Use the SFTP and SFTP Ciphers tab of the MOVEit Transfer Configuration utility to configure the SFTP server.

To open/run the MOVEit Transfer Configuration Utility:

  1. From Windows, select the Start menu.
  2. Choose the shortcut for MOVEit Transfer Config.

Note: Users, groups, and folder settings are maintained through the Web UI or MOVEit Transfer API.

SFTP Server Configuration Update Interval

The MOVEit Transfer SFTP server applies configuration changes immediately; the changes take effect the next time a new connection is established (existing sessions are not affected).

Exception: If a change is made to the SFTP port, the MOVEit Transfer SFTP service must be restarted for this change to take effect.

SFTP Tab

The MOVEit Transfer Config Utility SFTP tab enables you to view and configure the SFTP server running on the current MOVEit Transfer server host.

Note: MOVEit Transfer uses SSH keys and controls for both SSH and SFTP (SSH File Transfer Protocol).

The controls on this panel allow you to:

  • Adjust the logical port that the SFTP listener runs on.
  • Generate SFTP Server host keys.
  • Bind an SFTP listener to a specific IP address.
  • Bind keys generated from algorithms with extended security (elliptic curve, for example).
  • Manage, maintain, and update keys in use by MOVEit SFTP.

Multiple SFTP Server Host Key Types

MOVEit Transfer allows you to configure each SFTP binding (including the default binding) with one or more host keys. This feature makes it convenient for SSH/SFTP clients to connect to MOVEit Transfer, especially when their policy constraints limit them to a specific key or key type.

You can add SFTP Binding Configuration Options using the controls on the SFTP tab of the MOVEit Transfer Config Utility.
Note: You can use the SFTP tab and Bindings panel to create additional host keys and then assign them to any of the bindings (including default).

You can also bind SFTP to listen on different IP addresses using the Bindings panel.

SFTP tab and bindings panel

SFTP Configuration Panel

SFTP Port:

This is the TCP/IP port on which the SFTP server listens for incoming connection requests.
The default value is 22, the well-known port for SSH/SFTP.

Server Keys

The Server Keys view on the SFTP tab shows:

  • Name. Readable name.
  • Key type. The algorithm used to generate the key pair.
  • Fingerprint. The MD5 hash of the server key.

Note: You can bind these keys with a specific IP address (SFTP server endpoint) using the Bindings panel. This can be useful for multi-org deployments, for example.

The Server Keys controls (Add Key, Edit, Remove, Default) allow you to:

  • Generate new keys you can assign to an SFTP listener. (Add Key)
  • Edit friendly name, view, copy key pair, remove key. (Edit)
  • Remove a key and prevent connections from clients using that key. (Remove)
  • Make a key the default. (Default)

Note for Multi-org Systems

Note: If your MOVEit Transfer configuration has multiple organizations, you might want to add a different server key for each organization. Doing so will make it easier to change only one organization’s server key without affecting other organizations.
Viewing and Understanding SFTP Server Keys

SFTP clients use this key to encrypt traffic that only the SFTP server holding the matching private key (generated as part of the public/private key pair) can decrypt.
The key is generated internally, and the MD5 hash of the key is displayed here for reference. There is no mechanism to edit this value. Use the View button next to the MD5 field to view and/or export the entire SFTP public key.

To Export the Public Key

To export the MOVEit Transfer SFTP public key:
  1. Click the Edit button on the SFTP tab of the MOVEit Transfer Config utility. The dialog will show you the key in two different formats.
  2. Select all the text in the window displaying the format you wish to export, press CTRL+C to copy the text, then save it into a text file of your choice.

Tip: Unless you change them, the MOVEit DMZ SFTP server key for a given type/binding will not change. It might be helpful to export both public formats of the same SFTP server key while you're in this dialog. If you save these off (perhaps on an internal server), you might save time and not need to refer to the SFTP tab later.

Add a new Server Key:

  1. Click Add and then select the desired key type and size. Key type refers to the algorithm. Different algorithms have different advantages and tradeoffs. Size roughly corresponds to the key space, and therefore to the difficulty of attacking the key. (Better algorithms with larger key sizes mean better security for the key pair.)

    • DSS key type provides digital signatures but not key exchange or encryption. With DSS, signature generation is faster than signature verification.
    • ECDSA key types use elliptic curve algorithms that span a larger problem space with faster compute times.
    • RSA key types provide digital signatures, key exchange, and encryption. With RSA, signature verification is faster than signature generation.

    After you select a key type and size, the Add SFTP Server Key window displays:

    This window shows the key details, including:

    • Fingerprint
    • Type
    • OpenSSH Format
    • SSH2 Format
  2. Enter a Name for the key and click OK.

    The new key is added to the Server Keys window.

    • To edit a key's name, select the key and click Details.
    • To remove a key, select the key and click Remove.
    • To make a key the default SFTP server key, select the key and click Default. The current default key will be renamed to "OldDefault-year-month-day_xxxxxx" and the name of the key you have selected will be renamed "default."
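The Add SFTP Server Key window shows the same public key in two wrappings (OpenSSH and SSH2) plus its MD5 fingerprint. As an added example that is not code from the MOVEit Transfer product or its documentation, the following Python script parses an OpenSSH-format line, recomputes the colon-separated MD5 fingerprint the Server Keys view lists (and the SHA256 form newer clients print), and converts between the OpenSSH and SSH2 (RFC 4716) formats so that an export in either format can be checked against what a client reports before the key is trusted. The ssh-rsa blob is constructed by hand with placeholder numbers and is not a usable key; all function names are the example's own.

```python
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint for a positive integer (leading 0x00 if the high bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


# Constructed sample (assumption): an ssh-rsa blob with a tiny placeholder modulus.
# It has the correct wire layout but is NOT a usable key; it only lets this run offline.
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE1234567890ABCDEF)
SAMPLE_OPENSSH_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " moveit-default"


def parse_openssh(line: str):
    """Parse one OpenSSH public-key line: '<type> <base64 blob> [comment]'.

    Returns (key_type, blob, comment). A line whose declared type does not match the
    type encoded inside the blob is rejected, which catches a copy-and-paste mix-up."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64>' with an optional comment")
    declared_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    (name_len,) = struct.unpack(">I", blob[:4])
    blob_type = blob[4:4 + name_len].decode("ascii")
    if blob_type != declared_type:
        raise ValueError(f"declared type {declared_type!r} but blob encodes {blob_type!r}")
    return declared_type, blob, comment


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the form the Server Keys view displays."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the unpadded-base64 form newer OpenSSH clients print."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def to_ssh2_format(blob: bytes, comment: str = "") -> str:
    """Wrap the same blob in the SSH2 / RFC 4716 public-key file format."""
    body = base64.b64encode(blob).decode()
    lines = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        lines.append(f'Comment: "{comment}"')
    lines.extend(body[i:i + 70] for i in range(0, len(body), 70))  # RFC 4716 caps lines at 72 chars
    lines.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(lines) + "\n"


def from_ssh2_format(text: str) -> bytes:
    """Extract the key blob from an RFC 4716 file. Header lines such as 'Comment:' are
    skipped (base64 never contains ':'); multi-line header continuations are not handled."""
    body = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----") or ":" in line:
            continue
        body.append(line)
    return base64.b64decode("".join(body), validate=True)


def fingerprints_match(openssh_line: str, ssh2_text: str) -> bool:
    """True when an OpenSSH-format export and an SSH2-format export describe the same key."""
    _, blob_a, _ = parse_openssh(openssh_line)
    return md5_fingerprint(blob_a) == md5_fingerprint(from_ssh2_format(ssh2_text))


if __name__ == "__main__":
    key_type, blob, comment = parse_openssh(SAMPLE_OPENSSH_LINE)
    print(key_type, comment)
    print("MD5:   ", md5_fingerprint(blob))
    print("SHA256:", sha256_fingerprint(blob))
    print(to_ssh2_format(blob, comment))
```

On a client host, `ssh-keygen -l -E md5 -f exported.pub` prints the same colon-separated MD5 fingerprint from an OpenSSH-format export, so the value can be compared against the Fingerprint column before the host key is accepted into a client's known hosts.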

Bindings Panel (and Add Alternate Bindings)

Alternate Bindings lets you associate a Server IP and Server Key types with a MOVEit Transfer Organization.

If your MOVEit Transfer system has multiple organizations and it allows duplicate usernames across organizations, you can direct users to the IP address of their specific organization at system sign-on by way of an alternate binding. You can also assign a unique server key to an organization so that any changes you make to that server key will affect only that organization.
Note: You can specify binding rules for a single IP address.

To add an alternative binding:

  1. Under Bindings, click Add.

    The Add SFTP Alternative Binding dialog displays.

  2. Enter the following:
    • Server IP Address: Enter a distinct IP address that does not already have an alternative binding. Do not select the default Bind to IP Address (0.0.0.0).
    • Server Key: Select a host key from the drop-down list to bind to the Server IP address. Server keys appear here only if they have already been added to the Server Keys window.
    • Organization: Select an organization from the drop-down list to bind to the Server IP address. The dropdown list displays the following:
      • (default): Any organization can be assigned as the default. See WebUI SETTINGS - System - Miscellaneous for information on how to assign a default organization
      • Your current MOVEit Transfer Organizations.
  3. Click OK.

    The new binding is added to the Bindings window.

    Note: To edit the Server IP, Server Key, and Organization of a binding, select the binding and click Edit. To remove a binding, select the binding and click Remove.
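The binding rules above (a distinct, non-0.0.0.0 address per binding, a server key that already exists in the Server Keys window, an organization that exists or "(default)") are easy to get wrong when a table is maintained by hand or scripted. As an added example that is not code from the MOVEit Transfer product, the following Python checks a bindings table against those rules and also reports host keys shared by more than one organization, since a shared key cannot be rotated for one organization without affecting the others (the page's reason for assigning a unique key per organization). The key names, organization names and addresses are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed sample state (assumption): what the Server Keys and Bindings windows
# might hold on a two-organization system.
SERVER_KEYS = {"default", "orgA-rsa4096", "orgB-ecdsa521"}
ORGANIZATIONS = {"OrgA", "OrgB"}
BINDINGS = [
    {"server_ip": "10.0.0.11", "server_key": "orgA-rsa4096", "organization": "OrgA"},
    {"server_ip": "10.0.0.12", "server_key": "orgB-ecdsa521", "organization": "OrgB"},
]


def validate_bindings(bindings, server_keys, organizations):
    """Return a list of problem strings; an empty list means every rule is satisfied."""
    problems = []
    seen_ips = set()
    for n, b in enumerate(bindings, start=1):
        ip = b.get("server_ip", "")
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"binding {n}: {ip!r} is not a valid IP address")
            continue
        if addr.is_unspecified:  # 0.0.0.0 (or ::) is the bind-to-all default, not a distinct address
            problems.append(f"binding {n}: {ip} is the default bind-to-all address")
        if ip in seen_ips:
            problems.append(f"binding {n}: {ip} already has an alternate binding")
        seen_ips.add(ip)
        key = b.get("server_key")
        if key not in server_keys:
            problems.append(f"binding {n}: server key {key!r} is not in the Server Keys window")
        org = b.get("organization")
        if org != "(default)" and org not in organizations:
            problems.append(f"binding {n}: organization {org!r} does not exist")
    return problems


def keys_shared_across_orgs(bindings):
    """Map each host key used by more than one organization to the sorted list of those
    organizations. Rotating such a key changes the key presented to all of them."""
    orgs_by_key = defaultdict(set)
    for b in bindings:
        orgs_by_key[b["server_key"]].add(b["organization"])
    return {k: sorted(v) for k, v in orgs_by_key.items() if len(v) > 1}


if __name__ == "__main__":
    for p in validate_bindings(BINDINGS, SERVER_KEYS, ORGANIZATIONS):
        print("PROBLEM:", p)
    print("shared keys:", keys_shared_across_orgs(BINDINGS))
```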

Diagnostic Logs (set on Status tab)

The MOVEit Transfer SFTP server diagnostic log settings can be changed on the Status tab of the configuration utility. See the MOVEit Transfer Config Utility Status Tab for details.

Paths (set on Paths tab)

The MOVEit Transfer SFTP server communicates with MOVEit Transfer using the Machine URL configured on this tab. See the MOVEit Transfer Config Utility Paths tab for details.

SFTP Ciphers Tab

Tip: In general, more secure algorithms are made available by the latest version of MOVEit Transfer. Also note, if you select strict FIPS mode this will reduce the list to algorithms that comply with the FIPS standard.

The SFTP Ciphers Tab includes:

  • SFTP Ciphers. Algorithms available for encrypting data and their priority.
  • Hash Functions. Hash-based Message Authentication Codes used and their priority.
  • Key exchange algorithms. Algorithms available to exchange a session key and their priority.
Note: You can use the SFTP Ciphers tab to select a group (subset) of ciphers that enable FIPS mode. This mode provides cryptographic capabilities and algorithms that conform to Federal Information Processing Standards (FIPS 140-3).
Important: The list of algorithms you can select from depends on server and policy constraints. For example, if you enable FIPS mode, a subset of more secure FIPS-conforming algorithms displays.
The encryption and hashing algorithms that the MOVEit Transfer SFTP server uses can be configured on the SFTP Ciphers Tab.

This tab lets you select the ciphers and hash functions used to secure the SFTP connection.

For FIPS and PCI compliance, you may need to prevent the use of weak ciphers. For example, a PCI audit may flag the use of ciphers, such as MD5 and MD5-96. FIPS-approved cryptographic methods for SFTP include (as of September 2015) 3des-cbc, aes128-cbc, aes192-cbc, and aes-256 ciphers with hmac-sha2-512, hmac-sha2-256, hmac-sha1, hmac-md5, hmac-sha1-96, and hmac-md5-96 as the approved hash functions.

Note: Both the client's and the server's preferences are taken into consideration when choosing the actual cipher and hash function for a given session. There must be a common cipher and hash function on both sides or there will be an error.

Selecting SFTP Ciphers

The SFTP Ciphers section allows you to choose which ciphers are permissible and their order of preference. By default, all ciphers available to the current MOVEit Transfer platform are available.

  1. Select or clear the Enabled check box to enable or disable an entry.
  2. For order of precedence, use the arrow buttons to move entries up or down in the list. (Entries closer to the top of the list are given preference over entries lower down.)
    Note: If you must permit weak ciphers or hashes, you should always put the stronger options at the top of the list.
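How the Enabled check box and the list order actually play out in a session is worth seeing in code. As an added example that is not code from the MOVEit Transfer product, the following Python applies the SSH negotiation rule from RFC 4253 section 7.1 to constructed server and client lists: for each category, the chosen algorithm is the first entry on the client's preference list that the server also has enabled, and no common entry means the negotiation error the note above describes. Because the client's order decides among the common set, a weak MAC the server leaves enabled can still be chosen even when it sits at the bottom of the server's list; clearing its Enabled box is what removes it. The weak-algorithm markers are taken from the page's PCI example (MD5 and 96-bit truncated MACs) and are an assumption to extend per your own audit policy; the lists and function names are the example's own.

```python
# Constructed sample lists (assumption): a server's enabled MAC list as configured on the
# SFTP Ciphers tab, strongest first, and the preference lists three clients might send.
SERVER_MACS = ["hmac-sha2-512", "hmac-sha2-256", "hmac-sha1", "hmac-md5", "hmac-md5-96"]
CLIENT_MODERN = ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"]
CLIENT_LEGACY = ["hmac-md5", "hmac-sha1"]
CLIENT_MD5_ONLY = ["hmac-md5-96"]

# Substrings that mark an algorithm as weak: the page's PCI example (MD5, MD5-96).
# Assumption; extend for your own policy (for example other truncated or legacy MACs).
WEAK_MARKERS = ("md5", "-96")


def is_weak(alg: str) -> bool:
    """True when the algorithm name carries one of the weak markers."""
    return any(m in alg.lower() for m in WEAK_MARKERS)


def negotiate(client_prefs, server_enabled):
    """RFC 4253 section 7.1: the first algorithm on the client's list that the server also
    has enabled wins. Returns None when there is no common algorithm (connection error)."""
    enabled = set(server_enabled)
    for alg in client_prefs:
        if alg in enabled:
            return alg
    return None


def harden(server_enabled):
    """The effect of clearing the Enabled box on every weak entry; order of the rest is kept."""
    return [a for a in server_enabled if not is_weak(a)]


def audit(server_enabled):
    """Report weak entries still enabled, and any weak entry ranked above a stronger one
    (the page's advice is to keep stronger options at the top if weak ones must remain)."""
    strong_positions = [i for i, a in enumerate(server_enabled) if not is_weak(a)]
    last_strong = max(strong_positions) if strong_positions else -1
    return {
        "weak_enabled": [a for a in server_enabled if is_weak(a)],
        "weak_above_strong": [a for i, a in enumerate(server_enabled) if is_weak(a) and i < last_strong],
    }


def simulate(server_enabled, clients):
    """Run the negotiation for several named client preference lists against one server list."""
    return {name: negotiate(prefs, server_enabled) for name, prefs in clients.items()}


if __name__ == "__main__":
    clients = {"modern": CLIENT_MODERN, "legacy": CLIENT_LEGACY, "md5-only": CLIENT_MD5_ONLY}
    print("as configured:", simulate(SERVER_MACS, clients))
    print("audit:        ", audit(SERVER_MACS))
    print("after harden: ", simulate(harden(SERVER_MACS), clients))
```

The legacy client in the sample negotiates hmac-md5 against the server list as configured even though the server ranks it last; after `harden` removes the MD5 entries that client falls through to hmac-sha1, and the MD5-only client gets no common algorithm and is refused, which is the intended outcome of a PCI-driven cleanup. The same `negotiate` rule applies to the cipher and key exchange lists on this tab.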

FIPS Mode

The MOVEit Transfer SFTP library provides cryptographic capabilities and algorithms that conform to Federal Information Processing Standards (FIPS 140-3). The FIPS-validated secure encryption, key exchange, host key, client key, MAC, and compression algorithms are available in the MOVEit Transfer Config Utility.

To select FIPS mode:

  1. Click the Enable FIPS Mode checkbox to limit the SFTP Ciphers, Hash Functions, and Key Algorithms to a subset that conforms to the FIPS standard.
  2. Verify/check that you have reduced the list of ciphers to the subset that conforms to the FIPS standard.

SFTP Ciphers Tab with FIPS Mode Checkbox Selected

Selecting SFTP Hash Functions

The SFTP Hash Functions section allows you to choose which hash functions are permissible and their order of preference. By default, all hash functions available to the current MOVEit Transfer platform will be available.

Note: Hash functions are used to verify message integrity.
  1. Select or clear the Enabled check box to enable or disable an entry.
  2. Use the arrow buttons to move entries up or down in the list. (Entries closer to the top of the list are given preference over entries that follow them in the list.)