IBM Aspera Connect Server 3.5.5 Solaris, FreeBSD Revision: 3.5.5.107626 Generated: 06/09/2015 15:59


Contents

Introduction

Standard Installation
    Requirements
    Before Upgrading
    Product Setup
    Configuring the Firewall
    Securing your SSH Server
    Testing a Locally Initiated Transfer
    Updating the Product License
    Uninstall

Connect Server Web UI Setup
    Configuring Apache
    Configuring your Web UI Settings
    Customize your Web UI's Appearance
    Configuring HTTP and HTTPS Fallback
    Testing Web UI

Managing Users
    Test User-Initiated Remote Transfer
    Setting Up Transfer Users
    Setting Up Transfer Groups
    Configuration Precedence
    Setting Up a User's Public Key

General Configuration Reference
    Configuring Symbolic Links
        Advanced Symbolic Link Options (ascp)
        Server-Side Symbolic Link Handling
    aspera.conf - Authorization
    aspera.conf - Transfer
    aspera.conf - File System

Global Transfer Settings
    Global Bandwidth Settings
    Setting Up Virtual Links
    Transfer Server Configuration

Managing the Node API
    Overview: Aspera Node API
    Node API Setup
    Setting up Node Users
    Node Admin Tool
    aspera.conf for Nodes
    Redis DB Backup/Restore
    Setting up SSL for your Nodes

Database Logger
    Setting Up Database Logger
    Configuring the Database Logger

Pre- and Post-Processing (Prepost)
    Setting Up Pre/Post
    Pre/Post Variables
    Pre/Post Examples
    Setting Up Email Notification
    Email Notification Examples

Transferring from the Command Line
    Ascp Command Reference
    Ascp General Examples
    Ascp File Manipulation Examples
    Ascp Transfers to Cloud Storage
    Token Generation
    Creating SSH Keys
    Ascp FAQs

Configuring for the Cloud
    Configuring aspera.conf for S3

Appendix
    Restarting Aspera Services
    Optimizing Transfer Performance
    Create an SSL Certificate (Apache)
    Enable SSL (Apache)
    Log Files
    Setting Up Token Authorization
    Configuring Token Authorization With aspera.conf
    Product Limitations

Troubleshooting
    Clients Can't Establish Connection

Technical Support

Feedback

Legal Notice


Introduction

IBM Aspera Connect Server is a web-based file transfer server built upon Aspera's FASP transport. Connect Server offers the following features:

| Feature | Description |
|---|---|
| FASP transport technology | File transfer protocol that dramatically speeds transfers over IP networks by eliminating the fundamental bottlenecks in conventional technologies. FASP features bandwidth control, resume, transfer encryption, content protection, and data integrity validation. |
| Transfer server | Allows an unlimited number of concurrent client transfers. Uses virtual links to manage aggregate bandwidth usage. |
| Connect Server Web UI | A web-based interface that enables transfers for Aspera Connect clients. Includes the HTTP Fallback Server to allow clients without FASP connectivity to transfer using HTTP or HTTPS. |
| Database Logger | A MySQL adapter that logs the server's transfer activity to a database. |
| Pre- and Post-Processing (Prepost) | Executes customizable actions when transfer events - start and end of sessions and files - occur. An email notification script is included. |
| ascp command | The command-line file transfer program. |


Standard Installation

Install the IBM Aspera transfer product and set up your computer for FASP file transfers.

Requirements

Software and hardware requirements for optimal product functionality

System requirements for IBM Aspera Connect Server:

• Product-specific Aspera license file.
• Solaris version 9 or higher.
• BSD version 8.
• libc version GLIB 2.3.4 or higher.
• SSH Server. Version 5.2 or higher is recommended.
• Perl version 5.8 or higher for Web UI.
• Apache version 2.0.x or 2.2.x for Web UI.
• For Database Logging - A MySQL Database.

The following web browsers are supported by Connect Server:

| Supported OS | Supported Browsers |
|---|---|
| Windows 2008r2, 2012 | Internet Explorer 8+, Firefox 27+, Google Chrome 32+ |
| Mac OS X 10.7+ | Safari 6+, Firefox 27+, Google Chrome 32+ |
| Linux 64-bit | Firefox 27+ |

If you plan to set up and use the Node API, you must also meet the following requirements on each node machine:

• In order to use this application on a cloud platform and access the object-based cloud storage, you must obtain an on-demand license. Please contact Technical Support.

• Identify a directory that you plan to use for sharing data. Later on (in the topic Node API Setup), we will use this directory as the absolute path for the transfer user.

• Verify that the machine's hosts file has an entry for "127.0.0.1 localhost." For UNIX-based nodes, check /etc/hosts. For Windows nodes, check C:\WINDOWS\system32\drivers\etc\hosts.

• For UNIX-based nodes, verify that SELINUX is disabled via cat /etc/sysconfig/selinux. SELINUX can be "permissive" or "disabled," but not "enforced."

Before Upgrading

Steps to take before upgrading your IBM Aspera product.

Warning: When upgrading from Connect Server versions older than 3.2.1, the Connect Server system-level security settings are not preserved and must be reconfigured. For instructions on enabling or disabling Connect Server system-level security, see "Configuring Apache" (second-to-last step).

The installer for Aspera Connect Server automatically checks for a previous version of the product on your system. If a previous version is found, the installer automatically removes it and upgrades your computer to the newer version.

Although the installer performs your upgrade automatically, we highly recommend completing the tasks below before starting the installation/upgrade process. If you do not follow these steps, you risk installation errors or losing your former configuration settings. Skip any steps that do not apply to your specific product version.

Note: You cannot upgrade directly between different Aspera transfer products (such as from Point-to-Point to Desktop Client, or from Point-to-Point to Enterprise Server). To upgrade, you need to back up the configuration, uninstall the product, and perform a fresh install of the new version of the product.

1. All Versions - Verify the version of your existing product

Depending on your current product version, the upgrade preparation procedure may differ. In a Terminal window, execute this command:

ascp -A

This displays the product name and version number.

2. All versions - Stop all FASP transfer-related applications and connections.

Before upgrading the application, close the following applications and services:

• ascp connections
• SSH connections

3. All versions - Back up the files

Depending on the version of your previous installation, back up the files in the specified locations:

Version 2.0.2 to 2.7+:

• /opt/aspera/etc/ (Server config, web config, user settings, license info)
• /opt/aspera/var/ (Pre- and Post-Processing scripts, Connect Server)

Version 2.0.1 and earlier:

• /var/opt/aspera/etc/ (Server config, web config, user settings, license info)
• /usr/local/aspera/var/ (Pre- and Post-Processing scripts, Connect Server)

If a previous version of Connect Server (Aspera Web) was set up and customized on your computer, back up the customized Connect Server installation in the following location and use it as a template to modify the new one:

/opt/aspera/var/webtools/

4. Version 2.1.x - Verify Aspera's configuration file (aspera.conf) version

If you are upgrading from Connect Server version 2.1.x and have HTTP Fallback configured, you may need to modify the aspera.conf file to avoid upgrade errors. Open aspera.conf with a text editor:

/opt/aspera/etc/aspera.conf

Remove the version="2" from the opening tag <CONF>:

<CONF version="2">...

5. Version 2.0.1 and earlier - Back up and restore Web UI authentication info

If the existing installation is version 2.0.1 or below, you may need to restore the Connect Server authentication information after the installation. Back up this file:

/var/opt/aspera/webpasswd

After the upgrade, restore the file to the following directory:

/opt/aspera/etc/

Product Setup

A walkthrough of the setup process.

Important: If this is a product upgrade, ensure that you have reviewed all prerequisites detailed under the topic "Before Upgrading."

IBM Aspera Connect Server is a web-based file server that enables file access through a browser, and transfers files using the IBM Aspera Connect Browser Plug-in. Additionally, you can set up HTTP Fallback to establish HTTP- or HTTPS-based file transfers with clients that don't have FASP connectivity.

To install Connect Server, log into your computer with permissions, and follow the steps below.

1. Download the IBM Aspera product installer

Download the installer from the link below. Use the credentials provided to your organization by Aspera to access:

http://asperasoft.com/en/downloads/4

If you need help determining your firm's access credentials, contact Technical Support.

2. For product upgrades, ensure you have prepared your machine to upgrade to a newer version.

Although the installer for Aspera Connect Server performs your upgrade automatically, Aspera highly recommends completing the tasks identified in the topic Before Upgrading. If you do not follow these steps, you risk installation errors or losing your former configuration settings.

3. Run the installer

When downloaded, run the installer using the following commands and with the proper administrative permissions. Replace the file name accordingly.

Solaris:

$ pkgadd -d aspera-entsrv-version.pkg

FreeBSD:

$ cd /usr/ports/misc/compat4x
$ make
$ make install
$ make clean
$ tar -xzvf (path to installer)/aspera-entsrv-[version].tar
$ sh (path to installer)/aspera-entsrv-[version].sh
$ kldload aio

FreeBSD NOTE #1: You must edit /boot/loader.conf to automatically load the AIO module after a reboot, for example:

$ echo 'aio_load="YES"' >> /boot/loader.conf

FreeBSD NOTE #2: Reflect the folder name compat4x on your system. Also, an additional input/output processing module called AIO (Asynchronous I/O) needs to be loaded for Aspera FASP file transfer.

4. Install the license

To install the license through command line, create the following file and paste your license key string into it:


/opt/aspera/etc/aspera-license

When finished, save and close the file. To verify the license info, run the following command:

$ ascp -A

If you are updating your product license after the installation, see Updating the Product License.

5. Review or update OpenSSH authentication methods

Open your SSH Server configuration file with a text editor:

/etc/ssh/sshd_config

To allow public key authentication, set PubkeyAuthentication yes. To allow password authentication, set PasswordAuthentication yes. Here is a configuration example:

...
PubkeyAuthentication yes
PasswordAuthentication yes
...

When modified, run the following to reload SSH:

Solaris:

$ pfexec svcadm refresh ssh

FreeBSD:

$ sudo /etc/init.d/ssh restart

To further review your SSH Server's configuration to strengthen security, refer to Securing your SSH Server.

6. Convert the old aspera.conf file manually (necessary only when upgrading from product version 2.2 or earlier)

For product versions 2.5+, the docroot settings have been moved to the Aspera configuration file, aspera.conf. When upgrading from product version 2.2 or earlier, the installer converts your old configuration files to the new format, using a "strict" method. If the old aspera.conf file has errors or unrecognized directives, the conversion will fail. To review the errors, run a strict conversion manually. Change aspera.conf's path if it is not in the default location.

$ cd /opt/aspera/etc
$ sudo asconfigurator -T -F convert_conf_V1_data ./aspera.conf

If an error occurs during the conversion, use the relaxed conversion method:

$ cd /opt/aspera/etc
$ sudo asconfigurator -F convert_conf_V1_data ./aspera.conf

7. (For upgrades) Check aspera.conf for errors

When upgrading your Aspera product to a newer version, it is recommended that you check the aspera.conf configuration file for errors. Run the following command in a terminal window to validate aspera.conf:

$ /opt/aspera/bin/asuserdata -v

8. Set up your new Connect Server's Web UI (or verify your Web UI settings after an upgrade).

At this point, your IBM Aspera transfer product is installed; however, additional steps are required to configure the Web UI. For information on configuring the Web UI, see "Connect Server Web UI Setup".

Important: When upgrading from Connect Server versions older than 3.0, system-level security settings are not preserved and must be reconfigured. For instructions on enabling or disabling system-level security, see "Configuring Apache" (second-to-last step).

Configuring the Firewall

Firewall settings required by the product.

Your Aspera transfer product requires access through the ports listed in the table below. If you cannot establish the connection, review your local corporate firewall settings and remove the port restrictions accordingly.

Firewall configuration by product:

Connect Server

An Aspera server runs one SSH server on a configurable TCP port (22 by default).

Important: Aspera strongly recommends running the SSH server on a non-default port to ensure that your server remains secure from SSH port scan attacks. Please refer to the topic Securing your SSH Server for detailed instructions on changing your SSH port.

Your firewall should be configured as follows:

• Allow inbound connections for SSH, which is on TCP/22 by default, or on another non-default, configurable TCP port. To ensure that your server is secure, Aspera strongly recommends allowing inbound connections for SSH on TCP/33001, and disallowing inbound connections on TCP/22. If you have a legacy customer base utilizing TCP/22, then you can allow inbound connections on both ports. Please refer to the topic Securing your SSH Server for details.

• Allow inbound connections for FASP transfers, which use UDP/33001 by default, although the server may also choose to run FASP transfers on another port.

• If you have a local firewall on your server (like iptables), verify that it is not blocking your SSH and FASP transfer ports (e.g. TCP/UDP 33001).

• For the HTTP Fallback Server, allow inbound and outbound connections for HTTP and/or HTTPS (e.g. TCP/8080, TCP/8443).

• For the Web UI, allow inbound connections for HTTP and/or HTTPS Web access (e.g. TCP/80, TCP/443).

The firewall on the server side must allow the open TCP port to reach the Aspera server. Note that no servers are listening on UDP ports. When a transfer is initiated by an Aspera client, the client opens an SSH session to the SSH server on the designated TCP port and negotiates the UDP port over which the data transfer will occur.

For Aspera servers that have multiple concurrent clients utilizing two or more user accounts, FreeBSD does not allow the Aspera FASP protocol to reuse the same UDP port. Conversely, one UDP port can be opened if only one account is being used for transfers. Thus, if you have multiple concurrent clients utilizing multiple user accounts and your Aspera server runs on FreeBSD, then you must allow inbound connections on a range of UDP ports, where the range of ports is equal to the maximum number of concurrent FASP transfers expected. These UDP ports should be opened incrementally from the base port, which is UDP/33001, by default. For example, to allow 10 concurrent FASP transfers that are using two or more user accounts, allow inbound traffic from UDP/33001 to UDP/33010.

Client

Typically, consumer and business firewalls allow direct outbound connections from client computers on TCP and UDP. There is no configuration required for Aspera transfers in this case. In the special case of firewalls disallowing direct outbound connections, typically using proxy servers for Web browsing, the following configuration applies:

• Allow outbound connections from the Aspera client on the TCP port (TCP/33001, by default, when connecting to a Windows server, or on another non-default port for other server operating systems).

• Allow outbound connections from the Aspera client on the FASP UDP port (33001, by default).

• If you have a local firewall on your server (like iptables), verify that it is not blocking your SSH and FASP transfer ports (e.g. TCP/UDP 33001).

Important: Multiple concurrent clients cannot connect to a Windows Aspera server on the same UDP port. Similarly, multiple concurrent clients that are utilizing two or more user accounts cannot connect to a Mac OS X or FreeBSD Aspera server on the same UDP port. If connecting to these servers, you will need to allow a range of outbound connections from the Aspera client (that have been opened incrementally on the server side, starting at UDP/33001). For example, you may need to allow outbound connections on UDP/33001 through UDP/33010 if 10 concurrent connections are allowed by the server.

Important: If you have a local firewall on your server (Windows firewall, Linux iptables or Mac ipfw), then you will need to allow the Vlink UDP port (55001, by default) for multicast traffic. For additional information on setting up Vlinks, please refer to the topic Setting Up Virtual Links.

Securing your SSH Server

Secure your SSH server to prevent potential security risks.

Introduction

Keeping your data secure is critically important. Aspera strongly recommends you take additional steps in setting up and configuring your SSH server so that it is protected against common attacks. Most automated robots will try to log into your SSH server on Port 22 as root, with various brute force and dictionary combinations in order to gain access to your data. Furthermore, automated robots can put enormous loads on your server as they perform thousands of retries to break into your system. This topic addresses steps to take in securing your SSH server against potential threats, including changing the default port for SSH connections from TCP/22 to TCP/33001.

Why Change to TCP/33001?

It is well known that SSH servers listen for incoming connections on TCP Port 22. As such, Port 22 is subject to countless, unauthorized login attempts by hackers who are attempting to access unsecured servers. A highly effective deterrent is to simply turn off Port 22 and run the service on a seemingly random port above 1024 (and up to 65535). To standardize the port for use in Aspera transfers, we recommend using TCP/33001.

Note: Remote Aspera application connections attempt to establish an SSH connection using the default port 33001. However, if the connection fails, the application attempts the connection using port 22.

The following explains how to change the SSH port to 33001 and take additional steps for securing your SSH server. The steps all require root access privileges.

1. Locate and open your system's SSH configuration file

Open your SSH configuration file with a text editor. You will find this file in the following system location:

/etc/ssh/sshd_config

2. Add new SSH port

Note: Before changing the default port for SSH connections, verify with your network administrators that TCP/33001 is open.

The OpenSSH suite included in the installer uses TCP/22 as the default port for SSH connections. Aspera recommends opening TCP/33001 and disabling TCP/22 to prevent security breaches of your SSH server.

Note: When changing the SSH port, you must also update the SshPort value in the <WEB...> section of aspera.conf. See Configuring your Web UI Settings for details.

To enable TCP/33001 while your organization is migrating from TCP/22, open Port 33001 within your sshd_config file (where SSHD is listening on both ports). As demonstrated by this exercise, SSHD is capable of listening on multiple ports.

...
Port 22
Port 33001
...

Once your client users have been notified of the port change (from TCP/22 to TCP/33001), you can disable Port 22 in your sshd_config file. To disable TCP/22 and use only TCP/33001, comment out Port 22 in your sshd_config file.

...
#Port 22
Port 33001
...

Note: Aspera recognizes that disabling the default SSH connection port (TCP/22) may affect your client users. When you change the port, ensure that you advise your users on configuring the new port number. Basic instructions for specifying the SSH port for FASP file transfers can be found below. To change the SSH port for Aspera Client, click Connections on the main window, and select the entry for your computer. Under the Connection tab, click Show Advanced Settings and enter the SSH port number in the SSH Port (TCP) field.

To make an impromptu connection to TCP/33001 during an ascp session, specify the SSH port (33001) with the -P (capital P) flag. Note that this command does not alter ascp or your SSH server's configuration.

$ ascp -P 33001 ...

3. Disable non-admin SSH tunneling

Note: The instructions below assume that OpenSSH 4.4 or newer is installed on your system. For OpenSSH 4.4 and newer versions, the "Match" directive allows some configuration options to be selectively overridden if specific criteria (based on user, group, hostname and/or address) are met. If you are running an OpenSSH version older than 4.4, the Match directive is not available; Aspera recommends updating to the latest version.

In OpenSSH versions 4.4 and newer, disable SSH tunneling to avoid potential attacks, thereby allowing tunneling only from root users. To disable non-admin SSH tunneling, open your SSH Server configuration file, sshd_config, with a text editor.

Add the following lines to the end of the file (or modify them if they already exist):

...
AllowTcpForwarding no
Match Group root
AllowTcpForwarding yes

Depending on your sshd_config file, you may have additional instances of AllowTCPForwarding that are set to the default Yes. Review your sshd_config file for other instances and disable as appropriate.

Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders. Review your user and file permissions, and see the instructions below on modifying shell access.

4. Update authentication methods

Public key authentication can prevent brute-force SSH attacks if all password-based authentication methods are disabled. For this reason, Aspera recommends disabling password authentication in the sshd_config file and enabling private/public key authentication. To do so, add or uncomment PubkeyAuthentication yes and comment out PasswordAuthentication yes.

...
PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication no
...

Note: If you choose to leave password authentication enabled, be sure PermitEmptyPasswords is set to "no".

PermitEmptyPasswords no

5. Disable Root Login

OpenSSH defaults to allowing root logins; however, disabling root access helps you to maintain a more secure server. Aspera recommends commenting out PermitRootLogin yes in the sshd_config file and adding PermitRootLogin no.

...
#PermitRootLogin yes
PermitRootLogin no
...

Administrators can then utilize the su command if root privileges are needed.

6. Restart the SSH server to apply new settings

When you have finished updating your SSH server configuration, you must restart or reload the server to apply your new settings. Restarting or reloading your SSH server will not impact currently connected users. To restart or reload your SSH Server, you may use the following commands:

OS Version   Instructions
Solaris      $ pfexec svcadm refresh ssh
FreeBSD      $ sudo /etc/rc.d/sshd reload
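
One way to check steps 2 through 5 before reloading sshd, as an added example that is not part of the Aspera documentation or tooling. The function names, the assumed defaults and the two sample configurations are constructed for illustration; the audit covers only the settings named in those steps.

```python
"""Audit an sshd_config against steps 2-5 above (added example, not Aspera code)."""

# Values assumed when a keyword is absent. PermitRootLogin "yes" follows the
# text above; check sshd_config(5) for the defaults of your OpenSSH version.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "yes",
}


def parse_sshd_config(text):
    """Return (ports, global_options, match_blocks).

    Two sshd parsing rules matter for the audit:
      * the first value obtained for a keyword wins, later duplicates are ignored;
      * every line after a Match line belongs to that Match block.
    """
    ports, global_opts, match_blocks = [], {}, []
    scope = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # blank line, comment, or "..." elision
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            scope = {}
            match_blocks.append((value, scope))
        elif key == "port" and scope is global_opts:
            ports.append(int(value))  # Port may be repeated
        else:
            scope.setdefault(key, value.lower())
    return ports or [22], global_opts, match_blocks


def audit(text):
    """Return a list of findings; an empty list means steps 2-5 are satisfied."""
    ports, opts, match_blocks = parse_sshd_config(text)

    def effective(keyword):
        return opts.get(keyword, DEFAULTS[keyword])

    findings = []
    if 33001 not in ports:
        findings.append("Port 33001 is not enabled")
    if 22 in ports:
        findings.append("Port 22 is still enabled")
    if effective("allowtcpforwarding") != "no":
        findings.append("AllowTcpForwarding is not 'no' globally")
    for criteria, block in match_blocks:
        forwarding = block.get("allowtcpforwarding", "no")
        if forwarding != "no" and criteria.lower().split() != ["group", "root"]:
            findings.append(f"Match {criteria} re-enables AllowTcpForwarding")
    if effective("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is not 'yes'")
    if effective("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no'")
        if effective("permitemptypasswords") != "no":
            findings.append("PermitEmptyPasswords is not 'no'")
    if effective("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not 'no'")
    return findings


# Constructed sample: the end state described in steps 2-5.
HARDENED = """\
#Port 22
Port 33001
PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication no
#PermitRootLogin yes
PermitRootLogin no
AllowTcpForwarding no
Match Group root
AllowTcpForwarding yes
"""

# Constructed sample with two easy mistakes: an earlier "AllowTcpForwarding yes"
# wins over the appended "no", and PermitRootLogin lands inside the Match block.
MISPLACED = """\
Port 33001
AllowTcpForwarding yes
PasswordAuthentication no
AllowTcpForwarding no
Match Group root
AllowTcpForwarding yes
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, cfg in (("HARDENED", HARDENED), ("MISPLACED", MISPLACED)):
        print(name, audit(cfg) or "OK")
```

The second sample shows why the Match lines belong at the end of the file and why other instances of a keyword need review: sshd keeps the first value it reads, and anything written after a Match line applies only to that block.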

7. Restrict user access

Restricting user access is a critical component of securing your server. By default, all user accounts are allowed to browse and read all files on the server. To limit a user's access to a portion of the system, set the account's shell to the Aspera secured shell (aspshell) and create a document root (docroot) for that user. The aspshell permits only the following operations:

• Run Aspera uploads and downloads to or from this computer.
• Establish connections in the application and browse, create, delete, rename or list contents.

The following instructions demonstrate how to change a user account so that it uses the aspshell. Keep in mind that this is an example, and there may be other ways to do so for your system. For FreeBSD, the "chsh" command can be utilized to change a user's account to use the aspshell. In the following example, the user asp1 is being updated to use the aspshell.

$ chsh -s /bin/aspshell asp1

For Solaris, modify the passwd file to update user accounts to the aspshell.

/etc/passwd

Add or replace the user's shell with /bin/aspshell. For example, to apply aspshell to the user asp1, use the following settings in this file:

...
asp1:x:501:501:...:/home/asp1:/bin/aspshell
...

You can also restrict a user's file access by setting a Document Root (docroot). You can set a user's docroot by editing the aspera.conf file (/opt/aspera/etc/aspera.conf). The following template displays access options:

<file_system>
  <access>
    <paths>
      <path>
        <absolute>/sandbox/asp1</absolute>         <!-- Absolute Path -->
        <read_allowed>true</read_allowed>          <!-- Read Allowed -->
        <write_allowed>true</write_allowed>        <!-- Write Allowed -->
        <dir_allowed>true</dir_allowed>            <!-- Browse Allowed -->
      </path>
    </paths>
  </access>
  ...
</file_system>

Once you have set the user's shell and docroot, you can further restrict access by disabling read, write and/or browse. You may do so via aspera.conf, as shown in the template above.

Field: Absolute Path
Description: The area of the file system (i.e. path) that is accessible to the Aspera user. The default empty value gives a user access to the entire file system.
Values: Path or blank

Field: Read Allowed
Description: Setting this to true allows users to transfer from the designated area of the file system as specified by the Absolute Path value.
Values: true, false

Field: Write Allowed
Description: Setting this to true allows users to transfer to the designated area of the file system as specified by the Absolute Path value.
Values: true, false

Field: Browse Allowed
Description: Setting this to true allows users to browse the directory.
Values: true, false

8. Run the asp-check tool to check for potential user-security issues

The asp-check tool performs the following secure checks:

• Searches for full-access users and reports how many exist on the system. Note that the existence of full-access users does not necessarily indicate that your system is vulnerable; however, it is being brought to the attention of the System Administrator to ensure that the existence of full-access users is intentional.

• Searches for restricted users and potential misconfigurations, including incorrect login shell (i.e., one that is not restricted via aspshell); SSH tunnel access (which can be used to work around the restricted shell); and docroot setting that allows the user to access the home directory.

Note: A docroot setting that allows access to the home directory does not necessarily indicate that your system is vulnerable; however, a user with this docroot can download or upload keys in .ssh, as well as upload .login scripts. These capabilities may be used to circumvent the intended, restricted nature of the user. Aspera highly recommends setting the docroot under the user's home folder (e.g. /home/jane/data) or in an alternate location (e.g. /data).

To run the asp-check tool, run the following command in a Terminal window:

$ sudo /opt/aspera/bin/asp-check.sh

Your search results will appear in the Terminal window, as shown in the example below. If potential issues have been identified, review your users' settings before proceeding.

Users with full access: 22 (not considered insecure)
Restricted users: 0
Insecure users: 0
 - no restricted shell (aspshell): 0
 - docroot above home directory: 0
 - ssh tunneling enabled: 0

9. Review your logs periodically for attacks

Aspera recommends reviewing your SSH log periodically for signs of a potential attack. Locate and open your syslog, for example, /var/log/auth.log or /var/log/secure. Depending on your system configuration, syslog's path and file name may vary.

Look for invalid users in the log, especially a series of login attempts with common user names from the same address, usually in alphabetical order. For example:

...
Mar 10 18:48:02 sku sshd[1496]: Failed password for invalid user alex from 1.2.3.4 port 1585 ssh2
...
Mar 14 23:25:52 sku sshd[1496]: Failed password for invalid user alice from 1.2.3.4 port 1585 ssh2
...

If you have identified attacks:

• Double-check the SSH security settings in this topic.
• Report attacker to your ISP's abuse email (e.g. abuse@your-isp).
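
The log review described in this step can be automated. The following is an added example, not part of the Aspera documentation: it groups "Failed password for invalid user" lines by source address and reports addresses that tried several different names, noting whether the names arrived in alphabetical order. The function name, the threshold of three names and the sample log lines are constructed for illustration.

```python
"""Flag user-name sweeps in an sshd auth log (added example, not Aspera code)."""
import re
from collections import defaultdict

# The user name field comes from the client and may itself contain text such as
# " from <address> port <n> ssh2". The pattern is therefore anchored to the END
# of the line with a greedy user group, so the address captured is always the
# one sshd wrote last.
FAILED_INVALID = re.compile(
    r"sshd\[\d+\]: Failed password for invalid user (?P<user>.*) "
    r"from (?P<addr>\S+) port \d+ ssh2\s*$"
)


def find_username_sweeps(lines, min_users=3):
    """Group failed logins for invalid users by source address.

    Returns {address: {"attempts": int, "users": [...], "alphabetical": bool}}
    for every address that tried at least `min_users` distinct invalid names.
    `min_users` is an assumed threshold; tune it for your site.
    """
    tried = defaultdict(list)
    for line in lines:
        match = FAILED_INVALID.search(line)
        if match:
            tried[match.group("addr")].append(match.group("user"))

    report = {}
    for addr, users in tried.items():
        distinct = list(dict.fromkeys(users))  # first-seen order, repeats dropped
        if len(distinct) >= min_users:
            report[addr] = {
                "attempts": len(users),
                "users": distinct,
                "alphabetical": distinct == sorted(distinct),
            }
    return report


# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Mar 10 18:48:02 sku sshd[1496]: Failed password for invalid user alex from 198.51.100.7 port 1585 ssh2
Mar 10 18:48:05 sku sshd[1496]: Failed password for invalid user alice from 198.51.100.7 port 1590 ssh2
Mar 10 18:48:09 sku sshd[1496]: Failed password for invalid user amanda from 198.51.100.7 port 1594 ssh2
Mar 10 18:48:12 sku sshd[1496]: Failed password for invalid user amanda from 198.51.100.7 port 1598 ssh2
Mar 10 18:50:11 sku sshd[1502]: Failed password for invalid user jnae from 192.0.2.44 port 50112 ssh2
Mar 10 18:51:30 sku sshd[1503]: Accepted publickey for jane from 192.0.2.44 port 50120 ssh2
Mar 10 18:52:00 sku sshd[1510]: Failed password for invalid user bob from 203.0.113.9 port 1 ssh2 from 198.51.100.7 port 1602 ssh2
""".splitlines()

if __name__ == "__main__":
    for addr, info in find_username_sweeps(SAMPLE_LOG).items():
        order = "alphabetical" if info["alphabetical"] else "unordered"
        print(f"{addr}: {info['attempts']} attempts, "
              f"{len(info['users'])} names ({order})")
```

A single mistyped name from 192.0.2.44 stays below the threshold, and the last sample line is counted against 198.51.100.7, the address sshd recorded, rather than the address embedded in the user name.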

10. Set up transfer server authentication

For transfers mediated by a web application, the client browser sets up the context for the transfer using an HTTPS connection to the server, and then delegates the transfer to the Aspera FASP engine. The FASP engine then connects to the transfer server. In so doing, it needs to ensure the server's authenticity in order to protect the client against server impersonation and man-in-the-middle (MITM) attacks.

To verify the authenticity of the transfer server, the web app passes the client a trusted SSH host key fingerprint of the transfer server. When connecting to the transfer server, the client confirms the server's authenticity by comparing the server's fingerprint with the trusted fingerprint.

To configure transfer server authentication, open the transfer server's aspera.conf file:

/opt/aspera/etc/aspera.conf

• <ssh_host_key_fingerprint>

<ssh_host_key_fingerprint>fingerprint</ssh_host_key_fingerprint>

To retrieve the SSH fingerprint, locate the transfer server's public or private key, and run the following command on a Linux, Mac, or other UNIX computer:

# cd /etc/ssh
# cat ssh_host_rsa_key.pub | cut -d' ' -f2 | base64 -d | sha1sum | cut -d' ' -f1

The following is an example SSH fingerprint:

43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8

By convention, Aspera uses a hex string without the colons ( : ). For example:

435143a1b5fc8bb70a3aa9b10f6673a8

The aspera.conf setting for this key would then be as follows:

<ssh_host_key_fingerprint>435143a1b5fc8bb70a3aa9b10f6673a8</ssh_host_key_fingerprint>

After modifying aspera.conf, be sure to restart the node service by running asperanoded:

# /etc/init.d/asperanoded restart

Testing a Locally Initiated Transfer

Test client functionality by transferring to and from the Aspera Demo Server.

To make sure the software is working properly, follow these steps to test download and upload transfers between your system and the Aspera Demo Server:

1. Download test files from the Demo Server

The first test is to download a test file from the Demo Server. The transfer command is based on the following settings:

Item                  Value
Demo Server address   demo.asperasoft.com
Login account         aspera
password              demoaspera
Test file             /aspera-test-dir-large/100MB
Download location     /tmp/
Transfer settings     Fair transfer policy, target rate 10M, minimum rate 1M, encryption disabled.

Use the following command to download, press y to accept the server's key, and enter the password demoaspera when prompted:

$ ascp -QT -l 10M -m 1M aspera@demo.asperasoft.com:aspera-test-dir-large/100MB /tmp/

You should see the following session messages. The description from left to right is explained below:

Item Description

100MB The name of the file that is being transferred.

23% The percentage completed.

23MB The amount transferred.

509Kb/s Current transfer rate.

11:59 ETA Estimated time remaining.

2. Upload test files to the Demo Server

When the file is downloaded, try uploading the same file back to the Demo Server. Use the following command to upload the file (100MB) to the Demo Server's /Upload directory. Enter the password demoaspera when prompted:

$ ascp -QT -l 10M -m 1M /tmp/100MB aspera@demo.asperasoft.com:Upload/

Updating the Product License

Update your product license.

To update your license from the GUI, open Tools > License.

To update the license, open the following file with write permission, and replace the existing license key string with the new one:

/opt/aspera/etc/aspera-license

When finished, save and close the file. Use this command to verify the new license info:

$ ascp -A

Lastly, if you are using the Node API, you must reload the asperanoded service.

$ /opt/aspera/bin/asnodeadmin --reload

Uninstall

How to uninstall the Aspera product from your computer.

To uninstall the product, use the following commands. For RedHat and Debian, replace the Package-name with the printed name from the first command:

Platform   Command
Solaris    $ pkgrm ASPRent
FreeBSD    $ sh /opt/aspera/var/uninstall.sh

Connect Server Web UI Setup

Configure the server's Web UI settings and appearance.

Configuring Apache

Set up the Apache Web Server to host the Web UI for IBM Aspera Connect Server.

1. Locate and open your Apache configuration file.

With administrative account access (i.e., write/read permissions), open your Apache configuration file in a text editor. To locate this file, please refer to the table below for your specific OS.

Version Path

Solaris /etc/apache/httpd.conf

FreeBSD /usr/local/etc/apache/httpd.conf

2. Review the Apache ServerName setting

Within this file, locate the ServerName section and verify that the server's name resolves correctly. For example,if your Connect Server uses the domain name www.myConnectServer.com, use the following setting:

ServerName www.myConnectServer.com

3. Turn off Apache's UseCanonicalName setting

Locate the line that states UseCanonicalName and verify that it is set to off.

UseCanonicalName off

4. Review and/or modify your Web UI settings

Add the following section at the end of the configuration file:

#BEGIN_ASPERA
<Directory /opt/aspera/var/webtools>
  AllowOverride All
  Allow from all
</Directory>
<Directory /opt/aspera/var/webtools/scripts>
  AddHandler cgi-script .pl
  SetHandler cgi-script
  Options +ExecCGI
  AllowOverride All
</Directory>
ScriptAlias /aspera/scripts/ "/opt/aspera/var/webtools/scripts/"
Alias /aspera/ "/opt/aspera/var/webtools/"
#END_ASPERA

5. Enable Apache's cgi and the dir modules

Your Apache web server must have both the cgi and the dir modules enabled. To do so, run the commands listed in the table below for your specific version of Apache.

Apache Version: 2.2
Instruction: Run the following commands to enable the requisite modules:

$ sudo a2enmod dir
$ sudo a2enmod cgi
$ sudo a2enmod cgid

Apache Version: 1.3, 2.0
Instruction: In Apache's configuration file, add or un-comment the following lines:

LoadModule dir_module modules/mod_dir.so
LoadModule cgi_module modules/mod_cgi.so

6. (Optional) Configure SSL

For instructions on generating an RSA Private Key, Certificate Signing Request (CSR) and optional self-signed certificate using OpenSSL, please refer to the topic Create an SSL Certificate (Apache) on page 103. Then, once you have created your private key and Certificate (or you are using the unsigned Certificate provided by Aspera), please refer to the topic Enable SSL (Apache) on page 105 for instructions on enabling SSL on your system.

7. Restart your Apache web server

After modifying the Apache configuration file, save and close it. Then, based on your version of Apache, use the following commands to restart it:

Version Command

Solaris /etc/init.d/apache restart

FreeBSD /usr/local/sbin/apachectl restart

8. Enable system-level security

Enabling system-level security allows the Web UI to accurately display the users' files and show or hide controls depending on users' permissions (this includes the delete and make directory functions). The FreeBSD operating system requires sudo to run Connect Server in "secure mode." To install sudo, run the following commands:

% su
$ cd /usr/ports/security/sudo ; make install clean

Then to enable system-level security, run the following command (as root) in a Terminal window:

$ sudo /opt/aspera/sbin/enablesecure enable

Once the script is executed, you will be prompted to input the name of the Apache user.

User running apache (default apache):

Based on your input, the script generates text similar to the following. Use visudo to copy and paste the generated text into your /usr/local/etc/sudoers file. In the following example output, apache is the account that is running Apache and is the Aspera installation directory.

# BEGIN Aspera Connect Server
# The user account that runs the web server will impersonate
# the logged-in user to present that user's files and folders.
Defaults env_keep += "SERVER_NAME REQUEST_URI REQUEST_METHOD REMOTE_USER QUERY_STRING CONTENT_LENGTH SESSION_ID CSRF_TOKEN"
Defaults:apache !requiretty
apache ALL=(ALL) NOPASSWD: /var/webtools/scripts/aspera-dirlist.pl, SETENV: /var/webtools/scripts/aspera-dirlist.pl
# END Aspera Connect Server

Note: Once secure permissions are enabled, users will see the Delete and Create Folder buttons, allowing them to remove files and create directories on the server (within their docroot). You may hide the Delete and Create Folder buttons by updating the Web UI configuration parameters EnableDelete and EnableCreateFolder, respectively. Please refer to Configuring your Web UI Settings on page 20 for details.

To disable the secure permissions, run the enablesecure script again with the argument "disable."

$ sudo /opt/aspera/sbin/enablesecure disable

9. (On client computers) Verify that cookies are enabled in Web browser

Ensure that your client users have cookies enabled within their browsers before attempting to log in. Failure to do so may result in an error message as they attempt to access the Connect Server Web UI.

Configuring your Web UI Settings

Configure Connect Server's Web UI transfer settings by updating aspera.conf

The instructions below describe the process of configuring IBM Aspera Connect Server's Web UI transfer settings by updating aspera.conf.

1. Locate and open aspera.conf

To configure Connect Server's Web UI transfer settings, locate aspera.conf and open it with a text editor:

/opt/aspera/etc/aspera.conf

2. Additionally, open Aspera's sample Web UI configuration file

Locate and open Aspera's sample Web UI configuration file, which can be found in the following directory:

/opt/aspera/etc/samples/aspera-web-sample.conf

3. Modify the <WEB> section inside the sample Web UI configuration file and copy it into aspera.conf

Locate the <WEB> section and modify it based on your requirements. Then, copy the <WEB> section into aspera.conf.

<CONF version="2">
  ...
  <WEB SshPort = "33001"
       UdpPort = "33001"
       PathMTU = "0"
       HttpFallback = "no"
       HttpFallbackPort = "8080"
       HttpsFallbackPort = "8443"
       EnableDelete = "yes"
       EnableCreateFolder = "yes"
       AsperaServer = ""
       EnableUserSwitching = "no"
       FollowSymbolicLinks = "yes"
       EnableSortByName = "false"
       EnableConnectUpdates = "yes"
  />
</CONF>

Important: Although the industry-standard SSH port is TCP/22, we recommend changing it to TCP/33001 (as described in the topic "Securing your SSH Server"). The default configuration example, above, assumes your SSH port is set to TCP/33001.

The table below provides descriptions of all Web UI configuration options.

Field: SshPort
Description: The TCP port for SSH transfer communication.
Values: integer between 1 and 65535
Default: 22

Field: UdpPort
Description: The UDP port for FASP file transfer.
Values: integer between 1 and 65535
Default: 33001

Field: PathMTU
Description: Sets the maximum packet size for file transmission. When using the value "0", FASP will automatically set the appropriate value for the network within this value.
Values: integer between 296 and 10000
Default: 0

Field: HttpFallback
Description: Use HTTP Fallback transfer when UDP-port transfer fails.
Values: yes / no
Default: no

Field: HttpFallbackPort
Description: The TCP port for HTTP Fallback transfer.
Values: integer between 1 and 65535
Default: 8080

Field: HttpsFallbackPort
Description: The TCP port for HTTPS Fallback transfer.
Values: integer between 1 and 65535
Default: 8443

Field: EnableDelete
Description: When set to "yes" (default), users with the appropriate permissions can delete files and folders within the Web UI.
Values: yes / no
Default: yes

Field: EnableCreateFolder
Description: When set to "yes" (default), users with the appropriate permissions can create new folders using the "New Folder" button within the Web UI.
Note: The user can still upload a new folder even if "EnableCreateFolder" is set to "no."
Values: yes / no
Default: yes

Field: AsperaServer
Description: To use this computer solely for the Connect Server Web UI (and not for file transfers), enter the IP address or host name of the transfer server machine in this field. In the case of a high-availability or clustered setup, this value should be the IP address or host name of the VIP (where the VIP/cluster service/load balancer will manage the transfer servers). Once added, Connect Server allows the user to transfer to and from the file system on the indicated transfer server machine.
Values: The IP address or host name of the transfer server machine
Default: unspecified (transfer using local machine)

Field: MinimumConnectVersion
Description: Specifies the minimum version of Connect that must be installed in order for users to be able to use Connect Server. If the minimum version is not installed, a message is displayed that indicates the minimum version required and provides a download link. This option takes the value in the format of the Aspera Connect version, for example, "3.0.0.12345".
Note: The default value for this setting is also the lowest allowable value. If the value specified is below the default value, the Web UI enforces the default value.
Values: Version number
Default: 2.8.0.0

Field: EnableUserSwitching
Description: This option enables a feature that allows a user to switch to a different user account. When set to "yes", a Change User button is added to the web page in the upper-right corner. Note that the feature only allows users to log in to a different account than the one they are exiting. This is currently an experimental feature.
Values: yes / no
Default: no

Field: FollowSymbolicLinks
Description: Support the symbolic link in the Connect Server. The secure permission feature should be configured to enable this option.
Values: yes / no
Default: yes

Field: EnableSortByName
Description: When the value is "true," files are sorted into a given order before being listed on the Connect Server Web UI.
Important: We recommend that you keep the default setting of "false." If you browse a directory that contains numerous files, then browsing performance may be impacted due to the extra sorting that needs to occur.
Values: true / false
Default: false

Field: EnableConnectUpdates
Description: When the value is "yes," the Connect Server Web UI will display a prompt to upgrade the Connect browser plugin when an upgrade is available. When set to "no," this prompt will no longer appear, except for mandatory upgrades when the minimum version requirement for Connect is not met. This setting does not affect the installation message that appears when Connect is not installed.
Values: yes / no
Default: yes

4. Restart Aspera HTTPD

To restart Aspera HTTPD, run the following command(s) in a Terminal window:

OS        Command
Solaris   $ /etc/init.d/asperahttpd restart
FreeBSD   $ /etc/rc.d/asperahttpd restart

Customize your Web UI's Appearance

Customize Connect Server's Web UI header and footer

To customize Connect Server's Web UI header and footer, modify the following files:

Item File Location

Header /opt/aspera/var/webtools/aspdir-header.html

Footer /opt/aspera/var/webtools/aspdir-footer.html

Alternatively, you can integrate Aspera transfers into a custom web application. For more information, refer to Aspera Developer Network - Aspera Web.

Configuring HTTP and HTTPS Fallback

Configure HTTP/HTTPS Fallback using the Connect Server GUI or aspera.conf.

HTTP Fallback serves as a secondary transfer method when the Internet connectivity required for Aspera accelerated transfers (UDP port 33001, by default) is unavailable. When HTTP Fallback is enabled and UDP connectivity is lost or cannot be established, the transfer will continue over the HTTP (or HTTPS) protocol. The instructions below walk through the process of setting up HTTP/HTTPS fallback. For additional information on configuring different modes and testing, see the Aspera KB Article "HTTP fallback configuration, testing and troubleshooting."

Note: Ensure that your HTTP daemon (Aspera HTTPD) is running with sufficient privileges, so that it can modify file ownership.

1. Turn on HTTP/HTTPS Fallback.

These instructions assume that you have already configured your Connect Server's Web UI, as documented in the topic "Connect Server Web UI Settings." If you have not done so, please review that topic before proceeding. To turn on HTTP/HTTPS Fallback, you must edit the <WEB/> section of aspera.conf. This configuration file can be found in the following directory:

/opt/aspera/etc/aspera.conf

If you do not see the <WEB/> section, you will need to copy it from the file aspera-web-sample.conf, as described in "Connect Server Web UI Settings." Within the <WEB/> section, locate and confirm the following entries:

<WEB
  ...
  HttpFallback = "yes"          <!-- Yes to turn on; No to turn off -->
  HttpFallbackPort = "8080"     <!-- Default: 8080 -->
  HttpsFallbackPort = "8443"    <!-- Default: 8443 -->
/>

If you modify aspera.conf, run the following command (from Enterprise Server's bin directory) to validate your updated configuration file:

$ /opt/aspera/bin/asuserdata -v

2. Configure HTTP/HTTPS Fallback settings.

To change your HTTP Fallback settings within aspera.conf, navigate to the following directory:

/opt/aspera/etc/aspera.conf

Update your HTTP Fallback settings within aspera.conf based on the example shown below. Set enable_http and, if you want to allow HTTPS fallback, enable_https to true, as well as specify port numbers for http_port and https_port. Note that the values for http_port and https_port must match the HttpFallbackPort and HttpsFallbackPort values set within the <WEB/> section of aspera.conf (8080 and 8443, respectively). Refer to Step 1 for additional information.

<CONF version="2">
  ...
  <http_server>
    ...
    <enable_http>true</enable_http>      <!-- Enable HTTP -->
    <enable_https>true</enable_https>    <!-- Enable HTTPS -->
    <http_port>8080</http_port>          <!-- HTTP port -->
    <https_port>8443</https_port>        <!-- HTTPS port -->
    ...
  </http_server>
</CONF>

After modifying aspera.conf, run the following command (from Enterprise Server's bin directory) to validate your updated configuration file:

$ /opt/aspera/bin/asuserdata -v

3. Review additional HTTP Fallback settings.

The following sample template and description table displays additional HTTP Fallback options within aspera.conf:

<CONF version="2">
  ...
  <http_server>
    <cert_file> </cert_file>                                    <!-- Cert file -->
    <key_file> </key_file>                                      <!-- Key file -->
    <bind_address>0.0.0.0</bind_address>                        <!-- Bind Address -->
    <restartable_transfers>true</restartable_transfers>         <!-- Restartable Transfers -->
    <session_activity_timeout>1</session_activity_timeout>      <!-- Session Activity Timeout -->
    <enable_http>true</enable_http>                             <!-- Enable HTTP -->
    <enable_https>true</enable_https>                           <!-- Enable HTTPS -->
    <http_port>8080</http_port>                                 <!-- HTTP port -->
    <https_port>8443</https_port>                               <!-- HTTPS port -->
  </http_server>
</CONF>

Field 1: Cert File
Description: The absolute path to an SSL certificate file. If left blank, the default certificate file that came with Enterprise Server is used.
Values: file path
Default: blank

Field 2: Key File
Description: The absolute path to an SSL key file. If left blank, the default certificate file that came with your Aspera Enterprise Server will be used.
Values: file path
Default: blank

Field 3: Bind Address
Description: This is the network interface address on which the HTTP Fallback server listens. The default value 0.0.0.0 allows the HTTP Fallback server to accept transfer requests on all network interfaces for this node. Alternatively, a specific network interface address may be specified.
Values: valid IPv4 address
Default: 0.0.0.0

Field 4: Restartable Transfers
Description: Setting this to true allows interrupted transfers to resume at the point of interruption.
Values: true, false
Default: true

Field 5: Session Activity Timeout
Description: Any value greater than 0 sets the amount of time, in seconds, that the HTTP Fallback server will wait without any transfer activity before canceling the transfer. Notice that this option cannot be left at 0, otherwise interrupted HTTP Fallback sessions will get stuck until server or asperacentral is restarted.
Values: positive integer
Default: -

Field 6: HTTP Port
Description: The port on which the HTTP server listens. Valid port numbers range between 1 and 65535.
Values: positive integer
Default: 8080

Field 7: HTTPS Port
Description: The port on which the HTTPS server listens. Valid port numbers range between 1 and 65535.
Values: positive integer
Default: 8443

Field 8: Enable HTTP
Description: Enables the HTTP Fallback server that allows failed UDP transfers to continue over HTTP.
Values: true, false
Default: false

Field 9: Enable HTTPS
Description: Enables the HTTPS Fallback server that allows failed UDP transfers to continue over HTTPS.
Values: true, false
Default: false

4. Specify a token encryption key.

The token encryption key is the secret text string that is used to authorize transfers configured to require a token.

Note: If HTTP/HTTPS fallback is enabled, a token encryption key is required. If HTTP/HTTPS is configured without the encryption key, initiating a transfer with the download button generates the following error:

Error: internal error - unable to start token generation

To specify the token encryption key in aspera.conf, open the file with a text editor, and add or update the authorization section's encryption_key (the example below uses the string "secret"; however, it can be any string):

<CONF version="2">
  ...
  <default>
    <authorization>
      ...
      <token>
        <encryption_key>secret</encryption_key>
      </token>
    </authorization>
  </default>
  ...
</CONF>

Important: After changing your Aspera token settings (either via aspera.conf or the GUI), you must restart AsperaHTTPD. For instructions, see the final step in this topic.

5. (Optional) Utilize asconfigurator to update HTTP Fallback settings.

You may also use the asconfigurator command-line tool to configure HTTP Fallback. Use the option -F and specify the HTTP Fallback configuration with set_http_server_data;. You must append the options with values and enclose them in quotes. The syntax is as follows:

asconfigurator -F "set_http_server_data; <option_name>, <value>"

For example, to enable HTTP Fallback (e.g. enable_http,true) and use port 8085 (http_port,8085), use the following syntax:

$ asconfigurator -F "set_http_server_data; enable_http,true; http_port,8085"

To reset the settings, use the AS_NULL value. For example, to reset enable_http, use the following syntax:

$ asconfigurator -F "set_http_server_data; enable_http,AS_NULL"

To view current settings, use the following command:

$ asuserdata -b -t

6. Restart Aspera Central and Aspera HTTPD to apply new settings.

Run the following commands to restart Aspera Central and Aspera HTTPD:

OS        Command
Solaris   $ /etc/init.d/asperacentral restart
          $ /etc/init.d/asperahttpd restart
FreeBSD   $ /etc/rc.d/asperacentral restart
          $ /etc/rc.d/asperahttpd restart

Testing Web UI
Test Aspera Connect client transfers through Web UI.

Follow the steps below to test your client transfers through the Web UI.

Note: The instructions require steps to be taken on both the Connect Server system and a client computer. Make sure you are performing the steps on the specified machine.

1. Clients: Test the connection to the Web UI

To test your connection to the Connect Server Web UI, go to the following address with a client computer's browser:

Scope URL

HTTP http://server-ip-or-name/aspera/user

HTTPS https://server-ip-or-name/aspera/user


Note: Ensure that your client users have cookies enabled within their browsers before attempting to login. Failure to do so may result in an error message as they attempt to access the Connect Server Web UI.

2. Connect Server: Set up a test user account

Note: On the operating system, the system user should have read and write permissions to its docroot.

On top of SSH authentication, Connect Server uses Apache's authentication to authorize Web UI access. To set up a system user for Apache authentication (asp1), use the htpasswd command to set up the user for Web UI.

$ htpasswd /opt/aspera/etc/webpasswd asp1

Note: Use the -c option only if this is the first time running htpasswd to create the webpasswd file. Do not use the -c option otherwise.

3. Connect Server: Configure a user for FASP file transfer

Open the Aspera configuration file (aspera.conf) and set up the user's docroot information:

/opt/aspera/etc/aspera.conf

The following example uses these settings. If you use the substitutable string $(name), the application automatically replaces it with the login user name:

Item Value

String for generating token secRet

Default docroot /sandbox/$(name)

    <CONF version="2">
      <default>
        <authorization>
          <value>allow</value> <!-- Allow token authentication for HTTP -->
          <token>
            <encryption_key>secRet</encryption_key> <!-- String for token -->
          </token>
        </authorization>
        <file_system>
          <access><paths><path>
            <absolute>/sandbox/$(name)</absolute> <!-- Default docroot -->
          </path></paths></access>
        </file_system>
      </default>
      ...
    </CONF>

Note: The aspera.conf sample file can be used as a setup reference. The sample file is provided in the following location:

/opt/aspera/etc/samples/aspera.web-sample.conf

4. Client: Test the Web UI with the client machine

Note: Cookies must be enabled in a client's browser!

Prepare a client computer with the supported OS and browser to test connecting to the Web UI. See the Introduction on page 4 for supported platform and browser. Browsing the Web UI from the client machine, you should see the Aspera Connect browser plugin installation instruction on the web page. Click either Install Now or Download Aspera Connect and follow the instructions.

In the Web UI, click Upload and select one or more files to send to Connect Server. When finished, select the uploaded files on the Web UI, and click Download.

Note:

When adding files to the Web UI, do not use the following characters in the filenames:

/ \ " : ' ? > < & * |

For further information about the Aspera Connect browser plugin, see the Aspera Connect User Guide.

If you are having difficulties establishing FASP transfers using the Web UI, see Clients Can't Establish Connection on page 109.

Managing Users

Add users for the FASP connection authentication, and set up user transfer settings.

Test User-Initiated Remote Transfer
Test FASP transfers initiated from a client computer.

Important: These instructions require you to take steps on both the Connect Server and a client computer. Ensure that you are performing the task on the indicated machine. As a prerequisite, Connect Server must have at least one transfer user. For instructions on adding a transfer user, see .

1. (On your client machine) Verify your connection to Connect Server.

On the client machine, use the ping command in a Terminal window to verify connectivity to the host. In this example, the address of Connect Server is 10.0.0.2.

    $ ping 10.0.0.2
    PING 10.0.0.2 (10.0.0.2): 56 data bytes
    64 bytes from 10.0.0.2: icmp_seq=0 ttl=64 time=8.432 ms
    64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=7.121 ms
    64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=5.116 ms
    64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=4.421 ms
    64 bytes from 10.0.0.2: icmp_seq=4 ttl=64 time=3.050 ms
    ...

2. (On your client machine) Initiate a transfer to Connect Server.

Attempt to establish a connection from your client machine to Connect Server. To do so, run the following command on your client machine (where asp1 is our example transfer user):

$ ascp -P 33001 -T --policy=fair -l 10000 -m 1000 /client-dir/files asp1@10.0.0.2:/dir

Item                 Value
Host Address         10.0.0.2
Transfer User        asp1
Files to upload      /client-dir/files
Destination Folder   {user's docroot}/dir
Transfer Options     • Maximum transfer rate = 10 Mbps (-l 10000)
                     • Minimum transfer rate = 1 Mbps (-m 1000)
                     • Change default TCP port used for FASP session initiation = 33001 (-P 33001). Please note that this command does not alter ascp or your SSH server's configuration.
                     • Disable encryption (-T)
                     • Fair transfer policy (--policy=fair)

3. (For clients connecting to a Connect Server) Test the Web UI with a client machine.

Notice: Cookies must be enabled within the client's browser!

Browse to your Connect Server URL from the client machine. Here, you should see the Aspera Connect browser plugin installation instructions. After installing the browser plugin, click Upload and select one or more files to send to the server. When finished, attempt to Download the same files.

Important: When adding files to Web UI, avoid using the following characters in the file names:

/ \ " : ' ? > < & * |

For additional information on Aspera Connect browser plugin, refer to the Aspera Connect User Guide.

If you cannot establish a connection to Connect Server, see Clients Cannot Establish Connection.

Setting Up Transfer Users
Add system users on your computer, and configure the account for the fasp transfer.

Aspera transfer products use system accounts for connection authentication, and these accounts require additional configuration for Aspera transfers. You may specify user-based settings, such as bandwidth, document root (docroot), and file handling rules.

Follow these steps to set up transfer accounts in a command terminal:

1. Set up a system user for Web UI authentication

On top of SSH authentication, Connect Server uses Apache's authentication to authorize Web UI access. To set up a system user for Apache authentication (asp1), use the htpasswd command to set up the user for Web UI.

OS        Command
Solaris   Requires full path, which may differ based on your distribution. Please refer to the example below.
          $ /opt/csw/apache2/sbin/htpasswd /opt/aspera/etc/webpasswd asp1
FreeBSD   Requires full path.
          $ /usr/local/sbin/htpasswd /opt/aspera/etc/webpasswd asp1

Note: Use the -c option only if this is the first time running htpasswd to create the webpasswd file. Do not use the -c option otherwise.

2. Open aspera.conf with a text editor

To set up system users for fasp file transfers, locate the Aspera transfer product's configuration file, aspera.conf, and open it with a text editor:

/opt/aspera/etc/aspera.conf

You can find an example of aspera.conf in the following location:

/opt/aspera/etc/samples/aspera-everything.conf

The following steps explain how to update this file.

3. Create default (global) transfer settings

When setting up a test user for the Web UI, the following default setting is created. This setting sets the token key and docroot for all users:

Item Value

String for generating the token secRet

Default docroot /sandbox/$(name)

    <CONF version="2">
      <default>
        <authorization>
          <value>allow</value> <!-- Allow token authentication for HTTP -->
          <token>
            <encryption_key>secRet</encryption_key> <!-- String for token -->
          </token>
        </authorization>
        <file_system>
          <access><paths><path>
            <absolute>/sandbox/$(name)</absolute> <!-- Default docroot -->
          </path></paths></access>
        </file_system>
      </default>
      ...
    </CONF>

Notice that the docroot setting uses a substitutional string $(name). If your system user's docroot setting has a pattern (for example, /sandbox/username), you can take advantage of this feature. The substitutional string lets you assign an independent docroot to each user by means of a single default setting, instead of setting a docroot for each user individually.

Substitutional String Definition Example

$(name) The system user's name. /sandbox/$(name)

4. Restrict user permissions with aspshell

By default, all system users can establish a fasp connection and are only restricted by file permissions. You can restrict the user's file operations through the aspshell, which permits only the following operations:

• Running Aspera uploads and downloads to or from this computer.
• Establishing connections in the application, and browsing, creating, deleting, renaming, or listing contents.

The following steps explain how to change a user account so that it uses the aspshell. Keep in mind that this is an example, and there may be other ways to do so on your system. For FreeBSD, the chsh command can be utilized to change a user's account to use the aspshell. In the following example, the user asp1 is updated to use aspshell.

$ chsh -s /bin/aspshell asp1

For Solaris, modify the passwd file to update user accounts to the aspshell.

/etc/passwd

Add or replace the user's shell with aspshell. For example, to apply aspshell to the user asp1, use the following settings in this file:

    ...
    asp1:x:501:501:...:/home/asp1:/bin/aspshell
    ...

You can also restrict a user's file access with docroot (document root) settings in the <file_system /> section of aspera.conf, using the following tags: <absolute />, <read_allowed />, <write_allowed />, and <dir_allowed />. For details, see aspera.conf - File System on page 48.

5. Configure a user's transfer settings

Besides the default (global) transfer settings, you can also create user-specific and group-specific transfer settings. The user-specific settings have the highest priority, overriding both group and global settings.

Add the following section to aspera.conf:

    <?xml version='1.0' encoding='UTF-8'?>
    <CONF version="2">
      <aaa>
        <realms>
          <realm>
            <users>
              <user> <!-- Each user tag contains a user's profile. -->
                <name>asp1</name> <!-- user name -->
                <authorization>...</authorization> <!-- authorization settings -->
                <transfer>...</transfer> <!-- transfer settings -->
                <file_system>...</file_system> <!-- file system settings -->
              </user>
              <user> <!-- another user's profile -->
                ... <!-- settings -->
              </user>
            </users>
          </realm>
        </realms>
      </aaa>
      ...
    </CONF>

6. Verify the configuration

When you have finished updating the user's settings in aspera.conf, use the following command to verify it (in this example, verify the user asp1's settings):

$ /opt/aspera/bin/asuserdata -b -u asp1

Setting Up Transfer Groups
Create system groups on your computer, and set up transfer settings for the group and its members.

You can set up transfer settings based on your system's user groups. If users within a group do not have individual transfer settings, then the group's transfer settings will be applied. Please note that Connect Server doesn't create user groups on the Operating System for you, so you must ensure that the groups currently exist before adding them to your Aspera product. Follow the steps below to add user groups to Connect Server in a Terminal.

1. Determine the user group(s) that you would like to add to your Aspera transfer product

Ensure that you have an existing user group on your Operating System, or create a new user group. Please refer to your Operating System's documentation for information on creating user groups. Connect Server reads group information from the following file:

/etc/group

2. Add the user group to your Aspera transfer product

When a transfer group is specified, it overwrites global settings and applies group configuration to corresponding users. To add group-specific transfer settings, open your aspera.conf file with a text editor.

/opt/aspera/etc/aspera.conf

You can access an aspera.conf example via the following path:


/opt/aspera/etc/samples/aspera-everything.conf

Add the following section to aspera.conf:

    <?xml version='1.0' encoding='UTF-8'?>
    <CONF version="2">
      <aaa>
        <realms>
          <realm>
            <users>
              ... <!-- user-specific settings -->
            </users>
            <groups>
              <group> <!-- Each group tag contains a group's profile. -->
                <name>aspgroup</name> <!-- The group name. -->
                <precedence>0</precedence> <!-- Group precedence. -->
                <authorization>...</authorization> <!-- Authorization settings. -->
                <transfer>...</transfer> <!-- Transfer settings. -->
                <file_system>...</file_system> <!-- File System settings. -->
              </group>
              <group>
                ... <!-- Another group's settings -->
              </group>
            </groups>
          </realm>
        </realms>
      </aaa>
      ...
    </CONF>

Refer to following sections for precedence, authorization, transfer and file system configuration options:

Category                                  Description
Configuration Precedence on page 33       When a user is a member of multiple groups, the precedence setting can be used to determine priority.
aspera.conf - Authorization on page 38    Connection permissions, token key and encryption requirements.
aspera.conf - Transfer on page 40         Incoming and outgoing transfer bandwidth and policy settings.
aspera.conf - File System on page 48      Network IP, port and socket buffer settings.

3. Verify your configuration

When you have finished updating the group's settings in aspera.conf, use the following command to verify it (in this example, verify the group asp-group's settings):

$ /opt/aspera/bin/asuserdata -g asp-group

Configuration Precedence
The priority of user, group, global-level and default settings.

Connect Server gives precedence to settings as follows, where user settings have the highest priority and default settings have the lowest.

(1) User


(2) Group(s) (If a user belongs to more than one group, a precedence can be set for each group.)

(3) Global

(4) Default

If a user is a member of multiple groups, a precedence setting can be assigned to each group. The following table shows the setting values that a user asp1 is assigned in bold. In this example, asp1 is a member of both the admin and xfer groups. The admin group's precedence setting is 0, which supersedes the xfer group's setting of 1:

Options       User asp1's Settings   Group admin's Settings   Group xfer's Settings   Global Settings   Default Settings
Target rate   5M                     10M                      15M                     40M               45M
Min rate      n/a                    2M                       8M                      3M                0
Policy        n/a                    n/a                      Low                     Fair              Fair
Docroot       n/a                    n/a                      n/a                     /pod/$(name)      n/a
Encryption    n/a                    n/a                      n/a                     n/a               any

You can configure a group's precedence from the GUI or by editing aspera.conf. To configure it from the GUI, launch the application and click Configuration.

In the Server Configuration dialog, select the Groups tab, choose a group, and select the Precedence tab. (The Precedence tab does not appear if there are no groups.) Click the Override checkbox to override the inherited value (default), and enter a precedence number for the group.

Note: A group's precedence setting must be greater than or equal to 0, where 0 is the highest precedence level.

Before assigning group precedence by editing aspera.conf, first ensure that the groups have already been added in the application, so that they will appear as entries in aspera.conf.

Locate the aspera.conf file as follows:

/opt/aspera/etc/aspera.conf

In the file, locate the entry for each group, add the <precedence> option, and assign a precedence value as shown in the example below.

    <groups>
      <group>
        <name>admin</name>
        <precedence>0</precedence>
        ...
      </group>
      <group>
        <name>xfer</name>
        <precedence>1</precedence>
        ...
      </group>
    </groups>
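The precedence order described in this section, worked through for the asp1 table as an added example (not Aspera's code): each option is taken from the first level that defines it, in the order user, groups by precedence number, global, default. The function and variable names are illustrative assumptions, and the way equal precedence numbers are ordered is an assumption the guide does not cover.

```python
# Added example: resolves effective settings with the order this section
# describes (user > groups by precedence > global > default).
# Not Aspera code; every name below is illustrative.

UNSET = None  # "n/a" in the table: this level does not define the option

# Values copied from the example table in this section.
ASP1 = {"target_rate": "5M"}
GROUPS = [
    # (group name, precedence, settings); listed out of order on purpose
    ("xfer", 1, {"target_rate": "15M", "min_rate": "8M", "policy": "Low"}),
    ("admin", 0, {"target_rate": "10M", "min_rate": "2M"}),
]
GLOBAL = {"target_rate": "40M", "min_rate": "3M", "policy": "Fair",
          "docroot": "/pod/$(name)"}
DEFAULT = {"target_rate": "45M", "min_rate": "0", "policy": "Fair",
           "encryption": "any"}


def resolve_effective(user, groups, global_settings, default_settings):
    """Return {option: (value, source)} for one user.

    A lower precedence number wins and 0 is the highest precedence level.
    Groups with equal precedence keep their list order (assumption).
    """
    for name, precedence, _ in groups:
        if not isinstance(precedence, int) or precedence < 0:
            raise ValueError(f"group {name!r}: precedence must be an integer >= 0")

    # Lookup chain, highest priority first.
    chain = [("user", user)]
    for name, precedence, settings in sorted(groups, key=lambda g: g[1]):
        chain.append((f"group {name} (precedence {precedence})", settings))
    chain.append(("global", global_settings))
    chain.append(("default", default_settings))

    # Every option named at any level, in first-seen order.
    options = []
    for _, settings in chain:
        for key in settings:
            if key not in options:
                options.append(key)

    effective = {}
    for option in options:
        for source, settings in chain:
            value = settings.get(option, UNSET)
            if value is not UNSET:
                effective[option] = (value, source)
                break
    return effective


def resolve_asp1_example():
    """Effective settings for asp1 using the table's values."""
    return resolve_effective(ASP1, GROUPS, GLOBAL, DEFAULT)


if __name__ == "__main__":
    for option, (value, source) in resolve_asp1_example().items():
        print(f"{option:12} {value:14} from {source}")
```

Comparing this output with `asuserdata -b -u asp1` on a test node is a quick way to confirm that a group added for one purpose is not silently overriding a stricter global setting.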

Setting Up a User's Public Key
Install the public key provided by the clients to their user account.

Public key authentication is an alternative to password authentication, providing a more secure authentication method that allows users to avoid entering or storing a password, or sending it over the network. It is done by using the client computer to generate the key-pair (a public key and a private key), provide the public key to the server or the point-to-point, and have the public key installed on that machine.

Important: The Web UI currently doesn't support the key-based authentication. This feature is for transfers initiated in the application and the ascp command.

1. Obtain the client's public key

The client should send you an e-mail with the public key, either a text string attached in the secure e-mail, or saved as a text file. In this example, the client's login user account is asp1.

For instructions on creating public keys, refer to Creating SSH Keys on page 95.

2. Install the client's public key to its login user account

To install the account's public key, create a folder called .ssh in the user's home directory. This example sets up the public key for the following user:

Item Value

User name asp1

Key file /tmp/id_rsa.pub

Public key install location /home/asp1/.ssh/authorized_keys

Execute the following commands to install the client's public key:

    $ mkdir /home/asp1/.ssh
    $ cat /tmp/id_rsa.pub >> /home/asp1/.ssh/authorized_keys
    $ chown -R asp1:asp1 /home/asp1/.ssh
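The install step above as an added Python example (not part of the Aspera guide): it checks that the text the client e-mailed is a single well-formed public-key line before appending it, and sets owner-only modes on .ssh and authorized_keys. The allowed key types, the function names and the sample key are assumptions constructed for illustration.

```python
# Added example: validate a client-supplied public key, then install it.
# Not Aspera code; names and the allowed-type policy are assumptions.
import base64
import binascii
import os
import struct

ALLOWED_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def parse_public_key(text):
    """Validate one OpenSSH public-key line; return (type, base64 blob, comment)."""
    line = text.strip()
    if "\n" in line or "\r" in line:
        raise ValueError("expected exactly one key line")
    if "PRIVATE KEY" in line:
        raise ValueError("this is private key material, not a public key")
    fields = line.split(None, 2)
    if len(fields) < 2 or fields[0] not in ALLOWED_KEY_TYPES:
        # Also rejects lines that begin with authorized_keys options such as
        # command="...", because the first field is then not a key type.
        raise ValueError("first field is not an allowed key type")
    key_type, blob_b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("key data is not valid base64") from exc
    # The decoded blob starts with a length-prefixed copy of the key type.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type does not match the encoded key data")
    comment = fields[2] if len(fields) == 3 else ""
    return key_type, blob_b64, comment


def install_public_key(pubkey_text, home_dir, uid=None, gid=None):
    """Append a validated key to <home_dir>/.ssh/authorized_keys.

    Returns True if the key was added, False if it was already present.
    """
    key_type, blob_b64, comment = parse_public_key(pubkey_text)
    ssh_dir = os.path.join(home_dir, ".ssh")
    auth_file = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # makedirs honours umask and skips existing dirs

    existing = []
    if os.path.exists(auth_file):
        with open(auth_file, encoding="utf-8") as fh:
            existing = [ln.split() for ln in fh
                        if ln.strip() and not ln.startswith("#")]
    added = not any(blob_b64 in fields for fields in existing)
    if added:
        fd = os.open(auth_file, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
        with os.fdopen(fd, "a", encoding="utf-8") as fh:
            parts = [p for p in (key_type, blob_b64, comment) if p]
            fh.write(" ".join(parts) + "\n")
    os.chmod(auth_file, 0o600)
    if uid is not None and gid is not None:  # needs root, like chown above
        os.chown(ssh_dir, uid, gid)
        os.chown(auth_file, uid, gid)
    return added


def constructed_sample_key():
    """Well-formed but meaningless ssh-ed25519 line (constructed sample)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " asp1@client"


if __name__ == "__main__":
    import tempfile
    home = tempfile.mkdtemp()  # stands in for /home/asp1
    print(install_public_key(constructed_sample_key(), home))
```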


General Configuration Reference

The general transfer configuration options.

This section covers the general configuration options, which can be used for global, group, and user settings.

Configuring Symbolic Links
This section describes how Aspera handles symbolic links in ascp. Both client-side and server-side handling can be configured using the command-line options and the aspera.conf file respectively.

Client-Side Symbolic Link Handling

See Advanced Symbolic Link Options (ascp) on page 36 for information about configuring client-side handling for symbolic links.

Server-Side Symbolic Link Handling

See Server-Side Symbolic Link Handling on page 36 for information about configuring server-side handling for symbolic links.

Advanced Symbolic Link Options (ascp)

Client-side handling of symbolic links is configured from the following ascp command line:

$ ascp --symbolic-links=option

The following section describes the possible configuration options:

Configuration Options

Option       Description
copy         Copy only the alias file. If a file with the same name exists at the destination, the symbolic link will not be copied.
copy+force   Copy only the alias file. If a file with the same name exists at the destination, the symbolic link will replace the file. If the file of the same name at the destination is a symbolic link to a directory, it will not be replaced.
follow       Follow symbolic links and transfer the linked files. This is the default option.
skip         Ignore the symbolic link.

Server-Side Symbolic Link Handling

The following section describes how Aspera handles symbolic links in ascp based on settings configured in the aspera.conf file. The aspera.conf file can be found in the following location:

/opt/aspera/etc/aspera.conf


Configuration Options

The following configuration options are set in the <file_system> section of the aspera.conf file:

    <file_system>
      <symbolic_links>list_of_comma-separated_options</symbolic_links>
    </file_system>

Note: If no option is specified, the configuration defaults to create, follow.

Option Description Client Behavior Server Behavior

create Create symbolic links with arbitrary targets. This option is set by default.

Skip if not configured. Symbolic links are always copied to the server if the client requests.

follow Follow symbolic links with targets inside docroot. If at any point the path goes outside the docroot, ascp will not complete the transfer. This option is set by default.

Symbolic links are always copied to the server if the client requests.

Note: If the docroot is a symbolic link and is specified as the source or destination: As the receiver, follow the target widely (no docroot constraint) and unconditionally (regardless of symbolic link action(s) configured/requested).

Skip if not configured. Follow symbolic links with targets inside the docroot.

Note: If the docroot is a symbolic link and is specified as the source or destination: As the sender, follow the target widely (no docroot constraint) and unconditionally (regardless of symbolic link action(s) configured/requested).

follow_wide Follow symbolic links with arbitrary targets, even if the targets are outside the docroot.

Symbolic links are always copied to the server if the client requests.

Note: If the docroot is a symbolic link and is specified as the source or destination: As the receiver, follow the target widely (no docroot constraint) and unconditionally (regardless of symbolic link action(s) configured/requested).

none Take no action with the symbolic link.

aspera.conf - Authorization
The configuration options in the aspera.conf <authorization/> section.

This topic shows you how to modify the aspera.conf <authorization/> section.

1. Open aspera.conf

/opt/aspera/etc/aspera.conf

You can also find the configuration example in this path:

/opt/aspera/etc/samples/aspera-everything.conf

2. Add or locate the <authorization/> section using a template

The following template includes all options:

    <authorization>
      <transfer>
        <in>
          <value>allow</value> <!-- Incoming Transfer -->
          <external_provider>
            <url>...</url> <!-- Incoming External Provider URL -->
            <soap>...</soap> <!-- Incoming External Provider SOAP Action -->
          </external_provider>
        </in>
        <out>
          <value>allow</value> <!-- Outgoing Transfer -->
          <external_provider>
            <url>...</url> <!-- Outgoing External Provider URL -->
            <soap>...</soap> <!-- Outgoing External Provider SOAP Action -->
          </external_provider>
        </out>
      </transfer>
      <token>
        <encryption_type>aes-128</encryption_type> <!-- Token Encryption Cipher -->
        <encryption_key> </encryption_key> <!-- Token Encryption Key -->
        <filename_hash> </filename_hash> <!-- Token Filename Hash -->
        <life_seconds>86400</life_seconds> <!-- Token Life (seconds) -->
      </token>
    </authorization>

3. Configuration options reference

The following table lists all configuration options:

Field Description Values Default

Incoming Transfers
   Description: The default setting of allow enables users to transfer to this computer. Setting this to deny will prevent transfers to this computer. When set to token, only transfers initiated with valid tokens will be allowed to transfer to this computer. Token-based transfers are typically employed by web applications such as Faspex and require a Token Encryption Key.
   Values: allow, deny, token
   Default: allow

Incoming External Provider URL
   Description: The value entered should be the URL of the external authorization provider for incoming transfers. The default empty setting disables external authorization. Aspera servers can be configured to check with an external authorization provider. This SOAP authorization mechanism can be useful to organizations requiring custom authorization rules.
   Values: HTTP URL
   Default: blank

Incoming External Provider SOAP Action
   Description: The SOAP action required by the external authorization provider for incoming transfers. Required if External Authorization is enabled.
   Values: text string
   Default: blank

Outgoing Transfers
   Description: The default setting of allow enables users to transfer from this computer. Setting this to deny will prevent transfers from this computer. When set to token, only transfers initiated with valid tokens will be allowed to transfer from this computer. Token-based transfers are typically employed by web applications such as Faspex and require a Token Encryption Key.
   Values: allow, deny, token
   Default: allow

Outgoing External Provider URL
   Description: The value entered should be the URL of the external authorization provider for outgoing transfers. The default empty setting disables external authorization. Aspera servers can be configured to check with an external authorization provider. This SOAP authorization mechanism can be useful to organizations requiring custom authorization rules.
   Values: HTTP URL
   Default: blank

Outgoing External Provider SOAP Action
   Description: The SOAP action required by the external authorization provider for outgoing transfers. Required if External Authorization is enabled.
   Values: text string
   Default: blank

Token Encryption Cipher
   Description: The cipher used to generate encrypted authorization tokens.
   Values: aes-128, aes-192, aes-256
   Default: aes-128

Token Encryption Key
   Description: This is the secret text phrase that will be used to authorize those transfers configured to require token. Token generation is part of the Aspera SDK. See the Aspera Developer's Network (Token-based Authorization Topic) for more information.
   Values: text string
   Default: blank

Token Filename Hash
   Description: Which algorithm should filenames inside transfer tokens be hashed with. Use MD5 for backward compatibility.
   Values: sha1, MD5, sha256
   Default: sha1

Token Life (seconds)
   Description: Sets token expiration for users of web-based transfer applications.
   Values: positive integer
   Default: 86400 (24 hrs)


4. Validate aspera.conf

When you have finished updating aspera.conf, use this command to validate it:

$ /opt/aspera/bin/asuserdata -b -v -a
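An offline review of the <authorization> options listed above, as an added example (not an Aspera tool): it parses an aspera.conf and reports token settings a reviewer would question, such as a key copied from this guide's examples or a token requirement with no key available. The finding names, the minimum key length and the embedded sample configuration are assumptions constructed for illustration.

```python
# Added example: audit <authorization> settings in an aspera.conf.
# Not Aspera code; thresholds, finding names and the sample are assumptions.
import xml.etree.ElementTree as ET

# Keys printed in this guide's examples; treat them as publicly known.
DOCUMENTED_SAMPLE_KEYS = {"secret", "secRet"}
MIN_KEY_LENGTH = 20  # assumed local policy, not an Aspera requirement

# Constructed sample input (the asp1 key is a placeholder, not a real key).
SAMPLE_CONF = """
<CONF version="2">
  <default>
    <authorization>
      <transfer>
        <in><value>token</value></in>
        <out><value>allow</value></out>
      </transfer>
      <token>
        <encryption_type>aes-128</encryption_type>
        <encryption_key>secRet</encryption_key>
        <filename_hash>MD5</filename_hash>
        <life_seconds>86400</life_seconds>
      </token>
    </authorization>
  </default>
  <aaa><realms><realm><users>
    <user>
      <name>asp1</name>
      <authorization>
        <transfer><in><value>token</value></in></transfer>
        <token>
          <encryption_key>CONSTRUCTED-PLACEHOLDER-KEY-0000</encryption_key>
          <filename_hash>sha256</filename_hash>
        </token>
      </authorization>
    </user>
  </users></realm></realms></aaa>
</CONF>
"""


def _text(elem, path):
    """Stripped text of a descendant element, or '' when absent or blank."""
    node = elem.find(path) if elem is not None else None
    return (node.text or "").strip() if node is not None else ""


def _scopes(root):
    """Yield (label, <authorization> element) for default, users and groups."""
    for auth in root.findall("default/authorization"):
        yield "default", auth
    for kind in ("user", "group"):
        for entry in root.iter(kind):
            auth = entry.find("authorization")
            if auth is not None:
                yield f"{kind} {_text(entry, 'name')}", auth


def audit_authorization(conf_xml):
    """Return a sorted list of (scope, finding) tuples for one aspera.conf."""
    root = ET.fromstring(conf_xml)
    default_key = _text(root.find("default/authorization"),
                        "token/encryption_key")
    findings = set()
    for scope, auth in _scopes(root):
        key = _text(auth, "token/encryption_key")
        needs_token = "token" in (_text(auth, "transfer/in/value"),
                                  _text(auth, "transfer/out/value"))
        # Token-based transfers require a Token Encryption Key; a user or
        # group without its own key falls back to the default one.
        if needs_token and not (key or default_key):
            findings.add((scope, "token-key-missing"))
        if key in DOCUMENTED_SAMPLE_KEYS:
            findings.add((scope, "token-key-is-documented-sample"))
        elif key and len(key) < MIN_KEY_LENGTH:
            findings.add((scope, "token-key-short"))
        # The guide keeps MD5 only for backward compatibility.
        if _text(auth, "token/filename_hash").lower() == "md5":
            findings.add((scope, "filename-hash-md5"))
        life = _text(auth, "token/life_seconds")
        if life and (not life.isdigit() or int(life) == 0):
            findings.add((scope, "token-life-not-positive-integer"))
    return sorted(findings)


if __name__ == "__main__":
    for scope, finding in audit_authorization(SAMPLE_CONF):
        print(f"{scope}: {finding}")
```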

aspera.conf - Transfer
The configuration options in aspera.conf's <transfer/>.

This topic shows you how to modify aspera.conf's <transfer/> section in a Terminal.

1. Open aspera.conf

/opt/aspera/etc/aspera.conf

You can also find the configuration example in this path:

/opt/aspera/etc/samples/aspera-everything.conf

2. Add or locate the <transfer /> section using a template

The following template includes all options:

    <transfer>
      <in>
        <bandwidth>
          <aggregate>
            <trunk_id>109</trunk_id> <!-- Incoming VLink ID -->
          </aggregate>
          <flow>
            <target_rate>
              <cap></cap> <!-- Incoming Target Rate Cap -->
              <default>10000</default> <!-- Incoming Target Rate Default -->
              <lock>false</lock> <!-- Incoming Target Rate Lock -->
            </target_rate>
            <min_rate>
              <cap></cap> <!-- Incoming Minimum Rate Cap -->
              <default></default> <!-- Incoming Minimum Rate Default -->
              <lock>false</lock> <!-- Incoming Minimum Rate Lock -->
            </min_rate>
            <policy>
              <cap></cap> <!-- Incoming Policy Allowed -->
              <default></default> <!-- Incoming Policy Default -->
              <lock>false</lock> <!-- Incoming Policy Lock -->
            </policy>
            <priority>
              <cap></cap> <!-- Incoming Priority Allowed -->
              <default></default> <!-- Incoming Priority Default -->
              <lock>false</lock> <!-- Incoming Priority Lock -->
            </priority>
            <network_rc>
              <module></module> <!-- Incoming Rate Control Module -->
              <tcp_friendly>no</tcp_friendly> <!-- Incoming TCP Friendly Mode -->
            </network_rc>
          </flow>
        </bandwidth>
      </in>
      <out>
        <bandwidth>
          <aggregate>
            <trunk_id>109</trunk_id> <!-- Outgoing VLink ID -->
          </aggregate>
          <flow>
            <target_rate>
              <cap></cap> <!-- Outgoing Target Rate Cap -->
              <default>10000</default> <!-- Outgoing Target Rate Default -->
              <lock>false</lock> <!-- Outgoing Target Rate Lock -->
            </target_rate>
            <min_rate>
              <cap></cap> <!-- Outgoing Minimum Rate Cap -->
              <default>0</default> <!-- Outgoing Minimum Rate Default -->
              <lock>false</lock> <!-- Outgoing Minimum Rate Lock -->
            </min_rate>
            <policy>
              <cap></cap> <!-- Outgoing Policy Allowed -->
              <default></default> <!-- Outgoing Policy Default -->
              <lock>false</lock> <!-- Outgoing Policy Lock -->
            </policy>
            <priority>
              <cap></cap> <!-- Outgoing Priority Allowed -->
              <default></default> <!-- Outgoing Priority Default -->
              <lock>false</lock> <!-- Outgoing Priority Lock -->
            </priority>
            <network_rc>
              <module></module> <!-- Outgoing Rate Control Module -->
              <tcp_friendly>no</tcp_friendly> <!-- Outgoing TCP Friendly Mode -->
            </network_rc>
          </flow>
        </bandwidth>
      </out>
      <protocol_options>
        <bind_ip_address></bind_ip_address> <!-- Bind IP Address -->
        <bind_udp_port>33001</bind_udp_port> <!-- Bind UDP Port -->
        <disable_batching>false</disable_batching> <!-- Disable Packet Batching -->
        <batch_size>1</batch_size> <!-- Batch Size -->
        <datagram_size>1000</datagram_size> <!-- Datagram Size -->
        <max_sock_buffer>0</max_sock_buffer> <!-- Maximum Socket Buffer (bytes) -->
        <min_sock_buffer>0</min_sock_buffer> <!-- Minimum Socket Buffer (bytes) -->
        <rtt_autocorrect>false</rtt_autocorrect> <!-- RTT auto correction -->
        <rtt_reverse_infer>false</rtt_reverse_infer> <!-- Reverse path congestion inference -->
      </protocol_options>
      <encryption>
        <content_protection_strong_pass_required> <!-- Strong Password Required for Content Protection -->
          false
        </content_protection_strong_pass_required>
        <content_protection_required> <!-- Content Protection Required -->
          false
        </content_protection_required>
        <allowed_cipher>any</allowed_cipher> <!-- Encryption Allowed -->
        <fips_mode>false</fips_mode> <!-- Transfer in FIPS-140-2-certified encryption mode -->
      </encryption>
    </transfer>

3. Configuration options reference

The following table explains all configuration options:

Field Description Values Default

Incoming Vlink ID
Description: The value sets Vlink ID for incoming transfers. Vlinks are a mechanism to define aggregate transfer policies. The default setting of 0 disables Vlinks. One Vlink—the virtual equivalent of a network trunk—represents a bandwidth allowance that may be allocated to a node, a group, or a user. Vlink ID is defined in each Vlink created in Aspera Console. Vlink ID is a unique numeric identifier.
Values: pre-defined value
Default: 0


Incoming Target Rate Cap (Kbps)
Description: The value sets the Target Rate Cap for incoming transfers. The Target Rate Cap is the maximum target rate that a transfer can request, in kilobits per second. No transfer may be adjusted above this setting, at any time. The default setting of Unlimited signifies no Target Rate Cap. Clients requesting transfers with initial rates above the Target Rate Cap will be denied.
Values: positive integer
Default: unlimited

Incoming Target Rate Default (Kbps)
Description: This value represents the initial rate for incoming transfers, in kilobits per second. Users may be able to modify this rate in real time as allowed by the software in use. This setting is not relevant to transfers with a Policy of Fixed.
Values: positive integer
Default: 10000

Incoming Target Rate Lock
Description: After an incoming transfer is started, its target rate may be modified in real time. The default setting of false gives users the ability to adjust the transfer rate. A setting of true prevents real-time modification of the transfer rate.
Values: true, false
Default: false

Incoming Minimum Rate Cap (Kbps)
Description: The value sets the Minimum Rate Cap for incoming transfers. The Minimum Rate Cap is a level specified in kilobits per second, below which an incoming transfer will not slow, despite network congestion or physical network availability. The default value of Unlimited effectively turns off the Minimum Rate Cap.
Values: positive integer
Default: unlimited

Incoming Minimum Rate Default (Kbps)
Description: This value represents the initial minimum rate for incoming transfers, in kilobits per second. Users may be able to modify this rate in real time as allowed by the software in use. This setting is not relevant to transfers with a Policy of Fixed.
Values: positive integer
Default: 0

Incoming Minimum Rate Lock
Description: After an incoming transfer is started, its minimum rate may be modified in real time. The default setting of false gives users the ability to adjust the transfer's minimum rate. A setting of true prevents real-time modification of the transfer rate. This setting is not relevant to transfers with a Policy of Fixed.
Values: true, false
Default: false

Incoming Bandwidth Policy Allowed
Description: The value chosen sets the allowed Bandwidth Policy for incoming transfers. Aspera transfers use fixed, high, fair and low policies to accommodate network-sharing requirements. When set to any, the server will not deny any transfer based on policy setting. When set to high, transfers with a Policy of high and less aggressive transfer policies (e.g. fair or low) will be permitted. When set to fair, transfers of fair and low will be permitted, while fixed transfers will be denied. When set to low, only transfers with a Bandwidth Policy of low will be allowed.
Values: fixed, high, fair (regular), low
Default: any

Incoming Bandwidth Policy Default
Description: The value chosen sets the default Bandwidth Policy for incoming transfers. The default policy value may be overridden by client applications initiating transfers.
Values: fixed, high, fair (regular), low
Default: fair

Incoming Bandwidth Policy Lock
Description: After an incoming transfer is started, its Policy may be modified in real time. The default setting of false gives users the ability to adjust the transfer's Policy. A setting of true prevents real-time modification of the Policy.
Values: true, false
Default: false

Incoming Priority Allowed
Description: The highest priority your client can request. Use the value 0 to unset this option; 1 to allow high priority, 2 to enforce normal priority.
Values: 0, 1, 2
Default: 1

Incoming Priority Default
Description: The initial priority setting. Use the value 0 to unset this option, 1 to allow high priority; 2 to enforce normal priority.
Values: 0, 1, 2
Default: 2

Incoming Priority Lock
Description: To prevent your clients from changing the priority, set the value to true.
Values: true, false
Default: false

Module (for incoming rate control)
Description: Located within the incoming </network_rc> stanza, this hidden setting is meant for advanced users to select an incoming rate control module (which will only be applied at the local "receiver" side). It should only be used with special instructions for debugging. Options include:
• delay-odp: queue scaling controller
• delay-adv: advanced rate controller
• air: FASP air
Values: delay-odp, delay-adv, air
Default: blank

TCP Friendly (for incoming rate control)
Description: Located within the incoming </network_rc> stanza, this hidden setting is meant for advanced users to turn TCP-friendly mode on or off (which will only be applied at the local "receiver" side when the transfer policy is set to fair). It should only be used with special instructions for debugging. If turned on ("yes"), this mode allows an incoming FASP transfer to maintain relative fair bandwidth share with a TCP flow under congestion.
Values: yes, no
Default: no

Outgoing Vlink ID
Description: The value sets Vlink ID for outgoing transfers. Vlinks are a mechanism to define aggregate transfer policies. The default setting of 0 disables Vlinks. One Vlink—the virtual equivalent of a network trunk—represents a bandwidth allowance that may be allocated to a node, a group, or a user. Vlink ID is defined in each Vlink created in Aspera Console. The Vlink ID is a unique numeric identifier.
Values: pre-defined value
Default: 0

Outgoing Target Rate Cap (Kbps)
Description: The value sets the Target Rate Cap for outgoing transfers. The Target Rate Cap is the maximum target rate that a transfer can request, in kilobits per second. No transfer may be adjusted above this setting, at any time. The default setting of Unlimited signifies no Target Rate Cap. Clients requesting transfers with initial rates above the Target Rate Cap will be denied.
Values: positive integer
Default: unlimited

Outgoing Target Rate Default (Kbps)
Description: This value represents the initial rate for outgoing transfers, in kilobits per second. Users may be able to modify this rate in real time as allowed by the software in use. This setting is not relevant to transfers with a Policy of Fixed.
Values: positive integer
Default: 10000

Outgoing Target Rate Lock
Description: After an outgoing transfer is started, its target rate may be modified in real time. The default setting of false gives users the ability to adjust the transfer rate. A setting of true prevents real-time modification of the transfer rate.
Values: true, false
Default: false

Outgoing Minimum Rate Cap (Kbps)
Description: The value sets the Minimum Rate Cap for outgoing transfers. The Minimum Rate Cap is a level specified in kilobits per second, below which an outgoing transfer will not slow, despite network congestion or physical network availability. The default value of Unlimited effectively turns off the Minimum Rate Cap.
Values: positive integer
Default: unlimited

Outgoing Minimum Rate Default
Description: This value represents the initial minimum rate for outgoing transfers, in kilobits per second. Users may be able to modify this rate in real time as allowed by the software in use. This setting is not relevant to transfers with a Policy of Fixed.
Values: positive integer
Default: 0

Outgoing Minimum Rate Lock
Description: After an outgoing transfer is started, its minimum rate may be modified in real time. The default setting of false gives users the ability to adjust the transfer's minimum rate. A setting of true prevents real-time modification of the transfer rate. This setting is not relevant to transfers with a Policy of Fixed.
Values: true, false
Default: false

Outgoing Bandwidth Policy Allowed
Description: The value chosen sets the allowed Bandwidth Policy for outgoing transfers. Aspera transfers use fixed, high, fair and low policies to accommodate network-sharing requirements. When set to any, the server will not deny any transfer based on policy setting. When set to high, transfers with a Policy of high and less aggressive transfer policies (e.g. fair or low) will be permitted. When set to fair, transfers of fair and low will be permitted, while fixed transfers will be denied. When set to low, only transfers with a Bandwidth Policy of low will be allowed.
Values: fixed, high, fair (regular), low
Default: any

Outgoing Bandwidth Policy Default
Description: The value chosen sets the default Bandwidth Policy for outgoing transfers. The default policy value may be overridden by client applications initiating transfers.
Values: fixed, high, fair (regular), low
Default: fair

Outgoing Bandwidth Policy Lock
Description: After an outgoing transfer is started, its Policy may be modified in real time. The default setting of false gives users the ability to adjust the transfer's Policy. A setting of true prevents real-time modification of the Policy.
Values: true, false
Default: false

Outgoing Priority Allowed
Description: The highest priority your client can request. Use the value 0 to unset this option; 1 to allow high priority, 2 to enforce normal priority.
Values: 0, 1, 2
Default: 1

Outgoing Priority Default
Description: The initial priority setting. Use the value 0 to unset this option, 1 to allow high priority; 2 to enforce normal priority.
Values: 0, 1, 2
Default: 2

Outgoing Priority Lock
Description: To prevent your clients from changing the priority, set the value to true.
Values: true, false
Default: false

Module (for outgoing rate control)
Description: Located within the outgoing </network_rc> stanza, this hidden setting is meant for advanced users to select an outgoing rate control module (which will only be applied at the local "receiver" side). It should only be used with special instructions for debugging. Options include:
• delay-odp: queue scaling controller
• delay-adv: advanced rate controller
• air: FASP air
Values: delay-odp, delay-adv, air
Default: blank

TCP Friendly (for outgoing rate control)
Description: Located within the outgoing </network_rc> stanza, this hidden setting is meant for advanced users to turn TCP-friendly mode on or off (which will only be applied at the local "receiver" side when the transfer policy is set to fair). It should only be used with special instructions for debugging. If turned on ("yes"), this mode allows an outgoing FASP transfer to maintain relative fair bandwidth share with a TCP flow under congestion.
Values: yes, no
Default: no

Bind IP Address
Description: Specify an IP address for server-side ascp to bind its UDP connection. If a valid IP address is given, ascp sends and receives UDP packets only on the interface corresponding to that IP address.
Important: The bind address should only be modified (changed to an address other than 127.0.0.1) if you, as the System Administrator, understand the security ramifications of doing so, and have undertaken precautions to secure the SOAP service.
Values: valid IPv4 address
Default: blank

Bind UDP Port
Description: Prevent the client-side ascp process from using the specified UDP port.
Values: integer between 1 and 65535
Default: 33001

Disable Packet Batching
Description: When set to true, send data packets back to back (no sending a batch of packets). This results in smoother data traffic at a cost of higher CPU usage.
Values: true, false
Default: false

Batch Size
Description: When set to "0" (default), the system uses a pre-computed batch size. Set this to "1" for high concurrency servers (senders) in order to reduce CPU utilization in aggregate.
Values: Integer
Default: 0

Datagram Size
Description: Sets the datagram size on the server side. If size is set with both -Z (client side) and <datagram_size> (server side), the <datagram_size> setting is used. In cases where the client-side is pre-3.3, datagram size is determined by the -Z setting, regardless of the server-side setting for <datagram_size>. In such cases, if there is no -Z setting, datagram size is based on the discovered MTU and the server logs the message "LOG Peer client doesn't support alternative datagram size".
Values: Integer
Default: 1492

Maximum Socket Buffer (bytes)
Description: Upper bound the UDP socket buffer of an ascp session below the input value. The default of 0 will cause the Aspera sender to use its default internal buffer size, which may be different for different operating systems.
Values: positive integer
Default: 0

Minimum Socket Buffer (bytes)
Description: Set the minimum UDP socket buffer size for an ascp session.
Values: positive integer
Default: 0

RTT auto correction
Description: Enable auto correction of base (minimum) RTT measurement. This feature is helpful for maintaining accurate transfer rates in hypervisor-based virtual environments.
Values: true, false
Default: false

Reverse path congestion inference
Description: Enable reverse path congestion inference, where the default setting of "true" prevents the transfer speed of a session from being adversely affected by congestion in the reverse (non data-sending) transfer direction. This feature is useful for boosting speed in bi-directional transfers.
Values: true, false
Default: true

Strong Password Required for Content Encryption
Description: When set to true, require the password for content encryption to contain at least 6 characters, of which at least 1 is non-alphanumeric, at least 1 is a letter, and at least 1 is a digit.
Values: true, false
Default: false

Content Protection Required
Description: When set to true,
• Users will be required on upload to enter a password to encrypt the files on the server.
• Users will be given the option when downloading to decrypt during transfer.
Important: When a transfer falls back to HTTP or HTTPS, content protection is no longer supported. If HTTP fallback occurs while downloading, then--despite entering a passphrase--the files will remain encrypted (i.e., enveloped). If HTTP fallback occurs while uploading, then--despite entering a passphrase--the files will NOT be encrypted (i.e., enveloped).
Values: true, false
Default: false

Encryption Allowed
Description: Describes the type of transfer encryption accepted by this computer. When set to any the computer allows both encrypted and non-encrypted transfers. When set to none the computer restricts transfers to non-encrypted transfers only. When set to aes-128 the computer restricts transfers to encrypted transfers only.
Values: any, none, aes-128
Default: any

Do encrypted transfers in FIPS-140-2-certified encryption mode
Description: When set to true, ascp will use a FIPS 140-2-certified encryption module. Note: When this feature is enabled, transfer start is delayed while the FIPS module is verified.
Values: true, false
Default: false

4. Validate aspera.conf

When you have finished updating aspera.conf, use this command to validate it:

$ /opt/aspera/bin/asuserdata -b -v -a

aspera.conf - File System

The configuration options in aspera.conf's <file_system/>.

This topic shows you how to modify aspera.conf's <file_system/> section in a Terminal.

1. Open aspera.conf

/opt/aspera/etc/aspera.conf

You can also find the configuration example in this path:

/opt/aspera/etc/samples/aspera-everything.conf

2. Add or locate the <file_system /> section using a template

Here is a template that includes all options:

<file_system>
  <access>
    <paths>
      <path>
        <absolute peer_ip="ip_address">/path/$(name)</absolute>  <!-- Absolute Path (conditional) -->
        <absolute>/path/$(name)</absolute>  <!-- Absolute Path -->
        <read_allowed>true</read_allowed>  <!-- Read Allowed -->
        <write_allowed>true</write_allowed>  <!-- Write Allowed -->
        <dir_allowed>true</dir_allowed>  <!-- Browse Allowed -->
      </path>
    </paths>
  </access>
  <read_block_size>0</read_block_size>  <!-- Read Block Size -->
  <write_block_size>0</write_block_size>  <!-- Write Block Size -->
  <use_file_cache>true</use_file_cache>  <!-- Use File Cache -->
  <max_file_cache_buffer>0</max_file_cache_buffer>  <!-- Max File Cache Buffer-->
  <resume_suffix>.aspx</resume_suffix>  <!-- Resume Suffix -->
  <preserve_attributes> </preserve_attributes>  <!-- Preserve Attributes -->
  <overwrite>allow</overwrite>  <!-- Overwrite -->
  <file_manifest>disable</file_manifest>  <!-- File Manifest -->
  <file_manifest_path>path</file_manifest_path>  <!-- File Manifest Path -->
  <pre_calculate_job_size>any</pre_calculate_job_size>  <!-- Pre-Calculate Job Size -->
  <storage_rc>
    <adaptive>true</adaptive>  <!-- Storage Rate Control -->
  </storage_rc>
  <file_create_mode> </file_create_mode>  <!-- File Create Mode -->
  <file_create_grant_mask>644</file_create_grant_mask>  <!-- File Create Grant Mask -->
  <directory_create_mode> </directory_create_mode>  <!-- Directory Create Mode -->
  <directory_create_grant_mask>755</directory_create_grant_mask>  <!-- Directory Create Grant Mask -->
  <excludes>  <!-- Exclude Pattern -->
    <exclude></exclude>
    <exclude></exclude>
    ...
  </excludes>
  <partial_file_suffix>.partial</partial_file_suffix>  <!-- Partial File Suffix -->
</file_system>

3. Configuration options reference

The following table lists all configuration options:

Field Description Values Default

Absolute Path
Description: The Absolute Path is a path to the docroot, the area of the file system that is accessible to Aspera users. The default empty value gives users access to the entire file system. In aspera.conf, you can set multiple docroots and make them conditional based on the IP address from which the connection is made. To do so, set the absolute path as follows:

<absolute peer_ip="ip_address">path</absolute>

Note:

You may also specify an Amazon S3 docroot in the following URI format: s3://MY_ACCESS_ID:[email protected]/my_bucket/my_path

(where each of the MY_ACCESS_ID, MY_SECRET_KEY and my_bucket/my_path parts must be url_encoded).

S3 server side options are specified through an additional query part in the URI, as shown below.

s3://MY_ACCESS_ID:[email protected]/my_bucket/my_path?storage-class=REDUCED_REDUNDANCY&server-side-encryption=AES256

Valid values are as follows:

• For storage-class: STANDARD (default if not specified) or REDUCED_REDUNDANCY.
• For server-side-encryption: AES256 is the only valid value.

Values: file path or Amazon S3 URI
Default: blank

Read Allowed
Description: Setting this to true allows users to transfer from the designated area of the file system as specified by the Absolute Path value.
Values: true, false
Default: blank

Write Allowed
Description: Setting this to true allows users to transfer to the designated area of the file system as specified by the Absolute Path value.
Values: true, false
Default: blank


Browse Allowed
Description: Setting this to true allows users to browse the directory.
Values: true, false
Default: blank

Read Block Size (bytes)
Description: This is a performance-tuning parameter for an Aspera sender (which only takes effect if the sender is a server). It represents the maximum number of bytes that can be stored within a block as the block is being transferred from the source disk drive to the receiver. The default of 0 will cause the Aspera sender to use its default internal buffer size, which may be different for different operating systems.
Values: positive integer, where 500 MB or 524,288,000 bytes is the maximum block size.
Default: 0

Write Block Size (bytes)
Description: This is a performance-tuning parameter for an Aspera receiver (which only takes effect if the receiver is a server). It represents the maximum bytes within a block that an ascp receiver can write to disk. The default of 0 will cause the Aspera receiver to use its default internal buffer size, which may be different for different operating systems.
Values: positive integer, where 500 MB or 524,288,000 bytes is the maximum block size.
Default: 0

Use File Cache
Description: This is a performance tuning parameter for an Aspera receiver. Enable or disable per-file memory caching at the data receiver. File level memory caching improves data write speed on Windows platforms in particular, but will use more memory. We suggest using a file cache on systems that are transferring data at speeds close to the performance of their storage device, and disabling it for systems with very high concurrency (because memory utilization will grow with the number of concurrent transfers).
Values: true, false
Default: true

Max File Cache Buffer (bytes)
Description: This is a performance tuning parameter for an Aspera receiver. This value corresponds to the maximal size allocated for per-file memory cache (see Use File Cache). Unit is bytes. The default of 0 will cause the Aspera receiver to use its internal buffer size, which may be different for different operating systems.
Values: positive integer
Default: 0

Resume Suffix
Description: File name extension for temporary metadata files used for resuming incomplete transfers. Each data file in progress will have a corresponding metadata file with the same name plus the resume suffix specified by the receiver. Metadata files in the source of a directory transfer are skipped if they end with the sender's resume suffix.
Values: text string
Default: .aspx

Preserve Attributes
Description: Configure file creation policy. When set to none, do not preserve the timestamp of source files. When set to times, preserve the timestamp of the source files at destination.
Note: For Limelight storage, only the preservation of modification time is supported.
Values: none, times
Default: blank


Overwrite
Description: Overwrite is an Aspera server setting that determines whether Aspera clients are allowed to overwrite files on the server. By default it is set to allow, meaning that clients uploading files to the servers will be allowed to overwrite existing files as long as file permissions allow that action. If set to deny, clients uploading files to the server will not be able to overwrite existing files, regardless of file permissions.
Values: allow, deny
Default: allow

File Manifest
Description: When set to text a text file "receipt" of all files within each transfer session is generated. If set to disable, no File Manifest is created. The file manifest is a file containing a list of everything that was transferred in a given transfer session. The filename of the File Manifest itself is automatically generated based on the transfer session's unique ID. The location where each manifest is written is specified by the File Manifest Path value. If no File Manifest Path is specified, the file will be generated under the destination path at the receiver, and under the first source path at the sender.
Values: text, disable
Default: none

File Manifest Path
Description: Specify the location to store manifest files. Can be an absolute path or a path relative to the transfer user's home.
Note: File manifests can only be stored locally. Thus, if you are using S3, or other non-local storage, you must specify a local manifest path.
Values: text string
Default: blank

Pre-Calculate Job Size
Description: Configure the policy of calculating total job size before data transfer. If set to any, follow client configurations (-o PreCalculateJobSize={yes|no}). If set to no, disable calculating job size before transferring. If set to yes, enable calculating job size before transferring.
Values: any, yes, no
Default: any

File Create Mode
Description: Specify file creation mode (permissions). If specified, create files with these permissions (for example 0755), irrespective of File Create Grant Mask and permissions of the file on the source computer. Only takes effect when the server is a non-Windows receiver.
Values: positive integer (octal)
Default: undefined

File Create Grant Mask
Description: Used to determine mode for newly created files if File Create Mode is not specified. If specified, file modes will be set to their original modes plus the Grant Mask values. Only takes effect when the server is a non-Windows receiver and when File Create Mode is not specified.
Values: positive integer (octal)
Default: 644

Directory Create Mode
Description: Specify directory creation mode (permissions). If specified, create directories with these permissions irrespective of Directory Create Grant Mask and permissions of the directory on the source computer. Only takes effect when the server is a non-Windows receiver.
Values: positive integer (octal)
Default: undefined


Directory Create Grant Mask
Description: Used to determine mode for newly created directories if Directory Create Mode is not specified. If specified, directory modes will be set to their original modes plus the Grant Mask values. Only takes effect when the server is a non-Windows receiver and when Directory Create Mode is not specified.
Values: positive integer (octal)
Default: 755

File Exclude Pattern List
Description: Exclude files or directories with the specified pattern in the transfer. Add multiple entries for more exclusion patterns. Two symbols can be used in the setting of patterns:
• * (Asterisk) Represents zero to many characters in a string, for example, *.tmp matches .tmp and abcde.tmp.
• ? (Question Mark) Represents one character, for example, t?p matches tmp but not temp.
Values: text entries
Default: blank

Partial File Name Suffix
Description: Filename extension on the destination computer while the file is being transferred. Once the file has been completely transferred, this filename extension is removed.
If hot folders will be used as the upload destination, the partial filename suffix should be set even if it means setting it to the default value .partial. Setting it prevents partial files from being downloaded from a hot folder.
Note: This option only takes effect when it is set on the receiver side.
Values: text string
Default: blank

4. Validate aspera.conf

When you have finished updating aspera.conf, use this command to validate it:

$ /opt/aspera/bin/asuserdata -b -v -a
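The encryption options in <transfer> and the docroot, overwrite and create-mode options in <file_system> described above decide whether data can move unencrypted and how much of the file system a transfer user can reach. The audit below is an added example, not part of the Aspera documentation or tooling; both sample configurations, the placeholder docroot and the placement of the sections under <default> are constructed, and inheritance between default, group and user settings is not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed weak configuration in the layout of the page's templates. The
# placement under <default> and the 666 grant mask are assumptions.
WEAK_CONF = """<CONF version="2"><default>
  <transfer><encryption>
    <content_protection_strong_pass_required> <!--Strong Password Required-->
      false
    </content_protection_strong_pass_required>
    <content_protection_required> <!--Content Protection Required-->
      false
    </content_protection_required>
    <allowed_cipher>any</allowed_cipher>
  </encryption></transfer>
  <file_system>
    <access><paths><path><absolute></absolute></path></paths></access>
    <overwrite>allow</overwrite>
    <file_create_grant_mask>666</file_create_grant_mask>
    <directory_create_grant_mask>755</directory_create_grant_mask>
  </file_system>
</default></CONF>"""

# Constructed hardened counterpart; /srv/transfer is a placeholder docroot.
HARDENED_CONF = """<CONF version="2"><default>
  <transfer><encryption>
    <content_protection_strong_pass_required>true</content_protection_strong_pass_required>
    <content_protection_required>true</content_protection_required>
    <allowed_cipher>aes-128</allowed_cipher>
  </encryption></transfer>
  <file_system>
    <access><paths><path><absolute>/srv/transfer/$(name)</absolute></path></paths></access>
    <overwrite>deny</overwrite>
    <file_create_grant_mask>640</file_create_grant_mask>
    <directory_create_grant_mask>750</directory_create_grant_mask>
  </file_system>
</default></CONF>"""

MODE_TAGS = ("file_create_mode", "file_create_grant_mask",
             "directory_create_mode", "directory_create_grant_mask")


def _text(element):
    """Element value with inline comments skipped (the template puts them first)."""
    return "".join([element.text or ""] + [c.tail or "" for c in element]).strip()


def _option(parent, tag, default=""):
    """Value of parent/<tag>; the documented default when absent or blank."""
    element = parent.find(tag)
    return (_text(element) if element is not None else "") or default


def audit(xml_text):
    """Return (option, value, reason) tuples for settings that deserve review."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    found = []
    for enc in root.iter("encryption"):
        cipher = _option(enc, "allowed_cipher", "any")
        if cipher != "aes-128":
            found.append(("allowed_cipher", cipher, "non-encrypted transfers accepted"))
        for tag, why in (
                ("content_protection_required", "upload passphrase not required"),
                ("content_protection_strong_pass_required", "weak passphrases accepted")):
            if _option(enc, tag, "false") != "true":
                found.append((tag, "false", why))
    for fs in root.iter("file_system"):
        for docroot in [_text(a) for a in fs.iter("absolute")] or [""]:
            if not docroot:
                found.append(("absolute", "", "empty docroot exposes the whole file system"))
            elif docroot.startswith("s3://"):
                userinfo, at, _ = docroot[5:].partition("@")
                if at and ":" in userinfo:
                    found.append(("absolute", "s3://<redacted>",
                                  "S3 secret key stored in aspera.conf"))
        if _option(fs, "overwrite", "allow") == "allow":
            found.append(("overwrite", "allow", "clients may overwrite existing files"))
        for tag in MODE_TAGS:
            raw = _option(fs, tag)
            if not raw:
                continue
            try:
                bits = int(raw, 8)
            except ValueError:
                found.append((tag, raw, "not an octal mode"))
                continue
            if bits & 0o002:
                found.append((tag, raw, "new entries become world-writable"))
    return found


def flagged(xml_text):
    """Sorted option names that audit() reports for this configuration."""
    return sorted({option for option, _, _ in audit(xml_text)})


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, flagged(conf) or "no findings")
```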


Global Transfer Settings

The system-wide and default FASP transfer settings for your computer.

Global Bandwidth Settings

Allocate the global bandwidth for FASP file transfers.

Aspera's FASP transport has no theoretical throughput limit. Other than the network capacity, the transfer speed may be limited by rate settings and resources of the computers. This topic describes how to optimize the transfer rate by setting up the global rate settings.

To set the global bandwidth using the command line, open aspera.conf (/opt/aspera/etc/aspera.conf) with a text editor. The following example sets the global bandwidth with these values:

Item Value

Upload bandwidth limit (outgoing): 88 Mbps (88000 Kbps)

Download bandwidth limit (incoming): 99 Mbps (99000 Kbps)

<?xml version='1.0' encoding='UTF-8'?>
<CONF version="2">
  ...
  <trunks>
    <trunk>  <!-- Create a Vlink with 88000 Kbps bandwidth cap. -->
      <id>108</id>  <!-- ID: 108 -->
      <capacity><value>88000</value></capacity>
      <on>true</on>
    </trunk>
    <trunk>  <!-- Create a Vlink with 99000 Kbps bandwidth cap. -->
      <id>109</id>  <!-- ID: 109 -->
      <capacity><value>99000</value></capacity>
      <on>true</on>
    </trunk>
  </trunks>

  <default>  <!-- Global settings.-->
    <transfer>
      <out>  <!-- Use Vlink ID: 108 for global outgoing bandwidth. -->
        <bandwidth><aggregate><trunk_id>108</trunk_id></aggregate></bandwidth>
      </out>
      <in>  <!-- Use Vlink ID: 109 for global incoming bandwidth. -->
        <bandwidth><aggregate><trunk_id>109</trunk_id></aggregate></bandwidth>
      </in>
    </transfer>
  </default>
</CONF>


Setting Up Virtual Links

Create and apply the aggregate bandwidth cap.

Virtual link (Vlink) is a feature that allows "virtual" bandwidth caps. Transfer sessions assigned to the same "virtual" link conform to the aggregate bandwidth cap and attain an equal share of it. This section first shows you how to set up Vlinks, then explains how to apply them to computers or users.

Follow these steps to configure Vlinks:

1. Create Vlinks in aspera.conf

To create Vlinks, open aspera.conf with a text editor:

/opt/aspera/etc/aspera.conf

You can refer to the configuration example:

/opt/aspera/etc/samples/aspera-everything.conf

Locate or create the section <trunks>...</trunks>. For each vlink, add a <trunk>...</trunk>:

<CONF version="2">
  ...
  <trunks>
    <trunk>
      <id>108</id>  <!-- Vlink ID -->
      <name>50Mbps cap</name>  <!-- Vlink Name -->
      <capacity>
        <value>50000</value>  <!-- Capacity -->
      </capacity>
      <on>true</on>  <!-- On -->
      <mcast_port>55001</mcast_port>  <!-- Multicast Port -->
      <mcast_ttl></mcast_ttl>  <!-- Multicast TTL -->
    </trunk>
  </trunks>
</CONF>

Here is a description of the Vlink tags:

# Tag Description Values Default

1. Vlink ID
Description: The Vlink ID. Sessions assigned with the same trunk ID share the same bandwidth cap.
Values: positive integer between 1 and 255.
Default: N/A

2. Vlink Name
Description: The Vlink name. This value has no impact on actual bandwidth capping.
Values: text string
Default: blank

3. Capacity
Description: This value reflects the virtual bandwidth cap in Kbps. When applying this Vlink to a transfer (e.g. Default outgoing), the transfer's bandwidth will be restricted by this value.
Values: positive integer in Kbps
Default: 50000

4. On
Description: Select true to activate this Vlink; select false to deactivate it.
Values: true/false
Default: false

5. Multicast Port
Description: This sets the UDP port through which the virtual link sends and receives multicast communication messages. Sessions sharing the same virtual bandwidth cap need to have the same port number. To avoid port conflicts, it is recommended to use the default UDP port 55001. Do NOT set the port number to the same one used by FASP data transfer (33001).
Values: positive integer between 1 and 65535
Default: 55001

6. Multicast TTL
Description: This sets the Time-to-Live (TTL) field in the IP header for Vlink multicast packets.
Values: positive integer between 1 and 255
Default: blank

2. Apply a Vlink to a transfer

You can assign a Vlink to the global, user, or group settings in aspera.conf.

In this example, assuming we have created three Vlinks (108, 109 and 110), we apply Vlinks to the outgoing bandwidth of the global settings and of a user:

<CONF version="2">
  ...
  <default>
    <transfer>
      <out>
        <bandwidth><aggregate>
          <trunk_id>108</trunk_id>  <!-- Vlink #108 for the default outgoing sessions. -->
        </aggregate></bandwidth>
      </out>
      <in>
        ...
      </in>
    </transfer>
  </default>
  <aaa><realms><realm>
    <users>
      <user>
        <name>asp1</name>
        <transfer>
          <out>
            <bandwidth><aggregate>
              <trunk_id>109</trunk_id>  <!-- Vlink #109 to the user asp1's outgoing sessions. -->
            </aggregate></bandwidth>
          </out>
          <in>
            ...
          </in>
        </transfer>
      </user>
    </users>
  </realm></realms></aaa>
</CONF>

Important: If you have a local firewall on your server (Windows firewall, Linux iptables or Mac ipfw), thenyou will need to allow the Vlink UDP port (55001, by default) for multicast traffic.

Transfer Server Configuration

Set up the transfer server and more global/default settings.

Note: To configure the transfer server, you must run the application with admin or root privileges in order to enable the Configuration screen.

To configure the Aspera Central transfer server in a Terminal, open aspera.conf with a text editor (/opt/aspera/etc/aspera.conf), and locate or create the transfer server's section <central_server>...</central_server>:

<CONF version="2">
  ...
  <central_server>
    <address>127.0.0.1</address> <!-- Address -->
    <port>40001</port> <!-- Port -->
    <persistent_store>enable</persistent_store> <!-- Persistent store -->
    <files_per_session>1000</files_per_session> <!-- Files per session -->
    <persistent_store_path>blank</persistent_store_path> <!-- Persistent store path -->
    <persistent_store_max_age>86400</persistent_store_max_age> <!-- Max Age (sec) -->
    <persistent_store_on_error>ignore</persistent_store_on_error> <!-- Ignore on error -->
    <compact_on_startup>enable</compact_on_startup> <!-- Compact on startup -->
  </central_server>
</CONF>

The Aspera Central transfer server's configuration options:

| Field | Description | Values | Default |
| --- | --- | --- | --- |
| Address | This is the network interface address on which the transfer server listens. The default value 127.0.0.1 enables the transfer server to accept transfer requests from the local computer; the value 0.0.0.0 allows the transfer server to accept requests on all network interfaces for this node. Alternatively, a specific network interface address may be specified. | Valid IPv4 address | 127.0.0.1 |
| Port | The port at which the transfer server accepts transfer requests. | Positive integer between 1 and 65535 | 40001 |
| Persistent Storage | Retain data that is stored in the database between reboots of Aspera Central. | Enable, Disable | Enable |
| Files per session | The maximum number of files that can be retained for persistent storage. | Positive integer | 1000 |
| Persistent Storage Path | Path to store data between reboots of Aspera Central. If the path is currently a directory, then a file is created with the default name central-store.db. Otherwise, the file will be named as specified in the path. | Valid system path | /opt/aspera/var/ (if product is installed in default directory) |
| Maximum age (Seconds) | Maximum allowable age (in seconds) of data to be retained in the database. | Positive integer | 86400 |
| Exit Central on storage error | Terminate the Aspera Central server if an error writing to the database occurs. | Ignore, Exit | Ignore |
| Compact database on startup | Enable or disable compacting (vacuuming) the database when the transfer server starts. | Enable, Disable | Enable |

For additional Connect Server features (Database Logger, HTTP Fallback), refer to the following sections:

| Category | Description |
| --- | --- |
| Database Logger on page 67 | Using a MySQL database to keep track of all transfers on your server. |
| Configuring HTTP and HTTPS Fallback on page 23 | Configure the HTTP Fallback server for your Connect Server, allowing file transfer through HTTP. |

If you are configuring the Connect Server in a Terminal, refer to these sections:

| Category | Description |
| --- | --- |
| aspera.conf - Authorization on page 38 | Connection permissions, token key, and encryption requirements. |
| aspera.conf - Transfer on page 40 | Incoming and outgoing transfer bandwidth and policy settings. |
| aspera.conf - File System on page 48 | Network IP, port, and socket buffer settings. |

If you have modified these settings in command line, execute these commands to restart Aspera Central and HTTP Fallback Server:

Solaris:

$ /etc/init.d/asperacentral restart
$ /etc/init.d/asperahttpd restart

FreeBSD:

$ /etc/rc.d/asperacentral restart
$ /etc/rc.d/asperahttpd restart

Managing the Node API

Managing the IBM Aspera Enterprise Server Node API

Overview: Aspera Node API

Capabilities of the Aspera Node API

The Aspera Node API is a feature of IBM Aspera Connect Server that provides a RESTful interface for full programmatic control of the Aspera transfer server environment. The Node API is a daemon that supports APIs for remote file operations, as well as initiating uploads and downloads.

The Node API includes the following features and functionality:

• An HTTPS (by default port 9092) and HTTP (by default port 9091) interface.
• An API encoded in JSON.
• The API is authenticated and the node daemon uses its own application-level users (node users).
• A node admin utility called “asnodeadmin,” which can be utilized to add and manage node users.

You can use the Node API to set up the following configurations:

• Set up a remote transfer server for Aspera Faspex. In this configuration, the Aspera Faspex Web UI is on Machine A, while the transfer server (an Enterprise Server node) is on Machine B. Machine A communicates with Machine B over HTTPS, by default.

• Set up nodes for Aspera Shares. In this configuration, the Aspera Shares Web UI is on Machine A, while content nodes (Enterprise Server nodes) are created on Machines B, C and D. Users can then be granted permission to access specific directories (shares) on nodes B, C and D.

Node API Setup

Setting up the Aspera Node API.

To set up the Aspera Node API, follow the instructions below. These instructions assume that you have already installed Enterprise (or Connect) Server 3.0+.

1. Create a Node API username.

Aspera's Web applications authenticate to the remote node service using a Node API username and password. The following command creates a Node API user/password and associates it with a file transfer user, asp1, which you will create in the next step. The Node API credentials can then be used to create nodes. Note that different nodes may use different Node API username/password pairs.

# /opt/aspera/bin/asnodeadmin -a -u node_api_username -p node_api_passwd -x asp1

2. Create a file transfer user.

The file transfer user authenticates the actual ascp transfer, and must be an operating system account on the node. To create a transfer user (for example, asp1), run the following command:

# useradd asp1

After you've created the operating system account, set up this user in Connect Server. For instructions on setting up a user, see .

Note: The file transfer user requires a docroot. After setting a user's docroot, be sure to perform a reload, as described in aspera.conf for Nodes.

3. (Optional) Change HTTPS port and/or SSL certificate.

The Aspera Node API provides an HTTPS interface for encrypted communication between node machines (on port 9092, by default). To modify the HTTPS port, see aspera.conf for Nodes. For information on maintaining and generating a new SSL certificate, see Setting up SSL for your Nodes on page 64.

Setting up Node Users

Using asnodeadmin to set up node users

The asnodeadmin program can be used to manage (add, modify, delete, and list) node users. For each node user, you must indicate the following:

• Node username
• Node user's password
• Transfer/system username, which must be an operating system account on the node. This username is critical, since it's the user who authenticates the actual ascp transfer. If the transfer user is not mapped to the node user, then you will receive an error.

Recall that in the topic "Node API Setup," we created a node user and linked this user to file transfer user "asp1." For asnodeadmin usage, please refer to the topic "Node Admin Tool."

Important: Note that adding, modifying or deleting a node user triggers automatic reloading of the conf and license files, as well as the user database.

Usage Examples

(All short options; use asnodeadmin -h to see the corresponding long options).

1. Add user “usr1” with password “pwd1” (will be prompted to enter if the -p option is not given) and associated transfer/system user “aspera”:

# asnodeadmin -au usr1 -x aspera [-p pwd1]

2. Add user “usr2” with password “pwd2” and associated system/transfer user “root”:

# asnodeadmin -au usr2 -p pwd2 -x root

3. Modify user “usr1” by assigning it a different password, “pwd1.1”:

# asnodeadmin -mu usr1 -p pwd1.1

4. List users in the current user DB:

# asnodeadmin -l

5. Delete user “usr1”:

# asnodeadmin -du usr1

Node Admin Tool

Usage Instructions for asnodeadmin

The help file below displays asnodeadmin options, which can be used to configure node users.

Note: Running asnodeadmin requires root privileges.

$ sudo /opt/aspera/bin/asnodeadmin -h

Usage: asnodeadmin [options]

Options:
  -h,--help                    Display usage.
  -A,--version                 Display version.
  -f conf_file                 Conf file pathname (default: aspera.conf).
  --reload                     Reload configuration settings, including the conf file
                               (also done implicitly upon user add, modify and delete).
  -a,--add                     Add a user (also reloads configuration).
  -d,--del[ete]                Delete an existing user (also reloads configuration).
  -m,--mod[ify]                Modify an existing user (also reloads configuration).
  --acl-add                    Add new ACLs for a user. May be used with -m or -a.
  --acl-set                    Sets ACLs (clears old ACLs) for a user. May be used with -m or -a.
  --acl-del                    Deletes ACLs for a user. May be used with -m.
  --acl-list                   Lists all current ACLs for a user.
  --internal                   Required for adding, modifying, or deleting internal users.
  -l,--list                    List users.
  -u,--user=username           Specify username.
  -p,--{pwd|password}=passwd   Specify password.
  -x,--xuser=xfer_username     Specify system transfer user.
  -b,--backup=filename         Back_up user data to a file.
  -r,--restore=filename        Restore user data from a file.
  -P                           Display hashed passwords as well when listing users.
  -L local_log_dir             Local logging directory (default: no logging).
  -D...                        Debug level (default: no debug output).
  --transfer-log-del xnid      Delete an individual transfer from the activity log.
  --transfer-log-cleanup       Delete all transfers from the activity log older than
                               activity_retention_hrs.
  --db-shutdown                Shut down the database.

aspera.conf for Nodes

Editing aspera.conf for your node configuration.

In your aspera.conf file, use the <server> section (shown below) to configure your node machines. The aspera.conf file is found in the following location:

/opt/aspera/etc/aspera.conf

Note: Each of the settings below requires certain services to be restarted in order for any changes to take effect. The services to restart are noted in the To Activate Changes column in the table below, and the commands to restart these services are given at the end of this topic.

<server>
  <server_name>your_hostname</server_name> <!-- hostname or IP address -->
  <http_port>9091</http_port> <!-- integer (1 - 65535) -->
  <https_port>9092</https_port> <!-- integer (1 - 65535) -->
  <enable_http>false</enable_http> <!-- true | false -->
  <enable_https>true</enable_https> <!-- true | false -->
  <cert_file> <!-- full path; .chain file same /path/filename -->
  </cert_file>
  <max_response_entries>1000</max_response_entries> <!-- max entries to return in response -->
  <max_response_time_sec>10</max_response_time_sec> <!-- max seconds to wait for long operation -->
  <db_dir></db_dir> <!-- path to dir where DB file will be saved -->
  <db_port>31415</db_port> <!-- integer (1 - 65535) -->
  <enable_sslv2>true</enable_sslv2> <!-- boolean true or false -->
  <ssl_ciphers>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:...</ssl_ciphers> <!-- ssl_ciphers: see full default list in table below -->
  <ssl_protocol>sslv23</ssl_protocol> <!-- sslv3, sslv23, tlsv1, tlsv1.1, or tlsv1.2 -->
</server>

| Setting | Description | Default Value | To Activate Changes... |
| --- | --- | --- | --- |
| <server_name> | Hostname or IP address. | hostname | Restart node service |
| <http_port> | HTTP service port. | 9091 | Restart node service |
| <https_port> | HTTPS service port. | 9092 | Restart node service |
| <enable_http> | Enable HTTP for the Node API services. | false | Restart node service |
| <enable_https> | Enable HTTPS for the Node API services. | true | Restart node service |
| <cert_file> | Full pathname of SSL certificate (.pem and existing support for .chain). | /opt/aspera/etc/aspera_server_cert.pem | Restart node service |
| <max_response_entries> | Maximum number of entries to return in a response. | 1000 | Reload node configuration. |
| <max_response_time_sec> | Maximum amount of time to wait for a long-running operation. | 10 | Reload node configuration. |
| <db_dir> | Path to the directory where the database file is saved. Before changing this value, you should back up your database. See Redis DB Backup/Restore on page 63. | /opt/aspera/var | Restart the node and DB services. |
| <db_port> | Database service port. Before changing this value, you should back up your database. See Redis DB Backup/Restore on page 63. | 31415 | Restart the node and DB services. |
| <ssl_ciphers> | The SSL encryption ciphers that the server will allow, each separated by a colon (:). This option may also be set in the <client> section, in which case, when this machine functions as a client, the specified ciphers are requests to the server. If any of the ciphers in the server's allow list coincide with those in the client's request list, communication is allowed; otherwise it is denied. If you override this setting, the override is always used. However, if you do not override it, the default setting depends on the settings for <ssl_protocol>. If <ssl_protocol> is set to sslv23, then a large, relatively weak selection of suites is allowed. If the protocol is anything else, then a smaller, stronger selection of suites is allowed. Many older web browsers cannot handle the stronger set of suites, in which case you may encounter compatibility issues. | All of the following: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, DHE-RSA-AES256-SHA, DHE-DSS-AES256-SHA, AES256-SHA, AES128-SHA256, DHE-RSA-AES128-SHA, DHE-DSS-AES128-SHA, RC2-CBC-MD5 | Restart node service. |
| <ssl_protocol> | The SSL protocol versions that the server will allow. This option may also be set in the <client> section, in which case, when this machine is a client, the specified protocols function as requests to the server. If any of the protocols in the server's allow list coincide with those in the client's request list, communication is allowed; otherwise it is denied. Supported values: sslv3, tlsv1, tlsv1.1, tlsv1.2, and sslv23. Despite its name, specifying sslv23 (the default) allows all supported protocols, including all TLS versions. | sslv23 | Restart node service. |
| <enable_sslv2> | Setting to true (default) enables SSLv2. If <ssl_protocol> is not set (or is explicitly set to its default sslv23), setting <enable_sslv2> to false allows only SSLv3 and TLSv1.x (that is, all protocols except SSLv2). If <ssl_protocol> is set to any value other than sslv23, settings for <enable_sslv2> have no effect. | true | Restart node service. |

Note: Running the commands below requires root privileges.

Restarting the Node Service

$ sudo /etc/init.d/asperanoded restart

Reloading the Node Configuration

$ sudo asnodeadmin --reload

Restarting the Node and DB Services

$ sudo /etc/init.d/asperanoded stop
$ sudo /opt/aspera/bin/asnodeadmin --db-shutdown
$ sudo /etc/init.d/asperanoded start

Note: The DB service is started automatically when you restart the node service.
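The Python sketch below is an added example, not part of the Aspera documentation or product. It reads an aspera.conf document and reports the <server> and <central_server> values that the tables above describe as allowing SSLv2 or SSLv3, the larger and weaker default cipher selection, plain HTTP, or a Central listener on all interfaces. The finding codes, the weak-cipher markers, the LEGACY_TLS check (TLS 1.0 and 1.1 are deprecated by RFC 8996) and the sample configurations are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Substrings treated as weak in an overridden <ssl_ciphers> list (assumption of
# this example; it matches the 3DES and RC2-CBC-MD5 entries of the default list).
WEAK_CIPHER_MARKERS = ("RC2", "RC4", "MD5", "3DES", "DES-CBC", "NULL", "EXP")
# Values the documentation lists for <ssl_protocol>.
KNOWN_PROTOCOLS = ("sslv3", "sslv23", "tlsv1", "tlsv1.1", "tlsv1.2")

# Constructed sample: documented <server> defaults, Central bound to all interfaces.
SAMPLE_DEFAULTS = """<CONF version="2">
  <central_server><address>0.0.0.0</address><port>40001</port></central_server>
  <server>
    <enable_http>false</enable_http>
    <enable_https>true</enable_https>
    <enable_sslv2>true</enable_sslv2>
    <ssl_protocol>sslv23</ssl_protocol>
  </server>
</CONF>"""

# Constructed sample: TLS 1.2 only, HTTP off, Central on loopback.
SAMPLE_HARDENED = """<CONF version="2">
  <central_server><address>127.0.0.1</address></central_server>
  <server>
    <enable_http>false</enable_http>
    <enable_https>true</enable_https>
    <enable_sslv2>false</enable_sslv2>
    <ssl_protocol> <!-- a comment inside the element is tolerated --> tlsv1.2 </ssl_protocol>
  </server>
</CONF>"""

# Constructed sample: HTTP on, cipher list overridden with two default-list entries.
SAMPLE_CIPHER_OVERRIDE = """<CONF version="2">
  <server>
    <enable_http>true</enable_http>
    <enable_sslv2>false</enable_sslv2>
    <ssl_ciphers>AES256-SHA:RC2-CBC-MD5</ssl_ciphers>
  </server>
</CONF>"""


def _value(root, path, default):
    """Stripped text at `path`, or the documented default if absent or empty."""
    elem = root.find(path)
    text = "".join(elem.itertext()).strip() if elem is not None else ""
    return text or default


def audit(conf_xml):
    """Return (code, detail) findings for one aspera.conf document."""
    root = ET.fromstring(conf_xml)
    findings = []

    if _value(root, "server/enable_http", "false").lower() == "true":
        findings.append(("HTTP_ENABLED", "Node API is also served without TLS"))

    proto = _value(root, "server/ssl_protocol", "sslv23").lower()
    sslv2 = _value(root, "server/enable_sslv2", "true").lower() == "true"
    if proto not in KNOWN_PROTOCOLS:
        findings.append(("UNKNOWN_PROTOCOL", proto))
    elif proto == "sslv23":
        # <enable_sslv2> only has an effect while <ssl_protocol> is sslv23.
        if sslv2:
            findings.append(("SSLV2_ALLOWED", "sslv23 with enable_sslv2=true"))
        else:
            findings.append(("SSLV3_ALLOWED", "sslv23 still allows SSLv3"))
    elif proto == "sslv3":
        findings.append(("SSLV3_ALLOWED", "ssl_protocol=sslv3"))
    elif proto in ("tlsv1", "tlsv1.1"):
        findings.append(("LEGACY_TLS", proto))

    ciphers = _value(root, "server/ssl_ciphers", "")
    if not ciphers:
        # Without an override, sslv23 selects the large, relatively weak suite list.
        if proto == "sslv23":
            findings.append(("WEAK_DEFAULT_CIPHERS", "no override under sslv23"))
    else:
        for suite in filter(None, (s.strip() for s in ciphers.split(":"))):
            if any(marker in suite.upper() for marker in WEAK_CIPHER_MARKERS):
                findings.append(("WEAK_CIPHER", suite))

    if _value(root, "central_server/address", "127.0.0.1") == "0.0.0.0":
        findings.append(("CENTRAL_ALL_INTERFACES", "Central listens on every interface"))
    return findings


def codes(conf_xml):
    """Finding codes only, in the order the checks run."""
    return [code for code, _ in audit(conf_xml)]


if __name__ == "__main__":
    for name, conf in (("defaults", SAMPLE_DEFAULTS), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(conf) or "no findings")
```
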

Redis DB Backup/Restore

Instructions for backing up and restoring the database.

To back up and restore the Redis database (and your user data up to the point-in-time of the backup operation), follow the instructions below. Note that the backup and restore operations should be used for the following scenarios:

• If you need to change the Redis database port number (<db_port/> in aspera.conf), you should first back up the Redis database. Once you have changed the port number, you need to restore the database.

• Basic backup and restore (after a data-loss event).

1. Back up the Redis database.

Use the following command to back up your Redis database (before changing the port number):

$ sudo /opt/aspera/bin/asnodeadmin -b /your/backup/dir/database.backup

Important: When backing up the Redis database, all user data up to that point-in-time will be saved to the backup file. Restoring the database (see Step 2, below) does not delete users added after this snapshot was taken. Thus, if you added any users after backing up the database, then they will still exist in the system and will not be affected by the restore operation.

2. Restore the Redis database.

Use the following command to restore your Redis database:

$ sudo /opt/aspera/bin/asnodeadmin -r /your/backup/dir/database.backup

Recall the "Important Note" in Step 1, which stated that restoring the database does not delete users added after the database snapshot was taken. If you do not want to keep users that have been added since the last backup operation, you can delete them after performing the restore with the asnodeadmin command -du username.

3. Restart the asperanoded service.

Use the following command(s) to restart the asperanoded service (requires a restart rather than a reload):

$ sudo /etc/init.d/asperanoded restart

Setting up SSL for your Nodes

Communicating with Aspera nodes over HTTPS

The Aspera Node API provides an HTTPS interface for encrypted communication between node machines (on Port 9092, by default). For example, if you are running the Faspex Web UI or the Shares Web UI on Machine A, you can encrypt the connection (using SSL) with your transfer server or file-storage node on Machine B. Enterprise Server nodes are pre-configured to use Aspera's default, self-signed certificate (aspera_server_cert.pem), located in the following directory:

/opt/aspera/etc/

To generate a new certificate, follow the instructions below.

About PEM Files: The PEM certificate format is commonly issued by Certificate Authorities. PEM certificates have extensions that include .pem, .crt, .cer, and .key, and are Base-64 encoded ASCII files containing "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format.

1. Enter the OpenSSL command to generate your Private Key and Certificate Signing Request

In this step, you will generate an RSA Private Key and CSR using OpenSSL. In a Terminal window, enter the following command (where my_key_name.key is the name of the unique key that you are creating and my_csr_name.csr is the name of your CSR):

$ openssl req -new -nodes -keyout my_key_name.key -out my_csr_name.csr

2. Enter your X.509 certificate attributes

After entering the command in the previous step, you will be prompted to input several pieces of information, which are the certificate's X.509 attributes.

Important: The common name field must be filled in with the fully qualified domain name of the server to be protected by SSL. If you are generating a certificate for an organization outside of the US, see http://www.iso.org/iso/english_country_names_and_code_elements for a list of 2-letter, ISO country codes.

Generating a 1024 bit RSA private key
....................++++++
................++++++
writing new private key to 'my_key_name.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:Your_2_letter_ISO_country_code
State or Province Name (full name) [Some-State]:Your_State_Province_or_County
Locality Name (eg, city) []:Your_City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your_Company
Organizational Unit Name (eg, section) []:Your_Department
Common Name (i.e., your server's hostname) []:secure.yourwebsite.com
Email Address []:[email protected]

You will also be prompted to input "extra" attributes, including an optional challenge password. Please note that manually entering a challenge password when starting the server can be problematic in some situations (e.g., when starting the server from the system boot scripts). You can skip inputting a challenge password by hitting the "enter" button.

...
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

After finalizing the attributes, the private key and CSR will be saved to your root directory.

Important: If you make a mistake when running the OpenSSL command, you may discard the generated files and run the command again. After successfully generating your key and Certificate Signing Request, be sure to guard your private key, as it cannot be re-generated.

3. Send CSR to your signing authority

You now need to send your unsigned CSR to a Certifying Authority (CA). Once completed, you will have a valid, signed certificate.

Important: Some Certificate Authorities provide a Certificate Signing Request generation tool on their Website. Please check with your CA for additional information.

4. (Optional) Generate a Self-Signed Certificate.

At this point, you may need to generate a self-signed certificate because:

• You don't plan on having your certificate signed by a CA
• Or you wish to test your new SSL implementation while the CA is signing your certificate

You may also generate a self-signed certificate through OpenSSL. To generate a temporary certificate (which is good for 365 days), issue the following command:

openssl x509 -req -days 365 -in my_csr_name.csr -signkey my_key_name.key -out my_cert_name.crt

5. Create the PEM file.

After generating a new certificate, you must create a pem file that contains both the private key and the certificate. To do so, copy and paste the entire body of the key and cert files into a single text file and save the file as aspera_server_cert.pem (before overwriting, be sure to back up the existing pem file as aspera_server_cert.old), in the following directory:

/opt/aspera/etc/

6. Enable SSL options in aspera.conf

See aspera.conf for Nodes on page 60 for information about enabling specific SSL protocols with <ssl_protocol> and enabling specific encryption ciphers with <ssl_ciphers>.

7. Restart the node service.

You must restart (not reload) the Aspera node service after generating a new certificate. To do so, run the following command(s):

# /etc/init.d/asperanoded restart
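As an added example (not part of the Aspera documentation), the Python sketch below checks the combined file produced in step 5 before the node service is restarted: exactly one private-key block, at least one certificate block, valid Base-64 bodies, no CSR pasted in place of the certificate, and no access for group or other users. The problem codes and the sample files are constructed for illustration, and the owner-only permission check is an assumption of this example that follows the instruction above to guard the private key.

```python
import base64
import os
import re
import stat
import tempfile

# One PEM block: BEGIN label, Base-64 body, matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def check_pem_bundle(path):
    """Return problem codes for a combined private key + certificate PEM file."""
    problems = []

    # The bundle holds the private key, so only its owner should have access.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("LOOSE_MODE")

    with open(path, "r", encoding="ascii", errors="replace") as handle:
        text = handle.read()

    labels = []
    for label, body in PEM_BLOCK.findall(text):
        labels.append(label)
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("BAD_BASE64")

    # Matches "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", and so on.
    if sum(label.endswith("PRIVATE KEY") for label in labels) != 1:
        problems.append("KEY_COUNT")
    if "CERTIFICATE" not in labels:
        problems.append("NO_CERT")
    if "CERTIFICATE REQUEST" in labels:
        problems.append("CSR_PRESENT")  # the .csr was pasted instead of the .crt
    return problems


def _block(label, payload):
    """Build a PEM-shaped block around constructed bytes (not real key material)."""
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)


def write_sample(directory, name, labels, mode):
    """Write a constructed bundle with the given block labels and file mode."""
    path = os.path.join(directory, name)
    with open(path, "w", encoding="ascii") as handle:
        handle.write("".join(_block(label, b"constructed-sample-" * 8)
                             for label in labels))
    os.chmod(path, mode)
    return path


def demo():
    """Check a well-formed bundle and one built from the CSR by mistake."""
    with tempfile.TemporaryDirectory() as tmp:
        good = write_sample(tmp, "good.pem", ["PRIVATE KEY", "CERTIFICATE"], 0o600)
        bad = write_sample(tmp, "bad.pem",
                           ["PRIVATE KEY", "CERTIFICATE REQUEST"], 0o644)
        return check_pem_bundle(good), check_pem_bundle(bad)


if __name__ == "__main__":
    print(demo())
```
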

Database Logger

Using a MySQL database to keep track of all transfers on your server.

Setting Up Database Logger

Import Database Logger's schema to the MySQL database, and set up the proper access permissions.

The Database Logger is a feature that records all of the server's Aspera transactions to a MySQL database. Follow the steps below to set it up.

Important: To migrate the database from Version {X} to the latest version, please refer to the last step in the instructions below.

1. Prepare the MySQL Database Server

The Database Logger supports MySQL Server 5 and above. Prepare a system with MySQL installed and configured. The latest MySQL software download can be found at http://dev.mysql.com/downloads/.

2. Create the database

Locate the Database Logger schema file in the following location:

/opt/aspera/var/create_logger_database.sql

Copy the file to the computer that runs the MySQL Server, and use the following commands to import this file into the database. This example uses the following settings:

| Item | Value |
| --- | --- |
| MySQL login | root |
| Database Logger schema file location | /temp/create_logger_database.sql |

$ mysql -u root -p < /temp/create_logger_database.sql
$ mysql -u root -p aspera_console
mysql> show tables;

When finished, the database aspera_console will be imported to the MySQL Server. You should see the tables of this database.

3. Set up the MySQL user for Database Logger

A database user with proper permissions is required for Database Logger. In the following example, the user account is created with the setup:

| Item | Value |
| --- | --- |
| MySQL login | logger |
| Password | logger-password |
| IP address of remote machine | 10.0.0.5 |

1> CREATE USER 'logger'@'10.0.0.5' IDENTIFIED by 'logger-password';
2> GRANT SELECT, INSERT, UPDATE ON aspera_console.fasp_files TO 'logger'@'10.0.0.5';
3> GRANT SELECT, INSERT, UPDATE ON aspera_console.fasp_sessions TO 'logger'@'10.0.0.5';
4> GRANT SELECT, INSERT, UPDATE ON aspera_console.fasp_nodes TO 'logger'@'10.0.0.5';
5> GRANT INSERT ON aspera_console.fasp_rates TO 'logger'@'10.0.0.5';
6> FLUSH PRIVILEGES;

4. Modify MySQL Settings (Only if MySQL server is on Windows)

If you are running the database on a Windows machine, open the MySQL config file, for example:

C:\Program Files\MySQL\MySQL Server (Version)\my.ini

Find the line that says [mysqld], and add the line immediately under it:

skip-name-resolve

5. (For database migrations only) Use the *.sql scripts to migrate the database.

To migrate your database to the most current version, use the scripts provided in the following directory:

/opt/aspera/var/

The command to execute the scripts is shown below; however, the scripts must be executed in a specific order.

$ mysql -u root -p < migrate_logger_database_VER1_to_VER2.sql

The required order is displayed below.

$ mysql -u root -p < "migrate_logger_database_7715_to_11340.sql"
$ mysql -u root -p < "migrate_logger_database_11340_to_34300.sql"
$ mysql -u root -p < "migrate_logger_database_34300_to_60784.sql"

The Database Logger's schema can be found in the document Aspera Database Logger Schema.

Configuring the Database Logger

Update the settings in the Aspera configuration to establish connections with the MySQL database.

To configure Database Logger in a Terminal, open aspera.conf with a text editor (/opt/aspera/etc/aspera.conf). Locate or create the section <database>...</database>:

<CONF version="2">
  ...
  <database>
    <server> <!-- Host IP -->
      127.0.0.1
    </server>
    <port> <!-- Port -->
      4406
    </port>
    <user> <!-- User -->
      logger
    </user>
    <password> <!-- Password -->
      logger-password
    </password>
    <database_name> <!-- Database Name -->
      aspera_console
    </database_name>
    <threads> <!-- Threads -->
      10
    </threads>
    <exit_on_database_error> <!-- Stop Transfers on Database Error -->
      false
    </exit_on_database_error>
    <session_progress> <!-- Show Session Progress -->
      true
    </session_progress>
    <session_progress_interval> <!-- Session Progress Interval -->
      1
    </session_progress_interval>
    <file_events> <!-- Show File Events -->
      true
    </file_events>
    <file_progress> <!-- Show File Progress -->
      true
    </file_progress>
    <files_progress_interval> <!-- File Progress Interval -->
      1
    </files_progress_interval>
    <files_per_session> <!-- File Per Session -->
      0
    </files_per_session>
    <ignore_empty_files> <!-- Ignore Empty Files -->
      false
    </ignore_empty_files>
    <ignore_no_transfer_files> <!-- Ignore No-transfer Files -->
      false
    </ignore_no_transfer_files>
    <rate_events> <!-- Show Rate Events -->
      true
    </rate_events>
  </database>
  ...
</CONF>

Note:

You can find a Database Logger configuration example in this file:

/opt/aspera/etc/samples/aspera-everything.conf

If you have modified these settings in command line, execute these commands to restart Aspera Central and HTTP Fallback Server:

Solaris:

$ /etc/init.d/asperacentral restart
$ /etc/init.d/asperahttpd restart

FreeBSD:

$ /etc/rc.d/asperacentral restart
$ /etc/rc.d/asperahttpd restart

Here is a list of all the Database Logger configuration options:

| # | Field | Description | Values | Default |
| --- | --- | --- | --- | --- |
| 1 | Host IP | The MySQL server's IP address. | valid IPv4 address | 127.0.0.1 |
| 2 | Port | The MySQL server's port number. | integer between 1 and 65535 | 4406 |
| 3 | User | User login for the database server. | text string | blank |
| 4 | Password | The database user account's password. | text string | blank |
| 5 | Database Name | Name of the database used to store Aspera transfer data. | text string | blank |
| 6 | Threads | The number of parallel connections used for database logging. A higher value may be useful when a large number of files are being transferred within a given timeframe. | integer between 1 and 40 | 10 |
| 7 | Stop Transfers on Database Error | Quits all ongoing transfers and permits no new transfers when a database error prevents data from being written to the database. Set this to true if all transfers must be logged by your organization. | true, false | false |
| 8 | Show Session Progress | Setting this value to true will log transfer status, such as number of files transferred and bytes transferred, at a given interval. | true, false | true |
| 9 | Session Progress Interval | The frequency at which an Aspera node logs transfer session information, in seconds, up to 65535 seconds. | integer between 1 and 65535 | 1 |
| 10 | Show File Events | Setting this value to true enables the logging of complete file paths and file names. Performance may be improved when transferring datasets containing thousands of files. Also see File Per Session for setting a threshold for the number of files to log per session. | true, false | true |
| 11 | Show File Progress | Setting this value to true will log file status, such as bytes transferred, at a given interval. | true, false | true |
| 12 | File Progress Interval | The frequency at which an Aspera node logs file transfer information, in seconds. | integer between 1 and 65535 | 1 |
| 13 | Files Per Session | The value set will be the cut-off point for file names logged in a given session. For instance, if the value is set to 50, the first 50 file names will be recorded for any session. The session will still record the number of files transferred along with the number of files completed, failed or skipped. The default setting of 0 logs all file names for a given session. | positive integer or zero (all file names) | 0 |
| 14 | Ignore Empty Files | Setting this to true will block the logging of zero-byte files. | true, false | false |
| 15 | Ignore No-transfer Files | Setting this to true will block the logging of files that have not been transferred because they exist at the destination at the time the transfer started. | true, false | false |
| 16 | Show Rate Events | Setting this to true will log changes made to the Target Rate, Minimum Rate, and Transfer Policy by any user or Aspera node administrator during a transfer. | true, false | true |
| 17 | Node Registration | Setting this to true will cause the database logger to register the node automatically on startup. | true, false | true |


Pre- and Post-Processing (Prepost)

Execute scripts before and after the FASP file transfers on your server.

Setting Up Pre/Post

Enable the pre- and post-processing on your server.

Your Aspera server executes a shell script at a pre-defined location.

/opt/aspera/var/

This script is executed as a result of four (4) transfer events:

• Session start
• Session end
• Start of each individual file transfer in the session
• End of each individual file transfer in the session

aspera-prepost can also execute additional shell scripts, Perl scripts, native executables and Java programs. Aspera sets several environment variables for aspera-prepost, as well as for you to use in your own, custom scripts. These environment variables are described in detail within the topic Pre/Post Variables on page 73. Depending on usage, pre- and post-processing may consume a great amount of system resources. Please evaluate your own system performance and apply this feature appropriately.

Caution: Please take caution in creating pre- and post-processing scripts, as an unsafe script can compromise a server. As with CGI scripts, it is recommended that you take precautions in testing a pre/post script before placing it into use (e.g., taint checking, ensuring proper quotes, etc.). Also note that a pre/post script will run as the same user who authenticates for the transfer. To prevent a pre/post script from performing an action with elevated or special user permissions, the script needs to check the $USER variable.

Follow the steps below to set up pre/post processing for your Aspera transfer product.

1. Set up the shell script file

Locate the following file:

/opt/aspera/var/aspera-prepost.disable

This file runs the perl script "aspera-notif.pl." aspera-notif.pl is an email notification script that sends emails (according to user-defined filters) to one or more recipients. Filters and lists are defined in the Aspera configuration file aspera.conf, which is located in /opt/aspera/etc/.

Copy the contents of aspera-prepost.disable into a new file, and name it as follows:

/opt/aspera/var/aspera-prepost

Ensure that execute privileges are enabled (At least r-xr-xr-x):

2. Create your scripts

The pre/post processing script, aspera-prepost, can contain the pre/post processing steps, as well as execute other programs (including other .bat scripts). Often, aspera-prepost checks for certain conditions (based on the environment variables) and then calls a specific external executable based on those conditions. Recall that aspera-prepost is executed as a result of four (4) transfer events:

• Session start
• Session end
• Start of each individual file transfer in the session
• End of each individual file transfer in the session

You can use the variables TYPE and STARTSTOP to specify a particular state. For the complete list of all variables, refer to Pre/Post Variables on page 73.

3. Include custom shell scripts in aspera-prepost

Custom scripts can be written directly into the file aspera-prepost. For example, to add the custom script "script1.pl" to your pre/post script, insert the following line (into aspera-prepost):

    ...
    perl script1.pl
    ...

Pre/Post Variables

The predefined variables for setting up the pre- and post-processing.

The following tables list all pre/post variables:

Note: Pre/post variables are case-sensitive.

For Type Session and Type File

| Variable | Description | Values | Example |
| --- | --- | --- | --- |
| COOKIE | The user-defined cookie string. | string | "$COOKIE" == cookie-string |
| DIRECTION | The transfer direction. | send, recv | "$DIRECTION" == send |
| ERRCODE | The error code. | string | "$ERRCODE" == 1 |
| ERRSTR | The error string. | string | "$ERRSTR" == FASP error |
| MANIFESTFILE | The full path to the manifest file. | string | "$MANIFESTFILE" == /log |
| PEER | The peer name or IP address. | string or valid IPv4 address | "$PEER" == 10.0.0.1 |
| SECURE | Transfer encryption. | yes, no | "$SECURE" == no |
| SESSIONID | The session id. | string | "$SESSIONID" == 1 |
| STARTSTOP | The status start or stop. | Start, Stop | "$STARTSTOP" == Start |
| STATE | The transfer state. | started, success, failed | "$STATE" == success |
| TOKEN | The user-defined security token. | string | "$TOKEN" == token-string |
| TYPE | The event type. | Session, File | "$TYPE" == Session |
| USER | The user name | string | "$USER" == asp1 |
| USERID | The user ID | string | "$USERID" == 501 |
| USERSTR | The user string, such as additional variables. | string | "$USERSTR" == -q |

For Type Session

| Variable | Description | Values | Example |
| --- | --- | --- | --- |
| FILE_CSUM | Destination checksum of the most recently transferred file. | string | "$FILE_CSUM" == checksum |
| FILE1 | The first file. | string | "$FILE1" == first-file |
| FILE2 | The second file. | string | "$FILE2" == second-file |
| FILECOUNT | The number of files. | positive integer | "$FILECOUNT" >= 5 |
| FILELAST | The last file. | string | "$FILELAST" == last-file |
| LICENSE | The license account and serial number. | string | "$LICENSE" == license-string |
| MINRATE | The initial minimum rate, in Kbps. | positive integer | "$MINRATE" == 50 |
| PEERLICENSE | The peer's license account and serial number. | string | "$PEERLICENSE" == license-string |
| RATEMODE | The transfer policy. | adapt, fixed | "$RATEMODE" == adapt |
| SOURCE | The full path of the source file. | string | "$SOURCE" == /tmp |
| TARGET | The full path of the target directory. | string | "$TARGET" == . |
| TARGETRATE | The initial target rate, in Kbps. | positive integer | "$TARGETRATE" == 100 |
| TOTALBYTES | The total bytes transferred. | positive integer | "$TOTALBYTES" >= 100000000 |
| TOTALSIZE | The total size of files being transferred in bytes. | positive integer | "$TOTALSIZE" >= 500000000 |

For Type File

| Variable | Description | Values | Example |
| --- | --- | --- | --- |
| DELAY | The measured network delay, in ms. | positive integer | "$DELAY" <= 1 |
| FILE | The file name. | string | "$FILE" == file-name |
| LOSS | The network loss in percentage. | double-digit fixed point value | "$LOSS" >= 5.00 |
| OVERHEAD | The total number of duplicate packets. | positive integer | "$OVERHEAD" >= 1 |
| RATE | The transfer rate in Kbps. | double-digit fixed point value | "$RATE" >= 10.00 |
| REXREQS | The total number of retransmission requests. | positive integer | "$REXREQS" >= 3 |
| SIZE | The file size in bytes. | positive integer | "$SIZE" >= 5000000 |
| STARTBYTE | The start byte if resumed. | positive integer | "$STARTBYTE" >= 100000 |

Pre/Post Examples

Pre- and post-processing script examples.

Pre- and post-processing script examples are shown below ("bash" syntax). To run these examples on your own system, do the following:

Note:

• Save the example to /opt/aspera/var/myscript.sh.
• Ensure that the script file is executable -- for example:

    chmod +x /opt/aspera/var/myscript.sh

• Add a line /opt/aspera/var/myscript.sh to /opt/aspera/var/aspera-prepost to call myscript.sh.
• Be sure not to encounter an exit condition in aspera-prepost before you call your script.

1. Shell - Change file and directory permissions

In the shell script, change file and directory permissions after receiving, and log into the file /tmp/p.log:

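    #!/bin/bash
    # At the end of each file transfer, log the file name and change its permissions.
    if [ "$TYPE" == File ]; then
      if [ "$STARTSTOP" == Stop ]; then
        echo "The file is: $FILE" >> /tmp/p.log
        # Mode 777 lets every local user read, write and execute the file.
        chmod 777 "$FILE"
      fi
    fi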

2. Shell - Forward files to another computer

In the shell script, transfer received files to a third computer 10.10.10.10, and remove the local copy.

Important: For this example to work properly, the server's host key must be cached.

    #!/bin/bash
    # Destination on the third computer; USER is a placeholder for the account on that host.
    TARGET=USER@10.10.10.10:/tmp
    RATE=10m
    export ASPERA_SCP_PASS=aspera
    # Forward only files that were received successfully, once each transfer ends.
    if [ "$TYPE" == File ]; then
      if [ "$STARTSTOP" == Stop ]; then
        if [ "$STATE" == success ]; then
          if [ "$DIRECTION" == recv ]; then
            logger -plocal2.info "Move file $FILE to $TARGET"
            ascp -T -o RemoveAfterTransfer=yes -l "$RATE" "$FILE" "$TARGET"
          fi
        fi
      fi
    fi

3. Shell - Create a log of successfully transferred files

In the shell script, store successfully transferred files as a list into the file /tmp/aspera.transfer.log:

    #!/bin/bash
    if [ "$TYPE" == File ]; then
      if [ "$STARTSTOP" == Stop ]; then
        if [ "$SIZE" -gt 0 ]; then
          # Log only when data was sent in this session (size minus the resume offset).
          if [ "$((SIZE - STARTBYTE))" -gt 0 ]; then
            date >> /tmp/aspera.transfer.log
            echo "$STATE $FILE $SIZE bytes transferred" >> /tmp/aspera.transfer.log
          fi
        fi
      fi
    fi
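The Caution under Setting Up Pre/Post asks for proper quoting and a check of $USER. The script below is a guarded take on example 1, added here and not part of the Aspera documentation. ALLOWED_ROOT, ALLOWED_USERS, PREPOST_LOG, the helper names and the 640 mode are assumptions.

```shell
#!/bin/sh
# Added example (not from the Aspera documentation): a guarded handler for the
# File/Stop prepost event. The three settings below and mode 640 are assumptions.
ALLOWED_ROOT="${ALLOWED_ROOT:-/data/incoming}"             # hypothetical docroot
ALLOWED_USERS="${ALLOWED_USERS:-asp1 asp2}"                # hypothetical accounts
PREPOST_LOG="${PREPOST_LOG:-/var/log/aspera-prepost.log}"  # hypothetical log file

# Append one log line. Non-printable bytes (newlines included) in values the
# peer controls, such as file names, become '?' so entries cannot be forged.
log_event() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(printf '%s' "$*" | tr -c '[:print:]' '?')" >> "$PREPOST_LOG"
}

# Return 0 if $1 is a member of the whitespace-separated list $2.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# Print the physical directory of path $1 with every symlink resolved.
real_dir() (
    cd -P -- "$(dirname -- "$1")" 2>/dev/null && pwd -P
)

handle_event() {
    # Act only on a successfully received file at the end of its transfer.
    [ "${TYPE:-}" = "File" ] && [ "${STARTSTOP:-}" = "Stop" ] || return 0
    [ "${STATE:-}" = "success" ] && [ "${DIRECTION:-}" = "recv" ] || return 0

    # The script runs as the authenticated transfer user: refuse privileged
    # or unexpected accounts before touching anything.
    if [ "${USER:-}" = "root" ] || [ "${USERID:-}" = "0" ] ||
       ! in_list "${USER:-}" "$ALLOWED_USERS"; then
        log_event "refused: user=${USER:-} file=${FILE:-}"
        return 1
    fi

    # Reject symlinks and anything that is not a regular file.
    if [ -L "${FILE:-}" ] || [ ! -f "${FILE:-}" ]; then
        log_event "refused: not a regular file: ${FILE:-}"
        return 2
    fi

    # Confine the action to ALLOWED_ROOT after resolving the real location.
    root=$(cd -P -- "$ALLOWED_ROOT" 2>/dev/null && pwd -P) || return 3
    dir=$(real_dir "$FILE") || return 3
    case "$dir/" in
        "$root"/*) ;;
        *) log_event "refused: outside $root: $FILE"; return 3 ;;
    esac

    # Quoted operands and "--" keep odd file names from being split or
    # parsed as options.
    chmod 640 -- "$dir/$(basename -- "$FILE")" || return 4
    log_event "ok: user=$USER mode=640 file=$FILE"
}

# When aspera-prepost calls this script the event variables are already set.
handle_event
```

A non-zero return identifies which guard refused the event: 1 for the user check, 2 for the file type, 3 for the path, 4 for a failed chmod.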

Setting Up Email Notification

Configure the email notification, a prepost application.

Email Notification is a built-in Pre- and Post-Processing application that generates customized emails based on transfer events. Your server should have Pre- and Post-Processing configured in order to run this application. Refer to Setting Up Pre/Post on page 72. Email Notification requires an SMTP server that matches the following configurations:

• An open SMTP server you can reach on your network
• The SMTP Server must not use any external authentication or SSL.

Follow these steps to set it up:

1. Prepare the Email Notification configuration template

Open the aspera.conf file:

/opt/aspera/etc/aspera.conf

Locate or create the section <EMAILNOTIF>...</EMAILNOTIF>:

    <CONF version="2">
      ...
      <EMAILNOTIF>
        <MAILLISTS
          mylist = "[email protected], [email protected]"
          myadminlist = "[email protected]"
        />

        <FILTER
          MAILLISTS = "mylist"
          TARGETDIR = "/content/users"
        />

        <MAILCONF
          DEBUG = "0"
          FROM = "[email protected]"
          MAILSERVER = "mail.example.com"
          SUBJECT = "Transfer %{SOURCE} %{TARGET} - %{STATE}"
          BODYTEXT = "Aspera transfer: %{STATE}%{NEWLINE}%{TOTALBYTES} bytes in %{FILECOUNT} files: %{FILE1}, %{FILE2}, ...%{FILELAST}."
        />
      </EMAILNOTIF>
    </CONF>

You can find the aspera.conf example in this path:

/opt/aspera/etc/sample/aspera-sample.email.conf

2. Set up the basic Notification function in <MAILCONF />

<MAILCONF /> defines the general email configuration, including the sender, the mail server, and the body text. In the SUBJECT and BODYTEXT options, the Pre- and Post-Processing variables can be used with the format %{variable}, such as %{STATE} for the variable STATE. For the complete list of the variables, refer to Pre/Post Variables on page 73.

| MAILCONF Field | Description | Values | Example |
| --- | --- | --- | --- |
| FROM | Required. The e-mail address to send notifications from. | a valid email address | FROM="[email protected]" |
| MAILSERVER | Required. The outgoing mail server (SMTP). | A valid URL | MAILSERVER="mail.example.com" |
| SUBJECT | General subject of the e-mail. | text string | SUBJECT="Transfer:%{STATE}" |
| BODYTEXT | General body of the e-mail. | text string | BODYTEXT="Transfer has %{STATE}." |
| DEBUG | Print debugging info and write to the logs. | "0" = off, "1" = on | DEBUG="0" |

3. Create mailing lists in <MAILLISTS />

<MAILLISTS /> defines sets of mailing lists. For example, to create the following mailing list:

| Item | Value |
| --- | --- |
| Mailing list name | list1 |
| Emails to include | [email protected], [email protected] |

Specify the mailing list in the form:

<MAILLISTS list1 = "[email protected], [email protected]"/>

4. Set up mailing filters in <FILTER />

<FILTER /> defines E-mail Notification conditional filters. When the conditions are met, a customized email will be sent to the indicated mailing list. Multiple filters are allowed.

The values in the filter are matched as substrings, for example, USER = root means the value would match strings like root, treeroot, and root1. The Pre- and Post-Processing variables can be used with the format %{variable}, such as %{STATE} for the variable STATE. For the complete list of the variables, refer to Pre/Post Variables on page 73.

| FILTER Field | Description | Values | Example |
| --- | --- | --- | --- |
| MAILLISTS | Required. The e-mail lists to send to. Separate lists with comma (,). | text string | MAILLISTS="mylist" |
| USER | Login name of the user who transferred the files. | text string | USER="asp1" |
| SRCIP | Source IP of the files. | a valid IPv4 address | SRCIP="10.0.1.1" |
| DESTIP | Destination IP of the files. | a valid IPv4 address | DESTIP="10.0.1.5" |
| SOURCE | The top-level directories and files that were transferred. | text string | SOURCE="/folder1" |
| TARGETDIR | The directory that the files were sent to. | text string | TARGETDIR="/folder2" |
| SUBJECTPREFIX | The Email subject, preceded by the SUBJECT in <MAILCONF />. | text string | SUBJECTPREFIX="Sub" |
| BODYPREFIX | The e-mail body, preceded by the BODYTEXT in <MAILCONF />. | text string | BODYPREFIX="Txt" |
| TOTALBYTESOVER | Send e-mail when total bytes transferred is over this number. This only applies to e-mails sent at the end of a transfer. | positive integer | TOTALBYTESOVER="9000" |
| SENDONSESSION | Send e-mail for the entire session. | yes / no | SENDONSESSION="yes" |
| SENDONSTART | Send e-mail when transfer is started. This setting is dependent on SENDONSESSION="yes". | yes / no | SENDONSTART="yes" |
| SENDONSTOP | Send e-mail when transfer is stopped. This setting is dependent on SENDONSESSION="yes". | yes / no | SENDONSTOP="yes" |
| SENDONFILE | Send e-mail for each file within a session. | yes / no | SENDONFILE="yes" |

Email Notification Examples

Email Notification configuration examples.

This topic demonstrates the Email Notification setup with the following examples:

1. Notify when a transfer session is completed

When a transfer session is finished, an e-mail with brief session summary will be sent to "list1".

    <EMAILNOTIF>
      <MAILLISTS
        list1 ="[email protected], [email protected]"
      />

      <MAILCONF
        FROM="Aspera Notifier &lt;[email protected]&gt;"
        MAILSERVER="smtp.companyemail.com"
        BODYTEXT="%{NEWLINE}Powered by Aspera Inc."
      />

      <FILTER
        MAILLISTS="list1"
        SENDONSESSION="yes"
        SUBJECTPREFIX="Aspera Transfer - %{USER} "
        BODYPREFIX="Status: %{STATE}%{NEWLINE} File Count: %{FILECOUNT}"
      />
    </EMAILNOTIF>

2. Notify when a session is initiated and completed

Send a transfer notice e-mail when a transfer is initiated. Send a summary e-mail when finished.

    <EMAILNOTIF>
      <MAILLISTS
        list1 ="[email protected], [email protected]"
      />

      <MAILCONF
        FROM="Aspera Notifier &lt;[email protected]&gt;"
        MAILSERVER="smtp.companyemail.com"
        SUBJECT=" by %{USER}"
        BODYTEXT="%{NEWLINE}Powered by Aspera Inc."
      />

      <FILTER
        MAILLISTS="list1"
        SENDONSTART="yes"
        SENDONSTOP="no"
        SUBJECTPREFIX="Transfer Started"
        BODYPREFIX="Source: %{PEER}%{NEWLINE} Target: %{TARGET}"
      />

      <FILTER
        MAILLISTS="list1"
        SENDONSTART="no"
        SENDONSTOP="yes"
        SUBJECTPREFIX="Transfer Completed"
        BODYPREFIX=" Status: %{STATE}%{NEWLINE} File Count: %{FILECOUNT}%{NEWLINE} Source: %{PEER}%{NEWLINE} Target: %{TARGET}%{NEWLINE} Bytes Transferred: %{TOTALBYTES} Bytes%{NEWLINE} "
      />
    </EMAILNOTIF>

3. Send different email text for regular transfers and for Aspera Sync transfers

When Aspera Sync triggers a transfer (assuming only Aspera Sync uses the folder /sync-folder), an email message will be sent to "mediaGroup". When a regular transfer occurs (files are sent to /upload), a different notification will be sent to "mediaLead" and "adminGroup".

    <EMAILNOTIF>
      <MAILLISTS
        mediaGroup ="[email protected], [email protected]"
        mediaLead ="[email protected]"
        adminGroup ="[email protected], [email protected]"
      />

      <MAILCONF
        FROM="Aspera Notifier &lt;[email protected]&gt;"
        MAILSERVER="smtp.companyemail.com"
        BODYTEXT="%{NEWLINE}Powered by Aspera Inc."
      />

      <FILTER
        MAILLISTS="mediaGroup"
        SENDONSESSION="yes"
        DESTIP="192.168.1.10"
        TARGETDIR="/sync-folder"
        SUBJECTPREFIX="Aspera Sync #1 - From %{PEER}"
        BODYPREFIX="Status: %{STATE}%{NEWLINE} File Count: %{FILECOUNT}"
      />

      <FILTER
        MAILLISTS="mediaLead,adminGroup"
        SENDONSESSION="yes"
        TARGETDIR="/upload"
        SUBJECTPREFIX="Transfer - %{USER}"
        BODYPREFIX=" Status: %{STATE}%{NEWLINE} Source: %{PEER}%{NEWLINE} File Count: %{FILECOUNT}%{NEWLINE} Bytes Transferred: %{TOTALBYTES} Bytes%{NEWLINE} "
      />
    </EMAILNOTIF>


Transferring from the Command Line

Ascp Command Reference

The executable ascp (Aspera secure copy) is a command-line FASP transfer program. This topic covers the complete command usage, including general syntax guidelines, supported environment variables, a synopsis, and command options.

General Syntax Guidelines

Symbols used in the paths: Use single-quote (' ') and forward-slashes (/) on all platforms.

Characters to avoid: / \ " : ' ? > < & * |

Environment Variables

If needed, you can set the following environment variables for use with the ascp command:

| Item | Initiation Command |
| --- | --- |
| Password | ASPERA_SCP_PASS=password |
| Token | ASPERA_SCP_TOKEN=token |
| Cookie | ASPERA_SCP_COOKIE=cookie |
| Content Protection Password | ASPERA_SCP_FILEPASS=password |
| Proxy Server Password | ASPERA_PROXY_PASS=proxy_server_password |
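One way to supply ASPERA_SCP_PASS to a single ascp run without writing the password into a script, as an added example that is not part of the Aspera documentation. The helper names, the secret-file path and the account in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the Aspera documentation): read the transfer password
# from a private file and expose it as ASPERA_SCP_PASS to one command only.
# Helper names and the paths in the usage comment are assumptions.

# Succeed only if $1 is a regular file (not a symlink), owned by the current
# user, with no group or other permission bits (for example mode 600 or 400).
secret_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    # First field of "ls -ln" is the mode string, third the numeric owner.
    meta=$(ls -ln -- "$1" | awk 'NR == 1 { print $1, $3 }') || return 1
    mode=${meta%% *}
    owner=${meta##* }
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        ????------*) return 0 ;;   # type + owner bits, then "------"
        *)           return 1 ;;
    esac
}

# Usage: with_aspera_pass SECRET_FILE COMMAND [ARG...]
# Runs COMMAND with ASPERA_SCP_PASS set in that process's environment only;
# the variable is never exported into the calling shell.
with_aspera_pass() {
    secret=$1
    shift
    if ! secret_file_is_private "$secret"; then
        echo "refusing $secret: must be a regular file owned by $(id -un), mode 600" >&2
        return 1
    fi
    # Take the first line; accept a file without a trailing newline,
    # reject an empty one.
    IFS= read -r pass < "$secret" || [ -n "$pass" ] || return 1
    rc=0
    ASPERA_SCP_PASS=$pass "$@" || rc=$?
    unset pass
    return "$rc"
}

# Example call from a prepost script (hypothetical file and account):
#   with_aspera_pass /opt/aspera/etc/forward.pass \
#       ascp -l 10m "$FILE" "USER@10.10.10.10:/tmp"
```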

Ascp Usage

ascp options [[user@]srcHost:]source_file1[,source_file2,...] [[user@]destHost:]target_path

Important: If you do not specify a username for the transfer, the local username will be authenticated (by default). In the case of a Windows machine and a domain user, the transfer server will strip the domain from the username (for example, authenticating Administrator, rather than DOMAIN\Administrator). Thus, you will need to specify a domain explicitly, if applicable to the user.

Special Considerations for URI Paths

URIs are supported in paths, but only under the following restrictions:

• URIs can only be specified on the command line.
• If source paths are specified with a URI, all source paths specified on the command line must be from the same cloud storage account, and all must include URIs.
• If source paths are specified with a URI, no docroot (download), local docroot (upload), or source prefix can be specified.
• If a destination path is specified with a URI, no docroot (upload) or local docroot (download) can be specified.
• The special schemes stdio:// and stdio-tar:// are supported on the client only. Usage as a destination (upload) or source (download) is undefined.
• If required, URI passphrases can either be embedded in the URI or specified with the applicable environment variable ASPERA_SRC_PASS or ASPERA_DST_PASS.

Ascp Options

-h, --help
  Display usage.

-A, --version
  Display version and license information; then exit.

-T
  Disable encryption for maximum throughput.

-d
  Create target directory if it doesn't already exist.

-p
  Preserve file timestamps for source modification time (mtime) and last access time (atime).

  Important: On Windows, mtime and atime may be affected when the system automatically adjusts for Daylight Savings Time (DST). For details, see the Microsoft KB article, http://support.microsoft.com/kb/129574.

  Important: On Isilon IQ OneFS systems, last access time (atime) is disabled by default (see sysctl efs.bam.atime_enabled). You will see atime is set to be the same as mtime when using -p option. Use the command "sysctl efs.bam.atime_enabled=1" to enable the preservation of atime on your Isilon system.

  Note: For Limelight, only the preservation of modification time (mtime) is supported.

-q
  Quiet mode (to disable progress display).

-v
  Verbose mode (prints connection and authentication debug messages in the log file). For information on log files, see Log Files on page 105 in the user guide for IBM Aspera Connect Server, Enterprise Server, Point-to-Point Client, or Desktop Client.

-6
  Enable IPv6 address support. When using IPv6, the numeric host can be written inside brackets. For example, [2001:0:4137:9e50:201b:63d3:ba92:da] or [fe80::21b:21ff:fe1c:5072%eth1].

-D | -DD | -DDD
  Specify the debug level, where each D is an additional level of debugging.

-l max_rate
  Set the target transfer rate in Kbps (default: 10000 Kbps). If the ascp client does not specify a target rate, it will be acquired from aspera.conf (server-side, as the local aspera.conf target rate setting doesn't apply). If local or server aspera.conf rate caps are specified, the "starting" (default) rates will be not higher than the cap.

-m min_rate
  Set the minimum transfer rate in Kbps (default: 0). If the ascp client does not specify a minimum rate, it will be acquired from aspera.conf (server-side, as the local aspera.conf minimum rate setting doesn't apply). If local or server aspera.conf rate caps are specified, the "starting" (default) rates will be not higher than the cap.

-u user_string
  Apply a user string, such as variables for pre- and post-processing.

-i private_key_file
  Use public key authentication and specify the private key file. Typically, the private key file is in the directory $HOME/.ssh/id_[algorithm].

-w{r|f}
  Test bandwidth from server to client (r) or client to server (f). Currently a beta option.

-K probe_rate
  Set probing rate (Kbps) when measuring bottleneck bandwidth.

-k{0|1|2|3}
  Enable resuming partially transferred files at the specified resume level (default: 0). Note that this must be specified for your first transfer; otherwise, it will not work for subsequent transfers. Resume levels:

  • 0 – Always retransfer the entire file.
  • 1 – Check file attributes and resume if the current and original attributes match.
  • 2 – Check file attributes and do a sparse file checksum; resume if the current and original attributes/checksums match.
  • 3 – Check file attributes and do a full file checksum; resume if the current and original attributes/checksums match.

  Note that when a complete file exists at the destination (no .aspx), the source file size is compared with the destination file size. When a partial file and a valid .aspx file exist at the destination, the source file size is compared with the file size recorded inside the .aspx file.

-Z dgram_size
  Specify the datagram size (MTU) for FASP. By default, the detected path MTU is used. (Range: 296 - 10000 bytes)

  Note: As of version 3.3, datagram size can also be enforced by the server using <datagram_size> in aspera.conf. If size is set with both -Z (client side) and <datagram_size> (server side), the <datagram_size> setting is used. If the client-side is pre-3.3, datagram size is determined by the -Z setting, regardless of the server-side setting for <datagram_size>. In this case, if there is no -Z setting, datagram size is based on the discovered MTU and the server logs the message "LOG Peer client doesn't support alternative datagram size".

-g read_size
  Set the read-block size, a performance-tuning parameter for an Aspera sender (which only takes effect if the sender is a server). It represents the maximum number of bytes that can be stored within a block as the block is being transferred from the source disk drive to the receiver. The default of 0 will cause the Aspera sender to use its default internal buffer size, which may be different for different operating systems. Note that 500M (524,288,000 bytes) is the maximum block size.

-G write_size
  This is a performance-tuning parameter for an Aspera receiver (which only takes effect if the receiver is a server). It represents the maximum bytes within a block that an ascp receiver can write to disk. The default of 0 will cause the Aspera receiver to use its default internal buffer size, which may be different for different operating systems. Note that 500M (524,288,000 bytes) is the maximum block size.

-L local_log_dir
  Specify a logging directory in the local host, instead of using the default directory.

-R remote_log_dir
  Specify a logging directory in the remote host, instead of using the default directory.

-S remote_ascp
  Specify the name of the remote ascp binary (if different).

-e prepost
  Specify an alternate pre/post command. Be sure to use the complete path and file name.

-O fasp_port
  Set the UDP port to be used by FASP for data transfer. (Default: 33001)

-P ssh-port
  Set the TCP port to be used for FASP session initiation. (Default: 33001)

-C nid:ncount
  Use parallel transfer on a multi-node/core system. Specify the node id (nid) and count (ncount) in the format 1:2, 2:2. Assign each participant to an independent UDP port.

Page 84: IBM Aspera Connect Server 3.5download.asperasoft.com/download/docs/entsrv/3.5.5/cs_admin_bsd-solaris/pdf2/Connect...IBM Aspera Connect Server is a web-based file server that enables

| Transferring from the Command Line | 84

Option Description

-E pattern Exclude files or directories with the specified pattern from the transfer. This optioncan be used multiple times to exclude many patterns. Up to 16 patterns can be used byusing -E. Two symbols can be used in the pattern, as shown below.

• * (asterisk) represents zero or more characters in a string, for example *.tmpmatches .tmp and abcde.tmp.

• ? (question mark) represents a single character, for example t?p matches tmp butnot temp.

-f config_file Specify an alternate Aspera configuration file (default is aspera.conf).

-W token_string Specify the token string for the transfer.

-@[range_low:range_high]

Transfer only part of a file. This option only works when downloading a singlefile and does not support resuming. The argument to "-@" may omit either or bothnumbers, and the ":" delimiter. For example, -@3000:6000 transfers bytes betweenpositions 3000 to 6000; -@1000: transfers from 1000 to the end of the file; and -@:1000 transfers from beginning to 1000.

-X rexmsg_size Adjust the maximum size in bytes of a retransmission request. (Max: 1440).

--mode=mode Specify the transfer direction, where mode is either send or recv.

--user=username The user name to be authenticated by the transfer server.

Important: If you do not specify a user name for the transfer, the local usernamewill be authenticated (by default). In the case of a Windows machine and a domainuser, the transfer server will strip the domain from the username (e.g. authenticating"Administrator," rather than "DOMAIN\Administrator"). Thus, you willneed to explicitly specify a domain, if applicable to the user.

--host=hostname The server's address.

--policy=fixed |high | fair | low

Set the FASP transfer policy.

• fixed – Attempts to transfer at the specified target rate, regardless of theactual network capacity. This policy transfers at a constant rate and finishes in aguaranteed time. This policy typically occupies most of the network's bandwidth,and is not recommended in most file transfer scenarios. In fixed mode, a maximum(target) rate value is required.

• high – Monitors the network and adjusts the transfer rate to fully utilize theavailable bandwidth up to the maximum rate. When congestion occurs, a ittransfers at a rate twice of a session with fair policy. In this mode, both themaximum (target) and the minimum transfer rates are required.

• fair – Monitors the network and adjusts the transfer rate to fully utilize theavailable bandwidth up to the maximum rate. When other types of traffic build upand congestion occurs, it shares bandwidth fairly by transferring at an even rate. Inthis mode, both the maximum (target) and the minimum transfer rates are required.

• low – Similar to fair mode, the low policy uses the available bandwidth up to themaximum rate, but is much less aggressive when sharing bandwidth with othernetwork traffic. When congestion builds up, the transfer rate is reduced to theminimum rate until other traffic retreats.

Important: If --policy is not set, ascp uses the server-side policy setting (fairby default).

--file-list=filename Take the list of sources to transfer from filename. The file list supports UTF-8 files andinput from standard input through "-". The sources can exist on either the local host or

Page 85: IBM Aspera Connect Server 3.5download.asperasoft.com/download/docs/entsrv/3.5.5/cs_admin_bsd-solaris/pdf2/Connect...IBM Aspera Connect Server is a web-based file server that enables

| Transferring from the Command Line | 85

Option Descriptionthe remote host (in terms of download), but not on both. Each source must be specifiedon a separate line:

srcsrc2...srcN

Use with URIs: The sources listed in the file list cannot be URIs. To use --file-list with cloud storage, you must specify the cloud storage with a URI in either a root, source prefix, or command-line destination parameter, subject to the limitations described above in Special Considerations for URI Paths.

Important: Multiple --file-list and --file-pair-list options are not supported in a single ascp command. If multiple file lists are specified, all but the last will be ignored. In addition, you cannot also include file names on the command line when you use --file-list. Only files from the file list will be transferred.

--file-pair-list=filename

Take the list of sources and corresponding destinations from filename. Note that there is no command-line equivalent. Source and destination arguments in the file list cannot be URIs. Each source and each destination must be specified on a separate line:

src1
dst1
src2
dst2
...
srcN
dstN

Use with URIs: The sources and destinations listed in the file list cannot be URIs. To use --file-pair-list with cloud storage, you must specify the cloud storage with a URI in either a root, source prefix, or command-line destination parameter, subject to the limitations described above in Special Considerations for URI Paths.

Important: Multiple --file-list and --file-pair-list options are not supported in a single ascp command. If multiple file lists are specified, all but the last will be ignored. In addition, you cannot also include file names on the command line when you use --file-pair-list. Only files from the file-pair list will be transferred.

--source-prefix=prefix

Add prefix to the beginning of each source path. This is either a conventional path or it can be a URI but only if there is no root defined.

--symbolic-links=method

Specify the rule for handling symbolic links. This option takes the following values (Default: follow):

• follow – Follow symbolic links and transfer the linked files.

• copy – Copy only the alias file. If a file with the same name exists on the destination, the symbolic link will not be copied.

• copy+force – Copy only the alias file. If a file with the same name exists on the destination, the symbolic link will replace the file. If the file of the same name on the destination is a symbolic link to a directory, it will not be replaced.

• skip – Skip the symbolic links.

--remove-after-transfer

Add this option to remove all source files (excluding the source directory) once the transfer has completed.

--move-after-transfer=archivedir

Move source files and copy source directories to archivedir after they are successfully transferred. Because directories are copied, the original source tree remains in place. The archivedir is created if it does not already exist. If the archive directory cannot be created, the transfer proceeds and the source files remain in their original location.

Example upload:

ascp --move-after-transfer=C:\Users\Bob\Archive C:\Users\Bob\srcdir\file0012 [email protected]:/

Result:

• file0012 is transferred to bob's docroot on 10.0.0.1

• file0012 is moved (not copied) from its original location to C:\Users\Bob\Archive

Example download:

ascp --move-after-transfer=Archive [email protected]:/srcdir C:\Users\Bob

Result:

• srcdir is downloaded to C:\Users\Bob on the current machine.

• srcdir is moved (not copied) from its original location to the archive directory [email protected]:/Archive on the server.

As with transfers, by default, no portion of the path above the transferred file or directory is included when the file or directory is moved to the archive (unless --src-base is specified).

The --src-base=prefix option preserves paths in the archive directory the same way as it preserves them with transfers. That is, when --src-base=prefix is specified, files are moved to the archivedir including the portion of the path that remains when prefix is removed.

Example:

ascp --src-base=C:\Users\Bob --move-after-transfer=C:\Users\Bob\Archive C:\Users\Bob\srcdir\file0012 [email protected]:/

Result:

• file0012 is transferred to bob's docroot on 10.0.0.1. The file is transferred and includes the path minus the prefix — that is, to srcdir/file0012.

• file0012 is moved to C:\Users\Bob\Archive. The file is moved and includes the path minus the prefix — that is, to C:\Users\Bob\Archive\srcdir\file0012.

Once files have been moved to the archive, the original source directory tree remains intact. To remove empty source directories that remain after files have been moved, include the flag --remove-empty-directories on the command line. This removes empty source directories except for those that are specified as the source to transfer.

Restrictions:

• archivedir must be on the same file system as the source. If the specified archive is on a separate file system, it will be created (if it does not exist), but an error will be generated and files will not be moved to it. For cloud storage, archivedir must be in the same cloud storage account.

• archivedir is subject to the same docroot restrictions as the source.

• --remove-after-transfer and --move-after-transfer are mutually exclusive; including both in the same command generates an error.

--remove-empty-directories

Remove empty source directories once the transfer has completed (not including a directory specified as the source to transfer).

--skip-special-files

Skip special files (for example, devices and pipes).

--file-manifest=output

Generate a list of all transferred files, where output is none or text (Default: none)

--file-manifest-path=directory

Specify the path to the file manifest.

Important: File manifests can only be stored locally. Thus, if you are using S3, or other non-local storage, you must specify a local manifest path.

--file-manifest-inprogress-suffix=suffix

Specify the suffix of the file manifest's temporary file.

--precalculate-job-size

Add this option to calculate total size before transfer. Note that the server-side aspera.conf setting overrides the ascp command-line option.

--overwrite=method Overwrite files with the same name. This option takes the following values (Default: diff):

• always – Always overwrite the file.

• never – Never overwrite the file. However, note that if the parent folder is not empty, its access, modify, and change times may still be updated.

• diff – Overwrite if file is different from the source (i.e., if a complete file exists at the destination (no .aspx file) and is the same as the source file, then leave it unmodified (no change on timestamp/attributes either); otherwise re-transfer the whole source file). Note this policy interacts with the resume policy.

• older – Overwrite if file is older than the source.

Important: When --overwrite=diff, you must also consider the resume policy (-k{0|1|2|3}). If -k0 (or no -k specified), the source and destination files are always deemed to be different, thereby implying always overwrite. If -k1, the source and destination files are compared based on file attributes (currently, just file size). If -k2, the source and destination files are compared based on sparse checksum. If -k3, the source and destination files are compared based on full checksum.

--save-before-overwrite

If a transfer will overwrite an existing file, move the existing file to file.yyyy.mm.dd.hh.mm.ss.index.ext, where index is set to 1 at the beginning of each new second and incremented for each file saved in this manner during the same second. File attributes are maintained in the renamed file.

Note: This option requires that --partial-file-suffix also be enabled.

With the exception of --overwrite=never, specifying --overwrite with --save-before-overwrite has no effect. If --overwrite=never, any file that would be overwritten remains unchanged. If --overwrite is set to any other value, files that would be overwritten are renamed using the convention described above.

--file-crypt=crypt Encrypt or decrypt files. Replace crypt with encrypt or decrypt. A passphrase is required.

--file-checksum=hash

Report checksums for transferred files, where hash is sha1, md5, or none.

--partial-file-suffix=suffix

Filename extension on the destination computer while the file is being transferred. Once the file has been completely transferred, this filename extension will be removed. (Default: blank)

Note: This option only takes effect when it is set on the receiver side.

--src-base=prefix Specify the prefix to be stripped off from each source object. The remaining portion of the source path is kept intact at the destination.

For example, the "clips" directory on the remote computer contains the following folders and files:

/clips/outgoing/file1
/clips/outgoing/folderA/file2
/clips/outgoing/folderB/file3

In this case, to transfer all folders and files within the "outgoing" folder (but not the "outgoing" folder itself), run the following command:

$ ascp -d --src-base=/clips/outgoing/ [email protected]:/clips/outgoing/ /incoming

Result: The following folders and files appear in the "incoming" directory at the destination:

(docroot)/incoming/file1
(docroot)/incoming/folderA/file2
(docroot)/incoming/folderB/file3

Files outside of the source base (for example, /temp/file4) are not transferred, and warnings are generated.

Without --src-base

If --src-base is not used, and the source item is a folder, the contents of the folder are transferred, along with the folder itself. For example:

$ ascp -d [email protected]:/clips/outgoing/ /incoming

Result:

(docroot)/incoming/outgoing/file1
(docroot)/incoming/outgoing/folderA/file2
(docroot)/incoming/outgoing/folderB/file3

If --src-base is not used, and the source item is a file, only the file is transferred, not the folders in the file's path. For example:

$ ascp -d [email protected]:/clips/outgoing/file1 [email protected]:/clips/outgoing/folderA/file2 /incoming

Result:

(docroot)/incoming/file1
(docroot)/incoming/file2

For further examples, with and without --src-base, see Ascp File Manipulation Examples on page 91.

Use with URIs

The --src-base option performs a character-to-character match with the source path specifying a file or directory. Hence for cloud storage, it is necessary that --src-base specify the URI in the same manner the source parameters are specified (for example, if the source includes an embedded passphrase, the source base must also include an embedded passphrase or it will not match the source files/directories).

--proxy=proxy_url Specify the address of the Aspera proxy server. proxy_url takes the form of:

dnat[s]://[username]@server:port

The default ports for DNAT and DNATS protocols are 9091 and 9092.

--preserve-file-owner-uid

(OS X and Linux/UNIX systems only.) Preserve transferred files' owner information(uid).

Note: This option requires the transfer user be authenticated as a superuser.

--preserve-file-owner-gid

(OS X and Linux/UNIX systems only.) Preserve transferred files' group information(gid).

Note: This option requires the transfer user be authenticated as a superuser.

--ignore-host-key If you're prompted to accept a host key when connecting to a remote host, ascp ignores the request.

--check-sshfp=fingerprint

Check against the server SSH host key fingerprint (for example, f74e5de9ed0d62feaf0616ed1e851133c42a0082).

--apply-local-docroot

Apply the local docroot. This option is equivalent to setting the environment variable ASPERA_SCP_DOCROOT.

ascp Options for HTTP Fallback

Option Description

-y {0|1} Enable HTTP Fallback transfer server when UDP connection fails. Set to 1 to enable (default: 0).

-j {0|1} Encode all HTTP transfers as JPEG files. Set to 1 to enable (default: 0).

-Y key_file The HTTPS transfer's key file name.

-I cert_file The HTTPS certificate's file name.

-t port Specify the port for HTTP Fallback Server.

-x proxy_server Specify the proxy server address used by HTTP Fallback.

Ascp General Examples

Examples of initiating FASP file transfers using the ascp command.

This topic demonstrates the ascp command with the following examples:

• Fair-policy transfer, without encryption

Transfer with fair rate policy, with maximum rate 100 Mbps and minimum at 1 Mbps:

$ ascp -T --policy=fair -l 100m -m 1m /local-dir/files [email protected]:/remote-dir

• Fixed-policy transfer, without encryption

Transfer all files in /local-dir/files to 10.0.0.2 with target rate 100 Mbps and encryption OFF:

$ ascp -T -l 100m /local-dir/files [email protected]:/remote-dir

• Specify a UDP port

To perform a transfer with UDP port 42000:

$ ascp -l 100m -O 42000 /local-dir/files [email protected]:/remote-dir

• Authenticate with public key

To perform a transfer with public key authentication with key file <home dir>/.ssh/asp1-key local-dir/files:

$ ascp -T -l 10m -i ~/.ssh/asp1-key local-dir/files [email protected]:/remote-dir

• Authenticate with a login that contains space

Enclose the target in double-quotes when spaces are present in the username and remote path:

$ ascp -l 100m local-dir/files "User [email protected]:/remote directory"

• Transfer with a network shared location

Send files to a network share location \\1.2.3.4\nw-share-dir, through the computer 10.0.0.2:

$ ascp local-dir/files [email protected]:"//1.2.3.4/nw-share-dir/"

• Parallel transfer on a multi-core system

Use parallel transfer on a dual-core system, together transferring at the rate 200 Mbps, using UDP ports 33001 and 33002. Two commands are executed in different Terminal windows:

$ ascp -C 1:2 -O 33001 -l 100m /file [email protected]:/remote-dir &
$ ascp -C 2:2 -O 33002 -l 100m /file [email protected]:/remote-dir

• Use content protection

Upload the file space\file to the server 10.0.0.2 with password protection (password: secRet):

$ export ASPERA_SCP_FILEPASS=secRet; ascp -l 10m --file-crypt=encrypt local-dir/file [email protected]:/remote-dir/

Download from the server 10.0.0.2 and decrypt while transferring:

$ export ASPERA_SCP_FILEPASS=secRet; ascp -l 10m --file-crypt=decrypt [email protected]:/remote-dir /local-dir

If the password-protected file is downloaded without decrypting (file1.aspera-env, with aspera-env appended), on the local computer, decrypt the file as file1:

$ export ASPERA_SCP_FILEPASS=secRet; asunprotect -o file1 file1.aspera-env

Ascp File Manipulation Examples

Examples of manipulating files using the ascp command.

This topic demonstrates file manipulation using the ascp command with the following examples:

1. Upload directory contents to remote computer

Upload the "/content/" directory to the remote server.

$ ascp /data/content/ [email protected]:/storage/

Result => /storage/content/*

Upload the "/content/" directory to the remote server, but strip the srcbase path and preserve the rest of the file structure.

$ ascp --src-base=/data/content /data/content/ [email protected]:/storage

Result => /storage/*

2. Upload directory contents to remote computer and create the destination folder if it does not already exist

Upload the "/content/" directory to the remote server and create the "/storage2" folder since it does not exist.

$ ascp -d /data/content/ [email protected]:/storage2/

Result => /storage2/content/*

3. Download directory contents from remote computer

Download the "/content/" directory from the remote server, but strip the srcbase path and preserve the rest of the file structure.

$ ascp --src-base=/storage/content [email protected]:/storage/content/ /data

Result => /data/*

4. Upload selected files and directories to a remote computer and preserve directory structure

Upload the selected file and directory to the remote server, but strip the srcbase path and preserve the rest of the file structure.

$ ascp --src-base=/data/content /data/content/monday/file1 /data/content/tuesday/ [email protected]:/storage

Results => /storage/monday/file1 AND /storage/tuesday/*

5. Download selected files and directories from a remote computer and preserve directory structure

Download the selected file and directory from the remote server, but strip the srcbase path and preserve the rest of the file structure.

$ ascp --src-base=/storage/content [email protected]:/storage/content/monday/file1 [email protected]:/storage/content/tuesday/ /data

Results => /data/monday/file1 AND /data/tuesday/*

6. Remove source files from the local computer after transferring them to the remote computer

Remove the "/content/" directory of the local computer after the contents (excluding partial files) have been transferred to the remote computer.

$ ascp -k2 -E "*.partial" --remove-after-transfer --remove-empty-directories /data/content [email protected]:/storage

Result => /storage/content/*

Remove the "/content/" directory of the local computer after the contents (excluding partial files) have been transferred to the remote computer. Strip the srcbase path and preserve the rest of the file structure.

$ ascp -k2 -E "*.partial" --src-base=/data/content --remove-after-transfer --remove-empty-directories /data/content [email protected]:/storage

Result => /storage/*

Important: For version 2.7.1, the "-d" option is required when specifying the "--src-base" option if the target directory does not exist. As of version 2.7.3+, this constraint has been removed.
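The path rules behind the examples above, modelled in Python as an added example (not Aspera code): where each file lands with and without --src-base, which files are skipped, and which sources end up on the same destination path. The function names and file trees are constructed for illustration, and the prefix check is a plain string comparison, following the "character-to-character match" wording in the --src-base description.

```python
import posixpath
from collections import defaultdict


def plan_transfer(sources, dest, src_base=None):
    """Model where each transferred file lands.

    sources maps every source argument on the command line to the files found
    under it (for a single-file source, a list holding just that file).
    Returns (placed, skipped): placed maps file -> destination path, skipped
    lists files outside src_base, which are not transferred.
    """
    placed, skipped = {}, []
    root = dest.rstrip("/")
    for arg, files in sources.items():
        for path in files:
            if src_base is not None:
                # Character-to-character prefix match against the source path.
                if not path.startswith(src_base):
                    skipped.append(path)
                    continue
                rel = path[len(src_base):]
            else:
                # No src-base: only the last component of the argument is kept,
                # so a folder travels under its own name and a single file
                # brings none of its parent folders.
                parent = posixpath.dirname(arg.rstrip("/"))
                rel = path[len(parent):]
            placed[path] = root + "/" + rel.lstrip("/")
    return placed, skipped


def collisions(placed):
    """Destination paths that more than one source file maps to."""
    by_dest = defaultdict(list)
    for src, dst in placed.items():
        by_dest[dst].append(src)
    return {dst: sorted(srcs) for dst, srcs in by_dest.items() if len(srcs) > 1}


# Constructed file tree matching the /clips/outgoing example in the options table.
TREE = [
    "/clips/outgoing/file1",
    "/clips/outgoing/folderA/file2",
    "/clips/outgoing/folderB/file3",
]

if __name__ == "__main__":
    with_base, _ = plan_transfer({"/clips/outgoing/": TREE}, "/incoming",
                                 src_base="/clips/outgoing/")
    without_base, _ = plan_transfer({"/clips/outgoing/": TREE}, "/incoming")
    for src in TREE:
        print(src, "->", with_base[src], "|", without_base[src])

    # Two single-file sources with the same name and no src-base share one
    # destination path; with --src-base=/data they stay apart.
    same_name = {"/data/a/report.txt": ["/data/a/report.txt"],
                 "/data/b/report.txt": ["/data/b/report.txt"]}
    print(collisions(plan_transfer(same_name, "/incoming")[0]))
    print(collisions(plan_transfer(same_name, "/incoming", src_base="/data")[0]))
```

Running the same model with a URI source shows why the source base has to be written exactly like the source: a base that omits the embedded credentials is not a prefix of the source string, so every file is skipped.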

Ascp Transfers to Cloud Storage

Examples of using the ascp command to initiate FASP transfers to cloud storage.

If you have access to cloud storage that is hosted by Aspera On Demand, you can use ascp to transfer to it.

With Docroot Already Configured

If your transfer server account already has a docroot set up, ascp transfers to S3 storage, Google storage, Akamai, Softlayer, and Azure are the same as regular ascp transfers:

ascp options myfile username@server:/targetpath

For examples, see Ascp General Examples on page 90.

In some cases, ascp transfers to cloud storage can be made without a preconfigured docroot. See the examples below.

With No Docroot Configured: S3

If the transfer server account does not have a docroot, you can still transfer to S3 as long as you know your S3 Access ID and Secret Key and you have an S3 bucket. The syntax is:

ascp options --mode=send --user=username --host=s3_server_addr files_to_send \
  s3://access_id:[email protected]/s3_bucket

For example:

ascp --mode=send --user=bob --host=s3.asperasoft.com myfiles \
  s3://1K3C18FBWF9902:[email protected]/demos2014

With No Docroot Configured: Softlayer

If the transfer server account does not have a docroot, you can still transfer with the following syntax:

ascp options --mode=send --user=root --host=ip_addr files_to_send \
  swift://softlayer_username:[email protected]/container

Example Upload:

ascp --mode=send --user=root --host=192.155.218.130 bigfile.txt \
  swift://XYZOS303446-2:bob:[email protected]/test

Example Download:

ascp --mode=recv --user=root --host=192.155.218.130 \
  swift://XYZOS303446-2:bob:[email protected]/test/bigfile.txt /tmp/

With No Docroot Configured: Azure

If the transfer server account does not have a docroot, you can still transfer. First set an Aspera environment variable with the password:

Windows Command Prompt: set ASPERA_SCP_PASS=password

Linux: export ASPERA_SCP_PASS=password

Then run ascp with the following syntax:

ascp options --mode=send --user=username --host=server files_to_send azu://storage:[email protected]/abc

For example:

Windows Command Prompt: set ASPERA_SCP_PASS=fslk47CLwlj

Linux: export ASPERA_SCP_PASS=fslk47CLwlj

ascp --mode=send --user=AS037d8eda429737d6 --host=dev920350144d2.azure.asperaondemand.com bigfile.txt \
  azu://astransfer:[email protected]/abc

Token Generation

Usage and examples for astokengen

Overview

A token authorizes the download of one or more files, or an upload of one or more files into a directory (called destination root). It supports the traditional “cp” paradigm of ascp (copy file1, file2, file3 to directory) or source/destination pairs (ascp --file-pair-list).

Functionality

• Authorizes uploads of one or more files to a destination

• Authorizes downloads of one or more files or directories

• Authorizes uploads of one or more files as source/destination pairs

• Authorizes downloads of one or more files as source/destination

Usage

1. astokengen --mode=send [OPTS] -u USER --dest=PATH [-v TOKEN]
2. astokengen --mode=send [OPTS] -u USER --file-pair-list=FILENAME --dest=DEST [-v TOKEN]
3. astokengen --mode=recv [OPTS] -u USER -p PATH [-p PATH …] [-v TOKEN]
4. astokengen --mode=recv [OPTS] -u USER --file-list=FILENAME [-v TOKEN]
5. astokengen --mode=recv [OPTS] -u USER --file-pair-list=FILENAME [-v TOKEN]
6. astokengen -t TOKEN [OPTS]

Option (short form) Option (long form) Description

-A --version Print version information.

--mode=MODE Direction of the transfer mode (send | recv)

-p --path=PATH Source path

--dest=DEST Destination path

-u --user=USER Generate the token for this user name. This name is embedded in the token and also used to retrieve further information from aspera.conf (user_value and token_life_seconds).

--file-list=FILE Specifies a file name that contains a list of sources for a download token. Each line of the file contains a single source and blank lines are ignored.

--file-pair-list=FILE Specifies a file name that contains a multiplexed list of source and destination pairs for an upload or download token. Each pair of lines encodes one source and one destination and blank lines are ignored.

-v TOKEN Verify token against user and path parameters.

-t TOKEN Display the contents of the token.

-k PASSPHRASE Passphrase to decrypt token. For use with -t.

-b Assume user name and paths are encoded in base64.

Examples

Description Example

Example file list

/monday/first_thing.txt
/monday/next_thing.txt
/monday/last_thing.txt

Example file-pair list

/monday/first_thing.txt
/archive/monday/texts/first_thing
/monday/next_thing.txt
/archive/monday/texts/next_thing
/monday/last_thing.txt
/archive/monday/texts/last_thing

Common upload In a common upload, only the destination is encoded into the token.

astokengen --user=USER --dest=PATH --mode=send

The destination is encoded into the token. Source paths are not allowed and will cause astokengen to fail. --path and --file-list are illegal in this case.

Paired upload The destination is pre-pended to each of the destinations in the paired list file and they are all encoded into the token. The destinations are in each odd numbered line of the file (1, 3, 5, 7, etc).

astokengen --user=USER --dest=PATH --file-pair-list=FILENAME --mode=send

--path and --file-list are illegal in this case.

Common download The specified paths are encoded into the token.

astokengen --user=USER --path=FILE1 --path=FILE2 --mode=recv
astokengen --user=USER --file-list=FILENAME --mode=recv

--dest and --file-pair-list are illegal in this case.

Paired download The source files from the pair list are encoded in the token. The sources are in each even numbered line of the file (0, 2, 4, 6, 8, etc.).

astokengen --user=USER --file-pair-list=FILENAME --mode=recv

--dest, --path and --file-list are illegal in this case.
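A pre-flight check for a file-pair list, added here as an example and not taken from astokengen itself: it pairs the lines as the table above describes (sources on lines 0, 2, 4, destinations on lines 1, 3, 5, blank lines ignored), applies the ascp rule that pair-list entries cannot be URIs, and returns the paths a paired upload or download token would cover. The function names are hypothetical, and stripping whitespace around each line is an assumption.

```python
import re

# Matches a URI scheme prefix such as s3:// or azu://
URI_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")

# The example file-pair list from the table above, with one blank line
# inserted to show that blank lines do not shift the pairing.
SAMPLE_PAIR_LIST = """\
/monday/first_thing.txt
/archive/monday/texts/first_thing

/monday/next_thing.txt
/archive/monday/texts/next_thing
/monday/last_thing.txt
/archive/monday/texts/last_thing
"""


def parse_pair_list(text):
    """Return [(source, destination), ...] from file-pair-list text."""
    # Drop blank lines first, then pair what is left two lines at a time.
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("source %r has no destination line" % lines[-1])
    pairs = list(zip(lines[0::2], lines[1::2]))
    for src, dst in pairs:
        for entry in (src, dst):
            if URI_SCHEME.match(entry):
                raise ValueError("URIs are not allowed in a pair list: %r" % entry)
    return pairs


def token_scope(pairs, mode, dest_root=None):
    """Paths a paired token would cover, following the table above."""
    if mode == "send":
        # Paired upload: --dest is prepended to every destination in the list.
        if dest_root is None:
            raise ValueError("a paired upload requires --dest")
        root = dest_root.rstrip("/")
        return [root + "/" + dst.lstrip("/") for _, dst in pairs]
    if mode == "recv":
        # Paired download: only the sources are encoded; --dest is illegal.
        if dest_root is not None:
            raise ValueError("--dest is illegal for a paired download")
        return [src for src, _ in pairs]
    raise ValueError("mode must be send or recv")


if __name__ == "__main__":
    pairs = parse_pair_list(SAMPLE_PAIR_LIST)
    print("upload token covers:  ", token_scope(pairs, "send", "/incoming"))
    print("download token covers:", token_scope(pairs, "recv"))
    try:
        # A list with a missing destination line is rejected instead of
        # silently pairing the wrong lines.
        parse_pair_list("/monday/first_thing.txt\n")
    except ValueError as err:
        print("rejected:", err)
```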

Creating SSH Keys

Create a key pair for your computer.

Public key authentication (SSH Key) is a more secure alternative to password authentication that allows users to avoid entering or storing a password, or sending it over the network.

Public key authentication uses the client computer to generate the key-pair (a public key and a private key). The public key is then provided to the remote computer's administrator to be installed on that machine.

If you are using this machine as a client to connect to other Aspera servers with public key authentication, you need to generate a key-pair for the selected user account. Follow these instructions:

1. Create a .ssh in your home directory

Create a .ssh folder in your user account's home directory if it does not exist:

$ mkdir /home/username/.ssh

Go to the .ssh folder and continue:

$ cd /home/username/.ssh

2. Run ssh-keygen to generate an SSH key-pair

Run the following command in the .ssh folder. The program prompts you for the key-pair's filename. Press ENTER to use the default name id_rsa. For a passphrase, you can either enter a password, or press return twice to leave it blank:

$ ssh-keygen -t rsa

3. Retrieve the public key file

When created, the key-pair can be found in your home directory's .ssh folder (assuming you generated the key with the default name id_rsa):

/home/username/.ssh/id_rsa.pub

Provide the public key file (for example, id_rsa.pub) to your server administrator, so that it can be set up for your server connection. The instructions for installing the public key on the server can be found in the Setting Up a User's Public Key on page 34; however, the server may be installed on an operating system that is different from the one where your client has been installed.

4. Start a transfer using public key authentication with the ascp command

To transfer files using public key authentication on the command line, use the option -i private_key_file. For example:

$ ascp -T -l 10M -m 1M -i ~/.ssh/id_rsa myfile.txt [email protected]:/space

In this example, you are connecting to the server (10.0.0.2, directory /space) with the user account jane and the private key ~/.ssh/id_rsa.

Ascp FAQs

This topic lists frequently asked questions regarding ascp command:

1. How do I control the transfer speed?

You can specify a transfer policy that determines how a FASP transfer utilizes the network resource, and you can specify target and minimum transfer rates where applicable. With the ascp command, use the following flags to specify transfer policies that are fixed, fair, high, and low:

Policy Command template

Fixed --policy=fixed -l target_rate

Fair --policy=fair -l target_rate -m min_rate

High --policy=high -l target_rate -m min_rate

Low --policy=low -l target_rate -m min_rate

2. What should I expect in terms of transfer speed? How do I know if something is "wrong" with the speed?

Aspera's FASP transport has no theoretical throughput limit. Other than the network capacity, the transfer speed may be limited by rate settings and resources of the computers. To verify that your system's FASP transfer can fulfill the maximum bandwidth capacity, prepare a client machine to connect to this computer, and test the maximum bandwidth.

Note: This test will typically occupy the majority of a network's bandwidth. It is recommended that this test be performed on a dedicated file transfer line or during a time of very low network activity.

On the client machine, start a transfer with fixed policy. Start with a lower transfer rate and increase gradually toward the network bandwidth (e.g. 1m, 5m, 10m...). Monitor the transfer rate and make sure that it fulfills your bandwidth:

$ ascp -l 1m source-file destination

To improve the transfer speed, you may also upgrade the following hardware components:

Component Description

Hard disk The I/O throughput, the disk bus architecture (e.g. RAID, IDE, SCSI, ATA, and Fiber Channel).

Network I/O The interface card, the internal bus of the computer.

CPU Overall CPU performance affects the transfer, especially when encryption is enabled.

3. How do I ensure that if the transfer is interrupted / fails to finish, it will resume the transfer without re-transferring the files?

Use the -k flag to enable resume, and specify a resume rule:

• -k 0 Always retransfer the entire file.

• -k 1 Check file attributes and resume if they match.

• -k 2 Check file attributes and do a sparse file checksum; resume if they match.

• -k 3 Check file attributes and do a full file checksum; resume if they match.

4. How does Aspera handle symbolic links?

The ascp command follows symbolic links by default. There is a -o SymbolicLink flag that offers handling options:

• --symbolic-links=follow: Follow symbolic links and transfer the linked files.

• --symbolic-links=copy: Copy only the alias file.

• --symbolic-links=skip: Skip the symbolic links.

5. What are my choices regarding file overwrites on the destination computer?

In ascp, you can specify the overwriting rule with the following flags:

• --overwrite=always: Always overwrite the file.

• --overwrite=never: Never overwrite the file.

• --overwrite=diff: Overwrite if file is different from the source.

• --overwrite=older: Overwrite if file is older than the source.

Note: For --overwrite=diff, if a complete file exists on the destination computer (i.e., no .aspx file) and is the same as the source file, then the destination file will remain unmodified (no change on timestamp/attributes either). Otherwise the entire source file will be retransferred. Note this policy interacts with the resume policy.

Configuring for the Cloud

Cloud Configuration for Enterprise Server Nodes

Configuring aspera.conf for S3

The following example explains how to modify aspera.conf for AWS S3 transfers. You must meet the following prerequisites before modifying aspera.conf:

• You have permissions to access the S3 bucket.

• You know your username's S3 Access ID and Secret Key.

Note: For Aspera on Demand, you can also enter these settings from Console.

<?xml version='1.0' encoding='UTF-8'?>
<CONF version="2">
  <server>
    <server_name>aspera.example.com</server_name>
  </server>
  <aaa>
    <realms>
      <realm>
        <users>
          <user>
            <name>UserName</name>
            <authorization>
              <transfer>
                <in>
                  <value>token</value>
                </in>
                <out>
                  <value>token</value>
                </out>
              </transfer>
              <token>
                <encryption_key>YourSuperSecretKey</encryption_key>
              </token>
            </authorization>
            <file_system>
              <access>
                <paths>
                  <path>
                    <absolute></absolute>
                    <read_allowed>true</read_allowed> <!-- Read Allowed: boolean true or false -->
                    <write_allowed>true</write_allowed> <!-- Write Allowed: boolean true or false -->
                    <dir_allowed>true</dir_allowed> <!-- Browse Allowed: boolean true or false -->
                    <restrictions>
                      <!-- File access restrictions. Multiple entries are allowed. -->
                      <restriction>s3://*</restriction>
                      <restriction>!azu://*</restriction>
                    </restrictions>
                  </path>
                </paths>
              </access>
            </file_system>
          </user>
        </users>
      </realm>
    </realms>
  </aaa>
</CONF>

Docroot Restrictions for URI Paths

A configuration with both a docroot absolute path (docrooted user) and a restriction is not supported.

The primary purpose of restrictions is to allow access to certain storage (for example, Amazon S3) for clients that have their own storage credentials. In this case, instead of using docroots in aspera.conf, use a docroot restriction.

Configuration:

<paths>
  <path>
    <restrictions>
      <restriction>s3://*</restriction>
    </restrictions>
  </path>
</paths>

You can also configure restrictions once for all users by setting <restriction> in the default section.

Functionality:

A docroot restriction limits the files a client is allowed to access for browsing and transfers. Files are rejected unless they match any restrictions that are present. Restrictions work for URI paths (for example, s3://*) and are processed in the following order:

1. If a restriction starts with "!", any files that match are rejected.
2. If a restriction does not start with a "!", any files that match are kept.
3. If any restrictions other than "!" exist, and the file does not match any of them, the file is rejected.
4. Files that fail restrictions during directory iteration are ignored as if they do not exist.
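The processing order above, written out as an added example (not Aspera's code): is_allowed applies rules 1 to 3 to one path and visible_entries applies rule 4 to a directory listing. It assumes that "*" is a shell-style wildcard (matched here with Python's fnmatchcase) and that a "!" match wins over any other match; the function names and sample paths are constructed for illustration.

```python
from fnmatch import fnmatchcase
import xml.etree.ElementTree as ET

# <paths> fragment using the two restrictions from the S3 example in this guide.
PATHS_XML = """
<paths>
  <path>
    <restrictions>
      <restriction>s3://*</restriction>
      <restriction>!azu://*</restriction>
    </restrictions>
  </path>
</paths>
"""


def load_restrictions(paths_xml):
    """Return the non-empty <restriction> strings of a <paths> fragment."""
    root = ET.fromstring(paths_xml)
    values = [(r.text or "").strip() for r in root.iter("restriction")]
    return [v for v in values if v]


def is_allowed(path, restrictions):
    """Apply rules 1-3 to one file path or URI."""
    reject = [r[1:] for r in restrictions if r.startswith("!")]
    keep = [r for r in restrictions if not r.startswith("!")]

    # Rule 1: a match on a "!" restriction rejects the file.
    # Assumption: this is checked first, so a "!" match beats a keep match.
    if any(fnmatchcase(path, pattern) for pattern in reject):
        return False
    # Rule 2: a match on a plain restriction keeps the file.
    if any(fnmatchcase(path, pattern) for pattern in keep):
        return True
    # Rule 3: plain restrictions exist and none matched, so reject.
    # With only "!" restrictions (or none at all), unmatched files pass.
    return not keep


def visible_entries(entries, restrictions):
    """Rule 4: entries that fail are skipped as if they did not exist."""
    return [e for e in entries if is_allowed(e, restrictions)]


if __name__ == "__main__":
    rules = load_restrictions(PATHS_XML)
    # Constructed sample listing; none of these paths come from the guide.
    listing = [
        "s3://media-bucket/incoming/a.mov",
        "azu://container/b.mov",
        "/home/asp1/c.mov",
    ]
    for entry in listing:
        verdict = "allowed" if is_allowed(entry, rules) else "rejected"
        print(f"{entry}: {verdict}")
    print(visible_entries(listing, rules))
```

With only the s3://* restriction present, a local path such as /home/asp1/c.mov is rejected by rule 3, which is why the guide treats restrictions as a replacement for a docroot rather than an addition to one.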


Appendix

Restarting Aspera Services

Instructions on restarting Aspera services after configuration changes

If Aspera Central is stopped, or if you have modified the <central_server...> or <database...> sections within aspera.conf, then you will need to restart the service by entering the following command in a Terminal window:

OS         Command
Solaris    $ /etc/init.d/asperacentral restart
FreeBSD    $ /etc/rc.d/asperacentral restart

Restart asperahttpd and asperanoded if you have modified any setting within aspera.conf. To restart, use the commands below.

OS         Command
Solaris    $ /etc/init.d/asperahttpd restart
           $ /etc/init.d/asperanoded restart
FreeBSD    $ /etc/rc.d/asperahttpd restart
           $ /etc/rc.d/asperanoded restart

Optimizing Transfer Performance

Tips about testing and improving your computer's transfer performance.

To verify that your system's FASP transfer can fulfill the maximum bandwidth capacity, prepare a client machine to connect to this computer, and do the following tests:

1. Start a transfer with Fair transfer policy

On the client machine, open the user interface and start a transfer. Go to the Details to open the Transfer Monitor.


To leave more network resources for other high-priority traffic, use the Fair policy and adjust the target rate and minimum rate by sliding the arrows or entering values.

2. Test the maximum bandwidth

Note:

This test will typically occupy a majority of the network's bandwidth. It is recommended that this test be performed on a dedicated file transfer line or during a time of very low network activity.

Use Fixed policy for the maximum transfer speed. Start with a lower transfer rate and increase gradually toward the network bandwidth.

To improve the transfer speed, you may also upgrade the related hardware components:

Component      Description
Hard disk      The I/O throughput, the disk bus architecture (e.g. RAID, IDE, SCSI, ATA, and Fiber Channel).
Network I/O    The interface card, the internal bus of the computer.
CPU            Overall CPU performance affects the transfer, especially when encryption is enabled.


Create an SSL Certificate (Apache)

Follow the steps below to generate an RSA Private Key, Certificate Signing Request (CSR) and optional self-signed certificate using OpenSSL. For your organization's internal and/or testing purposes, Aspera® also provides the PEM files aspera_server_cert.pem and aspera_server_key.pem, which are located in the following directory:

/opt/aspera/etc/

About PEM Files:

The PEM certificate format is commonly issued by Certificate Authorities. PEM certificates have extensions that include .pem, .crt, .cer, and .key, and are Base-64 encoded ASCII files containing "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format. Apache and other similar servers use PEM format certificates.

1. Install OpenSSL.

OpenSSL is used to generate an RSA Private Key and a Certificate Signing Request (CSR), and can also be utilized to generate self-signed certificates for testing purposes or internal usage. Your Operating System may have OpenSSL already installed or may come with precompiled OpenSSL packages. For your convenience, Aspera provides an OpenSSL binary in the following directory:

/Aspera product's installation directory/bin/

You may also visit http://www.openssl.org/source for a repository of all OpenSSL distribution tarballs. Aspera advises that you review your specific operating system's documentation for information on installing and/or upgrading OpenSSL packages.

Important: (For Solaris users) If you are running Solaris, you may need to temporarily set your LD_LIBRARY_PATH to point to the Aspera OpenSSL libraries. Thus, before running OpenSSL, run the following commands in a Terminal window:

$ LD_LIBRARY_PATH=/opt/aspera/lib:$LD_LIBRARY_PATH
$ export LD_LIBRARY_PATH

After running Aspera OpenSSL, you can remove /opt/aspera/lib from the path.

2. Enter the OpenSSL command to generate your Private Key and Certificate Signing Request.

In this step, you will generate an RSA Private Key and CSR using OpenSSL. In a Terminal window, enter the following command (where my_key_name.key is the name of the unique key that you are creating and my_csr_name.csr is the name of your CSR):

$ openssl req -new -nodes -newkey rsa:2048 -keyout my_key_name.key -out my_csr_name.csr

3. Enter your X.509 certificate attributes.

After entering the command in the previous step, you will be prompted to input several pieces of information, which are the certificate's X.509 attributes.

Important: The common name field must be filled in with the fully qualified domain name of the server to be protected by SSL. If you are generating a certificate for an organization outside of the US, please refer to the link http://www.iso.org/iso/english_country_names_and_code_elements for a list of 2-letter, ISO country codes.

Generating a 1024 bit RSA private key
....................++++++
................++++++
writing new private key to 'my_key_name.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:Your_2_letter_ISO_country_code
State or Province Name (full name) [Some-State]:Your_State_Province_or_County
Locality Name (eg, city) []:Your_City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your_Company
Organizational Unit Name (eg, section) []:Your_Department
Common Name (i.e., your server's hostname) []:secure.yourwebsite.com
Email Address []:[email protected]

You will also be prompted to input "extra" attributes, including an optional challenge password. Please note that manually entering a challenge password when starting the server can be problematic in some situations (e.g., when starting the server from the system boot scripts). You can skip inputting a challenge password by hitting the "enter" button.

...
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

After finalizing the attributes, the private key and CSR will be saved to your root directory.

Important: If you make a mistake when running the OpenSSL command, you may discard the generated files and run the command again. After successfully generating your key and Certificate Signing Request, be sure to guard your private key, as it cannot be re-generated.

4. Send CSR to your signing authority

You now need to send your unsigned CSR to a Certifying Authority (CA). Once the CSR has been signed, you will have a real Certificate, which can be used by Apache.

Important: Some Certificate Authorities provide a Certificate Signing Request generation tool on their Website. Please check with your CA for additional information.

5. (Optional) Generate a Self-Signed Certificate

At this point, you may need to generate a self-signed certificate because:

• You don't plan on having your certificate signed by a CA
• Or you wish to test your new SSL implementation while the CA is signing your certificate

Important: Aspera provides PEM files for internal and/or testing purposes, which are described at the beginning of this topic.

You may also generate a self-signed certificate through OpenSSL. This temporary certificate will generate an error in the client's browser to the effect that the signing certificate authority is unknown and not trusted. To generate a temporary certificate (which is good for 365 days), issue the following command:

openssl x509 -req -days 365 -in my_csr_name.csr -signkey my_key_name.key -out my_cert_name.crt

6. Copy Key and Certificate into target directory

After receiving your signed certificate from your CA, copy the files into Apache's /conf directory and edit your httpd-ssl.conf file (note that you can store the certificate and key in any directory, as long as the path(s) are updated in your configuration file). For additional information, please continue to the topic Create an SSL Certificate (Apache).

Enable SSL (Apache)

Set up an SSL certificate for your IBM Aspera Connect Server Web UI.

To enable an SSL certificate for your IBM Aspera Connect Server Web UI, follow the steps below. Note that these instructions assume that you have already purchased your key and have created your certificate and key files.

1. Locate your Apache configuration file and open with a text editor

Note that your Apache configuration file name may vary based on your system platform. Typically, your Apache configuration file is named httpd.conf. If you cannot locate the configuration file for your system's version of Apache, please refer to your platform's documentation.

2. Verify/update Apache's configuration file and save

Open your httpd.conf file and ensure that the "httpd-ssl.conf Include" line is uncommented.

Include conf/extra/httpd-ssl.conf

Add the following section to your configuration file (httpd.conf):

Apache Version     Directive

Apache 2.2         <IfModule ssl_module>
                     Listen 443
                   </IfModule>

Apache 1.3, 2.0    <IfDefine SSL>
                     Listen 443
                   </IfDefine>

3. Verify or update Apache's SSL configuration file and save.

Open Apache's SSL configuration file (typically named httpd-ssl.conf or ssl.conf). If you cannot locate the configuration file, refer to your platform's documentation.

Update the SSLCertificateFile and SSLCertificateKeyFile information within httpd-ssl.conf so that it corresponds with the certificate path(s) and file name(s) that you have created or are currently using. For example:

...
SSLCertificateFile /path/to/my_cert_name.crt
SSLCertificateKeyFile /path/to/my_key_name.key
...

4. Restart your Apache Web Server and test your SSL connection.

After restarting your Apache Web server, go to the https://your-server-ip-or-name to test your SSL setup. Note that this must be the same hostname that you entered into the common name field when creating your certificate. For details, please refer to Create an SSL Certificate (Apache).

Log Files

Locate the log files related to the Aspera product.

The log file includes detailed transfer information and can be useful for review and support requests.


To view the application log, go to Tools > View Log.

On FreeBSD, the transfer logs are recorded in the system log file:

Platform Path

FreeBSD /var/log/messages

On Solaris, additional configuration is required to log Aspera's FASP transfers to the system log. To do so, open the file syslog.conf with a text editor:

/etc/syslog.conf

Add the following line in the file:

local2.info /var/log/aspera.log

If your syslog.conf contains any 'wild card log file' entries, such as *.info;*.err, append local2.none to them. For example, change this line:

*.info;*.err /var/adm/system.log

To this:

*.info;*.err;local2.none /var/adm/system.log

When finished, touch the log file as root, and restart the system log process:

$ touch /var/log/aspera.log
$ svcadm restart svc:/system/system-log:default

Setting Up Token Authorization

When accounts on a transfer server are configured to require token authorization, only transfers initiated with a valid token are allowed to transfer to or from the server. The token authorization requirement can be set for individual users, entire user groups, or globally for all users. Token authorization can be set independently for incoming transfers and outgoing transfers.

Token authorization is a requirement for initiating transfers with the Shares product.

Set up token authorization for a transfer user as follows:

1. Choose or create the transfer user on the server.

The examples below use the transfer user asp1.

2. Log in as the user to ensure that any created files are owned by the user.

Create the directory .ssh and the file authorized_keys if they don't already exist. For example:

3. Append the token-authorization public key to the user's authorized_keys file.

Aspera provides a public key in the file aspera_id_dsa.pub stored in the following location:

4. Ensure that .ssh and .ssh/authorized_keys are owned by the user.

5. Make sure the user has no password.

If the system does not allow this, create a very large password.

6. Make sure the user's login shell is aspshell.

For information on setting this, see Securing your SSH Server on page 10.

7. Configure the user for token authorization


To configure user authorization from aspera.conf, see Configuring Token Authorization With aspera.conf on page 107.

Note:

Instead of setting authorization for each user individually, you can set it for a group, or set it globally for all users.

8. Create a node user and associate it with the transfer user.

The examples below use the Node API user nuser.

Configuring Token Authorization With aspera.conf

Requirements:

• You have created a transfer user on your server.
• You have set up the transfer user with an SSH public key as described in Setting Up Token Authorization on page 106.

The examples below use a transfer user called asp1.

1. Locate aspera.conf and open it with a plain-text editor

2. Add an authorization section for the user

In the following example, the user section for asp1 contains an <authorization> section that specifies the following:

• a <transfer> section specifying that both incoming and outgoing transfers (in and out) should use token encryption

• a <token> section with an encryption key, which should be a string of random characters (at least 20 recommended)

Alternatively, you can configure token-authorization settings in a <group> section to be applied to all users in the group. Or, you can configure the settings in the <default> section to apply them globally for all users.

<user>
  <name>asp1</name>
  <authorization>
    <transfer>
      <in>
        <value>token</value>
      </in>
      <out>
        <value>token</value>
      </out>
    </transfer>
    <token>
      <encryption_key>gj5o930t78m34ejme9dx</encryption_key>
    </token>
  </authorization>
  <file_system>
    ...
    ...
  </file_system>
</user>
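A check for the settings this section and the S3 example describe, as an added example (not Aspera code): it parses an aspera.conf and reports users whose in or out authorization is not token in their own section, encryption keys that are shorter than the recommended 20 characters or copied from this guide, and a docroot combined with a restriction. The function names and the embedded configuration are constructed for illustration.

```python
import secrets
import xml.etree.ElementTree as ET

MIN_KEY_LENGTH = 20  # the guide recommends at least 20 random characters
# Keys printed in this guide's examples; a published key is not a secret.
DOCUMENTED_SAMPLE_KEYS = {"YourSuperSecretKey", "gj5o930t78m34ejme9dx"}

# Constructed sample configuration, not taken from a real server.
CONSTRUCTED_CONF = """
<CONF version="2"><aaa><realms><realm><users>
  <user>
    <name>asp1</name>
    <authorization>
      <transfer><in><value>token</value></in><out><value>token</value></out></transfer>
      <token><encryption_key>gj5o930t78m34ejme9dx</encryption_key></token>
    </authorization>
  </user>
  <user>
    <name>asp2</name>
    <authorization>
      <transfer><in><value>token</value></in></transfer>
      <token><encryption_key>tooshort</encryption_key></token>
    </authorization>
    <file_system><access><paths><path>
      <absolute>/data/asp2</absolute>
      <restrictions><restriction>s3://*</restriction></restrictions>
    </path></paths></access></file_system>
  </user>
  <user>
    <name>asp3</name>
    <authorization>
      <transfer><in><value>token</value></in><out><value>token</value></out></transfer>
      <token><encryption_key>constructed-0123456789-abcdefghij</encryption_key></token>
    </authorization>
    <file_system><access><paths><path>
      <absolute></absolute>
      <restrictions><restriction>s3://*</restriction></restrictions>
    </path></paths></access></file_system>
  </user>
</users></realm></realms></aaa></CONF>
"""


def new_encryption_key():
    """Generate a key from the OS CSPRNG (43 URL-safe characters)."""
    return secrets.token_urlsafe(32)


def audit_user(user):
    """Return a list of findings for one <user> element."""
    name = (user.findtext("name") or "").strip() or "(unnamed)"
    findings = []
    for direction in ("in", "out"):
        path = f"authorization/transfer/{direction}/value"
        if (user.findtext(path) or "").strip() != "token":
            # The value may still be inherited from a <group> or <default> section.
            findings.append(f"{name}: '{direction}' is not set to token in the user section")
    key = (user.findtext("authorization/token/encryption_key") or "").strip()
    if len(key) < MIN_KEY_LENGTH:
        findings.append(f"{name}: encryption_key is shorter than {MIN_KEY_LENGTH} characters")
    elif key in DOCUMENTED_SAMPLE_KEYS:
        findings.append(f"{name}: encryption_key is a sample key from the documentation")
    for entry in user.iterfind("file_system/access/paths/path"):
        absolute = (entry.findtext("absolute") or "").strip()
        if absolute and entry.find("restrictions/restriction") is not None:
            findings.append(f"{name}: docroot {absolute} combined with a restriction (not supported)")
    return findings


def audit_conf(conf_xml):
    """Audit every <user> element found in an aspera.conf document."""
    root = ET.fromstring(conf_xml)
    return [finding for user in root.iter("user") for finding in audit_user(user)]


if __name__ == "__main__":
    for finding in audit_conf(CONSTRUCTED_CONF):
        print(finding)
    print("replacement key:", new_encryption_key())
```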


Product Limitations

Describes any limitations that currently exist for Aspera transfer server and client products.

• Path Limit: The maximum number of characters that can be included in any pathname is 4096 characters.


Troubleshooting

Clients Can't Establish Connection

Troubleshoot the problem that your clients cannot connect to your IBM Aspera Connect Server.

The following diagram shows the troubleshooting procedure if clients can't establish a FASP transfer connection to your Connect Server. Follow the instructions to identify and resolve problems:

1. Test SSH ports and HTTP port

To verify the SSH and HTTP connection ports, on the client machine, open a Terminal or a Command Prompt, and use the telnet command to test it. For example, to test connection to a computer (10.0.1.1) through a port (TCP/33001), use this command:

$ telnet 10.0.1.1 33001

On Connect Server, test both the SSH connection ports and the web server ports (HTTP and HTTPS).

If the client cannot establish connections to your Connect Server, verify the port number and the firewall configuration on the Connect Server machine.

2. Test UDP ports

If you can establish an SSH connection but not a FASP file transfer, there might be a firewall blockage of FASP's UDP port. Please verify your UDP connection.

3. Verify SSH service status

If there is no firewall blockage between the client and your Connect Server, on the client machine, try establishing an SSH connection in a Terminal or a Command Prompt: (Connect Server address: 10.0.1.1, TCP/33001)

$ ssh [email protected] -p 33001


If the SSH service runs normally, the client should see a message prompting to continue the connection or for a password. However, if you see a "Connection Refused" message, which indicates that the SSH service isn't running, review your SSH service status. Ignore the "permission denied" message after entering the password, which is discussed in the next steps.

4. Verify that the applied authentication method is enabled in SSH

If you can establish an SSH connection, but it returns a "permission denied" message, the SSH Server on your Connect Server may have password authentication disabled:

Permission denied (publickey,keyboard-interactive).

Open your SSH Server configuration file with a text editor:

/etc/ssh/sshd_config

To allow public key authentication, add or uncomment PubkeyAuthentication yes. To allow password authentication, add or uncomment PasswordAuthentication yes. Here is a configuration example:

...
PubkeyAuthentication yes
PasswordAuthentication yes
...

To reload the SSH service, execute the command:

OS Version    Instructions
Solaris       $ pfexec svcadm refresh ssh
FreeBSD       $ sudo /etc/rc.d/sshd reload

5. Verify the Apache configuration

If the client can access your Connect Server through the HTTP or HTTPS port, but the client's browser doesn't bring up Aspera Web UI, there may be configuration problems when setting up the Apache HTTP server. Refer to Configuring Apache on page 18 and review the configuration.

6. Verify that the user credentials are correct and that the user has sufficient access permissions to its docroot

To make sure that the client can establish an SSH connection to your Connect Server, and has correct system user credentials, execute this command on the client machine: (Connect Server address: 10.0.1.1, login: asp1/aspera)

$ ssh [email protected] -p [email protected]'s password:

Enter the user's password when prompted. If you see a "Permission denied" message, you may have the wrong user credentials, or the user account doesn't have sufficient access permissions to its docroot. Refer to Setting Up Transfer Users on page 30 for instructions about setting up the user account, and review the user's docroot directory's permissions.

7. Verify that the user is set up for Web UI authentication

On top of SSH authentication, Connect Server uses Apache's authentication to authorize Web UI access. If the client can establish SSH connections, but cannot pass the authentication over web browser, it is likely that the user account is not configured for Web UI correctly. To configure the user account for the Web UI, execute the following command: (User name: asp1)

$ htpasswd /opt/aspera/etc/webpasswd asp1


Important: Use the -c option ONLY if this is the first time running htpasswd to create the webpasswd file. Do not use the -c option otherwise.

If you still encounter connection problems after going through these steps, contact Technical Support on page 112.


Technical Support

For further assistance, you may contact Aspera through the following methods:

Contact Info

Email [email protected]

Phone +1 (510) 849-2386

Request Form https://support.asperasoft.com/anonymous_requests/new/

The technical support service hours:

Support Type Hour (Pacific Standard Time, GMT-8)

Standard 8:00am – 6:00pm

Premium 8:00am – 12:00am

We are closed on the following days:

Support Unavailable Dates

Weekends Saturday, Sunday

Aspera Holidays See our Website.


Feedback

The Aspera Technical Publications department wants to hear from you on how Aspera can improve customer documentation. To submit feedback about this guide, or any other Aspera product document, visit the Aspera Product Documentation Feedback Forum.

Through this forum, you can let us know if you find content that is not clear or appears incorrect. Aspera also invites you to submit ideas for new topics, and for improvements to the documentation for easier reading and implementation. When you visit the Aspera Product Documentation Feedback Forum, remember the following:

• You must be registered to use the Aspera Support Website at https://support.asperasoft.com/.
• Be sure to read the forum guidelines before submitting a request.


Legal Notice

© 2008-2015 Aspera, Inc., an IBM Company. All rights reserved.

Licensed Materials - Property of IBM
5725S58
© Copyright IBM Corp., 2008, 2015. Used under license.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Aspera, the Aspera logo, and FASP transfer technology are trademarks of Aspera, Inc., registered in the United States. Aspera Connect Server, Aspera Drive, Aspera Enterprise Server, Aspera Point-to-Point, Aspera Client, Aspera Connect, Aspera Cargo, Aspera Console, Aspera Orchestrator, Aspera Crypt, Aspera Shares, the Aspera Add-in for Microsoft Outlook, and Aspera Faspex are trademarks of Aspera, Inc. All other trademarks mentioned in this document are the property of their respective owners. Mention of third-party products in this document is for informational purposes only. All understandings, agreements, or warranties, if any, take place directly between the vendors and the prospective users.