TIBCO® Managed File Transfer Command Center Installation

Software Release 8.0.1

August 2016

Two-Second Advantage®


Important Information

SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO SOFTWARE IS SOLELY TO ENABLE THE FUNCTIONALITY (OR PROVIDE LIMITED ADD-ON FUNCTIONALITY) OF THE LICENSED TIBCO SOFTWARE. THE EMBEDDED OR BUNDLED SOFTWARE IS NOT LICENSED TO BE USED OR ACCESSED BY ANY OTHER TIBCO SOFTWARE OR FOR ANY OTHER PURPOSE.

USE OF TIBCO SOFTWARE AND THIS DOCUMENT IS SUBJECT TO THE TERMS AND CONDITIONS OF A LICENSE AGREEMENT FOUND IN EITHER A SEPARATELY EXECUTED SOFTWARE LICENSE AGREEMENT, OR, IF THERE IS NO SUCH SEPARATE AGREEMENT, THE CLICKWRAP END USER LICENSE AGREEMENT WHICH IS DISPLAYED DURING DOWNLOAD OR INSTALLATION OF THE SOFTWARE (AND WHICH IS DUPLICATED IN THE LICENSE FILE) OR IF THERE IS NO SUCH SOFTWARE LICENSE AGREEMENT OR CLICKWRAP END USER LICENSE AGREEMENT, THE LICENSE(S) LOCATED IN THE “LICENSE” FILE(S) OF THE SOFTWARE. USE OF THIS DOCUMENT IS SUBJECT TO THOSE TERMS AND CONDITIONS, AND YOUR USE HEREOF SHALL CONSTITUTE ACCEPTANCE OF AND AN AGREEMENT TO BE BOUND BY THE SAME.

This document contains confidential information that is subject to U.S. and international copyright laws and treaties. No part of this document may be reproduced in any form without the written authorization of TIBCO Software Inc.

TIBCO, Two-Second Advantage, TIBCO Managed File Transfer, TIBCO Managed File Transfer Command Center, TIBCO Managed File Transfer Internet Server, TIBCO Managed File Transfer Platform Server, TIBCO Managed File Transfer Platform Server Agent, and TIBCO Slingshot are either registered trademarks or trademarks of TIBCO Software Inc. or its subsidiaries in the United States and/or other countries.

All other product and company names and marks mentioned in this document are the property of their respective owners and are mentioned for identification purposes only.

THIS SOFTWARE MAY BE AVAILABLE ON MULTIPLE OPERATING SYSTEMS. HOWEVER, NOT ALL OPERATING SYSTEM PLATFORMS FOR A SPECIFIC SOFTWARE VERSION ARE RELEASED AT THE SAME TIME. SEE THE README FILE FOR THE AVAILABILITY OF THIS SOFTWARE VERSION ON A SPECIFIC OPERATING SYSTEM PLATFORM.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.

THIS DOCUMENT COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THIS DOCUMENT. TIBCO SOFTWARE INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS DOCUMENT AT ANY TIME.

THE CONTENTS OF THIS DOCUMENT MAY BE MODIFIED AND/OR QUALIFIED, DIRECTLY OR INDIRECTLY, BY OTHER DOCUMENTATION WHICH ACCOMPANIES THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY RELEASE NOTES AND "READ ME" FILES.

Copyright ©2003-2016 TIBCO Software Inc. All rights reserved.

TIBCO Software Inc. Confidential Information


Contents

TIBCO Documentation and Support Services
Installation Requirements
    Installation Account
    System Requirements
    Network
    Database Guideline
        Creating an IBM DB2 Database
    Configuring Java on Windows or UNIX
Installing MFTCC in Console Mode
    Starting Automated Installation
    Installing MFTCC
Installing MFTCC in Silent Mode
    SilentInstall.xml File Parameters
Installing Connection Manager Server
    Starting CMS Automated Installation
    Starting the CMS Service Automatically
    Removing the CMS Service
Upgrading MFTCC
    Upgrading from Version 7.2.5
    Upgrading Java JDK
Configuring FIPS 140-2 Manually
    Enabling FIPS Mode Manually
        Setting the Browser to Use TLS
        Setting IBM Java Security to Use FIPS Certified Cryptographic Security Provider
        Setting the MFTCC Environment Variable
    Taking the MFT Server Out of FIPS Mode
Changing the Default Logos
Uninstalling MFTCC
Uninstalling Connection Manager Server
Appendix A. Installation Worksheet
Appendix B. Certificate Update Guideline
    Updating HTTPS Certificate
Appendix C. Starting the MFTCC Service Automatically
    Starting the MFTCC Service on Windows Automatically
    Starting the MFTCC Service on UNIX Automatically
    Removing the MFTCC Service on Windows
Appendix D. Setting HTTP SSL Ciphers
Appendix E. Configuring Web SSO
Appendix F. Configuring MFT for SAML SSO
    Creating SAML Private Keys
    Importing SAML Identity Provider Metadata
    Configuring SAML Service Provider Metadata
    Generating SAML Service Provider Metadata
    Sending SAML Service Provider Metadata to the Identity Provider
    Restarting the MFT Server
    Updating MFT Shortcuts
Appendix G. Customizing Translation Tables
Appendix H. MFTCC Security Best Practices
    Installation
    web.xml Parameters
    Server Configurations
    General Suggestions


TIBCO Documentation and Support Services

Documentation for this and other TIBCO products is available on the TIBCO Documentation site. This site is updated more frequently than any documentation that might be included with the product. To ensure that you are accessing the latest available help topics, please visit:

https://docs.tibco.com

Product-Specific Documentation

Documentation for TIBCO products is not bundled with the software. Instead, it is available on the TIBCO Documentation site at https://docs.tibco.com/products/tibco-managed-file-transfer-command-center.

The following documents for this product can be found on the TIBCO Documentation site:

● TIBCO Managed File Transfer Command Center Installation

● TIBCO Managed File Transfer Command Center Quick Start Guide

● TIBCO Managed File Transfer Command Center User's Guide

● TIBCO Managed File Transfer Command Center Command Line Utilities Guide

● TIBCO Managed File Transfer Command Center API Guide

● TIBCO Managed File Transfer Command Center Release Notes

How to Contact TIBCO Support

For comments or problems with this manual or the software it addresses, contact TIBCO Support:

● For an overview of TIBCO Support, and information about getting started with TIBCO Support, visit this site:

http://www.tibco.com/services/support

● If you already have a valid maintenance or support contract, visit this site:

https://support.tibco.com

Entry to this site requires a user name and password. If you do not have a user name, you can request one.

How to Join TIBCOmmunity

TIBCOmmunity is an online destination for TIBCO customers, partners, and resident experts. It is a place to share and access the collective experience of the TIBCO community. TIBCOmmunity offers forums, blogs, and access to a variety of resources. To register, go to the following web address:

https://www.tibcommunity.com


Installation Requirements

Before installing TIBCO® Managed File Transfer Command Center, ensure that your system meets all the hardware and software requirements and you have appropriate privileges to the installation.

In TIBCO Managed File Transfer (MFT) Command Center documentation set, MFTCC is used to represent TIBCO MFT Command Center.

Installation Account

To install MFTCC, you must have appropriate privileges.

Platform: Account Privileges

Microsoft Windows: No special privileges are required if you do not install MFTCC as a Windows service. You must be an administrator if you install MFTCC as a Windows service.

UNIX: When installing MFTCC on a UNIX platform, it is good practice to install MFTCC under a non-root user.

If you need MFTCC to listen on ports below 1025, you should use the iptables command to redirect requests to these ports to valid MFTCC ports that are above 1024.

System Requirements

Before installing MFTCC, ensure that your system meets the hardware and software requirements.

For information about the hardware and software requirements, as well as supported platforms, see the product readme.txt file.

Network

As with any enterprise application, changes might need to be made to firewall and other security systems in a production environment.

The following table lists default ports for services required and used within MFTCC:

    Supported Database    Default Port
    MS SQL Server         1433
    Oracle                1521\1522; SSL: 2484
    MySQL                 3306
    IBM DB2               50000

These are the default ports. You have to check with the appropriate systems administrator to ensure that these default ports are used in your enterprise.

Either HTTPS or HTTP can be used for SOAP calls. By default, MFTCC uses port 8443 for HTTPS and port 8080 for HTTP. These default values can be changed during the installation process.

MFTCC must be installed under a root user if you configure MFTCC to use ports below 1025. However, you can use the iptables command to redirect ports 443 and 80 to valid MFTCC ports that do not require root access. For example, if you define port 8443 for HTTPS and port 8080 for HTTP, you can use the following iptables commands to redirect port 443 to 8443 and port 80 to 8080:

    iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443
    iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

When using the iptables command to redirect requests from ports below 1025, the iptables command must be executed from a root user.

Database Guideline

MFTCC provides a utility that can create and populate the required database tables. However, before starting the installation, you must create an MFTCC database in whichever database application you use.

For more information about the supported databases, see Installation Requirements.

Have your database administrator create a database as well as a user name and password on the server that will host the MFTCC database tables. It is good practice to name the database and user name as cfcc, but this is not required. This user must have the ability to read, write, and create tables in the MFTCC database. The exact steps to create a database vary significantly depending on the database application you use. See the documentation provided by your database vendor for information about how to create a database.

Pay attention to the following points when creating a database:

● Database password must not contain an equal sign (=).

● If you use an MSSQL server database, you can configure the MSSQL server properties under the Security tab to perform authentication via SQL Server or Windows. The default option is Windows.

● If you use an IBM DB2 database, see Creating an IBM DB2 Database for information about how to create an IBM DB2 database.

● If you use Oracle 10i or later, using Cost Based Optimization (CBO), it is good practice to tune the optimization for first_rows of the MFTCC database. To enable this, you have to issue the following command from SQL*Plus as SYSDBA after creating the database:

    alter system set optimizer_mode=first_rows_100;

The DB2 user account used for the MFTCC installation must not have the DBA role assigned; otherwise, the installation will fail. The DB2 user needs only the following right granted:

GRANT CONNECT, RESOURCE TO <schema>

Creating an IBM DB2 Database

If you use an IBM DB2 database, you must perform the following operations.

The database, buffer pool, and table space names defined in the following example are suggested values. You can substitute names that follow your naming standards if necessary. These changes should be made through the IBM DB2 Control Center or an equivalent tool.

Procedure

1. Create a DB2 database.
   The only required value is the database name. For example, you can assign a database name, such as MFTCCDB.

2. Create a DB2 buffer pool with a page size of 32K.
   Assign a buffer pool name, such as MFTCCBP. This buffer pool will be needed in later steps.


3. Create a DB2 table space.
   Assign this table space a name, such as MFTCCTS. This table space should be defined as type Regular and use the buffer pool defined in step 2. Create a DB2 container with a unique name, such as C:\DB2Container\CFCCCTS. This directory will be automatically created by DB2 when the table space definition is completed.

4. Create a second DB2 table space.
   Assign this table space a name, such as MFTCCTTS. This table space should be defined as type System Temporary and use the buffer pool defined in step 2. Create a DB2 container with a unique name, such as C:\DB2Container\CFCCCTTS. This directory will be automatically created by DB2 when the table space definition is completed.

Configuring Java on Windows or UNIX

Before installing MFTCC, a Java Software Development Kit (JDK) must have been installed.

MFTCC installation and configuration requires the bin directory of the JDK to be in your PATH environment variable. Instructions on how to do this are as follows.

If you want to run the application server as a Windows service, you must set the JAVA_HOME environment variable for your system. See Appendix C. Starting on Startup Automatically for more information.

Procedure

1. Set the JAVA_HOME environment variable to point to the Java\jdk directory.

For example,

● On Windows: set JAVA_HOME=C:\Program Files\Java\jdk1.8.0_66

● On UNIX: export JAVA_HOME=/opt/java/jdk1.8.0_66

2. Set the PATH variable to point to the Java\bin directory:

For example,

● On Windows: set PATH=%JAVA_HOME%\bin;%PATH% or set PATH=C:\Program Files\Java\jdk1.8.0_66\bin;%PATH%

● On UNIX: export PATH=$JAVA_HOME/bin:$PATH or export PATH=/opt/java/jdk1.8.0_66/bin:$PATH

3. Verify that the path is correctly set by using the following command:

Windows and UNIX: java -version

See the following sample output:

    java version "1.8.0_66"
    Java(TM) SE Runtime Environment (build 1.8.0_66-b26)
    Java HotSpot(TM) 64-Bit Server VM (build 25.66-b25, mixed mode)


Installing MFTCC in Console Mode

You can install MFTCC in console mode.

To install MFTCC in console mode, perform the following operations:

1. Starting Automated Installation

2. Installing MFTCC

Starting Automated Installation

To start the automated installation process of MFTCC, you have to complete some necessary steps.

Prerequisites

Ensure that the following prerequisites are met:

● A Java JDK must be installed. For more information, see Configuring Java on Windows or UNIX.

● Download the JCE Unlimited Strength Jurisdiction Policy files from the following website and place the files into the Java security directory, for example, C:\Program Files\Java\jdk1.8.0_66\jre\lib\security.

  http://www.oracle.com/technetwork/java/index.html

● MFTCC install scripts must be located in the same directory as the cfcc.jar file.

● If you execute MFTCC on a UNIX environment, ensure that the install.sh script has the execute attribute.

● If you are installing MFTCC on one of the supported UNIX platforms and have uploaded the files needed for installing on UNIX, the default permissions must be set as follows:

    cfcc.jar              -r-- r-- r--   444
    CMAInstall.jar        -r-- r-- r--   444
    connmgr.jar           -r-- r-- r--   444
    EULA.txt              -r-- r-- r--   444
    install-config.xml    -r-- r-- r--   444
    installer.jar         -r-- r-- r--   444
    install.sh            -r-x r-x r-x   555
    log4j.properties      -r-- r-- r--   444
    log4j-1.2.17.jar      -r-- r-- r--   444
    server.jar            -r-- r-- r--   444
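A preflight check for the permission list above, as an added example that is not part of the TIBCO guide: it compares each uploaded installer file with the mode listed on this page and reports files that are missing or whose mode differs (for example, a jar left writable after upload). The function names check_install_perms and fix_install_perms are hypothetical; the file names and modes come from the list above.

```shell
#!/bin/sh
# Added example, not TIBCO code. File names and modes are the ones listed
# in the prerequisites on this page; the function names are hypothetical.

EXPECTED_PERMS='cfcc.jar -r--r--r--
CMAInstall.jar -r--r--r--
connmgr.jar -r--r--r--
EULA.txt -r--r--r--
install-config.xml -r--r--r--
installer.jar -r--r--r--
install.sh -r-xr-xr-x
log4j.properties -r--r--r--
log4j-1.2.17.jar -r--r--r--
server.jar -r--r--r--'

# check_install_perms DIR
# Prints one line per problem and returns the number of problems found
# (0 means every file is present with the listed mode).
check_install_perms() {
    dir=$1
    problems=0
    while read -r name want; do
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"
            problems=$((problems + 1))
            continue
        fi
        # First 10 characters of ls -ld are the file type and mode bits;
        # a symlink standing in for a file shows up here as a mismatch.
        have=$(ls -ld "$path" | cut -c1-10)
        if [ "$have" != "$want" ]; then
            echo "MODE     $name: have $have, want $want"
            problems=$((problems + 1))
        fi
    done <<EOF
$EXPECTED_PERMS
EOF
    return "$problems"
}

# fix_install_perms DIR
# Applies the listed modes: 555 for the script, 444 for everything else.
fix_install_perms() {
    dir=$1
    while read -r name want; do
        [ -f "$dir/$name" ] || continue
        case $want in
            *x*) chmod 555 "$dir/$name" ;;
            *)   chmod 444 "$dir/$name" ;;
        esac
    done <<EOF
$EXPECTED_PERMS
EOF
}

# Run the check against a directory when one is given on the command line.
if [ "$#" -ge 1 ]; then
    check_install_perms "$1"
fi
```

Run it against the upload directory before starting ./install.sh; a non-zero exit status is the number of files that need attention.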

Procedure

1. Type the following command on the command line to start the automated installation:

● On Windows: install

● On UNIX: ./install.sh

    MFT Installer Release 8.0.1 (supports all 8.0 versions)
    Please note that this install will perform multiple App Server restarts.
    For this install, press the ENTER key to accept defaults and continue.
    You must read the license agreement before proceeding with the installation.
    Press enter to display the agreement.

2. Press Enter to display the End User License Agreement (EULA), and type yes to accept the license agreement.
   You can type s to skip to the end of the agreement.

3. Press Enter to continue.

If you have added the JAVA_HOME variable and set the PATH variable as instructed in Configuring Java on Windows or UNIX, the product will detect the version at this point. The Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files must be installed before MFTCC installation. If they are not installed, the following message is displayed and the installation stops.

    In order to use 256 bit secure keys you must download the JCE Unlimited Strength
    Jurisdiction Policy Files from http://www.oracle.com/technetwork/java/index.html.
    After downloading, place the files into C:\Program Files\Java\jdk1.8.0_66\jre\lib\security.
    Installation failed! Details are in the install.log file.

Installing MFTCC

After starting the automated installation, you must complete all installation steps to complete the installation.

When installing MFTCC on a Windows system, a Java window labeled MFT server will be displayed during installation. This window must be kept open for the MFT server to continue running. Closing this window will shut down the web application. You can start and stop the MFT server by running the startup and shutdown scripts in the MFTCC_Install\server\bin directory for the appropriate system.

Procedure

1. This step will extract the distribution file named cfcc.jar and set up the Java mail if it is not already configured.

In this step, the application server is also installed and configured, and the JAVA_HOME environment variable is detected.

If you install MFTCC on a Windows system, you will also be prompted to define whether to run the application server as a Windows service.

When you choose to install MFTCC as a Windows service, if an MFTCC Windows service already exists, the existing MFTCC Windows service is stopped and a new Windows service is installed and started.

    Is the application server installed as a Windows service or do you want to run it as a Windows service? y/n/? [y]:
    Stopping service MFT Command Center ....................

If you install MFTCC on a UNIX system using IBM Java, you will also be prompted to enable FIPS mode on the application server. After putting the server into FIPS mode, MFT will only use FIPS certified cryptographic modules when using SSL (HTTPS and FTPS), SFTP (SSH), and AS2. If you want to change your FIPS mode configurations at a later time, see Configuring FIPS 140-2 Manually for more details on configuring FIPS mode manually.

    Found distribution file c:\MFTCC\cfcc.jar
    Use C:\MFTCC\cfcc.jar as the distribution? y/n [y]:
    Extracting distribution file: C:\MFTCC\cfcc.jar
    ................................................................................
    Distribution extracted successfully!

    Is the application server installed as a Windows service or do you want to run it as a Windows service? y/n/? [y]:

    Installing application server to C:\MFTCC\server
    ..............................................................................................

    Using C:\MFTCC\server as path to the application server installation.
    C:\MFTCC\server\conf\Catalina\localhost

2. This step will set up the connection to the MFTCC database that you created.

In this example, Oracle is used as the database server. When using Oracle, you must have the JDBCdriver on the system.


If you use an MS SQL database that uses Windows authentication, you must add the domain parameter with the domain name to the end of the database URL. To do this, type n when prompted with the default statement, Use database URL:. You can enter a new database URL to use. Copy and paste the URL that is contained in the brackets, and then add a semicolon and the domain parameter at the end, for example, jdbc:jtds:sqlserver://10.1.2.182:1433/MFTCC;domain=DomainName, and then press Enter.

Step 2 Verifying database connectionSelect database server type:Enter 1 for MSSQLEnter 2 for MySQL Enterprise Server or Community ServerEnter 3 for OracleEnter 4 for DB2: 3

Oracle selected as database server type.

Enter the DNS name or IP Address of the database server...[localhost]:mftdbEnter the database port number.................................[1521]:

Will you connect to the Oracle DB Server via an SID or a Service Name?1. SID2. Service NamePlease enter 1 for SID or 2 for Service Name. [1]: [log: 2]Enter the service name........................................[cfcc]:Enter the database UserID......................................[cfcc]:Enter the database Password....................................[cfcc]:Please confirm the password:

Use database URL: [jdbc:oracle:thin:@mftdb:1521/cfcc? y/n [y] :

Verifying database connection using the following URL:jdbc:oracle:thin:@mftdb:1521/cfccThe Oracle JDBC driver is not shipped with this product.The database vender will be able to supply the necessary file(s).Please copy the jar file(s) into the C:\MFTCC\server\lib directory.After the files are copied, press the enter key to continue.

Successfully established connection to the database.

Start to set up pooling parametersSelect database pooling settings. Enter y to use database pooling, and n for nopooling. [y]:

Input max active connections (positive integer). [400]:

Input max idle pool size (positive integer). [20]:

Input min idle pool size (positive integer). [10]:

Input max wait time to get a connection when there is no available connection (in minutes). [1]:

Input time between eviction runs to clean up pool (in minutes). [20]:

Input min evictable idle time before a connection can be removed from pool (in minutes). [40]:

Database pooling flag: use pooling
Max active connections: 400
Max idle pool size: 20
Min idle pool size: 10
Max wait to get a connection when there is no available connection: 1 minutes
Time between eviction runs to clean up pool: 20 minutes
Min evictable idle time before a connection can be removed from pool: 40 minutes

Use these parameters for database connection pooling? y/n [y]:


3. This step will install the database and populate the database tables.

Step 3 Configuring the database
Executing database creation utility....
cmd /E:1900 /c setupdb.bat "amRiYzpvcmFjbGU6dGhpbjpAMTkyLjE2OC43OC44OToxNTIxOm1mdDhz" oracle bWZ0cWE? ******** oracle.jdbc.driver.OracleDriver BASE64
Allocating DBSetup object...
Determining database version....
Installing database...
Updating database...
Updating tables...
……
Updating records...
Done updating database.
Successfully installed database: jdbc:oracle:thin://oracleserver:1521:cfcc
Successfully populated DB tables with default information.
adding URIEncoding attribute to http connector

If you already have an MFTCC database, you will be prompted to back up the database that you are using, because the database will be updated during the MFTCC installation process.

Step 3 Configuring the database
Database will be modified for new features. Please backup database before proceeding.
Do you wish to continue? y/n [y]

4. This step will configure MFTCC for SSL communication.

If you do not have a certificate, a self-signed certificate will be created during the installation process. You can either use a certificate issued by a certificate authority (CA) or use a self-signed certificate. During the installation process, you can choose the signature algorithm that will be used to sign the self-signed certificate; the highest strength is SHA512 with RSA and the lowest strength is SHA256.

Pay attention to the following points:

● Self-signed certificates are only practical for testing purposes, but do not allow you to get up and run quickly while you wait for an external CA to sign a certificate for you.

● Port numbers below 1024 (so-called low-numbered ports) can only be bound to by root on UNIX systems.

Step 4 Evaluating the application server installation for HTTPS connectors
Reading the application server configuration file: C:\MFTCC\server\conf\serverxml
Found no pre-existing HTTPS connectors!
Do you have a pre-exisiting Java Keystore to be used as a server key for SSL comunication? y/n/? [n]:

Creating keystore for SSL communication
Enter the keystore path and filename..[C:\MFTCC\keystore\keystore.jks]:
Directory C:\MFTCC\keystore does not exist! Create? y/n [y]:
Enter the keystore password (at least 6 characters)..[changeit]:
Enter the alias of your private key......................[cfcc]:
Enter the DNS Name or IP Address of your server............:10.97.142.191
Select the signature and key algorithms you wish to use........:
1. SHA256 with RSA
2. SHA384 with RSA
3. SHA512 with RSA
Please enter your selection. [1]:
Enter your Company Name..............................[Optional]:TIBCO
Enter your Organizational Unit Name..................[Optional]:Web Debt
Enter the City where your company is located.........[Optional]:Palo Alto
Enter the State where your company is located........[Optional]:CA
Enter the two-letter country code for this unit......[Optional]:US

Keystore filename : C:\MFTCC\keystore\keystore.jks
Keystore password : ********


Key alias : cfcc
Server address : 10.97.142.191
Signature and key alg: SHA256withRSA
Organization : TIBCO
Organizational Unit : Web Debt
Locality : Palo Alto
State : CA
Country : US
Create a keystore with the above information? y/n [y]:

Creating keystore......
C:\Program Files\Java\jdk1.8.0_40\bin\keytool -genkey -keystore C:\MFTCC\keysore\keystore.jks -storepass ******** -keypass ******** -keyalg RSA -sigalg SHA256withRSA -alias cfcc -keySize 2048 -validity 3650 -dname CN=10.97.142.191, O=TICO, OU=Web Dept, L=Palo Alto, ST=CA, C=US

Enter the HTTPS Port to listen for connections… [8443]:

5. This step will configure the MFTCC components and ports on the application server.

In this example, to provide the most secure environment, the connector is set to only allow secure ciphers by default. To view those ciphers, type V for them to be displayed. If you want the server to support all ciphers, you can select option 2. The AJP port is used for forwarding requests from an HTTP server.

Step 5 Updating the application server Connector Configuration

Default HTTPS Connector parameters for port 8443:
The Default Verbosity Level - 2
The Default Debug Level - 2
The Default Buffer size - 2048
The Default Connection Timeout - 60000
The Default DNS Lookup set to - true
The Default Max active requests - 128
The Default Min Processors - 5
The Default Max Processors - 100

Accept these parameters? y/n [y]:
Select the SSL ciphers you wish to the server to support.
1. Secure ciphers
2. All ciphers
Please enter your selection or v to view secure ciphers. [1]:
Enter the HTTP port to listen for connections... [8080] :

Enter the port to listen for shutdown requests... [8005] :

Enter the AJP port... [8009] :

6. This step will configure the context root that will be used in the URL.

The context name must be set to an alphanumeric name. Using special characters within a context name can cause unpredictable results.

Step 6 Evaluating the application server installation for contexts
Enter the context root for this installation ........[cfcc]

Reading context configuration file: C:\MFTCC\server\conf\Catalina\localhost\cfcc.xml
Found no pre-existing Contexts

If you are upgrading, you will be prompted to back up your present settings because only one instance of cfcc can exist on the server.

7. This step will extract the cfcc.war file to install the MFTCC application.

Step 7 Installing web application
Use C:\MFTCC\server\webapps\cfcc as the installation directory? y/n/? [y]:

Extracting distribution\cfcc.war to C:\MFTCC\server\webapps\cfcc


8. This step will verify the context configuration for MFTCC.

Step 8 Updating the application server context configuration

Default Context parameters:
The Default Log File Prefix - localhost_cfcc_
The Default Log File Suffix - .txt
The Default Log File Timestamp - true
The Default Log File Verbosity Level - 2
The Default Log File Debug Level - 0

Add a new context with the above parameters? y/n/? [y]:

9. This step will update the MFTCC web.xml file and install the MFTCC Administrator service.

Step 9 Configuring web.xml

Enter the name of the host on which the application will run. [SystemA]:

Enter a directory to store log files......[c:\MFTCC\logs]:

Configure web.xml with the above parameters? y/n [y]:
Starting the application server................... [OK]

10. This step will deploy the MFTCC web service.

Step 10 Deploying services
Executing deploy command.
Cmd /E:1900 /c deploy.bat 127.0.0.1 8080 admin ****** cfcc
This may take a few moments......

11. This step will generate SOAP stubs that MFTCC will use.

Step 11 Generating SOAP Stubs
Executing genstubs command.
Cmd /E:1900 /c genstubs.sh 10.97.142.191 8080 admin ******** cfcc http
This may take a few moments......

12. This step will install the SOAP stubs generated for the MFTCC web service.

Step 12 Installing SOAP Stubs
Executing installstubs command.
Cmd /E:1900 /c installstubs.sh c:\MFTCC\server\webapps\cfcc
This may take a few moments......

Restarting the application server
Stopping the application server................................. [OK]
Starting the application server................................. [OK]

13. This step will copy the JMS files.

If you are using the JMS interface, you must copy the JMS jar files to the MFTCC_Install\server\webapps\cfcc\WEB-INF\lib directory.

Step 13 Copy JMS files

If you are using the JMS interface, you must copy the JMS jar files to the following location:
C:\MFTCC\server\webapps\cfcc\WEB-INF\lib
These jar files are typically found in the JMS Server installation.
Restart the MFT server after copying the jar files.
You can configure and test the JMS settings through the Command Center.
Go to the Management > Manage Services > Configure JMS Service page.
On that page you can click on help for a list of the provider specific jar files.

Press the enter key to continue.

Installation completed! Details are in the install.log file.

What to do next

After MFTCC is installed, you can access the MFTCC Administrator web pages using one of the following URLs:


● https://[DNS_HostName]:[httpsPort]/[context]/control?view=view/admin/start.jsp

● https://[DNS_HostName]:[httpsPort]/admin

If the default context is not used during the installation process, the redirection file for this shortcut and others mentioned later in this manual will need to be updated to redirect to the non-standard context. Follow these instructions to make the changes:

The redirection files can be found in the MFTCC_Install\server\webapps\ROOT directory. Use a text editor to open and change the cfcc context in these files to the new context chosen during the installation process. After making the changes, save and close the files.

When you are prompted for a user ID and password, you must log in with the administrator credentials of admin and changeit.


Installing MFTCC in Silent Mode

You can install MFTCC in silent mode by using the SilentInstall.xml file.

You must start the installation process using the proper user authorization. For more information, see Installation Requirements.

Procedure

1. Download and extract the installation package to an installation directory on your computer.

2. Create your SilentInstall.xml file by executing the silent-setup program.

● On Windows: silent-setup

● On UNIX: ./silent-setup.sh

For more information on the format and parameters of the SilentInstall.xml file, see SilentInstall.xml File Parameters.

3. On a command line, navigate to the MFTCC_Install directory and start the installation in silent mode by executing the following command:

● On Windows: install.bat silent

● On UNIX: ./install.sh silent

SilentInstall.xml File Parameters

All the parameters in the SilentInstall.xml file are required unless otherwise indicated.

The following example shows a sample SilentInstall.xml file:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<silentinstall>
<!-- Database Settings -->
<arg name="db_type" value="mysql"/>
<arg name="db_host" value="localhost"/>
<arg name="db_port" value="3306"/>
<arg name="db_ssl" value=""/>
<arg name="db_ciphers" value=""/>
<arg name="db_name" value="mft800"/>
<arg name="db_oracle_type" value=""/>
<arg name="db_user" value="root"/>
<arg name="db_password" value="$$ENCODED:dCbWgIvpILRQgr5QivE1d8L7F2A="/>
<arg name="db_drivertype" value=""/>
<arg name="db_url" value=""/>
<arg name="db_driverfilename" value="mysql-connector-java-3.1.12-bin.jar"/>
<!-- MFT Server Port Settings -->
<arg name="httpsport" value="7443"/>
<arg name="httpport" value="7080"/>
<arg name="shutdownport" value="7005"/>
<arg name="ajpport" value="7009"/>
<!-- Keystore Settings -->
<arg name="keystore" value="keystore.jks"/>
<arg name="keystorepassword" value="$$ENCODED:QjhpudCGsR+s7YD91UB7ZKI0UV8="/>
<arg name="keystorealias" value="cfcc"/>
<!-- Miscellaneous Settings -->
<arg name="admininstall" value="false"/>
<arg name="hostname" value=""/>
<arg name="context" value="cfcc"/>
<arg name="adminuser" value="admin"/>
<arg name="adminpassword" value="$$ENCODED:/8juoLVihSCqRDVNaq1moV7SD38="/>
<arg name="allow_root" value="false"/>
<arg name="win_service" value="false"/>
<arg name="fips" value="false"/>
</silentinstall>


Database Settings

Parameter Description

db_type Defines the type of the database you use.

The valid values are: mysql, oracle, db2, and mssql.

db_host Defines the IP name or IP address of the database server.

db_port Defines the port that the database is listening on.

db_ssl Defines whether the database connections use SSL/TLS.

The valid values are as follows:

● true: uses TLS/SSL for database connections.

● false: uses clear database connections.

db_ciphers Defines the database ciphers to be used when using Oracle database connections in SSL mode.

db_name Defines the name of the database or schema.

db_oracle_type Defines the Oracle database type.

The valid values are sid and service.

db_user Defines the user name that has access to the defined database.

db_password Defines the password for the database user.

Two formats for this password can be used: clear text password and base64 encoded encrypted password. The base64 encoded encrypted password is generated by an MFT program and cannot be set by editing the file.

db_drivertype Defines the driver type when multiple driver types are available.

The valid values are jtds and microsoft.

db_url Allows you to override the URL that MFT will normally generate.

This parameter is optional. When used, it will cause the installer to ignore these parameters: db_host, db_port, and db_name.

db_driverfilename Defines the name of the JDBC driver file.

The JDBC driver file must be located in the same directory as the other MFT installation files.


Server Port Settings

Parameter Description

httpsport Defines the HTTPS port number.

httpport Defines the HTTP port number.

shutdownport Defines the server shutdown port number.

ajpport Defines the server AJP port number.

Keystore Settings

Parameter Description

keystore Defines the name of the keystore file used by the HTTPS connector.

The keystore file must be located in the same directory as the other MFT installation files.

keystorepassword Defines the password for the keystore.

Two formats for this password can be used: clear text password and base64 encoded encrypted password. The base64 encoded encrypted password is generated by an MFT program and cannot be set by editing the file.

keystorealias Defines the keystore key alias used by the HTTPS connector.

Miscellaneous Settings

Parameter Description

hostname Defines the host name for the MFT application.

This is an optional parameter. When not defined, the host name of the computer where MFTCC is being installed is used. When defined, this parameter overrides the host name.

context Defines the context for the MFT server.

adminuser Defines the admin user that is used to connect to the MFT server to validate that it is operational.

adminpassword Defines the credentials for the admin user.

allow_root Defines whether the MFT application can be installed by a root user.

The valid values are true and false.


win_service Defines whether the MFT application should be run as a Windows service.

The valid values are true and false.

fips Defines whether the MFT application must be running in FIPS mode.

The valid values are true and false.

admininstall Defines whether the Admin service will be installed for this MFT application.
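The parameter tables above can be turned into a pre-flight check that is run on a SilentInstall.xml file before install.sh silent or install.bat silent. The following Python script is an added example, not part of the TIBCO product; it assumes that the $$ENCODED: prefix seen in the sample file marks the encoded password form, and the file content it checks is constructed.

```python
import re
import xml.etree.ElementTree as ET

ENCODED_PREFIX = "$$ENCODED:"  # assumption: marker of the encoded form, as in the sample file
PASSWORD_PARAMS = ("db_password", "keystorepassword", "adminpassword")
PORT_PARAMS = ("httpsport", "httpport", "shutdownport", "ajpport")
DOCUMENTED_VALUES = {  # value lists from the parameter tables; "" means left empty
    "db_type": {"mysql", "oracle", "db2", "mssql"},
    "db_ssl": {"", "true", "false"},
    "db_oracle_type": {"", "sid", "service"},
    "db_drivertype": {"", "jtds", "microsoft"},
    "allow_root": {"true", "false"},
    "win_service": {"true", "false"},
    "fips": {"true", "false"},
}


def load_args(xml_text):
    """Return {name: value} for every <arg> element under <silentinstall>."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "silentinstall":
        raise ValueError("root element is not <silentinstall>")
    return {arg.get("name"): arg.get("value", "") for arg in root.iter("arg")}


def audit(xml_text):
    """Return sorted (parameter, finding) pairs for settings worth a second look."""
    args = load_args(xml_text)
    findings = []
    for name in PASSWORD_PARAMS:
        value = args.get(name, "")
        if value and not value.startswith(ENCODED_PREFIX):
            findings.append((name, "password is stored in clear text"))
    for name, allowed in DOCUMENTED_VALUES.items():
        if name in args and args[name] not in allowed:
            findings.append((name, "value is not one of the documented values"))
    if args.get("db_ssl", "") in ("", "false"):
        findings.append(("db_ssl", "database connections are not encrypted"))
    if args.get("allow_root") == "true":
        findings.append(("allow_root", "installation by a root user is allowed"))
    for name in PORT_PARAMS:
        value = args.get(name, "")
        if not re.fullmatch(r"[0-9]{1,5}", value) or not 0 < int(value) < 65536:
            findings.append((name, "not a valid port number"))
        elif int(value) < 1024:
            findings.append((name, "low-numbered port, needs root on UNIX"))
    if not re.fullmatch(r"[A-Za-z0-9]+", args.get("context", "")):
        findings.append(("context", "context name is not alphanumeric"))
    if args.get("db_url"):
        findings.append(("db_url", "overrides db_host, db_port and db_name"))
    return sorted(findings)


# Constructed sample for this example (not a real installation file).
SAMPLE = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<silentinstall>
<arg name="db_type" value="oracle"/>
<arg name="db_ssl" value="false"/>
<arg name="db_oracle_type" value="service"/>
<arg name="db_password" value="Summer2016"/>
<arg name="db_url" value=""/>
<arg name="httpsport" value="443"/>
<arg name="httpport" value="7080"/>
<arg name="shutdownport" value="7005"/>
<arg name="ajpport" value="7009"/>
<arg name="keystorepassword" value="$$ENCODED:Y29uc3RydWN0ZWQ="/>
<arg name="context" value="cf-cc"/>
<arg name="adminpassword" value="$$ENCODED:Y29uc3RydWN0ZWQ="/>
<arg name="allow_root" value="true"/>
<arg name="win_service" value="false"/>
<arg name="fips" value="false"/>
</silentinstall>"""

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

Because the file can hold a clear text password, the same care applies to its file permissions as to any other credential store.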


Installing Connection Manager Server

CMS must be installed in the internal network behind the firewall. CMS works with CMA, which is typically found in DMZ installations where firewall rules do not allow connections to be initiated from the DMZ to the internal network.

Prerequisites

Ensure that the following prerequisites are met:

● You must be the system administrator of the operating system to complete the CMS installation.

● A Java JDK must have been installed. If you have not already set the JAVA_HOME variable as required for the MFTCC installation, set this variable along with the PATH statement. See Configuring Java on Windows or UNIX for more information.

If you do not install CMS when installing MFTCC and install CMS separately, you have to first start the automated installation of CMS. See Starting CMS Automated Installation for more information on how to start the automated installation of CMS.

Procedure

1. This step installs the CMS in the current running directory.

CMS Step 1 Install CMS Server

CMS will be installed in directory: C:\MFT730CMS\cmsserver............

2. This step defines the ports that CMS uses in the environment.

By default, CMS uses HTTPS port 48443 and shutdown port 48005.

CMS Step 2 Configure CMS Server ports
CMS will use the following Server Ports:
: HTTPS Port....................: 48443
: Shutdown Port.................: 48005
Note: The default values will work in most environments.
To Accept these ports hit <Enter>. Otherwise type N and press <ENTER>:[y]
Testing Server ports:
Testing https port 48443: Successful!
Testing shutdown port 48005: Successful!
Server Port tests successful. Press <Enter> to Continue

3. This step sets up the default ports to be used for the communication between CMS and CMA.

CMS Step 3 Configure Connection Manager Agent (CMA)
Now we will define the Connection Manager Agents (CMA).
Enter the CMA Host Name or IP Address.........[]:10.97.142.89
CMA will use the following Command and Data ports.
CMA Command IP Port...............: 48000
CMA Data IP Port..................: 48001
Note: The default values will work in most environments.
To Accept these ports ............:[y]

4. This step configures the password used by MFTCC to configure CMS.

By default, the password is set to changeit. You can change the password later through MFTCC if needed.

CMS Step 4 Configure the password used by Command Center to configure CMS.
Command Center requires a password to configure CMS
Enter the password used by Command Center to configure CMS.....[changeit]:
Default password:[changeit] will be used
Enter 'y' to confirm, Enter 'n' to re-enter password...[y]

5. This step starts the CMS application server and tests the connection.


CMS will attempt to connect to CMA every 30 seconds until a connection is successful.

CMS Step 5 Starting the CMS Server
The Connection Manager Server is starting
Testing Connection Manager Server connection:
Try 0 to contact to the application server
Try 1 to contact to the application server
Connection Manager test successful
CMS will connect to the CMA agent every 30 seconds until a connection is successful: (10.97.142.89:48000 )

6. This step displays some final instructions to help you log in and configure CMS through MFTCC.

CMS Step 6 CMS Installation Complete
Now you can install the Connection Manager Agent(CMA) on host 10.97.142.89
The CMA is distributed with the MFT Internet Server. CMA can be installed and configured during the MFT Internet Server installation in the DMZ. During the MFT Internet Server CMA installation you will be prompted for the following information:
: When prompted for "CMA Command IP Port" enter: 48000
: When prompted for "CMA Data IP Port" enter: 48001
Most of these configuration options can be changed through the Command Center admin pages. To configure this CMA through Command Center, do the following:
: Management ==> Connection Manager ==> Add Connection Manager Node
: Set a unique name for this CM Node
: Set the IP Address to the IP Address or Host Name of this machine
: Set the IP Port to HTTPS Port 48443
: Set the Password in the Server credentials to the password you just entered
Connection Manager Server installation completed successfully!
Installation details are in the cmsinstall.log file.

For more information about configuring the connection, see TIBCO Managed File Transfer Command Center User's Guide.

Starting CMS Automated Installation

CMS can be installed when MFTCC is installed or it can be installed at a later time. If you install CMS at a later time, you have to start CMS automated installation.

Procedure

1. Copy the CMSInstall.jar file, which is located in the MFTCC_Install directory, to the directory on the machine that runs the application.

2. Extract the file using the jar -xvf CMSInstall.jar command.

The following files are shown. If you install CMS on one of the supported UNIX systems, the default permissions are also displayed:
cmsinstall.bat
CMSInstall.jar -r-- r-- r-- 444
cmsinstall.sh -r-x r-x r-x 555
cmsserver.jar -r-- r-- r-- 444
connmgr.jar -r-- r-- r-- 444
installer.jar -r-- r-- r-- 555
log4j.properties -r-- r-- r-- 444
log4j-1.2.17.jar -r-- r-- r-- 444
server.jar -r-- r-- r-- 444

3. Issue the following command to start the CMS automated installation:

● On Windows: cmsinstall

● On UNIX: ./cmsinstall.sh

The following information is displayed. In this example, the default values are accepted.

MFT Connection Manager Server

The MFT Connection Manager consists of two components:


: MFT Connection Manager Agent(CMA): Distributed with MFT Internet Server
: MFT Connection Manager Server(CMS): Distributed with MFT Command Center

This program will guide you through the CMS installation.
The CMS is deployed in the internal network and coordinates the creation of sessions to the CMA running in the DMZ.

Press <ENTER> to continue with the Connection Manager Server installation.

Starting the CMS Service Automatically

By default, CMS is not configured to automatically start on startup. You can configure CMS to start automatically at startup.

On Windows, navigate to the <CMS_Install>\server\bin directory and issue the following command: service install. Then choose the processor you are currently running when you are prompted to do so.

After the script completes running, you can now open your Services window and view the CMS service listed.

Removing the CMS Service

You can navigate to the <CMS_Install>\server\bin directory and issue the service remove command to remove the CMS service when necessary.


Upgrading MFTCC

You can upgrade MFTCC from a previous version.

Some steps in the upgrading process vary depending on the version of MFTCC you have installed presently.

Both TIBCO MFT Command Center and TIBCO® Managed File Transfer Internet Server can be installed on the same server sharing a database as long as different ports are used. By default, TIBCO MFT Command Center 8.0.1 uses port 8080 for HTTP and port 8443 for HTTPS. TIBCO Managed File Transfer (MFT) Internet Server 8.0.1 uses port 7080 for HTTP and port 7443 for HTTPS.

You must always back up the database before you upgrade MFTCC. Before upgrading the final instance of TIBCO MFT Internet Server or TIBCO MFT Command Center from version 7.2.x, 7.3.x or 8.0.0 to 8.0.1, you must take an additional backup of the database, which will be used if you need to revert to a prior version of MFT.

If you use a DB2 database and upgrade MFTCC from a previous version to version 8.0.1, the database user must have database administrator rights.

See the following instructions on how to upgrade MFTCC from a previous version:

● Upgrading from Version 7.2.0 - 7.2.4

For those upgrading from release level 7.2.0 and above, you must upgrade to version 7.2.5 before upgrading to version 8.0.1. Follow the instructions given in TIBCO Managed File Transfer Command Center Installation of version 7.2.5.

● Upgrading from Version 7.2.5

For more information, see Upgrading from Version 7.2.5.

Upgrading from Version 7.2.5

You can upgrade MFTCC from version 7.2.5 to version 8.0.1.

Prerequisites

You must upgrade TIBCO MFT Internet Server to version 7.2.5 or higher before upgrading TIBCO MFT Command Center to version 8.0.1.

Procedure

1. Create a new installation directory to hold the MFTCC 8.0.1 installation files needed on the server where MFTCC 7.2.5 is installed and running.

2. Stop the application or service.

3. Uninstall MFTCC.

If it is running on Windows, see Removing the MFTCC Service on Windows for information on how to uninstall MFTCC.

4. Verify all the prerequisites are met by reading through the MFTCC Readme file.

5. Follow the instructions in Installing MFTCC.

Result

When the installation is finished and you no longer want to keep the version 7.2.5 installation on your server, you can delete the old installation directory.


Upgrading Java JDK

When upgrading the Java JDK that is being used by MFTCC, you have to update a few items of Java JDK before MFTCC starts to use the new Java JDK.

Procedure

1. If MFTCC is running on a Windows system and is running as a service, stop the MFTCC service.

2. Navigate to the MFTCC_Install\server\bin directory and issue the service remove command.

3. Update the JAVA_HOME environment variable on the system to point to the new JDK directory. Then run the java -version command to verify the version.

4. Update the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files.

For more information, see Starting Automated Installation.

5. If MFTCC is installed on a Windows system, navigate to the MFTCC_Install\server\bin directory and issue the service install command to install MFTCC to run as a service.

6. Start MFTCC.


Configuring FIPS 140-2 Manually

You can enable the FIPS mode during MFTCC installation. In this case, the installer configures FIPS mode automatically and no further action is necessary. If you do not enable FIPS mode during MFTCC installation, you have to go through the required configurations to enable FIPS 140-2 manually.

To enable the FIPS mode, your environment must support FIPS mode and have an IBM Java that is configured to run in FIPS mode.

For information on how to enable FIPS mode manually, see Enabling FIPS Mode Manually.

For information on how to take the MFT server out of FIPS mode, see Taking the MFT server out of FIPS mode.

Enabling FIPS Mode Manually

If you do not enable FIPS mode during MFTCC installation, you have to go through the required configurations to enable FIPS 140-2 manually.

Prerequisites

To enable FIPS mode, your Java JDK environment must be configured to support FIPS mode.

To put MFT into FIPS mode, perform the following operations:

1. Setting the Browser to Use TLS

2. Setting IBM Java Security to Use FIPS Certified Cryptographic Security Provider

3. Setting the MFTCC Environment Variable

Setting the Browser to Use TLS

All browsers used to access MFTCC must be set to use transport layer security (TLS) to make a secure connection and log in after putting MFTCC into FIPS mode.

Procedure

1. Open your browser, click Tools > Internet Options.

2. Click the Advanced tab.

3. Scroll down to the Security section in the list, and select the Use TLS version_number check box.

4. Click Ok and refresh your page.

Result

You should now be able to log into MFTCC.

Setting IBM Java Security to Use FIPS Certified Cryptographic Security Provider

After setting your browser to use TLS, you have to set the IBM java.security file.

Procedure

1. Stop the application server.

For information on starting and stopping the application server, see the information provided at the end of Installing MFTCC.


2. Navigate to the JAVA_HOME\jre\lib\security directory and open the java.security file.

3. Remove the pound sign (#) from the following statement.
#security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS

If you do not see this statement in your file, you must add it to the top of the list.

4. Reset the security provider number values for the other security providers so that they are numbered in order from 1 through 11.

5. Save your changes and exit the file after you finish editing the file.

6. Navigate to the MFTCC_Install\server\webapps\CONTEXT_NAME\WEB-INF directory and open the web.xml file.

7. Search for the SSHSecurityProvider parameter and configure it as follows:
<context-param>
<param-name>SSHSecurityProvider</param-name>
<param-value>com.ibm.crypto.fips.provider.IBMJCEFIPS</param-value>
</context-param>

8. Save the file after you finish the configurations.

What to do next

Set the MFTCC environment variable and restart the MFT server. See Setting the MFTCC Environment Variable.

Setting the MFTCC Environment Variable

After setting the IBM Java security to use the FIPS certified cryptographic security provider, you have to set the MFTCC environment variable required by the MFT server.

The setenv.sh file, which is located in the MFTCC_Install\server\bin directory, sets environment variables needed by the MFT server. The file should be shown as follows:
#!/bin/sh
CATALINA_OPTS="-Xms512m -Xmx4096m"
FIPS_MODE="false"

Change the value of the FIPS_MODE parameter to true.

Save the file and start your application server. MFTCC now operates in the FIPS mode.

Taking the MFT Server Out of FIPS Mode

You can take the MFT server out of FIPS mode manually if you have enabled it.

If FIPS mode is enabled manually, you have to undo the changes you made when putting MFT into FIPS mode. If FIPS mode is configured automatically during MFTCC installation, see Configuring FIPS 140-2 Manually for more details on which files to edit.

Procedure

1. Remove the FIPS certified cryptographic provider from the list of providers in the java.security file.

When removing the cryptographic provider from the java.security file, you can either comment out the line with the pound sign (#) or delete the line. You must fix the order of the providers after that.

2. Set the MFT environment variable FIPS_MODE to false in the setenv.sh file.

3. Remove the provider name from the SSHSecurityProvider parameter in the web.xml file.
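The enable and disable procedures above each touch three files, and a half-applied change leaves the server in a mixed state. The following check is an added example, not TIBCO code: it reads the text of java.security, web.xml and setenv.sh and reports provider numbering errors and disagreement between the three settings. The sample file contents, the non-FIPS provider lines and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Provider class name taken from the procedure above.
FIPS_PROVIDER = "com.ibm.crypto.fips.provider.IBMJCEFIPS"
PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")

# Constructed samples: the FIPS line was uncommented, but the other providers
# were not renumbered (step 4) and setenv.sh was never updated.
SAMPLE_JAVA_SECURITY = """\
security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
#security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
"""
SAMPLE_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <context-param>
    <param-name>SSHSecurityProvider</param-name>
    <param-value>com.ibm.crypto.fips.provider.IBMJCEFIPS</param-value>
  </context-param>
</web-app>
"""
SAMPLE_SETENV_SH = '#!/bin/sh\nCATALINA_OPTS="-Xms512m -Xmx4096m"\nFIPS_MODE="false"\n'


def active_providers(java_security):
    """Return [(number, class)] for every uncommented security.provider.N line."""
    found = []
    for line in java_security.splitlines():
        match = PROVIDER_RE.match(line)  # lines starting with '#' do not match
        if match:
            found.append((int(match.group(1)), match.group(2)))
    return found


def provider_problems(java_security):
    """Check that active providers are numbered 1..n with no gaps or duplicates."""
    numbers = sorted(n for n, _ in active_providers(java_security))
    if numbers != list(range(1, len(numbers) + 1)):
        return ["provider numbers are not consecutive from 1: %s" % numbers]
    return []


def local(tag):
    """Strip an XML namespace prefix such as '{http://...}context-param'."""
    return tag.rsplit("}", 1)[-1]


def context_param(web_xml, name):
    """Return the value of a <context-param> by name, or None if it is absent."""
    for element in ET.fromstring(web_xml).iter():
        if local(element.tag) != "context-param":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in element}
        if fields.get("param-name") == name:
            return fields.get("param-value", "")
    return None


def fips_mode(setenv_sh):
    """True if the last FIPS_MODE assignment in setenv.sh is 'true'."""
    values = re.findall(r'^\s*FIPS_MODE=["\']?(\w+)', setenv_sh, re.M)
    return bool(values) and values[-1].lower() == "true"


def fips_report(java_security, web_xml, setenv_sh):
    """Return (settings, problems) for the three files the procedures edit."""
    settings = {
        "java.security provider 1": (1, FIPS_PROVIDER) in active_providers(java_security),
        "web.xml SSHSecurityProvider": context_param(web_xml, "SSHSecurityProvider") == FIPS_PROVIDER,
        "setenv.sh FIPS_MODE": fips_mode(setenv_sh),
    }
    problems = provider_problems(java_security)
    if len(set(settings.values())) > 1:
        detail = ", ".join("%s=%s" % (k, "on" if v else "off") for k, v in settings.items())
        problems.append("FIPS settings disagree: " + detail)
    return settings, problems


if __name__ == "__main__":
    state, issues = fips_report(SAMPLE_JAVA_SECURITY, SAMPLE_WEB_XML, SAMPLE_SETENV_SH)
    for issue in issues:
        print("PROBLEM:", issue)
```

An empty problem list with all three settings on, or all three off, corresponds to a completed enable or disable procedure.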


Changing the Default Logos

You can customize some logos within MFTCC.

You can customize the following logos:

● The following logo is used by MFTCC Administrator and is displayed in the upper-left corner of your browser. It is named mft-cc-logo.png, has a size of 204x88, and is located in the MFTCC_Install\server\webapps\cfcc\view\images directory.

● The following logo is used by MFTCC Administrator login. It is named product_logo_cc.png, has a size of 716x146, and is located in the MFTCC_Install\server\webapps\cfcc\login\images directory.

● The following logo is used by MFTCC Administrator login. It is named corporate_logo.png, has a size of 95x30, and is located in the MFTCC_Install\server\webapps\cfcc\login\images directory.

● The following logo is used by MFTCC Administrator login help pages. It is named mft_logo.png, has a size of 268x64, and is located in the MFTCC_Install\server\webapps\cfcc\login\images directory.

Procedure

1. Navigate to the directory where the logo is located.

2. Rename the logo by adding .old after the file extension. For example: logo.png.old.

3. Copy your new logo into the directory and ensure that the file name, type, and size match the original file in the directory.

4. Refresh your browser.


Uninstalling MFTCC

You can uninstall MFTCC if you want.

If you have CMS installed, you have to uninstall CMS first. See Uninstalling Connection Manager Server for information on how to remove the CMS service.

If MFTCC is installed as a Windows service, see Removing the MFTCC Service on Windows for details on removing the MFTCC service.

To remove MFTCC from Windows or UNIX, delete the MFT_Install directory.


Uninstalling Connection Manager Server

You can remove CMS if you want.

If CMS has been installed as a Windows service, see Removing the CMS Service for more details on removing CMS.

To remove CMS from Windows or UNIX, delete the CMS_Install directory.


Appendix A. Installation Worksheet

This worksheet gives you a place to collect information that will be used throughout the installation and configuration of MFTCC.

You can use this worksheet to gather information before the installation of MFTCC. You might also use the defaults provided by the installation program.

Web Server Information

1. Have you downloaded and installed the Sun/IBM Java JDK: ______________________

2. Is the JAVA_HOME variable set: ______________________

3. Have you downloaded and installed the Java AES encryption policy files: ______________________

Database Information

1. What is the DNS or IP address and port number for the Internet Server database: ______________________

2. What database administrator ID and password should be used: ______________________

Java Keystore Information

This information is optional because MFTCC will create a keystore if none is provided.

1. What is the path and file name of your java keystore: ______________________

2. What is your keystore password: ______________________

3. What is the alias for the private key: ______________________

MFTCC Application Information

1. What is the DNS or IP address of the server where the MFTCC application is being installed: ______________

2. What context root do you want to use (default option is cfcc): ______________________________

3. In what directory should log files be kept (default option is the install directory): ______________________________

LDAP Information

This information is optional because you might not be using LDAP for authentication.

1. LDAP server type: ___________________________

2. DNS or IP address of the LDAP server: ______________________________

3. What is the LDAP port number: _________________________

4. What is the LDAP administrator DN: ________________________________________________________

5. What is the password for the user DN: ___________________________


Appendix B. Certificate Update Guideline

MFTCC uses two types of certificates. You can use and update the certificates within MFTCC.

MFTCC uses the following two types of certificates:

● HTTPS certificate: used for communicating with MFTCC using HTTPS (HTTP over SSL).

● Applet certificate: used to sign the Java applets used by TIBCO MFT Internet Server to transfer files.

It is good practice to create a new keystore for each type of certificate. Most certificate authorities (CA) require separate certificates for HTTPS and applet signing. You must purchase the correct certificates.

Updating HTTPS Certificate

To obtain a new HTTPS certificate from a CA, a certificate request must be issued. You must record all steps executed and their output in the cert.https.log file for tracking.

Pay attention to the following points:

● The commands listed here are only examples and do not include all the options that the keytool program offers. Careful consideration must be taken when generating your key pair for your environment. Consult with your web administrator.

● Each certificate requires a separate keystore.

● The CA might have specific options required for creating an HTTPS certificate. Review the instructions provided by the CA before generating the certificate request.

Procedure

1. Issue the following sample command to generate a Java keystore and key pair where the certificate will be considered valid for 365 days:

keytool -genkey -v -alias cfcc -keyalg RSA -keysize 2048 -keypass changeit -keystore MFTIS_Install\keystore\newkeystore.jks -storepass changeit -validity 365

In the sample command, the keypass and storepass values are the same. These two values must match each other. It is good practice to use the same keystore and storepass values that are used to create the original keystore. This way you will not have to update the keystore password in the product configuration files.

The keytool utility will display messages requesting more information about the certificate request. When the keytool utility prompts What is your first and last name, you must enter the DNS name that is used to access MFTCC. For example, you can enter mft.yourcompany.com as the DNS name. This DNS name is used as the Common Name (CN) in the certificate. HTTPS requires the CN to match the DNS name used to access the HTTPS server.

2. Generate a certificate request.

You can use the following sample command:

keytool -v -certreq -alias cfcc -file MFTIS_Install\keystore\cfcc.csr -keypass changeit -keystore MFTIS_Install\keystore\newkeystore.jks -storepass changeit

3. Submit the certificate request file created in the previous sample command to the CA.

4. Install the CA certificate into the MFTCC keystore by performing the following steps:

a) Save the certificate returned by the CA to a file Cert_File.

b) Run the following keytool command to import the certificate:

keytool -v -import -alias cfcc -trustcacerts -file Cert_File -keystore Keystore_File_Name


Some CAs now issue an intermediate certificate along with the main certificate. If this is true for your CA, import the certificates using unique aliases to the keystore created in Step 1. This step is required to prevent the client from receiving a certificate warning.

5. Navigate to the MFTCC_Install\server\conf directory and change the keystore path in the server.xml file to update the MFT server to use the new keystore.

a) Look for the connector associated with the HTTPS port.

b) Update the keystoreFile parameter to point to the new keystore.

c) If the password is changed, update the keystorePass parameter with the new keystore password.

Alternatively, you can rename your old keystore file (for example, to org.keystore.jks) and then rename the new keystore to the old file name in the same location. This way, no changes are needed to the server.xml file in the MFTCC_Install\server\conf directory, and you can go to Step 6.

6. Stop and start MFTCC.

7. Verify that the MFT server is listening on the defined port.

8. Perform a file transfer to verify that MFTCC is functioning correctly.


Appendix C. Starting the MFTCC Service Automatically

By default, the application server is not configured to automatically start on startup. You can set up an automatic start for the MFTCC embedded application server on UNIX and Windows systems.

Starting the MFTCC Service on Windows Automatically

You can set up an automatic start for the MFTCC embedded application server on Windows systems.

Procedure

1. Check whether the JAVA_HOME system environment variable is configured on your server.

You can use the following steps to set the variable:

a) Open your System Properties window and click the Advanced tab.

b) Click Environment Variables.

c) In the Environment Variables window, search for the JAVA_HOME variable in the System variables panel.

d) Set the JAVA_HOME variable to point to your Java JDK directory. For example, C:\Program Files\Java\jdk1.8.0_66.

If you cannot find the JAVA_HOME variable in the list, you must add the JAVA_HOME variable pointing to your Java JDK directory.

If you created a new variable, you must restart the system before the new variable is recognized.

2. Navigate to the MFTCC_Install\server\bin directory and stop your present MFTCC application using the shutdown command.

3. Run the following install command from the same directory: service install.

4. Choose the processor you are currently running with when you are prompted to do so.

After the script completes running, you can open your Services window and see the MFTCC service listed as follows:


The MFTCC service is installed by default using the Manual startup option.

5. Restart Windows.

6. Open the Services window, right-click MFTCC and click Properties.

7. Set Startup Type to Automatic and click OK.

MFTCC will start automatically at the next startup of Windows.

Starting the MFTCC Service on UNIX Automatically

You can use a number of methods to start MFTCC on different UNIX/Linux operating systems automatically.

This example is for the Red Hat Linux Enterprise operating system; however, it has been tested successfully on many other UNIX and Linux distributions. The instructions for setting automatic start on Red Hat Linux are as follows:

Procedure

1. Add the JAVA_HOME variable to the setenv.sh file which is located in the MFTCC_Install/server/bin directory.

2. Add the startup.sh script to the /etc/rc.local file.

For example: /opt/MFTCC/server/bin/startup.sh

Removing the MFTCC Service on Windows

You can remove the automatic start feature of MFTCC on Windows by stopping the MFT server service.

Navigate to the MFTCC_Install\server\bin directory and run the service remove command. The following message is displayed: The service 'MFT_Command_Center' has been removed.


Appendix D. Setting HTTP SSL Ciphers

For an increased level of HTTP SSL security in MFTCC, it is good practice to run the server in FIPS mode. If you do not run your MFTCC in FIPS mode, you have to set higher HTTP SSL cipher strength for client connections.

By default, ciphers are set to the TLS protocol using 128 bit encryption or higher. You can edit the server.xml file which is located in the MFTCC_Install\server\conf directory to set certain SSL ciphers.

A default HTTP connector is defined in this file, as shown in the following example:

<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="128"
    ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"
    clientAuth="false" compression="off" connectionLinger="-1" connectionTimeout="60000"
    disableUploadTimeout="true" enableLookups="true"
    keystoreFile="C:\MFTIS\keystore\keystore.jks" keystorePass="changeit" keystoreType="JKS"
    maxKeepAliveRequests="100" maxThreads="150" port="443"
    protocol="org.apache.coyote.http11.Http11Protocol"
    proxyPort="0" redirectPort="-1" scheme="https" secure="true" server="MFTServer"
    socket.txBufSize="131072" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" sslProtocol="TLS"
    tcpNoDelay="true" trustManagerClassName="com.proginet.sift.tomcat.ssldap.TrustAllMgr"/>

The following example forces client connections to maintain cipher strengths of 128 bit or higher. The ciphers in this example are from Oracle Java 8 update 40.

ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"

The following example will force client connections to maintain cipher strengths of 256 bit or higher. The ciphers in this example are from Oracle Java 8 update 40.

ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256"


Only certain browsers will support 256 bit cipher strength.

In these examples, the ciphers are limited in the default connector to show how to change the ciphers. Limiting the cipher list to a single suite is not realistic; it is done here only for demonstration purposes:

<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="128"
    ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256"
    clientAuth="false" compression="off" connectionLinger="-1" connectionTimeout="60000"
    disableUploadTimeout="true" enableLookups="true"
    keystoreFile="C:\MFTIS\keystore\keystore.jks" keystorePass="changeit" keystoreType="JKS"
    maxKeepAliveRequests="100" maxThreads="150" port="443"
    protocol="org.apache.coyote.http11.Http11Protocol"
    proxyPort="0" redirectPort="-1" scheme="https" secure="true" server="MFTServer"
    socket.txBufSize="131072" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" sslProtocol="TLS"
    tcpNoDelay="true" trustManagerClassName="com.proginet.sift.tomcat.ssldap.TrustAllMgr"/>

After you have saved your changes, you must restart the application server.
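Rather than hand-editing a 42-entry cipher list, the strength threshold described above can be applied mechanically. The following audit is an added example, not part of the TIBCO documentation: it reads each SSL-enabled Connector in a server.xml, sorts the suites by the AES key size in their names against a minimum, and builds the tightened ciphers value. The sample server.xml is constructed and shortened (the 3DES entry is included to show a suite with no AES key size), and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# AES key size as encoded in standard suite names, e.g. ..._WITH_AES_256_GCM_SHA384
AES_BITS_RE = re.compile(r"_WITH_AES_(\d+)_")

# Constructed sample: a shortened connector using attribute names from the page.
# Note the leading space and line breaks inside the ciphers value.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector SSLEnabled="true" port="443" scheme="https" secure="true"
               ciphers=" TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
                        SSL_RSA_WITH_3DES_EDE_CBC_SHA"
               sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" sslProtocol="TLS"/>
  </Service>
</Server>
"""


def aes_bits(suite):
    """Return the AES key size named in a cipher suite, or None if it names none."""
    match = AES_BITS_RE.search(suite)
    return int(match.group(1)) if match else None


def connector_ciphers(connector):
    """Split the ciphers attribute on commas, dropping whitespace and empty items."""
    raw = connector.get("ciphers", "")
    return [item.strip() for item in raw.split(",") if item.strip()]


def audit_ciphers(server_xml, min_bits):
    """Classify the suites of every SSL-enabled connector, keyed by port."""
    report = {}
    for connector in ET.fromstring(server_xml).iter("Connector"):
        if connector.get("SSLEnabled", "").lower() != "true":
            continue  # plain HTTP connectors carry no cipher list
        result = {"ok": [], "below": [], "unknown": [],
                  "explicit": "ciphers" in connector.attrib}
        for suite in connector_ciphers(connector):
            bits = aes_bits(suite)
            if bits is None:
                result["unknown"].append(suite)   # strength not derivable from the name
            elif bits < min_bits:
                result["below"].append(suite)
            else:
                result["ok"].append(suite)
        report[connector.get("port")] = result
    return report


def tightened_ciphers(server_xml, port, min_bits):
    """Build a ciphers value keeping only suites that meet min_bits, in original order."""
    return ",".join(audit_ciphers(server_xml, min_bits)[port]["ok"])


if __name__ == "__main__":
    for port, result in audit_ciphers(SAMPLE_SERVER_XML, 256).items():
        print("port", port)
        print("  below 256 bit:", result["below"])
        print("  unclassified: ", result["unknown"])
        print('  ciphers="%s"' % tightened_ciphers(SAMPLE_SERVER_XML, port, 256))
```

Suites reported as unknown need a manual decision, because their strength cannot be read from an AES key size in the name.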


Appendix E. Configuring Web SSO

MFTCC works in a web SSO environment which typically includes a software component that performs all authentications. SSO software forwards all requests to the MFT software and passes data in the HTTP request or the HTTP session to define the user that is authenticated. MFT will extract and validate this information. You can use the httpssocustomization.xml file to customize the MFTCC authentication method for web SSO.

The httpssocustomization.xml file is located in the MFTCC_Install\server\webapps\context\WEB-INF directory. It contains detailed information about how to configure the MFT server for web SSO and defines the parameters that should be sent by the SSO server and the validation performed by MFT.

Open the XML file and read the instructions to configure the MFTCC web application for your SSO environment.


Appendix F. Configuring MFT for SAML SSO

TIBCO MFT Internet Server and TIBCO MFT Command Center support Single Sign On (SSO) when using SAML (Security Assertion Markup Language). When using SAML for SSO, TIBCO MFT Internet Server and TIBCO MFT Command Center perform the role of service provider (SP).

Prerequisites

You must install and configure a SAML identity provider (IdP) before configuring SAML for the MFT server.

Each SAML implementation is different and often requires significant work to integrate MFT into the SAML infrastructure. Typical SAML implementations will require TIBCO Professional Services to work in conjunction with your SAML support staff to ensure a smooth SAML implementation.

To configure TIBCO MFT Internet Server and TIBCO MFT Command Center SAML integration, you must perform the following operations:

1. Creating SAML Private Keys

2. Importing SAML Identity Provider Metadata

3. Configuring SAML Service Provider Metadata

4. Generating SAML Service Provider Metadata

5. Sending SAML Service Provider Metadata to the Identity Provider

6. Restarting the MFT Server

7. Updating MFT Shortcuts

SAML is configured on a server by server basis. Each MFT server that needs to use SAML must be configured independently of the other MFT servers.

For detailed descriptions of individual SAML fields, see the help information for the SAML administrator pages.

After the SAML configuration is updated, you must restart the MFT Server. The SAML information is loaded at startup time and cannot be refreshed.

Creating SAML Private Keys

You can create SAML private keys through the Administration > Protocol Keys > System Keys > Create Key option.

The following figure shows the Create System Key page:


On this page, set the System Key Type field to SAML System Key, enter the required information, and then click Create Key.

After the SAML system key is created, you can reference this key on the Configure SAML Service Provider MetaData page.

As an alternative, you can import a SAML key from a Java keystore through the Administration > Protocol Keys > System Keys > Import Key option.

Importing SAML Identity Provider Metadata

You can import SAML identity provider metadata through the Administration > SAML > Import SAML IDP MetaData option.

The identity provider will provide the metadata that must be imported into MFT. The identity provider metadata is typically distributed in a file and consists of XML that describes the identity provider. It typically contains the following information:

● X.509 certificates used to sign and encrypt SAML data

● Single Sign On and Single Log Out end points

The following figure shows the Import SAML Identity Provider MetaData page:


Paste the data in the identity provider metadata into this page, and then click Import. MFT will validate that the data is in a proper XML format and contains valid identity provider data.

Configuring SAML Service Provider Metadata

You can configure SAML service provider metadata through the Administration > SAML > Configure SAML SP MetaData option.

The following figure shows the Configure SAML Service Provider MetaData page:


This page configures the following MFT SAML attributes:

| Parameter | Description |
|---|---|
| Enabled | Defines whether SAML should be enabled (Yes) or disabled (No). |
| Service Provider Id | Defines the SAML service provider name. It must be unique across all SP servers in the SAML environment. |
| SAML User Id Attribute | Defines the SAML attribute that MFT will use as the user ID. |
| SAML Host URL | Defines the URL of the MFT server. |
| SAML Encrypt Key | Defines the SAML system key that will be used to encrypt SAML messages. |
| SAML Sign Key | Defines the SAML system key that will be used to sign SAML messages. |
| LDAP Authenticators | Defines the LDAP authenticators that will be scanned for a match on the SAML user ID. You can select multiple authenticators that will be scanned for matches on the user ID. |

When a successful SAML authentication occurs, MFT will extract the user ID from the SAML attribute defined by the SAML User Id Attribute field. If this user is defined by an MFT LDAP authenticator, MFT needs to determine which authenticator defines the user ID.

For example, assume that two LDAP authenticators (Customer and Internal) have been defined and the user acctuser has been authenticated by SAML. MFT will perform the following checks. The first match defines the user ID used for the session.


● Search the database for a match on the user acctuser.

● Search the database for a match on Customer-acctuser.

● Search the database for a match on Internal-acctuser.

You must make sure that a user ID defined by SAML is unique within all authenticators defined.

After entering the necessary information, click Update to update the database.

Generating SAML Service Provider Metadata

You can generate SAML service provider metadata through the Administration > SAML > Generate SAML SP MetaData option.

Before generating SAML service provider metadata, you must configure SAML service provider metadata on the Configure SAML SP MetaData page.

The following figure shows the Generate SAML Service Provider MetaData page:

Click Generate to generate the service provider metadata. A text box that contains the service provider metadata is displayed. This information must then be sent to the SAML identity provider.

The following figure shows sample SAML metadata:


Sending SAML Service Provider Metadata to the Identity Provider

After generating the SAML service provider metadata, you can send the metadata to the identity provider.

Copy and paste the data generated in Generating SAML Service Provider Metadata into a file, save the file, and send the file to the identity provider.

Optionally, depending on the requirements of the identity provider, you might need to send the service provider metadata as text in an email.

Restarting the MFT Server

When configuring TIBCO MFT Internet Server and TIBCO MFT Command Center SAML integration, in some conditions, you must restart the MFT server.

In the following conditions, you must restart the MFT server:

● When you import new identity provider metadata.

● When the security provider configuration is changed.

Updating MFT Shortcuts

You can update the MFT shortcuts to redirect users to the SAML login pages.

The following shortcuts are located in the <MFT Install>\servers\webapps\ROOT directory:

● samladmin: redirects you to the administrator page after SAML authentication is completed.

● samlbrowser: redirects you to the FT Browser page after SAML authentication is completed.

● samljava: redirects you to the FT Java page after SAML authentication is completed.

You can use these shortcuts or rename them to names you choose. When the user goes to one of these pages, they will be redirected to SAML for authentication. When authentication is completed, the user will be redirected to the page defined by the shortcuts. If you change the context from the default of cfcc, you must change the context in these files.

The following shortcuts are located in the <MFT Install>\servers\webapps\context\login directory:

● ssoadmin: redirects you to the administrator page after SAML authentication is completed.

● ssobrowser: redirects you to the FT Browser page after SAML authentication is completed.

● ssojava: redirects you to the FT Java page after SAML authentication is completed.

These file names are hardcoded in the MFT code. When the user is authenticated by SAML, the user generally specifies the client that they want to use. When authentication is completed, the user will be redirected to the desired client based on the URLs in these files. If you change the context from the default of cfcc, you must change the context in these files.


Appendix G. Customizing Translation Tables

MFTCC is shipped with four ASCII to EBCDIC conversion tables to convert ASCII characters to EBCDIC characters and vice versa.

By default, the Comtblg.dat file, which is located in the MFTCC_Install\server\webapps\context\translate directory, is used by the system. The following table lists the conversion tables:

| Conversion | Description |
|---|---|
| Comtblg.classic | The comtblg.dat file shipped with prior versions (before version 7.2). |
| Comtblg.cp037 | Extended ASCII table that is based on IBM Code page 037. |
| Comtblg.cp1047 | Extended ASCII table that is based on IBM Code page 1047. |
| Comtblg.dat | ASCII/EBCDIC table used by MFTPS at run time. By default, it is a copy of the Comtblg.cp037 file. |

The Comtblg.dat file is used by the system. If one of the other conversion tables needs to be used or a customized table is created, rename the existing Comtblg.dat file and copy the new table to the Comtblg.dat file. The default file used for conversion must be named Comtblg.dat.

Occasionally, the default translation table is not exactly what is needed. In these situations, an administrator can define a new translation table to be used by the MFTCC installation.

The following example demonstrates how to alter the text JSY contained in a file to read CAT on the remote z/OS system:

Procedure

1. Create a customized translation table.

a) Navigate to the MFTCC_Install/server/webapps/context/translate directory and copy the Comtblg.cp037 file to an empty directory on the MFTCC web server, and then rename it as Comtblg.dat.

The Comtblg.dat file contains the following table, which converts data from ASCII to EBCDIC characters and from EBCDIC to ASCII characters.


The following figure shows the table being placed in an Excel spreadsheet for demonstration purposes only:


b) To convert from an ASCII system (Windows) to an EBCDIC system (z/OS), you have to look up the EBCDIC character for each ASCII character and replace it with the EBCDIC character that you want.

For example, the ASCII value for J is 4A; if you want to translate J to 4A, you have to go to the chart above and locate the 4 column and slide your finger to the right until you are in the A column; the EBCDIC value for J is D1. If you want to translate J to C, you have to replace D1 with C3, which is the EBCDIC value for C. Do the same to translate S to A and Y to T.

2. Replace the existing Comtblg.dat file.

a) Navigate to the MFTCC_Install/server/webapps/context/translate directory, and rename the existing Comtblg.dat file as org.Comtblg.dat.

b) Copy the new Comtblg.dat file that was customized in step 1 to this folder.

This file is now your default conversion table used by the system.
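The lookup and replacement from step 1, as an added Python example that is not part of the TIBCO documentation. It models the ASCII-to-EBCDIC half of the table as 256 bytes built from Python's cp037 codec; it does not read or write the real Comtblg.dat, whose on-disk layout is not shown on this page, and all function names are hypothetical.

```python
# Added example. The table is an in-memory model (assumption); the on-disk
# layout of Comtblg.dat is not parsed here. Function names are hypothetical.

def baseline_ascii_to_ebcdic():
    """256-entry ASCII-to-EBCDIC table taken from Python's cp037 codec."""
    # latin-1 turns byte value n into code point n; cp037 gives its EBCDIC byte.
    return bytearray(bytes(range(256)).decode("latin-1").encode("cp037"))

def customize(table, overrides):
    """Copy the table so each source character emits the target's EBCDIC byte."""
    custom = bytearray(table)
    for src, dst in overrides.items():
        custom[ord(src)] = table[ord(dst)]
    return custom

def translate(data, table):
    """Apply the table to ASCII bytes, as a transfer to z/OS would."""
    return bytes(table[b] for b in data)

def diff_tables(baseline, candidate):
    """Every changed cell as (ascii_byte, baseline_ebcdic, candidate_ebcdic)."""
    return [(i, baseline[i], candidate[i])
            for i in range(256) if baseline[i] != candidate[i]]

def collisions(table):
    """EBCDIC bytes produced by more than one ASCII byte (ambiguous on receipt)."""
    sources = {}
    for ascii_byte, ebcdic in enumerate(table):
        sources.setdefault(ebcdic, []).append(ascii_byte)
    return {e: s for e, s in sources.items() if len(s) > 1}

if __name__ == "__main__":
    base = baseline_ascii_to_ebcdic()
    custom = customize(base, {"J": "C", "S": "A", "Y": "T"})
    print(translate(b"JSY", custom).hex())  # EBCDIC bytes sent for "JSY"
    for ascii_byte, old, new in diff_tables(base, custom):
        print(f"ASCII {ascii_byte:02X}: {old:02X} -> {new:02X}")
    for ebcdic, srcs in collisions(custom).items():
        print(f"EBCDIC {ebcdic:02X} now comes from ASCII", [f"{s:02X}" for s in srcs])
```

With the JSY-to-CAT change applied, C3, C1 and E3 are each produced by two ASCII characters, so the receiving side can no longer tell J from C in converted data. Comparing a deployed table against the shipped baseline in this way shows exactly which cells were altered.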


Appendix H. MFTCC Security Best Practices

You can secure MFTCC through installation configurations, web.xml parameter configurations, and MFT server configurations.

Installation

Follow these recommendations to secure MFTCC at installation.

Installation User on UNIX

Install as a non-root or an unprivileged user. If you want to use ports below 1025, use the UNIX iptables command to redirect these ports to ports 8443 and 8080. See Network for more details on redirecting ports.

Provide only the necessary rights to update the MFT_Install directory and any directories where *LOCAL data will be saved.

Installation User on Windows

Install as a normal user (for example, a non-administrator). Normal users can use ports below 1024.

Provide only the necessary rights to update the MFT_Install directory and any directories where *LOCAL data will be saved.

Securing the JDBC connection

If possible, configure the JDBC driver to use SSL/TLS. Contact your database administrator for instructions on how to do this.

Using Secure Ciphers

During the installation process, you will be prompted to use only secure ciphers. Use the default value of secure ciphers. This will ensure that only secure ciphers will be accepted during SSL negotiation. This applies to HTTPS connections as well as FTPS and Platform Server SSL connections.

Admin Service

Do not install the MFT Admin service on computers located in the DMZ. Only install the MFT Admin service on computers in the internal network.

HTTPS Certificate

Purchase an HTTPS SSL certificate from a well-known certificate authority. The default certificate is a self-signed certificate, which causes browsers to warn users that the certificate is not trusted. When creating a keystore, use a strong password instead of the default password.

The MFT Java applet is now signed with a TIBCO certificate, so you do not need to sign the MFT Java applet yourself.


web.xml Parameters

You can secure MFTCC via the following web.xml parameters.

Parameter Description

TLSCipherSuite

This parameter defines the ciphers used by MFT in any SSL/TLS connections.

If you select the Use Secure Ciphers Only parameter during the installation process, this parameter will be filled in with secure ciphers. When the FTP service is started, all secure ciphers supported will be displayed. You can select any ciphers from the displayed list to add to this parameter. Multiple ciphers must be delimited with a comma.

This parameter only applies to FTPS (FTP over SSL) and Platform Server SSL connections. HTTPS connections use the parameters in the server.xml ciphers parameter.

TLSProtocols

This parameter defines TLS protocols that will be supported by FTPS and Platform Server SSL.

The valid values are: TLSv1, TLSv1.1, and TLSv1.2.

By default, any TLS protocol is supported.

Before changing this parameter, ensure that all FTPS and Platform Server clients and servers support the defined TLS protocol.

This parameter only applies to FTPS (FTP over SSL) and Platform Server SSL connections. HTTPS connections use the parameters in the server.xml SSLEnabledProtocols parameter.

SSHCipherSuite

This parameter defines the ciphers supported by MFT SFTP client and servers.

When the MFT SFTP service is started, all SSH ciphers supported are displayed. You can select the ciphers that you want to support. Multiple ciphers must be delimited with a comma.

SSHKeyExchange

This parameter defines SSH key exchange algorithms supported by MFT SFTP client and servers.

When the MFT SFTP service is started, all SSH key exchange algorithms supported are displayed. You can select the key exchange algorithms that you want to support. Multiple key exchange algorithms must be delimited with a comma.

By default, the diffie-hellman-group1-sha1 protocol is removed by MFT, because it is vulnerable to the Logjam attack. Some old SFTP clients and servers require this key exchange algorithm; therefore, you occasionally need to update this parameter to include it. You must include all key exchange algorithms that are supported.


SSHDigestSuite

This parameter defines the digest (hash) suites supported by MFT SFTP client and servers.

When the MFT SFTP service is started, all SSH digests supported are displayed. You can select the digests that you want to support. Multiple digests must be delimited with a comma.

PasswordHashNew

This parameter defines the password digest used by MFT.

You have to use the defined value of SHA=256.

UnsecuredHTTPSupport

This parameter defines whether HTTP support is allowed.

The default value is No, which indicates that HTTP support is not allowed and only HTTPS will be accepted. If you require HTTP support, set this value to Yes.

When using HTTP, no encryption of credentials or data will be performed.

AllowedReferersForXferNavigation

This parameter adds HTTP referrer checking to the JSP pages that are used to navigate the directory tree structure. In addition to the URL, you have to add the loopback address.

This parameter is defined in the web.xml file. It only needs to be set in Internet Server instances. It is ignored in MFTCC.

AllowedReferersAdminJSP

This parameter adds HTTP referrer checking to the Administrator JSP pages. In addition to the URL, you have to add the loopback address.

This parameter needs to be set both in MFTCC instances and Internet Server instances, where the Admin service is installed.

DisplayFTPBanner

This parameter defines whether MFT will display FTP and SFTP banners.

If this parameter is set to Yes, you can define the banners or welcome message displayed in the Admin Configure SSH Server and Configure FTP Server pages.

Anonymous

This parameter defines whether the anonymous user can be used without authenticating the password.

If you enter the value anonymous in this parameter, you must also create a user called anonymous. Because the password is not validated, you must not give the anonymous user access to any secure files or folders.

Redirect HTTP to HTTPS

This parameter allows you to redirect HTTP requests to the HTTPS port.

Uncomment the following parameter from the web.xml file, which will automatically redirect HTTP requests to the HTTPS port.

<!-user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint->


SecurityFilter

This parameter defines whether a browser can be allowed to render a page in a frame, an iFrame, or an object. This parameter protects against framing and clickjacking attacks.

When this parameter is set to SAMEORIGIN, the browser can use the page in a frame only if the server including it in a frame is the same as the one serving the page. When this parameter is set to DENY, all attempts to load the page in a frame will fail.

The default value is SAMEORIGIN.
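A defender's check of the settings in the table above, as an added Python example that is not TIBCO code: it reads a web.xml and flags only the values this guide itself warns about. The `<context-param>` layout, the sample file contents and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Assumption: the parameters are standard servlet
# <context-param> entries; check the layout of your own web.xml.
SAMPLE_WEB_XML = """<web-app>
  <context-param><param-name>SSHKeyExchange</param-name>
    <param-value>diffie-hellman-group14-sha1, diffie-hellman-group1-sha1</param-value></context-param>
  <context-param><param-name>UnsecuredHTTPSupport</param-name>
    <param-value>Yes</param-value></context-param>
  <context-param><param-name>Anonymous</param-name>
    <param-value>anonymous</param-value></context-param>
  <context-param><param-name>PasswordHashNew</param-name>
    <param-value>SHA=256</param-value></context-param>
</web-app>"""

def _local(tag):
    """Drop an XML namespace prefix such as {http://...}context-param."""
    return tag.rsplit("}", 1)[-1]

def read_params(xml_text):
    """Return {param-name: param-value} for every context-param element."""
    params = {}
    for element in ET.fromstring(xml_text).iter():
        if _local(element.tag) != "context-param":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in element}
        if "param-name" in fields:
            params[fields["param-name"]] = fields.get("param-value", "")
    return params

def audit(params):
    """Return (parameter, reason) pairs for settings the guide warns about."""
    findings = []
    kex = [k.strip() for k in params.get("SSHKeyExchange", "").split(",")]
    if "diffie-hellman-group1-sha1" in kex:
        findings.append(("SSHKeyExchange", "diffie-hellman-group1-sha1 is enabled (Logjam)"))
    if params.get("UnsecuredHTTPSupport", "No").lower() == "yes":
        findings.append(("UnsecuredHTTPSupport", "HTTP carries credentials and data unencrypted"))
    if params.get("Anonymous", ""):
        findings.append(("Anonymous", "this user logs on without password validation"))
    if params.get("PasswordHashNew", "SHA=256") != "SHA=256":
        findings.append(("PasswordHashNew", "value is not SHA=256"))
    if params.get("SecurityFilter", "SAMEORIGIN").upper() not in ("SAMEORIGIN", "DENY"):
        findings.append(("SecurityFilter", "value is neither SAMEORIGIN nor DENY"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(read_params(SAMPLE_WEB_XML)):
        print(f"{name}: {reason}")
```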

Server Configurations

Follow these recommendations to secure MFTCC through configurations.

Configuration in Admin Client

● Remove unnecessary default users or unnecessary rights from these users.

● Assign only necessary rights to users.

● Use LDAP for authentication.

● Enable global password rules.

● Enable global lockout.

● Allow users to reset their passwords.

● Use the MFT delegated administration feature if possible.

● Limit AdministratorRight to a select few people.

● Assign the minimum right that a user needs to access the system.

● Be cautious when executing commands or Java classes on an alert or scheduled job. Commands and Java programs execute under the rights of the MFT server process.

● Configure the times of day and days of the week when transfers can be executed.

Server Options: Server File Name Prefix

When defining a server, you can expand the Server Options section on the Add Server page and use the Server File Name Prefix parameter.

This parameter defines the directory that is prefixed to the server file name defined on the transfer definition. It allows you to restrict user access to a particular directory and ensures that when a transfer definition is created, the transfer definition cannot access data outside of this defined directory.

This parameter can be used for all server types, but it is particularly important when defining a server of *Local type.

SFTP and FTP banners

Banner pages will be displayed by MFT when you log on to the MFT SFTP and FTP servers. It is good practice to create generic banner pages that do not include the name of the software running or the release.


General Suggestions

Follow these general recommendations to secure MFTCC.

Java System Security

Use the newest Java server JRE that is supported by the product. While the products will work with a Java JDK, it is good practice to use the Java server JRE.

Do not use GNU Java that is shipped with some Linux instances. Use Oracle or IBM Java that is appropriate for your MFT instance.

Setting Cookies to HTTPOnly

By default, HTTPOnly is not set for MFT-generated cookies, because the MFT Java client will not work when a cookie is set to HTTPOnly. If you do not use the MFT Java client, you can set the cookies to HTTPOnly by performing the following operation:

Set the usehttponly parameter in the web.xml file which is located in the MFTIS_Install/server/conf/catalina/localhost directory to true.

Setting the HTTPOnly attribute will cause MFT Java client to fail.

Configuring the Session Timeout

The session timeout is set to 30 minutes by default. This is good for most installations. If you need to lower this, you must make the following two changes:

● The session-timeout parameter in the web.xml file located in the MFTIS_install/server/conf directory

● The SessionTimeOut parameter in the web.xml file located in the MFTIS_install/webapps/cfcc/WEB-INF directory

Certificate Authentication

MFT supports certificate authentication for the following protocols:

● Platform Server SSL

● SFTP

● FTPS

● HTTPS

Whenever possible, use certificate authentication. Certificate authentication is relatively simple to set up on SFTP, Platform Server, and FTPS. It is much more complicated on HTTPS, because you need to update the certificate manager and select a certificate for the browser. Because of the difficulty in implementing HTTPS certificate authentication, it is good practice not to use this.

Two Factor Authentication

MFT supports the RADIUS protocol. Some token providers allow access to their servers through the RADIUS protocol. MFT can be configured through the web.xml file to support the RADIUS protocol. When the RADIUS protocol is turned on, all password validation of the MFT instance is sent to the RADIUS server. You can define users that are excluded from RADIUS password checking; these users will be authenticated through standard database or LDAP authentication.


Users/Passwords

● After the product is installed, change the password for the administrator and for other predefined users.

● Disable any predefined users that you will not be using.

● You can configure the times of day and days of the week when users can access the system.

● You can configure an IP address for a user that will limit the user to log on to MFT only from that IP address.

Anonymous Access

You must not give anonymous users rights to upload or download sensitive data.

End User Education

● When the browser offers to save the MFT password, you should select No.

● After using MFT, you have to log off and close the browser.

● You should not use MFT and browse other websites at the same time.
