipher suites as defined in the Ssh.SIT.Ciphers configuration option.

To reset to default values, click the button next to the tooltip.

Allowed macs

The set of allowed HMAC algorithms with the current SSH transfer site for secure SIT connection, presented in a comma-separated list.

By default this list is populated with the supported MAC algorithms as defined in the Ssh.SIT.AllowedMacs configuration option.

Key exchange algorithms

The set of allowed key exchange algorithms with the current SSH transfer site for secure SIT connection, presented in a comma-separated list.

By default this list is populated with the supported key exchange algorithms as defined in the Ssh.SIT.KeyExchangeAlgorithms configuration option.

Public keys

The set of allowed public key algorithms with the current SSH transfer site for secure SIT connection, presented in a comma-separated list.

By default this list is populated with the supported public key algorithms as defined in the Ssh.SIT.PublicKeys configuration option.
