
SFTP (Action Flow)

With the SFTP modules in the Celonis platform, you can manage files, folders, and file permissions on a remote server.

To use the SFTP modules, you must have an SFTP account with a hosting provider.

To establish the connection in the Celonis platform:

  1. Log in to your Celonis platform account, add an SFTP module to your Action Flow, and click Create a connection.

  2. Optional: In the Connection name field, enter a name for the connection.

  3. In the Host field, enter the host address of the server you want to connect to.

  4. In the Port field, enter the SFTP server port. It must be a number between 1 and 65535. The default value is 22.

  5. In the Auth type dropdown list, select the authorization method you want to use for connecting to the SFTP server.

    • In the User name field, enter the user name that you use to log in to the server.

    • Only for the User name and password auth type: In the Password field, enter the password that you use to log in to the server.

    • Only for the User name and key auth type: In the Private key field, upload the private key used for client-side authorization.

      Note

      To use TLS with a self-signed certificate, upload your certificate (P12, PFX, or PEM file). If you use client-side certificate authorization, you can enter your CA certificate here. Refer to our Help Center for more information.

  6. Optional: Set up an algorithm.

    Important

    The blowfish-cbc cipher option has not functioned since March 19, 2024.

  7. Click Save.

You have successfully established the connection. You can now edit your Action Flow and add more SFTP modules.

After connecting the app, you can perform the following actions:

Triggers

  • Watch files in a folder

  • Watch subfolders in a folder

Actions

  • List a folder's content

  • Get files

  • Get a file

  • Upload a file

  • Rename a file

  • Move a file

  • Delete a file

  • Update file permissions

    Note: Use the chmod parameters, for example, 777 or -rwxrwxrwx. The entered data should match the pattern: /(.?([r-][w-][x-]){3})|[0-7]{3}/. Refer to the chmod Man Page for more information.

  • Create a folder

    Note: Use the chmod parameters, for example, 777 or -rwxrwxrwx. The entered data should match the pattern: /(.?([r-][w-][x-]){3})|[0-7]{3}/. Refer to the chmod Man Page for more information.

  • Delete a folder
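The mode format from the Update file permissions and Create a folder notes can be checked before a value is entered. The following is an added example, not Celonis code: it applies the page's pattern with a full-string match (an assumption, since the page does not say how the pattern is applied), converts both notations to permission bits, and names broad grants such as the world-writable bit that 777 sets.

```python
import re

# Pattern quoted on this page. fullmatch() anchors it so stray characters
# around a valid mode are rejected; how the platform applies the pattern
# is not stated on the page, so the anchoring is this example's choice.
MODE_RE = re.compile(r"(.?([r-][w-][x-]){3})|[0-7]{3}")


def parse_mode(value: str) -> int:
    """Return the permission bits for an octal or symbolic mode string."""
    if not MODE_RE.fullmatch(value):
        raise ValueError(f"not a valid mode: {value!r}")
    if value.isdigit():
        return int(value, 8)
    bits = 0
    for ch in value[-9:]:  # last nine characters; skips the optional type char
        bits = (bits << 1) | (ch != "-")
    return bits


def review_mode(value: str) -> list[str]:
    """Name the broad grants in a mode so they can be reviewed before use."""
    bits = parse_mode(value)
    checks = [
        (0o002, "world-writable"),
        (0o020, "group-writable"),
        (0o004, "world-readable"),
    ]
    return [label for mask, label in checks if bits & mask]


if __name__ == "__main__":
    # Constructed sample inputs.
    for mode in ("777", "-rwxrwxrwx", "640", "rw-rw-r--", "9777x"):
        try:
            print(f"{mode:>10}  {oct(parse_mode(mode))}  {review_mode(mode)}")
        except ValueError as exc:
            print(f"{mode:>10}  rejected: {exc}")
```

Without anchoring, the pattern also matches any longer string that merely contains three octal digits, which is why the example uses a full-string match.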

Cause

The private key is password-protected (encrypted), which is not fully supported.

Solution

Strip the encryption with:

ssh-keygen -p -P "[old passphrase]" -N "" -m pem -f [path/to/key]

The resulting key must begin with:

-----BEGIN RSA PRIVATE KEY-----
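One way to confirm which form a key file is in before uploading it, as an added example that is not Celonis code. It reads the header line, the legacy PEM Proc-Type marker, and the cipher name stored in an OpenSSH-format container; the sample inputs are constructed placeholders that hold no key material, and the result labels are names chosen for this example.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"


def openssh_cipher(body_b64: str) -> str:
    """Return the cipher name recorded in an openssh-key-v1 container."""
    blob = base64.b64decode(body_b64)
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 container")
    (length,) = struct.unpack_from(">I", blob, len(MAGIC))
    start = len(MAGIC) + 4
    return blob[start:start + length].decode("ascii")


def classify_private_key(text: str) -> str:
    """Classify a private key file by its header and encryption markers."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    header = lines[0] if lines else ""
    if header == "-----BEGIN RSA PRIVATE KEY-----":
        # Legacy PEM marks encryption with a Proc-Type header line.
        encrypted = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln
                        for ln in lines[1:3])
        return "pem-rsa-encrypted" if encrypted else "pem-rsa-plain"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "pkcs8-encrypted"
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        cipher = openssh_cipher("".join(lines[1:-1]))
        return "openssh-plain" if cipher == "none" else "openssh-encrypted"
    return "unknown"


def sample_openssh(cipher: str) -> str:
    """Constructed header-only container; it holds no key material."""
    name = cipher.encode("ascii")
    blob = MAGIC + struct.pack(">I", len(name)) + name
    body = base64.b64encode(blob).decode("ascii")
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    # Constructed samples: the bodies are placeholders, not real keys.
    plain = "-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n"
    locked = plain.replace("\nQUJD", "\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nQUJD")
    for sample in (plain, locked, sample_openssh("aes256-ctr"), sample_openssh("none")):
        print(classify_private_key(sample))
```

Only the pem-rsa-plain result corresponds to the form this section asks for. Because ssh-keygen -p rewrites the key file in place, running the command on a copy with owner-only permissions keeps the passphrase-protected original intact.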

The connector reached the host but the connection was actively refused or timed out before a response.

Cause

Wrong port number, a WAF or firewall blocking the connection, the Celonis IP not being whitelisted, or too many simultaneous connections. ETIMEDOUT can also occur when processing very large files.

Solution

Verify the port number, check firewall and WAF settings, confirm IP whitelisting, and review the simultaneous connection limit.

The connector cannot locate the server at the address provided.

Cause

The host field contains a protocol prefix (https://, sftp://, ssh://) or includes the port number in the address.

Solution

Remove any protocol prefix from the URL/IP field. Move the port to the Advanced Settings port field if it is not the default port 22.
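The clean-up described above, as an added example that is not Celonis code: it separates a pasted address into the bare host and the port, reports what was removed, and enforces the 1 to 65535 port range from the connection steps. The function name and the sample addresses are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def normalize_host_field(raw: str, default_port: int = 22) -> tuple[str, int, list[str]]:
    """Return (host, port, notes) from whatever was typed into the Host field."""
    text = raw.strip()
    notes = []
    # urlsplit() only parses host and port after "//", so add it when the
    # value has no protocol prefix.
    parts = urlsplit(text if "://" in text else "//" + text)
    if parts.scheme:
        notes.append(f"removed protocol prefix {parts.scheme}://")
    host = parts.hostname
    if not host:
        raise ValueError(f"no host name in {raw!r}")
    port = default_port
    if parts.port is not None:  # .port raises ValueError if not a number in 0-65535
        port = parts.port
        notes.append(f"moved port {port} to the Port field")
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is outside 1-65535")
    if parts.path not in ("", "/"):
        notes.append(f"dropped path {parts.path}")
    return host, port, notes


if __name__ == "__main__":
    # Constructed sample inputs.
    for value in ("sftp://files.example.com:2222", "https://10.0.0.5",
                  "files.example.com", "ssh://files.example.com/upload"):
        print(value, "->", normalize_host_field(value))
```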

This error appears after the key exchange has started. The error returned may look like this:

Handshake failed: signature verification failed

Cause

There are the following possible root causes:

  • RSA key too short - rsa-sha2-512 requires an RSA host key of at least 2048 bits. 1024-bit keys produce an unverifiable signature and return an error.

  • Host key mismatch - the server's actual host key does not match what was stored or expected. This can happen if the server was re-provisioned, migrated, or if you're trying to access a different node behind a load balancer.

  • Algorithm negotiation mismatch - the connector and server agreed on an algorithm during negotiation, but the server sent a signature using a different algorithm. This is typically a server-side misconfiguration.

Solution

Work through the root causes in order. Start by checking the RSA key length. To verify your RSA key length, run:

ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

If the key is shorter than 1024, the host key must be regenerated. For signature or host key mismatch, see Wrong signature type.
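The key length can also be read directly from the public key line, without access to ssh-keygen on the server. The following is an added example, not Celonis code: it decodes the ssh-rsa blob (key type, public exponent, modulus) and compares the modulus size with the 2048-bit minimum given above for rsa-sha2-512; the sample lines are built around placeholder moduli and are not real keys.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # minimum this page gives for rsa-sha2-512


def _read_string(buf: bytes, offset: int) -> tuple[bytes, int]:
    """Read one length-prefixed SSH string; return it and the next offset."""
    (length,) = struct.unpack_from(">I", buf, offset)
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[offset + 4:end], end


def rsa_key_bits(pub_line: str) -> int:
    """Return the modulus size in bits of an ssh-rsa public key line."""
    fields = pub_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1])
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside the blob is not ssh-rsa")
    _exponent, off = _read_string(blob, off)
    modulus, _ = _read_string(blob, off)
    return int.from_bytes(modulus, "big").bit_length()


def host_key_long_enough(pub_line: str) -> bool:
    return rsa_key_bits(pub_line) >= MIN_RSA_BITS


def constructed_pub_line(bits: int) -> str:
    """Build a syntactically valid line around a placeholder modulus."""
    def ssh_string(data: bytes) -> bytes:
        return struct.pack(">I", len(data)) + data
    n = (1 << (bits - 1)) | 1  # placeholder of the right size, not a real key
    blob = (ssh_string(b"ssh-rsa") + ssh_string((65537).to_bytes(3, "big"))
            + ssh_string(n.to_bytes(bits // 8 + 1, "big")))  # mpint: leading 0x00
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " root@constructed"


if __name__ == "__main__":
    for bits in (1024, 2048):
        line = constructed_pub_line(bits)
        print(rsa_key_bits(line), host_key_long_enough(line))
```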

This error may appear during the connection attempt. The error may look like this:

Wrong signature type: ssh-rsa, expected: rsa-sha2-512

Cause

These two algorithm identifiers refer to the same underlying RSA key but use different signature schemes.

Solutions

  1. In the SFTP connection settings, go to Advanced Settings > Server host keys.

  2. Add rsa-sha2-512 as the first item, followed by rsa-sha2-256. Remove ssh-rsa if it is present, or move it to the end of the list.

  3. If the server explicitly requires the legacy ssh-rsa algorithm (older SFTP appliances or embedded systems), add ssh-rsa to the list but verify with the server administrator that this is intentional.
