To ensure being able to connect to the SFTP immediately upon gaining access we recommend that you send a SSH key with the application for access to the test server, see guide on how to create the SSH below.
Nets SFTP server supports: SSH Version 2, Version 3 SFTP protocol, as supported by OpenSSH Inbound scp commands using SSH / SCP protocol, as supported by OpenSSH
Steps to connect to Nets SFTP:
1. The customer has acquired a SFTP client
2. The customer generates User Identity key pair, User-rsa.pub + User-rsa.ppk
3. The customer sends public key User-rsa.pub to Nets.
4. Nets assigns a User ID and connects the received User-rsa.pub to this, and returns the details to the customer via email. (Nets assigns a unique User ID for test and production).
5. The customer enters in the SFTP client:
a. User ID received from Nets. (Passwords are not used)
b. IP address to the SFTP server, test= 220.127.116.11 port 22
c. Private key: User-rsa.ppk
6. The customer connects to Nets via the SFTP client.
The User ID provided by Nets:
t (test) , p (prod) + 6-8 characters indicating company.
Example: tFIRMA1 (test), pFIRMA1 (prod).
The subfolder tFIRMA1/Inbound/DK12345678 is where shipment zip files to be sent, are placed.
The subfolder tFIRMA1/Outbound is where Nets will place receipts, distribution reports, return files and all other files.
Control of key fingerprint at the first connection
1. SFTP client connects to the desired environment, test or production.
2. On initial connection to the Nets SFTP server, the operator will be asked to approve a key fingerprint of the host-key. After approval, the Nets SFTP server is stored as a known host. None other than one of these key fingerprints shall occur. This approves the Nets SFTP server.
Test = 09:fd :65:3a:12:16:a6:3c:a3:32:25:ac:60:1f:cb:11
The host-key is used to establish an encrypted SSH connection. By subsequent logons, the host-key is known and session keys can be exchanged without the need of key fingerprint approval.
User authentication at logon
1. User authentication
a. The SFTP client sends the User ID. (Received User ID and IP address are already added to the SFTP client).
b. The SFTP server generates a random number (a session-password). This random number is encrypted with the User-rsa.pub. (The User-rsa.pub received from the client side is already connected to the User ID).
c. The SFTP client decrypts with its User-rsa.ppk, finds the random number and sends it back to the SFTP server.
d. With the correct random number, the SFTP client is verified.
2. The connection is established, the customer can access its area with subdirectories.
a. Inbound/DK+organization number. For submission of files, as well as receipts from Nets. (NOR for Norway and SE for Sweden instead of DK if sender is not Danish)
b. Outbound for files from Nets that can be retrieved.
How to get started with SFTP against Nets
Various SFTP clients can be acquired either as freeware from the net, or as licensed software. There are SFTP clients for all common operating systems like Linux, Unix, Windows and z/OS.
The below is intended as an initial help to get started with SFTP from a Windows platform.
Link to freeware for Windows that supports SFTP (There are others that can be used):
Generate User Identity Key Pair
(public and private key) RSA type with 1024 or 2048 key length.
After SFTP client is acquired and installed, a User Identity key pair for authentication of the user must be generated.
On Windows you can use the program PuTTYgen to generate the key pair. (PuTTYgen is provided with the installation of WinSCP).
Start PuTTYgen and generate the SSH RSA key pair (move the mouse in blank space)
Save your private key and public key,
E-mail the Public key to Nets.
The Private key is used in the SFTP Client's Login configuration.
For operating systems other than Windows, consult the documentation for generation of key pairs. On Unix/Linux, the command is ssh-keygen.
Nets recommends using a Passphrase for the private user-key.
The passphrase is a local password protecting the user's own private-key. The passphrase is controlled by the SFTP client before logon, and are thus not part of the user authentication in the SFTP server. If the use of passphrase causes automation problems, it can be omitted. If you choose not to use the passphrase, you have to secure the private key otherwise. This can be done by storing the private key on a location with limited access.
When access has been approved to the SFTP server
When you have received the mail from the support team with the details on your information and you have provided a valid SSH key, then you may send the first shipment.
When logging in your username is tXXXXX in test or pXXXXX in production. The folder you are to place the shipments for sending is tXXXXX/Inbound/DKXXXXXXXX and the place where you may see the receipts and all other outbound files are tXXXXX/Outbound
In the beginning, it might be useful to use the Nets Share Overview page to keep track of the different files you receive, and when to expect them.
If you have any questions in regards to using Nets Share or need help with tests, please feel free to contact our support team @ the Support page