The SFTP transport is a poll-based transport that transfers files securely over the SSH File Transfer Protocol (SFTP) using SSH version 2. It polls a specified directory at regular intervals based on a predefined polling interval. After authentication, a connection is established between AquaLogic Service Bus (ALSB) services and the SFTP server, and files are transferred over that connection. The SFTP transport supports one-way inbound and outbound connectivity.
The following are the key features of SFTP transport:
For more information about configuring service types, see Business Services: Creating and Managing and Proxy Services: Creating and Managing in Using the AquaLogic Service Bus Console.
For inbound message processing, the quality of service (QoS) is exactly-once, which ensures that every polled file is processed, and processed only once. For outbound message processing, the QoS is best-effort.
Note: For messages that are not transferred, you must create the error-handling logic (including any retry logic) in the pipeline error handler. For more information, see Proxy Services: Error Handlers in Using the AquaLogic Service Bus Console.
For more information about QoS in ALSB messaging, see Modeling Message Flow in ALSB in AquaLogic Service Bus User Guide.
Environment values are predefined fields in the configuration data and are likely to change when you move the configuration from one domain to another (for example, from test to production). The following table lists the environment values associated with the SFTP transport.
The following principles apply to the SFTP authentication process for both proxy and business services: the ALSB service authenticates the SFTP server against that server's entry in a known_hosts file (for more information, see Creating the Known Hosts File), and the SFTP server authenticates the ALSB service using the configured user authentication method.
Transferring files by using the SFTP transport involves the following steps:
1. The proxy service polls the input directory on the SFTP server at the configured polling interval.
Note: A new connection is created for each poll cycle.
2. Each file found is renamed with a .stage extension. This renaming ensures that the service does not pick up the same file again during the next polling cycle. The .stage file remains in the input directory until the file is delivered.
Note: If the file cannot be retrieved from the input directory (due to network failure, for example), the .stage file is processed during a clean-up cycle. The clean-up cycle is performed every 15 minutes or after 15 polling cycles, whichever occurs later. If a .stage file still exists during two consecutive clean-up cycles, it is processed again.
3. A task is created to process the file.
Note: The task uses a pooled connection for processing the message. If a connection is not available in the pool, a new connection is created.
4. The file is delivered to the pipeline as a message, and the .stage file is deleted.
Note: If an SFTP business service is configured, the service puts the message in the outbound directory through a pooled connection.
5. If the message is not delivered, the transport attempts to transfer it again, up to a predefined number of attempts. If the message still cannot be delivered, it is moved to the error directory.
You can use the SFTP transport to transfer files securely using SSH File Transfer Protocol (SFTP).
The following sections describe how you can use the SFTP transport to transfer files securely:
The SFTP transport supports the following authentication methods: username-password authentication, host-based authentication, and public key authentication. Each is described below.
ALSB services authenticate the SFTP server based on the server details defined in a known_hosts file, so to enable server authentication you must create a known_hosts file on the client machine.
The known_hosts file must exist on the server on which the ALSB proxy services (inbound requests) or business services (outbound requests) run. The file must contain the host name, IP address, and public key of every remote SFTP server to which the proxy service or business service can connect.
Create the known_hosts file and enter one entry per SFTP server in the following format:
Hostname,IP algorithm publickey
where:
Hostname is the host name of the SFTP server.
IP is the IP address of the SFTP server.
algorithm is ssh-rsa or ssh-dss, depending on whether the SFTP server's host key is RSA or DSA.
publickey is the public key of the SFTP server. It must be in OpenSSH public key format (the base64 blob that follows the key type in an OpenSSH public key file).
