Slate supports sending a scheduled export to a remote SFTP server. This practice is generally discouraged, as the export process will fail if the remote SFTP server becomes unavailable for any reason, such as a network connectivity or maintenance issue. All exports should be delivered to the Technolutions SFTP servers, where we can provide high availability, and from which they can be downloaded at any time. Best practices aside, we do support pushing an exported file to a remote SFTP server, where this may be useful to your business process.

The recommended configuration for sending files to a remote server is to use the SSH File Transfer Protocol (SFTP) with certificate-based authentication, as this will provide the highest level of security.

🔔 Important!

The original File Transfer Protocol (FTP) is not an encrypted transfer protocol. This means that all data is sent in clear text and can be read by anyone with access to the traffic. Therefore, while FTP is supported in Slate, it is highly discouraged and should always be used together with PGP file encryption.

Outbound connections are initiated from the IP addresses listed in Outbound Networks.

📖 SFTP Technical Details for Network Administrators

Certificate-based authentication

Using a private/public key pair is the recommended approach for connecting to a remote SFTP server. Unlike password authentication, which is configured entirely in the export settings of a query, Certificate based authentication requires you to create a User account with a type of “Service Account (Remote).” This user account will store the SSH private key. The public key should be saved in a corresponding profile on the remote server.

Create a Service Account (Remote) user

A Slate User with the type Service Account (Remote) represents the credentials that Slate will use when attempting to connect to the remote File Transfer server. For each server or process that requires unique credentials, a unique Service Account (Remote) user will be required.

🔑 Required Permissions: The Security Administrator exclusive permission (not inherited by any roles, even the Administrator role) is required to create or edit user accounts.

1. If you do not already have a key pair to use, use an SSH key generator like the terminal utility ssh-keygen or PuTTYGen. The corresponding public key must be installed on the remote server for this user ID to authenticate using the private key.

2. Go to Database → User Permissions.

3. Select New User.

4. Configure the following settings:

   • First, Last Name: Enter information that clearly states this is a service account, rather than a Slate user.

   • Email: Enter an email address of a real user or distribution group that can receive email notifications.

   • User Type: Service Account (Remote)

   • User ID: Enter a user ID that matches the one created in the remote system.

   • SSH Private Key: Enter the SSH Private Key.
     

5. Select Save.

   💡 Tip

   The SSH Private Key should be an RSA key of at least 2048 bits and be saved without a passphrase. In addition, the private key should include the wrapper comments as shown below.

   

   The private key in this example has been shortened for illustrative purposes. If using PuTTYgen, use Conversions → Export OpenSSH Key to format the newly generated Private Key correctly. Save the OpenSSH Key without a passphrase by ignoring PuTTYgen's warnings.

Configuring the query for export

1. Go to Queries / Reports.

2. Select the query that exports data to the remote server, or create a new one.

3. Select Edit Query.

4. Select Schedule Export.

5. Configure the following settings:

   • Destination: Custom File Transfer

   • Connection: Provide the protocol, username, and hostname in the following format: protocol://username@hostname. For example,  sftp://remoteuser@ft.technolutions.net

     📝 Note
     The protocol should be sftp for SFTP connections (recommended), ftps for FTPS connections, ftpes for FTPES connections, or ftp for (much less secure) FTP connections.

     If you must use FTP, use PGP encryption. The username should match the user name in the remote system. The hostname should be the remote server address. Configure the username in your connection to match both the username of the service account and the username of the user account on the remote server containing the public key. Special characters in the username must be URL encoded. See special characters in usernames and passwords. See Path for important notes about configuring the path.

   • Configure the remaining export settings as appropriate for your process.

     

6. Select Save.

All other settings are the same as when configuring the file to use the Technolutions SFTP servers.

Password-based authentication

Password authentication for file transfer to remote servers is configured directly in the query export settings, rather than in a User account. Passwords should be long, and contain a mixture of lower and upper case letters, numbers, and symbols.

Configuring the query for export

1. Go to Queries / Reports.

2. Select the query that exports data to the remote server, or create a new one.

3. Select Edit Query.

4. Select Schedule Export.

5. Configure the following settings:

   • Destination: Custom File Transfer

   • Connection: Provide the protocol, username, password, and hostname in the following format: protocol://username:password@hostname. For example, sftp://remoteuser:mypasswordthatshouldbecomplex@ft.technolutions.net
     

     📝 Note
     The protocol should be sftp for SFTP connections (recommended), ftps for FTPS connections, ftpes for FTPES connections, or ftp for (much less secure) FTP connections.

     If you must use FTP, use PGP encryption. The username should match the user name in the remote system. The password should be the password that the remote system expects for the user name. Special characters in the username or password must be URL encoded. The hostname should be the remote server address. See the Path section below for important notes about configuring the path.

   • Configure the remaining export settings as appropriate for your process.
     

6. Select Save.

PGP encryption

SFTP offers secure transfer, so PGP Encryption is superfluous but still supported. FTP traffic is not encrypted, so if you must use FTP, encrypt the exported data with PGP encryption.

To configure a data export to encrypt the generated file before exporting to the remote server within the Schedule Export options:

1. Go to Queries / Reports.

2. Select the query that exports data to the remote server, or create a new one.

3. Select Edit Query.

4. Select Schedule Export.

5. Configure the following settings:

   • Encryption: PGP Encryption

   • Public Key: Paste the public key that Slate should use to perform the encryption. If you do not already have a PGP key pair, you may use a PGP key pair generator, including this website, to generate a new key pair. The server or entity that consumes the file must have the matching private key to read the file.
     

🔔 Important

If the export is configured to allow empty files, you may receive the following error: File or folder... does not exist. System Error. Code: 2. The system cannot find the file specified.

Exports to remote servers are first generated on local Technolutions SFTP servers and then transferred to the remote endpoint. For empty files, this process attempts to move the export results but is not able to find the file, which causes the error.

Switching to the Suppress empty files setting prevents the error.  

Path

Enter the remote path on the server along with the name of the file.

Use date/time variables to prevent A file or directory with the same name already exists errors. For example, if you want to upload the file to the directory Files on the remote server, and you want the file name to be test%FT%T.txt, enter /Files/test%FT%T.txt

📝  Path names on many servers, including Unix or Linux servers, are case-sensitive.

Port

If a port number must be specified, this can be done in the Connection field in the Schedule Export settings, for example.

sftp://remoteuser:mypasswordthatshouldbecomplex@ft.technolutions.net:22

Special characters in usernames and passwords

Certain characters are reserved in URLs and must be encoded (replaced with a non-reserved code representing that character) if included in your username or password. Common special characters and their encodings are listed in the table below: