> SFTP Transport User Guide > Using the SFTP Transport
You can use the SFTP transport to transfer files using the SFTP protocol. When you configure your proxy and business services, you can choose any of the 3 authentication methods for server authentication. For more information, see Authentication Methods, Configuring Proxy Services to Use the SFTP Transport, and Configuring Business Services to Use the SFTP Transport.
When you configure a proxy service, you can use a Transport Header action to set the header values in messages. For more information, see Transport Headers and Metadata.
In addition, you can also import and export resources using ALSB Console. For more information, see Importing and Exporting Resources and UDDI Registries: Importing and Publishing Services.
SFTP Authentication Process
The following general principles apply to the SFTP authentication process for both a proxy service and business service.
- Connection: The ALSB service (proxy and business) always acts as the SFTP client and connects to the SFTP server.
- Authentication by the SFTP Server: For Public Key and Host Based authentication, the SFTP server authenticates the connection with the public key of the ALSB service. For Username Password authentication, the SFTP server authenticates the connection with the username and password. For more information, see Authentication Methods.
- Authentication by the SFTP Client: The ALSB service always authenticates the SFTP server with the public-key/host/IP combination present in the
known_hosts
file. For more information, see Known_hosts File. - Connection established: Connection is established only when both the server and client authentications are successful. File (message) transfer can now be done.
- Transfer: When a proxy service is the client to the SFTP server, the file (message) is downloaded from the SFTP server and when a business service is the client to the SFTP server, the file (message) is uploaded to the SFTP server.
Authentication Methods
The following authentication methods are supported for the SFTP transport:
For server authentication, you must have a known-hosts
file on the client machine. For more information, see Known_hosts File.
Known_hosts File
ALSB services authenticate the SFTP server based on the server details in a known_hosts
file. This
file must be available on the server on which the ALSB proxy services (inbound requests) or business services (outbound requests) run and must have the host name, IP address, and public key of the remote SFTP servers to which the proxy service or business service can connect.
- Create a
known_hosts
file and enter these details in the following format: - host name specifies the host name of the SFTP server
- IP specifies the IP address of the SFTP server
- algorithm can be either DSA or RSA, based on the SFTP server configuration. Enter
ssh-rsa
orssh-dss
depending on the supported algorithm. - format of the public key in this file is "Open SSH public key format". This is the public key of the SFTP server.
- Move the
known_hosts
file to the <ALSB installation directory>\ user_projects\domains\alsb_domain\sbconfig\sftp
directory.
Hostname, IP algorithm publickey
Multiple entries are supported in this file and it should be one entry per line.
getafix,172.22.52.130 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAtR+M3Z9HFxnKZTx66fZdnQqAHQcF1vQe1+EjJ/HWYtgAnqsn0hMJzqWMatb/u9yFwUpZBirjm3g2I9Qd8VocmeHwoGPhDGfQ5LQ/PPo3esE+CGwdnCOyRCktNHeuKxo4kiCCJ/bph5dRpghCQIvsQvRE3sks+XwQ7Wuswz8pv58=
Additional tasks that need to be done for a specific authentication method are listed in the following sections.
Username-Password Authentication
Username and password authentication is done using the credentials of the user.
To enable username and password authentication for a service:
- Create a static service account using the user credentials on the SFTP server. For more information, see Service Accounts in Using the AquaLogic Service Bus Console.
- Create a
known_hosts
file. For more information, see Known_hosts File.
Host-based Authentication
Host-based authentication is done using a private host key.
To enable host-based authentication for a service:
- Configure a service key provider with an SSL client authentication key. For information about using service key providers, see Service Key Providers in Using the AquaLogic Service Bus Console.
- Create a
known_hosts
file. For more information, see Known_hosts File. - Configure the SFTP server to accept the requests from ALSB, which is a client to the SFTP server.
- Edit the
/etc/ssh/shosts.equiv
file and add the host name or IP address of the machine on which ALSB domain is running. - Edit the
/etc/ssh/ssh_known_hosts
file and add the host name or IP address of the machine on which ALSB domain is running, followed by space and the public key.
For example, with an SFTP server on Linux, you must:
Note: | Extract the public key from the key store used while creating the service key provider. The format of this public key should be Open SSH public key format. |
Public Key Authentication
Public key authentication is done using your own private key.
To enable public key authentication:
- Configure a service key provider with SSL client authentication key. For information about using service key providers, see Service Key Providers in Using the AquaLogic Service Bus Console.
- Configure the SFTP server to accept the requests from ALSB (SFTP client).
- Create a
known_hosts
file. For more information, see Known_hosts File.
For example, with an SFTP server on Linux, you must extract the public key from the key store and put the key in the $HOME/.ssh/authorized_keys
file on the SFTP server. Ensure the path and file are available.
Configuring Proxy Services to Use the SFTP Transport
When you create a proxy service in ALSB Console Transport Configuration page, select the transport protocol as sftp
and specify the endpoint configuration in sftp://hostname:port/directory
format.
Note: | Because the only service types that are supported for the SFTP transport are Message and XML, you must select either Message service or XML service when you select the service type in the General Configuration page. For more information, see Proxy Services in Using the AquaLogic Service Bus Console. |
Configure the SFTP transport for a proxy service with values as described in Table2-1.