For example (the key is a single base64 string and, like the rest of the entry, must be on one line in the file):
getafix,172.22.52.130 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAtR+M3Z9HFxnKZTx66fZdnQqAHQcF1vQe1+EjJ/HWYtgAnqsn0hMJzqWMatb/u9yFwUpZBirjm3g2I9Qd8VocmeHwoGPhDGfQ5LQ/PPo3esE+CGwdnCOyRCktNHeuKxo4kiCCJ/bph5dRpghCQIvsQvRE3sks+XwQ7Wuswz8pv58=
The known_hosts file can contain multiple entries, but each entry must be on a separate line.
This file is the only thing that protects the transport from connecting to an impostor server, so obtain each host key (or its fingerprint) from the SFTP server's administrator out of band rather than accepting whatever a first connection presents.
Copy the known_hosts file to the $DOMAIN_HOME/alsb/transports/sftp directory.
Note: The directories /transports/sftp are not created automatically. You must create them.
Username-password authentication is the simplest and quickest method of authentication. It is based on the credentials of the user.
To enable username and password authentication for a service, specify the service account that holds the user's credentials and ensure that the SFTP server is listed in the known_hosts file. For more information, see Creating the Known Hosts File.
Host-based authentication uses a private host key. This method can be used when all the users share a private host.
To enable host-based authentication for a service, specify a service key provider that holds the host key and ensure that the SFTP server is listed in the known_hosts file. For more information, see Creating the Known Hosts File.
For example, for an SFTP server on Linux, you must do the following:
Edit the /etc/ssh/shosts.equiv file and add the host name or IP address of the machine on which the ALSB domain runs.
Edit the /etc/ssh/ssh_known_hosts file and add the host name or IP address of the machine on which the ALSB domain runs, followed by a space and the public key.
Note: You can extract the public key from the key store that was used while creating the service key provider. The public key must be in the OpenSSH format.
On an OpenSSH server these two files are only consulted when host-based authentication is enabled in sshd_config (HostbasedAuthentication yes); it is disabled by default.
Public key authentication is performed using your own private key. This method can be used when each user has a private key.
To enable public key authentication, specify a service key provider that holds the user's key and ensure that the SFTP server is listed in the known_hosts file. For more information, see Creating the Known Hosts File.
For example, for an SFTP server on Linux, you must extract the public key from the key store and enter the key in the $HOME/.ssh/authorized_keys file of the account that the service logs in as on the SFTP server. Ensure that the path and file exist.
When you create a proxy service in the Transport Configuration page of the ALSB Console, you must select sftp as the transport protocol and specify the endpoint configuration in the following format:
sftp://hostname:port/directory
Note: Since the SFTP transport supports only messaging and XML service types, you must select Messaging Service or Any XML Service as the service type in the General Configuration page of the ALSB console.
Note: When you select Messaging Service as the service type,
Note: For more information, see Proxy Services: Creating and Managing in Using the AquaLogic Service Bus Console.
Configure the proxy service as described in the following table.
User Authentication: The proxy service is authenticated by the SFTP server based on the specified user authentication method.
Service Account: Enter the service account for the user, or click Browse and select a service account. For information about using service accounts, see Service Accounts in Using the AquaLogic Service Bus Console.
Service Key Provider: Enter a service key provider, or click Browse and select a service key provider. For more information, see Service Key Providers in Using the AquaLogic Service Bus Console. This value is required only when you select either the host-based or public key authentication method.
Pass By Reference: Select this option to stage the file in the archive directory and pass it as a reference in the headers.
Polling Interval: The polling interval is the frequency at which the input directory is polled. Each poll creates an SFTP connection. Enter the interval (in seconds) at which the file must be polled from the specified location. The default value is 60.
Read Limit: If numerous files exist in the poll directory, you can limit the number of concurrent transfers by selecting an appropriate value in this field.
Archive Directory: If Post Read Action is set to Archive, then, after the files are transferred, they are moved (from either the download directory or the remote location) to the archive directory. If remote streaming is enabled, the archive directory is with respect to the SFTP server. If remote streaming is disabled, the archive directory is on the ALSB machine.
Download Directory: Specify the absolute path of the directory on your local machine to which files are downloaded during the file transfer.
