IBM Aspera Shares Administrator Guide 1.9.1

Linux 64-bit: RedHat 6 & 7, CentOS 6 & 7
Revision: 1.9.1.106796 Generated: 05/20/2015 14:10
Contents
Introduction
Installation
  System Requirements
  Installing Shares
    Configuring HTTP and HTTPS Fallback
  Installing Enterprise Server
  Upgrading Shares
  Restoring Shares from a Backup
  Uninstalling Shares
  Configuring a Directory Service (DS)
  Installing an SSL Certificate for Shares
Configuring Shares
  Configuring Email
    Setting Up the SMTP Server
    Updating Links in Email Notifications
    Configure Email Settings
    Creating Email Templates
    Creating and Modifying Variables
  Configuring Security
  Configuring System Settings
Managing Nodes and Shares
  Adding Nodes
  Adding Shares
  Modifying Nodes
  Browsing Nodes
  Modifying Shares
  Browsing Shares
  Searching Nodes and Shares
  Transferring Content Between Shares
Managing Home Shares
  Enabling and Disabling Home Shares
Managing User Accounts
  Configure User Preferences
  User Permissions
    Authorize a User, Group, or DS With Manager Permissions
  Creating Local Accounts
    Adding Local Users
    Adding Local Groups
  Setting Up DS Users and Groups
    Importing DS Users
    Importing DS Groups
  Managing Users
    Setting Permissions for Individual DS Users
  Managing Groups
    Setting Permissions for Individual DS Groups
  Searching Accounts
Working with SAML
  Configuring SAML
  Configuring Your Identity Provider (IdP)
  Creating SAML Groups
  Adding a SAML User to a Local Groups
  User Accounts Being Provisioned by SAML Just-In-Time (JIT) Provisioning
Working with Rake Tasks
  User Management Rake Tasks
  Group Management Rake Tasks
  Share Management Rake Tasks
  Node Management Rake Tasks
  Other Configurations Using Rake Tasks
Configuring MySQL Server
  Using Another MySQL Server During Installation
  Using Another MySQL Server After Installation
  Changing the Built-in MySQL Port
Configuring the Stats Collector
  Adding Existing Nodes to Stats Collector
  Configure Stats Collector Log Levels
  Lowering Stats Collector Polling Frequency
  Retrieving Stats Collector Version Number
Performing Maintenance Tasks
  Clearing Background Jobs
  Fixing Services Not Running After Upgrading Shares
  Restart Shares Services
  Backing Up Shares and the Database
  Gathering and Zipping Up All Logs for Support
  Checking for SSH Issues
  Monitoring
    Viewing Activities
    Viewing Background Jobs
    Viewing Errors and Warnings
Appendix
  Configuring a Remote Transfer-Server Node
  Extending the Node Timeout
  Changing Nginx Ports
  Open a MySQL Prompt
  Generate an SSL Certificate
  Setting Up Shares and Console on the Same Host
  Securing an SSH Server
  Shares API Permissions
  Troubleshooting
Technical Support
Feedback
Legal Notice
Introduction
IBM Aspera Shares is a multinode web transfer application that enables companies to share content in the form of
files and directories of any size within their organization or with external customers and partners. You can deploy
Shares as either of the following:
• A single server solution that enables sharing content from a single content store and transfer node.
• A separate server that consolidates multiple content nodes into a single view, and enables management of user
access and file transfers across all nodes.
Shares is powered by IBM Aspera Enterprise Server, which features the Aspera Node API, a daemon providing
REST-enabled file operations and a transfer management API.
Shares is capable of managing one or more transfer nodes, which can be local, remote, or cloud-based file systems.
Transfer nodes are accessed using the Aspera Node API, which is activated by the Aspera Enterprise Server license.
With Shares you can perform the following tasks:
• Navigate across files and folders to locate and initiate a high-speed file transfer.
• Use search, filtering, and sorting capabilities to find individual files or folders in content stores.
• Provide secure authenticated access with support for users, groups, and directory services.
• Manage access and visibility of nodes and directories.
• Manage user activities at the directory level.
• Set up a real-time activity feed that keeps track of user actions and operations such as creating, deleting, and
renaming files and directories. You can also keep track of all administration and management functions.
• Configure system logging levels.
Installation
System Requirements
The IBM Aspera Shares application requires the following:
On the Shares server:
• Linux 64-bit: RedHat 6 & 7, CentOS 6 & 7, with kernel 2.4 or higher and libc version GLIB 2.3.4 or higher
• Shares package and license file
Shares includes an Nginx web server listening on ports 80 and 443. For best results, Aspera recommends using a
machine that does not run a web server. If you are using a web server, keep port 80 or 443 open: configure either that
server or the Nginx server to use different ports. If you install IBM Aspera Enterprise Server and Shares on
the same host and configure a firewall, close all ports that are not required. For details, see the firewall configuration
section of the IBM Aspera Enterprise Server documentation.
On node machines:
• IBM Aspera Enterprise Server 3.3.x (or later) or IBM Aspera Connect Server 3.3.x (or later). If older versions
of these products are already installed and running on the system, upgrade to the required version before setting
up the node server. See http://downloads.asperasoft.com/en/documentation/1 for information on installing or
upgrading these products.
• Enterprise Server license file.
• Identify a directory to use for sharing data.
On all machines (Shares and nodes):
• Verify that the machine's hosts file has an entry for 127.0.0.1 localhost (/etc/hosts or
C:\WINDOWS\system32\drivers\etc\hosts).
• Verify that SELINUX is disabled through cat /etc/sysconfig/selinux. SELINUX can be permissive or
disabled, but not enforcing.
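The two checks listed for all machines can be scripted before an install. The following Python sketch is an added example, not part of the Aspera guide or its tooling; the function names and the sample file contents are constructed for illustration.

```python
import re

# Constructed sample file contents (not copied from a real host).
HOSTS_OK = """127.0.0.1   localhost localhost.localdomain
::1         localhost
"""
HOSTS_MISSING = """#127.0.0.1  localhost
127.0.0.1   shares01.example.com shares01
"""
SELINUX_ENFORCING = """# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=enforcing
SELINUXTYPE=targeted
"""
SELINUX_PERMISSIVE = SELINUX_ENFORCING.replace("SELINUX=enforcing", "SELINUX=permissive")


def hosts_has_localhost(hosts_text):
    """True if an uncommented line maps 127.0.0.1 to the name 'localhost'."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2 and fields[0] == "127.0.0.1" and "localhost" in fields[1:]:
            return True
    return False


def selinux_modes(selinux_text):
    """Return every SELINUX= value in the file, lower-cased.

    SELINUXTYPE= lines and commented lines are ignored. The file holds the
    mode applied at boot; `getenforce` reports the mode currently in effect.
    """
    modes = []
    for line in selinux_text.splitlines():
        match = re.match(r"\s*SELINUX\s*=\s*(\S+)", line)
        if match:
            modes.append(match.group(1).lower())
    return modes


def preflight(hosts_text, selinux_text):
    """Return a list of unmet requirements; an empty list means both checks pass."""
    problems = []
    if not hosts_has_localhost(hosts_text):
        problems.append("hosts file has no '127.0.0.1 localhost' entry")
    modes = selinux_modes(selinux_text)
    if not modes:
        problems.append("no SELINUX= setting found")
    elif "enforcing" in modes:
        problems.append("SELINUX=enforcing; the guide requires permissive or disabled")
    return problems


if __name__ == "__main__":
    # On a real machine, read the two files named in the requirements list.
    with open("/etc/hosts") as h, open("/etc/sysconfig/selinux") as s:
        for problem in preflight(h.read(), s.read()) or ["all checks passed"]:
            print(problem)
```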
Installing Shares
For details on upgrading IBM Aspera Shares, see Upgrading Shares on page 9.
1. Download Shares from http://downloads.asperasoft.com/en/downloads/34. You need your Aspera credentials for
downloading the software.
2. To unpack, run the following command as root, where version is the package version:
[root] $ rpm -Uvh aspera-shares-version.rpm
The following is an example of what you can expect to see:
[root] $ rpm -Uvh aspera-shares-1.9.1.100746-1.x86_64.rpm
Preparing...                ########################################### [100%]
   1:aspera-shares          ########################################### [100%]
To use a remote MySQL server and disable the local MySQL server,
add the connection information to this file:
/opt/aspera/shares/etc/my.cnf.setup
To complete the installation, please run this script as the root user:
[root]$ /opt/aspera/shares/u/setup/bin/install
3. Run the install script:
$ /opt/aspera/shares/u/setup/bin/install
Starting aspera-shares ...
Started
Testing 20 times if MySQL is accepting connections ...
Waiting for MySQL server to answer.
mysqld is alive
Writing /etc/init.d/aspera-shares ...
Running chkconfig to add the service to the runlevels ...
Generating a private key and self-signed certificate ...
To install your own private key and certificate authority-signed
certificate, replace these files
/opt/aspera/shares/etc/nginx/cert.key
/opt/aspera/shares/etc/nginx/cert.pem
Creating the shares database ...
Loading the shares database schema ...
Initializing the shares database ...
To create an admin user, run this command:
/opt/aspera/shares/u/shares/bin/run rake aspera:admin NAME="admin"
PASSWORD="jFOBTzkgoJBk836cVW3zFXTX7XvOJSg" EMAIL="[email protected]"
Creating the stats collector database ...
Generating stats collector keys ...
Done
The password is randomly generated, and you can copy and paste it to create the admin user.
Note: If you forget to make a note of the password at installation time, you can reset it by running the
following command from the Shares server root shell:
/opt/aspera/shares/u/shares/bin/run rake aspera:admin NAME="admin" \
PASSWORD="jFOBTzkgoJBk836cVW3zFXTX7XvOJSg" EMAIL="[email protected]"
4. On the computer where Shares is installed, launch a web browser and navigate to http://shares_ip_address.
The Shares login page appears. Log in using the administrator username and password you created during the
installation process.
5. On the Change Password page that appears, provide a new password.
6. The Shares login page appears again. Log in with your new password.
7. The License page appears.
8. In the Add/Change License dialog that appears, paste your license key, and click Save.
9. Configure the server's hostname or IP address to send emails from Shares to users by selecting Other > Web
Server.
10. Type the Shares server's hostname or IP address into the Host field. It is used as part of the URL in system emails
to users.
By default the port is set to 443, and SSL/TLS is selected.
11. Secure IBM Aspera Enterprise Server by doing the following:
• Secure an SSH server.
• Configure a firewall.
• Set up SSL for nodes.
For details on how to perform these tasks, see http://downloads.asperasoft.com/en/documentation/1.
Configuring HTTP and HTTPS Fallback
HTTP Fallback serves as a secondary transfer method when the Internet connectivity required for Aspera accelerated
transfers (i.e., UDP port 33001, by default) is unavailable. When HTTP Fallback is enabled and UDP connectivity is
lost or cannot be established, the transfer will continue over the HTTP protocol.
Note: This feature requires configuring your settings in IBM Aspera Enterprise Server. For details on how
to perform these tasks, see the "Configuring HTTP and HTTPS Fallback" topic in your transfer product's
Administrator Guide.
You may configure HTTP/HTTPS Fallback in the Aspera Enterprise Server GUI or modify aspera.conf. To edit your
settings within the GUI, launch Enterprise Server and go to Configuration > Global (tab in left pane) > HTTP
Fallback (tab in right pane).
After modifying aspera.conf, run the following command (from Enterprise Server's bin directory) to validate
your updated configuration file:
$ /opt/aspera/bin/asuserdata -v
Warning: If IBM Aspera Shares is set to use Encryption-at-Rest, downloading unencrypted content through
HTTP Fallback will fail with the following errors:
• Downloading unencrypted file(s) or folder(s) will fail with the "Insufficient permissions" error.
• Downloading a mix of encrypted and unencrypted files or folders together will fail with the "Connection
lost" error.
• Downloading a mix of folders, some folders with only encrypted files and other folders with only
unencrypted files, will fail with the "Server refused request" error.
• Downloading encrypted file(s) or folder(s) with the wrong passphrase entered will fail with the "File
decryption error, bad passphrase" error.
What do you do if you need to change your HTTP Fallback port number?
In the event that you need to modify your HTTP Fallback port number, configure the following section in your
aspera.conf file (replacing <port> with your new port number):
<http_server>
<http_port><port></http_port>
<https_port><port></https_port>
<enable_http>true</enable_http>
<enable_https>true</enable_https>
</http_server>
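Before restarting services after a port change, the edited section can be checked for the mistakes this template invites: a leftover <port> placeholder, the same port on both listeners, or plain HTTP left enabled. The following Python sketch is an added example, not Aspera code and not a replacement for asuserdata -v; it uses only the element names shown above, and the enclosing <CONF> root element and the sample port values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real server).
AS_PRINTED = """<http_server>
<http_port><port></http_port>
<https_port><port></https_port>
<enable_http>true</enable_http>
<enable_https>true</enable_https>
</http_server>"""

SAME_PORT = """<CONF version="2">
  <http_server>
    <http_port>8443</http_port>
    <https_port>8443</https_port>
    <enable_http>true</enable_http>
    <enable_https>true</enable_https>
  </http_server>
</CONF>"""

HTTPS_ONLY = """<CONF version="2">
  <http_server>
    <http_port>8080</http_port>
    <https_port>8443</https_port>
    <enable_http>false</enable_http>
    <enable_https>true</enable_https>
  </http_server>
</CONF>"""


def _enabled(section, tag):
    """True when <tag> contains the text 'true' (case-insensitive)."""
    return (section.findtext(tag) or "").strip().lower() == "true"


def _port(section, tag, findings):
    """Return the port as an int, or None if absent or invalid (invalid is recorded)."""
    raw = section.findtext(tag)
    if raw is None:
        return None  # element not present in this file: nothing to validate
    raw = raw.strip()
    if not (raw.isascii() and raw.isdigit() and 1 <= int(raw) <= 65535):
        findings.append(f"{tag}: {raw!r} is not a port number in 1-65535")
        return None
    return int(raw)


def check_http_fallback(conf_xml):
    """Return a list of findings for the <http_server> section; empty means none."""
    try:
        root = ET.fromstring(conf_xml)
    except ET.ParseError as exc:
        return [f"not well-formed XML ({exc}); check for a leftover <port> placeholder"]
    section = root if root.tag == "http_server" else root.find(".//http_server")
    if section is None:
        return ["no <http_server> section in this file"]

    findings = []
    http_on = _enabled(section, "enable_http")
    https_on = _enabled(section, "enable_https")
    http_port = _port(section, "http_port", findings)
    https_port = _port(section, "https_port", findings)

    if http_on:
        findings.append("enable_http is true: fallback transfers on http_port are not protected by TLS")
    if http_on and https_on and http_port is not None and http_port == https_port:
        findings.append(f"http_port and https_port are both {http_port}: the two listeners need different ports")
    if not (http_on or https_on):
        findings.append("neither enable_http nor enable_https is true: no fallback listener is enabled")
    return findings


if __name__ == "__main__":
    for name, sample in [("as printed", AS_PRINTED), ("same port", SAME_PORT), ("https only", HTTPS_ONLY)]:
        print(name, "->", check_http_fallback(sample) or "no findings")
```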
Installing Enterprise Server
Installing IBM Aspera Enterprise Server involves the following tasks:
• Obtaining the license.
• Installing or upgrading Enterprise Server software.
• Configuring Enterprise Server to work with Shares.
• Optionally configuring HTTP fallback.
For details on how to perform these tasks, see http://downloads.asperasoft.com/en/documentation/1 (or
http://downloads.asperasoft.com/en/documentation/37 for Isilon).
Upgrading Shares
Note: Aspera® recommends that you back up your system before performing an upgrade. For details on how
to back up your system, see Backing Up Shares and the Database on page 70.
1. Download IBM Aspera Shares from http://downloads.asperasoft.com/en/downloads/34. You need your Aspera
credentials for downloading the software.
2. Stop Shares services if you are currently running Shares 1.0.3 or earlier:
[root] $ /etc/init.d/nginx stop
[root] $ /etc/init.d/delayed_job stop
3. Run the following command as root and follow the instructions, where version is the package version:
[root] $ rpm -Uvh aspera-shares-version.rpm
The following is an example of the instructions displayed when the rpm command finds a version of Shares prior
to 1.5.
[root] $ rpm -Uvh aspera-shares-1.9.1.100746-1.x86_64.rpm
Preparing...                ########################################### [100%]
You appear to be upgrading from a version that is too old.
The currently installed version appears to be
1.0.3.69382-1
To upgrade, you must first back up your data and uninstall the old
version.
To back up your data:
[root]$ /opt/aspera/shares/script/rake.sh backup DIR=/tmp
This will create a backup directory with a name like
/tmp/20130101012345
You can import the contents of that directory during installation.
[root]$ cp /opt/aspera/shares/conf/cert.key /opt/aspera/shares/conf/cert.pem /tmp/20130101012345
## Stop the application
[root]$ /etc/init.d/aspera_shares_nginx stop
[root]$ /etc/init.d/aspera_shares_delayed_job stop
## Remove the service scripts that cause the application to start on
server boot:
First, use the distribution-specific tool to uninstall the service
script from all runlevels:
A. For RHEL, CentOS, or SUSE:
[root]$ chkconfig --del aspera_shares_nginx
[root]$ chkconfig --del aspera_shares_delayed_job
B. For Debian or Ubuntu:
[root]$ update-rc.d -f aspera_shares_nginx remove
[root]$ update-rc.d -f aspera_shares_delayed_job remove
Next, remove the service scripts:
[root]$ rm /etc/init.d/aspera_shares_nginx
[root]$ rm /etc/init.d/aspera_shares_delayed_job
## Uninstall the rpm:
[root]$ rpm -e aspera-shares
## Back up any remaining files:
[root]$ mv /opt/aspera/shares /opt/aspera/shares.bak
## Stop the system MySQL unless otherwise needed
aspera-shares-1.9.1.100746 no longer uses the system-provided MySQL.
To stop:
[root]$ /etc/init.d/mysqld stop
[root]$ chkconfig mysqld off
--You are ready to install the new version and restore your backup.
## Install the rpm
[root]$ rpm -Uvh rpm -Uvh aspera-shares-1.9.1.100746-1.x86_64.rpmc
## Run the install script
[root]$ /opt/aspera/shares/u/setup/bin/install
## Restore your backup
[root]$ /opt/aspera/shares/u/setup/bin/restore /tmp/20130101012345
error: %pre(aspera-shares-1.9.1.100746-1.x86_64) scriptlet failed, exit status 1
error: install: %pre scriptlet failed (2), skipping aspera-shares-1.9.1.100746-1
Upgrading from Shares 1.5+: If the rpm command finds Shares 1.5+ already installed on the system, it displays
instructions like the following:
[root] $ rpm -Uvh aspera-shares-1.9.1.100746-1.x86_64
Preparing...                ########################################### [100%]
Switching to the down runlevel ...
runsvchdir: down: now current.
Switched runlevel
Checking status of aspera-shares ...
Status is running
Stopping aspera-shares ...
Stopped
   1:aspera-shares          ########################################### [100%]
To complete the upgrade, please run this script as the root user:
[root]$ /opt/aspera/shares/u/setup/bin/upgrade
4. Run the upgrade script:
[root] $ /opt/aspera/shares/u/setup/bin/upgrade
Starting aspera-shares ...
Started
Waiting for MySQL server to answer
mysqld is alive
Migrating the Shares database ...
Initializing the Shares database ...
Migrating the stats collector database ...
Done
5. If upgrading from a Shares version prior to 1.5, restore the database:
[root] $ /opt/aspera/shares/u/setup/bin/restore directory
Checking status of aspera-shares ...
Status is running
mysqld is alive
Restoring the Shares database ...
Migrating the Shares database ...
Initializing the Shares database ...
Configuring the stats collector to poll all nodes ...
Done
6. Restart all Shares services.
Run the following commands to restart all Shares services at once.
# service aspera-shares stop
# service aspera-shares start
Refer to Restart Shares Services on page 69 for more information on how to restart your services.
Note: If after upgrading you notice that only the MySQL service is running, see Fixing Services Not Running
After Upgrading Shares on page 69 for instructions on how to fix the issue.
Restoring Shares from a Backup
Note: To perform a backup see Backing Up Shares and the Database on page 70.
1. Ensure that your IBM Aspera Shares backup is available.
Verify that you have copied the Shares backup files to your new machine. See Backing Up Shares and the
Database on page 70.
2. Stop Shares services.
Run the following script as root. The script stops Shares services, restores Shares data, and restarts Shares. You
cannot use this procedure with earlier versions of Shares.
# /opt/aspera/shares/u/setup/bin/restore /your_backup_dir/backup_id
For example, using the ID of the example directory generated in Backing Up Shares and the Database on page
70:
Run the following command:
# /opt/aspera/shares/u/setup/bin/restore /tmp/20130627025459
The Terminal will return the following information:
Checking status of aspera-shares ...
Status is running
mysqld is alive
Restoring the Shares database and config files ...
Migrating the Shares database ...
Initializing the Shares database ...
Configuring the stats collector to poll all nodes ...
Restoring the SSL certificates ...
Done
Uninstalling Shares
Note: If you wish to retain your data for future installations of IBM Aspera Shares, then you should back up
your system before performing an uninstall. For details on how to back up your system, see Backing Up
Shares and the Database on page 70.
To remove Shares from the system, you must first stop its services from a terminal.
Run the following commands to remove the Shares application from the system:
# rm /etc/init.d/aspera-shares
# rpm -e aspera-shares
Configuring a Directory Service (DS)
Configuring a DS involves two tasks:
• Adding a DS account
• Configuring DS users and groups
IBM Aspera Shares supports the Lightweight Directory Access Protocol (LDAP), and you can configure it to connect
to a directory service. The following directory service databases are supported:
• Active Directory (AD)
• Apple Open Directory
• Fedora Directory Server
• Open LDAP
Shares already has a default, local database. When you add local users, they will automatically be added to Admin >
Accounts > Directories > Local Database. For information on setting up local users, see Adding Local Users on
page 37.
1. To add a directory service account, log into Shares and navigate to Admin > Accounts > Directories > New.
2. Complete the form that appears with your specific directory service's settings and click Create ldap config.
Option: Description
Directory Type: Select a directory service type from one of the following options:
• Active Directory (AD)
• Apple Open Directory
• Fedora Directory Server
• Open LDAP
Name: Type a name for this directory service.
Description: Type a description for this directory service.
Host: The directory's address and port number. By default, unsecured LDAP uses port 389,
unsecured global catalog uses port 3268, and global catalog over SSL uses port 3269.
Base DN: The search treebase, for example, dc=myCompany,dc=com for myCompany.com.
Authentication Credentials:
• Anonymous Bind
• Simple Bind
If Simple Bind is selected, you must type your directory service user
name (typically a Distinguished Name (DN), for example,
CN=Administrator,CN=Users,DC=myCompany,DC=com) and directory service
password.
Encryption:
• Unencrypted (Default port 389)
• Simple TLS (Default port 636)
Note: Aspera recommends selecting Simple TLS to secure your server. By
default, LDAP traffic is transmitted unsecured. You can make LDAP traffic
confidential and secure by enabling TLS.
After adding a DS to Shares, you can configure specific settings for your DS users and groups.
3. In the Detail tab, update the information that you entered for the DS account when you set it up.
4. In the Groups tab, edit the DS group permissions.
To set specific permissions for an individual DS group, click the corresponding Edit button. If no groups appear,
the number of records may exceed the limit for displaying a list in Shares. You can search for groups by name by
entering a minimum of two characters. For details on editing a DS group, see Setting Permissions for Individual
DS Groups on page 46.
5. In the Users tab, edit the DS users' permissions.
Your DS users are listed on this page, unless the number of records exceeds the limit for displaying a list in Shares. If
no list appears, you can search for users by name by entering a minimum of two characters.
To set specific permissions for an individual DS user, click the corresponding Edit button. For details on editing a
DS user, see Setting Permissions for Individual DS Users on page 43.
6. In the Security tab, configure specific security settings for the entire directory.
• If you select Disabled, no users from this directory can log into Shares. This also prevents you from giving
individual DS users and DS groups access to log in.
• If you select Login, all users from this directory can log into Shares. If left clear, you may give individual DS
users and DS groups access to log in.
• If you select Admin, all users in this directory have administrative permissions. If left clear, you may give
individual DS users and DS groups administrative access.
To configure DS users' security settings from their individual account pages, see Setting Permissions for
Individual DS Users on page 43.
7. In the Shares tab, authorize specific shares for this directory.
Clicking Add Share displays a list of nodes and shares that are currently configured in Shares.
Click Authorize to authorize a share. You can modify the directory's permissions for browsing, transferring, and
performing file operations within it. The default permission is browse. To edit these permissions or disallow the
directory's access to the share, click edit.
Select permissions that directory users have for the authorized share. For example, everyone in this directory is
allowed to browse the share. However, they cannot download, upload, perform any file operations, or receive
notifications about content availability within the share. After modifying the settings, click Update. You may
disallow access to this share by clicking Delete.
Note: If you authorize a share for an entire directory, any group within that directory will inherit the same
access permissions.
8. In the Activity tab, view and search for activities within the Activity directory. Search for a specific activity by
typing search text into the Events text box. You can also search for activities by specifying a date and time range.
Installing an SSL Certificate for Shares
To install an SSL certificate that you have purchased or generated as described in Generate an SSL
Certificate on page 76, follow the steps below.
1. Rename the certificate files provided with IBM Aspera Shares.
Locate the original cert.pem and cert.key files in /opt/aspera/shares/etc/nginx. Rename them as
follows:
# cd /opt/aspera/shares/etc/nginx
# mv cert.pem cert.pem.orig
# mv cert.key cert.key.orig
2. Copy your new SSL cert files to /opt/aspera/shares/etc/nginx.
Rename the cert file cert.pem and rename the key file cert.key.
3. Restart the web service.
Restart nginx as follows:
# /opt/aspera/shares/sbin/sv restart nginx
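A pre-flight check for the steps above, as an added example that is not part of the IBM guide or of Aspera's tooling: it confirms that the .orig backups exist, that cert.pem and cert.key hold the right kind of PEM block, and that the key is not accessible beyond its owner. The function names and the constructed sample files are assumptions; pair_loads uses Python's ssl module to confirm that a real key matches a real certificate before nginx is restarted.

```python
import base64
import os
import re
import ssl
import stat

# Matches one PEM block and captures its label, e.g. "CERTIFICATE" or "RSA PRIVATE KEY".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s.*?-----END \1-----", re.S)


def pem_labels(path):
    """Return the labels of the PEM blocks in a file, in order of appearance."""
    with open(path, "r", encoding="ascii", errors="replace") as handle:
        return [match.group(1) for match in PEM_BLOCK.finditer(handle.read())]


def preflight(nginx_dir):
    """Return a list of problems with the certificate layout; empty means none found."""
    problems = []
    cert = os.path.join(nginx_dir, "cert.pem")
    key = os.path.join(nginx_dir, "cert.key")

    # Step 1 keeps the shipped files as *.orig so that a rollback stays possible.
    for backup in ("cert.pem.orig", "cert.key.orig"):
        if not os.path.isfile(os.path.join(nginx_dir, backup)):
            problems.append(f"missing backup {backup}")

    missing = [os.path.basename(p) for p in (cert, key) if not os.path.isfile(p)]
    if missing:
        return problems + [f"missing {name}" for name in missing]

    cert_labels, key_labels = pem_labels(cert), pem_labels(key)
    if "CERTIFICATE" not in cert_labels:
        problems.append("cert.pem has no CERTIFICATE block")
    if any(label.endswith("PRIVATE KEY") for label in cert_labels):
        problems.append("cert.pem contains a private key (files swapped or combined?)")
    if not any(label.endswith("PRIVATE KEY") for label in key_labels):
        problems.append("cert.key has no PRIVATE KEY block")

    # The private key should carry no group or other permission bits.
    mode = stat.S_IMODE(os.stat(key).st_mode)
    if mode & 0o077:
        problems.append(f"cert.key mode {mode:04o} is accessible beyond its owner")
    return problems


def pair_loads(cert_path, key_path):
    """True if OpenSSL accepts the key as belonging to the certificate."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # The callable answers a passphrase prompt with an empty string, so an
        # encrypted key fails here instead of blocking on terminal input.
        context.load_cert_chain(cert_path, key_path, password=lambda: "")
    except (ssl.SSLError, OSError):
        return False
    return True


def write_constructed_sample(nginx_dir, key_mode=0o600):
    """Populate a directory with constructed, non-functional PEM files for the demo."""
    def pem(label, note):
        body = base64.encodebytes(note.encode("ascii")).decode("ascii")
        return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

    files = {
        "cert.pem.orig": pem("CERTIFICATE", "constructed: shipped certificate"),
        "cert.key.orig": pem("PRIVATE KEY", "constructed: shipped key"),
        "cert.pem": pem("CERTIFICATE", "constructed: new certificate"),
        "cert.key": pem("PRIVATE KEY", "constructed: new key"),
    }
    for name, text in files.items():
        path = os.path.join(nginx_dir, name)
        with open(path, "w", encoding="ascii") as handle:
            handle.write(text)
        os.chmod(path, key_mode if name.startswith("cert.key") else 0o644)


if __name__ == "__main__":
    import tempfile

    # Constructed stand-in for /opt/aspera/shares/etc/nginx with a too-open key.
    with tempfile.TemporaryDirectory() as demo_dir:
        write_constructed_sample(demo_dir, key_mode=0o644)
        for problem in preflight(demo_dir):
            print("PROBLEM:", problem)
        # The constructed files are not real key material, so this prints False.
        print("pair loads:", pair_loads(os.path.join(demo_dir, "cert.pem"),
                                        os.path.join(demo_dir, "cert.key")))
```

On a real server, call preflight("/opt/aspera/shares/etc/nginx") and pair_loads on the two installed files after step 2 and before step 3.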
Configuring Shares
Configuring Email
From the Email menu, the following capabilities are available:
• Settings
• Templates
• Variables
• SMTP
Setting Up the SMTP Server
1. Navigate to Admin > SMTP to configure the SMTP email server for IBM Aspera Shares.
2. To add a server's SMTP settings, select the SMTP option and complete the form, which requests the following
information:
Server: SMTP server address
Port: SMTP port
Domain: Domain name
Use TLS if available: Aspera recommends turning TLS (Transport Layer Security) on to secure your email server.
Timeout: The timeout for connecting to SMTP servers. The default is 3 seconds.
Username: Email username
Password: Email password
From: Email sender’s address
3. To debug the SMTP server settings, click Send Test Email.
Note: If you get the error "Net::SMTPUnknownError: could not get 3xx (550)" when sending a test
message, you might be blocked by your domain as a potential spammer. Aspera recommends that you set
an SPF record for your domain to identify which mail servers are allowed to send email on behalf of your
domain. For more information about SPF and how to create an SPF record, see
http://support.google.com/a/bin/answer.py?hl=en&answer=33786&topic=2759192&rd=1
After you have configured the SMTP server, you can return to this page to view all Shares activity related to it in the
Activity tab. Each reported activity event is accompanied by a tag. You can click the tag to find related activities.
You can also perform an activity event search by clicking Search and entering the requisite information.
Updating Links in Email Notifications
IBM Aspera Shares generates links in email notifications using the host IP address set in its Web Server settings.
Whenever you change the IP address of the Shares machine, you must update this host address as well. By default, the
host address is set to example.com.
Navigate to Admin > Web Server and update Host with your computer's IP Address.
Configure Email Settings
Select the email notification settings a new IBM Aspera Shares user will inherit by default.
Notify users on share authorization: Notify users when they are granted access to a new share.
Notify users on transfer complete: Notify users when a new transfer is completed to a share (and share notification is enabled).
Notify admins on user share authorization Reset: Notify admins when a user is authorized to a share.
Note: This option is available for admins only.
Notify admins on self registration request: Notify admins when there is a new user self registration request and self registration is set to moderated.
Note: This option is available for admins only.
Note: Changing these preferences will not affect email settings for current users.
Creating Email Templates
IBM Aspera Shares comes with preconfigured notification templates, which you can access from the Templates link.
To view a template, click the link for its name.
To modify a template, create a new template by copying one of the preconfigured templates and editing it. You cannot
modify or delete the preconfigured templates. When editing a new template, you can configure both an HTML and
plain-text version, and you can use Shares built-in variables and variables you create.
• To create a template, determine the type of template you want, and click Copy.
• To select your template as the default to be used for sending test emails, click Default. This also enables
activation. The Delivered check box is inactive when checked. It only indicates that a template is the original
version delivered with Shares.
• To edit the new template, click the link that is the template’s name.
The page that appears when you edit a new template includes three sections for modifying the email template:
Details: Lets you change the name of the template and set the email subject line.
HTML Template: Lets you edit an HTML-formatted version of the template.
Plain Template: Lets you edit a plain-text version of the template.
Email notifications always include the HTML and plain-text versions of the message. Therefore, you might want to
modify both templates.
Tip: It might be convenient to make changes in the plain-text template, then copy and paste the text to the
equivalent location in the HTML template. The edit boxes for both versions can be open at the same time.
Using Variables in a Template
To use variables in a template, click Template Substitution Variables at the bottom of the page. This opens the
Substitution Variables dialog showing a list of variables that are available for this template. To see descriptions of
each variable, click Show More:
This dialog displays only those variables that you can enter in the type of template you are using, in this case, the
SendTestEmail type.
When you click or select text in a template edit box, the Add links in the variables list become active. Clicking Add
for a variable inserts it or replaces the selected text in the edit box. For example:
Select text in the edit box for the plain template, in this example, the word “User”:
To replace “User” with the full name of the user who performed the action that triggers this notification, click Add for
the by_full_name variable in the Substitution Variables dialog:
“User” is replaced with the by_full_name variable. In the results box, the variable is displayed as “First Last”
because the by_full_name variable cannot be fully interpreted until the notification has been triggered by the action
or event associated with a user. Similarly, “aspera_username” is not a variable, but a display string that represents the
variable by_username:
Creating and Modifying Variables
You can create or modify variables to be inserted in your IBM Aspera Shares notification templates. When editing
a variable, you can configure both an HTML and plain-text version. Variables are useful for creating reusable
boilerplate text that can be used across multiple email templates.
1. Click Email > Variables to open the Notification Variables page.
2. To modify one of the Shares built-in variables, click Edit.
3. To create a new variable, click New Notification Variable. After you have created a variable, it appears as a new
entry in the Notification Variables list.
When you create and modify templates, the new variable is also available in the Substitution Variables dialog and
ready for use.
Configuring Security
Under Security, you can set the following options:
Session timeout: Log out users after this many minutes of inactivity (1-480 minutes).
Require strong passwords: Require passwords to be at least 8 characters and contain at least one uppercase letter, lowercase letter, number, and symbol.
Password expiration interval: Reset the number of days before a user must change the password (1-720 or blank).
Failed login count: Reset the number of failed logins within Failed login interval that will cause the account to be locked (1-20).
Failed login interval: Number of minutes within which Failed login count results in account being locked (1-60).
Self registration: Determines whether non-users can create or request user accounts. Choose from the following options:
• none: Not allowed.
• moderated: You must approve the account before it is created. If you allow self-registration, the moderated setting is recommended for security.
• unmoderated: After a user registers, the user’s account is automatically created.
Self-Registration
If users are allowed to self-register, they see a Request an Account link on the login page. After a user clicks this
link and completes the form, you are prompted under Admin > Accounts > Self Registration to Approve, Deny, or
Delete the user’s account. You can also perform a status search for new accounts.
Admins can configure whether they receive emails whenever there's a new self registration request in their personal
preferences. By default, admins are opted into receiving these emails. To change the default setting, see Configure
Email Settings on page 19.
The email template for such emails is also configurable. For more information on customizing templates, see Creating
Email Templates on page 19.
Configuring System Settings
The following System Settings configuration options are available under the Other menu on the Admin page:
Background: Modify or reset the parameters that IBM Aspera Shares checks when running background jobs.
License: View or change your Shares license.
Localization: Configure your Shares server with your local timezone, date format, and time format.
Logging: Configure whether logged events trigger a warning or an error.
Logos: Add, edit, or delete a custom logo for your Shares Web UI.
Messages: Create a login page message for your users, and a home page message.
Transfers:
• Min connect version: The minimum version of the IBM Aspera Connect Browser Plug-in that can be used to transfer with Shares. The version must be in the form "X.Y" (for example, 1, 1.2). If you are using IBM Aspera Shares on Demand, the minimum accepted version of Connect Browser Plug-in is 2.7.8, which is the default setting.
• Upload target rate: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Upload target rate cap: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate cap: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Starting policy: Select the policy to be enforced when the transfer starts:
  Fixed: The transfer transmits data at a rate equal to the target rate, although this may impact the performance of other traffic present on the network.
  High: The transfer rate is adjusted to use the available bandwidth up to the maximum rate.
  Fair: The transfer attempts to transmit data at a rate equal to the target rate. If network conditions do not permit that, it transfers at a rate lower than the target rate, but not less than the minimum rate.
  Low: The transfer rate is less aggressive than Fair when sharing bandwidth with other network traffic. When congestion occurs, the transfer rate is decreased to the minimum rate, until other traffic retreats.
• Allowed policy: Select the policies that are available to the user during transfer. If you do not make any selections, the Inherit from node setting is displayed, which will apply the settings inherited from the node.
• Encryption: Select Optional or AES-128. If you do not make any selections, the Inherit from node setting is displayed, which will apply the settings inherited from the node.
• Encryption at rest: Select Optional or Required. If you do not make any selections, the Inherit from node setting is displayed, which will apply the settings inherited from the node. If you select Required, the uploaded files must be encrypted during a transfer to protect them while they are stored on a remote server. The uploader sets a password before uploading the file, and the downloader needs to enter that password to decrypt the file.
Web Server: Configure the web server settings, including the host, port, and whether SSL/TLS is enabled. The hostname or IP address entered into the Host field is used as part of the URL in Shares emails to users. For example, when an account is created for a user, that user will receive an email prompting the user to reset the password. This email contains a URL that points to whatever hostname or IP address is entered into the Host field.
Managing Nodes and Shares
Note: If you do not have browse permissions but have all other permissions, you can still perform Upload
File and Upload Folder operations in the user interface (UI). However, you will not have permissions for
other UI operations such as Delete or Download, and the contents of the share are not displayed.
Managing nodes and IBM Aspera Shares involves the following administrative capabilities:
Node Administration:
• Nodes are only visible to administrators.
• All administrators have the same level of privileges for all nodes.
• Administrators can create, edit and delete nodes.
• Shares requires user authentication to access the node.
Share Administration:
• Only administrators can create, edit, and delete shares.
• Only administrators can change share authorizations.
• All administrators have the same level of privileges for share administration for all shares.
Authorization:
Only administrators can change share authorizations.
Precedence:
• Authorizations can be granted to users, groups, and directory services.
• Authorization at the user level takes precedence over the user's group or directory service authorization.
  • In the absence of user-level authorization, a user is granted the union of all authorizations for the user's groups and directory services.
• Administrators can view, edit, and remove authorizations.
• Users can be authorized for any subset of the operations on a share, where operations include the following:
  • Browse
  • Upload
  • Download
  • Make directory
  • Delete directory or file
  • Rename
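The precedence rules above, worked through as an added example (not Shares code; the data model and names such as Principal, ShareAuthorizations and audit_overrides are assumptions made for illustration). It resolves a user's effective operations on one share and reports user-level entries that differ from what the user's groups and directory services would grant, which is the case to look for when reviewing access.

```python
from dataclasses import dataclass

# Operations a share authorization can carry, as listed in the table above.
OPERATIONS = frozenset(
    {"browse", "upload", "download", "make_directory", "delete", "rename"}
)


@dataclass(frozen=True)
class Principal:
    """A Shares user with group and directory-service memberships (hypothetical model)."""
    name: str
    groups: tuple = ()
    directories: tuple = ()


class ShareAuthorizations:
    """Authorizations recorded against one share, keyed by who they were granted to."""

    def __init__(self, share):
        self.share = share
        self._grants = {"user": {}, "group": {}, "directory": {}}

    def grant(self, kind, name, operations):
        ops = frozenset(operations)
        if ops - OPERATIONS:
            raise ValueError(f"unknown operations: {sorted(ops - OPERATIONS)}")
        self._grants[kind][name] = ops

    def user_level(self, name):
        """The user-level authorization, or None when the user has none."""
        return self._grants["user"].get(name)

    def inherited(self, principal):
        """Union of everything the principal's groups and directories are granted."""
        ops = set()
        for group in principal.groups:
            ops |= self._grants["group"].get(group, frozenset())
        for directory in principal.directories:
            ops |= self._grants["directory"].get(directory, frozenset())
        return frozenset(ops)

    def effective(self, principal):
        """User-level authorization wins outright; otherwise the union applies."""
        explicit = self.user_level(principal.name)
        return explicit if explicit is not None else self.inherited(principal)


def audit_overrides(auths, principals):
    """Report users whose user-level grant differs from what they would inherit.

    'extra' operations persist even if the user leaves every group;
    'withheld' operations are granted by a group or directory but masked
    by the narrower user-level entry.
    """
    findings = {}
    for person in principals:
        explicit = auths.user_level(person.name)
        if explicit is None:
            continue
        inherited = auths.inherited(person)
        extra, withheld = explicit - inherited, inherited - explicit
        if extra or withheld:
            findings[person.name] = {
                "extra": sorted(extra),
                "withheld": sorted(withheld),
            }
    return findings


def build_constructed_example():
    """Constructed sample data: one share, one group, one directory service."""
    auths = ShareAuthorizations("project-files")
    auths.grant("group", "editors", {"browse", "upload", "download"})
    auths.grant("directory", "corp-ldap", {"browse"})
    auths.grant("user", "bob", {"browse"})             # narrower than his group
    auths.grant("user", "dave", {"browse", "delete"})  # wider than his directory
    people = [
        Principal("alice", groups=("editors",), directories=("corp-ldap",)),
        Principal("bob", groups=("editors",), directories=("corp-ldap",)),
        Principal("carol", directories=("corp-ldap",)),
        Principal("dave", directories=("corp-ldap",)),
    ]
    return auths, people


if __name__ == "__main__":
    auths, people = build_constructed_example()
    for person in people:
        print(person.name, sorted(auths.effective(person)))
    print(audit_overrides(auths, people))
```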
Adding Nodes
Ensure that you have the following information available:
• The node computer's hostname or IP address, along with a port and path (if applicable).
• The node API username and password that you created when you set up IBM Aspera Enterprise Server on the
node machine.
• If you are adding a node on a remote server, first follow the instructions in Configuring a Remote Transfer-Server
Node on page 72 to set up the remote transfer-server node.
1. On the IBM Aspera Shares Home window, click NODE+ to add a new node and complete the New Node
configuration form.
Field: Name
Description: A description of the node.
Example Value: Headquarters

Field: Host
Description: The node computer's hostname or IP address, along with a port and path. The port field represents the port on which the node service is running. The default is 9092. The path field is an advanced feature used for URL Proxy operations. In nearly all cases, you may leave this field blank.
Example Value: In this example, Shares and Enterprise Server are installed on the same computer. That means our hostname is localhost and our node service port is HTTPS 9092. If the node is on a remote host, use the IP address or resolvable hostname.
Note: When adding a local node multiple times, you must ensure each node uses localhost as the host.

Field: API Username
Description: The node API username that you created when you set up Aspera Enterprise Server on the node machine. This user is kept in the redis database for authentication between the Shares application and the node service.
Example Value: node-admin

Field: API Password
Description: The node API password that you created when you set up Enterprise Server on the node machine.
Example Value: s3cur3_p433

Field: Use SSL
Description: To encrypt the connection to the node using SSL, select this check box. Although the node is configured to use an Aspera pre-installed and self-signed certificate (/opt/aspera/etc/aspera_server_cert.pem), you can use your own certificate. To generate a new certificate, see the Setting Up SSL for Node topic in the IBM Aspera Enterprise Server Admin Guide.
Note: After generating a new certificate, you must create a cert.pem file that contains the private key and the certificate. To do so, copy and paste the entire body of the key and cert files into a single text file. Then save the file as filename_cert.pem.
Example Value: Enabled, by default.

Field: Verify SSL Certificate
Description: To verify the SSL certificate, select this check box.
Example Value: Enabled, by default.

Field: Timeout
Description: Sets the number of seconds Shares will wait for this node to respond to a request.
Example Value: 30, by default

Field: Open Timeout
Description: Sets the number of seconds Shares will wait for the connection to this node to open.
Example Value: 10, by default

Field: Bytes free - warn
Description: Issues a warning message when the node has equal to or less than a specified number of storage bytes free. You can enter the number as G, MB, terabytes, and bytes.
Example Value: 50G

Field: Percent free - warn
Description: Issues a warning message when the node has equal to or less than a specified percent of its storage free.
Example Value: 25%

Field: Bytes free - error
Description: Issues an error message when the node has equal to or less than a specified number of storage bytes free. You can input the number as G, MB, terabytes, and bytes.
Example Value: 10G

Field: Percent free - error
Description: Issues an error message when the node has equal to or less than a specified percent of its storage free.
Example Value: 10%
2. Click Create Node to save your entries. If your node has been created, it appears under the Nodes section on your
Home page.
3. Browse or edit a node by selecting the node’s drop-down menu.
From this drop-down menu, you can perform the following tasks:
• Browse the node
• Edit the node
• View shares
• View administrative activity
• Delete the node
For detailed information on these functions, see Modifying Nodes on page 29.
Note: You can add one machine as a node multiple times, in cases that require different access
credentials to see files in multiple areas of the system. When adding a local node multiple times, you must
ensure each node uses localhost as the host.
Adding Shares
Ensure that you have the following information available:
• The name of the node that you want to put the share on.
• The node directory that you want to set up as the share.
You can add shares by using one of the following methods:
• In the Home window click SHARES+. See the following procedure.
• In the Home window click on a Node / Share / Bookmark, then select a folder and select Create Share. See the
following procedure.
• In the Home window click on a Node / Share / Bookmark, then use the Share option in the dropdown menu next
to the folder that you want to share. See the following procedure.
1. On the Home window, click SHARES+ to add a new share and complete the New Share configuration form.
Field: Name
Description: The name of the share is only a description, which means that multiple shares can also have the same name.
Example Value: my first share

Field: Node
Description: Select a node from the drop-down list. This drop-down list is automatically populated with nodes that you have previously configured. See Adding Nodes on page 24.
Example Value: Select any node from the drop-down list.

Field: Directory
Description: Click Browse... to browse a node's directories. You are prompted to select a directory in the pop-up window. You have several options:
• You can perform a search for a directory by typing its name into the text field and clicking Search.
• You can perform an advanced search by clicking Advanced and typing criteria into the text field.
• You can sort the directory list by:
  • Type
  • Size
  • Size descending
  • Last modified
  • Last modified descending
• You can select a radio button next to the directory that you want to be the share, then click Select.
Example Value: A directory called documents.

Field: Bytes free - warn
Description: Issues a warning message when the share has equal to or less than a specified number of storage bytes free. You can enter the number as G, MB, terabytes, and bytes.
Example Value: 5G

Field: Percent free - warn
Description: Issues a warning message when the share has equal to or less than a specified percent of its storage free.
Example Value: 25%

Field: Bytes free - error
Description: Issues an error message when the share has equal to or less than a specified number of storage bytes free. You can enter the number as G, MB, terabytes, and bytes.
Example Value: 1G

Field: Percent free - error
Description: Issues an error message when the share has equal to or less than a specified percent of its storage free.
Example Value: 10%
2. Click Create Share to save your entries.
If the share has been created, it appears under the Shares section on your Home page.
3. From the share’s drop-down menu, you can perform the following tasks:
• Browse
• View activities
• Make comments
• Choose notification options
• Edit
• View authorizations
• View administrative activity
• Delete the share
For detailed information on these functions, see Modifying Shares on page 30.
Modifying Nodes
After you have created a node, it appears under the NODES section on your Home page.
Use the drop-down menu to the right of the node name to browse, edit, view shares, view administrative activities, or
delete the node.
Browse node: See Browsing Nodes on page 30.
Edit: Select Edit from the drop-down list to the right of the node's name. From the node's Detail view, you can check the node's status by performing a test, verify its free space, and delete the node. You can also change the details that you provided during the configuration step. See Adding Nodes on page 24 for details.
Shares: Select Shares from the drop-down list to the right of the node's name. This is also accessible from the node's Detail view. You can view the name and directory for each of the node's shares and edit each share. When you click Edit, the share's detail page appears. See Modifying Shares on page 30.
Admin Activity: Select Admin Activity from the drop-down list to the right of the node's name. This is also accessible from the node's Detail view. You can view a list of all administrative activity that has occurred on the selected node. You can also search for activity based on tagged events or a date range.
Delete: Select Delete from the drop-down list to the right of the node's name to delete the node from Shares. This is also accessible from the node's Detail view.
Browsing Nodes
When you browse a node, you can see all directories that exist on that node.
You can also search for a directory name and sort the directory list. The following buttons enable you to perform
actions on a directory or directories.
Bookmark: Create a shortcut to the selected directory. If you do not select any directory, the bookmark is the node's root directory.
Download: Download the selected directory or directories using the IBM Aspera Connect Browser Plug-in.
Upload: Upload a file or folder from another machine to this node using the Aspera Connect browser plugin.
Delete: Delete the selected directory or directories.
New Folder: Create a new directory on the node.
Rename: Rename an existing directory on the node.
Create Share: Create a share for the selected directory. You can only select one directory at a time. Click Create Share to open the New Share dialog. This dialog is prepopulated with the node and directory information. To complete the other fields, see Adding Nodes on page 24.
Sort: Sort the directories of a node by:
• Type
• Size
• Size Descending
• Last Modified
• Last Modified Descending
Modifying Shares
After you have created a share, it appears under the SHARES section on your Home page.
Use the drop-down menu to the right of the share name to do the following on a share:
• Browse
• View activities, administrative activities, and authorizations
• Make comments
• Choose notification options
• Edit
• Delete the share
Browse share: See Browsing Shares on page 32.
Activity: Select Activity from the drop-down list to the right of the share's name. A list of all activity that has occurred on the selected share appears. You can also search for activity based on tagged events or a date range.
Comments: Select Comments from the drop-down list to the right of the share's name. A list of any comments that have been made about the share appears. You can also add your own comments.
Notifications: Select Notifications to choose to be notified when new content has been added to your share.
Edit: Select Edit from the drop-down list to the right of the share's name. From the share's Detail view, you can check the share's status by performing a test, verify its free space, and delete the share. You can also change the details that you provided during the configuration step. See Adding Shares on page 27.
Authorizations: Selecting Authorizations from the drop-down list opens the Authorizations tab for the share. For existing users, groups, and directories, you can use the check boxes to add, delete, and change authorizations for browsing, file transfer, file operations, and notifications. To give new users and groups access to this share, use the Authorize User and Authorize Group links. To add directories to this share, use the Authorize Directory link. You can also search the system for users. Refer to the User Permissions on page 36 topic for more information on the different user roles.
Admin Activity: Select Admin Activity from the drop-down list to the right of the share's name. This is also accessible from the share's Detail view. You will see a list of all admin activity that has occurred on the selected share. You may also search for activity based on tagged events or a date range.
Delete: Select Delete from the drop-down list to the right of the share's name to delete the share. This is also accessible from the share's Detail view.
Browsing Shares
When you browse a share, you see all files and directories within that share.
You can also search for a directory name and sort the directory list. You can perform the following actions on a directory
or directories:
Bookmark: Create a shortcut to the selected directory. If you do not select any directory, the bookmark is the node's root directory.
Download: Download the selected directory or directories using the Aspera® Connect™ browser plugin.
Upload: Upload a file or folder from another machine to this node using the Aspera Connect browser plugin.
Delete: Delete the selected directory or directories.
New Folder: Create a new directory on the node.
Rename: Rename an existing directory on the node.
Create Share: Create a share for the selected directory. You can only select one directory at a time. Click Create Share to open the New Share dialog. This dialog is prepopulated with the node and directory information. To complete the other fields, see Adding Nodes on page 24.
Searching Nodes and Shares
You can perform keyword searches in a node or share, or accounts list.
To perform a search on a share or node, select a share or a node on your Home page, then within the Name: box,
enter a keyword for your search. You can also enable or disable the Search sub-folders option. Shares surrounds
any keyword that you enter with *. Therefore, if you enter the keyword "Dec", the search is actually performed as
"*Dec*" and Aspera Shares returns any string that contains this word.
To perform a keyword search and limit the number of results, use Advanced search. You can set the following filters:
Size: Enter minimum or maximum values. Include the unit of measure as bytes, MB, or GB.
Last Modified: Enter from date or to date. Select a date from the popup calendar.
Transferring Content Between Shares
Note: This feature is supported only by IBM Aspera Enterprise Server 3.4.5 or later.
You can transfer content from any share for which you have download permission to any share for which you have
upload permission. Conversely, you can transfer content to any share for which you have upload permission from any
share for which you have download permission.
1. Select one or more files or folders from a Share for which you have download permission.
2. Drag the files or folders to a Share for which you have upload permission, or to a bookmark.
When a transfer occurs, a transfer window opens showing the current status of each transfer that is being made.
In the Transfer dialog, you can also perform the following actions:
Pause: Temporarily pause a transfer.
Resume: Resume a previously paused transfer.
Clear all: Clear transfers from the list.
Remove: Remove transfer from the list. (This will also cancel any paused transfers.)
Managing Home Shares
When Home Shares are enabled, users will automatically have a private share added and authorized when they first
log into Shares. Home share creation for new users applies to all new users, including local users, directory users, and
SAML users. Users can give other users access to their home folders.
You can choose which node to use for home directories. A new directory is created on the node, and a share is added
to the user’s account. The user’s name is used for both the directory and share name.
Home shares are treated like regular shares by the application. Therefore, you can choose to authorize additional users
to these shares or remove them individually after the initial creation.
If you disable home shares on a node, any existing home directories on the node are not deleted.
When you log in, you can see all the home shares under the HOME SHARES heading.
Note: If the home share creation fails when a user first logs in, an error is logged in the activity log. The next
time the user logs in, another attempt to create the home folder is made.
Enabling and Disabling Home Shares
1. On the Admin window, under Other, click Home Shares. The Home Shares dialog appears.
2. To enable the automatic creation of home shares, select the check box next to Enable Home Shares. To disable
home shares, leave the check box clear.
3. From the Node drop-down list, select a node. You can also add a new node by clicking New Node. See Adding
Nodes on page 24 for details on how to add a node.
4. Select the default directory or click Browse to select a different directory for the home share.
5. Click Save.
Note: When you disable home shares, home shares that already exist are not affected, and existing users
can use their existing home shares. However, home shares for new users will not be created.
Note: When you modify the destination directory or node for home shares, existing home shares do
not change to point to the new destination. However, home shares for new users are created at the new
destination.
Managing User Accounts
Configure User Preferences
To configure your individual user account's settings, select your username in the top right corner and select
Preferences.
Here you can change general settings such as your first and last name, your password, and your email address. You
can also change your email notification options, configure your system display, and choose to suppress the Aspera
Connect install dialog.
Email Settings
Note: All notifications are enabled by default.
Item | Description
Notify me when I am granted access to a new share | Receive an email whenever you are given access to a new share.
Notify me when a new transfer is completed to a share (and share notification is enabled) | Receive an email when new content has been added to your share. An admin must enable notifications for that share for you to receive an email.
Notify me when a user is authorized to a share | Receive an email whenever a user is given access to a share. Note: This option is available for admins only.
Notify me when a new user has requested an account | Receive an email whenever a new user requests an account when self-registration is enabled and set to moderated. Note: This option is available for admins only.
Display
Item | Description
Time Zone | The time zone for your system.
Date Order | The order that date, month, and year are displayed.
Date Delimiter | Separates the date, month, and year.
Time Format | Display a 12-hour time format or a 24-hour time format.
Number Delimiter | Denotes the thousands place in a number. For example, if a comma (,) is chosen as the delimiter: "1,000". Note: Number delimiter and separator cannot be the same.
Number Separator | Denotes the decimal place in a number. For example, if a period (.) is chosen as the separator: "10.25". Note: Number delimiter and separator cannot be the same.
Items Per Page | The number of items Shares will display per page. The default is 50.
Connect Install Dialog
As you navigate through the Shares web UI, each page checks for the presence of the Connect browser plugin. If the
plugin is not present, the page shows a message to download the plugin. Changing the value of this option from the default
"false" to "true" will stop Shares from auto-prompting on each visited page.
User Permissions
There are three levels of permissions for an account authorized to access a share.
Admin
Users with the admin permission can create new shares and users and have full rights to modify or remove all existing
shares and users.
Managers
Administrators can use the manager permission to delegate the creation of Shares and Users to another user
without giving that account full administration privileges. Assigning a user to a share as its manager gives that user
administrative privileges for that share and all inherited subdirectories. If a user creates a new share within a managed
share, the manager of the share automatically gains administrative rights to the new share as well. Refer to Authorize
a User, Group, or DS With Manager Permissions on page 37 for instructions on how to authorize manager
permissions for a user.
Restrictions on the Manager Permission
Though a user with manager permissions effectively becomes the admin for that share, there are the following
restrictions:
• A manager cannot modify or delete the top-level share or any shares above it.
• A manager cannot create a share at the same level of the first Shares.
• For a manager to administer a group, the manager must have manager permissions for all of that group's shares.
• Managers cannot edit Admin User properties, but they can edit other managers by navigating to Admin > Users.
• A manager cannot create new users or groups if those users or groups will inherit shares not managed by the manager.
• For a manager to change the password or email of a user, the manager should be a manager of all of that user's shares.
User
A user can access any share it has authorizations to access, but the actions it is allowed to take can be set and
managed by any user with administrative privileges for that share. Some common actions include browsing,
uploading, and downloading files, and modifying the directory holding the files.
Authorize a User, Group, or DS With Manager Permissions
The following instructions describe the process of authorizing a user, group, or directory service (DS) with permission
to manage a share.
1. Use the drop-down menu to the right of the share and select Authorizations.
2. Add a user, group, or DS. Use the Authorize User, the Authorize Group, and the Authorize Directory links.
3. Search for the name of the user, group, or DS you want to give access to the share. Once you have found the
correct user, group, or DS, click the Add button.
4. On the Authorizations page, check the manage box to enable management of the share.
The user, group, or DS should now be authorized with permissions to create and modify Shares and Users within the
managed share.
Creating Local Accounts
Adding Local Users
Administrators can create IBM Aspera Shares user accounts that are automatically added to the local database. For
DS users, see Importing DS Users on page 42. After creating local users you can add them to a local Shares
group.
1. Log into Shares and navigate to Admin > Accounts > Users > New.
2. Enter the following details:
• First Name
• Last Name
• Username
• Email Address
• Initial Login action (you can either send a login link that takes the user to the set-password page, or set a temporary password on the user's behalf).
The User dialog appears, displaying the tabs described in the following table:
Tab
Description
Detail
Update the local user's name, username, and email address, or delete the local user from
Shares.
Member of
Add this user to a local group by selecting one from the drop-down list. Only local groups
that have been added to Shares appear on this list.
Note: You cannot add local users to a DS group, only to local groups. For
instructions on configuring DS users, see Importing DS Users on page 42.
After adding a local user to a local group, you can click Edit to modify the group's
settings, or click Remove to delete the user from the group.
Clicking Edit takes you to the local group's configuration page. See Adding Local Groups on
page 40 for details on modifying a local group's settings.
Security
You can update the following security settings:
• Send the user a password reset link.
• Disable the user's account. If you disable this user's account in this dialog, the user cannot log into Aspera Shares even if the user belongs to a group that has group access permissions.
• Allow the user to log into the Shares application.
• Make this user an administrator.
• Allow the user to log into the API. Users who do not have Browse permissions can still log into the API and perform transfer and file operations.
• Set an account expiration date.
• Set a temporary password.
Shares
Click Add Share to authorize specific shares for the local user to access. If this user
belongs to a local group, and the group has access to a share, that share is listed here
because permission to access the share is inherited from the group.
A list of nodes and shares appears. Click Authorize to authorize a share.
You can modify the local user's permissions for browsing, transferring, and performing
file operations within it. The default permission is browse. If browse is not selected, the
local user is only able to access functions if the user has been made an API user. To edit
these permissions or disallow the local user's access to the share, click edit.
Select permissions that the local user has for the authorized share.
After modifying the settings, click Update. You may disallow access to this share by
clicking Delete.
Preferences
Select a timezone and input any comments.
Transfer Setting
You can override settings of Shares and groups, if the user belongs to a group, by
implementing transfer settings specifically for this user. Click Override these settings to
make transfer settings changes in the enabled text boxes.
Transfer settings include the following:
• Upload target rate: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Upload target rate cap: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate cap: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Starting policy: Select the policy to be enforced when the transfer starts:
  • Fixed: The transfer transmits data at a rate equal to the target rate, although this may impact the performance of other traffic present on the network.
  • High: The transfer rate is adjusted to use the available bandwidth up to the maximum rate.
  • Fair: The transfer attempts to transmit data at a rate equal to the target rate. If network conditions do not permit that, it transfers at a rate lower than the target rate, but not less than the minimum rate.
  • Low: The transfer rate is less aggressive than Fair when sharing bandwidth with other network traffic. When congestion occurs, the transfer rate is decreased to the minimum rate, until other traffic retreats.
• Allowed policy: Select the policies that are available to the user during transfer. If you do not make any selections, the Inherit from node setting is displayed, which will apply the settings inherited from the node.
• Encryption: Select Optional or AES-128. If you do not make any selections, the Inherit from node setting is displayed, which will apply the settings inherited from the node.
• Encryption at rest: Select Optional or Required. If you do not make any selections, the Inherit from node setting is displayed, which will apply the settings inherited from the node. If you select Required, the uploaded files must be encrypted during a transfer to protect them while they are stored on a remote server. The uploader sets a password before uploading the file, and the downloader needs to enter that password to decrypt the file.
Activity
View and search for Shares activities by this user.
Adding Local Groups
Administrators can create IBM Aspera Shares local groups, in which all users who belong to the group have the same
Shares access permissions and belong to the local database, rather than a DS.
1. Log in to Shares and navigate to Admin > Accounts > Groups > New.
2. Enter the new local group's Name.
The Group dialog appears, which displays the following six tabs:
3. Configure specific settings for your new local group:
Tab
Description
Detail
Update the local group’s name, username, and email address, or delete the local group
from Shares.
Member of
Add members to the local group by selecting local users from the drop-down list. You
will only see local users who have been added to Aspera Shares.
Note: You cannot add DS users to a local group. You can configure DS groups
by navigating to Admin > Accounts > Directories.
After adding a member to your local group, you can click Edit to modify users’ settings,
or click Remove to delete them from the group.
When you click Edit, the individual user's configuration page appears. See Adding Local
Users on page 37 for details on modifying a local user's settings.
Security
Configure specific security settings for all members of the group, including whether
members of the group can log into Shares, and whether all groups are administrators.
• If you select Login, all users in this group can log into Shares. If left clear, you may give individual users access to log in.
• If you select Admin, all users in this group have administrative permissions. If left clear, you may give individual users administrative access.
To configure users' security settings from their individual account pages, see Adding
Local Users on page 37 for details.
Shares
Click Add Share to authorize specific shares for the members of this group to access.
A list of nodes and shares that are currently configured in Shares appears. Click
Authorize to authorize a share.
After authorizing a share, you can modify the group's permissions for browsing,
transferring, and performing file operations within it. The default permission is browse.
To edit these permissions or disallow the group's access to the share, click edit.
Select permissions that group members have for the authorized share. Click Update. You
can disallow access to this share by clicking Delete.
Transfer Setting
You can override Shares settings for this group by implementing transfer settings
specifically for members of this group. Click Override these settings to make transfer
settings changes in the enabled text boxes.
Transfer settings include the following:
• Upload target rate: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Upload target rate cap: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate cap: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Starting policy: Select the policy to be enforced when the transfer starts:
  • Fixed: The transfer transmits data at a rate equal to the target rate, although this may impact the performance of other traffic present on the network.
  • High: The transfer rate is adjusted to use the available bandwidth up to the maximum rate.
  • Fair: The transfer attempts to transmit data at a rate equal to the target rate. If network conditions do not permit that, it transfers at a rate lower than the target rate, but not less than the minimum rate.
  • Low: The transfer rate is less aggressive than Fair when sharing bandwidth with other network traffic. When congestion occurs, the transfer rate is decreased to the minimum rate, until other traffic retreats.
• Allowed policy: Select the policies that are available to the user during transfer. If you do not make any selections, the Inherit from node setting is displayed, which will apply the settings inherited from the node.
• Encryption: Select Optional or AES-128. If you do not make any selections, the Inherit from node setting is displayed, which will apply the settings inherited from the node.
• Encryption at rest: Select Optional or Required. If you do not make any selections, the Inherit from node setting is displayed, which will apply the settings inherited from the node. If you select Required, the uploaded files must be encrypted during a transfer to protect them while they are stored on a remote server. The uploader sets a password before uploading the file, and the downloader needs to enter that password to decrypt the file.
Click Save to keep the new settings or Cancel to cancel setting changes. You may also click
Use Inherited Settings to return to the application-wide transfer configuration.
Activity
View and search for Shares activities by this group.
Setting Up DS Users and Groups
Importing DS Users
1. Click Admin > Users > Search. The User Search dialog appears.
2. Type the username or at least two characters of the username and click Search. A list of users that match the
characters appears.
3. Click Edit next to the username to import the user. You can now edit the user’s profile. For details on how to edit
a user’s profile, see Adding Local Users on page 37.
Importing DS Groups
1. Click Admin > Groups > Search. The Group Search dialog appears.
2. Type the group name or at least two characters of the group name and click Search. A list of groups that match the
characters appears.
3. Click Edit next to the group to import the group. You can now edit the group’s profile. For details on how to edit a
group’s profile, see Adding Local Groups on page 40.
Managing Users
Setting Permissions for Individual DS Users
You can configure DS users with unique settings. Click Edit for the corresponding DS user.
Tab
Description
Detail
View the DS user's name, modify the directory, or delete the user from the IBM Aspera Shares
application.
Member of
Displays all groups to which this DS user belongs. If the number of groups exceeds 100, a
search facility is opened.
A group's Edit link takes you to a DS group's configuration page. For details on modifying DS
group settings, see Importing DS Groups on page 42.
Security
Click Security to update the following settings:
• Disable the user's account. The user is unable to log into Shares even if the user belongs to a group or directory that has access permissions.
• Allow the user to log into Shares.
• Make this user an Administrator.
• Allow the user to log into the API. Users who do not have Browse permissions can still log into the API and perform transfer and file operations.
• Set an account expiration date.
Shares
Click Add Share to authorize specific shares for the DS user to access. If this user belongs to
a DS group, and the group has access to a share, that share is listed here because permission to
access the share is inherited from the group. The same is true if the entire directory has access to
this share.
A list of nodes and shares appears. Click Authorize to authorize a share.
You can modify the DS user's permissions for browsing, transferring, and performing file
operations within it. The default permission is browse. If browse is not selected, the DS user is
only able to access functions if the user has been made an API user. To edit these permissions or
disallow the DS user's access to the share, click edit.
Select permissions that the DS user has for the authorized share.
After modifying the settings, click Update. You may disallow access to this share by clicking
Delete.
Preferences
Select a timezone and add any comments.
Transfer Settings
You can override settings of Shares for this user by implementing transfer settings specifically
for this user. Click Override these settings to make transfer settings changes in the enabled text
boxes.
Transfer settings include the following:
• Upload target rate: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Upload target rate cap: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate cap: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Starting policy: Select the policy to be enforced when the transfer starts:
  • Fixed: The transfer transmits data at a rate equal to the target rate, although this may impact the performance of other traffic present on the network.
  • High: The transfer rate is adjusted to use the available bandwidth up to the maximum rate.
  • Fair: The transfer attempts to transmit data at a rate equal to the target rate. If network conditions do not permit that, it transfers at a rate lower than the target rate, but not less than the minimum rate.
  • Low: The transfer rate is less aggressive than Fair when sharing bandwidth with other network traffic. When congestion occurs, the transfer rate is decreased to the minimum rate, until other traffic retreats.
• Allowed policy: Select the policies that are available to the user during transfer. You can also select Inherit from node to use the node’s setting.
• Encryption: Select Optional or AES-128. You can also select Inherit from node to use the node’s setting.
• Encryption at rest: Select Optional or Required. You can also select Inherit from node to use the node’s setting. If you select Required, the uploaded files must be encrypted during a transfer to protect them while they are stored on a remote server. The uploader sets a password before uploading the file, and the downloader needs to enter that password to decrypt the file.
Activity
View and search for Shares activities by a specific user.
Managing Groups
Setting Permissions for Individual DS Groups
You can configure DS groups with unique settings. Click Edit for the corresponding DS group to configure the
following group settings.
Tab
Description
Detail
View the DS group's name, modify the directory, or delete the directory from IBM Aspera
Shares.
Member Of
If this group is a member of another group, this tab provides that information.
Members
Displays this group's DS members and enables you to edit corresponding DS user settings. For
details on editing DS user settings, see Importing DS Users on page 42.
Security
Configure specific security settings for all members of the DS group, including whether
all members of the group can log into Shares, and whether all members of the group are
administrators. If you leave these check boxes clear, you can configure local users’ security
settings from their individual account pages. See Adding Local Users on page 37 for details.
Shares
Authorize specific shares for the members of this DS group to access.
Clicking Add Share provides a list of nodes and shares that are currently configured in the
Shares application’s Authorize link.
Click Authorize to authorize a share. You can modify the DS group's permissions for browsing,
transferring, and performing file operations within it. The default permission is browse. To edit
these permissions or disallow the DS group's access to the share, click edit.
Note: If you authorized a share for this DS group's entire directory, then this group will
inherit the same access permissions for that share.
Note: If you authorize the share for this DS group's entire directory, the Inherited?
column is populated with the text "Inherited."
Select permissions that group members have for the authorized share. For example, our
accounting department is allowed to browse, download, and upload spreadsheets, and to perform all
file operations within the Spreadsheets share.
After modifying the settings, click Update. You may disallow access to this share by clicking
Delete.
Transfer Settings
You can override the settings of Shares for this group by implementing transfer settings
specifically for members of this group. Click Override these settings to make transfer settings
changes in the enabled text boxes.
Transfer settings include the following:
• Upload target rate: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Upload target rate cap: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate cap: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Starting policy: Select the policy to be enforced when the transfer starts:
  • Fixed: The transfer transmits data at a rate equal to the target rate, although this may impact the performance of other traffic present on the network.
  • High: The transfer rate is adjusted to use the available bandwidth up to the maximum rate.
  • Fair: The transfer attempts to transmit data at a rate equal to the target rate. If network conditions do not permit that, it transfers at a rate lower than the target rate, but not less than the minimum rate.
  • Low: The transfer rate is less aggressive than Fair when sharing bandwidth with other network traffic. When congestion occurs, the transfer rate is decreased to the minimum rate, until other traffic retreats.
• Allowed policy: Select the policies that are available to the user during transfer. You can also select Inherit from node to use the node’s setting.
• Encryption: Select Optional or AES-128. You can also select Inherit from node to use the node’s setting.
• Encryption at rest: Select Optional or Required. You can also select Inherit from node to use the node’s setting. If you select Required, the uploaded files must be encrypted during a transfer to protect them while they are stored on a remote server. The uploader sets a password before uploading the file, and the downloader needs to enter that password to decrypt the file.
You can also select Inherit from node to use the node's settings.
Click Save to keep the new settings or Cancel to cancel setting changes. You may also click Use
Inherited Settings to return to the application-wide transfer configuration.
Activity
View and search for activity by members of this DS group.
Searching Accounts
To search for accounts from the Admin tab:
1. Under Accounts, select Groups or Users depending on what account type you want to search for.
2. Click the "Search" link at the top of the page.
3. Enter at least two characters for your search query. You can search by username, first name, or last name.
Note: Shares does not support searching by full name. For example, if you are searching for a user
"jd_user1" with first name "John" and last name "Doe", searching "John" or "Doe" would both return
"jd_user1", but searching "John Doe" would not return the user.
Working with SAML
IBM Aspera Shares supports Security Assertion Markup Language (SAML) 2.0, an open, XML-based standard that
allows secure web domains to exchange user authentication and authorization data. With the SAML model, you
can configure the Shares web application as a SAML "online service provider" (SP) that contacts a separate online
"identity provider" (IdP) to authenticate users who will use Shares to access secure content.
With SAML enabled and configured, a user logging into Shares is redirected to the IdP sign-on URL. If the user has
already signed in with the IdP, the IdP sends a SAML assertion back to Shares. The user is now logged into Shares.
When SAML is enabled, Shares creates a user account based on the information provided by a SAML response, and
therefore the Shares user account does not need to be created manually. However, any changes to the account that are
made on the DS server are not picked up by SAML.
These instructions assume you are already familiar with SAML and already have an identity provider (IdP) -- either
third-party or internal -- that meets the following requirements:
• can be configured to use an HTTP POST binding
• can be connected to the same directory service being used by Shares (however, SAML and DS cannot be used together)
• will not be configured to use pseudonyms
• can be configured to return assertions to the SP (Shares) that include the entire contents of the signing certificate
Note: SAML and directory services should not be enabled together. Although there is a directory service
behind a SAML IdP, Shares users will not have access to it. If Shares is being set up to use SAML, the
following is recommended: (1) directory service sync should be disabled; and (2) existing directory service
users should first be removed from the Shares system.
Setting up an Identity Provider
Please refer to Configuring Your Identity Provider (IdP) on page 53 for information on setting up an identity
provider for Shares.
Enabling SAML Authentication in Shares
Please refer to Configuring SAML on page 52 for instructions on how to enable SAML authentication in Shares.
Creating SAML Groups
Please refer to Creating SAML Groups on page 54 for instructions on how to set up SAML groups in Shares.
Adding individual SAML Users to a Local Group
Please refer to Adding a SAML User to a Local Groups on page 54 for instructions on how to add individual
SAML users to a local group.
User Accounts Being Provisioned by SAML Just-In-Time (JIT) Provisioning
Please refer to User Accounts Being Provisioned by SAML Just-In-Time (JIT) Provisioning on page 54 for
information on SAML Just-In-Time (JIT) Provisioning for Shares.
Note: Shares provides a mechanism for administrators to bypass the SAML login and log in using a
local username and password. This allows administrators to log in and correct server settings, including a
misconfigured SAML setup. To bypass the SAML login and sign in with the regular login, add local=true to
the end of the login URL. For example:
https://server_ip/login?local=true
Configuring SAML
Before following the instructions below, have the following information on hand:
• IdP Single Sign-On URL
• IdP Certificate Fingerprint OR IdP Certificate
1. In IBM Aspera Shares, navigate to Admin > Directories.
2. For the SAML IdP entry, click Edit.
The Detail tab appears with the following form:
3. Select the check box Log in using a SAML Identity Provider.
4. (Optional) Enable SAML login redirection.
If enabled, entering the default Shares URL will direct users to the SAML login page. If disabled, the Shares URL
will direct users to the local login page.
Figure 1: Local login page
5. Enter the SAML entry-point address provided by the IdP in the IdP Single Sign-On URL text box.
6. Enter either the IdP Certificate Fingerprint or the IdP Certificate.
7. Click Save to keep your changes, or Cancel to cancel your changes.
A Shares administrator can bypass the SAML login and sign in with the regular login form by adding the
local=true parameter to the login URL, for example:
https://10.0.176.30/login?local=true
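A detection sketch for the local=true bypass described here and in the Working with SAML note, as an added example (not part of the IBM guide or the Shares product): it scans web access logs for login requests that carry local=true and separates expected administrator sources from all others. The combined log format, the sample lines, and the admin_sources allowlist are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: the front-end web server logs in the common "combined" format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jun/2015:09:00:01 +0000] "GET /login?local=true HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jun/2015:09:02:13 +0000] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.45 - - [01/Jun/2015:09:05:40 +0000] "GET /login?local=true HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [01/Jun/2015:09:05:44 +0000] "POST /login?x=1&local=%74rue HTTP/1.1" 401 312 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jun/2015:09:06:02 +0000] "GET /aspera/shares/auth/saml/metadata HTTP/1.1" 200 1480 "-" "Mozilla/5.0"
203.0.113.45 - - [01/Jun/2015:09:07:19 +0000] "GET /login?local=false HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def is_local_login(target):
    """True if the request target is the login page with local=true set."""
    parts = urlsplit(target)
    path = unquote(parts.path).rstrip("/")
    if not path.endswith("/login"):
        return False
    # parse_qs percent-decodes values, so local=%74rue is caught as well.
    values = parse_qs(parts.query).get("local", [])
    return any(v.strip().lower() == "true" for v in values)


def find_local_logins(log_text, admin_sources):
    """Return one record per request that used the SAML bypass parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not is_local_login(m.group("target")):
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            # admin_sources is a hypothetical allowlist of admin workstations.
            "expected": m.group("ip") in admin_sources,
        })
    return hits


def unexpected_sources(hits):
    """Count bypass requests per source address outside the allowlist."""
    return Counter(h["ip"] for h in hits if not h["expected"])


if __name__ == "__main__":
    found = find_local_logins(SAMPLE_LOG, admin_sources={"192.0.2.10"})
    for h in found:
        flag = "ok" if h["expected"] else "REVIEW"
        print(f'{flag:6} {h["ip"]:15} {h["method"]:4} {h["status"]} {h["time"]}')
    print(dict(unexpected_sources(found)))
```

Requests from sources outside the allowlist are worth correlating with the Shares activity log for the same time window.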
Configuring Your Identity Provider (IdP)
IdP Requirements
The following instructions to configure SAML for IBM Aspera Shares assume that you have an IdP that meets the
following requirements:
• Supports SAML 2.0
• Able to use an HTTP POST binding.
• Able to connect to the same directory service being used by Shares.
• Not configured to use pseudonyms.
• Can return assertions to Shares that include the entire contents of the signing certificate.
• If prompted, set to sign the SAML response. (Signing the SAML assertion is optional.)
You must set the following information to set up your Identity Provider to work with Shares:
Name ID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Entity ID | https://www.our-shares-server.com/aspera/shares/auth/saml/metadata
Binding | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Callback URL | https://www.our-shares-server.com/aspera/shares/auth/saml/callback
You can retrieve this data directly from auth/saml/metadata if the IdP is capable of reading SAML XML
metadata for a service provider.
Assertion Message Elements
Shares expects assertion messages from an IdP to contain the following elements:
Element | Required? | Format
SAML_SUBJECT | yes | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
email | yes | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
given_name | yes | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
id | yes | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
surname | yes | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
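A structural pre-check for the table above, as an added example (not IBM's code and not how Shares itself validates assertions): it decodes a captured HTTP POST binding response and reports which of the expected elements are missing. It assumes SAML_SUBJECT is the Subject NameID and that email, given_name, id and surname arrive as Attribute elements with those names; the sample responses are constructed and unsigned.

```python
import base64
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": ASSERTION_NS}
# Values taken from the guide's IdP settings and assertion element table.
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
REQUIRED_ATTRIBUTES = ("email", "given_name", "id", "surname")


def decode_post_binding(saml_response_b64):
    """Decode the SAMLResponse form field used by the HTTP POST binding."""
    return base64.b64decode(saml_response_b64).decode("utf-8")


def check_assertion(xml_text):
    """Return a list of problems; an empty list means every element is present.

    Structural check only: it does not verify the XML signature.
    """
    if "<!DOCTYPE" in xml_text.upper():
        return ["DOCTYPE present; refusing to parse"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    assertions = list(root.iter(f"{{{ASSERTION_NS}}}Assertion"))
    if len(assertions) != 1:
        return [f"expected exactly one Assertion, found {len(assertions)}"]
    assertion = assertions[0]
    problems = []

    # Assumption: SAML_SUBJECT in the guide's table is the Subject NameID.
    # This check requires the Format attribute to be stated explicitly.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("SAML_SUBJECT (Subject/NameID) is missing or empty")
    elif name_id.get("Format") != UNSPECIFIED:
        problems.append(
            f"NameID Format is {name_id.get('Format')!r}, expected {UNSPECIFIED!r}")

    # Assumption: the other elements are Attributes whose Name matches the table.
    found = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip()
                  for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        found.setdefault(attr.get("Name"), []).extend(values)
    for name in REQUIRED_ATTRIBUTES:
        if name not in found:
            problems.append(f"required attribute '{name}' is missing")
        elif not found[name]:
            problems.append(f"required attribute '{name}' has no value")
    return problems


def build_sample(name_id_format, attributes):
    """Build a constructed, unsigned SAML response for demonstration."""
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
        '</saml:AttributeValue></saml:Attribute>'
        for n, v in attributes.items())
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<saml:Assertion><saml:Subject>'
        f'<saml:NameID Format="{name_id_format}">jd_user1</saml:NameID>'
        '</saml:Subject>'
        f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement>'
        '</saml:Assertion></samlp:Response>')


SAMPLE_OK = build_sample(UNSPECIFIED, {
    "email": "jd_user1@example.com", "given_name": "John",
    "id": "jd_user1", "surname": "Doe"})
# Wrong NameID format, empty given_name, no surname attribute at all.
SAMPLE_BAD = build_sample(
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    {"email": "jd_user1@example.com", "given_name": "", "id": "jd_user1"})

if __name__ == "__main__":
    posted = base64.b64encode(SAMPLE_BAD.encode("utf-8")).decode("ascii")
    for problem in check_assertion(decode_post_binding(posted)):
        print("-", problem)
```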
Note: Shares users with SAML accounts may appear to be unaffected by session timeouts. Because a session
cookie is still active on the IdP server, users are logged in again automatically without the login page.
Creating SAML Groups
SAML groups are created in IBM Aspera Shares in one of two ways:
• Creating a SAML group in Shares using the web UI and logging in as a SAML user. The Shares SAML group will be mapped to the external SAML group.
• A SAML group is automatically created in Shares when a user logs in using SAML credentials.
The following instructions describe how to create a SAML group in Shares using the web UI:
1. When SAML is enabled, you can create SAML groups by navigating to Admin > Groups.
2. Click New SAML Group to create a SAML group.
3. Enter the group name, which is the distinguished name (DN).
4. Click Create Group to create the SAML group.
You can view and manage your SAML group in the Groups section under Admin.
Adding a SAML User to a Local Group
If there are specific SAML users you want to manage in Shares instead of in SAML, you can add these SAML users
to a local Shares group.
Note: You cannot add DS users to a local group.
1. Import SAML user.
Import the SAML group the user is a member of into Shares by logging in as a user in that SAML group. A
SAML group is automatically created when a user logs in using SAML credentials. For more information on
creating SAML groups, refer to Creating SAML Groups on page 54.
2. Create new Shares group.
Navigate to Admin > Groups and select New. Give your group a name and select Create Group.
3. Add the imported SAML user.
Within your new group, select the Members tab, select the SAML user from the dropdown, then click the Add
button.
User Accounts Being Provisioned by SAML Just-In-Time (JIT) Provisioning
When new user accounts are being provisioned through SAML JIT Provisioning, new SAML groups are created
when the SAML response contains group information, and that group does not yet exist in IBM Aspera Shares. A
SAML user belonging to multiple groups will get permissions and settings of all groups the user belongs to. For
example, if group A disallows sending to external users but group B does not, users who belong to both groups are
allowed to send to external users. Settings that require specific handling are as follows:
• Account expiration is only enabled if all groups to which a user belongs specify account expiration. If account expiration is enabled, the expiration date is set to the latest expiration date from among all groups.
• For the settings “Server Default”, “Yes” or “Allow”, and “No” or “Deny”, the setting is set to “Yes” if any group specifies yes, and it is set to “No” if all groups are set to no. Otherwise it is set to the server default.
• For package deletion policy, override is enabled if all groups specify override, or the least restrictive group setting is less restrictive than the server-wide setting. If override is enabled, the least restrictive group setting is used. “Do nothing” is less restrictive than “Delete files after all recipients download all files,” which in turn is less restrictive than “Delete files after any recipient downloads all files.”
• For advanced transfer settings, override is enabled if all groups specify override or if any group specifies any transfer rate that is higher than the server default. If override is enabled, each transfer rate is set to the higher of the highest value from among the groups and the server default. The minimum rate policy is locked only if all groups specify the setting.
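The merge rules above mean that membership in any one permissive group loosens a user's effective settings, so it helps to compute the result before mapping IdP groups. The following Ruby sketch is an added example, not code from Shares; the hash keys, policy symbols, setting names and sample groups are assumptions made for illustration.

```ruby
require 'date'

# Added illustration. The hash keys and symbols below are hypothetical and are
# not Shares' internal schema. nil means the group leaves a setting at
# "Server Default" or does not specify an override.

# Package deletion policies ordered from most to least restrictive,
# following the ordering given in the guide.
DELETION_ORDER = %i[delete_after_any delete_after_all do_nothing].freeze

# "Yes" if any group says yes, "No" only if every group says no,
# otherwise the server default applies.
def merge_tristate(values, server_default)
  return :yes if values.include?(:yes)
  return :no if !values.empty? && values.all? { |v| v == :no }
  server_default
end

# Expiration applies only when every group sets one; the latest date wins.
def merge_expiration(dates)
  return nil if dates.empty? || dates.any?(&:nil?)
  dates.max
end

# Override when all groups specify a policy, or when the least restrictive
# group policy is less restrictive than the server-wide one.
def merge_deletion(policies, server_policy)
  specified = policies.compact
  return server_policy if specified.empty?
  least = specified.max_by { |p| DELETION_ORDER.index(p) }
  all_specify = policies.none?(&:nil?)
  looser = DELETION_ORDER.index(least) > DELETION_ORDER.index(server_policy)
  (all_specify || looser) ? least : server_policy
end

# Override when all groups specify transfer settings, or any group rate
# exceeds the server default; each rate then takes the highest value seen.
def merge_rates(group_rates, server_rates)
  specified = group_rates.compact
  any_higher = specified.any? do |rates|
    rates.any? { |name, kbps| kbps > server_rates.fetch(name) }
  end
  all_specify = !group_rates.empty? && group_rates.none?(&:nil?)
  return server_rates.dup unless all_specify || any_higher
  server_rates.map do |name, default|
    [name, ([default] + specified.map { |r| r[name] }.compact).max]
  end.to_h
end

def effective_settings(groups, server)
  {
    send_to_external: merge_tristate(groups.map { |g| g[:send_to_external] },
                                     server[:send_to_external]),
    expires_on: merge_expiration(groups.map { |g| g[:expires_on] }),
    deletion: merge_deletion(groups.map { |g| g[:deletion] }, server[:deletion]),
    rates: merge_rates(groups.map { |g| g[:rates] }, server[:rates])
  }
end

# Constructed sample data.
SERVER = { send_to_external: :no, deletion: :delete_after_any,
           rates: { upload_kbps: 100_000, download_kbps: 100_000 } }.freeze
GROUP_A = { name: 'A', send_to_external: :no, expires_on: Date.new(2015, 6, 30),
            deletion: :delete_after_any, rates: { upload_kbps: 50_000 } }.freeze
GROUP_B = { name: 'B', send_to_external: :yes, expires_on: Date.new(2015, 12, 31),
            deletion: :delete_after_all, rates: nil }.freeze
GROUP_C = { name: 'C', send_to_external: nil, expires_on: nil,
            deletion: nil, rates: { download_kbps: 250_000 } }.freeze

if __FILE__ == $PROGRAM_NAME
  p effective_settings([GROUP_A, GROUP_B], SERVER)
  p effective_settings([GROUP_A, GROUP_B, GROUP_C], SERVER)
end
```

Adding group C to the user removes the account expiration and raises the download rate, even though C sets neither the deletion policy nor the external-sending flag.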
| Working with Rake Tasks | 56
Working with Rake Tasks
Rake tasks can be used to configure and manage IBM Aspera Shares users, groups, shares, and nodes from the
command line.
1. Navigate to the shares folder.
cd /opt/aspera/shares/u/shares/bin
2. Test that your rake tasks are working correctly.
./run rake -T
Note: Repeat the above steps each time you need to prepare your environment to run rake tasks.
See below for a list of all the rake tasks you can run in Shares.
User Management Rake Tasks on page 56
Group Management Rake Tasks on page 58
Share Management Rake Tasks on page 59
Node Management Rake Tasks on page 60
Other Configurations Using Rake Tasks on page 62
User Management Rake Tasks
The following rake tasks cover how to create, modify and delete users as well as how to export and import users
from .csv files.
Tip: Square brackets in usage statements denote optional arguments and need not be included when running
the commands.
Note: Linux users must navigate to /opt/aspera/shares/u/shares/bin/ in the Terminal before
running rake tasks.
Create User
Syntax:
rake data:user:create -- --username <username> --password <password> --email <email> --first_name <first_name> --last_name <last_name>
Example:
./run rake data:user:create -- --username user --password 3x@mp13_p@zzw0rd --email [email protected] --first_name John --last_name Doe
Delete User
Syntax:
rake data:user:delete -- --username <username>
Example:
./run rake data:user:delete -- --username user
Updating User
Syntax:
rake data:user:update -- --username <username> --password <password> --email <email> --first_name <first_name> --last_name <last_name>
Example:
./run rake data:user:update -- --username user --password 3x@mp13_p@zzw0rd --email [email protected] --first_name John --last_name Doe
Export a List of Users
Syntax:
rake data:user:export --path <path>
Example:
./run rake data:user:export --path /tmp
Note: Exporting will not write user passwords to the .csv file. You must add them manually if you want passwords in the exported .csv file.
Import Users (from .csv)
Syntax:
rake data:user:import -- --path <path>
Example:
./run rake data:user:import -- --path /tmp/users.csv
Note: The format of the .csv file should be, for each user:
Username, Email, First Name, Last Name, Password
Users for whom no passwords are specified will be given a random password and must click the Forgot your username and password? link before logging in.
Group Management Rake Tasks
The following rake tasks cover how to create and delete groups and how to add or delete users from a group.
Tip: Square brackets in usage statements denote optional arguments and need not be included when running
the commands.
Note: Linux users must navigate to /opt/aspera/shares/u/shares/bin/ in the Terminal before
running rake tasks.
Create Group
Syntax:
rake data:group:create -- --group_name <group_name>
Example:
./run rake data:group:create -- --group_name users
Delete Group
Syntax:
rake data:group:delete -- --group_name <group_name>
Example:
./run rake data:group:delete -- --group_name users
Add User to a Group
Syntax:
rake data:group:user:add -- --username <username> --group_name <group_name>
Example:
./run rake data:group:user:add -- --username user --group_name users
Remove User from a Group
Syntax:
rake data:group:user:remove -- --username <username> --group_name <group_name>
Example:
./run rake data:group:user:remove -- --username user --group_name users
Share Management Rake Tasks
The following rake tasks cover how to create, modify, and delete a share and how to manage a user or group's share
permissions.
Tip: Square brackets in usage statements denote optional arguments and need not be included when running
the commands.
Note: Linux users must navigate to /opt/aspera/shares/u/shares/bin/ in the Terminal before
running rake tasks.
Create Share
Syntax:
rake data:share:create -- --node_name <node_name> --share_name <share_name> --directory <directory>
Example:
./run rake data:share:create -- --node_name aspera --share_name share1 --directory /mnt
Delete Share
Syntax:
rake data:share:delete -- --share_name <share_name>
Example:
./run rake data:share:delete -- --share_name share1
Modify Share
Note: Same syntax as create share. Change the values as needed to modify the attributes of a share with the specified name.
Syntax:
rake data:share:create -- --node_name <node_name> --share_name <share_name> --directory <directory>
Example:
./run rake data:share:create -- --node_name aspera --share_name share1 --directory /mnt
Manage User's Share Permissions
Syntax:
rake data:user:share_permissions -- --username <username> --share_name <share_name> [--<INSERT DESIRED PERMISSION> <true or false> --<INSERT DESIRED PERMISSION> <true or false> ...]
Where valid permissions are:
• browse_permission
• download_permission
• upload_permission
• mkdir_permission
• delete_permission
• rename_permission
• content_availability_permission
• manage_permission
Example:
./run rake data:user:share_permissions -- --username users --share_name share1 --upload_permission true --mkdir_permission true
Manage Group's Share Permissions
Syntax:
rake data:group:share_permissions -- --group_name <group_name> --share_name <share_name> [--<INSERT DESIRED PERMISSION> <true or false> --<INSERT DESIRED PERMISSION> <true or false> ...]
Where valid permissions are:
• browse_permission
• download_permission
• upload_permission
• mkdir_permission
• delete_permission
• rename_permission
• content_availability_permission
• manage_permission
Example:
./run rake data:group:share_permissions -- --group_name users --share_name share1 --upload_permission true --mkdir_permission true
Node Management Rake Tasks
The following rake tasks cover how to create and delete a node.
Tip: Square brackets in usage statements denote optional arguments and need not be included when running
the commands.
Note: Linux users must navigate to /opt/aspera/shares/u/shares/bin/ in the Terminal before
running rake tasks.
Create Node
Syntax:
rake data:node:create -- --name <name> --host <host> --api_username <api_username> --api_password <api_password> [--options]
Example:
./run rake data:node:create -- --name aspera --host localhost --api_username xfer1 --api_password 3x@mp13_p@zzw0rd
Note: You must create a node user and password to finish creating the new node. Refer to the Setting up
Node Users section in the Enterprise Server Administrator Guide for instructions on how to create a node
user.
Delete Node
Syntax:
rake data:node:delete -- --name <name>
Example:
./run rake data:node:delete -- --name aspera
Update Node
Syntax:
rake data:node:update -- --name <name> [--options]
Example:
./run rake data:node:update -- --name aspera
Options
When running the create and update tasks above, you can add the following options to your command to edit their
values:
Option                          Default
--port <port>                   9092
--ssl (true | false)            true
--verify_ssl (true | false)     false
--timeout <timeout>             30
--open_timeout <open_timeout>   10
Other Configurations Using Rake Tasks
The following rake tasks cover how to add or configure an LDAP, configure web server settings, and configure smtp
server settings.
Tip: Square brackets in usage statements denote optional arguments and need not be included when running
the commands.
Note: Linux users must navigate to /opt/aspera/shares/u/shares/bin/ in the Terminal before
running rake tasks.
Add or Configure LDAP
Syntax:
rake data:ldap_config -- --directory_type <directory_type> --name <name> [--description <description>] --host <host> --port <port> [--base_dn <base_dn>] --authentication_method <authentication_method> [--username <username> --password <password> --encryption <encryption>]
Example:
./run rake data:ldap_config -- --directory_type ActiveDirectory --name test_dir --host ldap.aspera.us --port 1234 --base_dn OU=AsperaDirectory,DC=aspera,DC=asperasoft,DC=com --authentication_method simple --username user1 --password 3x@mp13_p@zzw0rd --encryption simple_tls
Where acceptable directory types are:
• ActiveDirectory
• OpenDirectory
• FedoraDirectoryServer
• OpenLdap
Where acceptable authentication methods are:
• anonymous
• simple (Simple bind requires a username and a password.)
Where acceptable encryption types are:
• unencrypted
• simple_tls
Note: Encryption is, by default, set to unencrypted.
Configure web server settings
Syntax:
rake data:web_server -- --host <host> --port <port> --tls <tls>
Example:
./run rake data:web_server -- --host this.is.an.example --port 1234 --tls true
Configure smtp server settings
Syntax:
rake data:smtp_server -- --server <server> --port <port> --domain <domain> --tls <tls> --username <username> --password <password> --from <from>
Example:
./run rake data:smtp_server -- --server example_server --port 1234 --domain example.domain --tls true --username user1 --password 3x@mp13_p@zzw0rd --from [email protected]
Note: The first time this task is run, it will create a new entry, and require an entry for all of the fields. Afterward, running the task again will only modify specified fields, leaving non-specified fields the same.
| Configuring MySQL Server | 64
Configuring MySQL Server
Using Another MySQL Server During Installation on page 64
Using Another MySQL Server After Installation on page 64
Changing the Built-in MySQL Port on page 65
Using Another MySQL Server During Installation
When installing the .rpm, a message is printed describing how to use another mysql server. The message is:
To use a remote MySQL server and disable the local MySQL server,
add the connection information to this file:
/opt/aspera/shares/etc/my.cnf.setup
The default contents of my.cnf.setup are:
[client]
user = root
password =
host = localhost
port = 4406
Update the contents of my.cnf.setup with your MySQL server information.
If you set a password in my.cnf.setup, then the install script assumes an already configured MySQL server is
available, and uses the values in my.cnf.setup. Additionally, the built-in MySQL server is disabled.
Using Another MySQL Server After Installation
To use another MySQL server after rpm installation has occurred, you must update .my.cnf files and application
configuration files.
1. Update the .my.cnf files with your MySQL server information in each of the following locations:
• /opt/aspera/shares/.my.cnf
• /opt/aspera/shares/u/shares/.my.cnf
• /opt/aspera/shares/u/stats-collector/.my.cnf
2. Update the Shares application config file located at /opt/aspera/shares/u/shares/config/database.yml.
Replace the bolded example variables with your MySQL server information.
production:
  database: shares
  username: "mysql_user"
  password: "3xamp13MySQLp4zzw0rd1234567"
  host: 10.0.0.0
  port: 1234
  encoding: utf8
  reconnect: false
  pool: 5
production_stats_collector:
  database: stats_collector
  username: "mysql_user"
  password: "3xamp13MySQLp4zzw0rd1234567"
  host: 10.0.0.0
  port: 1234
  encoding: utf8
  reconnect: false
  pool: 5
3. Update the stats collector configuration file located at /opt/aspera/shares/u/stats-collector/etc/persistence.xml.
Replace the bolded example variables with your MySQL server information.
<!-- connection URL: jdbc:mysql://HOST:PORT/DATABASE -->
<property name="hibernate.connection.url"
          value="jdbc:mysql://10.0.0.0:1234/stats_collector"/>
<property name="hibernate.connection.username" value="mysql_user"/>
<property name="hibernate.connection.password"
          value="3xamp13MySQLp4zzw0rd1234567"/>
4. Restart all services.
Run the following commands to restart all Shares services at once.
# service aspera-shares stop
# service aspera-shares start
5. Disable the built-in MySQL server.
To stop the built-in MySQL from running, you must remove it from the runlevels that include it. Run the
following commands:
rm /opt/aspera/shares/etc/runit/runlevels/setup/mysqld
rm /opt/aspera/shares/etc/runit/runlevels/up/mysqld
Changing the Built-in MySQL Port
Edit the my.cnf file to change the built-in MySQL port.
The my.cnf file can be found at /opt/aspera/shares/etc/my.cnf. Find the [mysqld] section and change
the value for port.
For example, to change the port to 12345, make the following edit in my.cnf:
[mysqld]
port = 12345
| Configuring the Stats Collector | 66
Configuring the Stats Collector
Adding Existing Nodes to Stats Collector on page 66
Configure Stats Collector Log Levels on page 66
Lowering Stats Collector Polling Frequency on page 67
Retrieving Stats Collector Version Number on page 67
Adding Existing Nodes to Stats Collector
The following steps assume you have already set up the RUBY environment necessary to run rake tasks. If you have
not done so, refer to Working with Rake Tasks on page 56 for instructions on how to do so. If you have already set up
the environment, continue on to the next step.
1. Navigate to the shares folder.
cd /opt/aspera/shares/u/shares/bin
2. Run the following rake tasks to add existing nodes to stats collector:
./run rake aspera:stats_collector:add_all_nodes
Configure Stats Collector Log Levels
Edit the stats collector logging configuration file (logback.xml) to enable more detailed information in its logs.
1. Open the logback.xml file located at /opt/aspera/shares/u/stats-collector/etc/logback.xml.
2. Towards the bottom of the file, change INFO to DEBUG in the following section.
The log level flag is set to INFO by default.
<root level="${statscollector.log.level:-INFO}">
  <appender-ref ref="FILE"/>
  <appender-ref ref="STDERR" />
</root>
3. Restart stats collector for the changes to take effect.
Run the following command:
# /opt/aspera/shares/sbin/sv restart stats-collector
Stats collector logs should now show debugging information. To change log levels back to normal, open the
logback.xml file and change DEBUG back to INFO.
Lowering Stats Collector Polling Frequency
Lowering the frequency that stats collector polls nodes for statistics can free up memory and lower the load on your
server. This is especially applicable to cases where the stats collectors of multiple machines are all polling a single
node for statistics.
1. Access the stats-collector.properties file.
Find the stats-collector.properties file at /opt/aspera/shares/u/stats-collector/etc/stats-collector.properties.
2. Uncomment and change the polling.period variable:
## The time period at which nodes are polled for new statistics.
## Default 1s
# polling.period=
For example, increase the polling period to 5 seconds to lower the load on
your server:
## The time period at which nodes are polled for new statistics.
## Default 1s
polling.period=5s
3. Restart stats collector for the changes to take effect.
Run the following command:
# /opt/aspera/shares/sbin/sv restart stats-collector
Retrieving Stats Collector Version Number
Run the following command:
/opt/aspera/shares/u/stats-collector/bin/run java -jar lib/statscollector-admin.jar -A
| Performing Maintenance Tasks | 68
Performing Maintenance Tasks
The following system configuration options are available under the Other menu on the Admin page:
System Settings
Option
Description
Background
Modify or reset the parameters that IBM Aspera Shares checks when running background jobs.
License
View or change your Shares license.
Localization
Configure your Shares server with your local timezone, date format, and time format.
Logging
Configure whether logged events trigger a warning or an error.
Logos
Add, edit, or delete a custom logo for your Shares Web UI.
Messages
Create a login page message for your users, and a home page message.
Transfers
• Min connect version: The minimum version of the Aspera Connect™ browser plugin that can be used to transfer with Shares. The version must be in the form "X.Y", for example, 1, 1.2. If you are using Aspera On-Demand Shares, the minimum accepted version of Connect is 2.7.8, which is the default setting.
• Upload target rate: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Upload target rate cap: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate cap: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Starting policy: Select the policy to be enforced when the transfer starts:
  • Fixed: The transfer transmits data at a rate equal to the target rate, although this may impact the performance of other traffic present on the network.
  • High: The transfer rate is adjusted to use the available bandwidth up to the maximum rate.
  • Fair: The transfer attempts to transmit data at a rate equal to the target rate. If network conditions do not permit that, it transfers at a rate lower than the target rate, but not less than the minimum rate.
  • Low: The transfer rate is less aggressive than Fair when sharing bandwidth with other network traffic. When congestion occurs, the transfer rate is decreased to the minimum rate, until other traffic retreats.
• Allowed policy: Select the policies that are available to the user during transfer. If you do not make any selections, the Inherit from node setting is displayed, which will apply the settings inherited from the node.
• Encryption: Select Optional or AES-128. If you do not make any selections, the Inherit from node setting is displayed, which will apply the settings inherited from the node.
• Encryption at rest: Select Optional or Required. If you do not make any selections, the Inherit from node setting is displayed, which will apply the settings inherited from the node. If you select Required, the uploaded files must be encrypted during a transfer to protect them while they are stored on a remote server. The uploader sets a password before uploading the file, and the downloader needs to enter that password to decrypt the file.
Web Server
Configure the web server settings, including the host, port, and whether SSL/TLS is enabled.
The hostname or IP address entered into the Host field is used as part of the URL in Shares
emails to users. For example, when an account is created for a user, that user will receive
an email prompting the user to reset the password. This email contains a URL that points to
whatever hostname or IP address is entered into the Host field.
Clearing Background Jobs
If IBM Aspera Shares background jobs are not responding, they can be cleared using the command line.
1. Clear background jobs in MySQL.
Run the following command:
# /opt/aspera/shares/bin/run mysql -e 'delete from delayed_jobs'
2. Restart Aspera background jobs.
# /opt/aspera/shares/sbin/sv restart shares-background-default-0
Fixing Services Not Running After Upgrading Shares
After an upgrade, it may seem that only MySQL is running and the other services are missing. The problem may be that an error during the upgrade left Shares in the "setup" runlevel instead of the "up" runlevel. To fix the problem, you need to change the current runlevel to be the "up" runlevel.
Important: Do not add symlinks to /opt/aspera/shares/etc/runit/runlevels/setup.
Use the following command from runit:
/opt/aspera/shares/sbin/runsvchdir up
Shares is now at the "up" runlevel and the other services should now work.
Restart Shares Services
Some troubleshooting fixes may require that you stop, start, or restart one or more IBM Aspera Shares services.
Restarting All Shares Services
Run the following commands to restart all Shares services at once.
# service aspera-shares stop
# service aspera-shares start
Restarting Individual Services
Follow this syntax:
Restart a service:
# /opt/aspera/shares/sbin/sv restart [command service]
For example, to start and stop the stats-collector command service:
# /opt/aspera/shares/sbin/sv restart stats-collector
Note: Command services support all sv commands including stop, start, and restart.
Command services include:
• crond
• mysqld
• nginx
• shares-background-0
• stats-collector
Tip: The shares-background-0 command service runs scheduled jobs in queue, such as sending emails.
Backing Up Shares and the Database
Tip: The Shares web UI and nginx service will still be available while performing a backup.
1. Run the following script as a root user.
The script stops Shares services, backs up all necessary files, and restarts Shares. You cannot use this procedure
with earlier versions of Shares.
# /opt/aspera/shares/u/setup/bin/backup /your_backup_dir
For example:
# /opt/aspera/shares/u/setup/bin/backup /tmp
Creating backup directory /tmp/20130627025459 ...
Checking status of aspera-shares ...
Status is running
mysqld is alive
Backing up the Shares database and config files ...
Backing up the SSL certificates ...
Done
2. Make a note of the ID of the created backup directory for future use. In the above example: 20130627025459.
For instructions on how to restore a backup of Shares, see Restoring Shares from a Backup on page 12.
Gathering and Zipping Up All Logs for Support
Aspera Technical Support often requires system logs to help troubleshoot errors. The following command gathers
the logs created by IBM Aspera Shares, background processes, and stats collector into a .zip file that can be sent to
Aspera Technical Support.
Gather and zip up logs for support:
Run this command in one line:
tar czvf /tmp/shares-logs-backup-`date "+%Y-%m-%d-%H-%M-%S"`.tar.gz \
/opt/aspera/shares/u/shares/log/production.log* \
/opt/aspera/shares/var/log/shares-background-0/current \
/opt/aspera/shares/var/log/shares-background-0/*.s \
/opt/aspera/shares/u/stats-collector/logs/statscollector.*log* \
;
Checking for SSH Issues
Aspera® recommends that you review your SSH log periodically for signs of a potential attack. Locate and open your
syslog, for example, /var/log/auth.log or /var/log/secure. Depending on your system configuration,
syslog's path and file name may vary.
Look for invalid users in the log, especially a series of login attempts with common user names from the same
address, usually in alphabetical order. For example:
...
Mar 10 18:48:02 sku sshd[1496]: Failed password for invalid user alex from 1.2.3.4 port 1585 ssh2
...
Mar 14 23:25:52 sku sshd[1496]: Failed password for invalid user alice from 1.2.3.4 port 1585 ssh2
...
If you have identified attacks:
• Check the SSH security settings.
• Report attackers to your ISP's abuse email, for example, abuse@your-isp.
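The log review described above can be automated. The following Ruby sketch is an added example, not part of the original guide: it groups "Failed password for invalid user" entries by source address and reports addresses that tried several distinct unknown user names, noting whether the names arrived in alphabetical order. The threshold, the function name and the sample log lines are constructed for illustration.

```ruby
# Matches the sshd message format shown in the guide's sample log lines.
FAILED_INVALID =
  /sshd\[\d+\]: Failed password for invalid user (\S+) from (\S+) port \d+/

# Constructed sample log, using documentation address ranges.
SAMPLE_LOG = <<~LOG
  Mar 10 18:48:02 sku sshd[1496]: Failed password for invalid user alex from 192.0.2.10 port 1585 ssh2
  Mar 10 18:48:05 sku sshd[1496]: Failed password for invalid user alice from 192.0.2.10 port 1586 ssh2
  Mar 10 18:48:09 sku sshd[1496]: Failed password for invalid user bob from 192.0.2.10 port 1587 ssh2
  Mar 10 18:49:30 sku sshd[1502]: Accepted publickey for shares from 198.51.100.7 port 40122 ssh2
  Mar 10 18:50:11 sku sshd[1510]: Failed password for invalid user test from 198.51.100.7 port 40130 ssh2
  Mar 10 18:51:44 sku sshd[1515]: Failed password for root from 192.0.2.10 port 1590 ssh2
LOG

# Returns one record per source address that attempted at least
# min_distinct_users different invalid user names, busiest source first.
def suspicious_sources(log_text, min_distinct_users: 3)
  attempts = Hash.new { |h, ip| h[ip] = [] }
  log_text.each_line do |line|
    m = FAILED_INVALID.match(line)
    attempts[m[2]] << m[1] if m
  end

  records = attempts.map do |ip, users|
    distinct = users.uniq
    next if distinct.size < min_distinct_users
    { ip: ip,
      attempts: users.size,
      users: distinct,
      # Dictionary-style guessing often walks names in sorted order.
      alphabetical: distinct == distinct.sort }
  end
  records.compact.sort_by { |r| -r[:attempts] }
end

if __FILE__ == $PROGRAM_NAME
  # Pass the path to your auth log (for example /var/log/secure) as the
  # first argument; without one, the constructed sample is analysed.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOG
  suspicious_sources(text).each do |r|
    puts "#{r[:ip]}: #{r[:attempts]} attempts, users=#{r[:users].join(',')}, " \
         "alphabetical=#{r[:alphabetical]}"
  end
end
```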
Monitoring
From the Admin menu, the following monitoring capabilities are available from the left navigation menu:
• Activity
• Background Jobs
• Errors and Warnings
Viewing Activities
Click Activity to view all activity that has occurred on the IBM Aspera Shares server. Activities reported include the following:
• Nodes and shares created and deleted
• Logins and logouts
• Directories created and deleted
• Files deleted
• Node and share status
• Transfers to shares
Each reported activity event is accompanied by a tag. Click the tag to find related activities.
To perform an activity event search, click Search and enter the requisite information.
Viewing Background Jobs
To view, start, or delete background jobs that are running on the IBM Aspera Shares server, click Background
Jobs.
Viewing Errors and Warnings
To view or search for errors and warnings that have occurred on the IBM Aspera Shares server, click Errors and
Warnings.
| Appendix | 72
Appendix
Configuring a Remote Transfer-Server Node
Follow the steps below to set up a remote transfer-server node for IBM Aspera Shares.
Important: Note that all steps must be performed on the remote machine (transfer server), as the root user.
1. Set up the Node API.
The Node API must be set up in the IBM Aspera Enterprise Server for Shares to communicate with the remote
machine. Refer to the Node API Setup section in the Managing the Node API section of the IBM Aspera
Enterprise Server Administrator's Guide for instructions on how to set up the Node API in Enterprise Server.
2. Create the system user "shares".
This is the user who authenticates the actual ascp transfer, and must be an operating system account. Run the
following commands to create the system user "shares".
# /usr/sbin/groupadd -r shares
# /usr/sbin/useradd -r shares -s /bin/aspshell-r -g shares
3. Create and configure the "shares" package directory.
Run the following commands to configure the "Shares" directory /home/shares/ and the
shares_packages subdirectory:
# mkdir -p /home/shares/shares_packages
# chown shares:shares /home/shares/
# chown shares:shares /home/shares/shares_packages
4. Configure aspera.conf.
Add the shares package directory as a docroot in aspera.conf. The aspera.conf file can be found in the
following location:
/opt/aspera/etc/aspera.conf
Below is a typical Shares aspera.conf file. Yours may differ, particularly if you have installed other Aspera
products. Modify the following, as necessary:
• In the file below, look for the <absolute> tag to see how the docroot has been defined in this installation, and adjust yours accordingly.
• Look for the <server_name> tag below, and ensure that SERVER_IP_OR_NAME has been replaced with the name or IP address of your server.
• In the <central_server> section, set <persistent_store> to enable as shown below. Shares 3.5+ requires persistent storage to be enabled. By default, <persistent_store> is disabled (not set).
<?xml version='1.0' encoding='UTF-8'?>
<CONF version="2">
  <central_server>
    <address>127.0.0.1</address>
    <port>40001</port>
    <compact_on_startup>enable</compact_on_startup>
    <persistent_store>enable</persistent_store>
    <persistent_store_on_error>ignore</persistent_store_on_error>
    <persistent_store_max_age>86400</persistent_store_max_age>
    <event_buffer_overrun>block</event_buffer_overrun>
  </central_server>
  <default>
    <file_system>
      <pre_calculate_job_size>yes</pre_calculate_job_size>
    </file_system>
  </default>
  <aaa>
    <realms>
      <realm>
        <users>
          <user>
            <name>shares</name>
            <file_system>
              <access>
                <paths>
                  <path>
                    <absolute>/home/shares/shares_packages</absolute>
                    <show_as>/</show_as>
                    <dir_allowed>true</dir_allowed>
                  </path>
                </paths>
              </access>
              <directory_create_mode>770</directory_create_mode>
              <file_create_mode>660</file_create_mode>
            </file_system>
            <authorization>
              <transfer>
                <in>
                  <value>token</value>
                </in>
                <out>
                  <value>token</value>
                </out>
              </transfer>
              <token>
                <encryption_key>af208360-dbdd-4033-a35b-2370941f37e9</encryption_key>
              </token>
            </authorization>
          </user>
        </users>
      </realm>
    </realms>
  </aaa>
  <http_server>
    <http_port>8080</http_port>
    <enable_http>1</enable_http>
    <https_port>8443</https_port>
    <enable_https>1</enable_https>
  </http_server>
  <server>
    <server_name>SERVER_IP_OR_NAME</server_name>
  </server>
</CONF>
After modifying aspera.conf, restart Aspera Central and Aspera NodeD services.
# /etc/init.d/asperacentral restart
# /etc/init.d/asperanoded restart
5. Verify you have installed a valid Shares license on your transfer server.
If you need to update your transfer server license (by following the instructions in the Updating Product License
section of the Enterprise Server Admin Guide), you must reload the asperanoded service afterwards. Reload the
asperanoded service by running asnodeadmin.exe, found in the following location:
# /opt/aspera/bin/asnodeadmin --reload
6. Set up the node user.
Run the following commands to set up the node user (where "node-admin" is the node user, "s3cur3_p433"
is his password and "shares" is the system user), and then reload asperanoded.
# /opt/aspera/bin/asnodeadmin -a -u node-admin -p s3cur3_p433 -x shares
# /opt/aspera/bin/asnodeadmin --reload
7. Install the Aspera Connect™ key.
First, locate your Aspera Connect key as follows:
/opt/aspera/var/aspera_id_dsa.pub
Then, run the following commands to create a .ssh folder (if it does not already exist) in the shares user's
home directory:
# mkdir -p /home/shares/.ssh
Run the following command to create the keyfile authorized_keys (if it does not already exist), and append the
key text to it:
# cat /opt/aspera/var/aspera_id_dsa.pub >> /home/shares/.ssh/authorized_keys
Run the following commands to change the key directory and keyfile's ownership to the shares user and set
permission bits:
# chown shares:shares /home/shares/.ssh
# chown shares:shares /home/shares/.ssh/authorized_keys
# chmod 600 /home/shares/.ssh/authorized_keys
# chmod 700 /home/shares
# chmod 700 /home/shares/.ssh
8. Set up token authorization.
Refer to the Setting Up Token Authorization topic in the Aspera Enterprise Server Administrator's Guide.
Extending the Node Timeout
Edit the client.rb file located at /opt/aspera/shares/u/shares/lib/node_api/client.rb.
Near line 28, modify :timeout => 30 to another value. Below, 30 has been replaced by 60 to lengthen the
timeout value to one minute:
def rest_client_site(path = base_url)
  RestClient::Resource.new(path,
    :user => username,
    :password => password,
    :verify_ssl => verify_ssl,
    :timeout => 60,
    :open_timeout => 10, # TODO: what should the timeouts be?
    :headers => {
      :content_type => :json,
      :accept => :json,
    }
  )
end
Changing Nginx Ports
1. Open the IBM Aspera Shares Nginx config file found at /opt/aspera/shares/etc/nginx/nginx.conf.
2. Update the HTTP and HTTPS server blocks with your desired ports.
These are the default settings for the two server blocks:
server {
listen 80 deferred;
return 301 https://$host$request_uri;
}
server {
listen 443 deferred;
ssl on;
}
Update the values of the listen and return directives with the desired
ports:
server {
listen 9080 deferred;
return 301 https://$host:9443$request_uri;
}
server {
listen 9443 deferred;
ssl on;
}
3. Update the passenger_pre_start directive located at /opt/aspera/shares/etc/nginx/conf.d/shares-pre-start.conf.
The default value for passenger_pre_start is the following:
passenger_pre_start https://example.com:443/;
Update the passenger_pre_start with your desired port. For example:
passenger_pre_start https://example.com:9443/;
Note: Prior to Shares 1.8, the passenger_pre_start directive is in the main nginx.conf file.
4. Tell Nginx to reload its config file.
/opt/aspera/shares/sbin/nginx -s reload
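The listen port, the redirect target and the passenger_pre_start URL must all carry the same HTTPS port, and a half-applied change is easy to miss. The check below is an added example, not part of the Aspera guide; the function names and the sample configuration are constructed, and it assumes the server-block layout shown above.

```shell
#!/bin/sh
# Check that the three port settings changed in steps 2 and 3 agree.
# Reads nginx.conf and shares-pre-start.conf (as arguments or on stdin),
# prints the ports it found, and returns 0 only when all three match.
check_shares_ports() {
    awk '
    function port_of(url) {                  # port in an https URL, 443 if none
        sub("^https://[^:/]*", "", url)      # drop scheme and host (or $host)
        if (match(url, /^:[0-9]+/)) return substr(url, 2, RLENGTH - 1)
        return "443"
    }
    $1 == "server" && $2 == "{" { listen = ""; ssl = 0 }   # new server block
    $1 == "listen" {
        listen = $2; sub(/;$/, "", listen); sub(/^.*:/, "", listen)
        if ($0 ~ / ssl[ ;]/) ssl = 1         # "listen 443 ssl;" form
    }
    $1 == "ssl" && $2 == "on;" { ssl = 1 }   # "ssl on;" form used in this guide
    ssl && listen != "" { https = listen }
    $1 == "return" && $3 ~ /^https:/ { redirect = port_of($3) }
    $1 == "passenger_pre_start" { prestart = port_of($2) }
    END {
        printf "https_listen=%s redirect=%s pre_start=%s\n", https, redirect, prestart
        exit ((https != "" && https == redirect && https == prestart) ? 0 : 1)
    }' "$@"
}

# Constructed sample: listen ports moved to 9080/9443, but the redirect and
# the pre-start URL still point at the default 443.
sample_half_updated() { cat <<'EOF'
server {
    listen 9080 deferred;
    return 301 https://$host$request_uri;
}
server {
    listen 9443 deferred;
    ssl on;
}
passenger_pre_start https://example.com:443/;
EOF
}
# Constructed sample: the same files after steps 2 and 3 are fully applied.
sample_updated() {
    sample_half_updated |
        sed -e 's/\$host\$request_uri/$host:9443$request_uri/' -e 's|:443/|:9443/|'
}

sample_half_updated | check_shares_ports || echo "mismatch: fix before reloading Nginx"
sample_updated | check_shares_ports && echo "ports agree"
```

On a real host, pass both files as arguments: check_shares_ports /opt/aspera/shares/etc/nginx/nginx.conf /opt/aspera/shares/etc/nginx/conf.d/shares-pre-start.conf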
Open a MySQL Prompt
Open up a MySQL client prompt.
# /opt/aspera/shares/bin/run mysql
Generate an SSL Certificate
Generate your own private key, csr and pem file.
To generate a new certificate, follow the instructions provided below using the OpenSSL command-line binary
(/opt/aspera/shares/bin/openssl).
1. Enter the OpenSSL command to generate your Private Key and Certificate Signing Request.
In this step, you will generate an RSA Private Key and CSR using OpenSSL. In a Terminal window, enter
the following command (where my_key_name.key is the name of the unique key that you are creating and
my_csr_name.csr is the name of your CSR):
$ openssl req -new -nodes -newkey rsa:2048 -keyout my_key_name.key -out my_csr_name.csr
2. Enter your X.509 certificate attributes.
After entering the command in the previous step, you will be prompted to input several pieces of information,
which are the certificate's X.509 attributes.
Important: The common name field must be filled in with the fully qualified domain name of the server
to be protected by SSL. If you are generating a certificate for an organization outside of the US, please
refer to the link http://www.iso.org/iso/english_country_names_and_code_elements for a list of 2-letter,
ISO country codes.
Generating a 1024 bit RSA private key
....................++++++
................++++++
writing new private key to 'my_key_name.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:Your_2_letter_ISO_country_code
State or Province Name (full name) [SomeState]:Your_State_Province_or_County
Locality Name (eg, city) []:Your_City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your_Company
Organizational Unit Name (eg, section) []:Your_Department
Common Name (i.e., your server's hostname) []:secure.yourwebsite.com
Email Address []:[email protected]
You will also be prompted to input "extra" attributes, including an optional challenge password. Please note that
manually entering a challenge password when starting the server can be problematic in some situations (e.g.,
when starting the server from the system boot scripts). You can skip inputting a challenge password by hitting the
"enter" button.
...
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
After finalizing the attributes, the private key and CSR will be saved to your root directory.
Important: If you make a mistake when running the OpenSSL command, you may discard the generated
files and run the command again. After successfully generating your key and Certificate Signing Request,
be sure to guard your private key, as it cannot be re-generated.
3. Send CSR to your signing authority
You now need to send your unsigned CSR to a Certifying Authority (CA). Once the CSR has been signed, you
will have a real Certificate, which can be used by Apache.
Important: Some Certificate Authorities provide a Certificate Signing Request generation tool on their
Website. Please check with your CA for additional information.
4. (Optional) Generate a Self-Signed Certificate
At this point, you may need to generate a self-signed certificate because:
• You don't plan on having your certificate signed by a CA
• Or you wish to test your new SSL implementation while the CA is signing your certificate
You may also generate a self-signed certificate through OpenSSL. This temporary certificate will generate an error
in the client's browser to the effect that the signing certificate authority is unknown and not trusted. To generate a
temporary certificate (which is good for 365 days), issue the following command:
openssl x509 -req -days 365 -in my_csr_name.csr -signkey my_key_name.key -out my_cert_name.crt
Setting Up Shares and Console on the Same Host
Important: You need to ensure that you install IBM Aspera Console before you install IBM Aspera Shares.
1. Install Console
2. Install Shares .rpm, but do not run the install script
3. Use a text editor to open the my.cnf.setup file located at:
/opt/aspera/shares/etc/my.cnf.setup
Provide the MySQL username and password that you used during the install of Console.
[client]
user = root
password = aspera
host = 127.0.0.1
port = 4406
4. Run the Shares installer.
/opt/aspera/shares/u/setup/bin/install
5. Disable the Apache Web Server.
asctl apache:stop
6. Create a symlink to a file located at /opt/aspera/shares/etc/nginx/locations-enabled/console.
ln -s ../locations-available/console /opt/aspera/shares/etc/nginx/locations-enabled/
7. Restart the Nginx service.
service aspera-shares restart
Securing an SSH Server
SSH servers listen for incoming connections on TCP port 22. Therefore, port 22 is subjected to unauthorized login
attempts by hackers trying to access unsecured servers. To prevent unauthorized server access, you can turn off port
22 and run the service on a random port between 1024 and 65535.
The following task requires root access privileges.
Aspera® transfer products ship with OpenSSH listening on both TCP/22 and TCP/33001. Aspera recommends using
TCP/33001 only and disabling TCP/22.
1. Use a text editor to open the SSH configuration file.
/etc/ssh/sshd_config
Note: Before changing the default port for SSH connections, verify with your network administrators that
TCP/33001 is open. Notify users of the port change.
2. Add the new SSH port
Port 22
Port 33001
Note: Before changing the default port for SSH connections, verify that TCP/33001 is open.
To enable TCP/33001 while you are migrating from TCP/22, open port 33001 within the sshd_config file
where SSHD is listening on both ports.
3. Disable TCP/22 by commenting it out in the sshd_config file.
4. Disable TCP/22 by modifying /etc/services so that the only open SSH port is TCP/33001.
5. In OpenSSH versions 4.4 and later, disable SSH tunneling to avoid potential attacks by adding the following lines
at the end of the sshd_config file. As a result, only root users are permitted to tunnel.
...
AllowTcpForwarding no
Match Group root
AllowTcpForwarding yes
Depending on your sshd_config file, you may have additional instances of AllowTcpForwarding that are
set to the default yes. Review your sshd_config file for other instances and disable as appropriate.
Disabling TCP forwarding does not improve security unless users are also denied shell access, as they can
always install their own forwarders. Review your user and file permissions, and see the following instructions on
modifying shell access.
6. Update authentication methods by adding or uncommenting PubkeyAuthentication yes in the
sshd_config file and commenting out PasswordAuthentication yes.
...
PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication no
...
7. Disable root login by commenting out PermitRootLogin yes in the sshd_config file and adding
PermitRootLogin no.
...
#PermitRootLogin yes
PermitRootLogin no
...
Administrators can then use the su command if root privileges are needed.
8. Restart the SSH server to apply the new settings.
Restart or reload the SSH Server using the following commands:
OS Version          Instructions
RedHat (restart)    $ sudo service sshd restart
RedHat (reload)     $ sudo service sshd reload
Debian (restart)    $ sudo /etc/init.d/ssh restart
Debian (reload)     $ sudo /etc/init.d/ssh reload
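Before restarting sshd, it helps to confirm that the edited file really reaches the end state of steps 1 to 7. The function below is an added example, not part of the Aspera guide; its name and both sample configurations are constructed, and it models sshd's rules that the first value given for a keyword wins and that Port lines accumulate.

```shell
#!/bin/sh
# Audit an sshd_config (file argument or stdin) against this section's end state.
# Prints one finding per line; returns 0 when there are none, 1 otherwise.
audit_sshd_config() {
    awk '
    function bad(msg) { print "FINDING: " msg; n++ }
    function need(key, want, dflt,    got) {
        got = (key in first) ? first[key] : dflt
        if (got != want) bad(key " is " got ", expected " want)
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    {
        sub(/[ \t]*=[ \t]*/, " ")              # accept "Keyword=value"
        key = tolower($1); val = tolower($2)
        if (key == "match") { in_match = 1; cond = tolower($2 " " $3); next }
        if (in_match) {                        # applies only to the matched users
            if (key == "allowtcpforwarding" && val != "no" && cond != "group root")
                bad("AllowTcpForwarding " val " under Match " cond)
            next
        }
        if (key == "port") { port[val] = 1; nports++; next }   # Port lines add up
        if (!(key in first)) first[key] = val  # otherwise the first value wins
    }
    END {
        if (nports == 0 || ("22" in port)) bad("sshd still listens on TCP/22")
        if (!("33001" in port)) bad("TCP/33001 is not enabled")
        need("passwordauthentication", "no", "yes (default)")
        need("pubkeyauthentication", "yes", "yes")
        need("permitrootlogin", "no", "unset (default varies by version)")
        need("allowtcpforwarding", "no", "yes (default)")
        exit (n > 0)
    }' "$@"
}

# Constructed sample: as shipped, both ports open and defaults untouched.
sample_before() {
    printf '%s\n' 'Port 22' 'Port 33001' 'PermitRootLogin yes' \
        'PasswordAuthentication yes'
}
# Constructed sample: the configuration after steps 1 to 7.
sample_after() {
    printf '%s\n' '#Port 22' 'Port 33001' 'PubkeyAuthentication yes' \
        '#PasswordAuthentication yes' 'PasswordAuthentication no' \
        '#PermitRootLogin yes' 'PermitRootLogin no' \
        'AllowTcpForwarding no' 'Match Group root' 'AllowTcpForwarding yes'
}

sample_before | audit_sshd_config || echo "before: not compliant"
sample_after | audit_sshd_config && echo "after: compliant"
```

On a real host, run it as audit_sshd_config /etc/ssh/sshd_config. It reads only the one file, so settings pulled in through Include directives or per-user Match blocks other than the root group need a separate review.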
Shares API Permissions
Aspera products such as IBM Aspera Drive and IBM Aspera Enterprise Server have integrated capabilities for
working with IBM Aspera Shares. Such products interact with Shares using the API. To allow the API to correctly
access users' shares, ensure that the permissions are correctly configured as described below.
1. For each Shares user, ensure that the API Login check box is checked under the Security tab. On Shares 1.6 and
later versions, this permission is enabled by default whenever new users are created.
2. Create shares, and authorize users for each share. The table below describes the mapping between the API
permissions and Shares user permissions.
API Permission to Allow    Share Permissions that should be Enabled
View                       browse and download
Edit                       upload, rename, mkdir
Delete                     delete
Troubleshooting
Issue: I have forgotten my IBM Aspera Shares Administrator password
Solution:
You can reset your Shares Administrator password by opening a root terminal on your Shares server and running the
following command:
/opt/aspera/shares/u/shares/bin/run rake aspera:admin NAME="admin" PASSWORD="example-password" EMAIL="[email protected]"
Technical Support
For further assistance, you may contact Aspera through the following methods:
Contact Info
Email           [email protected]
Phone           +1 (510) 849-2386
Request Form    https://support.asperasoft.com/anonymous_requests/new/
The technical support service hours:
Support Type    Hours (Pacific Standard Time, GMT-8)
Standard        8:00am – 6:00pm
Premium         8:00am – 12:00am
We are closed on the following days:
Support Unavailable    Dates
Weekends               Saturday, Sunday
Aspera Holidays        See our Website.
Feedback
The Aspera Technical Publications department wants to hear from you on how Aspera can improve customer
documentation. To submit feedback about this guide, or any other Aspera product document, visit the Aspera Product
Documentation Feedback Forum.
Through this forum, you can let us know if you find content that is not clear or appears incorrect. Aspera also
invites you to submit ideas for new topics, and for improvements to the documentation for easier reading and
implementation. When you visit the Aspera Product Documentation Feedback Forum, remember the following:
• You must be registered to use the Aspera Support Website at https://support.asperasoft.com/.
• Be sure to read the forum guidelines before submitting a request.
Legal Notice
© 2012-2015 Aspera, Inc., an IBM Company. All rights reserved.
Licensed Materials - Property of IBM
© Copyright IBM Corp., 2012, 2015. Used under license.
US Government Users Restricted Rights- Use, duplication or disclosure restricted by GSA ADP Schedule
Contract with IBM Corp.
Aspera, the Aspera logo, and FASP transfer technology are trademarks of Aspera, Inc., registered in the United
States. Aspera Connect Server, Aspera Drive, Aspera Enterprise Server, Aspera Point-to-Point, Aspera Client,
Aspera Connect, Aspera Cargo, Aspera Console, Aspera Orchestrator, Aspera Crypt, Aspera Shares, the Aspera
Add-in for Microsoft Outlook, and Aspera Faspex are trademarks of Aspera, Inc. All other trademarks mentioned
in this document are the property of their respective owners. Mention of third-party products in this document is
for informational purposes only. All understandings, agreements, or warranties, if any, take place directly between
the vendors and the prospective users.