The proxy service is authenticated by the SFTP server based on the specified user authentication method. Select one of the following:
For more information, see Authentication Methods. | |||
Enter the service account for the user, or click Browse to select a service account. For information about using service accounts, see Service Accounts in Using the AquaLogic Service Bus Console. | |||
Enter a service key provider or click Browse to select a service key provider. For more information, see Service Key Providers in Using the AquaLogic Service Bus Console.
| |||
This name is required only when you select either the Host Based or the Public Key authentication method. In host-based user authentication, the user name is used for polling the home directory of the user on the SFTP server. For public key user authentication, the user name is used for polling the home directory of the user and for identifying the location of the public key on the SFTP server. | |||
Select this option to stage the file in the archive directory and pass it as a reference in the headers.
| |||
Select this option to stream the SFTP files directly from the remote server at the time of processing. When you select this option, the archive directory is the remote directory on the SFTP server machine. Therefore, you should specify the archive directory relative to the SFTP user directory. | |||
Enter a regular expression to select the files that you want to pick from the directory. Default is | |||
Enter the interval in seconds at which the file is polled from the specified location. Default is | |||
Specify the maximum number of messages to read per polling sweep. Enter | |||
Specify the path to the archive location if the Post Read Action option is set to Archive. You must specify a archive directory if the Pass By Reference option is selected. If remote streaming is enabled, this directory location is with respect to the SFTP server. If remote streaming disabled, the archive directory is available on the ALSB machine. When the Archive option is selected, the files are moved from either the download directory or the remote location to this directory.
| |||
Enter the directory on your local machine where files are downloaded during the file transfer. If remote streaming is enabled, this option is disabled.
| |||
Enter the location where messages are posted if there is a problem. If remote streaming is enabled, this directory is with respect to the SFTP server. If disabled, it is available on the ALSB machine.
| |||
Accept the default | |||
Select this option to recursively scan all directories within the directory that is specified in the endpoint URI. | |||
Select this option to deliver events in the order of arrival. This ensure that the message delivery is not random, but based on the time at which the file is downloaded into the destination directory. | |||
Enter the socket timeout interval, in seconds, before the connection is dropped. If you enter | |||
Specify the number of retries for SFTP connection failures. Default is 3. |
For more information about configuring proxy services using SFTP transport, see SFTP Transport Configuration Page in Proxy Services in Using the AquaLogic Service Bus Console.
Transport Headers and Metadata
The transport header and metadata related to the SFTP transport are listed in Table2-2.
Configuring Transport Headers in the ALSB Message Flow
You can configure the transport headers only for outbound requests in the message flow. For information about the transport headers related to the SFTP transport, see Transport Headers and Metadata.
In the pipeline, use a Transport Header action to set the header values in messages. For information about adding transport header actions, see "Transport Headers" in Proxy Services: Actions in Using the AquaLogic Service Bus Console.
Configuring the Transports Headers and Metadata in Test Console
You can also configure the filename transport header and the isFilePath metadata values in the ALSB Test Console when you test SFTP transport based services during development.
For information about using Test Console, see Test Console in Using the AquaLogic Service Bus Console and Using the Test Console in AquaLogic Service Bus User Guide.
Configuring Business Services to Use the SFTP Transport
When you create a business service in ALSB Console, in the Transport Configuration page, select the transport protocol as sftp
and specify the endpoint URI (location of the service) in sftp://hostname:port/directory
format.
Note: | Because the only service types that are supported for the SFTP transport are Message and XML, ensure that you select either Message service or XML service when you select the service type in the General Configuration page. For more information, see in Business Services in Using the AquaLogic Service Bus Console. |
To configure the SFTP transport for a business service, specify the values as described in Table2-3.
For more information, see Authentication Methods. | |||
Enter the service account for the user, or click Browse to select a service account. For information about using service accounts, see Service Accounts in Using the AquaLogic Service Bus Console. | |||
Enter a service key provider or click Browse to select a service key provider. For more information, see Service Key Providers in Using the AquaLogic Service Bus Console.
| |||
This name is required only when you select either the Host Based or the Public Key authentication method. In host-based user authentication, the user name is used for polling the home directory of the user on the SFTP server. For public key user authentication, the user name is used for polling the home directory of the user and for identifying the location of the public key on the SFTP server. | |||
Enter the socket timeout interval, in seconds, before the connection is dropped. If you enter 0, there is no timeout. Default is 60. | |||
Enter the prefix for the file name under which the file is stored on the remote server. | |||
Enter the suffix for the file name under which the file is stored on the remote server. | |||
Accept the default UTF-8 as the character set encoding for requests in SFTP transports. |
For more information about configuring business services using SFTP transport, see SFTP Transport Configuration Page in Business Services in Using the AquaLogic Service Bus Console.
Importing and Exporting Resources
When a resource exists in an ALSB domain, you can preserve the security and policy configuration details while importing that resource to ALSB by selecting the Preserve Security and Policy Configuration option. When you select this option, even if the security and policy configuration details have been updated in the resource that you want to import, the values in the existing resource are preserved. For information about importing resources from ALSB Console, see "Importing Resources" in System Administration in Using the AquaLogic Service Bus Console.
For SFTP services, the following details are preserved:
- client authentication method.
- reference to the service account, for services associated with username password authentication.
- reference to service key provider, for services associated with either host based or public key based authentication.
- user name, for services associated with either host based or public key based authentication.
UDDI Registries: Importing and Publishing Services
While publishing SFTP services to the UDDI registry, the authentication mode (auth-mode) is published to the registry along with other properties like endpoint URI, request-encoding, and scheme.
The protocol, load balancing algorithm, and endpoint URI values are imported from the registry while importing any service from the UDDI registry. After import, round-robin
is the default value assigned to the load balancing algorithm. In addition, while importing SFTP services from the UDDI registry, the properties listed in Table2-4 are imported from the registry:
For more information, see "Importing a Business Service From a UDDI Registry" and "Publishing a Proxy Service to a UDDI Registry" in System Administration in Using the AquaLogic Service Bus Console.