New SFTP Server Information

In early 2017, IU Accounts Payable will be switching to new systems for the SFTP file transfers used by vendors sending cXML invoice files to IU.

New Server Information:

Server Type   Server DNS Hostname                 Server IP Address
Test          dtt.fms.iu.edu                      129.79.165.72
Production    dtp.fms.iu.edu (on Feb. 6, 2017)    129.79.165.71

 

Old Server Information:

Server Type   Server DNS Hostname     Server IP Address
Production    dtp.fms.iu.edu (now)    129.79.13.56

 

The name dtt.fms.iu.edu is available now to support initial connectivity testing to our new server.  The dtp.fms.iu.edu hostname will be moving from our old server to the new server on Monday, February 6th, 2017.

 

All existing usernames, passwords, ssh public keys, and server directories should exactly match between the old server and the new server.  The only differences will be:

  • New SSH host keys for new servers
  • New Test server only has a test incoming file directory
  • New Production server only has a prod incoming file directory

Directory Information

Test and Production servers will continue to have different directories to distinguish test and production file submissions.

 

Directory Type   Directory Name                                           Note
Test             /home/(username)/test/purap                              The test directory only exists on the test server
Production       /home/(username)/purap or /home/(username)/prod/purap    The production directory only exists on the production server

 

Note that the directories and files on the servers are case sensitive, and are in lower case. This may require some review and changes of existing processes to verify that you are using lower case for directory names. Also note that the (username) section of the directory name will be replaced with the username that you use to connect to dtp.fms.iu.edu or dtt.fms.iu.edu.

Connection Method - SFTP

You must connect to dtt.fms.iu.edu and dtp.fms.iu.edu using SFTP, also known as Secure FTP.  Our SFTP server supports only the SSH protocol version 2, and does not support version 1.  As of January 2017, we are using OpenSSH_6.6.1p1 as the SFTP software.  Connections should use tcp port 22, the standard for ssh.  We must know the IP addresses that you will be connecting from prior to account setup, so that we can add your IP addresses to our firewall for SFTP access.

 

For general sftp information, feel free to review What is SFTP

 

During the SFTP account setup phase, we will determine the username that you will use, as well as the authentication method.  We support either password based authentication or ssh public key based authentication.  We prefer the use of public key authentication, and can assist with confirming that your public key file is in the correct location for it to be used for authentication.

SSH Host Keys

Our new ssh servers have new host keys that will require a manual acceptance for ssh authentication to continue.  The fingerprints for the new server host keys are listed below: 

Test Server - dtt.fms.iu.edu

2048 MD5:38:30:90:c6:58:e1:27:2e:35:ca:88:b5:cb:44:55:d8 dtt.fms.iu.edu (RSA)
256 MD5:ba:9b:07:d9:70:49:d3:ce:6c:d1:8c:c1:7e:17:35:e6 dtt.fms.iu.edu (ECDSA)
256 MD5:d9:b1:72:02:17:8c:2a:b4:03:50:4f:a3:72:52:67:19 dtt.fms.iu.edu (ED25519)

Production Server - dtp.fms.iu.edu

2048 MD5:4a:7e:b8:f8:0d:05:ac:4c:59:48:34:3d:fb:f3:84:cd dtp.fms.iu.edu (RSA)
256 MD5:ee:a5:fe:dd:7e:17:be:5c:c8:bf:96:f2:14:c3:fc:b4 dtp.fms.iu.edu (ECDSA)
256 MD5:91:bc:b3:38:4a:92:f4:5e:e5:2c:d7:03:aa:66:3d:8e dtp.fms.iu.edu (ED25519)
 

Note that these host keys are different from those that have been used in the past, so you will need to manually accept the new host keys when changing to the new SFTP server.

SSH Public Key Authentication Setup

If you choose to use public key authentication for connecting to dtp.fms.iu.edu and dtt.fms.iu.edu, each system will require separate setup steps to establish the public key files.  The IU Knowledge Base has general instructions for setting up public key authentication that may be helpful.

 

As a part of account setup, there should be a .ssh directory inside your home directory on both the dtt and dtp servers.  To set up public key authentication, the contents of the public keys you wish to use for authentication need to be:

  • In the OpenSSH format
  • Appended to a single file named authorized_keys, located in your ~/.ssh/ directory.

Invoice File Name Format

It is important that each cXML invoice file that we receive has a unique file name.  In order to enforce unique names, we have a file naming standard that includes several sections:

YYYYY_Y_username_datetime.dat

  • YYYYY_Y_  - To be replaced with a numeric identifier provided by IU Accounts Payable
  • username  - Your username on our dtp SFTP server
  • datetime  - The full date and time stamp of the file

You may optionally include additional components in your filenames to ensure that your processes are sending unique file names, for example the respective invoice number.  Adding this detail can help in researching individual invoice payments by allowing IU to track how a specific e-Invoice file is processed.

New Host Key Acceptance

The first time that you connect after our switch to the new server on February 6th, 2017, you may receive an error and/or warning message similar to the following:

 

sftp xxx2edi@dtt.fms.iu.edu
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The ECDSA host key for dtt.fms.iu.edu has changed,
and the key for the corresponding IP address 129.79.165.72
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /home/username/.ssh/known_hosts:10
  remove with:
  ssh-keygen -f "/home/username/.ssh/known_hosts" -R 129.79.165.72
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:wMi8QB+BP6+ytDWR8VRdTSqTystgGppEFWFKUzxcWmI.
Please contact your system administrator.
Add correct host key in /home/username/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/username/.ssh/known_hosts:52
  remove with:
  ssh-keygen -f "/home/username/.ssh/known_hosts" -R dtt.fms.iu.edu
ECDSA host key for dtt.fms.iu.edu has changed and you have requested strict checking.
Host key verification failed.
Couldn't read packet: Connection reset by peer

 

To resolve this issue, the host keys for both the IP address and host name will need to be updated.  The following should accomplish this, if you are using the OpenSSH command line client:

For Test SFTP Server:

ssh-keygen -f "/home/username/.ssh/known_hosts" -R 129.79.165.72
ssh-keygen -f "/home/username/.ssh/known_hosts" -R dtt.fms.iu.edu

For Production SFTP Server:

ssh-keygen -f "/home/username/.ssh/known_hosts" -R 129.79.165.71
ssh-keygen -f "/home/username/.ssh/known_hosts" -R dtp.fms.iu.edu 


You will need to replace username in the above commands with your actual username on the system used for sending us files.
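
Once the old entries are removed, the new host key still has to be checked against the fingerprints listed under SSH Host Keys before it is trusted. OpenSSH clients from version 6.8 on display SHA256 fingerprints by default, as in the warning above, while this page lists MD5 fingerprints. The following is an added example, not part of the original page: shell functions that compute the MD5 fingerprint of each key returned by ssh-keyscan and pass through only the lines that match. The function and variable names are illustrative, and base64 and md5sum from coreutils are assumed to be available.

```bash
#!/usr/bin/env bash
# Added example: pin new host keys to the MD5 fingerprints published on this page.
# Function and variable names are illustrative; needs base64 and md5sum (coreutils).

# Fingerprints copied from the "SSH Host Keys" section (RSA, ECDSA, ED25519).
DTT_PINNED="38:30:90:c6:58:e1:27:2e:35:ca:88:b5:cb:44:55:d8
ba:9b:07:d9:70:49:d3:ce:6c:d1:8c:c1:7e:17:35:e6
d9:b1:72:02:17:8c:2a:b4:03:50:4f:a3:72:52:67:19"
DTP_PINNED="4a:7e:b8:f8:0d:05:ac:4c:59:48:34:3d:fb:f3:84:cd
ee:a5:fe:dd:7e:17:be:5c:c8:bf:96:f2:14:c3:fc:b4
91:bc:b3:38:4a:92:f4:5e:e5:2c:d7:03:aa:66:3d:8e"

# MD5 fingerprint (aa:bb:..) of a base64 key blob: the hash of the decoded blob.
md5_fingerprint() {
    [ -n "$1" ] || return 1
    printf '%s' "$1" | base64 -d >/dev/null 2>&1 || return 1
    printf '%s' "$1" | base64 -d | md5sum | cut -d' ' -f1 | sed 's/../&:/g; s/:$//'
}

# Read "host keytype base64" lines (ssh-keyscan output) on stdin and echo only
# those whose fingerprint equals one of the pinned values passed as arguments.
# Exit status: 0 all lines matched, 1 no key lines seen, 2 at least one rejected.
filter_trusted() {
    local host type blob rest fp pinned ok rc=1
    while read -r host type blob rest; do
        case "$host" in ''|'#'*) continue ;; esac   # blank lines, keyscan banners
        ok=0
        if fp=$(md5_fingerprint "$blob"); then
            for pinned in "$@"; do
                if [ "$fp" = "$pinned" ]; then ok=1; fi
            done
        else
            fp="unparseable"
        fi
        if [ "$ok" -eq 1 ]; then
            printf '%s %s %s\n' "$host" "$type" "$blob"
            if [ "$rc" -eq 1 ]; then rc=0; fi
        else
            printf 'REJECTED %s %s MD5:%s\n' "$host" "$type" "$fp" >&2
            rc=2
        fi
    done
    return "$rc"
}

# Usage, after the ssh-keygen -R commands above (DTP_PINNED for production):
#   ssh-keyscan -t rsa,ecdsa,ed25519 dtt.fms.iu.edu 2>/dev/null \
#     | filter_trusted $DTT_PINNED > new_keys && cat new_keys >> ~/.ssh/known_hosts
```

A non-zero exit status means nothing should be appended to known_hosts; the rejected fingerprints are printed to standard error for comparison with the published list.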