How to connect to SFTP and FTPS

Introduction

This topic shows you how to connect to FTPS and SFTP using Iguana.

Note: To ensure the most secure connection you will need to verify the authenticity of the security certificates that are used.

Certificate checking is implemented differently for FTPS and SFTP; see How it works below for more information.

Tip: FTPS and SFTP are often thought of as secure “extensions” of FTP, but this is not quite the case. FTPS (FTP over SSL) is indeed a secure extension of FTP, whereas SFTP (SSH File Transfer Protocol) is an extension of the SSH protocol. Because both have a similar function and command set they are generally regarded as “interchangeable” (hence the confusion).

Task

Connect to FTPS and SFTP Clients according to best practices.

Implementation

Both examples shown here use password authentication, which is the simplest way to set up a connection.

For building FTPS connections using password authentication:

  1. Use the net.ftps.init command to initialize the connection.
  2. You only need to use the following six parameters:
     server: the server hostname you are connecting to.
     username: the user name you use to log in.
     password: the password for the user.
     verify_peer: verify the peer security certificate (default = true). Recommendation: for the highest security set this to true.
     verify_host: verify the host security certificate (default = true). Recommendation: for the highest security set this to true.
     timeout: timeout for operations (default = 15 seconds). Recommendation: 60 seconds minimum, more for large files.
  3. Your net.ftps.init Translator code will look something like this:

    The variable “Conn” contains a persistent connection that can be re-used (for many queries) throughout your channel code.

    -- The Destination_* values are defined elsewhere in your channel configuration
    Conn = net.ftps.init{
       server=Destination_HostName,
       username=Destination_Login,
       password=Destination_Password,
       port=Destination_Port,
       verify_peer=false,  -- set to true to verify the peer certificate
       verify_host=false,  -- set to true to verify the host certificate
       timeout = 60        -- seconds; increase for large files
    }
  4. If you need to download large files you will need to adjust the timeouts:

    The exact timeout settings will depend on the size of your files and the bandwidth of the connection. You will need to experiment to identify the correct settings. If your files take longer than 300 seconds (5 minutes) to download then you will also need to increase the script timeout beyond the default value of 300 seconds (5 minutes). If you need help with this please contact us at support@interfaceware.com.

    • You will have to increase the timeout value (the net.ftps.init timeout parameter).
    • If you set the FTPS timeout to greater than 5 minutes (300 seconds), then you will also need to increase the timeout value for your script (iguana.setTimeout) to match.
    • Your Translator code will look something like this:

      In this case we set the FTPS timeout to 360 seconds (6 minutes) and increased the script timeout to 370 seconds.

      -- The Destination_* values are defined elsewhere in your channel configuration
      Conn = net.ftps.init{
         server=Destination_HostName,
         username=Destination_Login,
         password=Destination_Password,
         port=Destination_Port,
         verify_peer=false,  -- set to true to verify the peer certificate
         verify_host=false,  -- set to true to verify the host certificate
         timeout = 360       -- transfer timeout in seconds (6 minutes)
      }
      -- the script timeout must exceed the transfer timeout
      iguana.setTimeout(370)

Note: Setting verify_host and verify_peer = false allows for the simplest form of the FTPS protocol, which means it does not verify the security certificates. This may be secure enough for your needs if you are dealing with a client that you know. However, for the highest level of security you should set verify_host and verify_peer = true. You will need to make this decision based on your requirements. See Using SSL security, certificates and verify peer etc for more information.

For building SFTP interactions using password authentication:
  1. Use the net.sftp.init command to initialize the connection.
  2. You only need to use the following five parameters:
     server: the server hostname you are connecting to.
     username: the user name you use to log in.
     password: the password for the user.
     port: the port to use (default = 22).
     timeout: timeout for operations (default = 15 seconds). Recommendation: 60 seconds minimum, more for large files.
  3. Your net.sftp.init Translator code will look something like this:

    The variable “Conn” contains a persistent connection that can be re-used (for many queries) throughout your channel code.

    -- The Destination_* values are defined elsewhere in your channel configuration
    Conn = net.sftp.init{
       server=Destination_HostName,
       username=Destination_Login,
       password=Destination_Password,
       port=Destination_Port,   -- default is 22
       timeout = 60             -- seconds; increase for large files
    }
  4. Timeout settings for downloading large files:

    The exact timeout settings will depend on the size of your files and the bandwidth of the connection. You will need to experiment to identify the correct settings. If your files take longer than 300 seconds (5 minutes) to download then you will also need to increase the script timeout beyond the default value of 300 seconds (5 minutes). If you need help with this please contact us at support@interfaceware.com.

    • You will have to increase the timeout value (the net.sftp.init timeout parameter).
    • If you set the SFTP timeout to greater than 5 minutes (300 seconds), then you will also need to increase the timeout value for your script (iguana.setTimeout) to match.
    • Your Translator code will look something like this:

      In this case we set the SFTP timeout to 360 seconds (6 minutes) and increased the script timeout to 370 seconds.

      -- The Destination_* values are defined elsewhere in your channel configuration
      Conn = net.sftp.init{
         server=Destination_HostName,
         username=Destination_Login,
         password=Destination_Password,
         port=Destination_Port,   -- default is 22
         timeout = 360            -- transfer timeout in seconds (6 minutes)
      }
      -- the script timeout must exceed the transfer timeout
      iguana.setTimeout(370)

Note: Unlike FTPS, the SFTP command does not include parameters to enable checking of security certificates; this is because SFTP runs over an existing SSH connection. The SSH connection itself will need to be set up to enforce checking of certificates. You will need to discuss security requirements with whoever administers your SSH connections.

How it works

This page shows you how to use password authentication for FTPS and SFTP connections, which is the simplest way to set up these connections. Specifying the SFTP and FTPS parameters according to this guide allows you to establish a persistent connection that can be used throughout your Translator code for many queries at a time.

If you need the most secure connection you will need to ensure that the security certificates are checked. Certificate checking is implemented differently for FTPS and SFTP:

FTPS:

  • FTPS includes the checking as part of the net.ftps.init command (verify_peer & verify_host).
  • This is because the FTPS protocol initiates its own SSL connection and then needs to perform its own certificate checking.
  • To enable certificate checking you need to set verify_host and verify_peer = TRUE.

SFTP:

  • SFTP does not include checking as part of the net.sftp.init command.
  • This is because the SSH protocol already includes commands for certificate checking.
  • SFTP runs over an existing SSH connection, and therefore depends on how that SSH connection is setup.
  • You will need to talk to whoever administers your SSH connection if you need to verify security certificates.

Note: These are some important things to consider when downloading files:

  • What happens to the file after you download it:
    • First you will process the file.
    • Finally you will either archive or delete the file.
  • You will need to ensure that you do not download or reprocess the same file twice.
    • You will need to have some logic in place to ensure that you do not reprocess the same file.
    • This will need to be discussed with the client.
    • In some cases clients may send a file twice — in this case you will need to have logic in place to prevent reprocessing the duplicate.
  • How will you log file downloads and processing:
    • You will probably want to log when you start and finish the transfers.
    • For each transfer you should log the file name, from where it is from, and where you are saving it.
  • You should also consider using pcall to trap errors when using FTP, FTPS and SFTP connections.
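As an added example (not code from the Iguana documentation or from iNTERFACEware), the following Lua Translator script ties together the Implementation steps and the considerations listed above: it builds a persistent FTPS or SFTP connection with certificate verification left on, derives the script timeout from the transfer timeout using the 300 second rule, and then downloads files under pcall with start and finish logging and a check that stops the same file being processed twice. The names net.ftps.init, net.sftp.init, iguana.setTimeout and the Destination_* variables come from this page; iguana.logInfo and iguana.logError are Iguana's standard logging calls. The Conn:list and Conn:get methods, the remote and local directory names, and the in-memory Processed table are assumptions made for this example, so confirm the method names against your Iguana version's API reference before use.

```lua
-- Added example (not from the Iguana documentation or iNTERFACEware code).
-- Assumed API, as noted in the lead-in: Conn:list{remote_path=...} returns a
-- table of entries with a .name field, and Conn:get{remote_path=...} returns
-- the file content as a string. Verify both against your Iguana API reference.

local SCRIPT_TIMEOUT_DEFAULT = 300 -- Iguana's default script timeout (seconds)
local SCRIPT_MARGIN = 10           -- headroom between transfer and script timeout

-- A transfer timeout above 300 seconds needs a larger script timeout
-- (iguana.setTimeout), otherwise the script limit cuts the download off.
local function scriptTimeoutFor(transferTimeout)
   local needed = transferTimeout + SCRIPT_MARGIN
   if needed > SCRIPT_TIMEOUT_DEFAULT then
      return needed
   end
   return SCRIPT_TIMEOUT_DEFAULT
end

-- Open a persistent connection. For FTPS, certificate verification stays on
-- unless cfg.verify is explicitly false; SFTP has no verify flags because the
-- SSH layer performs its own host checks.
local function connect(cfg)
   local params = {
      server   = cfg.server,
      username = cfg.username,
      password = cfg.password,
      port     = cfg.port,
      timeout  = cfg.timeout or 60,
   }
   iguana.setTimeout(scriptTimeoutFor(params.timeout))
   if cfg.protocol == 'ftps' then
      local verify = (cfg.verify ~= false)
      params.verify_peer = verify
      params.verify_host = verify
      return net.ftps.init(params)
   end
   return net.sftp.init(params)
end

-- Names of files already processed in this run, used to skip a file the
-- client sends twice. Assumption for the example: kept in memory only.
local Processed = {}

-- Download one file under pcall so a failed transfer is logged rather than
-- aborting the whole channel run. Returns the local path on success, or
-- nil plus a reason.
local function fetchFile(Conn, remoteDir, name, localDir)
   if Processed[name] then
      iguana.logInfo('Skipping already processed file: ' .. name)
      return nil, 'duplicate'
   end
   local remotePath = remoteDir .. '/' .. name
   local localPath  = localDir .. '/' .. name
   iguana.logInfo('Transfer start: ' .. remotePath .. ' -> ' .. localPath)
   local ok, result = pcall(function()
      local data = Conn:get{remote_path = remotePath} -- assumed method
      local f = assert(io.open(localPath, 'wb'))
      f:write(data)
      f:close()
      return #data
   end)
   if not ok then
      iguana.logError('Transfer failed: ' .. remotePath .. ': ' .. tostring(result))
      return nil, result
   end
   Processed[name] = true
   iguana.logInfo('Transfer done: ' .. remotePath .. ' (' .. result .. ' bytes)')
   return localPath
end

-- Walk a remote directory, fetch each file once, and hand it to the handler,
-- which should process the file and then archive or delete it.
local function processDirectory(Conn, remoteDir, localDir, handler)
   local ok, entries = pcall(function()
      return Conn:list{remote_path = remoteDir} -- assumed method
   end)
   if not ok then
      iguana.logError('Listing failed: ' .. remoteDir .. ': ' .. tostring(entries))
      return 0
   end
   local count = 0
   for _, entry in ipairs(entries) do
      local localPath = fetchFile(Conn, remoteDir, entry.name, localDir)
      if localPath then
         handler(entry.name, localPath)
         count = count + 1
      end
   end
   return count
end

-- Translator entry point. Directory names are placeholders for the example.
function main()
   local Conn = connect{
      protocol = 'sftp',                -- or 'ftps'
      server   = Destination_HostName,
      username = Destination_Login,
      password = Destination_Password,
      port     = Destination_Port,
      timeout  = 360,                   -- results in iguana.setTimeout(370)
   }
   local n = processDirectory(Conn, '/outbound', '/tmp/inbound', function(name, path)
      iguana.logInfo('Processing ' .. name .. ' from ' .. path)
   end)
   iguana.logInfo('Processed ' .. n .. ' file(s)')
end
```

The Processed table lives only for the current script run; a production channel would keep the list of processed file names in a database or on disk so that a restart does not reprocess files. With protocol = 'ftps' the connect function passes verify_peer and verify_host as true unless verify = false is given explicitly, so the unverified setting has to be chosen deliberately rather than being the default.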

More information