SFTP (Action Flow)
With the SFTP modules in the Celonis platform, you can manage your files, folders, and file permissions on a remote server.
To use SFTP modules, you must have an SFTP account with a hosting service.
To establish the connection in the Celonis platform:
Log in to your Celonis platform account, add an SFTP module to your Action Flow, and click Create a connection.
Optional: In the Connection name field, enter a name for the connection.
In the Host field, enter the host address of the server you want to connect to.
In the Port field, enter the SFTP server port. It must be a number between 1 and 65535. The default value is 22.
In the Auth type dropdown list, select the authorization method you want to use for connecting to the SFTP server.
In the User name field, enter the user name that you use to enter the server.
Only for the User name and password auth type: In the Password field, enter the password that you use to enter the server.
Only for the User name and key auth type: In the Private key field, upload the private key to use the client-side authorization.
Note
Upload your certificate (P12, PFX, or PEM file) to use TLS using your self-signed certificate. If you use the client-side certificate authorization, you can enter your CA certificate here. Refer to our Help Center for more information.
Optional: Set up an algorithm.
Important
The blowfish-cbc cipher option has not functioned since March 19, 2024.
Click Save.
You have successfully established the connection. You can now edit your Action Flow and add more SFTP modules.
After connecting the app, you can perform the following actions:
Triggers
Watch files in a folder
Watch subfolders in a folder
Actions
List a folder's content
Get files
Get a file
Upload a file
Rename a file
Move a file
Delete a file
Update file permissions
Note: Use the chmod parameters, for example, 777 or -rwxrwxrwx. The entered data should match the pattern: /(.?([r-][w-][x-]){3})|[0-7]{3}/. Refer to the chmod Man Page to get more information.
Create a folder
Note: Use the chmod parameters, for example, 777 or -rwxrwxrwx. The entered data should match the pattern: /(.?([r-][w-][x-]){3})|[0-7]{3}/. Refer to the chmod Man Page to get more information.
Delete a folder
Cause
The private key is password-protected (encrypted), which is not fully supported.
Solution
Strip the encryption with:
ssh-keygen -p -P "[old passphrase]" -N "" -m pem -f [path/to/key]
The resulting key must begin with:
-----BEGIN RSA PRIVATE KEY-----.
The connector reached the host but the connection was actively refused or timed out before a response.
Cause
Wrong port number, a WAF or firewall blocking the connection, the Celonis IP not being whitelisted, or too many simultaneous connections. ETIMEDOUT can also occur when processing very large files.
Solution
Verify the port number, check firewall and WAF settings, confirm IP whitelisting, and review the simultaneous connection limit.
The connector cannot locate the server at the address provided.
Cause
The host field contains a protocol prefix (https://, sftp://, ssh://) or includes the port number in the address.
Solution
Remove any protocol prefix from the URL/IP field. Move the port to the Advanced Settings port field if it is not the default port 22.
This error appears after the key exchange has started. The error returned may look like this:
Handshake failed: signature verification failed
Cause
Possible root causes:
RSA key too short - rsa-sha2-512 requires a minimum 2048-bit RSA host key. 1024-bit keys will produce an unverifiable signature and return an error.
Host key mismatch - the server's actual host key does not match what was stored or expected. This can happen if the server was re-provisioned, migrated, or if you're trying to access a different node behind a load balancer.
Algorithm negotiation mismatch - the connector and server agreed on an algorithm during negotiation, but the server sent a signature using a different algorithm. This is typically a server-side misconfiguration.
Solution
Work through the root causes in order. Start by checking the RSA key length. To verify your RSA key length, run:
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
If the key is shorter than 1024, the host key must be regenerated. For signature or host key mismatch, see Wrong signature type.
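The first two root causes above (RSA host key length and host key mismatch) can be checked from one line of ssh-keygen -l output. The following is an added example, not Celonis code: the 2048-bit threshold is the minimum stated under Cause, while the pinned-fingerprint argument, the function name, and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify one line of `ssh-keygen -l -f <host_key.pub>` output.
# Expected shape: "<bits> <fingerprint> <comment...> (<TYPE>)"
MIN_RSA_BITS=2048   # minimum the page gives for rsa-sha2-512 host keys

# check_host_key LINE [PINNED_FINGERPRINT]
# Prints ok | too-short | mismatch | not-rsa | unparsable; returns 0 only for ok.
check_host_key() {
  line=$1
  pinned=${2:-}                  # hypothetical: fingerprint recorded at provisioning
  set -f                         # no globbing while splitting the line into fields
  set -- $line
  set +f
  if [ "$#" -lt 3 ]; then echo unparsable; return 1; fi
  bits=$1
  fp=$2
  for last in "$@"; do :; done   # last field is "(TYPE)"
  case $bits in
    ''|*[!0-9]*) echo unparsable; return 1 ;;
  esac
  case $last in
    '(RSA)') ;;
    '('*')') echo not-rsa; return 1 ;;
    *) echo unparsable; return 1 ;;
  esac
  if [ "$bits" -lt "$MIN_RSA_BITS" ]; then echo too-short; return 1; fi
  if [ -n "$pinned" ] && [ "$fp" != "$pinned" ]; then echo mismatch; return 1; fi
  echo ok
}

# Constructed sample lines; the fingerprints are placeholders, not real keys.
PIN='SHA256:EXAMPLEexampleEXAMPLEexampleEXAMPLEexample000'
OTHER='SHA256:OTHERotherOTHERotherOTHERotherOTHERother0000'
for sample in \
  "2048 $PIN sftp.example.com (RSA)" \
  "1024 $PIN sftp.example.com (RSA)" \
  "2048 $OTHER sftp.example.com (RSA)" \
  "256 $PIN sftp.example.com (ED25519)"
do
  printf '%-10s %s\n' "$(check_host_key "$sample" "$PIN")" "$sample"
done
# Real use, on the SFTP server:
#   check_host_key "$(ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub)" "$PIN"
```

A too-short verdict means the host key has to be regenerated; a mismatch verdict points to a re-provisioned server or a different node behind a load balancer and should be confirmed with the server administrator before the new key is trusted.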
This error may appear during the connection attempt. The error may look like this:
Wrong signature type: ssh-rsa, expected: rsa-sha2-512
Cause
These two algorithm identifiers refer to the same underlying RSA key but use different signature schemes.
Solutions
In the SFTP connection settings, go to Advanced Settings > Server host keys.
Add rsa-sha2-512 as the first item, followed by rsa-sha2-256. Remove ssh-rsa if it is present, or move it to the end of the list.
If the server explicitly requires the legacy ssh-rsa algorithm (older SFTP appliances or embedded systems), add ssh-rsa to the list but verify with the server administrator that this is intentional.