Error Directory: If remote streaming is enabled, the error directory is with respect to the SFTP server. If remote streaming is disabled, the error directory is on the ALSB machine.
Scan Subdirectories: Select this option if you want all subdirectories within the directory that is specified in the endpoint URI to be scanned recursively.
For more information about configuring proxy services to use the SFTP transport, see Proxy Services: Creating and Managing in Using the AquaLogic Service Bus Console.
When you configure a proxy service, you can use a Transport Header action to set the header values in messages. The following table lists the transport header and metadata related to the SFTP transport.
You can configure the transport headers only for outbound requests in the ALSB message flow. In the pipeline, use a transport header action to set the header values in messages. For more information, see Proxy Services: Actions in Using the AquaLogic Service Bus Console.
You can configure the FileName transport header and the isFilePath metadata value in the ALSB test console when you test SFTP transport-based services during development. For more information, see Test Console in Using the AquaLogic Service Bus Console and Using the Test Console in AquaLogic Service Bus User Guide.
When you create a business service in the Transport Configuration page of the ALSB console, you must select sftp as the transport protocol and specify the endpoint URI (location of the service) in the following format:
sftp://hostname:port/directory
Note: Since the SFTP transport supports only messaging and XML service types, you must select Messaging Service or Any XML Service as the service type in the General Configuration page of the ALSB console.
Note: When you select Messaging Service as the service type,
Note: For more information, see Business Services: Creating and Managing in Using the AquaLogic Service Bus Console.
Configure the business service as described in the following table.
User Authentication: The business service is authenticated by the SFTP server based on the specified user authentication method.
Service Account: Enter the service account for the user, or click Browse and select a service account. For information about using service accounts, see Service Accounts in Using the AquaLogic Service Bus Console.
Service Key Provider: Enter a service key provider, or click Browse and select a service key provider. For more information, see Service Key Providers in Using the AquaLogic Service Bus Console. This value is required only when you select either the host-based or public key authentication method.
For more information about configuring business services using the SFTP transport, see Business Services: Creating and Managing in Using the AquaLogic Service Bus Console.
You can configure the SFTP transport-based business services to handle communications errors, which can occur when a connection or user authentication fails while connecting to the remote SFTP server. When you configure the business service, you can enable the business service endpoint URIs to be taken offline after a specified retry interval.
For more information, see the following topics in Monitoring in Using the AquaLogic Service Bus Console:
Most errors occur while configuring an SFTP proxy or business service. The following tips can help you understand and solve them:
- Make sure the known_hosts file is in place before you test the service (see Creating the Known Hosts File).
- A Connection refused error message indicates that the SFTP server is not available on the configured host and port.
- An Authentication failed error message indicates that the username or password is not valid, or that the public key is not configured correctly.
- A Connection did not complete error message is displayed after the actual error that caused the connection failure (for example, Key not found) is displayed.
- A Key not found for IP, host error message indicates that the known_hosts file does not contain an entry that corresponds to the specified IP-host combination. If the entry exists, try the other algorithm; for example, if the earlier attempt was with an RSA key, try again with a DSA key. The replacement entry must still be the server's actual host key for that algorithm, verified with the server's administrator; do not add a key you have not verified just to make the error go away.
When you import a resource that exists in an ALSB domain, you can preserve the existing security and policy configuration details of the resource by selecting the Preserve Security and Policy Configuration option. The following SFTP service-specific details are preserved when you import a resource:
For more information about importing resources from the ALSB Console, see Importing Resources in Using the AquaLogic Service Bus Console.
When an SFTP service is published to the UDDI registry, the Authentication mode, Request encoding, Sort by arrival, and File mask properties are published.
Table 1-5 lists the properties that are imported from the registry when an SFTP service is imported from the UDDI registry.
After the service is imported, the default value of the load balancing algorithm is round-robin.
For more information, see UDDI in Using the AquaLogic Service Bus Console.