sFTP Tips

What you need to know for easy and secure file transfers


I’m pretty handy using sFTP. I’ve configured sFTP several times on IBM i and am able to securely send and receive (put and get) data from the i to a remote system. And I’m talking Secure File Transfer Protocol (or SSH File Transfer Protocol), not FTP through Secure Sockets Layer or SSL FTP. sFTP is the widely used protocol for transferring information securely—especially with financial institutions like banks and credit-card companies. Note that sFTP runs under the Portable Application Solutions Environment (PASE), the UNIX runtime within i. Licensed program 5733-SC1 (Portable Utilities for i) contains OpenSSH, the open-source implementation of Secure Shell. You also need i Option 33–PASE to be installed on your system.

I usually follow the same general steps when configuring sFTP to be used in a batch process. These steps are to configure sFTP without a password. Most financial institutions I’ve worked with have used this method. You can use sFTP with a password, but you’d need something like a TCP expect script, which makes the process more complicated.

sFTP uses public-key encryption, meaning each side (your system and the remote system) will create a public encryption key and send it to the other. Each side can then encrypt information with the partner’s public key. I’ll show a basic sFTP setup, and discuss a few potential problems and how to avoid them.

sFTP Configuration Basics

First, sign on as the user that will perform the batch sFTP; I’ll use SFTPUSER in this example. Start configuring sFTP by issuing CALL QP2TERM to start an i PASE session, which provides a PASE command line. Perform the following steps by entering commands on the command line:

1. Create a /home directory for the user that will be running sFTP (the user the batch process runs under). If the user already has a /home directory, you can skip this step. If not, use command mkdir home/SFTPUSER, where SFTPUSER is the specified user.

Ensure the permissions are set correctly on the /home directory. This is one of the gotchas with sFTP. If these permissions are incorrect, sFTP won’t work and it’s difficult to find the cause. Issue the change mode (chmod) command to set the /home directory’s permissions:

chmod 755 /home/SFTPUSER

2. Generate the public and private encryption keys using the ssh-keygen command:

ssh-keygen -t dsa -N ""

You’ll be prompted for the file name; just press “Enter” for the default file name. This command will create the .ssh subdirectory and generate the public and private encryption keys in the /home/SFTPUSER/.ssh directory. You’ll have files id_dsa (the private key) and (the public key).

3. Send the public key to your communications partner. This can be done via e-mail or FTP. Your communications partner will take your public key and place in its .ssh folder, and add your host name to its known_hosts file.

4. If your partner has its own key (which is likely), you’ll use it for the transfer. Get it with this command, where your partner’s name is

ssh-keyscan -t >> ~/.ssh/known_hosts

This adds your partner’s public key to your known_hosts file and enables secure communications between the systems.


Michael Ryan is a technical editor with IBM Systems Magazine. Michael can be reached at

comments powered by Disqus



2018 Solutions Edition

A Comprehensive Online Buyer's Guide to Solutions, Services and Education.


Going Mobile With DB2 Web Query

Directing i

How to enable IBM i for management by IBM Systems Director

Putting the "V" in Virtualization

IBM eServer line delivers on the promise of virtualization

IBM Systems Magazine Subscribe Box Read Now Link Subscribe Now Link iPad App Google Play Store
IBMi News Sign Up Today! Past News Letters