Transfer files to censhare or pick them up from an FTP server.


Introduction

The FTP service is implemented as a standard-compliant censhare Server service. 

The censhare Server allows users to access specified directories via FTP. This enables you to upload files to the censhare system using an FTP client of your choice. The destination directory on the censhare Server could also be a hot folder that triggers dedicated automated processes upon upload. 

The service optionally supports encrypted connections via the FTPS protocol (FTP over SSL) and can operate in the so-called "passive mode", making communication possible even across a firewall.

You need a standard censhare user for the FTP service

Currently, only the standard authentication is supported specifically for the FTP service. Keycloak and FTP service remain "disconnected" for now. 

The implication is that you need a standard censhare user to use the FTP service. This user needs to be added directly in the censhare Admin Client and granted the permission key "all" or at least "ftp_access_all".

If you want it to be an actual user, you will need to maintain their user account twice: in Keycloak and in the Admin Client. 

Users without a password will be ignored by the FTP service for security reasons. Likewise, there is no anonymous access.

When connecting through an FTP client, you will need to specify the hostname (such as the IP address of the censhare Server), port, username, and password of the standard censhare user. 

Configuring FTP service

The service configuration is done in the Admin client. You can find it under Configuration->Services->FTP.

Setting up the FTP service in the Admin-Client

Special setup


| Configuration | Description or accepted values | Additional note |
|---|---|---|
| Standard port | Port for non-encrypted access | |
| Secure port | Port for encrypted SSL access | |
| Internal IP address | Name or IP address of the censhare system | Both internal and external are necessary if you want to use passive mode |
| External IP address | | |
| Key Alias | In case TLS is used, a certificate needs to be provided in the censhare Java Keystore. The setting "Key Alias" references the alias of the certificate to use in the Java Keystore. | Optional |
| Mode | Either active or passive. Use passive if your censhare Server is behind a firewall. | |
| Port(s) for passive mode | Here one or more ports can be configured that are made available for the passive mode. | For details about the syntax, see Configuration of passive ports |
| Authentication | standard | Only the standard censhare authentication should be used. |
| Log level | SEVERE by default. Allows you to specify which kinds of messages are written to the log. | The censhare Server log can grow very quickly because of the FTP transfers running. We recommend the default SEVERE log level to focus on the most severe messages and prevent the server log from exploding in size. |

File system setup | Home directories

In addition, a specific start directory can be specified for each user. This is the remote path where the user is located on the censhare Server after a successful connection via the FTP client.

For each user, you need to specify:

  • the file system
  • if necessary, a subdirectory on this file system (Path on the screenshot)

If no directory has been configured for a particular user, the Default home directory will be used. This can be specified in the configuration as well: see the last field at the bottom of the screenshot.

Configuration of passive ports

If no port for passive mode is specified, the FTP service selects any available port. You can also restrict passive mode to specific ports. You can specify a single port (e.g. 20020), a list of multiple ports (e.g. 20020, 20030, 20040) or a range of ports (e.g. 20020 through 20030). A port range can be closed (e.g. 20020 - 20030) or open (e.g. 60000 -). An open range starts at 1024 and ends at 65535. This means that the range "60000 -" includes all remaining ports from 60000 to 65535. You can also use any combination of these options, which must then be separated by commas. In every case, however, the port number must be greater than or equal to 1024.

If the service has used all passive ports (one per client in passive mode), then the other clients must wait until a port is available. Therefore, it is highly recommended to configure multiple ports for the passive mode.
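The syntax and the one-port-per-client limit described above, as an added example (not censhare's own code): a Python parser that expands a passive-port setting, rejects ports below 1024, and collapses the result into the ranges a firewall rule has to admit for passive data connections. The function names and the sample setting are constructed; treating a range with a missing lower bound as starting at 1024 is an assumption.

```python
import re

MIN_PORT, MAX_PORT = 1024, 65535  # bounds stated on this page

_RANGE = re.compile(r"(\d*)\s*-\s*(\d*)", re.ASCII)

def parse_passive_ports(spec):
    """Expand a passive-port setting into a sorted list of ports."""
    ports = set()
    for item in (part.strip() for part in spec.split(",")):
        m = _RANGE.fullmatch(item)
        if m and (m.group(1) or m.group(2)):
            # A missing bound makes the range open: it defaults to 1024 or 65535.
            # Accepting a missing *lower* bound is an assumption; the page only
            # shows the "60000 -" form.
            lo = int(m.group(1) or MIN_PORT)
            hi = int(m.group(2) or MAX_PORT)
        elif item.isascii() and item.isdigit():
            lo = hi = int(item)
        else:
            raise ValueError(f"not a port or range: {item!r}")
        if not (MIN_PORT <= lo <= hi <= MAX_PORT):
            raise ValueError(f"outside {MIN_PORT}-{MAX_PORT}: {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def to_ranges(ports):
    """Collapse sorted ports into (first, last) runs for firewall rules."""
    runs = []
    for p in ports:
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p
        else:
            runs.append([p, p])
    return [tuple(r) for r in runs]

if __name__ == "__main__":
    spec = "20020, 20030 - 20032, 60000 -"  # constructed sample setting
    ports = parse_passive_ports(spec)
    # One port is held per passive-mode client, so this is the concurrency limit.
    print("concurrent passive-mode clients:", len(ports))
    print("ranges to allow inbound:", to_ranges(ports))
```

The length of the returned list is the number of passive-mode clients that can be served at once, which makes an undersized or overly broad setting visible before it is entered in the Admin Client.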

The FTP service will be restarted if any configuration (e.g. log level) is changed.

Tips & Tricks

FileZilla

SFTP (FTP over SSH) and FTP with implicit SSL are not supported by this open-source software. In FileZilla, the "Explicit SSL" option must be selected. Implicit does not work, and "Plain FTP" is an unencrypted connection.

Example to import certificate and private key to the Java Keystore:

```bash
# Bundle the private key and certificate into a PKCS#12 file
openssl pkcs12 -inkey star_censhare.key -in star_censhare.crt -export -out censhare.pkcs12
# Import into the censhare keystore; openssl names the entry "1" when no -name is given, so rename it to the alias set as "Key Alias"
keytool -importkeystore -srckeystore censhare.pkcs12 -srcstoretype PKCS12 -srcalias 1 -destalias "ftp@censhare-server" -destkeystore ~/cscs/app/config/keystore
```

Test FTPS connection

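An example of how to test an FTPS connection from the command line using the open-source tool curl:

```bash
# --ssl-reqd fails unless TLS is negotiated; -k skips certificate verification, so omit it once the server certificate is trusted
curl --ssl-reqd -k -l ftp://customer.example.com:4243/ -u censhare:password
```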
