IBM Aspera Application On Demand / Server On Demand (APOD / SOD) 3.7.3


IBM Aspera Application On Demand / Server On Demand (APOD / SOD) Amazon Web Services Revision: Generated: 08/23/ :21


Welcome to IBM Aspera Application Platform / Server On Demand (APOD / SOD)

What is Aspera on Demand?

The Aspera On Demand (AOD) offerings are Aspera client and server product bundles offered with a usage-based license model. The AOD offerings are designed to run on cloud infrastructure; where possible, we provide pre-built virtual machine images or transfer services. AOD also provides a Direct-to-Cloud storage capability, enabling you to move your data from your on-premises facility directly to object storage.

Supported Object Storage Systems

AOD supports Amazon Web Services, IBM Cloud, Google Cloud Platform and Microsoft Azure. The Aspera On Demand transfer platform is able to read and write files to a virtual machine as well as directly into object storage systems, such as Amazon S3, Softlayer SWIFT, Google Cloud Storage and Microsoft Azure Blob storage.

What is IBM Aspera Application Platform / Server On Demand (APOD / SOD)

The IBM Aspera Application Platform / Server On Demand (APOD / SOD) is a cloud-hosted application which allows users to centrally manage, monitor, and control Aspera servers and transfers. The APOD / SOD package includes the following Aspera products depending on your license:

APOD / SOD License IBM Aspera Enterprise Server IBM Aspera Console APOD / SOD x x APOD / SOD without Console x APOD / SOD with Shares x IBM Aspera Shares x x x

Transfer Server Features

FASP transport technology: A file-transfer protocol that dramatically speeds transfers over IP networks by eliminating the fundamental bottlenecks in conventional technologies. FASP features bandwidth control, resume, transfer encryption, content protection, and data integrity validation.
Transfer server: Allows an unlimited number of concurrent client transfers. Uses virtual links to manage aggregate bandwidth usage.
ascp: A command-line transfer program to initiate Aspera transfers.
Virtual Links: Enables you to create an aggregate bandwidth cap.
HTTP Fallback Server: An alternative transfer method for clients without Internet connectivity for FASP.
Shares Web UI (option available for Application Platform): A web-based interface that enables transfers for Aspera Connect clients. Includes the HTTP Fallback Server to allow clients without FASP connectivity to transfer using HTTP or HTTPS. This is limited to a one-server Shares license. For more information, see the Shares on Demand Admin Guide.

You can transfer files to the following products:

IBM Aspera Connect Browser Plug-in (free download)
IBM Aspera Desktop Client (Client license required)
IBM Aspera Point-to-Point Client (Point-to-Point license required)
IBM Aspera Enterprise Server (Enterprise Server license required)
IBM Aspera Connect Server (Connect Server license required)

Console Features

IBM Aspera Console is used to create and manage users on the system, and to start and manage transfers between your server and other Aspera clients. For convenience, this system also contains pre-configured users and groups.

Transfer monitoring and control: View, pause, resume, and cancel transfers and change transfer rates.
Transfer initiation: Initiate and schedule transfer jobs remotely.
Email notification: Notify users of transfer events with customizable messages.
Reporting: Create detail and summary reports of transfer activity.

You can access this application with the following information and credentials:

URL:
Login: admin
Password: your_instance_id

Note: Once logged in, you can change the password of your admin account.

Shares Features

IBM Aspera Console is used to manage and share content among users in the form of files and directories of any size.

Content management: Browse, upload, and download files on your server.
Content access management: Delegate permissions for files on the server by users and groups.

URL:
Login: admin
Password: your_instance_id

Note: Once logged in, you can change the password of your admin account.

Logging in to IBM Aspera Application Platform / Server On Demand (APOD / SOD)

Logging In

If your IBM Aspera Application Platform / Server On Demand (APOD / SOD) license includes access to Console or Shares, log in to APOD / SOD through the web browser. If your license does not include access to Console or Shares, you must SSH into the instance. For more information on using SSH to access APOD / SOD, see Using SSH to Login to APOD.

Note: You must install Adobe Flash Player on your computer before using Console or Shares. You can download Flash Player from the following link:

1. Enter the On Demand server URL in your web browser console. For example,
Tip: If your On Demand product includes access to Shares, entering the IP address without aspera/console brings you to the Shares login page. For example,
Your browser may notify you of an untrusted connection. If this occurs, follow the on-screen instructions to accept the security certificate.
2. On the login screen, enter your user name and password. If this is your first time logging in, Console prompts you to enter a valid customer ID and entitlement key. For more information on entitlement keys, see Updating the Entitlement Key.

Updating the Entitlement Key

APOD/SOD requires a valid license entitlement key to use its features. If your APOD/SOD includes either IBM Aspera Console or IBM Aspera Shares, you can enter your entitlement key through the web UI.

Note: Entitlements are enabled per machine instance, not per app. For APOD/SOD licenses that allow access to both Console and Shares features, the entitlement portion of the procedure is slightly different. However, completing it for one enables the entitlement for both. Once the entitlement has been enabled from either app, it may take a few minutes for the other app to recognize the change. For more information about entitling Shares, see the IBM Aspera Shares On Demand Admin Guide.

1. If this is your first time entering your entitlement key, first log in to Console. You are prompted to update Console with your entitlement key. Enter your customer ID and entitlement key, and click Save.
Until you provide a valid license, you cannot use Console or Shares. If you need to review or update the entitlement information at a later time, go to Configuration > License.
2. Back up and restore the On Demand server configuration. The image instance does not store data when terminated; therefore, we advise that you back up the configuration before shutting down.
Note: A full backup of the On Demand server configuration requires backing up the Shares configuration as well as the Console configuration. For information on backing up Shares, see the IBM Aspera Shares On Demand Admin Guide. For instructions to back up SOD/APOD, see Backing Up the Current Console Configuration.

Using SSH to Login to APOD

SSH password authentication is disabled. You must use SSH keys to connect if you plan to use SSH users to connect through the command line.

If your license does not include access to Console or Shares, you must SSH into the instance. If your license includes access to Console or Shares, log in through the web browser. For more information on logging in through the web browser, see Logging In.

Run the ssh command, providing the location of your .pem private key, port 33001, and the user ec2-user.

# ssh -i /path/to/yourkey.pem -p 33001 ec2-user@instance_ip_address

Note: Your private key (.pem file) needs to have correct permissions. If you just downloaded the key from Amazon Web Services, it most likely does not have correct permissions. If you get an error message about the key permissions when trying to SSH, change the permissions as follows:

# chmod 600 /path/to/yourkey.pem

After logging in for the first time, make sure you update your entitlement key to access APOD / SOD features. For more information, see Updating the Entitlement Key Using the Terminal.

Updating the Entitlement Key Using the Terminal

SSH password authentication is disabled. You must use SSH keys to connect if you plan to use SSH users to connect through the command line.

To access APOD / SOD features, you must install a valid entitlement key using the Terminal. If your license includes Console or Shares, enter your entitlement key through the web UI. For more information, see Updating the Entitlement Key.

1. SSH into your instance.
2. Make sure there are no firewall ports open that are blocking outbound TCP
3. Run the Aspera License Entitlement Engine (ALEE) command to register your entitlement key information.

# /opt/aspera/bin/alee-admin register username entitlement_key

For example:

# /opt/aspera/bin/alee-admin register ec2-user d18bb7ba-7fac-409d-9200e2cbaf246d5c

4. Validate your entitlement key with the following command.

# ascp -A

Important: APOD / SOD uses the asperalee service to manage the entitlement key and the trapd service to access supported object storage. Both services are enabled by default. If you need to restart these services, use the following commands:

# service asperalee restart
# service asperatrapd restart

Do not use the asalee-config.sh enable or disable commands to restart these services. These commands are only used to enable or disable the features:

# /opt/aspera/bin/asalee-config.sh enable/disable
# /opt/aspera/bin/astrap-config.sh enable/disable

These commands recreate the symlink in /etc/init.d on CentOS 7 machines, resulting in a systemd bug. If you accidentally used these commands in an attempt to restart these services, restart the service using the service restart command to fix the issue.

Managing User Accounts

Accounts and Permissions

Definition of Terms

User: A user is a Console login account with customizable access permissions.
Group: A group defines the transfer permissions of all its users.
Transfer Path: A transfer path consists of two endpoints, the transfer direction (one-way or two-way), and a set of permissions that authorize starting transfers, monitoring transfers, and enabling notifications.

Overview

Console uses a combination of groups, transfer paths, and user accounts to manage user permissions. A user that belongs to a group inherits the permissions defined within the groups it belongs to. A group's permissions are defined by its transfer paths. If you have a non-admin user and you want them to be able to see certain transfers, you need to add them to a group. This group must have one or more transfer paths that specify the kinds of transfers that members of the group are allowed to see or control.

Each group can contain one or more transfer paths. In the figure below, Group 1 contains two transfer paths, #1 and #2. A Console user inherits transfer permissions from all of the groups he or she belongs to. For example, Console User 2 belongs to both Group 1 and Group 2, and has the permissions to use Transfer Paths #1, #2, and #3.

Tip: Console administrators are able to view and control all transfers. They automatically inherit permissions of any existing Console groups. They can add, edit, and delete any nodes, Console users, and Console groups.

Default Console Groups

When adding a new node, you have the option of creating three default groups associated with that node.

Transfer Administrators: The users in this group can monitor, control, and set up notifications of all transfers on the node. They can start simple and smart transfers between this node and any node, and share smart transfer templates with other users.
Transfer Initiators: The users in this group can start simple and smart transfers between this node and any node.
Transfer Monitors: The users in this group can monitor and set up notifications of all transfers on this node.

Creating Console Groups and Users

For instructions on creating a new Console group, see Creating Console Groups. For instructions on creating a new Console user, see Creating Console Users.

Creating Console Groups

Console uses a combination of groups, transfer paths, and user accounts to manage user permissions. A user that belongs to a group inherits the permissions defined within the groups it belongs to. A group's permissions are defined by its transfer paths. If you have a non-admin user and you want them to be able to see certain transfers, you need to add them to a group. This group must have one or more transfer paths that specify the kinds of transfers that members of the group are allowed to see or control.

Tip: Console administrators are able to view and control all transfers. They automatically inherit permissions of any existing Console groups. They can add, edit, and delete any nodes, Console users, and Console groups.

Important: You must first manually add a group to the node OS before you can add it in Console.

1. Go to Accounts > Groups and click New Group.
2. Enter the group name and a brief description. When finished, click Create. You are redirected to a page that allows you to configure the group.
3. Click Add Transfer Path. A transfer path determines a user's permissions to create, initiate, and monitor transfers from one endpoint to another. A transfer path consists of two endpoints, the transfer direction (one-way or two-way), and a set of permissions that authorize starting transfers, monitoring transfers, and enabling notifications.
4. Select the endpoints for the transfer path. For a unidirectional transfer path, set Endpoint 1 as your source endpoint and Endpoint 2 as your destination endpoint. Order does not matter for a bidirectional transfer path. If you specify a node user in an endpoint, users in the group are limited to monitoring only transfers on the node machine that involve the specified node user. An example of such a transfer is a transfer initiated using the specified node user's credentials. Selecting "Any" grants users transfer path permissions to all nodes.
Important: When you select Any as an endpoint and permit users to start simple or smart transfers, users can enter arbitrary addresses for file transfers.
5. Choose the direction of the transfer path. A transfer path can be unidirectional or bidirectional.
Unidirectional (to): Console users can create, initiate, and monitor transfers initiated from Endpoint 1 to Endpoint 2 (depending on the transfer path permissions) but not the other way around.
Bidirectional (to/from): Console users can create, initiate, and monitor all transfers (depending on the transfer path permissions) between Endpoint 1 and Endpoint 2.
6. Choose the permissions you want to give users in the group.
Start Simple Transfers: Users can start a simple transfer.
Start Smart Transfers: Users can start smart transfers.
Create Smart Transfers: Users can create a smart transfer template.
Share Smart Transfers: Users can share smart transfer templates with other users.
Control Transfers started by others: Users can control other users' transfers. For example, they can stop, pause, and set the rate of a transfer, and so on.
View Transfers started by others: Users can view other users' transfers on the same transfer paths.
Opt-in to notifications: Users can enable notifications for this transfer path.
7. Optional: Enter a description for this transfer path.
8. When finished, click Create. The Editing Group Details screen displays the new transfer path in the Transfer Paths list. To modify or remove the transfer path, click edit or delete, respectively.
9. Add users to the group. Select a Console user from the members drop-down and click Add.
Tip: Alternatively, you can assign group members through user management. See Creating Console Users.
10. Click Update.

Creating Console Users

A Console user is a Console login account with customizable access permissions. Except for administrator accounts, Console user permissions are managed through group assignment. A Console user inherits permissions from its groups.

Note: Console users are not directly related to the login account to a node.

1. Go to Accounts > Users and click New User.
2. Enter a login username, the user's first and last name and an email address. Set the user's time zone.
Important: All activity on the Console is dated according to the user's time zone.
3. Optional: Select Set password to create a password for the user account. If you do not set a password, Console generates a temporary password for the account and emails the password to the user.
Tip: You can change password requirements in the Console Password Options section. Go to Configuration > Defaults. For more information on password requirements, see Configuring Console Defaults.
4. Optional: Disable user login by clearing Active (allow user to login). If you wish to finish setting permissions for the user account before allowing the user to log in, disable the account by clearing Active (allow user to login). To re-enable the account, return to these settings and select Active (allow user to login). User login is enabled by default.
5. Optional: Disable reporting features for the user by clearing Reports Allowed.
6. When finished, click Create. The system sends an account creation notification to the designated email with the account's username and password. If you do not set a password, Console generates a temporary password for the account and includes that in the email.
The following step is only applicable when creating non-admin users. All admin users have full permissions to all groups and transfer paths. After creating a non-admin user, Console redirects you to the user permissions page.
7. Assign the user to Console groups. Assign the user to groups with the desired transfer-path permissions. To assign the user to a group, select a group from the drop-down menu and click Add. You can review the Console user's transfer permissions in a table listing all transfer paths accessible by this user.

Once the Console user account is created, users can log in to Console with the proper account credentials. To deactivate this account or make other changes to it, go to Accounts > Users. Locate the account you want to change in the list of all Console users.

To deactivate or reactivate the account, change it to a Console administrator, or modify any of the basic account information, click edit.
To modify transfer permissions and group membership, click permissions.
To remove a Console user from the system, click delete.
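The inheritance rules in this chapter, written out as an added example (a simplified model, not Console code or its API): it evaluates a user's effective permission for one transfer across all of the user's groups and lists the transfer paths that combine an Any endpoint with a start permission, the case the Important note above warns about. Node names, user names and the data layout are constructed for illustration; the permission labels are the ones in the transfer path table.

```python
"""Simplified model of Console groups and transfer paths (illustrative only)."""
from dataclasses import dataclass

ANY = "Any"  # wildcard endpoint offered when defining a transfer path
START_PERMS = frozenset({"Start Simple Transfers", "Start Smart Transfers"})


@dataclass(frozen=True)
class TransferPath:
    endpoint1: str          # source when the path is unidirectional
    endpoint2: str          # destination when the path is unidirectional
    bidirectional: bool
    permissions: frozenset  # labels from the transfer path permission table

    def covers(self, source, destination):
        """True if a transfer source -> destination falls on this path."""
        def hit(endpoint, node):
            return endpoint == ANY or endpoint == node
        forward = hit(self.endpoint1, source) and hit(self.endpoint2, destination)
        reverse = hit(self.endpoint1, destination) and hit(self.endpoint2, source)
        return forward or (self.bidirectional and reverse)


@dataclass(frozen=True)
class Group:
    name: str
    members: frozenset
    paths: tuple


def is_allowed(user, action, source, destination, groups, admins=frozenset()):
    """A user holds a permission if any path of any of their groups grants it."""
    if user in admins:  # administrators can view and control all transfers
        return True
    return any(
        action in path.permissions and path.covers(source, destination)
        for group in groups if user in group.members
        for path in group.paths
    )


def risky_paths(groups):
    """Paths where an Any endpoint is combined with a start permission."""
    findings = []
    for group in groups:
        for number, path in enumerate(group.paths, start=1):
            granted = sorted(path.permissions & START_PERMS)
            if ANY in (path.endpoint1, path.endpoint2) and granted:
                findings.append((group.name, number, granted))
    return findings


# Constructed sample mirroring the overview: Group 1 holds two transfer paths,
# Group 2 holds one, and user2 belongs to both groups.
VIEW = "View Transfers started by others"
GROUPS = (
    Group("Group 1", frozenset({"user1", "user2"}), (
        TransferPath("node-a", "node-b", False,
                     frozenset({"Start Simple Transfers", VIEW})),
        TransferPath("node-a", "node-c", True, frozenset({VIEW})),
    )),
    Group("Group 2", frozenset({"user2"}), (
        TransferPath(ANY, "node-c", False, frozenset({"Start Smart Transfers"})),
    )),
)

if __name__ == "__main__":
    for finding in risky_paths(GROUPS):
        print("review:", finding)
    # An address outside the managed nodes still matches the Any endpoint.
    print(is_allowed("user2", "Start Smart Transfers",
                     "203.0.113.10", "node-c", GROUPS))
```
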

Working with IBM Aspera Console

Configuring Notifications

Server Configuration

IBM Aspera Console needs to connect to a Simple Mail Transfer Protocol (SMTP) server to send notifications.

1. Go to Notifications > Server.
2. Enter the SMTP server information [A, B, C].
3. Optional: Enable Transport Layer Security (TLS) [D] if available.
4. Choose the authentication type [E] of your server. If your SMTP server requires login credentials, select Login required under Authentication type and enter your login credentials. Otherwise, select Open authentication.
5. In the 'From' address [F] and 'From' name [G] fields, enter the default sender address and sender name that appear in notifications when recipients receive an email notification.
6. Enter your email address and select Save settings and send test email. Check your inbox for the confirmation titled settings test. If you do not receive the email, review your settings or check your spam folder.

Configuring Notification Time Zones and Cutoff Times

1. Go to Notifications > Notification Options.
2. Select a default time zone for timestamps.
3. Enter a cut-off time for delivering older emails.

Configuring Advanced Rulesets for Notifications

Configure advanced rulesets for automated generation of additional notifications beyond the simple announcement of transfer events. IBM Aspera Application Platform / Server On Demand (APOD / SOD) checks configured rulesets whenever a transfer starts, completes successfully, or errors out for the final time (the transfer runs out of retries or Console detects a transfer that was supposed to retry but never did). If the transfer matches the ruleset, Console sends an email notification to the designated recipients.

1. Go to Notifications > Advanced Rulesets and click Create New Ruleset.
2. Enter a description of the ruleset.
3. Optional: Disable the ruleset to control when the ruleset comes into effect.
4. Select a filter.
Address: Filter by the IP address of a node machine.
Cookie: Filter by information in a transfer cookie. For more information on transfer cookies, see Creating a Cookie Parsing Rule.
Contact: Filter by the contact assigned by Console. A contact can be a Console user name, a Faspex user name, an SSH account, or a customized value obtained from a transfer cookie. For example, a contact can be "admin console", "aspera ssh", or "aspera faspex" and so on.
Failover Group Name: Filter by the failover group name of the node. For more information about failover groups, see Configure Failover Groups.
Faspex Metadata: Filter by metadata found in a Faspex file package.
File Path: Filter by the file path of the transfer.
SSH User: Filter by the username of the SSH user that started the transfer.
Tags: Filter by the JSON hash used to tag the transfer. For more information on transfer tags, see Working with Tags.
5. Select the side to apply the filter.
Either: Apply the filter to both sides.
Source: Apply the filter to the source node.
Destination: Apply the filter to the destination node.
Client: Apply the filter to the node initiating the transfer request.
Server: Apply the filter to the node receiving the transfer request.
6. Select the comparator and enter the value.
Note: Select NOT to exclude entries matching the value.
For example, set the following parameters to send an email notification every time a node with the defined IP address participates in a transfer.
MATCH    SIDE    NOT    COMPARISON    VALUE
Address  Either         =
7. Designate recipients. Enter an email address and click Add. Select an email template for each transfer event.
8. Click Create. The newly created template appears on the Advanced Rulesets page where you can disable or enable, edit, copy, and delete rules.

View Notification Statistics

You can monitor notification activity in the Session Notifications report for each transfer. To view the report, go to a transfer's Sessions Details page. Click The Statistics column contains either a link describing the type of notifications configured for that session or None if no notifications were configured. Click the link to display the Session Notifications page.

The Session Notifications page provides the following information about the transfer:

Session Details: This section gives basic information about the transfer, such as its name, status, and start and stop times.
Configured Notifications: This section shows which types of notification were configured for this transfer (start, success, or error) and the name of the template configured for each.
Messages Sent (or Attempted): This section shows which types of notification were actually sent or attempted for this transfer (start, success, or error) and the name of the template used for each. You can see more detail about a message, including its content, by clicking on it to launch the Message Details page. You can also resend messages listed in this section by clicking resend. This may be useful in cases where recipients are not receiving messages due to server or configuration issues.

Configuring Personal Notifications

Individual users can manage personal notifications from their Preferences menu.

1. Open the Preferences page and select Notifications.
2. Select templates for notifications that are triggered by the following events: transfer start, transfer success, or transfer error. You can create new templates or modify existing templates by going to Notifications > Templates. For more information on how to create and modify templates, see Editing Templates.
3. Select or clear global notifications. By default, Console notifies you for transfers that you start when those transfers start, succeed, or fail.
4. For each specific transfer path listed, select or clear notifications for that transfer path. These notifications are disabled by default.
5. Click Update.

Configuring Notification Templates

Creating a New Notification Template

IBM Aspera Application Platform / Server On Demand (APOD / SOD) allows you to create and modify notification templates based on three transfer events: transfer start, transfer success, and transfer error.

You can customize emails based on recipient needs by creating a new template. For example, an error notification to an internal admin typically contains as much information as possible, while a notice to an outside party might contain a bare minimum of information. You can edit the included default templates, create and edit new templates, and change which templates are used as defaults.

1. Go to Notifications > Templates.

2. Click on the appropriate "Create new..." link. To create a new template, click Create new transfer start template (A), Create new transfer success template (B), or Create new transfer error template (C) depending on the situation for which you want to send an email notification. The new template (D) appears listed under the default template.

3. Rename the template. Click Edit Plain Template to open the plain text editor. Enter a descriptive name for this template in the Template name field. At this point, you can edit the template. For more information on editing templates, see Editing Templates. Otherwise, click Save to rename the template and return to the template preview page.

Note: To ensure that information displays correctly in the email, edit both the plain text and HTML code versions of the template.

4. Optional: Make this template the default template. Return to the Templates page by clicking the Templates tab. Find your renamed template and click default.

Editing Templates

IBM Aspera Application Platform / Server On Demand (APOD / SOD) allows you to create and modify notification templates based on three transfer events: transfer start, transfer success, and transfer error.

You can customize emails based on recipient needs by creating a new template. For example, an error notification to an internal admin typically contains as much information as possible, while a notice to an outside party might contain a bare minimum of information. You can edit the included default templates, create and edit new templates, and change which templates are used as defaults.

1. Go to Notifications > Templates.

2. Click edit for the template you want to configure.

Note: To ensure that information displays correctly in the email, edit both the plain text and HTML code versions of the template.

3. Click Edit Plain Template.

Field
Template name: Modify the name of the template displayed in Console.
From Name: Enter the name displayed as the sender.
Reply-to Address: Enter the address receiving replies from the recipient.
Subject: Modify the subject line.
Body: Modify, add, or remove the default text. The yellow box at the top of the page lists special text strings you can use in the message body. Console replaces the strings with the appropriate value in the actual email. The available text strings differ depending on the type of template (transfer start, transfer success, or transfer error).

For an example of how to edit the plain text version of the template, see Template Example: Creating a Simple Notification for a Successful Transfer.

4. Click Save.

5. Click Edit HTML Template.

Field
Template name: Modify the name of the template displayed in Console.
From Name: Enter the name displayed as the sender.
Reply-to Address: Enter the address receiving replies from the recipient.
Subject: Modify the subject line.
Body: Modify, add, or remove the default text. The yellow box at the top of the page lists special text strings you can use in the message body. Console replaces the strings with the appropriate value in the actual email. The available text strings differ depending on the type of template (transfer start, transfer success, or transfer error).

For an example of how to edit the HTML code of the template, see Template Example: Adding Company Branding to Your Template.

6. Click Save.

7. Optional: Test the template. Enter an address in the field and click Send Test.

8. Optional: Make this template the default template. Return to the Templates page by clicking the Templates tab. Find your renamed template and click default.

You can take the following actions for the new template:

Set this template as your personal default from your Personal Preferences page.
Select this template when creating a transfer.
Select this template for an Advanced Ruleset.

Displaying Notification Templates for an Address

See a list of notifications enabled for a given address. The results show the recipient's node endpoints, smart transfers, and user preferences. The results also list the templates selected as the default for each transfer event (start, success, failure).

1. Go to Notifications > Templates.

2. In the Search field, enter the address (full or partial) and click Search. In the example below, the results display all pre-configured notification templates related to the address "jdean".

Managing Nodes

The Localhost Node

IBM Aspera Shares is automatically configured with a localhost node. Go to Nodes and the node appears on the list.

Adding Unmanaged Nodes

It is best practice to keep all your nodes up to date with the latest version of IBM Aspera Enterprise Server, IBM Aspera Connect Server, or IBM Aspera Point-to-Point Client. Verify the machine's product version with the administrator of the node.

1. Go to Nodes. Click List Unmanaged Nodes.

2. Click New Unmanaged Node.

3. Enter the node's Address (IP or domain name) and Name.

Note: Console does not send notifications when an unmanaged node is using a fully qualified domain name (FQDN) instead of an IP address if the transfer is started by IBM Aspera Enterprise Server or IBM Aspera Point-to-Point Client. Console still sends notifications for transfers started by Console.

4. Select the default endpoint type from the drop-down menu. You can still change the endpoint type when you add an endpoint to this node.

5. Configure SSH. Enter the SSH Port number and select the SSH Encryption method from the drop-down menu. Click Create when finished.

To verify that your new node has been created, select List Unmanaged Nodes and look for your unmanaged node in the table. A connection should be established between Console and your unmanaged node.

To edit or remove a node, go to Nodes and click List Managed Nodes for a list of managed nodes. Click edit or delete for the designated node.

Editing the User or Group on a Node

IBM Aspera Application Platform / Server On Demand (APOD / SOD) can configure user and group account settings for managed nodes that have valid admin credentials saved in Console.

1. Go to Nodes and click edit for the node you want to edit. Click Accounts.

2. Make sure that the group or user you want to configure has already been created and is available on the node machine. Console automatically detects new groups and users and lists them under the node's Accounts tab, but if the group or user is not listed, click Add Group or Add User.

3. Depending on whether you want to configure a node user or a node group, select Users or Groups.

4. Select the edit link for the user or group account you want to edit.

5. Configure the user or group account's transfer options. For more detailed information on these options, see Node Account-Level Configuration Options.

6. When you are finished, click Save changes.

Set a Docroot for a Node User or Group

A document root, or docroot, is the area of a machine that a system user has permission to access. Setting docroots is important for maintaining security because it keeps unqualified users from accessing confidential information.

To set a docroot for a node user or group, you must have already added them into Console. For more information about adding node users or groups to Console, see Editing the User or Group on a Node.

1. Go to Nodes and click edit for the node.

2. Go to Accounts and click edit for the user or group you want to configure.

3. Expand the Docroot configuration section and click Browse. Choose the file directory you want to set as the docroot.

The docroot is a security feature that allows you to restrict the area asperawatchfolderd can access. If you need to access the entire file system, you can set the docroot path as / or leave it empty.

The directory you choose is configured in the aspera.conf configuration file on the transfer node. For example, if you configure the docroot path to be / for the user root, configuring the docroot adds the following configuration to the <aaa> section of aspera.conf:

<aaa>
  <realms>
    <realm>
      <users>
        <user>
          <name>root</name>
          <file_system>
            <access>
              <paths>
                <path>
                  <absolute>/</absolute>
                </path>
              </paths>
            </access>
          </file_system>
        </user>
      </users>
    </realm>
  </realms>
</aaa>

4. Click Save changes.

Adding Endpoints

An endpoint serves as a transfer source or destination for transfers initiated in the Console UI between nodes (managed or unmanaged) and between nodes and clusters. It is defined by a login credential and address. These appear in the Transfer drop-down menus for Source and Destination as login@address, such as xasp1@ for a node or ats-aws-us-east-1.aspera.io for a managed cluster.

When a node or cluster is added to Console, a "wildcard" endpoint is automatically created with the form *@address. The wildcard endpoint is listed as just the IP address or domain name. When a user selects the wildcard endpoint as a source or destination, they must enter credentials to authorize the transfer. Wildcard endpoints enable you to monitor all transfers on a node per user account or access key.

Console admins can add more endpoints to nodes and clusters, and configure them with credentials. The credentials required to set up and use an endpoint depend on the endpoint type:

SSH: An Aspera transfer user's username and either a password or SSH key.
Node API: An Aspera node username and password. (Only supported for managed nodes)
Access Key: An Aspera access key and secret. (Only supported for clusters)
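For the docroot settings described under Set a Docroot for a Node User or Group, the following added Python example (not part of the Aspera documentation or tooling) parses an aspera.conf and lists users whose docroot is / or empty, or who have no docroot in their user entry. The sample configuration, user names and function names are constructed for illustration; only the element layout comes from the <aaa> snippet in that section.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample: three users in the <aaa> layout shown in the docroot section.
SAMPLE_CONF = """<CONF version="2">
  <aaa><realms><realm><users>
    <user>
      <name>root</name>
      <file_system><access><paths><path>
        <absolute>/</absolute>
      </path></paths></access></file_system>
    </user>
    <user>
      <name>xfer_user</name>
      <file_system><access><paths><path>
        <absolute>/data/xfer</absolute>
      </path></paths></access></file_system>
    </user>
    <user>
      <name>svc_sync</name>
    </user>
  </users></realm></realms></aaa>
</CONF>"""


def is_unrestricted(path_text):
    """True when a docroot value gives access to the entire file system.

    An empty value and "/" both mean no restriction; values such as "//"
    or "/data/.." resolve to the root directory and are treated the same.
    """
    if path_text is None or not path_text.strip():
        return True
    normalized = posixpath.normpath(path_text.strip())
    return normalized.strip("/") == ""


def audit_docroots(conf_xml):
    """Return (user name, finding) pairs for users without a restricting docroot."""
    root = ET.fromstring(conf_xml)
    findings = []
    for user in root.iter("user"):
        name = (user.findtext("name") or "<unnamed>").strip()
        paths = user.findall("file_system/access/paths/path/absolute")
        if not paths:
            findings.append((name, "no docroot set in this user entry"))
            continue
        for path in paths:
            if is_unrestricted(path.text):
                findings.append(
                    (name, f"docroot {path.text!r} exposes the whole file system")
                )
    return findings


if __name__ == "__main__":
    for user_name, finding in audit_docroots(SAMPLE_CONF):
        print(f"{user_name}: {finding}")
```

To check a real node, pass the contents of its aspera.conf to audit_docroots instead of the constructed sample.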

When you create a new endpoint, you can enter the credentials or leave the password/secret field blank (you must provide a login - a username or access key). Sharing a credentialled endpoint with a user who does not have login credentials allows that user to send or receive files without compromising the security of your nodes. When the password for the endpoint is not set, the user must enter it when initiating a transfer. These credentials are then stored in the user's Saved Endpoints under the Preferences tab.

Tip: To use domain names as transfer endpoints, create an unmanaged node using a domain name, then add an endpoint to this unmanaged node.

1. Open the Endpoint dialog for a node or cluster.

To add an endpoint to a managed node or cluster, go to Nodes and click edit for the node or cluster to which you want to add an endpoint.
To add an endpoint to an unmanaged node, go to Nodes > List Unmanaged Nodes and click edit for the node or cluster to which you want to add an endpoint.

Click the Endpoints tab.

2. Add a new endpoint. Click Add Endpoint and enter the following information:

Endpoint type: Select the endpoint type from the drop-down menu.
Login: The username or access key.
Password: The password, SSH public key, or secret. If left blank, users must enter the password, SSH public key, or secret to authorize a transfer with the endpoint. To use SSH keys, the user must have their private key configured in Console. For instructions, see SSH Keys.

Important: When using SSH key authentication, make sure that the key file on the node is not a shared key. On the node computer, the key file should be a "private" key in the specified user account.

Label: Optional descriptive name for the endpoint. Default is login@node_address.
Email address: The address to receive notifications of transfer activity on this endpoint. You can enter multiple addresses by clicking Add after each one, then select which notifications to send to which addresses from the drop-down menus.

Click Create.

3. Verify that your endpoint is configured correctly and that the connection works. The new endpoint appears in the list of endpoints. To test the connection, click test and, on the following page, Test Connecting to Host. If successful, a confirmation message appears in green at the top of the page. If unsuccessful, a description of the error appears in red at the top of the page and the SSH Client Log appears at the bottom of the page.

The endpoint is now configured. If Password Saved is selected in the Endpoints table, the endpoint contains a password, an SSH key, or a secret, depending on the endpoint type, and permitted users are not required to enter credentials to use this endpoint.

To edit or remove an endpoint, click edit or delete.

Configuring Virtual Links

Configure Virtual Links (Vlink) on a node to create a "virtual" bandwidth cap for the node. Transfer sessions assigned to the same Vlink take up equal shares of the capped bandwidth.

1. Go to Nodes, find the desired node, and click edit. Click Vlinks > New Vlink.

2. Enter a number for the Vlink ID and name the Vlink. Sessions assigned with the same ID share the same bandwidth cap.

3. Select True to activate the Vlink.

4. Enter a value for the capacity. When applying this Vlink to a transfer, the transfer's bandwidth will be restricted by this value.

5. Click Create.

After creating a new Vlink, you have the option of configuring the Vlink to run on a schedule by clicking Edit Time Varying Schedule and then New Schedule. For more information on scheduling Vlinks, see Scheduling Virtual Links.

Scheduling Virtual Links

After creating a new virtual link, you have the option of configuring the Vlink to run on a schedule.

1. Go to Nodes, find the desired node, and click edit. Click Vlinks, find the desired Vlink, and click edit.

2. Click Edit Time Varying Schedule and click New Schedule. Configure the following options.

Options
On the following days: Select the days or set of days for which the bandwidth rate cap is enforced.
From the following time: Enter a time to start the bandwidth rate cap.
To the following time: Enter a time to stop the bandwidth rate cap.
Set the rate to: Enter a value for the scheduled virtual bandwidth cap. When applying this Vlink to a transfer, the transfer's bandwidth will be restricted by this value based on the configured schedule.

Note: Overlapping time schedules are not supported. If there are overlapping schedules, they are not accurately reflected in the Vlinks chart, and precedence is indeterminate.

3. Click Update.

Setting Up Cloud Storage from the Console

Enabling S3 Storage Using Console

IBM Aspera Application Platform / Server On Demand (APOD / SOD) can use S3 storage for a node transfer user by specifying the storage in the user docroot. Use this user to transfer files to and from your S3 storage.

The steps below assume the following:

You have purchased and booted up your Aspera On Demand product.
You have created an S3 bucket.
You have permissions to create IAM roles or change the policies of your IAM.
You know how to SSH as root to your Aspera On Demand instance.

1. In Console, select a node and edit its transfer user from the Accounts tab.

2. Expand Docroot, click Override, and paste the S3 docroot for that user using the following syntax:

S3://access_id:secret_key@s3.amazonaws.com/my_bucket/my_path

Use URL encoding for special characters in your S3 Access ID and secret key. For example, encode a slash character ( / ) by replacing it with %2F and encode a plus character ( + ) by replacing it with %2B.

Click on the Save Changes button. For more information about setting a user's docroot, see Editing the User or Group on a Node.

3. Restart the Aspera NodeD service on the node. SSH into the node and run the following command:

# ssh -i identity_file -p ec2-user@ec2_host_ip
# service asperanoded restart

Configure advanced S3 storage settings and test your configuration.

4. Optional: Enable advanced S3 storage settings.

Enable Reduced Redundancy Storage (RRS): Append the following to the docroot:

?storage-class=reduced_redundancy

For example, enter:

S3://access_id:secret_key@s3.amazonaws.com/my_bucket/my_path?storage-class=REDUCED_REDUNDANCY

Enable S3 Server Side Encryption (SSE): Append the following to the docroot:

?server-side-encryption=aes256

For example, enter:

S3://access_id:secret_key@s3.amazonaws.com/my_bucket/my_path?server-side-encryption=AES256

5. Test your configuration. Perform a test transfer using an Aspera client to the account configured with the S3 docroot. For information on starting a transfer, see Starting a Simple Transfer.

Enabling SoftLayer Storage Using Console

IBM Aspera Application Platform / Server On Demand (APOD / SOD) can use SoftLayer storage for a node transfer user. Use this user to transfer files to and from your SoftLayer storage.

Caution: When transferring files larger than 64 MB to SoftLayer storage, an .aspera-segment directory is created at the destination. Do not move this directory or modify any files in it. Doing so may cause corruption or loss of data.
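The URL-encoding rule for the S3 docroot in Enabling S3 Storage Using Console, as an added Python example (not part of the Aspera documentation): it builds the docroot with percent-encoded credentials, reports unencoded characters in an existing docroot, and masks the secret key before the value is logged or pasted into a ticket. The function names, access ID and secret key are constructed for illustration.

```python
import re
from urllib.parse import quote, unquote

S3_HOST = "s3.amazonaws.com"          # host used in the docroot syntax on this page
PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
UNRESERVED = re.compile(r"[A-Za-z0-9._~-]")


def build_s3_docroot(access_id, secret_key, bucket, path="", option=None):
    """Build S3://access_id:secret_key@s3.amazonaws.com/bucket/path.

    Both credentials are percent-encoded with no "safe" characters, so
    "/" becomes %2F and "+" becomes %2B. `option` is one setting such as
    "storage-class=REDUCED_REDUNDANCY", appended after "?".
    """
    docroot = (
        f"S3://{quote(access_id, safe='')}:{quote(secret_key, safe='')}"
        f"@{S3_HOST}/{bucket}"
    )
    if path:
        docroot += "/" + path.strip("/")
    if option:
        docroot += "?" + option
    return docroot


def split_docroot(docroot):
    """Split into (scheme, access_id, secret_key, rest) without decoding.

    Done by hand rather than with a URL parser: an unencoded "/" in the
    secret would make a URL parser cut the credentials short.
    """
    scheme, sep, remainder = docroot.partition("://")
    if not sep:
        raise ValueError("docroot has no scheme")
    userinfo, at, rest = remainder.partition("@")
    if not at:
        raise ValueError("docroot carries no credentials")
    access_id, colon, secret_key = userinfo.partition(":")
    if not colon:
        raise ValueError("credentials are not in access_id:secret_key form")
    return scheme, access_id, secret_key, rest


def unencoded_chars(docroot):
    """Return the characters in the credentials that still need URL encoding."""
    _, access_id, secret_key, _ = split_docroot(docroot)
    offending = set()
    for field in (access_id, secret_key):
        without_escapes = PERCENT_ESCAPE.sub("", field)
        offending.update(c for c in without_escapes if not UNRESERVED.match(c))
    return sorted(offending)


def redact(docroot):
    """Mask the secret key so the docroot can be shown in logs."""
    scheme, access_id, _, rest = split_docroot(docroot)
    return f"{scheme}://{access_id}:***@{rest}"


def decoded_secret(docroot):
    """Recover the original secret key from an encoded docroot."""
    return unquote(split_docroot(docroot)[2])


if __name__ == "__main__":
    # Constructed credentials, not real keys.
    built = build_s3_docroot("AKIDEXAMPLE", "abc/DEF+ghi", "my_bucket", "my_path")
    print(redact(built))
    print(unencoded_chars("S3://AKIDEXAMPLE:abc/DEF+ghi@s3.amazonaws.com/my_bucket"))
```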

1. Go to Nodes and click the edit button for the node.

2. Go to Accounts and click edit for the account to configure with SoftLayer access.

Note: You can also create a new account by clicking on the Add User button. For information on how to add a new account, see Editing the User or Group on a Node.

3. Enter the SoftLayer docroot. Expand Docroot, click Override, and paste the SoftLayer docroot for that user using the following syntax:

swift://username:api key@object Storage URI/bucket_name?aspera.swift.endpoint.auth-path=%2fauth%2fv1.0

Use URL encoding for special characters. For example, encode the colon ( : ) by replacing it with %3A.

4. Click on the Save Changes button.

5. Restart asperanoded on the node. SSH into the node and run the following command:

# service asperanoded restart

6. Test your configuration. Perform a test transfer using an Aspera client to the account configured with the SoftLayer object storage docroot. For information on starting a transfer, see Starting a Simple Transfer.

Monitoring Console

The Console Dashboard

The Dashboard provides a quick overview of all transfer activities and the statuses of nodes for which you have monitoring permissions. It gives continuous updates and helps identify transfer and node problems.

Go to Dashboard. The Dashboard contains the following six panels:

Current Transfers

Current Transfers lists up to ten ongoing transfers on all monitored nodes. To view all active transfers, click the Current Transfers header.

Scheduled Transfers

Scheduled Transfers lists up to ten scheduled transfers on all monitored nodes. To view all scheduled transfers, click the Scheduled Transfers header.

Recent Transfers

Recent Transfers lists up to ten recent transfers on all managed nodes. To view all recent transfers, click the Recent Transfers header.

Problem Transfers

Problem Transfers lists up to ten transfers with errors on all managed nodes. To view all transfers with errors, click the Problem Transfers header.

Map

The map shows the status of all your monitored nodes and shows the transfers between them. If a node fails, the icon becomes red in the map, and the node and the problem are listed in the table below the map. Nodes are not automatically added to maps. They must be configured. For more information, see Configuring the Map.

Note: You can choose to hide or display the map and bandwidth chart by clicking the blue arrow next to the map.

Bandwidth

The Bandwidth chart shows bandwidth usage of your monitored nodes. If you select one or more nodes on the map, the chart shows the cumulative bandwidth of the selected nodes.

Note: You can choose to hide or display the map and bandwidth chart by clicking the blue arrow next to the map.

The Activity Overview

The Activity Overview page lists all transfers on all managed nodes. View the Activity Overview page by going to Activity. You can narrow down the list with the filter and advance into a transfer's session detail page.

The Activity Overview screen displays the following information:

Item
NAME: The transfer's name.
DETAILS: The transfer initiator, source, and destination.
START: This transfer's start time.
END: The estimated time of arrival, or the transfer completion time.
STATUS: Current status of this transfer.
AVG RATE: The transfer rate of the active transfer, or the average rate of a past transfer.
ACTIONS: Show all available actions. For example, pause and cancel for a running transfer or rerun for a past transfer.

The Current panel lists all currently active transfers, including running and queued transfers. The Past panel shows previous transfers, including those that were completed, canceled, or those that generated errors.

The filter options on the top can be used to narrow down the list.

Item
History: Select the time frame to display the started transfers.
Scheduled: Select the time frame to display the scheduled transfers.
Status: Select a specific transfer status to display.
Search: Search for keywords in transfer sessions. You can also perform an advanced search by clicking on the advanced link. For more information on searching, see Search for a Transfer.

Transfer Details

Overview

Details about a particular transfer can be accessed by clicking on a transfer shown in listings of past, current, and scheduled transfers. These lists can be found in three locations:

The Activity Overview page
The Console Dashboard
The Managed Node Detail page (the specific node from Nodes in the Console menu)

Ongoing Transfers

For an ongoing transfer, the Session Detail page provides the transfer monitor that displays current transfer status. You can control the transfer through the options shown at the top of the graph.

Important: The failed files counter may count "directories" if the network failed at some point or the user cancelled the transfer.

Finished or Failed Transfers

For a finished or failed transfer, the Session Detail page provides detailed information about the transfer's state, endpoints, and statistics.

The Session Files panel lists all files being transferred in this session. Click on a file to review its information. You can use the search box to show only specific files or groups of files.

Note: When searching for files, "*" is not a wildcard. Any string you enter is treated as a "search within". In other words, the string "foo" will match "123foo", "foo456", and "123foo456".

Console also lets you monitor notification information that includes messages about transfer starts, successes, errors, and what notification templates were used under the Statistics column. Next to Notifications is a link describing some combination of start, success, and error depending on what notifications were configured for the transfer, or None if no notifications were configured. Select the link to see the Session Notifications page. For more information, see View Notification Statistics.

Multiple-Session Transfer

A multiple-session transfer is a smart transfer with more than one destination. In the Activity Overview page, clicking on a multiple-session transfer reveals all sessions in the transfer. To drill down to the particulars of each session, click the Session Detail button to open its Session Detail page.

Optimizing Node Reporting

By default, managed nodes report the filenames of the first 1,000,000 files of a transfer to Console. However, reporting this many filenames, especially if multiple managed nodes are reporting transfer sessions of several thousands of files, can slow transfers. You can decrease the number of filenames that are reported by each endpoint by configuring all managed nodes.

This configuration affects all transfer reporting, including transfers initiated by Aspera Hotfolders and Aspera Sync. The total number of files transferred, completed, failed, and skipped are still reported, but filenames are logged only for the files up to the specified number.

Perform the following steps on every managed node:

1. Decrease the number of files that are reported. Run the following command:

# asconfigurator -x "set_central_server_data;files_per_session,1000"

With this setting, only the first 1000 filenames are reported to Console and logged.

2. Restart asperacentral and asperanoded to activate your changes.

Run the following command in a Terminal window to restart asperacentral:

# /etc/init.d/asperacentral restart

Run the following commands to restart asperanoded:

# /etc/init.d/asperanoded restart

Monitoring Nodes

You can monitor the node status and manage the transfers on a node. Navigating to Nodes from the Console menu will bring you to the list of managed nodes. To view a list of unmanaged nodes, click the List Unmanaged Nodes button. To monitor a node, click on the node.

Monitor Transfers on a Node

On the Node Detail page, the transfer chart shows all inbound and outbound transfers on this node. To control a transfer session, select a session from the graph, and use the control options above the graph to control it.

The table lists all sessions on this node. Use Pause and Cancel to control an ongoing session.

Configuring the Map

You can configure Console to display the locations of your nodes on the dashboard map.

1. Go to Configuration > Map.

2. Select or upload a map image for use on the Console dashboard.

Upload a new map image: Click Upload Map File. Upload the file and then click select. For best results, Aspera strongly recommends using an image with a ratio of 16:9 (for example, 800 x 450).
Select existing map image: Choose one of two default map images or any previously uploaded image as the dashboard map by clicking the select link.

Note: To delete a map image you have uploaded, click the delete link.

3. Configure node to show on map. Edit your node and click the Map tab. Select Show on Map. Click and drag the green icon to its proper location on the map.

The configured nodes appear on the map on the Dashboard. Ongoing transfers between nodes are represented by a line between the nodes.

Access Logs

Once you have created accounts for Console users, you can monitor their activity from the Accounts > Access Log tabs. The User Access Log displays user logins and logouts, concurrent logins and session timeouts.

Search for a Transfer

You can search for a transfer from any page in IBM Aspera Application Platform / Server On Demand (APOD / SOD) by using the search bar in the top right corner of the page. If you want to refine your search, you can access the Advanced Search dialog by selecting the blue drop-down arrow next to the search bar. Console will search all transfers within the last 24 hours for transfers that match the search criteria. For more information about the advanced search form, see Advanced Search.

Monitoring Sync Jobs

Enabling Sync Client Node Reporting

The instructions below describe how to configure the IBM Aspera Sync client reporting to Console when the client is a managed node.

Note: If both client and server involved in a Sync job are Console managed nodes, then reporting can come from either node, both nodes, or neither node using the async_activity_logging setting in aspera.conf. For example, to receive reporting from both the client and server, set async_activity_logging to true on both. The server is reported as the local host. For more information on server reporting, see Enabling Async Server Node Reporting.

Transfer Reporting

The Sync client reports transfers associated with Sync jobs if <async_management_activity_logging> is set to true in aspera.conf, which is the default configuration. The transfer name is listed as the Sync session name. In the example below, the Sync session "ny-push-london" is reported under Transfers.

This setting can be modified by running the following command:

# asconfigurator -x "set_client_data;async_management_activity_logging,value"

Setting the value to false disables reporting transfers associated with Sync jobs to Console. You do not need to restart the Aspera Node API service for the new setting to be activated.

If you are syncing empty directories then no transfers are reported; the creation of the empty directories at the destination is not reported as a transfer.

Sync Job Reporting

The Sync client reports Sync jobs to Console if <async_kvstore_activity_logging> is set to true in aspera.conf. The default value is false, such that no Sync jobs are reported. To modify this setting, run the following command:

# asconfigurator -x "set_client_data;async_kvstore_activity_logging,value"

Sync jobs are listed under Activity > Sync Jobs.

You can click on a Sync job to view more details about the session, including the endpoints, the status of individual file transfers, and the transfer rate. For more information, see Monitor Sync Jobs.

Enabling Async Server Node Reporting

By default, Console does not report transfers with a server that are associated with IBM Aspera Sync jobs or the Sync job information. If the server is a Console managed node and is running IBM Aspera Enterprise Server or IBM Aspera Connect Server version or later, then it can be configured to report transfers and Sync jobs.

1. Enable server activity logging for Sync jobs. Run the following asconfigurator command to enable activity logging for Sync jobs:

# asconfigurator -x "set_node_data;async_activity_logging,true"

This command adds the following text to the <default> section of the aspera.conf file, located at: /opt/aspera/etc/aspera.conf.

<CONF version="2">
  ...
  <default>
    ...
    <async_activity_logging>true</async_activity_logging>
    ...
  </default>
  ...
</CONF>

2. Restart the Aspera Node API service to activate your changes.

# service asperanoded restart

3. Confirm Sync jobs and transfers associated with them are reported in Console. After initiating a sync session, go to Console and go to Activity > Sync Jobs page to monitor the job.

Note: Sync job reporting (from the Sync Jobs screen) may not appear immediately.

Monitor Sync Jobs

To monitor Aspera Sync jobs, you must first configure Console to poll the Node API. For more information, see Enabling Async Server Node Reporting to configure server reporting, and Enabling Sync Client Node Reporting to configure client reporting.

Once you have initiated a Sync transfer, you can monitor it by going to Activity > Sync Jobs. This shows a list of active and recently completed Sync jobs. You can also remove log data from the Sync Jobs page by clicking remove log data.

Note: Sync jobs may not appear immediately.

From the Sync Jobs table, you can view a job's transfer details by clicking the corresponding row. The job's transfer details page displays the following:

Local and remote server details
Session statistics including the number of paths that are synced, pending, conflicted, deleted, or in error state
Transfer rate graph, which is only active during the transfer
Remove log data button, which deletes the job's log data from the Console and Aspera Sync databases.

The example below shows a running Sync job.

Transferring Files

Starting a Simple Transfer

IBM Aspera Application Platform / Server On Demand (APOD / SOD) can be used to initiate transfers between nodes when the Console user has the permission to start transfers. Console provides two types of transfer methods: simple transfers and smart transfers. Simple transfers are one-time transfer sessions that require entering all transfer information. Smart transfers are reusable templates with saved transfer settings.

1. Go to Transfer.

2. Click Simple Transfer.

3. Enter the transfer name and optional comments. The name and comments can be helpful if you want to search for this transfer later.

4. Optional: Add new tags or modify existing tags.
   - Click the button to add a new tag. Enter the tag name and the tag value.
   - Click the button to delete an existing tag.
   - Select the button to prevent a user from changing or deleting the locked tag when starting this transfer.
   For more information about tags, see Working with Tags.
5. In the Source section, click the Connect drop-down menu and select the source node, cluster, or saved endpoint.
   - Node: A node is listed as the node name (by default, its IP address) and IP address. Select the Endpoint type from the drop-down menu and enter your credentials or select your SSH key.
   - Cluster: A cluster is listed as the domain name. Select the Endpoint type from the drop-down menu and enter your credentials.
   - Endpoint: A saved endpoint is listed as login@address and is associated with login credentials for the username or access key. Selecting a saved endpoint does not prompt you for credentials.
6. Select content to transfer by clicking Browse, selecting the content, and clicking Add.
   Note: When browsing the node, you can narrow your search by applying a filter. When specifying a filter, the asterisk (*) is not a wildcard. Any string you enter as a filter is treated as a "search within". In other words, the string "foo" matches "123foo", "foo456", and "123foo456".
   By default, the parent folders of the selected files and folders are not transferred. If a source item is a file, then only the file is transferred. If a source item is a folder, then the folder and its entire contents are transferred. For example, if the source path is aspera/tmp/sent_files, the only folder that will be transferred to the destination is the sent_files folder. Neither /aspera nor /tmp appear at the destination location.
   To transfer only the contents of a selected folder, select Specify base for source path(s) and enter the filepath to the folder. For example, if the source folder is aspera/tmp/sent_files and you specify that same path as the base for source paths, the contents of /sent_files are transferred to the destination directory as separate items that are not contained in a /sent_files folder.
7. In the Destination section, click the Connect drop-down menu and select the source node, cluster, or saved endpoint.
   - Node: A node is listed as the node name (by default, its IP address) and IP address. Select the Endpoint type from the drop-down menu and enter your credentials or select your SSH key.
   - Cluster: A cluster is listed as the domain name. Select the Endpoint type from the drop-down menu and enter your credentials.
   - Endpoint: A saved endpoint is listed as login@address and is associated with login credentials for the username or access key. Selecting a saved endpoint does not prompt you for credentials.
8. Click Browse, select the destination directory, and click Add.
9. Optional: Configure settings in the More Options section. Click the toggle arrow next to each section to view settings.

   Section
   Connection: Configure fasp settings.
   Transfer: Configure transfer rates and policies.
   Security: Encrypt the transfer.

   Section
   File Handling: Configure source file attributes, archive source files after transfer, and set filters for source files.
   Notifications: Configure notification options. For more information on notifications, see Configuring Notifications.
   Advanced: Configure transfer initiator, fasp MTU, and read and write block sizes on source and destination nodes.
   Transfer Time: Schedule your transfer to run Now or Later. If you choose Later, click the button and choose the date and time you want the transfer to run.

   For information on these options, see Simple Transfer Options.
10. Click Transfer to start the transfer (or Schedule if you set a transfer time).

Note: You can cancel scheduled simple transfers by going to Activity > Transfers. Click the Scheduled drop-down menu and select All. In the row for the transfer, click Cancel.

Creating a Smart Transfer

IBM Aspera Application Platform / Server On Demand (APOD / SOD) can be used to initiate transfers between nodes when the Console user has the permission to start transfers. Console provides two types of transfer methods:

simple transfers and smart transfers. Simple transfers are one-time transfer sessions that require entering all transfer information. Smart transfers are reusable templates with saved transfer settings.

1. To create a smart transfer template, go to Transfer > New Smart Transfer.
2. Enter a transfer name.
3. Optional: Select Share this smart transfer to share this smart transfer with any user who has permissions for the transfer paths.
   For more information on sharing smart transfers, see Sharing a Smart Transfer.
4. Optional: Select Allow changes to transfer settings at submit time to allow the user who starts this smart transfer to change settings before submitting the transfer request.
5. Optional: Add new tags or modify existing tags.
   - Click the button to add a new tag. Enter the tag name and the tag value.
   - Click the button to delete an existing tag.
   - Select the button to prevent a user from changing or deleting the locked tag when starting this transfer.
   For more information about tags, see Working with Tags.

The highlighted box in the Smart Transfer Diagram indicates whether you are configuring the Source or Destination for the smart transfer. Make sure Source is selected.

6. Select the source node or saved endpoint from the Connect drop-down menu.

   - Node: A node is listed as the node name (by default, its IP address) and IP address. Select the Endpoint type from the drop-down menu and enter your credentials or select your SSH key.
   - Cluster: A cluster is listed as the domain name. Select the Endpoint type from the drop-down menu and enter your credentials.
   - Endpoint: A saved endpoint is listed as login@address and is associated with login credentials for the username or access key. Selecting a saved endpoint does not prompt you for credentials.
7. Choose your Source directory.
   Click Choose Source Directory to browse the node for the directories and files you want to transfer. Console displays the source path you choose once you have chosen your source directory.
   Note: When browsing the node, you can narrow your search by applying a filter. When specifying a filter, the asterisk (*) is not a wildcard. Any string you enter as a filter is treated as a "search within". In other words, the string "foo" matches "123foo", "foo456", and "123foo456".
8. Select Specify base for source path(s) to place the transferred files directly into the destination folder without its hierarchy of directories.
   The specified base for the source path is removed from the source path when transferring directories. For example, if the source path is /shared_files/projects/presentation, a successful transfer results in the folder destination_folder/shared_files/projects/presentation on the destination node. A successful transfer with "/shared_files/projects" specified as the base path results in the folder destination_folder/presentation on the destination node.
   For more information on specifying a base path, see Specify Base for Source Path.
9. Select one of the following file-transfer rules from the Items to transfer drop-down list:
   - Always transfer the entire directory: The transfer always transfers all files in the source directory.
   - Allow initiator to select items when starting manually: The user starting this smart transfer can choose the items in the directory included in the transfer.
10. Expand the settings under More Options to configure additional settings. Click the toggle arrow next to each section to view settings.

   Section
   Connection: Configure fasp settings.
   Transfer: Configure transfer rates and policies.
   Security: Encrypt the transfer.
   File Handling: Configure source file attributes, archive source files after transfer, and set filters for source files.
   Notifications: Configure notification options. For more information on notifications, see Configuring Notifications.
   Advanced: Configure transfer initiator, fasp MTU, and read and write block sizes on source and destination nodes.
   Transfer Time: Schedule your transfer to run Now or Later. If you choose Later, click the button and choose the date and time you want the transfer to run.

   For more information on these options, see Smart Transfer Options.

The highlighted box in the Smart Transfer Diagram indicates whether you are configuring the Source or Destination for the smart transfer. Make sure a Destination is selected. You can create additional destination endpoints by clicking the button. To remove a destination, click the button inside the destination box.

11. Select the destination node or saved endpoint from the Connect drop-down menu.
   - Node: A node is listed as the node name (by default, its IP address) and IP address. Select the Endpoint type from the drop-down menu and enter your credentials or select your SSH key.
   - Cluster: A cluster is listed as the domain name. Select the Endpoint type from the drop-down menu and enter your credentials.
   - Endpoint: A saved endpoint is listed as login@address and is associated with login credentials for the username or access key. Selecting a saved endpoint does not prompt you for credentials.
12. Select your Destination directory.
   Click Choose Destination Directory to browse the node for the directories and files you want to transfer. Console displays the source path you choose once you have chosen your source directory.

   Note: When browsing the node, you can narrow your search by applying a filter. When specifying a filter, the asterisk (*) is not a wildcard. Any string you enter as a filter is treated as a "search within". In other words, the string "foo" matches "123foo", "foo456", and "123foo456".
13. Optional: Allow the user starting this smart transfer to change the directory on this destination node.
   The Change Destination Path button appears for a destination with this option enabled.
14. Optional: Allow the user starting this smart transfer to remove this destination node.
   The button appears for a destination with this option enabled.
15. Optional: Configure additional settings for this individual destination node.
   Note: This option is only available for a smart transfer with multiple destination nodes.
   Select Set transfer options individually for this destination. The More Options appears at the bottom of the page.

   Section
   Connection: Configure fasp settings.
   Transfer: Configure transfer rates and policies.
   Security: Encrypt the transfer.
   File Handling: Configure source file attributes, archive source files after transfer, and set filters for source files.
   Notifications: Configure notification options. For more information on notifications, see Configuring Notifications.
   Advanced: Configure transfer initiator, fasp MTU, and read and write block sizes on source and destination nodes.

   For information on these options, see Smart Transfer Options.
16. Click Save.

Once a smart transfer template has been saved, it is accessible from the Transfer page. Go to Transfer to start, edit, copy, and delete existing smart transfers.

Starting a Smart Transfer

IBM Aspera Application Platform / Server On Demand (APOD / SOD) can be used to initiate transfers between nodes when the Console user has the permission to start transfers. Console provides two types of transfer methods: simple transfers and smart transfers. Simple transfers are one-time transfer sessions that require entering all transfer information. Smart transfers are reusable templates with saved transfer settings.

1. Go to Transfer to see all the smart transfers you have permission to access.
   For instructions on creating a smart transfer, see Creating a Smart Transfer.
2. Find the smart transfer listed under Saved Smart Transfers and click Start.
3. Optional: Modify the Transfer Name and leave a comment describing the transfer.
4. Optional: Add new tags or modify existing tags.

   - Click the button to add a new tag. Enter the tag name and the tag value.
   - Click the button to delete an existing tag.
   Locked tags are greyed out and cannot be modified. For more information, see Working with Tags.
5. Optional: Configure notification options.
   Expand the Notifications section. Add or delete addresses and configure notifications for existing addresses. For more information, see Configuring Notifications.
6. Optional: Schedule the transfer to run Now or Later.
   If you choose Later, click the button and choose the date and time you want the transfer to run.
7. Click Start.

Sharing a Smart Transfer

Smart transfers are reusable templates with saved settings. The primary use case for sharing smart transfers is to set up pre-defined transfers for non-admin users to run. You can decide what transfers a user can monitor and start by limiting the user's permissions and access to a smart transfer.

By default, shared transfers require you to use endpoints created by an admin using the Edit Nodes > Endpoints page. Once configured in Console settings, you can also share smart transfers saved with personal login credentials and domain names. For more information about sharing smart transfers with personal logins, see Sharing a Smart Transfer with Personal Login Credentials.

Note: These instructions assume you know how to configure a smart transfer. For more information, see Creating a Smart Transfer.

1. Create endpoints on the nodes you want to use for this smart transfer.
   For detailed instructions, see Adding Endpoints.
   Tip: To use domain names as transfer endpoints, create an unmanaged node using a domain name, then add an Endpoint to this unmanaged node.
2. Go to Transfer and click New Smart Transfer.

3. Select Share this smart transfer.
   Note: When creating a smart transfer with Any as an endpoint, you must first save the smart transfer before selecting Share this smart transfer.
4. Select endpoints for the Source and Destination.
   Tip: Create new personal saved endpoints by selecting the desired node and entering the SSH user login credentials.
5. Finish configuring the smart transfer. Click Save when finished.
6. Enable a user to start this smart transfer.
   - Create a group with permissions to start smart transfers for this transfer path (see Creating Console Groups).
   - Add the user to this group (see Creating Console Users).

Admin users have permissions to all transfers and do not need to be added to a group to use a shared smart transfer. By default, admins do not have the ability to edit Smart Transfers that are shared with them but owned by another admin. To enable admins to edit each other's smart transfers, go to Configuration > Defaults and select Smart Transfer Editing: Allow administrators to edit each other's Smart Transfers.

Note: Even with this feature enabled, admins can only edit smart transfers that do not contain personally saved login credentials.

Tip: Editing another admin's smart transfer changes ownership of the smart transfer to the admin who made the last change.

Sharing a Smart Transfer with Personal Login Credentials

Smart transfers are reusable templates with saved settings. The primary use case for sharing smart transfers is to set up pre-defined transfers for non-admin users to run. You can decide what transfers a user can monitor and start by limiting the user's permissions and access to a smart transfer.

By default, shared transfers require you to use endpoints created by an admin using the Edit Nodes > Endpoints page. Once configured in Console settings, you can also share smart transfers saved with personal login credentials and domain names. Personal login credentials are automatically created and saved when a user creates a transfer, chooses a node, and enters authentication credentials for an SSH user on that node. The following describes how to share a smart transfer with personal login credentials.

Note: These instructions assume you know how to configure a smart transfer. For more information, see Creating a Smart Transfer.

1. Go to Configuration > Defaults and select Smart Transfer Sharing.
2. Create a new smart transfer, select Share this smart transfer.

   Note: When creating a smart transfer with Any as an endpoint, you must first save the smart transfer before selecting Share this smart transfer.
3. Select personal saved endpoints for the Source and Destination.
   If you have no personal saved endpoints, create a new one by selecting the desired node and entering the SSH user login credentials.
4. Finish configuring the smart transfer. Click Save when finished.
5. Enable a user to start this smart transfer.
   - Create a group with permissions to start smart transfers for this transfer path (see Creating Console Groups).
   - Add the user to this group (see Creating Console Users).

Admin users have permissions to all transfers and do not need to be added to a group to use a shared smart transfer. By default, admins do not have the ability to edit Smart Transfers that are shared with them but owned by another admin. To enable admins to edit each other's smart transfers, go to Configuration > Defaults and select Smart Transfer Editing: Allow administrators to edit each other's Smart Transfers.

Note: Even with this feature enabled, admins can only edit smart transfers that do not contain personally saved login credentials.

Tip: Editing another admin's smart transfer changes ownership of the smart transfer to the admin who made the last change.

Queue Transfers

Overview

The Console queueing feature provides two useful capabilities:

- Admins can limit the number of Console-initiated transfers that can run concurrently for a given destination or from a given source. This can be useful if network connections have limited bandwidth or if particular destination nodes have difficulty handling more than a small number of transfers at a time. For example, if the concurrency limit for a connection is "2", and two transfers are in progress, any new transfers initiated while the first two are still in progress will be queued in the order in which they were initiated.
- All users can change the priority order of queued and in-progress transfers. This can be useful in situations where users need to respond to emergencies or shifting priorities.

Important: Queueing only applies to transfers started from Console or via its API. Transfers started outside Console are not subject to queueing and do not count towards concurrency limits.

Concurrency limits are always assigned on a per-node basis, and per outbound or inbound direction. However, the overall, actual limit on a set of concurrent transfers between two nodes is governed by the node with the lowest limit. That is, if NodeA has an outbound limit of "2" and NodeB has an inbound limit of "1", concurrent transfers from NodeA to NodeB are limited to one transfer at a time, with subsequent transfers queued up in the order in which they were initiated.
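The per-node, per-direction limits described above can be modelled as follows. This is an added example, not Console's scheduler or code: the `Node` struct, `effective_limit`, `start_waves`, the node limits and the transfer ids are constructed for illustration, and the model assumes each transfer takes one outbound slot on its source and one inbound slot on its destination, with every running transfer finishing before the next wave starts.

```ruby
# Added illustration of the queueing rules; not Console code.
# A nil limit means "Limit concurrency" is not selected for that direction.
Node = Struct.new(:name, :inbound_limit, :outbound_limit)

# Effective cap on concurrent src -> dst transfers: the lower of the two limits.
# Returns nil when neither side limits concurrency.
def effective_limit(src, dst)
  [src.outbound_limit, dst.inbound_limit].compact.min
end

def free_slot?(limit, used)
  limit.nil? || used < limit
end

# transfers: [[id, src, dst], ...] in the order they were initiated from Console.
# Transfers started outside Console are simply absent from this list, because
# they are not queued and do not count towards the limits.
# Returns the successive "waves" of transfer ids that are allowed to start.
def start_waves(transfers)
  pending = transfers.dup
  waves = []
  until pending.empty?
    out_used = Hash.new(0)
    in_used = Hash.new(0)
    started, waiting = pending.partition do |_id, src, dst|
      ok = free_slot?(src.outbound_limit, out_used[src.name]) &&
           free_slot?(dst.inbound_limit, in_used[dst.name])
      if ok
        out_used[src.name] += 1
        in_used[dst.name] += 1
      end
      ok
    end
    break if started.empty? # a limit of 0 would never admit anything
    waves << started.map(&:first)
    pending = waiting
  end
  waves
end

# Constructed sample: NodeA may send 2 at a time, NodeB may receive 1, NodeC is unlimited.
NODE_A = Node.new("NodeA", nil, 2)
NODE_B = Node.new("NodeB", 1, nil)
NODE_C = Node.new("NodeC", nil, nil)
SAMPLE = [["t1", NODE_A, NODE_B], ["t2", NODE_A, NODE_B],
          ["t3", NODE_A, NODE_C], ["t4", NODE_A, NODE_C]].freeze

if __FILE__ == $PROGRAM_NAME
  puts "NodeA -> NodeB effective limit: #{effective_limit(NODE_A, NODE_B)}"
  start_waves(SAMPLE).each_with_index { |w, i| puts "wave #{i + 1}: #{w.join(', ')}" }
end
```

In the sample, t2 waits on NodeB's inbound limit while t4 waits on NodeA's outbound limit, so the two queued transfers are held back by different nodes.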

Adjusting the Queueing Properties of In-Progress Transfers

If queuing is enabled on a node (see Configuring Queues for Nodes), the queueing properties of in-progress transfers can be adjusted in several ways:

- Their relative priorities can be raised or lowered.
- They can be paused and resumed.
- The concurrency limit in effect can be raised or lowered.
- Concurrency (and therefore queueing) can be disabled completely.

These adjustments can be made while monitoring the node from the Node Detail page. You can view the Node Detail page by going to Nodes and clicking on the node.

Tip: You can also reach this page from the Queueing page on the current queue contents link next to an enabled concurrency limit.

On the Node Detail page, below the transfer chart, you may see the Inbound Queue tab, the Outbound Queue tab, or both. These tabs are visible if the node is configured with inbound or outbound queueing. Clicking the tab displays the node's inbound or outbound transfers - both those currently in progress and those in the queue. To view past transfers, open the Transfers tab. The Transfers tab also shows both outbound and inbound transfers, but does not include controls to promote, demote, pause, or resume transfers.

Controlling In-Progress Transfers

Icon / Action
- Pause Transfer
- Resume Transfer
- Promote Transfer to Highest Priority
- Promote Transfer
- Demote Transfer
- Demote Transfer to Lowest Priority
- Cancel Transfer
- Highlight this session on the graph

Configuring Queues for Nodes

Both managed and unmanaged nodes can be configured for queuing. For more information on queuing, see Queue Transfers.

1. Go to Nodes. Find your node in the Managed Nodes or Unmanaged Nodes page. Click edit and then click Queueing.
2. Enable queueing by selecting Limit concurrency (disabled by default) for Inbound Transfers.
3. Choose the maximum number of concurrent transfers allowed for this node. The default setting is "1".
4. Repeat the previous two steps for Outbound Transfers.
5. Click Update.

In the example below, queueing is disabled for inbound transfers. For outbound transfers, queueing is enabled for at most three transfers in progress at the same time.

Configure Failover Groups

Overview

A failover group contains a group of different nodes that act as substitutes for the original node in the case that the original node becomes unavailable. When a node goes offline, Console also restarts any transfers in progress on that node, submitting them to a different node in the group.

Note: Transfer failover only activates if the status of a node is set to error. Transfers that are inactive do not failover.

Node Requirements

Nodes must have identical passwords, transfer accounts, and docroots to be grouped together. Make sure each node has identical configurations for each item in the following list before adding them to a failover group:

- System User Accounts
- Transfer User Accounts
- Node API User Accounts
- Docroots
- Endpoints on Console
- Directory Structure

Adding a Node to a Failover Group

When adding or editing a node, select Enable failover and load balancing for Console-initiated transfers on this node. Add the node to an existing group or select enter new name from the Failover Group Name drop-down menu to create a new group.

If you select enter new name, enter a new failover group name in the prompt.

Endpoint Synchronization

Editing an endpoint on a node of a failover group makes those changes to the same endpoint on the other nodes in the failover group.

Note: Only saved and synchronized endpoints should be selected as a destination when starting a transfer.

Configuring Load Balancing

Go to Configuration > Console Defaults and configure the Failover / Load balancing Behavior option.

- Failover + Load Balancing: The transfer uses the least busy nodes first.
- Failover only: The transfer uses the original endpoints that the user specified.

Creating a Cookie Parsing Rule

Note: Cookie configuration applies only to the use of custom cookies. Console does not apply parsing rules to cookies it recognizes as standard cookies used by Aspera products.

In an ascp command-line transfer, you can specify the transfer cookie with an environment variable.

    set ASPERA_SCP_COOKIE=custom_cookie

Using a rule, Console can match the set cookie string and then substitute it for selected transfer information.

1. Go to Configuration > Cookies. Click New Rule.
2. Name the rule.
3. Configure the cookie.
   Enter the regular expression Console uses to filter transfers. If this string matches a transfer, Console includes the cookie in the transfer and the information in the other fields is used in the transfer session.
   Tip: The format used for regular expression is the RUBY format described here: core/regexp.html.
4. Configure the cookie with the following information:

   Field
   Started via: Name of the transfer initiator.
   Contact description of this transfer initiator.
   Transfer name: Name for this transfer.
5. Click Create.

When you have multiple cookie parsing rules, Console uses the first rule listed that matches the cookie string. To modify the order of the parsing rules, drag-and-drop the rules in the list.
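The first-match rule ordering above, and the capture-group rule (`MyCustomCookieRule`) that this section goes on to show, can be exercised offline with the following added example; it is a model written for this page, not Console's implementation. The `Rule` struct, `expand`, `apply_rules`, the stricter `STRICT_RULE` and all cookie strings are constructed, and the example assumes the `/1`, `/2`, `/3` placeholders are replaced by the matching capture groups.

```ruby
# Added illustration of cookie parsing rules; not Console code.
Rule = Struct.new(:name, :regexp, :started_via, :contact, :transfer_name)

# Replace "/1", "/2", "/3" placeholders (as written on this page) with capture groups.
def expand(template, match)
  template.gsub(%r{/(\d)}) { match[Regexp.last_match(1).to_i].to_s }
end

# Rules are tried top to bottom; the first rule whose regexp matches wins.
def apply_rules(rules, cookie)
  rules.each do |rule|
    m = rule.regexp.match(cookie)
    next unless m
    return { rule: rule.name,
             started_via: expand(rule.started_via, m),
             contact: expand(rule.contact, m),
             transfer_name: expand(rule.transfer_name, m) }
  end
  nil # no custom rule matched
end

# The rule from this page, unchanged.
PAGE_RULE = Rule.new("MyCustomCookieRule",
                     /^setcustomfields:(.+?):(.+?):(.+?):$/, "/1", "/2", "/3")

# Constructed stricter variant: \A and \z anchor to the whole string (in Ruby,
# ^ and $ anchor to each line), and fields may not contain ':' or a line break.
STRICT_RULE = Rule.new("StrictCustomCookieRule",
                       /\Asetcustomfields:([^:\n]+):([^:\n]+):([^:\n]+):\z/,
                       "/1", "/2", "/3")

# Constructed broad rule, used to show shadowing when it is listed first.
BROAD_RULE = Rule.new("AnyCustomCookie", /^setcustomfields:/, "Legacy app", "n/a", "unnamed")

COOKIE_OK        = "setcustomfields:My App:My Contact:My Transfer:"
COOKIE_EXTRA     = "setcustomfields:ops:alice:nightly:extra:"   # four fields, not three
COOKIE_MULTILINE = "unrelated\nsetcustomfields:a:b:c:"          # embedded line break

if __FILE__ == $PROGRAM_NAME
  [COOKIE_OK, COOKIE_EXTRA, COOKIE_MULTILINE].each do |c|
    puts "#{c.inspect}\n  page rule:   #{apply_rules([PAGE_RULE], c).inspect}" \
         "\n  strict rule: #{apply_rules([STRICT_RULE], c).inspect}"
  end
  puts "broad rule first: #{apply_rules([BROAD_RULE, PAGE_RULE], COOKIE_OK).inspect}"
end
```

With the page's lazy `(.+?)` groups the last field absorbs any extra colon-separated text, and a broad rule placed higher in the list hides a more specific one below it, so rule order and anchoring both determine what appears in Started via, Contact description and Transfer name.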
If two rules have identical regular expressions, the rule that is higher in the list is applied.

It is possible to capture parts of the cookie and reuse the value in the three parameters. For instance to enable setting the three transfer fields directly from the initiating application, one can fill in the fields with the following configurations:

   Field
   Rule name: MyCustomCookieRule
   Regexp: ^setcustomfields:(.+?):(.+?):(.+?):$
   Started via: /1

   Field
   Contact description: /2
   Transfer name: /3

For example, the following cookie replaces Started via with "My App", Contact description with "My Contact", and Transfer name with "My Transfer".

    set ASPERA_SCP_COOKIE="setcustomfields:My App:My Contact:My Transfer:"

Running Reports

Creating a Basic Report

Console allows you to create and export custom reports, as well as apply filters and scheduling options. The steps below demonstrate how to configure new, basic reports. To view an example of a basic report, see the three samples in this topic. To learn about creating advanced reports within Console, see Creating an Advanced Report.

To create an advanced report, click the New Advanced button instead. You can also copy and edit Console's built-in, advanced reports, which are listed on the Manage Report Types page. For further information on advanced reporting, see Creating an Advanced Report.

1. Go to Reports > Manage Report Types. Click the New Basic button.
2. Enter a name for your report (limited to 75 characters) and a detailed description about the report.
3. Choose the level of detail to show on your report.
   Select a field from the drop-down list to be used as the basis for organizing your report. Console generates a report with a row for each item that matches a chosen field. If you choose more than one field, Console generates a multi-level report. The data in the generated report is grouped in ascending order by the fields selected from the drop-down list.
   For example, if you select Client address, the data in the report is grouped by the transfer initiator IP addresses. For example, Console groups the five transfers initiated by IP Address 1 in the first grouping, the three transfers initiated by IP Address 2 in the second grouping, and so on.
   Note: Once a field is selected, the drop-down list updates automatically to allow for multiple levels of organization. To remove a level of organization, click the Remove link that appears next to the selected field.
   The drop-down list includes all Console built-in fields and custom fields. For a list of built in fields, see Reference: Basic Report Organization Options. For more information on custom fields, see Creating Custom Fields.
4. Select the data columns to include in your report. These include built-in and custom fields.
   Select whether to use basic fields only or both basic fields and advanced fields from the Available Columns dropdown menu. Use the blue arrows to add and remove selected data columns.
   Note: The columns available in the list are determined by the organizational fields chosen in the step before.
5. Configure result sorting.
   Select fields to sort by and whether to sort the data in ascending or descending order. Grouping and sorting options appear based on the data columns that you chose to include in the report. By default, the report is sorted by the organization field selected in the previous step.
6. Add a filter to show only results matching the entered value.
   For detailed information on Console's filters, please see Reference: Reporting Filters.
7. Create your report. You can also run it at this time.

   - Click Create: Save the report without running it. You are redirected to the Manage Report Types page where you can see the new report in the list of reports. Custom reports have edit and delete links, which differentiate them from Console's built-in reports. Both custom reports and built-in reports include a copy link for duplicating the report and a run link to view run settings and generate the report.
   - Click Create and Run: Save the report and run it. The new report is added to the Manage Report Types page, but first, you are redirected to the New Report page where you must finalize the report run settings and click the Run Report button to run the report.

Creating an Advanced Report

The following instructions describe how to create advanced reports. To view an example of an advanced report, see Advanced Report Example: Transfer Sessions with High Packet Loss. For more information about creating basic reports, see Creating a Basic Report.

Important: Aspera recommends you read through the Advanced Report Usage Notes before configuring an advanced report.

1. Go to Reports > Manage Report Types. Click the New Advanced button.
   Note: You may also modify an advanced report by clicking the edit action for an advanced report that is listed on the Manage Report Types page.
2. Enter a name for your report (limited to 75 characters) and a detailed description about the report.
3. Configure the SQL script text.
   For information on available SQL variables or database field references, click on the Help link. For a list of available reference variables, see:

   - Reference: SQL Variables for Advanced Reports
   - Reference: Database Fields for Advanced Reports, Creating Custom Fields

   When creating advanced reports, you may specify a custom variable within the WHERE clause (for example, $custom_variable). Once declared within the SQL script text, you can view and edit the variable by clicking Edit Parameters on the Edit Advanced Report Template page. You are prompted to enter a value for the variable when you run the report.
4. Optional: Add a filter in the WHERE section of your script.
   For example, this example script filters out transfers that do not have a reported policy and transfers that do not fall within the specified date range.

       ...
       WHERE
         ts.reported_policy IS NOT NULL
         AND ts.started_at < '$REPORT_PERIOD_END'
         AND (
           ts.stopped_at >= '$REPORT_PERIOD_START'
           OR ts.stopped_at IS NULL
         )
       ...

   For a list of available SQL variables you can use, see Reference: SQL Variables for Advanced Reports.
5. Create your report. You can also run it at this time.
   - Click Create: Save the report without running it. You are redirected to the Manage Report Types page where you can see the new report in the list of reports. Custom reports have edit and delete links, which differentiate them from Console's built-in reports. Both custom reports and built-in reports include a copy link for duplicating the report and a run link to view run settings and generate the report.
   - Click Create and Run: Save the report and run it. The new report is added to the Manage Report Types page, but first, you are redirected to the New Report page where you must finalize the report run settings and click the Run Report button to run the report.

Finalizing and Running a Report

Console requires you to finalize the report's run settings before running a report.

1. You can initiate finalizing and running a report in the following ways:
   - After configuring your basic or advanced report, click Create and Run.
   - Go to Reports > Manage Report Types from the Console menu and click the run link from the Actions column.
   - Go to Reports > Run a Report. Select a built-in or custom report from the list.
   - Go to Reports and click the rerun link from the Actions column for a recently run report.
   You are redirected to the New Report page.
2. Name the report.
3. Run the report now or schedule it to run later.
   - Select Run Now: Run this report immediately.
   - Select Run Later: Schedule a report by setting the run date. You may also select Repeat to schedule a repeating report.
4. Define the report period.

   Option
   Report on: Select a pre-defined time period from the drop-down list.

58 Working with IBM Aspera Console 58 Option last hour last 24 hours last week month to date last month custom Start date Select the start date of this report. You must select custom in the dropdown menu to modify this field. End date Select the end date of this report. You must select custom in the dropdown menu modify this field. Time zone Select the time zone for this report. 5. Enter values for your custom SQL variables under Report Parameters. If there are no values, no custom variables were specified for this report. For more information on custom variables, see Editing Custom Variables. 6. Optional: Enter an address and click the Add button to a recipient a copy of this report. After adding an address, select whether the report is sent as an XLSX or a CSV file. 7. Optional: Choose additional file formats (XLSX and CSV). These files can be downloaded after the report has been generated. 8. Click Run Report after finalizing your settings. Your generated report is listed on the Scheduled and Recently Run Reports page. When viewing your report, you have the following options: For a custom report, click Edit Report Type to configure report. To run the report again, click Rerun. If you chose to export your report in CSV or XLSX, click the respective button to download the files. Editing Custom Variables When creating advanced reports, you can specify a custom variable within the WHERE clause. For example, to create a search by contact, enter:... WHERE contact = '$CONTACT_MATCH'; # $CONTACT_MATCH is the custom variable.... Once you declare the variable within the SQL script text, you can view and edit the variable on the Edit Advanced Report Template page. 1. To edit a custom SQL variable used in an advanced report, go to Reports and click the Manage Report Types button. Find the advanced report and click edit. Click Edit Parameters. 2. Find the custom variable you want to configure and click edit. 3. Select the desired variable type from the Type drop-down menu. 
Variable Type | Description
string | The value of this variable must be a string.
integer | The value of this variable must be an integer.
date | The value of this variable must be a valid date. Click the calendar icon to select a valid date.
ip | The value of this variable must be a valid IP address.

4. Optional: Allow the user running the report to leave the variable undefined by clearing Is field required?. Custom variables are required by default. If Is field required? is selected, a user running this report is required to enter a value for the custom variable to run the report.

Note: If the custom variable is not required and it is used with the AND operator, then write the report query as follows:

    ...
    WHERE ... AND ( t.status = '$FOO' OR '$FOO' = '' )
    ...

Failure to include OR '$FOO' = '' results in an empty report because the data is filtered by t.status = '', which is always false.

5. Optional: Define the variable name that is displayed when Console asks for the value of this variable. For example, if you want to search by contacts and included a custom variable named $CONTACT_MATCH in your SQL script, Console by default prompts the user running the report to enter a value for "Contact Match." If you enter "User Name" in the Label field, Console asks for a value called "User Name" instead and matches the result to $CONTACT_MATCH.

6. Optional: Add a hint to remind the user of the purpose of this variable. Continuing the previous example, if your custom variable, $CONTACT_MATCH, is used to search your database for contacts matching the value of this variable, a possible hint is: "Search by this CONTACT name." When running the report, the user is prompted with the following:

7. When finished, click Update.

Creating Custom Fields

Custom fields are used to specify rules for automatically populating fields in basic and advanced reports.

1. Go to Configuration > Custom Fields.

2. Click New Custom Field.

3. Select transfer or file from the Level drop-down list, depending on whether the new custom field stores transfer- or file-related content.

4. Enter a name for the custom field. The name must be unique and lowercase. The resulting SQL name is prefixed with "cf_". For example, the field name "metadata" appears as "cf_metadata".

Note: Custom fields appear in the database with the "cf_" prefix. Custom fields are utilized in the $TBL_FILES and $TBL_TRANSFER tables.

5. Enter the start date (date on which to start custom field calculation).

6. Enter a custom field description.

7. Click Create.

8. Create and associate new rules for your custom field. Rules are conditions that define when the custom field comes into effect. To set up the rule's conditions, configure the following settings:

Select a built-in field from the drop-down list.
Enter an operator.
Enter an expression.
Enter the value Console uses to populate the custom field if conditions are met.

For a list of field names and definitions, see Reference: Built-In Fields for Custom Field Rules. For example, to create a custom field that is populated with your company name, create a new custom field and associate it with the following rule:

9. Click Create.

For each custom field, you can create multiple rules that populate with different values based on various conditions. When multiple rules are present, Console uses the first rule listed (as long as it matches the condition). To modify the order of the custom field rules, use the drag-and-drop function to move the rules in the list.

When creating an advanced report, you can find your available custom fields by clicking the Help link in the SQL Script Text section.
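The note under Editing Custom Variables says an optional variable must be written as ( t.status = '$FOO' OR '$FOO' = '' ). The following Python sketch is an added example, not Console's own code: it emulates textual substitution of type-checked report parameters and runs both query forms against an in-memory SQLite table. The table t, its rows, the MIN_BYTES variable and the validation rules are constructed assumptions; the page does not document how Console substitutes values.

```python
import ipaddress
import re
import sqlite3
from datetime import date

# Constructed sample rows standing in for transfer records: (id, status, bytes).
ROWS = [(1, "completed", 500), (2, "error", 800),
        (3, "completed", 50), (4, "cancelled", 900)]

# Hypothetical parameter declarations using the page's four variable types.
# "required" mirrors the "Is field required?" checkbox.
SPECS = {
    "FOO": {"type": "string", "required": False},
    "MIN_BYTES": {"type": "integer", "required": True},
}

# Query written without the empty-value clause.
STRICT = ("SELECT id FROM t WHERE t.bytes >= $MIN_BYTES "
          "AND t.status = '$FOO' ORDER BY id")
# Query written the way the note recommends for an optional variable.
OPTIONAL = ("SELECT id FROM t WHERE t.bytes >= $MIN_BYTES "
            "AND ( t.status = '$FOO' OR '$FOO' = '' ) ORDER BY id")

VAR = re.compile(r"\$([A-Z_][A-Z0-9_]*)")


def validate(name, value, spec):
    """Check value against its declared type; return text safe inside '...'."""
    if value == "":
        if spec["required"]:
            raise ValueError(f"{name} is required")
        return ""
    kind = spec["type"]
    if kind == "integer":
        if not re.fullmatch(r"-?[0-9]+", value):
            raise ValueError(f"{name} must be an integer")
    elif kind == "date":
        # Assumes ISO input (YYYY-MM-DD); raises ValueError otherwise.
        value = date.fromisoformat(value).isoformat()
    elif kind == "ip":
        value = str(ipaddress.ip_address(value))
    elif kind == "string":
        # MySQL treats backslash as an escape character, SQLite does not;
        # rejecting it keeps the quoting rule below valid on both.
        if "\\" in value:
            raise ValueError(f"{name} must not contain a backslash")
    else:
        raise ValueError(f"{name} has unknown type {kind!r}")
    # Double any single quote so the value cannot close the SQL string literal.
    return value.replace("'", "''")


def render(template, values, specs=SPECS):
    """Substitute every $NAME in the SQL text with its validated value."""
    def replace(match):
        name = match.group(1)
        if name not in specs:
            raise KeyError(f"undeclared variable ${name}")
        return validate(name, values.get(name, ""), specs[name])
    return VAR.sub(replace, template)


def run_report(template, values):
    """Run the rendered query on the constructed table; return matching ids."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE t (id INTEGER, status TEXT, bytes INTEGER)")
    db.executemany("INSERT INTO t VALUES (?, ?, ?)", ROWS)
    try:
        return [row[0] for row in db.execute(render(template, values))]
    finally:
        db.close()


if __name__ == "__main__":
    empty = {"MIN_BYTES": "100", "FOO": ""}
    print("strict, FOO empty:  ", run_report(STRICT, empty))
    print("optional, FOO empty:", run_report(OPTIONAL, empty))
    print("optional, FOO set:  ",
          run_report(OPTIONAL, {"MIN_BYTES": "100", "FOO": "error"}))
```

With FOO left empty, the first query filters on t.status = '' and returns nothing, while the second returns every row that passes the other conditions.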

For an example of using a custom field in a report, see Advanced Report Example: Transfer Sessions with High Packet Loss.

Configuring SSH Keys

SSH Keys

SSH keys provide a more secure way to authenticate than using passphrases. Console generally uses SSH keys for two purposes:

Authentication to administer and configure a node.
Authentication to make a transfer from one node to another.

You can store keys and find a list of existing keys by navigating to the SSH Private Key page in either of two locations:

Personal Preferences: Select Preferences from the drop-down menu next to your username in the upper right-hand corner. Then, select the SSH Keys tab.
Console Configuration: Go to Configuration > SSH Keys from the Console menu.

For more information on storing keys, see Storing SSH Keys on Console.

The steps for using an SSH key differ depending on whether you are using the key to make a transfer or to make a transfer to nodes with endpoints that use SSH keys.

Using SSH Keys in Transfers

A user must add an SSH key in his personal preferences before he can use that key in a transfer. Even if the SSH key is configured in Console Configuration settings, if the user did not add the key in his personal preferences, the key does not appear when he enters the credentials for a node to set up a transfer.

Making Transfers to Nodes With Endpoints that Use SSH keys

When making transfers to nodes with endpoints using SSH keys, the transfer user on the initiating node also needs to have the private key in the .ssh folder. For a walkthrough of this process, see Transferring Files with an Endpoint Using SSH Keys.

Storing SSH Keys on Console

Console uses a node machine's private key to authenticate into the machine using public key authentication. You must first store in Console the private key paired with the public key on the node machine. You can store private keys privately in your user preferences or globally in Console configurations. These SSH keys can then be used to authenticate endpoints or transfers.

1. Go to your private SSH keys or Console's stored SSH keys.

Personal Preferences: Select Preferences from the drop-down menu next to your username in the upper right-hand corner. Then, click the SSH Private Keys tab.
Console Configuration: Go to Configuration > SSH Keys.

Click New SSH Private Key.
Enter a descriptive name to represent the SSH key in Console.
Enter the filename of the key as it exists on the node. Do not include the directory.
Upload the private key file provided by the node administrator.
Enter and confirm the passphrase of the key, if any.
Click Save.
Click Test to test the new SSH private key. Provide the following information:

The address of the computer that has the paired public key installed in their authorized_keys file.
The corresponding user name.

Then, click Connect with SSH Key to test against the computer.

Tip: If the connection fails, contact the node administrator to make sure the public key is properly installed in the authorized_keys file.

Transferring Files with an Endpoint Using SSH Keys

The objective of this example is to set up two nodes in Console to transfer files from one node to the other using public key authentication.

User A: Transfer user found on Node A.
User B: Transfer user found on Node B.
Node A: The node initiating the transfer. This node holds the private key.
Node B: The node receiving the files. This node holds the public key matching the private key in Node A. We set up an endpoint using SSH keys for this node.

Note: For the purpose of this example, both nodes are Linux machines.

1. Generate a private key as User A on Node A with the following command:

    # ssh-keygen -t rsa

Choose the default location to store this new private key (Default is ~/.ssh).

2. Make sure User A has read and write permissions for the private key file.

    $ chmod 600 ~/.ssh/id_rsa
    $ chmod 644 ~/.ssh/id_rsa.pub

3. Copy the SSH public key into User B's authorized_keys file on Node B.

    # cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

4. In Console, add Node A as a managed node and Node B as an unmanaged node.

5. Go to Configuration > SSH Keys and upload the private key to Console. This key should be paired with the public key copied to Node B.

6. Go to Nodes and edit Node B. Click Endpoints and add a new endpoint. Choose to use the SSH key that was uploaded to Console.

7. Make a transfer from User A on Node A to the saved endpoint on Node B.

Working With SSL

Installing a Signed SSL Certificate Provided by Authorities

In a default IBM Aspera Application Platform / Server On Demand (APOD / SOD) installation, Apache/nginx generates and uses a self-signed SSL certificate. You can find this certificate at the following location:

    /opt/aspera/etc/aspera_server_cert.pem
    /opt/aspera/common/apache/conf/server.crt
    /opt/aspera/common/apache/conf/server.key

To set up a signed SSL certificate, follow these steps:

1. Enter the OpenSSL command to generate your Private Key and Certificate Signing Request (CSR).
Run the following command (where key_name.key is the name of the unique key that you are creating and csr_name.csr is the name of your CSR):

    $ openssl req -new -nodes -newkey rsa:2048 -keyout key_name.key -out csr_name.csr

After entering the command, you are prompted to enter several pieces of information, which are the certificate's X.509 attributes.

Important: The Common Name field must be filled in with the fully qualified domain name of the server to be protected by SSL. If you are generating a certificate for an organization outside of the US, see for a list of 2-letter, ISO country codes.

    Generating a 1024 bit RSA private key
    writing new private key to 'my_key_name.key'
    ----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    ----
    Country Name (2 letter code) [US]:Your_2_letter_ISO_country_code
    State or Province Name (full name) [SomeState]:Your_State_Province_or_County
    Locality Name (eg, city) []:Your_City
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your_Company
    Organizational Unit Name (eg, section) []:Your_Department
    Common Name (i.e., your server's hostname) []:secure.yourwebsite.com
    Email Address []:johndoe@yourwebsite.com

Note: You are prompted to enter "extra" attributes, including an optional challenge password. Manually entering a challenge password when starting the server can be problematic in some situations (for example, when starting the server from the system boot scripts). You can skip entering values for any extra attribute by hitting the "enter" button.

    ...
    Enter the following 'extra' attributes to be sent with your certificate request
    A challenge password []:
    An optional company name []:

After finalizing the attributes, the private key and CSR will be saved to your root directory.

Important: If you make a mistake when running the OpenSSL command, you may discard the generated files and run the command again. After successfully generating your key and Certificate Signing Request, be sure to guard your private key, as it cannot be re-generated.

2. Send CSR to your signing authority.

You now need to send your unsigned CSR to a Certifying Authority (CA). Once the CSR has been signed, you have a real Certificate.
Follow the key provider's instructions to generate and submit both your private key and the Certificate Signing Request (CSR) to acquire the certificate.

Important: Some Certificate Authorities provide a Certificate Signing Request generation tool on their Website. Check with your CA for additional information.

At this point, you may need to generate a self-signed certificate because:

You don't plan on having your certificate signed by a CA.
You wish to test your new SSL implementation while the CA is signing your certificate.

For information on how to generate a self-signed certificate for temporary use, see Generating a New Self-Signed SSL Certificate.

3. Store your certificates on your machine. For example:

    ~/my_server.crt
    ~/my_server.key

Your certificate provider may require you to also install an Intermediate CA Certificate file. Copy the file to the following location:

    /opt/aspera/common/apache/conf/server-ca.crt

4. Install the SSL certificate with the following command:

    $ asctl apache:install_ssl_cert cert_file key_file [chain_file]

For example:

    $ asctl apache:install_ssl_cert ~/my_server.crt ~/my_server.key /opt/aspera/common/apache/conf/server-ca.crt

You can find the installed certificate at the following location:

    /opt/aspera/common/apache/conf/server.crt
    /opt/aspera/common/apache/conf/server.key

5. Rename the certificate files provided with Shares.

Locate the original cert.pem and cert.key files in /opt/aspera/shares/etc/nginx. Rename them as follows:

    # cd /opt/aspera/shares/etc/nginx
    # mv cert.pem cert.pem.orig
    # mv cert.key cert.key.orig

6. After receiving your signed certificate from your CA, if the CA requires a bundle or intermediate certificate, you need to concatenate the certificates for them to work with nginx. Bundle your intermediate certificate with your primary certificate.

    # cat your_domain_name.crt DigiCertCA.crt >> cert.pem

7. Copy your new SSL cert files to /opt/aspera/shares/etc/nginx. If the files are named differently, rename the cert file cert.pem and rename the key file cert.key.

8. Restart the web service. Restart nginx as follows:

    # /opt/aspera/shares/sbin/sv restart nginx

Generating a New Self-Signed SSL Certificate

You may need to generate a self-signed certificate because:

You don't plan on having your certificate signed by a CA.
You wish to test your new SSL implementation while the CA is signing your certificate.

Generate a self-signed certificate using OpenSSL. This temporary certificate will generate an error in the client's browser that warns the client that the signing certificate authority is unknown and not trusted.
To generate a temporary certificate (which is good for 365 days), run the following command:

    # openssl x509 -req -days 365 -in csr_name.csr -signkey key_name.key -out cert_name.crt

Regenerating Self-Signed SSL Certificate (Apache)

When you initially set up Console on your system, a pregenerated, self-signed SSL certificate is also installed. If you have changed your Apache hostname, regenerate the self-signed certificate by following the instructions below.

1. Open a terminal window and run the asctl command.

In a terminal window, run the following command to generate a new, self-signed SSL certificate for your installation of Aspera Console (where you will replace the HOSTNAME with your Apache server's IP address or host name):

    $ asctl apache:make_ssl_cert HOSTNAME

Answer yes when prompted to overwrite the existing certificate.

2. Confirm that your certificates are updated.

Check the following location to confirm your self-signed SSL certificates have been updated:

    /opt/aspera/common/apache/conf/server.crt
    /opt/aspera/common/apache/conf/server.key

Working with Shares and Directory Services

Console and Shares on Same Machine

Important: This topic assumes that you have already installed IBM Aspera Shares. If you have not installed Shares yet, please see the IBM Aspera Shares Administrator's Guide.

If you installed Console on the same machine as Shares, you must update the host and port settings in Shares' database.yml file. Your database.yml file can be found in the following directory:

    /opt/aspera/shares/u/shares/config/database.yml

Open database.yml with a text editor and perform the following modifications:

Comment out the socket location.
Change the host to
Change the TCP port to

After performing these modifications, your database.yml file should look similar to the example below.

    production:
      adapter: mysql2
      encoding: utf8
      reconnect: false
      database: web_production
      pool: 5
      username: admin
      password: v00d00
      # socket: /tmp/mysql.sock
      # socket: /var/lib/mysql/mysql.sock
      host:
      port: 4406

Configuring the Directory Service

Important: You must install IBM Aspera Shares locally or on a remote host before you can configure a directory service. For information on installing the latest version of Shares, please review the Administrator's Guide.
Before continuing, please ensure that the following prerequisites have been satisfied: Shares is installed locally or on a remote host: For instructions on how to install Shares on the same machine as Console, see Console and Shares on Same Machine.

Console is installed on the same machine as Shares: Configure your Shares web server to use a non-standard HTTPS port (for example, 8443, rather than 443). See the Shares Administrator's Guide (the "Setting up Shares" topic).
Console is installed on the same machine as Shares: Configure your Shares database with the correct host and port settings. For more information, see Working with Shares and Directory Services.

1. Go to Accounts > Directories from the Console menu.

2. Select Remote Authentication to enable remote authentication so that Console can access the groups and users on your Shares server.

3. Enter the base URL. Shares users and groups are authenticated through this Node API base URL. The standard base URL is

Note: Because you must use HTTPS to connect to your Shares directory service, ensure that your Node API base URL uses HTTPS, rather than HTTP.

4. Enter the Shares Node API user credentials.

5. Click Save and test settings.

Once the directory service is successfully connected, you can add remote users and remote groups by going to Users > Groups. For more information, see Adding Remote Users and Adding Remote Groups.

Adding Remote Users

1. Go to the Users menu. Click Add Remote User.

Note: The Add Remote User button does not appear if you have not configured the directory service.

2. Enter the full or partial name of an existing remote user. Click Search.

3. Once your search results appear, select the remote user by clicking Add.

4. Configure the remote user's Console permissions and assign the user to a group.

Adding Remote Groups

1. Go to Groups. Click Add Remote Group.

Note: The Add Remote User button does not appear if you have not configured the directory service.

2. Enter the full or partial name of an existing remote user. Click Search.

Note: Console does not find remote groups that start with a backslash ( \ ) or an asterisk ( * ). Avoid naming groups that start with these characters.

3. Once your search results appear, select the remote group by clicking Add.

4. Configure the remote group's transfer paths and members.

Backing Up Console Database

Back Up Console with asctl

There are two different ways to back up the Console database:

1. Through the asctl command, which backs up only the MySQL database. Use this method before a Console upgrade procedure, or to guard against possible database corruption.

2. Through the Console web UI, which backs up the MySQL database in addition to all the files required to fully restore the Console application. Use this method for disaster recovery purposes, in order to restore Console when the entire server is lost.

Back up Console's database using the following asctl command in a Terminal:

    $ asctl -v console:backup_database

This command uses mysqldump to create Console's MySQL database backup. The backup file, aspera_console.sql, is saved in the following directory: /opt/aspera/console/backup/<year-month-day_time>

For instructions on restoring your Console database, see Restoring the Console Database.

Backing Up Console with the Web UI

There are two different ways to back up the Console database:

1. Through the asctl command, which backs up only the MySQL database. Use this method before a Console upgrade procedure, or to guard against possible database corruption.

2. Through the Console web UI, which backs up the MySQL database in addition to all the files required to fully restore the Console application. Use this method for disaster recovery purposes, in order to restore Console when the entire server is lost.

1. Select Configuration > Database from the Console menu. Click Back Up.

2. Enter the desired path of the Console machine into the Save to field. This path is the destination folder for the console_full_backup_yyyy-mm-dd_hhmmss backup file.

3. Schedule the backup to Run Now or to Run Later.

Click Run now: Back up the database immediately.
Click Run later: Specify a time in the future or configure a repeating backup operation.

4. Click Back Up Now.

Once Console has been backed up, the backup file appears on the Database Backups page, where scheduled, current, and recent backups are listed. To view details on a particular backup, click anywhere in the backup's row.

Restoring the Console Database

You can restore any backup of a Console database as long as you have access to the backup file.

1. Stop Console.

    $ asctl console:stop

2. Restore the Console database.
If you made a backup of the Console database with the asctl command, you can restore it with the following command:

    $ asctl -v console:restore_database /path/to/dir

For example:

    $ asctl -v console:restore_database /opt/aspera/console/ backup/ _

If you made a backup of the Console database with the web UI, you can restore it with the following command:

    $ asctl -v console:restore /absolute/path/to/dir

For example:

    $ asctl -v console:restore /tmp/ console_full_backup_ _ _utc

Important: The restore command does not support relative paths to the backup directory. The path must be an absolute path in order for the restore command to work.

3. Start Console.

    $ asctl console:start

Backing Up the Current Console Configuration

If you need to revert to a previous configuration of Console or want to upload a preset configuration file to a new Console, follow these instructions to back up and restore your Console configurations.

Note: This Console backup will not back up the following files:

Node users
SSL certificates

1. Stop Console background processes. Go to Configuration > Background from the Console menu and stop the background processes.

2. Back up SSH keys. Back up the following directory: /root/.ssh.

3. Back up node users.

    # /opt/aspera/bin/asnodeadmin --backup=/backup/api-xfer-mapping

4. Back up SSL Certificates.

Note: This step is only applicable if you have purchased SSL certificates and IBM Aspera Shares is installed on your machines.

    # cp /opt/aspera/shares/conf/cert.key /backup/cert.key
    # cp /opt/aspera/shares/conf/cert.pem /backup/cert.pem

5. Navigate to Configuration > Save/Restore and select Download Current Configuration.

Important: If you use the Safari web browser, you need to make sure the Open "safe" files after downloading option is unchecked in Safari's general settings, before downloading the backup file. Otherwise, the file will be downloaded as a .tar file, rather than a .tar.gz file, and will not work when the user attempts to restore the server with this file.

6. Restart Console background processes from Configuration > Background.

To restore Console to a saved configuration, see Restoring the Current Console Configuration.

Restoring the Current Console Configuration

1. Stop Console background processes. Go to Configuration > Background from the Console menu and stop the background processes.

2. Navigate to the Configuration > Save/Restore tab, upload a saved configuration file from your computer, and select Restore.

3. Restore your SSH key directory to the following location: /root/.ssh.

4. Restore node users.

    # /opt/aspera/bin/asnodeadmin --restore=/backup/api-xfer-mapping

5. Restart the Aspera NodeD service.

    # service asperanoded restart

6. Restart Console background processes from Configuration > Background.
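Both the SSH key walkthrough earlier (chmod 600 on the private key, 644 on the public key) and the backup steps above (copies of /root/.ssh, cert.key and cert.pem under /backup) leave private key material on disk. The following Python check is an added example, not part of Console or asctl: it walks a directory and reports private keys accessible beyond their owner and public-key files writable by group or others. The sample tree it builds is constructed and contains no real key data; the finding labels are hypothetical names.

```python
import os
import re
import stat
import tempfile

# PEM/OpenSSH private key header, e.g. "-----BEGIN RSA PRIVATE KEY-----".
KEY_HEADER = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")

# Constructed sample files: relative path -> (content, mode).
SAMPLE = {
    ".ssh/id_rsa": (b"-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n"
                    b"-----END OPENSSH PRIVATE KEY-----\n", 0o644),
    ".ssh/id_rsa.pub": (b"ssh-rsa CONSTRUCTED user_a@node_a\n", 0o644),
    ".ssh/authorized_keys": (b"ssh-rsa CONSTRUCTED user_a@node_a\n", 0o666),
    "backup/cert.key": (b"-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n"
                        b"-----END RSA PRIVATE KEY-----\n", 0o600),
    "backup/cert.pem": (b"-----BEGIN CERTIFICATE-----\n(constructed)\n"
                        b"-----END CERTIFICATE-----\n", 0o644),
}


def make_sample_tree(root):
    """Write the constructed sample files under root with the listed modes."""
    for rel, (content, mode) in SAMPLE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(content)
        os.chmod(path, mode)


def contains_private_key(path):
    """True if the first 1 MiB of the file holds a private key header."""
    try:
        with open(path, "rb") as handle:
            return KEY_HEADER.search(handle.read(1 << 20)) is not None
    except OSError:
        return False  # unreadable by the auditing user; nothing to classify


def audit_key_files(root):
    """Return sorted (relative path, octal mode, finding) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            info = os.lstat(path)
            if not stat.S_ISREG(info.st_mode):
                continue  # skip symlinks, sockets and devices
            mode = stat.S_IMODE(info.st_mode)
            rel = os.path.relpath(path, root)
            if contains_private_key(path):
                # Any group/other permission bit exposes the key (expect 600).
                if mode & 0o077:
                    findings.append((rel, f"{mode:03o}", "private-key-exposed"))
            elif name == "authorized_keys" or name.endswith(".pub"):
                # Readable is fine (644); writable by group/other is not.
                if mode & 0o022:
                    findings.append((rel, f"{mode:03o}", "public-file-writable"))
    return sorted(findings)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo_root:
        make_sample_tree(demo_root)
        for finding in audit_key_files(demo_root):
            print(*finding)
```

To check a real host, call audit_key_files on the SSH key directory or the backup destination as a user who can read the files.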

Managing the MySQL Database

Configure MySQL Settings

You may want to modify the MySQL settings for security or management purposes.

Change the Database root Login Password

The MySQL database root account's password is set during the setup process. For security reasons, it is recommended to update the password. Use the following command to change the password. Enter the new and old password when prompted:

    $ asctl mysql:set_root_password

Change the MySQL Port

By default, Console's MySQL uses TCP port Use the following command to change it.

    $ asctl mysql:port 1234

If MySQL's port number is changed, you will need to provide the updated Console settings to all the nodes, and reflect the new settings in all the nodes' aspera.conf files.

Running MySQL on a Separate Machine

After you have installed Console, you can further configure it to run the MySQL database on a remote machine. Follow these steps to run the web application and the MySQL database on two separate machines:

Note: This setup procedure involves steps on the Console machine and the MySQL machine. A MySQL machine or Console machine is indicated at each step.

1. (MySQL machine) Download and install common files only.

On the MySQL machine, download Aspera Common Files and run it with the following command:

    $ rpm -Uvh aspera-common-version.rpm

2. (MySQL machine) Set up the MySQL database.

On the MySQL machine, execute this command to configure MySQL:

    asctl mysql:setup

When started, the configuration program will ask you to use streamlined or detailed setup. Expect the following setup items in each setup method: (In detailed setup, answer y in the first question.)

Item Streamlined X MySQL will run on this machine (y/n)? (default: y) What port would you like MySQL to listen on? (default: 4406) X X X Where would you like MySQL to store data: (default: C:/Program files/ Common Files/Aspera/Common/myql/data) MySQL will need to start/restart during configuration. Continue (y/n)?
(Current: y) Detailed X X Lastly, a setup summary shows your settings. Enter y to confirm, n to change settings, or x to quit the program without saving.

When finished, execute this command to allow access for the Console machine. Replace the highlighted items to match your configuration (Enter the Console machine's address in <Console_server_IP>, and your MySQL password in <mysql_password>):

    asctl mysql:grant_remote_access <Console_server_IP> root <mysql_password>

3. (Console machine) Configure Console to use a remote MySQL database.

On the Console machine, execute this command to configure it to run MySQL on a remote machine:

    $ asctl console:setup

Answer n to the following question:

    MySQL will run on this machine (y/n)? (default: y)

Purging Data from Console

You can archive or purge data from Console (for example, purge all sessions before January 1, 2000) by clicking the Purge button from the Database Backups page and completing the fields.

1. Schedule Console to purge the data now or at a later date.

Run now: Back up the database immediately.
Run later: Specify a time in the future or configure a repeating purge operation.

2. Select time frame of data to purge. Choose the date by entering a number and selecting day, week, or month from the drop-down menu. Make sure the automatically updated date displayed next to the drop-down menu is the desired day before proceeding.

3. Choose the type of transfers to include. Select All closed transfers or choose from the following list:

All successful transfers
All cancelled transfers
All error transfers
All inactive transfers
All zero-byte transfers

4. Save the data being purged for archiving purposes. Select Save data being purged? and enter the desired absolute path into the Save to field (for example, /tmp/data or D:\data\). The purged data will then be stored in the file purged_data.sql in the directory: [absolute path]/console_purge_yyyy-mm-dd_hhmmss/.

Tip: Saved purged data can be restored by following the instructions in Restoring Purged Data.

5. When finished, click the Purge Now or Schedule Purge button (depending on whether you selected Run now or Run later above).

Restoring Purged Data

To restore purged data, you can run a MySQL data import (as shown below). It may be necessary to provide a full path to the MySQL binary. For example, the full path to the command is /opt/aspera/common/mysql/bin/mysql.

    # asctl console:stop
    # cd /opt/aspera/common/mysql/bin
    # ./mysql -uusername -ppassword aspera_console < /path/to/purged_data.sql
    # asctl console:start

Troubleshooting Console

Updating your Console License

IBM Aspera Console requires a valid license key before you can configure users and send or receive packages. If your Console license has expired or cannot be found, the Console login screen displays the following message:

An administrator must update the license before any other usage of Console is allowed for any user, including the administrator. The license can be updated in the Console web UI or by running a rake task on the computer where Console is installed.

From the GUI:

1. Log in with an administrator account and go to Configuration > License.

2. Click Upload a license file or paste the license text into the text window.

3. Click Save.

From the Command Line (Rake task):

1. Set the license text as an environment variable.

    # export LICENSE_TEXT='<ASPERA_LICENSE> <DETAILS expiration_date=... </KEY> </ASPERA_LICENSE>'

In this example, only part of the license text is shown. You must paste the entire license text for the license to be valid.

2. Update the Aspera license:

    # asctl console:rake aspera:update_license

Restart Console Services

If Console is not working properly, it is recommended you restart the Console service utilizing the asctl command, so that Apache and MySQL continue to run uninterrupted. If the Console server's MySQL service is stopped, then Aspera Central will need to be restarted on all nodes to re-establish a connection.

Console installs the following services on your Linux system:

Service | Description
Apache HTTPD Server (Aspera) | Apache Server for Aspera Console.
Aspera Console | Aspera Console main application.
MySQL Server (Aspera) | MySQL Database for Aspera Console.

Right-click any of these services and select Restart from the menu.

Execute the following asctl command to restart Console (while keeping Apache and MySQL running):

    $ asctl console:restart

For more asctl commands, see asctl Command Reference.

Resetting Console Admin Password

To reset Console's administrator password, execute the following asctl command in a Terminal, replacing name with your existing admin login, with the current admin password, and password with the new admin password:

    $ asctl console:admin_user name password

Log Files

Console's log files are located in the following directories:

OS Version | Path
Linux | Console: /opt/aspera/console/log/
      | asctl: /opt/aspera/common/asctl/asctl.log
      | MySQL: /opt/aspera/common/mysql/data/mysqld.log
      | Apache: /opt/aspera/common/apache/logs/

In Console's Apache HTTP server logs directory, you will find the following files:

access_log
error_log
ssl_access_log
ssl_error_log
ssl_request_log

Important: All Apache logs are, by default, rotated by size (defaulting to 10MB files and only retaining the last 10 rotated logs).

httpd_template_linux.conf
/opt/aspera/common/apache/conf/httpd_template_linux.conf

ErrorLog "|${log_path}bin/asrotatelogs ${log_path}logs/error_log 10M 10"
CustomLog "|${log_path}bin/asrotatelogs ${log_path}logs/access_log 10M 10" common

httpd-ssl_template.conf (/opt/aspera/common/apache/conf/extra/httpd-ssl_template.conf):

ErrorLog "|${log_path}bin/asrotatelogs ${log_path}logs/ssl_error_log 10M 10"
TransferLog "|${log_path}bin/asrotatelogs ${log_path}logs/ssl_access_log 10M 10"
CustomLog "|${log_path}bin/asrotatelogs ${log_path}logs/ssl_request_log 10M 10" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

You can further configure Console's Apache log settings by running the following commands in a Terminal:

Setting | Command
Specify an Apache log level (for example, error level) | $ asctl apache:log_level error
Enable Apache log (set to notice) | $ asctl apache:enable_logs
Disable Apache log (set to emerg level) | $ asctl apache:disable_logs

Locate Configuration Files

Important: Aspera recommends that you DO NOT modify Console's configuration files manually. Instead, use the asctl command. For additional information on using asctl commands, see the topic asctl Command Reference.

Console's configuration files are listed below. If you plan to modify these files, Aspera encourages backing up Console through the GUI or by using the asctl command. The asctl command is limited to backing up the Console database, while the GUI backs up the database, as well as all files required to fully restore the system. For instructions on backing up Console through the GUI, please see Backing Up Console with the Web UI. To back up Console's database using the asctl command, please see Back Up Console with asctl.
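Returning to the ssl_request_log format defined in httpd-ssl_template.conf above: it records the negotiated protocol and cipher for every HTTPS request, so it is the quickest place to find clients that still negotiate legacy TLS. The Python sketch below is an added example, not part of the Aspera documentation; the sample lines, client addresses, request paths, and the legacy-protocol and weak-cipher lists are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Mirrors the CustomLog format string from httpd-ssl_template.conf:
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<protocol>\S+) (?P<cipher>\S+) '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<bytes>\d+|-)$'
)

# Assumption: what counts as "legacy" or "weak" is a local policy decision.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")

# Constructed sample lines (documentation-range addresses, made-up paths).
SAMPLE_LOG = '''\
[23/Aug/2017:10:21:04 +0000] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /aspera/console/ HTTP/1.1" 5120
[23/Aug/2017:10:21:09 +0000] 198.51.100.7 TLSv1 DES-CBC3-SHA "GET /aspera/console/login HTTP/1.1" 2311
[23/Aug/2017:10:22:40 +0000] 203.0.113.44 SSLv3 RC4-SHA "POST /aspera/console/login HTTP/1.0" -
[23/Aug/2017:10:23:02 +0000] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /aspera/console/dashboard HTTP/1.1" 18433
truncated line without the expected fields
'''


def parse_line(line):
    """Return one ssl_request_log record as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    # %b logs "-" when no response body was sent.
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def weaknesses(rec):
    """List the reasons a record's TLS parameters fall short of local policy."""
    reasons = []
    if rec["protocol"] in LEGACY_PROTOCOLS:
        reasons.append("legacy protocol " + rec["protocol"])
    if any(marker in rec["cipher"] for marker in WEAK_CIPHER_MARKERS):
        reasons.append("weak cipher " + rec["cipher"])
    return reasons


def audit(lines):
    """Summarise protocol use and flag clients per host; count unparsable lines."""
    protocols = Counter()
    flagged = {}
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            # Rotation or a crash can leave partial lines; count, do not guess.
            unparsed += 1
            continue
        protocols[rec["protocol"]] += 1
        for reason in weaknesses(rec):
            flagged.setdefault(rec["host"], set()).add(reason)
    return {
        "protocols": dict(protocols),
        "flagged": {host: sorted(r) for host, r in flagged.items()},
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG.splitlines())
    for host, reasons in sorted(report["flagged"].items()):
        print(host, "->", "; ".join(reasons))
    print("protocol counts:", report["protocols"])
    print("unparsed lines:", report["unparsed"])
```

Because only the last 10 rotated files of 10MB each are retained by default, run a check like this on a schedule or ship the log elsewhere if the history matters.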
Component | Configuration File Path
Apache | /opt/aspera/console/config/console.apache.conf
MySQL | /opt/aspera/common/mysql/my.cnf
Console | /opt/aspera/console/config/*.yml

Appendix

Configuring Console Defaults

The Console Defaults configuration page lets you set up system defaults for Console (such as IP address and SSH timeout), as well as defaults for transfers (target rate, minimum rate, bandwidth policy, and so on) and login security. To access the Console and Transfer Defaults configuration page, select Configuration > Defaults from the Console menu.

Console Defaults

Item | Description
Console database IP address | Enter the Console database IP address.
Warn when database free space less than | The space watcher background job warns you when available space drops below the set number of gigabytes. Set to zero to disable space watcher warnings.
Skip non-error transfers older than | If a submitted transfer doesn't start after the specified number of minutes, then flag it as having an error.
Mongrel Timeout | Enter the number of seconds to wait for a response when testing mongrels.
Node Polling Timeout | Enter the number of seconds the SOAP Poller background process waits for a response when testing a node.
Mark Inactive Timeout | Enter the number of seconds Console waits before marking a session as inactive.
File Browsing Timeout | Enter the number of seconds to wait for a response from a node when browsing file lists (over and above the SSH timeout to connect).
File Browsing Max Items | Enter the maximum number of items to retrieve from a node when browsing file lists.
Default SSH Encryption | Select the default SSH encryption algorithm for non-console nodes. Note: Console presents this algorithm as the standard, but you can change the algorithm when adding a new node.
Remote Login Connection Timeout | Enter the number of seconds Console waits before timing out when establishing a connection to a remote server.
Remote Login Response Timeout | Enter the number of seconds Console waits before timing out when waiting for the remote server's response.
SSH Timeout | Enter the timeout value in seconds for the SSH connection.
SSH Tunnel Start Port | Start assigning SSH tunnel ports at the specified port number.
Advanced Search Timeout | Enter the timeout value in seconds before advanced search returns current results.
Notification Delay | Enter the number of seconds to wait after initiating a transfer before producing notifications.
Total Bandwidth Graph | Select this option to track total bandwidth usage across all nodes on the Dashboard graph.
Advanced File Search | Select this option to allow users to search the entire database for filenames when using advanced search. Note: This may slow down Console if your database contains a large number of files.
Recipients | Select this option to allow recipients to see each other's addresses.
Session notifications | Select this option to allow non-admins to access the session notifications page.
Smart Transfer Start Permissions | Select this option to allow users whose transfer path includes "Any" or addresses without a username to start any matching smart transfer that is shared and uses nonpersonal endpoints. For example, usera is authorized to use a transfer path that has one endpoint set to and the other set to "Any". If userb's shared smart transfer is set up with non-personal endpoints on (source) and (destination), it will appear in usera's smart transfers list and can be started by usera.

Item | Description
Smart Transfer Sharing | Select this option to allow users to share smart transfers with personal logins.
Smart Transfer Editing | Select this option to allow administrators to edit each other's smart transfers.
Failover / Load balancing Behavior | Select Failover + Load balancing for Console to use the least busy node(s) first. For more information, see Configure Failover Groups.
Watchfolders | Enable the watchfolder feature in Console.
Watchfolders per page | Configure the number of watch folders to display per page when browsing configured watch folders.
Proxy | Select this option to turn on the proxy. This feature enables Console to remotely browse nodes when Console is prohibited from making SSH connections to public IP addresses.
Proxy: Address | Enter the IP address of the proxy.
Proxy: Port | Enter the port number for the proxy.
Proxy: Use SSL | Select this option to use SSL with your proxy.
Proxy: Login | Enter the login for the proxy user.
Proxy: Password | Enter the password for the proxy user.

Transfer Defaults

Item | Description
Target Rate | Set the default target rate.
Minimum Rate | Set the minimum rate.
Bandwidth Policy | Set the default transfer policy (choose among low, high, fair, and fixed).
Max. Retry Attempts | Set the maximum retry attempts.
Retry Interval | Set the retry interval in seconds.
Transport Encryption | Select between not-encrypted or aes-128 encryption.
File Compare Type | Select a file comparison type to verify transferred files.
File Overwrite Policy | Select an overwrite policy.

Report Generation

Item | Description
Retention Period | The number of days to keep generated reports before deleting them automatically.
Maximum Attachment Size | The maximum size in megabytes of CSV/XLSX files that may be sent by email. (Generated files can still be downloaded from the Reports page.)
File Maximum Data Length | The maximum size in megabytes of the result table for which CSV/XLSX files may be generated. (CSV/XLSX files are not generated if the result table is larger than this.) This setting is useful for preventing Console from trying to convert a giant data set into a file and running out of disk space.
Maximum XLS file rows | The maximum number of rows allowed for generated XLS files.

Security

Item | Description
Session Timeout | Sessions will time out after the specified number of minutes of inactivity.
Deactivate Users | Deactivate a Console user if there have been "X" failed login attempts within "X" minutes.
Prevent concurrent login | If this checkbox is enabled, users can only be logged in from one client at a time.
Suppress logging of transfer tokens | Select this option to suppress tokens from being written to the database. Existing tokens already in the database are unaffected. Note: After enabling this feature, you may experience some lag before the setting takes effect if a request is already in progress and the node is taking a long time to reply.

Console Password Options

Item | Description
Password Expiration | Select this option to expire number of days
Password Duration | Enter the number of days before passwords expire. Setting the value to 0 will disable this feature.
Password Reuse Limit | Enter the number of passwords users need to go through before they can reuse an old password. Setting the value to 0 disables this feature.
Password Requirement Regular Expression | Enter a regular expression to specify password requirements. Leave blank to set no requirements. Note: You can select the Restore Default link to reset the password requirement to the following: "Passwords must be at least six characters long, with at least one letter, one number, and one symbol."
Password Requirement Message | Set a message describing the password requirements for users setting a new password.

Empty sessions (successfully completed with 0 bytes transferred)

Item | Description
Leave in database | Log no-transfer sessions in the database.
Delete if hot folder | Delete no-transfer sessions that are hot folder sessions.
Delete all | Delete all no-transfer sessions.

Understanding Space Watcher

Space watcher is a background process that checks the amount of free space in the database and gives warning when space is running low.
Space Watcher Functionality

Once a minute, space watcher runs a ls or dir command, then writes the free space in bytes to a table named aspera_db_disk_space_free. The exact command it executes is:

df -k -P "aspera_console_db_directory_path"

It only writes one record, always with "id=1". The aspera_db_disk_space_free table will never have more than one record in it. This table only has three fields:

Field | Value
id | Always equal to 1.
bytes_free | BIGINT, max value = , which is approximately 8191 petabytes
last_reported_at | The time space watcher last stored an entry in the table.

If the process fails to figure out free space for any reason or fails to connect to MySQL, it does nothing and logs nothing. Successful or not, it then closes its connection and then sleeps for a minute before repeating the process.

Space Watcher Messages in Console

Unless warnings have been disabled (by setting the warning threshold to zero), Console checks the aspera_db_disk_space_free table when rendering a page. If it sees that there are no records in the table, or that it has been longer than 10 minutes since space watcher last reported, Console displays the following message at the top of the page: "WARNING: No recent data from database free space watcher". If the last entry is recent (within 10 minutes) but the number of free bytes is less than the configured warning level (default: 10 gigabytes), it shows a message such as the following: "WARNING: Database free space low (7.5 GB remaining)".

Working with Tags

Tags in Aspera products are JSON (JavaScript Object Notation) strings. Console uses tags to identify transfers and to label Console-initiated transfers. You can find a specific transfer's tags by navigating to a transfer's Session Details page and selecting the Session ID link under the Session State column.

Tags are used in the following tasks:
Creating simple transfers.
Creating and starting smart transfers.
Creating advanced rulesets to filter by tags.
Creating custom fields with rules involving tags.
Searching using the Advanced Search.
The JSON Match Comparison Operator

Console includes a JSON match operator in the Custom Fields and Advanced Rulesets features, which provides a simple syntax for matching JSON-formatted tags included in Aspera transfers. Below are examples of transfer tags in Console and Faspex transfers and instructions for matching them using the JSON match operator.

Console Transfers

A Console transfer is defined as any transfer initiated by Console using simple or smart transfers. Tags can be specified in both simple and smart transfers. A Console transfer tag is formatted in the following way:

{"aspera": {"console": {"user_specified": {"key1":"val1",, "key3":"val3"} } } }

An example of a corresponding JSON match value is shown below:

[aspera][console][user_specified][key1]val1
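A minimal matcher for the JSON match syntax described above, as an added Python example. It is not Console's implementation: the parsing rules, the use of unanchored regex search, the handling of non-string values, and the sample tags are assumptions made for illustration. It also covers the regular-expression form this section goes on to describe, and shows why a regex in a key position can miss a value that a literal key would find.

```python
import json
import re

# One bracketed path segment, e.g. "[aspera]". Assumption: keys contain no "]".
SEGMENT_RE = re.compile(r"\[([^\]]*)\]")

# Constructed sample tags in the two layouts the page describes.
CONSOLE_TAG = '{"aspera": {"console": {"user_specified": {"key1": "val1", "key3": "val3"}}}}'
FASPEX_TAG = '{"aspera": {"faspex": {"note": "", "key1": "val1"}}}'


def parse_match(expr):
    """Split '[a][b][c]value' into (['a', 'b', 'c'], 'value')."""
    keys, pos = [], 0
    while True:
        m = SEGMENT_RE.match(expr, pos)
        if m is None:
            break
        keys.append(m.group(1))
        pos = m.end()
    if not keys:
        raise ValueError("a JSON match needs at least one [key] segment")
    return keys, expr[pos:]


def _tester(token):
    """Return a predicate for one token: /regex/ between slashes, else a literal."""
    if len(token) >= 2 and token.startswith("/") and token.endswith("/"):
        pattern = re.compile(token[1:-1])
        # Assumption: unanchored search, so anchor with ^ and $ when exactness matters.
        return lambda text: pattern.search(text) is not None
    return lambda text: text == token


def json_match(tags, expr):
    """True if the JSON tag string satisfies the match expression."""
    keys, value = parse_match(expr)
    try:
        node = json.loads(tags)
    except (TypeError, ValueError):
        return False  # malformed or missing tags never match
    for key in keys:
        if not isinstance(node, dict):
            return False
        accepts = _tester(key)
        # Only the FIRST key that satisfies the token is followed, with no
        # backtracking. This reproduces the caveat about regexes in keys.
        hit = next((name for name in node if accepts(name)), None)
        if hit is None:
            return False
        node = node[hit]
    # Assumption: non-string leaves are compared through their JSON text.
    text = node if isinstance(node, str) else json.dumps(node)
    return _tester(value)(text)


if __name__ == "__main__":
    checks = [
        (CONSOLE_TAG, "[aspera][console][user_specified][key1]val1"),
        (FASPEX_TAG, "[aspera][faspex][key1]val1"),
        (FASPEX_TAG, r"[aspera][faspex][key1]/^val\d$/"),
        # Regex key: stops at "note" (empty value) and never looks at key1.
        (FASPEX_TAG, "[aspera][faspex][/.+/]/.+/"),
    ]
    for tags, expr in checks:
        print(expr, "->", json_match(tags, expr))
```

The last check returns False even though key1 holds a non-empty value, which is the failure mode to expect when a rule or custom field relies on a regex key.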

Faspex Transfer

A Faspex Transfer is any transfer initiated by Faspex. A Faspex transfer tag is formatted in the following way:

{"aspera": {"faspex": { "key1":"val1",, "key3":"val3"} } }

The corresponding JSON match value is shown below:

[aspera][faspex][key1]val1

Note: It is recommended to use the Faspex Metadata filter for Faspex transfers instead. See Basic Report Example: Faspex Metadata for more information on Faspex Metadata.

Regular Expressions in JSON Matches

You can also use regular expressions in a JSON match. Define the regular expression using forward slashes ( / ) like in the example below:

[aspera][console][user_specified]/+./

Important: Aspera advises against using regular expressions in keys, because the result will be the first value that matches the regular expression. In the example below, Console will return the first Faspex transfer it hits without backtracking to check for other transfers that meet the requirements.

[aspera][faspex][/+./]/.+/

Configure Background Processes

The Background Processes configuration page displays all Console processes and allows you to perform the following tasks:
View a process log
Edit a process
Stop a process (although this is not available for all processes)
Restart a process (although this is not available for all processes)

To access the Background Processes page, select Configuration > Background from the Console menu. The following background processes can be accessed from the table:
Controller
Mongrel Manager
Database Ingest
Session Data Collector
Node Info Collector
File Data Collector
Data Canonicalizer
Custom Field
Database Utility
Transfer Initiator
Report

To modify the settings for a given process, click the edit link in the corresponding table row. After clicking edit, the Editing Background Process page appears, along with the following options:

Options | Description
Startup type | Select the way that the background process starts (that is, manually or automatically) or disable the process from starting altogether.
Log level | Select the preferred level of logging to control the verbosity of the log file output. Choose debug, info, warn, error or fatal.
Batch Size | (Not available for all processes) Input the number of rows to process each work interval.
Daily restart time (HH:MM) | (Not available for all processes) Input the time of day to restart the process in 24-hour time, UTC. Leave blank for no auto-restart.
Sleep Interval | Input the sleep interval time in seconds.
Maximum Startup Interval | Input a time (in seconds) that must elapse before the given process is assumed to be hanging.
Maximum Heartbeat Interval | Input a time (in seconds) that must elapse between heartbeats before the given process is assumed to be hanging.

Configure the Apache HTTP Server

You may configure Console's Apache HTTP Server to use a different host name, communication port, and namespace using asctl commands.

Change the Number of Mongrel servers

By default, Console opens four mongrel servers. To change it, for example, from the default (4) to 10, use the following command:

$ asctl console:mongrel_count 10

Update the Hostname

During the installation, you should have configured the Console's hostname. Use this command to print the current hostname:

$ asctl apache:hostname

To change the hostname, use the following command. Replace HOSTNAME with the new hostname:

$ asctl apache:hostname HOSTNAME

Important: When changing the hostname, the server's SSL certificate should be regenerated. Select (y) when prompted to generate a new SSL certificate.

When the hostname is updated, advise your clients of the new URL. In this example, use the following address:

Change HTTP and HTTPS ports

By default, Console's web servers are running on TCP/80 (HTTP) and TCP/443 (HTTPS). Use the following commands to update these ports (where, in this example, we use TCP/7080 for HTTP and TCP/7443 for HTTPS):

Item | Command
HTTP | $ asctl apache:http_port 7080
HTTPS | $ asctl apache:https_port 7443

Change Console namespace

Console uses the namespace /aspera/console by default. Use this command to print the current namespace:

$ asctl console:uri_namespace

To set the namespace to, for example, /console, use the following command:

$ asctl console:uri_namespace /console

When the namespace is updated, advise your client of the new URL. For example, if your Console server's address is , use this URL:

Note: Refer to asctl Command Reference for a complete asctl command reference.

asctl Command Reference

You can use asctl commands in a Terminal window to display or modify IBM Aspera Console's component settings. Console configuration options that can be modified using asctl are listed below. If there are modifications that cannot be accomplished with asctl, notify Aspera Support.

Component | Description
Apache | Apache web server.
Console | Console main application.
MySQL | MySQL database.

All components commands

Important: The commands in this section control all Console components.

Task | Command | Description
Show config info | asctl all:info | Print info about all components.
Restart all components | asctl all:restart | Restart all components.
Setup status | asctl all:setup_status | Information about configuring all components.
Start | asctl all:start | Start all components.
Show status | asctl all:status | Display the status of each component.

Task | Command | Description
Stop | asctl all:stop | Stop all components.
Show version | asctl all:version | Display the current version of each component.

Apache

Task | Command | Additional Information
Create a setup file | asctl apache:create_setup_file file | Create a reusable file that contains answers to the setup questions. Replace file with a file name.
Disable Apache | asctl apache:disable | Disable the Aspera Apache server. When disabled, the service will not start when rebooting computer, does not print reminders or update its configurations.
Disable Apache logs | asctl apache:disable_logs | Set the Apache's log level to 'emerg'.
Enable Apache logs | asctl apache:enable_logs | Set the Apache's log level to 'notice'.
Re-generate conf | asctl apache:generate_config | Generate the component's configuration file using the current settings.
Display hostname | asctl apache:hostname | Display the hostname or IP address of the server.
Change hostname | asctl apache:hostname host | Change the hostname or IP address of the server. Replace host with a new hostname or IP address.
Display HTTP port | asctl apache:http_port | Display the HTTP port the web server listens to.
Change HTTP port | asctl apache:http_port port | Change the HTTP port the web server listens to. Replace port with a new port number.
Display HTTPS port | asctl apache:https_port | Display the HTTPS port the web server listens to.
Change HTTPS port | asctl apache:https_port port | Change the HTTPS port the web server listens to. Replace port with a new port number.
Show config info | asctl apache:info | Print configuration info about Apache.
Copy your SSL files into the Aspera default location (under default names) | asctl apache:install_ssl_cert cert_file key_file [chain_file] | After upgrading Faspex and Common, use this command to copy your original SSL certificate, key and optional chain file to /opt/aspera/common/apache/conf and give them Aspera-standard names. The httpd-ssl.conf file is also re-rendered and permissions/ownership is set for the cert files.
Set Apache log level | asctl apache:log_level option | Specify the Apache's log level. Replace option with crit, error, warn, notice, info or debug.
Create SSL certificate | asctl apache:make_ssl_cert hostname | Create a self-signed SSL certificate for the specified hostname. Replace hostname with your hostname.
Restart Apache | asctl apache:restart |
Configure Apache | asctl apache:setup |
Configure Apache using saved file | asctl apache:setup_from_file filename | Run setup using the answers from a file created using the "create_setup_file" command.
Start Apache | asctl apache:start |
Show Apache status | asctl apache:status |
Stop Apache | asctl apache:stop |
Upgrade Apache | asctl apache:upgrade |
Show Apache's version | asctl apache:version |

Console

Task | Command | Description
Create or update admin | asctl console:admin_user login [password] | Create a new admin, or update an existing admin account. Replace login with a login, with its . You can add the account's password in the command ([password]), or enter it when prompted. If the login you have entered exists, the account is updated with new and password.
Backup database | asctl console:backup_database dir | Backup Console database and associate files to the specified directory. Replace dir with a path to store the backup.
Display base port | asctl console:base_port | Display the base port of the mongrels.
Change base port | asctl console:base_port [arg] | Change the base port of the mongrels. Replace [arg] with the new base port number.
Create setup file | asctl console:create_setup_file file | Create a reusable file that contains answers to the setup questions. Replace file with a file name.
Disable Console | asctl console:disable | Disable Console. When disabled, the service will not start when rebooting computer, does not print reminders or update its configurations.
Re-generate conf | asctl console:generate_config | Generate Console component's configuration file using the current settings.
Config info | asctl console:info | Print Console configuration info.
Update database | asctl console:migrate_database | Update database to the latest schema.
Display mongrel count | asctl console:mongrel_count | Display the number of mongrels to spawn.
Change mongrel count | asctl console:mongrel_count arg | Change the number of mongrels to spawn. Replace arg with a number.
Rake command | asctl console:rake arg | Invoke a rake command.
Restart Console | asctl console:restart | Restart mongrel web servers and all background processes.
Restore config and data | asctl console:restore dir | Restore Console database and configuration from a backup directory.
Restore database | asctl console:restore_database dir | Restore Console database from a backup directory.
Configure Console component | asctl console:setup | Configure this component.
Configure Console using saved file | asctl console:setup_from_file file | Run setup using the answers from a file created using the "create_setup_file" command.
Start Console | asctl console:start | Starts mongrel web servers and all background processes.
Show Console status | asctl console:status | Display Console status.
Stop Console | asctl console:stop | Stops mongrel web servers and all background processes.
Upgrade | asctl console:upgrade | Upgrade Console from a previous version.
Display namespace | asctl console:uri_namespace | Display Console's URL namespace.
Change namespace | asctl console:uri_namespace arg | Change Console's URL namespace. Replace arg with the new namespace.
Show Console's version | asctl console:version | Display the currently set up version.
Generate templates | asctl console:generate_ _templates | Recreate template files.

MySQL

Task | Command | Description
Create setup file | asctl mysql:create_setup_file file | Create a reusable file that contains answers to the setup questions. Replace file with a file name.
Display database directory | asctl mysql:data_dir | Display the directory that the databases are kept in.
Disable MySQL | asctl mysql:disable | Disable the Aspera MySQL. When disabled, the service will not start when rebooting computer, does not print reminders or update its configurations.
Grant access on MySQL-only server | asctl mysql:grant_remote_access host mysql_user password | If MySQL server is running on a different computer, use this command on the MySQL machine to allow access from the specified machine. Replace host, mysql_user and mysql_password with the server's hostname, MySQL's user name, and the user's password, respectively.
Show config info | asctl mysql:info | Print configuration info about MySQL.
Show port | asctl mysql:port | Display the port the MySQL server listens to.
Change port | asctl mysql:port port | Change the port the MySQL server listens to. Replace port with a new port number.
Restart MySQL | asctl mysql:restart | Restart the Aspera MySQL.
Set root password | asctl mysql:set_root_password | Set the password for 'root' in MySQL.
Configure MySQL-only server | asctl mysql:setup | If MySQL server is running on a different computer, use this command on the MySQL machine to configure it.
Configure MySQL using saved file | asctl mysql:setup_from_file file | Run setup using the answers from a file created using the "create_setup_file" command.
Start MySQL | asctl mysql:start | Start the Aspera MySQL.
Show MySQL status | asctl mysql:status | Display the Aspera MySQL status.
Stop MySQL | asctl mysql:stop | Stop the Aspera MySQL.
Upgrade MySQL-only server | asctl mysql:upgrade | If MySQL server is running on a different computer, use this command on the MySQL machine to upgrade the database.
Show MySQL's version | asctl mysql:version | Display the currently set up version.

Advanced Search

You can search for a transfer from any page in IBM Aspera Application Platform / Server On Demand (APOD / SOD) by using the search bar in the top right corner of the page. If you want to refine your search, you can access the Advanced Search dialog by selecting the blue drop-down arrow next to the search bar.

Filter | Description
Transfer Name | Include transfers with this name.
Contact | Include transfers initiated by this user.
SSH User | Include transfers involving this SSH user.
Session ID | Include transfers with this unique session ID.

Filter | Description
File Name Start | Include transfers with files that start with this string.
Source Path | Include transfers with files that originated from this location.
Destination Path | Include transfers with files transferred to this location.
Node | Include transfers involving this selected node or this node IP address.
From | Include transfers started from this date and onwards.
To | Include transfers from this date and onwards.
Status | Include transfers with the current state designated: Active, Completed, Cancelled, Error.
Results | The number of results you want Console to display.

Template Examples

Template Example: Creating a Simple Notification for a Successful Transfer

The following example shows how to create an email template that notifies a user of a successful transfer with minimal information.

1. Select Create new transfer success template and then edit.
2. Name your template "Client Success ".
3. Enter a From Name and Reply-to Address if you don't want the notification to come from the default address.
4. Enter a new subject: "Client Transfer Notification - Success".
5. Click Edit Plain Template and remove variables to limit the information provided to the recipient. For example:

========================================
Client Transfer Notification
========================================
Description of the Transfer: DESCRIPTION
Client Name: CONTACT
Total Bytes Transferred: BYTES_TRANSFERRED
Total Time for Transfer: ELAPSED_TIME
Average Transfer Rate: AVERAGE_RATE

You are receiving this message because your Aspera Console preferences are set to receive these notifications or someone else thought you should know about this particular transfer.

The end result should look like the following:

6. Edit HTML Template to match the information in the basic template. The end result should look like the following:
7. Click the Send Test button to test the new template.

Template Example: Adding Company Branding to Your Template

The following example shows how to create an email template that shows company branding when opened in HTML format.

1. On the Template preview screen, click the Edit HTML Template button to modify the template's HTML code.
2. Locate the URL of your company logo. Your image must be hosted on a server that is accessible to the recipient.
3. Open the HTML Template and insert the following code in the desired location.

<IMG SRC="

In this example, we've inserted the logo into the header. The result may look like the following:

Node References

Node-Level Configuration Options

To start node configuration, go to Nodes in the Console menu. Click edit for an existing node that you wish to configure. The node configuration options can be found in the Configuration tab. The following is a summarized chart for navigating and changing values when you click on an individual section. Click Save changes when finished.

Note: Configuration at the node level will affect all user accounts and group accounts on that node performing Aspera transfers.

Section | Configuration Details
Database | Configuring policy and logging level settings.
Transfer Server | Setting transfer server IP address and port.
HTTP Fallback Server | Enable and configure HTTP / HTTPS fallback server.
Docroot | Setting document root and its access permissions.
Authorization | Connection permissions, token key, and encryption requirements.
Bandwidth | Incoming and outgoing transfer bandwidth and policy settings.
Advanced File Handling | File handling settings, such as file block size, overwrite rules, and exclude pattern.
Advanced Network Options | Network IP address, port, and socket buffer settings.

90 Working with IBM Aspera Console 90 Database # Field Values Default 1 Host IP Enter the Aspera Console server's IP address, default valid IPv4 address Port The default value for an Aspera Console installation is Valid port numbers range between 1 and Integer between 1 and User User login for the database server. text string blank 4 Database Name Name of the database used to store Aspera transfer text string data. blank 5 Threads The number of parallel connections used for database logging. A higher value may be useful when a large number of files are being transferred within a given time frame. Integer between 1 and Stop Transfers on Database Error Quits all ongoing transfers and no new transfers are permitted when a database error prevents data from being written to the database. Set this to true if all transfers must be logged by your organization. true false false 7 Session Progress Setting this value to true will log transfer status such as number of files transferred, and bytes transferred, at a given interval. true false true 8 Session Progress Interval The frequency at which an Aspera node logs Positive integer 1 transfer session information, up to seconds. 9 File Events Setting this value to true enables the logging of complete file paths and file names. Performance may be improved when transferring datasets containing thousands of files. Also see File Per Session for setting a threshold for the number of files to log per session. true false true 10 File Progress Setting this value to true will log file status such as bytes transferred at a given interval. true false true 11 File Progress Interval The frequency at which an Aspera node logs file Integer transfer information, up to seconds. The between 1 and default setting of 1 logging sessions every second Files Per Session The value is the cut-off point for file names logged in a given session. For example, if the value is set to 50, the first 50 file names will be recorded for any session. 
The session will still record the number of files transferred along with the number of files completed, failed, or skipped. The default setting of 0 will log all file names for a given session. Positive integer 0 or zero 13 Ignore Empty Files Setting this to true will block the logging of zerobyte files. true false 1 false

14. Ignore No-transfer Files: Setting this to true will block the logging of files that have not been transferred because they exist at the destination at the time the transfer started.
Values: true, false. Default: false.

15. Rate Events: Setting this to true will log changes made to the Target Rate, Minimum Rate, and Transfer Policy of a transfer by any user or Aspera node administrator during a transfer.
Values: true, false. Default: true.

Transfer Server

1. Bind Address: This is the network interface address on which the transfer server listens. The default value enables the transfer server to accept transfer requests from the local computer. Setting the value to allows the Aspera transfer server to accept transfer requests on all network interfaces for this node. Alternatively, a specific network interface address may be specified.
Values: Valid IPv4 address.

2. Bind Port: The port at which the transfer server will accept transfer requests.
Values: Integer between and

HTTP Fallback Server

Note: While Console can change a node's settings for HTTP fallback, Console does not support HTTP fallback for transfers it initiates.

1. Cert File: The absolute path to an SSL certificate file. If left blank, the default certificate file that came with your Aspera Enterprise Server will be used.
Values: file path. Default: blank.

2. Key File: The absolute path to an SSL key file. If left blank, the default certificate file that came with your Aspera Enterprise Server will be used.
Values: file path. Default: blank.

3. Bind Address: This is the network interface address on which the HTTP Fallback Server listens. The default value allows the Aspera HTTP Fallback Server to accept transfer requests on all network interfaces for this node. Alternatively, a specific network interface address may be specified.
Values: valid IPv4 address.

4. Restartable Transfers: Setting this to true allows interrupted transfers to resume at the point of interruption.
Values: true, false. Default: true.

5. Session Activity Timeout: Any value greater than 0 sets the amount of time, in seconds, that the HTTP Fallback Server will wait without any transfer activity before canceling the transfer. Notice that this option cannot be left at 0, otherwise interrupted HTTP Fallback sessions will get stuck until server or asperacentral is restarted.
Values: Positive integer. Default: 0.

6. Enable HTTP: Enables the HTTP Fallback Server that allows failed UDP transfers to continue over HTTP.
Values: true, false. Default: false.

7. HTTP Port: The port on which the HTTP server listens. Valid port numbers range between 1 and
Values: positive integer.

8. Enable HTTPS: Enables the HTTPS Fallback Server that allows failed UDP transfers to continue over HTTPS.
Values: true, false. Default: false.

9. HTTPS Port: The port on which the HTTPS server listens. Valid port numbers range between 1 and
Values: positive integer. Default: 8443.

Docroot

1. Absolute Path: The Absolute Path describes the area of the file system that is accessible by Aspera users. The default empty value gives users access to the entire file system.
Values: file path. Default: N/A.

2. Read Allowed: Setting this to true allows users to transfer from the designated area of the file system as specified by the Absolute Path value.
Values: true, false. Default: N/A.

3. Write Allowed: Setting this to true allows users to transfer to the designated area of the file system as specified by the Absolute Path value.
Values: true, false. Default: N/A.

4. Browse Allowed: Setting this to true allows users to browse the directory.
Values: true, false. Default: N/A.

Authorization

1. Incoming Transfers: The default setting of allow allows users to transfer to this computer. Setting this to deny will prevent transfers to this computer. When set to require token, only transfers initiated with valid tokens will be allowed to transfer to this computer. Token-based transfers are typically employed by web applications such as Faspex and require a Token Encryption Key.
Values: allow, deny, require token. Default: allow.

2. Incoming External Provider URL: The value entered should be the URL of the external authorization provider for incoming transfers. The default empty setting disables external authorization. Aspera servers can be configured to check with an external authorization provider. This SOAP authorization mechanism can be useful to organizations requiring custom authorization rules.
Values: HTTP URL. Default: blank.

3. Incoming External Provider SOAP Action: The SOAP action required by the external authorization provider for incoming transfers. Required if External Authorization is enabled.
Values: text string. Default: blank.

4. Outgoing Transfers: The default setting of allow allows users to transfer from this computer. Setting this to deny will prevent transfers from this computer. When set to require token, only transfers initiated with valid tokens will be allowed to transfer from this computer. Token-based transfers are typically employed by web applications such as Faspex and require a Token Encryption Key.
Values: allow, deny, require token. Default: allow.

5. Outgoing External Provider URL: The value entered should be the URL of the external authorization provider for outgoing transfers. The default empty setting disables external authorization. Aspera servers can be configured to check with an external authorization provider. This SOAP authorization mechanism can be useful to organizations requiring custom authorization rules.
Values: HTTP URL, default blank.

6. Outgoing External Provider Soap Action: The SOAP action required by the external authorization provider for outgoing transfers. Required if External Authorization is enabled.
Values: Text string. Default: blank.

7. Token Encryption Cipher: The cipher used to generate encrypted authorization tokens.
Values: aes-128, aes-192, aes-256. Default: aes-128.

8. Token Encryption Key: This is the secret token that will be used to authorize those transfers configured to require token. Token generation is part of the Aspera SDK. See the Aspera Developer's Network (Token-based Authorization Topic) for more information.
Values: Text string. Default: blank.

9. Token Life (seconds): Sets token expiration for users of web-based transfer applications.
Values: Positive integer.

10. Encryption Allowed: Describes the type of transfer encryption accepted by this computer. When set to any the computer allows both encrypted and non-encrypted transfers. When set to none the computer restricts transfers to non-encrypted transfers only. When set to aes-128 the computer restricts transfers to encrypted transfers only.
Values: any, none, aes-128. Default: any.

Bandwidth

1. Incoming Vlink ID: The value sets the Vlink ID for incoming transfers. Vlinks are a mechanism to define aggregate transfer policies. The default setting of 0 disables Vlinks. One Vlink (the virtual equivalent of a network trunk) represents a bandwidth allowance that may be allocated to a node, group, or user. Vlink IDs are defined in each Vlink created in Aspera Console. The Vlink ID is a unique numeric identifier. See Configuring Virtual Links.
Values: Pre-defined value. Default: 0.

2. Incoming Target Rate Cap (Kbps): The value sets the Target Rate Cap for incoming transfers. The Target Rate Cap is the maximum target rate that a transfer can request, in kilobits per second. No transfer may be adjusted above this setting, at any time. The default setting of Unlimited signifies no Target Rate Cap. Clients requesting transfers with initial rates above the Target Rate Cap will be denied.
Values: Positive integer. Default: Unlimited.

3. Incoming Target Rate Default (Kbps): This value represents the initial rate for incoming transfers, in kilobits per second. Users may be able to modify this rate in real time as allowed by the software in use. This setting is not relevant to transfers with a Fixed policy.
Values: Positive integer.

4. Incoming Target Rate Lock: After an incoming transfer is started, its target rate may be modified in real time. The default setting false gives users the ability to adjust the transfer rate. A setting of true prevents real-time modification of the transfer rate.
Values: true, false. Default: false.

5. Incoming Minimum Rate Cap (Kbps): The value sets the Minimum Rate Cap for incoming transfers. The Minimum Rate Cap is a level specified in kilobits per second, below which an incoming transfer will not slow, despite network congestion or physical network availability. The default value of Unlimited effectively turns off the Minimum Rate Cap.
Values: Positive integer. Default: Unlimited.

6. Incoming Minimum Rate Default (Kbps): This value represents the initial minimum rate for incoming transfers, in kilobits per second. Users may be able to modify this rate in real time as allowed by the software in use. This setting is not relevant to transfers with a Fixed policy.
Values: Positive integer. Default: 0.

7. Incoming Minimum Rate Lock: After an incoming transfer is started, its minimum rate may be modified in real time. The default setting of false gives users the ability to adjust the transfer's minimum rate. A setting of true prevents real-time modification of the transfer rate. This setting is not relevant to transfers with a Fixed policy.
Values: true, false. Default: false.

8. Incoming Bandwidth Policy Default: The value chosen sets the default Bandwidth Policy for incoming transfers. The default policy value may be overridden by client applications initiating transfers.
Values: fixed, high, fair, low. Default: fair.

9. Incoming Bandwidth Policy Allowed: The value chosen sets the allowed Bandwidth Policy for incoming transfers. Aspera transfers use fixed, high, fair and low policies to accommodate network-sharing requirements. When set to any, the server will not deny any transfer based on policy setting. When set to high, transfers with a Policy of high and less aggressive transfer policies (such as fair or low) will be permitted. Fixed transfers will be denied. When set to low, only transfers with a Bandwidth Policy of low will be allowed.
Values: fixed, high, fair, low. Default: fair.

10. Incoming Bandwidth Policy Lock: After an incoming transfer is started, its Policy may be modified in real time. The default setting of false gives users the ability to adjust the transfer's Policy. A setting of true prevents real-time modification of the Policy.
Values: true, false. Default: false.

11. Outgoing Vlink ID: The value sets the Vlink ID for outgoing transfers. Vlinks are a mechanism to define aggregate transfer policies. The default setting of 0 disables Vlinks. One Vlink (the virtual equivalent of a network trunk) represents a bandwidth allowance that may be allocated to a node, group, or user. Vlink IDs are defined in each Vlink created in Aspera Console. The Vlink ID is a unique numeric identifier. See Configuring Virtual Links.
Values: Pre-defined value. Default: 0.

12. Outgoing Target Rate Cap (Kbps): The value sets the Target Rate Cap for outgoing transfers. The Target Rate Cap is the maximum target rate that a transfer can request, in kilobits per second. No transfer may be adjusted above this setting, at any time. The default setting of Unlimited signifies no Target Rate Cap. Clients requesting transfers with initial rates above the Target Rate Cap will be denied.
Values: Positive integer. Default: Unlimited.

13. Outgoing Target Rate Default (Kbps): This value represents the initial rate for outgoing transfers, in kilobits per second. Users may be able to modify this rate in real time as allowed by the software in use. This setting is not relevant to transfers with a Fixed policy.
Values: Positive integer.

14. Outgoing Target Rate Lock: After an outgoing transfer is started, its target rate may be modified in real time. The default setting of false gives users the ability to adjust the transfer rate. A setting of true prevents real-time modification of the transfer rate.
Values: true, false. Default: false.

15. Outgoing Minimum Rate Cap (Kbps): The value sets the Minimum Rate Cap for outgoing transfers. The Minimum Rate Cap is a level specified in kilobits per second, below which an incoming transfer will not slow, despite network congestion or physical network availability. The default value of Unlimited effectively turns off the Minimum Rate Cap.
Values: Positive integer. Default: Unlimited.

16. Outgoing Minimum Rate Default: This value represents the initial minimum rate for outgoing transfers, in kilobits per second. Users may be able to modify this rate in real time as allowed by the software in use. This setting is not relevant to transfers with a Fixed policy.
Values: Positive integer. Default: 0.

17. Outgoing Minimum Rate Lock: After an outgoing transfer is started, its minimum rate may be modified in real time. The default setting of false gives users the ability to adjust the transfer's minimum rate. A setting of true prevents real-time modification of the transfer rate. This setting is not relevant to transfers with a Fixed policy.
Values: true, false. Default: false.

18. Outgoing Bandwidth Policy Default: The value chosen sets the default Bandwidth Policy for outgoing transfers. The default policy value may be overridden by client applications initiating transfers.
Values: fixed, high, fair, low. Default: fair.

19. Outgoing Bandwidth Policy Allowed: The value chosen sets the allowed Bandwidth Policy for outgoing transfers. Aspera transfers use fixed, high, fair and low policies to accommodate network-sharing requirements. When set to any, the server will not deny any transfer based on policy setting. When set to high, transfers with a Policy of high and less aggressive transfer policies (for example, fair or low) will be permitted. Fixed transfers will be denied. When set to low, only transfers with a Bandwidth Policy of low will be allowed.
Values: any, high, fair, low. Default: any.

20. Outgoing Bandwidth Policy Lock: After an outgoing transfer is started, its Policy may be modified in real time. The default setting of false gives users the ability to adjust the transfer's Policy. A setting of true prevents real-time modification of the Policy.
Values: true, false. Default: false.

Advanced File Handling

1. File Create Mode: Specify file creation mode (permissions). If specified, create files with these permissions (for example 0755), irrespective of File Create Grant Mask and permissions of the file on the source computer. Only takes effect when the server is a non-Windows receiver.
Values: Positive integer (octal). Default: undefined.

2. File Create Grant Mask: Used to determine mode for newly created files if File Create Mode is not specified. If specified, file modes will be set to their original modes plus the Grant Mask values. Only takes effect when the server is a non-Windows receiver and when File Create Mode is not specified.
Values: Positive integer (octal).

3. Directory Create Mode: Specify directory creation mode (permissions). If specified, create directories with these permissions irrespective of Directory Create Grant Mask and permissions of the directory on the source computer. Only takes effect when the server is a non-Windows receiver.
Values: Positive integer (octal). Default: undefined.

4. Directory Create Grant Mask: Used to determine mode for newly created directories if Directory Create Mode is not specified. If specified, directory modes will be set to their original modes plus the Grant Mask values. Only takes effect when the server is a non-Windows receiver and when Directory Create Mode is not specified.
Values: Positive integer (octal).

5. Read Block Size (bytes): This is a performance tuning parameter for an Aspera sender. It represents the number of bytes an Aspera sender reads at a time from the source disk drive. Only takes effect when server is sender. The default of 0 will cause the Aspera sender to use its default internal buffer size, which may be different for different operating systems.
Values: Positive integer. Default: 0.

6. Write Block Size (bytes): This is a performance tuning parameter for an Aspera receiver. Number of bytes an ascp receiver writes data at a time onto disk drive. Only takes effect when server is receiver. The default of 0 will cause the Aspera sender to use its default internal buffer size, which may be different for different operating systems.
Values: Positive integer. Default: 0.

7. Use File Cache: This is a performance tuning parameter for an Aspera receiver. Enable or disable per-file memory caching at the data receiver. File level memory caching improves data write speed on Windows platforms in particular, but will use more memory. We suggest using a file cache on systems that are transferring data at speeds close to the performance of their storage device, and disable it for systems with very high concurrency (because memory utilization will grow with the number of concurrent transfers).
Values: true, false. Default: true.

8. Max File Cache Buffer (bytes): This is a performance tuning parameter for an Aspera receiver. This value corresponds to the maximal size allocated for per-file memory cache (see Use File Cache). Unit is bytes. The default of 0 will cause the Aspera receiver to use its internal buffer size, which may be different for different operating systems.
Values: Positive integer. Default: 0.

9. Resume Suffix: Extension name of a class of special files holding metadata information of regular data files. Useful in the context of resuming partially completed transfers. During resume mode (-k1/2/3), each data file has a corresponding metadata file with the same name and the pre-specified resume suffix.
Values: text string. Default: aspx.

10. Preserve Attributes: Configure file creation policy. When set to none, do not preserve the timestamp of source files. When set to times, preserve the timestamp of the source files at destination.
Values: none / times. Default: undefined.

11. Overwrite: Overwrite is an Aspera server setting that determines whether Aspera clients are allowed to overwrite files on the server. By default it is set to allow, meaning that clients uploading files to the servers will be allowed to overwrite existing files as long as file permissions allow that action. If set to deny, clients uploading files to the server will not be able to overwrite existing files, regardless of file permissions.
Values: allow, deny. Default: allow.

12. File Manifest: When set to text a text file "receipt" of all files within each transfer session is generated. If set to disable no File Manifest is created. The file manifest is a file containing a list of everything that was transferred in a given transfer session. The filename of the File Manifest itself is automatically generated based on the transfer session's unique ID. The location where each manifest is written is specified by the File Manifest Path value. If no File Manifest Path is specified, the file will be generated under the destination path at the receiver, and under the first source path at the sender.
Values: text, disable. Default: none.

13. File Manifest Path: Specify the location to store manifest files. Can be an absolute path or a path relative to the transfer user's home.
Values: text string. Default: blank.

14. Pre-Calculate Job Size: Configure the policy of calculating total job size before data transfer. If set to any, follow client configurations (-o PreCalculateJobSize={yes|no}). If set to no, disable calculating job size before transferring. If set to yes, enable calculating job size before transferring.
Values: any, yes, no. Default: any.

15. Storage Rate Control: Enable/Disable disk rate control. When enabled, adjust transfer rate according to the speed of receiving I/O storage, if it becomes a bottleneck.
Values: true, false. Default: false.

16. File checksum method: Specify the type of checksum to calculate for transferred files. The content of transfers can be verified by comparing the checksum value at the destination with the value read at the source.
Values: any, md5, sha1. Default: any.

16. Partial Suffix: Set the file suffix for partially downloaded files. .aspx

Advanced Network Options

1. Bind IP Address: Specify an IP address for server-side ascp to bind its UDP connection. If a valid IP address is given, ascp sends and receives UDP packets ONLY on the interface corresponding to that IP address.
Values: Valid IPv4 address. Default: blank.

2. Bind UDP Port: Specify a port number for server-side ascp to bind its UDP connection. This also prevents client ascp processes from binding to same UDP port. Valid port numbers range between 1 and
Values: Positive integer. Default: 33001.

3. Disable Packet Batching: When set to true, send data packets back to back (no sending a batch of packets). This results in smoother data traffic at a cost of higher CPU usage.
Values: true, false. Default: false.

4. Maximum Socket Buffer (bytes): Upper bound the UDP socket buffer of an ascp session below the input value. The default of 0 will cause the Aspera sender to use its default internal buffer size, which may be different for different operating systems.
Values: Positive integer. Default: 0.

5. Minimum socket buffer (bytes): Set the minimum UDP socket buffer size for an ascp session.
Values: Positive integer. Default: 0.

Node Account-Level Configuration Options

When configuring users and groups on a node from Console, both group-level and user-level settings share the same configuration options. This topic covers the following configuration sections:

Docroot: Setting document root and its access permissions.
Authorization: Connection permissions, token key, and encryption requirements.
Bandwidth: Incoming and outgoing transfer bandwidth and policy settings.
Advanced File Handling: File handling settings, such as file block size, overwrite rules, and exclude pattern.
Advanced Network Options: Network IP, port, and socket buffer settings.

Docroot

1. Absolute Path: The Absolute Path describes the area of the file system that is accessible by Aspera users. The default empty value gives users access to the entire file system.
Values: file path. Default: N/A.

2. Read Allowed: Setting this to true allows users to transfer from the designated area of the file system as specified by the Absolute Path value.
Values: true, false. Default: N/A.

3. Write Allowed: Setting this to true allows users to transfer to the designated area of the file system as specified by the Absolute Path value.
Values: true, false. Default: N/A.

4. Browse Allowed: Setting this to true allows users to browse the directory.
Values: true, false. Default: N/A.
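Several of the settings documented above have defaults with a security impact (an empty Absolute Path, Encryption Allowed set to any, a Session Activity Timeout of 0, a Grant Mask added to source permissions). The following added example, which is not IBM or Console code, checks a set of values against those documented behaviours; the dictionary layout keyed by "Section/Field", the sample values, and the reading of "plus the Grant Mask" as a bitwise OR are assumptions of this example.

```python
# Added example: audits settings named after the Console field labels documented above.
# Assumption: the "Section/Field" dict layout is constructed here; Console does not export it.

PRIVATE_SOURCE_MODE = 0o600  # constructed sample: a file that is owner-only at the source


def parse_mode(value):
    """Return an int for an octal string such as '0644', or None when unset."""
    if value in (None, "", "undefined"):
        return None
    return int(str(value), 8)


def effective_file_mode(source_mode, create_mode, grant_mask):
    """File Create Mode wins when specified; otherwise original mode plus Grant Mask.

    "Plus" is modelled as a bitwise OR, which is this example's reading of the text.
    """
    if create_mode is not None:
        return create_mode
    return source_mode | (grant_mask or 0)


def audit(settings):
    """Return a sorted list of (field, finding) pairs for risky values."""
    get = settings.get
    findings = []

    if not get("Docroot/Absolute Path", ""):
        findings.append(("Docroot/Absolute Path",
                         "empty value exposes the entire file system"))

    if get("Authorization/Encryption Allowed", "any") in ("any", "none"):
        findings.append(("Authorization/Encryption Allowed",
                         "non-encrypted transfers are accepted"))

    key = get("Authorization/Token Encryption Key", "")
    for direction in ("Incoming", "Outgoing"):
        field = f"Authorization/{direction} Transfers"
        if get(field, "allow") == "require token" and not key:
            findings.append((field, "require token is set but no Token Encryption Key"))

    http = get("HTTP Fallback Server/Enable HTTP", False)
    https = get("HTTP Fallback Server/Enable HTTPS", False)
    if http:
        findings.append(("HTTP Fallback Server/Enable HTTP",
                         "fallback transfers continue over plain HTTP"))
    if (http or https) and get("HTTP Fallback Server/Session Activity Timeout", 0) == 0:
        findings.append(("HTTP Fallback Server/Session Activity Timeout",
                         "0 leaves interrupted fallback sessions stuck"))
    if https and not get("HTTP Fallback Server/Cert File", ""):
        findings.append(("HTTP Fallback Server/Cert File",
                         "blank value uses the certificate shipped with the server"))

    mode = effective_file_mode(
        PRIVATE_SOURCE_MODE,
        parse_mode(get("Advanced File Handling/File Create Mode")),
        parse_mode(get("Advanced File Handling/File Create Grant Mask")),
    )
    if mode & 0o007:  # any permission bit granted to "other"
        findings.append(("Advanced File Handling/File Create Mode",
                         f"an owner-only source file lands as {mode:04o}"))
    return sorted(findings)


# Constructed sample: documented defaults, with HTTPS fallback switched on.
# The 0644 Grant Mask is the default shown in the account-level table.
DEFAULTS_WITH_FALLBACK = {
    "Docroot/Absolute Path": "",
    "Authorization/Incoming Transfers": "allow",
    "Authorization/Outgoing Transfers": "allow",
    "Authorization/Token Encryption Key": "",
    "Authorization/Encryption Allowed": "any",
    "HTTP Fallback Server/Enable HTTP": False,
    "HTTP Fallback Server/Enable HTTPS": True,
    "HTTP Fallback Server/Session Activity Timeout": 0,
    "HTTP Fallback Server/Cert File": "",
    "Advanced File Handling/File Create Mode": "undefined",
    "Advanced File Handling/File Create Grant Mask": "0644",
}

# Constructed sample: a tightened configuration; paths and key are placeholders.
HARDENED = {
    "Docroot/Absolute Path": "/data/transfers",
    "Authorization/Incoming Transfers": "require token",
    "Authorization/Outgoing Transfers": "require token",
    "Authorization/Token Encryption Key": "PLACEHOLDER-KEY",
    "Authorization/Encryption Allowed": "aes-128",
    "HTTP Fallback Server/Enable HTTP": False,
    "HTTP Fallback Server/Enable HTTPS": True,
    "HTTP Fallback Server/Session Activity Timeout": 30,
    "HTTP Fallback Server/Cert File": "/path/to/cert.pem",
    "Advanced File Handling/File Create Mode": "0640",
}

if __name__ == "__main__":
    for field, finding in audit(DEFAULTS_WITH_FALLBACK):
        print(f"{field}: {finding}")
```
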

Authorization

1. Incoming Transfers: The default setting of allow allows users to transfer to this computer. Setting this to deny will prevent transfers to this computer. When set to require token, only transfers initiated with valid tokens will be allowed to transfer to this computer. Token-based transfers are typically employed by web applications such as Faspex and require a Token Encryption Key.
Values: allow, deny, require token. Default: allow.

2. Incoming External Provider URL: The value entered should be the URL of the external authorization provider for incoming transfers. The default empty setting disables external authorization. Aspera servers can be configured to check with an external authorization provider. This SOAP authorization mechanism can be useful to organizations requiring custom authorization rules.
Values: HTTP URL. Default: blank.

3. Incoming External Provider SOAP Action: The SOAP action required by the external authorization provider for incoming transfers. Required if External Authorization is enabled.
Values: text string. Default: blank.

4. Outgoing Transfers: The default setting of allow allows users to transfer from this computer. Setting this to deny will prevent transfers from this computer. When set to require token, only transfers initiated with valid tokens will be allowed to transfer from this computer. Token-based transfers are typically employed by web applications such as Faspex and require a Token Encryption Key.
Values: allow, deny, require token. Default: allow.

5. Outgoing External Provider URL: The value entered should be the URL of the external authorization provider for outgoing transfers. The default empty setting disables external authorization. Aspera servers can be configured to check with an external authorization provider. This SOAP authorization mechanism can be useful to organizations requiring custom authorization rules.
Values: HTTP URL, default blank.

6. Outgoing External Provider Soap Action: The SOAP action required by the external authorization provider for outgoing transfers. Required if External Authorization is enabled.
Values: Text string. Default: blank.

7. Token Encryption Cipher: The cipher used to generate encrypted authorization tokens.
Values: aes-128, aes-192, aes-256. Default: aes-128.

8. Token Encryption Key: This is the secret token that will be used to authorize those transfers configured to require token. Token generation is part of the Aspera SDK. See the Aspera Developer's Network (Token-based Authorization Topic) for more information.
Values: Text string. Default: blank.

9. Token Life (seconds): Sets token expiration for users of web-based transfer applications.
Values: Positive integer.

10. Encryption Allowed: Describes the type of transfer encryption accepted by this computer. When set to any the computer allows both encrypted and non-encrypted transfers. When set to none the computer restricts transfers to non-encrypted transfers only. When set to aes-128 the computer restricts transfers to encrypted transfers only.
Values: any, none, aes-128. Default: any.

Bandwidth

1. Incoming Vlink ID: The value sets the Vlink ID for incoming transfers. Vlinks are a mechanism to define aggregate transfer policies. The default setting of 0 disables Vlinks. One Vlink (the virtual equivalent of a network trunk) represents a bandwidth allowance that may be allocated to a node, group, or user. Vlink IDs are defined in each Vlink created in Aspera Console. The Vlink ID is a unique numeric identifier. See Configuring Virtual Links.
Values: Pre-defined value. Default: 0.

2. Incoming Target Rate Cap (Kbps): The value sets the Target Rate Cap for incoming transfers. The Target Rate Cap is the maximum target rate that a transfer can request, in kilobits per second. No transfer may be adjusted above this setting, at any time. The default setting of Unlimited signifies no Target Rate Cap. Clients requesting transfers with initial rates above the Target Rate Cap will be denied.
Values: Positive integer. Default: Unlimited.

3. Incoming Target Rate Default (Kbps): This value represents the initial rate for incoming transfers, in kilobits per second. Users may be able to modify this rate in real time as allowed by the software in use. This setting is not relevant to transfers with a Fixed policy.
Values: Positive integer.

4. Incoming Target Rate Lock: After an incoming transfer is started, its target rate may be modified in real time. The default setting false gives users the ability to adjust the transfer rate. A setting of true prevents real-time modification of the transfer rate.
Values: true, false. Default: false.

5. Incoming Minimum Rate Cap (Kbps): The value sets the Minimum Rate Cap for incoming transfers. The Minimum Rate Cap is a level specified in kilobits per second, below which an incoming transfer will not slow, despite network congestion or physical network availability. The default value of Unlimited effectively turns off the Minimum Rate Cap.
Values: Positive integer. Default: Unlimited.

6. Incoming Minimum Rate Default (Kbps): This value represents the initial minimum rate for incoming transfers, in kilobits per second. Users may be able to modify this rate in real time as allowed by the software in use. This setting is not relevant to transfers with a Fixed policy.
Values: Positive integer. Default: 0.

7. Incoming Minimum Rate Lock: After an incoming transfer is started, its minimum rate may be modified in real time. The default setting of false gives users the ability to adjust the transfer's minimum rate. A setting of true prevents real-time modification of the transfer rate. This setting is not relevant to transfers with a Fixed policy.
Values: true, false. Default: false.

8. Incoming Bandwidth Policy Default: The value chosen sets the default Bandwidth Policy for incoming transfers. The default policy value may be overridden by client applications initiating transfers.
Values: fixed, high, fair, low. Default: fair.

9. Incoming Bandwidth Policy Allowed: The value chosen sets the allowed Bandwidth Policy for incoming transfers. Aspera transfers use fixed, high, fair and low policies to accommodate network-sharing requirements. When set to any, the server will not deny any transfer based on policy setting. When set to high, transfers with a Policy of high and less aggressive transfer policies (such as fair or low) will be permitted. Fixed transfers will be denied. When set to low, only transfers with a Bandwidth Policy of low will be allowed.
Values: fixed, high, fair, low. Default: fair.

10. Incoming Bandwidth Policy Lock: After an incoming transfer is started, its Policy may be modified in real time. The default setting of false gives users the ability to adjust the transfer's Policy. A setting of true prevents real-time modification of the Policy.
Values: true, false. Default: false.

11. Outgoing Vlink ID: The value sets the Vlink ID for outgoing transfers. Vlinks are a mechanism to define aggregate transfer policies. The default setting of 0 disables Vlinks. One Vlink (the virtual equivalent of a network trunk) represents a bandwidth allowance that may be allocated to a node, group, or user. Vlink IDs are defined in each Vlink created in Aspera Console. The Vlink ID is a unique numeric identifier. See Configuring Virtual Links.
Values: Pre-defined value. Default: 0.

12. Outgoing Target Rate Cap (Kbps): The value sets the Target Rate Cap for outgoing transfers. The Target Rate Cap is the maximum target rate that a transfer can request, in kilobits per second. No transfer may be adjusted above this setting, at any time. The default setting of Unlimited signifies no Target Rate Cap. Clients requesting transfers with initial rates above the Target Rate Cap will be denied.
Values: Positive integer. Default: Unlimited.

13. Outgoing Target Rate Default (Kbps): This value represents the initial rate for outgoing transfers, in kilobits per second. Users may be able to modify this rate in real time as allowed by the software in use. This setting is not relevant to transfers with a Fixed policy.
Values: Positive integer.

14. Outgoing Target Rate Lock: After an outgoing transfer is started, its target rate may be modified in real time. The default setting of false gives users the ability to adjust the transfer rate. A setting of true prevents real-time modification of the transfer rate.
Values: true, false. Default: false.

15. Outgoing Minimum Rate Cap (Kbps): The value sets the Minimum Rate Cap for outgoing transfers. The Minimum Rate Cap is a level specified in kilobits per second, below which an incoming transfer will not slow, despite network congestion or physical network availability. The default value of Unlimited effectively turns off the Minimum Rate Cap.
Values: Positive integer. Default: Unlimited.

16. Outgoing Minimum Rate Default: This value represents the initial minimum rate for outgoing transfers, in kilobits per second. Users may be able to modify this rate in real time as allowed by the software in use. This setting is not relevant to transfers with a Fixed policy.
Values: Positive integer.

17. Outgoing Minimum Rate Lock: After an outgoing transfer is started, its minimum rate may be modified in real time. The default setting of false gives users the ability to adjust the transfer's minimum rate. A setting of true prevents real-time modification of the transfer rate. This setting is not relevant to transfers with a Fixed policy.
Values: true, false. Default: false.

18. Outgoing Bandwidth Policy Default: The value chosen sets the default Bandwidth Policy for outgoing transfers. The default policy value may be overridden by client applications initiating transfers.
Values: fixed, high, fair, low. Default: fair.

19. Outgoing Bandwidth Policy Allowed: The value chosen sets the allowed Bandwidth Policy for outgoing transfers. Aspera transfers use fixed, high, fair and low policies to accommodate network-sharing requirements. When set to any, the server will not deny any transfer based on policy setting. When set to high, transfers with a Policy of high and less aggressive transfer policies (for example, fair or low) will be permitted. Fixed transfers will be denied. When set to low, only transfers with a Bandwidth Policy of low will be allowed.
Values: any, high, fair, low. Default: any.

20. Outgoing Bandwidth Policy Lock: After an outgoing transfer is started, its Policy may be modified in real time. The default setting of false gives users the ability to adjust the transfer's Policy. A setting of true prevents real-time modification of the Policy.
Values: true, false. Default: false.

Advanced File Handling

1. File Create Mode: Specify file creation mode (permissions). If specified, create files with these permissions (for example 0755), irrespective of File Create Grant Mask and permissions of the file on the source computer. Only takes effect when the server is a non-Windows receiver.
Values: Positive integer (octal). Default: undefined.

2. File Create Grant Mask: Used to determine mode for newly created files if File Create Mode is not specified. If specified, file modes will be set to their original modes plus the Grant Mask values. Only takes effect when the server is a non-Windows receiver and when File Create Mode is not specified.
Values: Positive integer (octal). Default: 0644.

3. Directory Create Mode: Specify directory creation mode (permissions). If specified, create directories with these permissions irrespective of Directory Create Grant Mask and permissions of the directory on the source computer. Only takes effect when the server is a non-Windows receiver.
Values: Positive integer (octal). Default: undefined.

4. Directory Create Grant Mask: Used to determine mode for newly created directories if Directory Create Mode is not specified. If specified, directory modes will be set to their original modes plus the Grant Mask values. Only takes effect when the server is a non-Windows receiver and when Directory Create Mode is not specified.
Values: Positive integer (octal).

5. Read Block Size (bytes): This is a performance tuning parameter for an Aspera sender. It represents the number of bytes an Aspera sender reads at a time from the source disk drive. Only takes effect when server is sender. The default of 0 will cause the Aspera sender to use its default internal buffer size, which may be different for different operating systems.
Values: Positive integer. Default: 0.

6. Write Block Size (bytes): This is a performance tuning parameter for an Aspera receiver. Number of bytes an ascp receiver writes data at a time onto disk drive. Only takes effect when server is receiver. The default of 0 will cause the Aspera sender to use its default internal buffer size, which may be different for different operating systems.
Values: Positive integer. Default: 0.

7. Use File Cache: This is a performance tuning parameter for an Aspera receiver. Enable or disable per-file memory caching at the data receiver. File level memory caching improves data write speed on Windows platforms in particular, but will use more memory. We suggest using a file cache on systems that are transferring data at speeds close to the performance of their storage device, and disable it for systems with very high concurrency (because memory utilization will grow with the number of concurrent transfers).
Values: true, false. Default: true.

8. Max File Cache Buffer (bytes): This is a performance tuning parameter for an Aspera receiver. This value corresponds to the maximal size allocated for per-file memory cache (see Use File Cache). Unit is bytes. The default of 0 will cause the Aspera receiver to use its internal buffer size, which may be different for different operating systems.
Values: Positive integer. Default: 0.

9. Resume Suffix: Extension name of a class of special files holding metadata information of regular data files. Useful in the context of resuming partially completed transfers. During resume mode (-k1/2/3), each data file has a corresponding metadata file with the same name and the pre-specified resume suffix.
Values: text string. Default: aspx.

10. Preserve Attributes: Configure file creation policy. When set to none, do not preserve the timestamp of source files. When set to times, preserve the timestamp of the source files at destination.
Values: none / times. Default: undefined.

11. Overwrite: Overwrite is an Aspera server setting that determines whether Aspera clients are allowed to overwrite files on the server. By default it is set to allow, meaning that clients uploading files to the servers will be allowed to overwrite existing files as long as file permissions allow that action. If set to deny, clients uploading files to the server will not be able to overwrite existing files, regardless of file permissions.
Values: allow, deny. Default: allow.

12. File Manifest: When set to text a text file "receipt" of all files within each transfer session is generated. If set to disable no File Manifest is created. The file manifest is a file containing a list of everything that was transferred in a given transfer session. The filename of the File Manifest itself is automatically generated based on the transfer session's unique ID. The location where each manifest is written is specified by the File Manifest Path value. If no File Manifest Path is specified, the file will be generated under the destination path at the receiver, and under the first source path at the sender.
Values: text, disable. Default: none.

13. File Manifest Path: Specify the location to store manifest files. Can be an absolute path or a path relative to the transfer user's home.
text string blank 14 Pre-Calculate Job Size Configure the policy of calculating total job size before data transfer. If set to any, follow client configurations (-o PreCalculateJobSize={yes no}). If set to no, disable calculating job size before transferring. If set to yes, enable calculating job size before transferring. any yes no any 15 Storage Rate Control Enable/Disable disk rate control. When enabled, adjust transfer rate according to the speed of receiving I/O storage, if it becomes a bottleneck. true false false 16 File checksum method Specify the type of checksum to calculate for transferred files. The content of transfers can be any md5 sha1 any

106 Working with IBM Aspera Console 106 # Field Values Default verified by comparing the checksum value at the destination with the value read at the source. 16 Partial Suffix.aspx Set the file suffix for partially downloaded files. Advanced Network Options # Field Values Default 1 Bind IP Address Specify an IP address for server-side ascp to bind its UDP connection. If a valid IP address is given, ascp sends and receives UDP packets ONLY on the interface corresponding to that IP address. Valid IPv4 address blank 2 Bind UDP Port Specify a port number for server-side ascp to bind its UDP connection. This also prevents client ascp processes from binding to same UDP port. Valid port numbers range between 1 and Positive integer Disable Packet Batching When set to true, send data packets back to back (no sending a batch of packets). This results in smoother data traffic at a cost of higher CPU usage. false 4 Maximum Socket Buffer Upper bound the UDP socket buffer of an ascp (bytes) session below the input value. The default of 0 will cause the Aspera sender to use its default internal buffer size, which may be different for different operating systems. 5 Minimum socket buffer (bytes) true false Positive integer 0 Set the minimum UDP socket buffer size for an ascp Positive integer session. 0 Transfer References Simple Transfer Options The following tables provide information on additional configurable settings that are available when creating simple transfers. Connection Fasp Port (UDP) Specify the UDP port for FASP file transfers. Fasp proxy Enable transferring through a FASP proxy server, and specify the proxy host address, port, username, and password. This feature enables the source node to bypass restrictions to the destination node for this specific transfer by using a proxy. Security Content protection Check the option to enable the content protection that encrypts the files on destination, using the entered password. 
Transport encryption Select aes-128 to transfer with this encryption method.

Transfer
    Target rate: Specify the transfer target rate.
    Minimum rate: Set the transfer minimum rate.
    Bandwidth policy: Choose a transfer policy among fixed/high/fair/low.
    Retry policy: Check the option to enable the retry policy, as well as specify the number of attempts and the duration.

Notifications
    address: To send status notifications for transfer events (start, success, or error), enter an address and click Add. When the address appears in the table, specify which template to use for each transfer event.

File Handling
    Timestamp Filtering: Select this option to exclude files modified in the designated number of seconds.
    Resume policy: Specify a resume policy and the overwrite rule when the file exists on the destination.
    File attributes: Check the option to preserve the file permissions on the destination.
    Symlinks: Specify how to deal with symbolic links: follow, copy, copy and force, or skip. Leave this option blank if the source is on Windows. For all others, leaving it blank is the same as choosing "follow".
    Source Archiving: Move source files to a designated directory after completing a transfer. The transfer's session details page will display the archive directory's filepath as the After transfer path. For more information on session details, see Transfer Details.
        Note: The After transfer path will only be visible in the session details of the Console that initiated the transfer. Another Console monitoring the same managed nodes will not have access to the After transfer path.
        Note: Rerunning the transfer may generate a "No such file or directory" error since the source files were moved to the archive directory.
    Delete empty source subdirectories: This option becomes available if you selected Source Archiving. Select this option to delete any subdirectory that is emptied by the source archiving.
        Note: Console does not delete the top-most directory in the source path.
    Source Deletion: Check the option to delete the transferred files from the source computer.
    Exclude filter: Enter the file-name pattern Console uses to determine which files to exclude from the transfer. You can use the following two symbols in the pattern:
        * : The wildcard (*) symbol represents zero to many characters in a string. For example, the "*.tmp" pattern matches ".tmp" and "abcde.tmp".
        ? : The question mark (?) represents any one character. For example, the "t?p" pattern matches "tmp" but not "temp".
    Include filter: Enter the file-name pattern Console uses to determine which files to include in the transfer. Only files matching the filter are transferred. You can use the following two symbols in the pattern:
        * : The wildcard (*) symbol represents zero to many characters in a string. For example, the "*.tmp" pattern matches ".tmp" and "abcde.tmp".
        ? : The question mark (?) represents any one character. For example, the "t?p" pattern matches "tmp" but not "temp".

Advanced
    Initiator: Check this option to initiate transfers from the destination node (if possible). Console normally initiates transfers from the source node unless the source is an unmanaged node.
    fasp datagram size (MTU): Select the option and enter the datagram size in bytes.
    Read block size: Check the option and enter the read block size in bytes.
    Write block size: Check the option and enter the write block size in bytes.

Transfer Time
    Transfer: Specify when to submit the transfer.
        Note: You can cancel scheduled simple transfers by going to Activity > Transfers. Click the Scheduled drop-down menu and select All. In the row for the transfer, click Cancel.

Smart Transfer Options

The following tables provide information on additional configurable settings that are available when creating smart transfers.

Connection
    Fasp Port (UDP): Specify the UDP port for FASP file transfers.
    Fasp proxy: Enable transferring through a FASP proxy server, and specify the proxy host address, port, username, and password. This feature enables the source node to bypass restrictions to the destination node for this specific transfer by using a proxy.

Security
    Content protection: Check the option to enable the content protection that encrypts the files on destination, using the entered password.
    Transport encryption: Select aes-128 to transfer with this encryption method.

Transfer
    Target rate: Specify the transfer target rate.
    Minimum rate: Set the transfer minimum rate.
    Bandwidth policy: Choose a transfer policy among fixed/high/fair/low.
    Retry policy: Check the option to enable the retry policy, as well as specify the number of attempts and the duration.

Notifications
    address: To send status notifications for transfer events (start, success, or error), enter an address and click Add. When the address appears in the table, specify which template to use for each transfer event.

File Handling
    Timestamp Filtering: Select this option to exclude files modified in the designated number of seconds.
    Resume policy: Specify a resume policy and the overwrite rule when the file exists on the destination.
    File attributes: Check the option to preserve the file permissions on the destination.
    Symlinks: Specify how to deal with symbolic links: follow, copy, copy and force, or skip. Leave this option blank if the source is on Windows. For all others, leaving it blank is the same as choosing "follow".
    Source Archiving: Move source files to a designated directory after completing a transfer. The transfer's session details page will display the archive directory's filepath as the After transfer path. For more information on session details, see Transfer Details.
        Note: The After transfer path will only be visible in the session details of the Console that initiated the transfer. Another Console monitoring the same managed nodes will not have access to the After transfer path.
        Note: Rerunning the transfer may generate a "No such file or directory" error since the source files were moved to the archive directory.
    Delete empty source subdirectories: This option becomes available if you selected Source Archiving. Select this option to delete any subdirectory that is emptied by the source archiving.
        Note: Console does not delete the top-most directory in the source path.
    Source Deletion: Check the option to delete the transferred files from the source computer.
    Exclude filter: Enter the file-name pattern Console uses to determine which files to exclude from the transfer. You can use the following two symbols in the pattern:
        * : The wildcard (*) symbol represents zero to many characters in a string. For example, the "*.tmp" pattern matches ".tmp" and "abcde.tmp".
        ? : The question mark (?) represents any one character. For example, the "t?p" pattern matches "tmp" but not "temp".
    Include filter: Enter the file-name pattern Console uses to determine which files to include in the transfer. Only files matching the filter are transferred. You can use the following two symbols in the pattern:
        * : The wildcard (*) symbol represents zero to many characters in a string. For example, the "*.tmp" pattern matches ".tmp" and "abcde.tmp".
        ? : The question mark (?) represents any one character. For example, the "t?p" pattern matches "tmp" but not "temp".

Advanced
    Initiator: Check this option to initiate transfers from the destination node (if possible). Console normally initiates transfers from the source node unless the source is an unmanaged node.
    fasp datagram size (MTU): Select the option and enter the datagram size in bytes.
    Read block size: Check the option and enter the read block size in bytes.
    Write block size: Check the option and enter the write block size in bytes.

Scheduling
    Start: Click the calendar icon to select a date and time that serves as the starting basis for your recurring smart transfers. Based on the "Start" entry, Console will calculate the run time for the next occurrence (that matches the repeat rules). For example, if your start date is Friday, April 8, but your transfer is scheduled to run on Saturdays, then the first transfer will occur on Saturday, April 9.
    Repeat every: Select the number of minutes, hours, days, weeks, or months to repeat this transfer. When weeks is selected, you can enable the requisite days of the week. When months is selected, you can specify whether to perform the transfer on a specific day of the month or on the "nth day" of the month (for example, 1st Sunday).
    Until: Click the calendar icon to select a "do not go beyond" date and time. Your smart transfer will not repeat beyond this entry.
    Time zone: Select your timezone from the drop-down list.

Important: When you have more than one destination, you can override the default smart transfer settings (with the exception of scheduling) shown in the More Options panel for each individual destination.

Watchfolder Options

The following tables provide information on additional configurable settings that are available when creating watchfolders.

Watchfolder Settings

Note: A watchfolder groups new or updated files it detects in its source folder into "drops". A drop is defined by the duration set by the snapshot creation period. All files in a given drop are transferred in the same transfer session, post-processed together, and reported as a unit.

    Drop detection strategy: The strategy this watchfolder uses to detect files dropped into the source folder.
        Cool off only: Create a drop that includes new files added within the duration set by the snapshot creation period.
        Top level files: Create a drop for each file placed in the top level of the source folder.
        Top level directories: Create a drop for each directory placed in the top level of the source folder. This drop also includes the sub-directories and files in the top level directory.
    Drop detection cool off: The duration allowed for new files to be included in a drop. Aspera recommends choosing a multiple of the specified snapshot_creation_period for predictable results.
    Snapshot creation period: The duration used to determine what files are included in the current drop.
    Connect timeout: The duration the source node waits to connect to the destination node.
    Sample period: How often the system estimates the available bandwidth.
    Queue threshold: The duration watchfolder adds files to a session. Use this feature to limit the number of files transferred based on the computed available bandwidth.
    Retry duration: The duration in which the source node tries to establish a connection with the destination node.
    Wait between retries: The duration the source node waits in between retries.
    File detection cool off: The duration in which placing a new file in the source folder does not trigger a new drop.
        Note: This setting does not apply to the Cool off only detection strategy.
    File filters: Click the button to add a new filter to identify file lists. You can set a filter to include or exclude files by globbing or by regular expression.

Transfer
    Target rate: The transfer target rate.
    Minimum rate: The transfer minimum rate.
    Bandwidth policy: Choose a transfer policy among fixed/high/fair/low.
    Transport Encryption: Select aes-128 to transfer with this encryption method.
    Retry policy: The number of attempts and the duration between each retry.

Security
    Content Protection: Select Encrypt transferred files with a password to enable content encryption. Enter and confirm the password the recipient must use to decrypt the transferred files.

        Note: When editing a watchfolder with content protection enabled, you must re-enter the content protection password. A password must be provided in order to save changes to the watchfolder.

File Handling
    Resume policy: Specify a resume policy and the overwrite rule when the file exists on the destination.
    File attributes: Preserve file UIDs, GIDs, or timestamps.
    Source Archiving: The designated directory source files are moved to after completing a transfer. The transfer's session details page displays the archive directory's filepath as the After transfer path.
        Note: The After transfer path will only be visible in the session details of the Console that initiated the transfer. Another Console monitoring the same managed nodes will not have access to the After transfer path.
        Note: Re-running the transfer may generate a "No such file or directory" error since the source files were moved to the archive directory.
        You can use archive directory variables in the filepath to define specific archive paths for each drop. Hover over the Archive directory variables link for a list of available variables.
    Source deletion: Delete the transferred files from the source computer after transfer.

Growing Files
    Maximum parallel transfers: The maximum number of concurrent transfers of growing files watchfolder can initiate.
    Target rate: The target transfer rate.
    Bandwidth policy: The bandwidth policy.
    Transport encryption: Select aes-128 to transfer with this encryption method.
    TCP port: The TCP port to use for this watchfolder.
    fasp port (UDP): The UDP port to use for this watchfolder.
    Completion timeout: The amount of time to wait for the file to no longer change for the session to finish.
    Memory: The maximum amount of memory that the faspstream binary is allowed to use.
    Chunk size: The size of data to pack before sending over the network.
    Growing file filters: Click the button to add a new filter to identify growing files. You can set a filter to include or exclude files by globbing or by regular expression.

Packages / Drops
    Package timeout: A package in watchfolder defines a set of files with dependencies. The package timeout defines the time in which watchfolder waits for required files. If the required files do not appear within the duration, files with dependencies are marked as not transferred because of unsatisfied dependencies.
    Final transfer: Defines which file has to be transferred last.
        Last file in list: The last file in the package list is transferred last.
        File list: The files are transferred without any specific order.
    File list filters: Click the button to add a new filter to identify file lists. You can set a filter to include or exclude files by globbing or by regular expression.

Specify Base for Source Path

When selecting the source for a simple or smart transfer, you have the option to select Specify base for source path(s) to specify a portion of the source path to remove, so that the transferred files are placed directly into the destination folder without that part of the directory hierarchy.

For example, a source computer has a shared_files/project directory containing the following folders and files:

    /shared_files/project/presentation
    /shared_files/project/video_footage/take1
    /shared_files/project/video_footage/take2
    /shared_files/project/video_footage/take3

If you select the shared_files/project directory as the source, by default, the transfer includes the shared_files directory and the entirety of its contents, including its hierarchy of directories. If the destination directory is specified as /incoming, your transferred files appear as follows on the destination computer:

    docroot/incoming/shared_files/project/presentation
    docroot/incoming/shared_files/project/video_footage/take1
    docroot/incoming/shared_files/project/video_footage/take2
    docroot/incoming/shared_files/project/video_footage/take3

By selecting Specify base for source path(s), the project folder can be excluded. Entering "/shared_files/project" in the field removes that part of the source path. Only the presentation and video_footage directories are transferred. The transferred files appear as follows on the destination computer:

    docroot/incoming/presentation
    docroot/incoming/video_footage/take1
    docroot/incoming/video_footage/take2
    docroot/incoming/video_footage/take3

If any files or folders selected for transfer fall outside the specified base path, they are omitted from the transfer. For example, if the specified path is /shared_files/project/video_footage, then presentation is not transferred at all because it is not in video_footage. Only take1, take2, and take3 are transferred. The transferred files appear as follows on the destination computer:

    docroot/incoming/take1
    docroot/incoming/take2
    docroot/incoming/take3

Tip: Specify base for source path(s) can also be used to include more path depth than the default. If the source-base path is specified as /shared_files, then project and all files and folders in its folder hierarchy are included. Similarly, if the source-base path is specified as /, the entire source path and all files and folders in its folder hierarchy are transferred.
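The path mapping described in this section can be previewed before a transfer is submitted, which is useful when Source Deletion or Source Archiving is also enabled and an omitted file would otherwise go unnoticed. The following is an added example, not code from Console or from IBM's documentation; the function names are hypothetical, `docroot` is the same placeholder the section uses, and matching the base on whole path components is an assumption.

```python
"""Preview where files land when "Specify base for source path(s)" is set."""
from posixpath import normpath

# Constructed sample input: the four source paths used in the section above.
SAMPLE_SOURCES = [
    "/shared_files/project/presentation",
    "/shared_files/project/video_footage/take1",
    "/shared_files/project/video_footage/take2",
    "/shared_files/project/video_footage/take3",
]


def components(path):
    """Normalise an absolute POSIX path and return its components as a list."""
    if not path.startswith("/"):
        raise ValueError(f"expected an absolute path, got {path!r}")
    return [part for part in normpath(path).split("/") if part]


def plan_destination(source_paths, destination, source_base=None):
    """Return (placed, omitted) for a transfer into `destination`.

    placed  maps each source path to its path under the docroot.
    omitted lists the source paths that fall outside `source_base` and are
            therefore left out of the transfer.

    With no base, the full source path is kept under the destination, which
    is the default behaviour the section describes (same result as base "/").
    Assumption: the base must match whole path components, so a base of
    /shared_files/proj does not match /shared_files/project.
    """
    base = components(source_base) if source_base else []
    dest = components(destination)
    placed, omitted = {}, []
    for src in source_paths:
        parts = components(src)
        if parts[:len(base)] != base:
            omitted.append(src)          # outside the base: not transferred
            continue
        remainder = parts[len(base):]    # what is left after the base is removed
        placed[src] = "/".join(["docroot"] + dest + remainder)
    return placed, omitted


if __name__ == "__main__":
    for base in (None, "/shared_files/project",
                 "/shared_files/project/video_footage", "/shared_files"):
        placed, omitted = plan_destination(SAMPLE_SOURCES, "/incoming", base)
        print(f"base = {base}")
        for src, dst in placed.items():
            print(f"  {src} -> {dst}")
        for src in omitted:
            print(f"  {src} -> omitted (outside base)")
```
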

Report References

Reference: Basic Report Organization Options

    Client Address: Organize / summarize report by Client IP Address (client = initiator of the transfer).
    Contact: Organize by the 'Contact' shown for a transfer. This might be a Console user name, a Faspex Server user name, SSH account, or customized value obtained from a transfer cookie. Examples: "admin (console)", "aspera (ssh)", "aspera (faspex)".
    File: Display a detail row for every file in every transfer.
    File Extension: Organize / summarize report by file extension.
    Server Address: Organize / summarize report by Server IP Address.
    Session: Display a row for every transfer session. A transfer session represents one attempt to transfer.
    Transfer: Display a row for every transfer. A transfer may have multiple sessions if it took multiple attempts to finish.

Reference: Built-In Fields for Custom Field Rules

Built-In Fields Available for Creating Custom Field Rules (for Transfer-Level Fields)

    Client Address: IP address of transfer initiator.
    Client User: Client-side username. Null for all transfers, except for transfers initiated by the Console.
    Contact: Contact assigned by Console. This can be a Console user name, a Faspex Server user name, SSH account, or customized value obtained from a transfer cookie. Examples: "admin console", "aspera ssh", "aspera faspex".
    Cookie: Custom identifying text attached to a transfer session. This text is used by the Console to identify and name transfers.
    Destination Address: IP address of transfer destination (use for general purpose).
    Destination Path: The file path on the destination machine.
    Destination User: If upload, dest_user is the server user. If download, dest_user is client user (NULL, unless initiated from Console). For everyday purposes, recommend using contact field instead.
    Direction: The direction of the transfer from the perspective of the client. "Upload" if the transfer is a push; "Download" if the transfer is a pull.
    Meta-tags: JSON hash used to tag transfers with additional data.
    Faspex Metadata: Information provided by Faspex, encoded in the transfer cookie. See Basic Report Example: Faspex Metadata.
    Server Address: IP address of the server.
    Server User: SSH account specified when the transfer starts (should always be displayed).
    Source Address: IP address of transfer source.
    Source Paths: File paths on the source machine.
    Source User: If upload, source_user is the client user. If download, source_user is server user.
    Started Via: The name of the application (Aspera or custom) that is responsible for initiating the transfer (for example, aspera.scp, aspera.sync, etc.).
    Token: Security token used for the transfer (note that this depends on whether or not the application that started the transfer is configured to use tokens).
    Transfer Name: Human-readable name assigned to a transfer. This name may have been keyed in by the user or automatically set by an application.

Built-In Fields Available for Creating Custom Field Rules (for File-Level Fields)

Note: Setting up file-level custom fields is NOT recommended for customers that transfer many small files, as this will result in scaling issues.

    File Bytes Transferred: Total bytes successfully received over the network.
    File Error Desc: Error message for the file, if any.
    File Extension: Portion of the filename after the last period (.)
    File Full Destination Path: File's full path from the destination's point-of-view.
    File Full Source Path: File's full path from the source's point-of-view.
    File Name: Name of the file, without its path (for example, "my_file.txt" rather than "C:\temp\my_file.txt").
    File Size: Size of the file in bytes.
    File Status: Status of transfer or file (for example, "running," "completed," "canceled" or "error").

Reference: Reporting Filters

IBM Aspera Application Platform / Server On Demand (APOD / SOD) provides built-in filters that allow you to specify conditions for limiting the data included in your report.

Column Heading
    Filter By: Select from a list of parameter names.
    NOT: Appears as a checkbox, where unchecked represents "is" and checked represents "is not" (for example, file extension is not equal to tmp).
    Comparison: Select from a list of operators (for example,, equal to, greater than, etc.).
    Value: Input a parameter value to complete the filter expression.

Important: Once you have added a filter, you may remove it by clicking the Remove hyperlink.

The following filter parameters are available within the Filter By drop-down list:

    {Custom Field Names}: Displays custom fields that you have configured for the SQL database.
    File Bytes Transferred: File bytes successfully received over the network by the destination.
    File Bytes Written: File bytes successfully received over the network by the destination, plus bytes skipped for data already present at the destination.
    File Error: File's error message, if any.
    File Extension: Portion of the filename after the last period (.)
    File Fullpath: File's directory tree hierarchy.
    File Name: Name of the file, without its path (for example, "my_file.txt," rather than "C:\temp\my_file.txt").
    File Session Status: Status of file session (for example, "running," "completed," "canceled" or "error"), where a file session is one file in a transfer session. A file record may group together more than one file session record if, during a transfer session, one of the files fails or is interrupted. In the next transfer session (when the transfer is retried or a hot folder handles the next batch of files to arrive), then that particular file may be retried. This will result in another file session record being created.
    File Size: Size of the file in bytes.
    File Status: The file status will be the status of the last/most recent file session for the file (for example, "running," "completed," "canceled" or "error").
    SSH Account: SSH account specified when the transfer starts.
    Transfer Average Rate: Average transfer rate in bits per second.
    Transfer Bytes Lost: Number of bytes sent by source for a particular file, but never received by destination, or never written to disk.
    Transfer Bytes Transferred: Total bytes successfully received over the network by the destination.
    Transfer Bytes Written: Total bytes successfully received over the network by the destination, plus bytes skipped for data already present at the destination.
    Transfer Client Address: IP address of transfer initiator.
    Transfer Contact: Contact assigned by Console. This can be a Console user name, a Faspex user name, SSH account, or customized value obtained from a transfer cookie. Examples: "admin (console)", "aspera (ssh)", "michael (faspex)".
    Transfer Cookie: Custom identifying text attached to a transfer session. This text is used by the Console to identify and name transfers.
    Transfer Destination Address: IP address of transfer destination.
    Transfer Destination Path: The file path on the destination machine.
    Transfer Error: Error message for transfer or file, if any.
    Transfer Files Completed: Number of files successfully verified at destination (i.e., the number of files actually transferred plus the number of files that were already at destination).
    Transfer Files Failed: Number of files that failed to transfer.
    Transfer Name: Human-readable name assigned to a transfer. This name may have been keyed in by the user or automatically set by an application.
    Transfer Server Address: IP address of transfer server.
    Transfer Session Status: Indicates status of transfer session (for example, "running," "completed," "canceled" or "error"), where the transfer session represents one execution of ascp (i.e., one attempt to transfer).
        Note: When a transfer session is interrupted or fails and is configured to retry, a second transfer session will begin after the configured retry interval has elapsed.
    Transfer Source Address: IP address of transfer source.
    Transfer Source Paths: File paths on the source machine.
    Transfer Status: A transfer will group together transfer sessions into a single item. The transfer status will be the status of the last/most recent transfer session for the transfer (for example, "running," "completed," "canceled" or "error").

Reference: SQL Variables for Advanced Reports

When creating your advanced report, you may utilize the SQL variables listed below.
These variables also appear within Console's built-in SQL script text help.

$TBL_FILES
    Files table. One record in this table represents one file. At run time, this variable gets replaced with the SQL name of the table containing the file data (currently 'rpt_transfer_files').
    Please note the following distinction:
    - A FILE record can have multiple associated TRANSFER SESSION FILE records (if a file took more than one attempt to transfer).
    - A FILE record has one and only one associated TRANSFER record ($TBL_TRANSFER_FILES.transfer_id = $TBL_TRANSFERS.id).

$TBL_TRANSFER_SESSIONS
    Transfer sessions table. One record in this table represents one attempt to transfer data. If you start a transfer and it fails, then automatically retries and succeeds, there will be two records in this table, one for the initial attempt and one for the automatic retry. For hot folder transfers, each session represents one attempt to transfer a batch of files that are currently available. If new files become available while the first batch is in progress, these may be transferred in a subsequent session, resulting in an additional record in this table. At run time, this variable gets replaced with the SQL name of the table containing the transfer session data (currently 'rpt_transfer_sessions').
    Please note the following distinction:
    - A TRANSFER SESSION record can have multiple TRANSFER SESSION FILE records (if the session attempted to transfer more than one file).
    - A TRANSFER SESSION record has one and only one associated TRANSFER record ($TBL_TRANSFER_SESSIONS.transfer_id = $TBL_TRANSFERS.id).

$TBL_TRANSFER_SESSION_FILES
    Files within a transfer session. One record in this table represents one attempt to transfer a file. At run time, this variable gets replaced with the SQL name of the table containing the file session data (currently 'rpt_transfer_session_files').
    Please note the following distinction:
    - A TRANSFER SESSION FILE record has one and only one associated FILE record ($TBL_TRANSFER_SESSION_FILES.transfer_file_id = $TBL_FILES.id).
    - A TRANSFER SESSION FILE record has one and only one associated TRANSFER SESSION record ($TBL_TRANSFER_SESSION_FILES.transfer_session_id = $TBL_TRANSFER_SESSIONS.id).

$TBL_NODES
    A table containing one record for each node, whether managed or unmanaged. At run time, this variable gets replaced with the SQL name of the table containing the node data (currently 'rpt_transfer_nodes').

$TBL_TRANSFERS
    A TRANSFER groups together TRANSFER SESSIONS to tie together retry attempts and hot folder file batches. Related TRANSFER SESSIONS are grouped together so that no matter how many times the session was interrupted and retried, only a single record will be present in this table. At run time, this variable gets replaced with the SQL name of the table containing the transfer data (currently 'rpt_transfers').
    Please note the following distinction:
    - A TRANSFER record can have multiple TRANSFER SESSION records (if multiple attempts or batches were required to transfer all the data).
    - A TRANSFER record can have multiple FILE records (if the transfer consisted of more than one file).

$FINAL_RESULT_TABLE
    This is the table where you place your final results. The data displayed on reports comes directly from this table. At run time, this variable gets replaced with a name based on an auto-generated numeric id (for example, 'report_100_results').

$TMP_TABLENAME
    If you need any temporary tables for intermediate record processing, give them names starting with "$TMP_" (for example, $TMP_UNIQUE_IP_ADDRESSES). At run time, these variables get replaced with a name based on an auto-generated numeric id (for example, 'report_100_temp_unique_ip_addresses').

$USER_ID
    This is the login ID of the user requesting the report. At run time, this variable gets replaced with the numeric id of the user requesting the report.

$REPORT_PERIOD_START
    Report period start. The user running this report will be prompted for a value at request time. (Value is converted to UTC before substitution.)

$REPORT_PERIOD_END
    Report period end. The user running this report will be prompted for a value at request time. (Value is converted to UTC before substitution.)

$ANYTHING_ELSE
    Any $NAME that does not match one of the variables is presumed to be a custom variable whose value will be provided by the report requester. See Editing Custom Variables for instructions on how to create and configure a custom variable.

Reference: Database Fields for Advanced Reports

When creating your advanced report, you may utilize the database fields listed below. These fields (and corresponding descriptions) also appear within Console's built-in SQL script text help.

Note: The term "client" refers to the machine initiating a transfer request. The term "server" refers to the machine receiving the request. These terms do not describe the direction of the file transfer. As long as a machine is the transfer initiator, it does not matter whether the machine is sending a file or receiving a file.

Database Field (Table)

args_attempted (table: $TBL_TRANSFER_SESSIONS)
    Number of items specifically selected by the user (either in GUI or command line).
args_completed (table: $TBL_TRANSFER_SESSIONS)
    Out of the number of arguments attempted, the number completed successfully.
aspera_version (table: $TBL_NODES)
    Aspera product version for the node machine.
avg_loss_pct (table: $TBL_TRANSFER_SESSIONS)
    Average packet loss over the network, which is calculated as a percentage.
avg_rate (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    Average transfer rate in bits per second.
bytes_config (tables: $TBL_TRANSFER_SESSION_FILES, $TBL_FILES)
    The number of contiguous bytes that have been transferred to the destination.
bytes_lost (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS, $TBL_TRANSFER_SESSION_FILES, $TBL_FILES)
    Number of bytes sent by source for a particular file, but never received by destination, or never written to disk.
bytes_pretransfer (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    If the server is configured to do so, calculates size of the transfer before the transfer starts. On the server, this corresponds to the "pre-calculate job size" setting.
bytes_remaining (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    Total bytes waiting to be sent over the network to the destination.

bytes_transferred (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS, $TBL_TRANSFER_SESSION_FILES, $TBL_FILES)
    Total bytes successfully received over the network by the destination.
bytes_written (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS, $TBL_TRANSFER_SESSION_FILES, $TBL_FILES)
    Total bytes successfully received over the network by the destination, plus bytes skipped for data already present at the destination.
cipher (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    Encryption algorithm.
client_console_ip (table: $TBL_TRANSFER_SESSIONS)
    The client's IP address from the perspective of the Aspera Console application (advanced / debugging field).
client_err_code (tables: $TBL_TRANSFER_SESSION_FILES, $TBL_TRANSFER_SESSIONS)
    Error code reported by the client.
client_err_desc (tables: $TBL_TRANSFER_SESSION_FILES, $TBL_TRANSFER_SESSIONS)
    Error code description reported by the client.
client_external_fasp_port (table: $TBL_TRANSFER_SESSIONS)
    The client's UDP port from the perspective of the server (advanced / debugging field).
client_external_ip (table: $TBL_TRANSFER_SESSIONS)
    The client's IP address from the perspective of the server (advanced / debugging field).
    Note: If the client is a managed node and the server is not, then this field is null.
client_file_basename (tables: $TBL_TRANSFER_SESSION_FILES, $TBL_FILES)
    File's basename from client's point-of-view.
client_file_extension (tables: $TBL_TRANSFER_SESSION_FILES, $TBL_FILES)
    File's extension from client's point-of-view.
client_file_fullpath (tables: $TBL_TRANSFER_SESSION_FILES, $TBL_FILES)
    File's full path from the client's point-of-view.
client_file_index (table: $TBL_TRANSFER_SESSION_FILES)
    Arbitrary, unique number assigned to each file within a transfer session (on the client).
client_ip (table: $TBL_TRANSFER_SESSIONS)
    IP address of the transfer initiator (use for general purpose).
client_node_id (table: $TBL_TRANSFER_SESSIONS)
    ID number assigned to the client node.
client_node_uuid (table: $TBL_TRANSFER_SESSIONS)
    Universally unique ID number assigned to the client node.
client_status (tables: $TBL_TRANSFER_SESSION_FILES, $TBL_TRANSFER_SESSIONS)
    Either the file status (running, completed, error) or the session status reported by the client.
    Note: In some cases, client and server can see different statuses (for example, canceled versus error).
client_user (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    Client-side username. Null for all transfers, except for transfers initiated by the Console.
contact (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    Contact assigned by Console. This can be a Console user name, a Faspex user name, SSH account, or customized value obtained from a transfer cookie. Examples: "admin (console)", "aspera (ssh)", "michael (faspex)"
cookie (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    Custom identifying text attached to a transfer session. This text is used by the Console to identify and name transfers.
dest_endpoint_id (table: $TBL_TRANSFER_SESSIONS)
    ID number assigned to the destination endpoint.
dest_file_basename (table: $TBL_FILES)
    File's basename from destination's point-of-view.
dest_file_extension (table: $TBL_FILES)
    File's extension from destination's point-of-view.
dest_file_fullpath (table: $TBL_FILES)
    File's full path from the destination's point-of-view.
dest_ip (table: $TBL_TRANSFER_SESSIONS)
    IP address of transfer destination (use for general purpose).
dest_node_id (table: $TBL_TRANSFER_SESSIONS)
    ID number assigned to the destination node.
dest_path (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    The file path on the destination machine.
dest_user (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    If upload, dest_user is the server user. If download, dest_user is client user (NULL, unless initiated from Console). For everyday purposes, recommend using contact field instead.
dirs_pretransfer (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    If the server is configured to do so, calculates number of directories to be transferred. Only calculated if "pre-calculate job size" setting is turned on.
dirscans_completed (table: $TBL_TRANSFER_SESSIONS)
    Number of directory scans completed.
err_desc (tables: $TBL_TRANSFER_SESSION_FILES, $TBL_TRANSFER_SESSIONS)
    Error message for transfer or file, if any.
fallback_protocol (table: $TBL_TRANSFER_SESSIONS)
    If the transfer has been configured to retry using the HTTP fallback
    protocol, then this field will report "http." If not, will be NULL.
file_basename (tables: $TBL_TRANSFER_SESSION_FILES, $TBL_FILES)
    Name of the file, without its path (for example, "my_file.txt," rather than "C:\temp\my_file.txt")
file_extension (tables: $TBL_TRANSFER_SESSION_FILES, $TBL_FILES)
    Portion of the filename after the last period (.)
file_fullpath (tables: $TBL_TRANSFER_SESSION_FILES, $TBL_FILES)
    Full path to the file.
files_attempted (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    Number of files attempted to be sent over the network.
files_complete (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    Number of files successfully verified at destination, that is, the number of files actually transferred + number of files that were already at destination.
files_failed (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    Number of files that failed to transfer.
files_pretransfer (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    If the server is configured to do so, calculates number of files to be transferred. Only calculated if "pre-calculate job size" setting is turned on.
files_skipped (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    Number of files skipped.
filescans_completed (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    The number of file scans completed.
hostname (table: $TBL_NODES)
    The local name of the node machine (which is only filled in for managed nodes). Note that a node machine will be called "localhost" if it hasn't been previously named.
id (tables: $TBL_NODES, $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS, $TBL_TRANSFER_SESSION_FILES, $TBL_FILES)
    Unique integer ID assigned by the Console (used as an internal field).
initiated_by_source (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS, $TBL_TRANSFER_SESSION_FILES, $TBL_FILES)
    Identifies an "upload." If this field is equal to 1, then whoever started the transfer is uploading.
last_client_ip (table: $TBL_TRANSFERS)
    The client's IP address from the last session of a multiple session transfer.
last_client_node_id (table: $TBL_TRANSFERS)
    ID number assigned to the client node during the last session of a multiple session transfer.

last_dest_ip (table: $TBL_TRANSFERS)
    The destination's IP address from the last session of a multiple session transfer.
last_dest_node_id (table: $TBL_TRANSFERS)
    ID number assigned to the destination node during the last session of a multiple session transfer.
last_err_desc (tables: $TBL_TRANSFERS, $TBL_FILES)
    Error description from the last session of a multiple session transfer.
last_network_delay (table: $TBL_TRANSFERS)
    The lag on the network (RTT, measured in milliseconds) from the last session of a multiple session transfer.
last_restarted_at (table: $TBL_NODES)
    The last date/time that the node machine was restarted (for managed nodes only).
last_retry_timeout (table: $TBL_TRANSFERS)
    The number of seconds that the server waited to try again (after a failure), during the last session of a multiple session transfer.
last_server_ip (table: $TBL_TRANSFERS)
    The server's IP address from the last session of a multiple session transfer.
last_server_node_id (table: $TBL_TRANSFERS)
    ID number assigned to the server node during the last session of a multiple session transfer.
last_source_ip (table: $TBL_TRANSFERS)
    The source's IP address from the last session of a multiple session transfer.
last_source_node_id (table: $TBL_TRANSFERS)
    ID number assigned to the source node during the last session of a multiple session transfer.
last_transfer_session_file_id (table: $TBL_FILES)
    ID number assigned to the file during the last transfer session.
last_transport (table: $TBL_TRANSFERS)
    Transport mechanism ("fasp2" for Aspera protocol, "http" for fallback protocol) from the last session of a multiple session transfer.
max_rate (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    Maximum transfer rate.
min_rate (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    Minimum transfer rate.
mkdirs_attempted (table: $TBL_TRANSFER_SESSIONS)
    Number of directories that were attempted to be created at the destination.
mkdirs_failed (table: $TBL_TRANSFER_SESSIONS)
    Number of directories that failed to be created at the destination.

mkdirs_passed (table: $TBL_TRANSFER_SESSIONS)
    Number of directories that were created successfully at the destination.
name (tables: $TBL_NODES, $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    Human-readable name assigned to a transfer. This name may have been keyed in by the user or automatically set by an application.
network_delay (table: $TBL_TRANSFER_SESSIONS)
    Lag on the network (RTT), which is measured in milliseconds.
operation (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    Either upload or download from the perspective of the client (the initiator). Upload if pushing; download if pulling.
os (table: $TBL_NODES)
    The node machine's Operating System.
os_version (table: $TBL_NODES)
    The version of the node machine's Operating System.
paths_attempted (table: $TBL_TRANSFER_SESSIONS)
    The total number of files and directories attempted.
paths_excluded (table: $TBL_TRANSFER_SESSIONS)
    The number of files and directories that were not transferred because of exclusion rules.
paths_failed
    The number of files and directories that failed to transfer. A failure is counted if the sender was unable to read a source file or the destination was unable to write the file.
paths_irreg (table: $TBL_TRANSFER_SESSIONS)
    This is the total number of special files (for example, nodes, pipes, memory mapped files, page files or /proc files). These files are never transferred.
pct_complete (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    Percent (%) of transfer that has been completed. NULL if the server is not configured to pre-calculate job size.
pretransfer_stats_changed (table: $TBL_TRANSFERS)
    Between one attempt to the next (retries and sync), whether or not the size of the transfer has changed (grew or reduced in size).
primary_address (table: $TBL_NODES)
    The node's actual IP address (which has been keyed into the Console interface).
priority (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    Normal or high (only valid when the policy is adaptive).
reported_by_both_sides (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    Database logger added information to the Console from both ends of the transfer (both source and destination
    are managed nodes and both are sending data back to the database).
reported_by_server (tables: $TBL_TRANSFER_SESSION_FILES, $TBL_FILES)
    If this field is equal to 1, then Console received data from the server node. If this field is equal to 0, then the server was not a managed node or failed to log.
reported_policy (table: $TBL_TRANSFER_SESSIONS)
    High, fixed, adaptive or trickle.
reported_priority (table: $TBL_TRANSFER_SESSIONS)
    Normal or high (only valid when the policy is adaptive).
retry_timeout (table: $TBL_TRANSFER_SESSIONS)
    After a transfer fails, the number of seconds the server will wait before trying again.
seconds_remaining (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    Seconds remaining for the file transfer.
server_console_ip (table: $TBL_TRANSFER_SESSIONS)
    Internal IP address of the server (inputted into the nodes page inside Console). Note that this field is primarily used for testing.
server_err_code (tables: $TBL_TRANSFER_SESSION_FILES, $TBL_TRANSFER_SESSIONS)
    Error code reported by the server.
server_err_desc (tables: $TBL_TRANSFER_SESSION_FILES, $TBL_TRANSFER_SESSIONS)
    Error code description reported by the server.
server_external_fasp_port (table: $TBL_TRANSFER_SESSIONS)
    External fasp (UDP) port of the server. Note that this field is primarily used for testing.
server_external_ip
    External IP address of the server. Note that this field is primarily used for testing.
server_file_basename (tables: $TBL_TRANSFER_SESSION_FILES, $TBL_FILES)
    File's basename from server's point-of-view.
server_file_extension (tables: $TBL_TRANSFER_SESSION_FILES, $TBL_FILES)
    File's extension from server's point-of-view.
server_file_fullpath (tables: $TBL_TRANSFER_SESSION_FILES, $TBL_FILES)
    File's full path from the server's point-of-view.
server_file_index (table: $TBL_TRANSFER_SESSION_FILES)
    Arbitrary, unique number assigned to each file within a transfer session (on the server).
server_ip (table: $TBL_TRANSFER_SESSIONS)
    IP address of transfer server.
server_node_id (table: $TBL_TRANSFER_SESSIONS)
    ID assigned to the server node.
server_node_uuid (table: $TBL_TRANSFER_SESSIONS)
    Universally unique ID assigned to the server node.
server_status (tables: $TBL_TRANSFER_SESSION_FILES, $TBL_TRANSFER_SESSIONS)
    Either the file status (running, completed, error) or the session status
    reported by the server. Note that in some cases, client and server can see different statuses (for example, canceled versus error).
server_user (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    SSH account specified when the transfer starts (should always be displayed).
session_count (table: $TBL_TRANSFERS)
    Number of sessions required for the transfer.
    Note: Hot folders can span many sessions.
session_file_count (table: $TBL_FILES)
    Number of sessions required to send a particular file.
session_id (tables: $TBL_TRANSFER_SESSION_FILES, $TBL_TRANSFER_SESSIONS)
    ID assigned to transfer session.
size (tables: $TBL_TRANSFER_SESSION_FILES, $TBL_FILES)
    Size of the file in bytes.
size_changed (table: $TBL_FILES)
    The change in file size from one transfer attempt to another.
soap_active_sessions (table: $TBL_NODES)
    Number of transfer sessions running on the node.
source_endpoint_id (table: $TBL_TRANSFER_SESSIONS)
    ID assigned to the source endpoint.
source_file_basename (table: $TBL_FILES)
    File's basename from source's point-of-view.
source_file_extension (table: $TBL_FILES)
    File's extension from source's point-of-view.
source_file_fullpath (table: $TBL_FILES)
    File's full path from the source's point-of-view.
source_ip (table: $TBL_TRANSFER_SESSIONS)
    IP address of transfer source.
source_node_id (table: $TBL_TRANSFER_SESSIONS)
    ID assigned to the source node.
source_paths (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    File paths on the source machine.
source_paths_changed (table: $TBL_TRANSFERS)
    Between one transfer attempt to the next, whether or not the file source paths have changed.
source_user (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    If upload, source_user is the client user. If download, source_user is server user.
ssh_port (table: $TBL_NODES)
    Node machine's SSH port.
ssh_tunnel_port (table: $TBL_NODES)
    Node machine's SSH tunnel port.
start_byte (tables: $TBL_TRANSFER_SESSION_FILES, $TBL_FILES)
    Displays the point at which data from the file started transferring to the destination (relevant if some of the file
    has already been transferred). If the file has already been transferred to the destination, then the start byte equals the total file size.
started_at (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS, $TBL_TRANSFER_SESSION_FILES, $TBL_FILES)
    Date and time that a transfer or file started.
started_via (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    The name of the application (Aspera or custom) that is responsible for initiating the transfer (for example, aspera.scp, aspera.sync, etc.).
status (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS, $TBL_TRANSFER_SESSION_FILES, $TBL_FILES)
    Status of transfer or file (for example, "running," "completed," "canceled" or "error").
stopped_at (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS, $TBL_TRANSFER_SESSION_FILES, $TBL_FILES)
    Date and time that a transfer or file stopped (value is blank if transfer or file is still active).
target_rate (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    Target transfer rate.
tmp_actual_rate (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    Reserved for future use.
tmp_actual_rate_calculated_at (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    Reserved for future use.
tmp_loss_pct (table: $TBL_TRANSFER_SESSIONS)
    Reserved for future use.
token (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    Security token used for the transfer (note that this depends on whether or not the application that started the transfer is configured to use tokens).
transfer_file_id (table: $TBL_TRANSFER_SESSION_FILES)
    Corresponds to the file ID field.
transfer_id (tables: $TBL_TRANSFER_SESSIONS, $TBL_FILES)
    Corresponds to ID field.
transfer_session_id (table: $TBL_TRANSFER_SESSION_FILES)
    Corresponds to transfer session ID field.
transfer_uuid (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS)
    Universally unique ID that is used to identify the transfer as a whole. May contain multiple sessions and is generated by application that started the transfer. Generally only populated by transfers started by Console.
transport (table: $TBL_TRANSFER_SESSIONS)
    "fasp2" for Aspera protocol, "http" for fallback protocol.
type (table: $TBL_NODES)
    Managed or unmanaged node.

udp_port (table: $TBL_NODES)
    Node machine's UDP port.
use_ssh_tunnel (table: $TBL_NODES)
    Set up an SSH tunnel for database logging (for managed nodes only).
usecs (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS, $TBL_TRANSFER_SESSION_FILES, $TBL_FILES)
    Length of the transfer session (in milliseconds). Not authoritative (use only for transfer sessions and transfers).
uuid (table: $TBL_NODES)
    Universally unique identifier that is generated on the node when installing Aspera software (for managed nodes only).

Important: If you have configured custom fields, they will be prefixed with "cf_". Custom fields are utilized in the $TBL_FILES and $TBL_TRANSFER tables. Please note that if you would like to add additional custom fields, you may do so via Configuration > Custom Fields. For instructions on setting up a custom field, see Creating Custom Fields.

Advanced Report Usage Notes

Advanced Report Usage Notes: Avoid Duplicating Identical Records

Console's security filtering prioritizes speed over the cost of potentially returning duplicate records. It is up to the report writer to remove duplicate records returned when querying report tables directly. For example, a user unaware of Console internals might expect the following to always return no more than a single record:

    SELECT ts.*
    FROM $TBL_TRANSFER_SESSIONS ts
    WHERE ts.session_id='ed0a9b4039bb40dfa86690ff7e1f6fa2'
    ;

However, depending on the user's group memberships and permissions, the above could return multiple identical records. To correct this, use SELECT DISTINCT. For example:

    SELECT DISTINCT ts.*
    FROM $TBL_TRANSFER_SESSIONS ts
    WHERE ts.session_id='ed0a9b4039bb40dfa86690ff7e1f6fa2'
    ;

Be aware that this means you cannot directly perform aggregate computations--such as SUM, AVERAGE, or COUNT--on the reporting tables.
For example, in the following, total_bytes_transferred could count some sessions multiple times:

    SELECT DISTINCT
        ts.contact,
        SUM(ts.bytes_transferred) AS total_bytes_transferred
    FROM $TBL_TRANSFER_SESSIONS ts
    WHERE ...
    ;

Instead, first extract just the data of interest to a temporary table, then summarize from there:

    # Create holding table for filtered raw data
    CREATE TABLE $TMP_FILTERED_TRANSFER_SESSIONS (
        `id` INT(11) NOT NULL AUTO_INCREMENT PRIMARY KEY,
        `contact` VARCHAR(255),
        `bytes_transferred` BIGINT(20)
    );

    # Extract relevant data (very important to include ts.id)
    INSERT INTO $TMP_FILTERED_TRANSFER_SESSIONS
    SELECT DISTINCT
        ts.id,
        ts.contact,
        ts.bytes_transferred
    FROM $TBL_TRANSFER_SESSIONS ts
    WHERE ts.started_at < '$REPORT_PERIOD_END'
      AND ( ts.stopped_at >= '$REPORT_PERIOD_START' OR ts.stopped_at IS NULL );

    # Summarize by contact
    CREATE TABLE $FINAL_RESULT_TABLE
    SELECT
        fts.contact,
        SUM(fts.bytes_transferred) AS total_bytes_transferred
    FROM $TMP_FILTERED_TRANSFER_SESSIONS fts
    GROUP BY fts.contact
    ORDER BY fts.contact
    ;

Advanced Report Usage Notes: Avoid Duplicating Redundant Records

Transfers between two managed nodes create two records per file, one in $TBL_TRANSFER_SESSION_FILES and one in $TBL_FILES. If both source and destination are managed nodes, then both sides log to the database. These records will not be identical--the record logged by the server reports the server-side path, while the record logged by the client reports the client-side path. Sometimes other fields, such as err_desc, may differ as well. There are several fields in the canonical tables supplied specifically to address this issue:

Field Name (Tables)

reported_by_both_sides (table: $TBL_TRANSFERS)
    0 if transfer was only logged by one side.
    1 if transfer was logged by both server and client.
reported_by_server (tables: $TBL_FILES, $TBL_TRANSFER_SESSION_FILES)
    0 if the file record was logged by the client.
    1 if the file record was logged by the server.

initiated_by_source (tables: $TBL_TRANSFERS, $TBL_TRANSFER_SESSIONS, $TBL_FILES, $TBL_TRANSFER_SESSION_FILES)
    0 if transfer is a pull (client is the destination).
    1 if transfer is a push (client is the source).

To ensure that each file is present only once in a result set, we need to use the above fields to give precedence to the record from one side or the other.

Note: The previous caveat about record duplication (Advanced Report Usage Notes: Avoid Duplicating Identical Records) also applies (i.e. the file record reported by the server node could itself be returned multiple times, as well as the record reported by the client node).

Note: Certain edge cases cause a problem even when using the above filter. For example, if both nodes start reporting a transfer session and one node loses its connection to the database, then reported_by_both_sides will equal 1, but not all of the file records will have two records in the file tables.

The following SQL example, taken from the built-in Activity Summary By Contact report, gives the destination-side file record precedence in cases where both sides logged the transfer.

    #==================================================
    # Set variables to hold report datetime parameters
    # (all datetimes are converted to UTC)
    #==================================================
    SET @report_period_start = '$REPORT_PERIOD_START';
    SET @report_period_end = '$REPORT_PERIOD_END';

    #===================================================
    # PRE-FILTER RECORD IDS
    # Initially retrieve just the id columns from
    # base tables (improves performance by avoiding
    # queries with more than one join)
    #===================================================

    #
    # Create tables to hold the prefiltered record IDs
    #
    CREATE TABLE $TMP_TRANSFER_IDS (
        id INT NOT NULL PRIMARY KEY,
        reported_by_both_sides TINYINT(1) NOT NULL DEFAULT 0
    );
    CREATE TABLE $TMP_TRANSFER_SESSION_IDS (
        id INT NOT NULL PRIMARY KEY,
        reported_by_both_sides TINYINT(1) NOT NULL DEFAULT 0
    );
    CREATE TABLE $TMP_FILE_SESSION_IDS (
        id INT NOT NULL PRIMARY KEY,
        transfer_session_id INT NOT NULL
    );

    #
    # Retrieve IDs
    #

    #
    # Transfers
    #
    INSERT INTO $TMP_TRANSFER_IDS
    SELECT DISTINCT
        t.id,
        t.reported_by_both_sides
    FROM $TBL_TRANSFERS t
    WHERE (t.started_at < @report_period_end
        AND (t.stopped_at >= @report_period_start
            OR t.stopped_at IS NULL ) )
    ;

    #
    # Transfer Sessions
    # (copy over 'reported_by_both_sides'
    # from transfers)
    #
    INSERT INTO $TMP_TRANSFER_SESSION_IDS
    SELECT DISTINCT
        ts.id,
        t.reported_by_both_sides
    FROM $TBL_TRANSFER_SESSIONS ts
    JOIN $TMP_TRANSFER_IDS t ON ts.transfer_id = t.id
    WHERE (ts.started_at < @report_period_end
        AND (ts.stopped_at >= @report_period_start
            OR ts.stopped_at IS NULL ) )
    ;

    #
    # File Sessions (choose destination-side
    # info if both sides logged to db)
    #
    INSERT INTO $TMP_FILE_SESSION_IDS
    SELECT DISTINCT
        fs.id,
        fs.transfer_session_id
    FROM $TBL_TRANSFER_SESSION_FILES fs
    JOIN $TMP_TRANSFER_SESSION_IDS ts ON fs.transfer_session_id = ts.id
    WHERE (fs.started_at < @report_period_end
        AND (fs.stopped_at >= @report_period_start
            OR fs.stopped_at IS NULL) )
      AND (ts.reported_by_both_sides=0
        OR ( (fs.reported_by_server=1 AND fs.initiated_by_source=1)
          OR (fs.reported_by_server=0 AND fs.initiated_by_source=0) ) )
    ;

    CREATE INDEX idx_transfer_session_id ON $TMP_FILE_SESSION_IDS (transfer_session_id);

Advanced Report Usage Notes: Filter on Raw Values

Filtering on computed values in most cases prevents MySQL from being able to take advantage of indexes. For example, the following will force a scan of every record in $TBL_TRANSFER_SESSIONS, because MySQL has to perform the CONVERT( ) on ts.started_at for every record:

    SELECT DISTINCT ts.*
    FROM $TBL_TRANSFER_SESSIONS ts
    WHERE CONVERT(ts.started_at, DATE) = DATE(NOW())
    ;

Instead, compute the correct criteria to compare the raw value against:

    SET @todays_date = DATE(NOW());
    SET @tomorrows_date = DATE_ADD(@todays_date, INTERVAL 1 DAY);
    SELECT DISTINCT ts.*
    FROM $TBL_TRANSFER_SESSIONS ts
    WHERE ts.started_at >= @todays_date
      AND ts.started_at < @tomorrows_date
    ;

Note: Even the above will only give expected results if you are in GMT time zone, as NOW( ) will return UTC time. The built-in report variables $REPORT_PERIOD_START and $REPORT_PERIOD_END contain datetimes converted from local time zone of input into UTC and are usually a better choice for date filtering (unless recipient is fine with UTC-based filtering).

Advanced Report Usage Notes: Filter Strings by Using "Begins With"

If possible, filter strings by matching "begins with" rather than "contains" or "ends with". If that's not possible, consider creating a custom field. For example, the following will not be able to use the index on ts.contact:

    SELECT DISTINCT ts.*
    FROM $TBL_TRANSFER_SESSIONS ts
    WHERE ts.contact LIKE '%Euro2012_Livex%'
    ;

If you know all the possible ways the string could begin, you could enumerate them like this:

    SELECT DISTINCT ts.*
    FROM $TBL_TRANSFER_SESSIONS ts
    WHERE ts.contact LIKE 'AA_Euro2012_Livex%'
       OR ts.contact LIKE 'BB_Euro2012_Livex%'
       OR ts.contact LIKE 'CC_Euro2012_Livex%'
    ;

If the report is only to be run for a small date range and there are few transfer sessions then you may not need to worry about this. If you expect to be running over large date ranges and large numbers of sessions, then you should create a custom field that detects the presence of the match string and then copies it to the custom field -- you could then filter on the custom field instead.

Advanced Report Usage Notes: Always Include a Date Filter

To avoid creating a report that might try to work on the entire database you should always include some kind of date filter. The recommended option is to use the built-in report variables $REPORT_PERIOD_START and $REPORT_PERIOD_END to filter data. If an advanced report contains these variables, the web UI will include date pickers when the user runs the report. A standard filter to find all transfers that were active at any time during the report period would look like the following:

    SELECT DISTINCT
        ts.id
        , ts.contact
        , ts.bytes_transferred
    FROM $TBL_TRANSFER_SESSIONS ts
    WHERE ts.started_at < '$REPORT_PERIOD_END'
      AND ( ts.stopped_at >= '$REPORT_PERIOD_START' OR ts.stopped_at IS NULL );

Note the clause OR ts.stopped_at IS NULL. Without this, the report would exclude any transfers that were still running at the time the report was run. Depending on the intended purpose of the report, you might need to prorate data for transfers that were active for only part of the reporting period, such as cases 2, 3, and 4 in the following:

As an alternative, you can avoid the use of $REPORT_PERIOD_START and $REPORT_PERIOD_END if you are creating a report that always looks at the last X hours:

    SET @period_start = DATE_SUB(NOW(), INTERVAL 24 HOUR);
    CREATE TABLE $FINAL_RESULT_TABLE
    SELECT DISTINCT ts.*
    FROM $TBL_TRANSFER_SESSIONS ts
    WHERE ts.started_at >= @period_start
    ;

Note: As of Console 1.6 there is a bug in the report engine that causes the creation of Excel/CSV files to fail if you do not reference $REPORT_PERIOD_START and $REPORT_PERIOD_END at all. To work around this, include a dummy reference in the report SQL. For example:

    SET @dummy = '$REPORT_PERIOD_START';

When running the report, users are then asked for report period dates, but they will be ignored.
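The proration mentioned in this section, written out as an added example (it is not part of the Console documentation or its built-in reports): each session's bytes_transferred is weighted by the fraction of its duration that overlaps the report period. It assumes a constant transfer rate within a session and that started_at and stopped_at are stored in UTC like the substituted report period values; $TMP_SESSION_WINDOWS and the result column names are hypothetical.

```sql
# Added example: prorate bytes_transferred by the share of each session's
# duration that falls inside the report period.
# Assumption: data moved at a constant rate for the whole session.

SET @report_period_start = '$REPORT_PERIOD_START';
SET @report_period_end   = '$REPORT_PERIOD_END';

# Hypothetical temporary table; one row per session id.
CREATE TABLE $TMP_SESSION_WINDOWS (
  `id` INT(11) NOT NULL PRIMARY KEY,
  `contact` VARCHAR(255),
  `bytes_transferred` BIGINT(20),
  `started_at` DATETIME NOT NULL,
  `effective_stop` DATETIME NOT NULL
);

# Pre-filter with the standard date filter. SELECT DISTINCT together with
# ts.id removes the identical duplicates that security filtering can return.
# Sessions still running have stopped_at = NULL; the current UTC time is
# used as their provisional end (assumes stored datetimes are UTC).
INSERT INTO $TMP_SESSION_WINDOWS
SELECT DISTINCT
  ts.id,
  ts.contact,
  ts.bytes_transferred,
  ts.started_at,
  COALESCE(ts.stopped_at, UTC_TIMESTAMP())
FROM $TBL_TRANSFER_SESSIONS ts
WHERE ts.started_at < @report_period_end
  AND ( ts.stopped_at >= @report_period_start OR ts.stopped_at IS NULL );

# Overlap window = [ max(start, period start), min(stop, period end) ].
# A session shorter than one second gets fraction 1, which also avoids a
# division by zero. GREATEST(0, ...) covers a running session whose
# provisional end lies before the report period starts.
CREATE TABLE $FINAL_RESULT_TABLE
SELECT
  w.contact,
  COUNT(*) AS session_count,
  SUM(w.bytes_transferred) AS total_bytes_unprorated,
  ROUND(SUM(
    w.bytes_transferred *
    CASE
      WHEN TIMESTAMPDIFF(SECOND, w.started_at, w.effective_stop) <= 0 THEN 1
      ELSE GREATEST(0, TIMESTAMPDIFF(SECOND,
             GREATEST(w.started_at, CAST(@report_period_start AS DATETIME)),
             LEAST(w.effective_stop, CAST(@report_period_end AS DATETIME))))
           / TIMESTAMPDIFF(SECOND, w.started_at, w.effective_stop)
    END
  )) AS total_bytes_prorated
FROM $TMP_SESSION_WINDOWS w
GROUP BY w.contact
ORDER BY w.contact;
```

Comparing total_bytes_unprorated with total_bytes_prorated per contact shows how much of the reported volume belongs to sessions that only partly overlap the period.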

Advanced Report Usage Notes: Always Name Your Computed or Aggregated Columns

Always name your computed or aggregate columns, and avoid names that might be reserved words. In particular, do not call a final result column "name", "count", "id", and so on.

INCORRECT:

    CREATE TABLE $FINAL_RESULT_TABLE
    SELECT
        fts.contact,
        COUNT(*),
        SUM(fts.bytes_transferred)
    ...

CORRECT:

    CREATE TABLE $FINAL_RESULT_TABLE
    SELECT
        fts.contact,
        COUNT(*) AS session_count,
        SUM(fts.bytes_transferred) AS total_bytes_transferred
    ...

Advanced Report Usage Notes: Avoid Joining Reporting Views

MySQL often mis-optimizes queries that join reporting views directly to each other. The fact that the views can show the same record multiple times can cause a geometric explosion in the number of temporary records inspected.

EXAMPLE:

    # Find all sessions that contained file "foo.txt"
    # List both session info and file info
    # ASSUMES NO SESSIONS WERE BETWEEN TWO MANAGED NODES
    SET @report_period_start = '$REPORT_PERIOD_START';
    SET @report_period_end = '$REPORT_PERIOD_END';
    CREATE TABLE $FINAL_RESULT_TABLE
    SELECT DISTINCT
        ts.session_id,
        ts.source_ip,
        ts.dest_ip,
        ts.started_at,
        ts.stopped_at,
        ts.status,
        tsf.file_fullpath,
        tsf.size,
        tsf.started_at AS file_started_at,
        tsf.stopped_at AS file_stopped_at,
        tsf.status AS file_status
    FROM $TBL_TRANSFER_SESSIONS ts
    JOIN $TBL_TRANSFER_SESSION_FILES tsf ON ts.id = tsf.transfer_session_id
    WHERE tsf.started_at < @report_period_end
      AND ( tsf.stopped_at >= @report_period_start OR tsf.stopped_at IS NULL )
      AND tsf.file_basename = "foo.txt"
    ORDER BY
      ts.started_at,
      tsf.started_at
    ;

Although the above report uses SELECT DISTINCT, contains no aggregate functions such as COUNT and SUM, and generates a correct final result (unless any of the transfer sessions were between two managed nodes), it is potentially slow. For greater speed (and to prevent query misoptimization from MySQL), it is better to decompose the above query into smaller steps, and join your temporary tables to the report views instead of joining the report views together directly.

Note: In order to avoid complexity in the SQL, the example below assumes no sessions were between two managed nodes. Therefore, the code for dealing with this has been left out (see Advanced Report Usage Notes: Avoid Duplicating Redundant Records).

EXAMPLE

    = '$REPORT_PERIOD_START';
    = '$REPORT_PERIOD_END';

    #
    # Create tables to prefilter base table record ids
    #
    CREATE TABLE $TMP_TRANSFER_SESSION_IDS (
      id INT NOT NULL PRIMARY KEY
    );

    CREATE TABLE $TMP_TRANSFER_SESSION_FILE_IDS (
      id INT NOT NULL PRIMARY KEY,
      transfer_session_id INT NOT NULL
    );

    #
    # Create table to hold all desired fields from
    # transfer_sessions
    #
    CREATE TABLE $TMP_TRANSFER_SESSION_DATA (
      `id` INT(11) NOT NULL AUTO_INCREMENT PRIMARY KEY,
      `session_id` VARCHAR(36),
      `source_ip` VARCHAR(255),
      `dest_ip` VARCHAR(255),
      `started_at` DATETIME,
      `stopped_at` DATETIME,
      `status` VARCHAR(255)
    );

    #
    # Create table to hold all desired fields from
    # transfer_session_files
    #
    CREATE TABLE $TMP_TRANSFER_SESSION_FILE_DATA (
      `id` INT(11) NOT NULL AUTO_INCREMENT PRIMARY KEY,
      `transfer_session_id` INT(11),
      `started_at` DATETIME,
      `stopped_at` DATETIME,
      `status` VARCHAR(255),
      `file_fullpath` TEXT,
      `size` BIGINT(20)
    );

    #========================================

    # PRE-FILTER BASE TABLE IDS
    #========================================

    #
    # For this report, we know we are
    # filtering on file name and can use
    # the index on that column, so it is
    # faster to find the records from
    # transfer_session_files first
    #

    #
    # Transfer Session Files
    #
    INSERT INTO $TMP_TRANSFER_SESSION_FILE_IDS
    SELECT DISTINCT
      tsf.id,
      tsf.transfer_session_id
    FROM $TBL_TRANSFER_SESSION_FILES tsf
    WHERE
      tsf.started_at
      AND (
        tsf.stopped_at
        OR tsf.stopped_at IS NULL
      )
      AND tsf.file_basename = "foo.txt"
    ;

    #
    # Create an index on the join field
    # for speed, we wait until table is
    # populated instead of defining the index
    # during initial creation of table
    #
    CREATE INDEX idx_transfer_session_id
      ON $TMP_TRANSFER_SESSION_FILE_IDS (transfer_session_id);

    #
    # Transfer Sessions
    #
    INSERT INTO $TMP_TRANSFER_SESSION_IDS
    SELECT DISTINCT
      ts.id
    FROM $TBL_TRANSFER_SESSIONS ts
    JOIN $TMP_TRANSFER_SESSION_FILE_IDS tsf
      ON ts.id = tsf.transfer_session_id
    WHERE
      ts.started_at
      AND (
        ts.stopped_at
        OR ts.stopped_at IS NULL
      )
    ;

    #
    # Remove transfer file sessions that don't have an
    # associated transfer_session record
    # (normally not supposed to happen, but we want
    # to protect against bad data that might be
    # caused by system crash, logger errors, console
    # purge errors, Canonicalizer shutdown, etc.)
    # For this particular report, this is not needed

    # since the final join will weed out such records,
    # but it is a good habit to maintain, this report
    # could be modified later into one where
    # it would make a difference.
    #
    DELETE tsf.*
    FROM $TMP_TRANSFER_SESSION_FILE_IDS tsf
    LEFT JOIN $TMP_TRANSFER_SESSION_IDS ts
      ON tsf.transfer_session_id = ts.id
    WHERE ts.id IS NULL;

    #========================
    # Get all desired fields
    #========================

    #
    # transfer_session_files
    #
    INSERT INTO $TMP_TRANSFER_SESSION_FILE_DATA (
      id,
      `transfer_session_id`,
      `started_at`,
      `stopped_at`,
      `status`,
      `file_fullpath`,
      `size`
    )
    SELECT DISTINCT
      tsf.id,
      tsf.transfer_session_id,
      tsf.started_at,
      tsf.stopped_at,
      tsf.status,
      tsf.file_fullpath,
      tsf.size
    FROM $TMP_TRANSFER_SESSION_FILE_IDS tsf_ids
    STRAIGHT_JOIN $TBL_TRANSFER_SESSION_FILES tsf
      ON tsf_ids.id = tsf.id
    ;

    #
    # Add index to speed joins
    #
    CREATE INDEX idx_transfer_session_id
      ON $TMP_TRANSFER_SESSION_FILE_DATA (`transfer_session_id`);

    #
    # transfer_sessions
    #
    INSERT INTO $TMP_TRANSFER_SESSION_DATA (
      id,
      `session_id`,
      `source_ip`,
      `dest_ip`,
      `started_at`,
      `stopped_at`,
      `status`
    )

    SELECT DISTINCT
      ts.id,
      ts.session_id,
      ts.source_ip,
      ts.dest_ip,
      ts.started_at,
      ts.stopped_at,
      ts.status
    FROM $TMP_TRANSFER_SESSION_IDS ts_ids
    STRAIGHT_JOIN $TBL_TRANSFER_SESSIONS ts
      ON ts_ids.id = ts.id
    ;

    #===========================
    # Create final result table
    #===========================
    CREATE TABLE $FINAL_RESULT_TABLE
    SELECT
      ts.session_id,
      ts.source_ip,
      ts.dest_ip,
      ts.started_at,
      ts.stopped_at,
      ts.status,
      tsf.file_fullpath,
      tsf.size,
      tsf.started_at AS file_started_at,
      tsf.stopped_at AS file_stopped_at,
      tsf.status AS file_status
    FROM $TMP_TRANSFER_SESSION_DATA ts
    JOIN $TMP_TRANSFER_SESSION_FILE_DATA tsf
      ON ts.id = tsf.transfer_session_id
    ORDER BY
      ts.started_at,
      tsf.started_at
    ;

Example Reports

Basic Report Example: Faspex User Activity

The following example demonstrates the process of creating a new, basic report (following the instructions described in Creating a Basic Report) for Faspex users. In our example, we will generate a report that displays transfer activity by Faspex users only. The example report, once generated, will display total bytes transferred by each Faspex Server user, along with file and transfer-level detail (where a transfer groups together transfer sessions into a single item).

1. Go to the Manage Report Types page.
Select Reports from the Console menu, and then click the Manage Report Types button. On the Manage Report Types screen, click the New Basic button.

2. Configure your basic report to display file- and transfer-level details, organized by Faspex Users.
On the Create New Report Type page (for basic reports), enter the following information:

Name: Basic Faspex User Report

Description: Basic Faspex Server User report, which includes total bytes per Faspex User, as well as file- and transfer-level details.

How would you like to organize this report?: Select "Contact," "Transfer," and "File" as the fields by which to organize this report. In doing so, the report will be grouped by the following fields:
  Contact (Contact assigned by Console. This can be a Console user name, a Faspex Server user name, SSH account, or customized value obtained from a transfer cookie. Examples: "admin (console)", "aspera (ssh)", "michael (faspex)".)
  Transfer (Human-readable name assigned to a transfer. A transfer represents one or multiple executions of ascp (that is, one or multiple attempts to transfer).)
  File (File's name)

Columns to include: Select the following basic fields to include as columns:
  bytes transferred
  average rate
  files completed
  files failed
  started at
  stopped at
  status
  error description
  source address
  destination address
Note: When you select a field, its definition will appear in the box below.

Sort: Select the following fields to sort data inside your groups:
  Sort your contact groups by contact name.
  Sort your transfer groups by the time that the transfer started.

  Sort your file groups by file name.
Select ascending order for all fields.

Filters: To narrow down the report so that only Faspex Users are displayed, specify the Transfer Contact field as ending with the value (faspex).

3. Save, finalize run settings, and run your report.
Next, click the Create and Run button. Confirm the following settings on next page:
  Title is as described above.
  Report is scheduled to Run Now.
  Report period is Month to date and time zone is Pacific.
  Sorting is as described above.
  Filter is as described above.
  XLSX file format is checked.
Once confirmed, click the Run Report button.

4. View your Web and XLSX reports.
After clicking the Run Report button, the page updates to display the report queuing and then running. Once generated, the Web version of your basic report appears as shown below.

As you can see, the report's data is grouped and sorted in the following manner:
  Faspex Users
  Transfers (per Faspex User), which are sorted by the time they started
  File name (per Transfer)
In addition, all data columns appear as selected on the Create Advanced Report Type page. To download the Excel version of the report for use in other applications, click the XLSX button.

Basic Report Example: Hot Folder Activity

The following example demonstrates the process of creating a new, basic report (following the instructions described in the topic Creating a Basic Report) for Hot Folder transfers. In our example, we will generate a report that displays transfer activity for Hot Folders that have been set up within Aspera Enterprise (or Connect) Server, Point_to_Point and Client. The example report, once generated, will display Hot Folder transfer start time, end time and the number of files transferred.

1. Go to the Manage Report Types page.
Select Reports from the Console menu, and then click the Manage Report Types button. On the Manage Report Types screen, click the New Basic button.

2. Configure your basic report to display file- and transfer-level details, organized by Faspex Users.
On the Create New Report Type page (for basic reports), enter the following information:

Name: Basic Hot Folder Transfer Report

Description: Basic Hot Folder Transfer report, which includes start time, stop time and the number of files that were transferred.

How would you like to organize this report?: Select "Transfer" as the field by which to organize this report. In doing so, the report will be grouped by the human-readable name that has been assigned to each hot

folder transfer. A transfer represents one or multiple executions of ascp (that is, one or multiple attempts to transfer).

Columns to include: Select the following basic fields to include as columns:
  started at
  stopped at
  files completed
  average rate
Note: When you select a field, its definition appears in the box below.

Sort: Select the "transfer name" field (in ascending order) to sort data inside your group.

Filters: In this example, we must set a filter that checks the value of the transfer cookie. When files are transferred using Hot Folders, the transfer cookie contains the following information: aspera.sync2: Thus, the filter must be set to only include transfers that have a transfer cookie starting with the value aspera.sync2:.

3. Save, finalize run settings, and run your report.
Next, click the Create and Run button. Confirm the following settings on next page:
  Title is as described above
  Report is scheduled to Run Now
  Report period is Month to date and time zone is Pacific
  Sorting is as described above
  Filter is as described above
Once confirmed, click the Run Report button.

4. View your Web report.
After clicking the Run Report button, the page will update to display the report queuing and then running. Once generated, the Web version of your basic report appears as shown below.

Basic Report Example: Faspex Metadata

The following example demonstrates the process of creating a new, basic report (following the instructions described in the topic Creating a Basic Report) for Faspex metadata. In our example, we will generate a report that displays the

metadata that is entered into a "Create New Package" form within Faspex, which is accomplished by creating a new, custom field called "Event" within Console.

Note: This example assumes that the "event" (metadata) field has already been set up on the Faspex node. When creating a new Faspex package, Faspex users can select from a predefined (drop-down) list of events, which populates the database for this custom field.

The example report, once generated, will display the purpose (or "Event") of the Faspex package, as well as file-level detail, transfer-level detail (where a transfer groups together transfer sessions into a single item), and which Faspex user sent the package.

1. Set up a Console database custom field for the metadata.
Within Console, select Configuration from the main menu, and then the Custom Fields tab. Create a new, custom field with the following attributes:
  Level: Select "transfer"
  Name: Enter the name "event"
  Start Date: Enter " "
  Description: Since this custom field is for the metadata report, enter the description "Faspex Metadata report demo"
For more information on custom fields, see Creating Custom Fields.

Next, click the Create button and enter the following information:

Field | Value
Built-in field | Faspex Metadata
Operator | matching regular expression
Expression | \{.*"Event":"(?<event>.+?)".*\)
Custom Field Value | <event>

In the rule example above, a rule is created that states if the conditions match the regular expression, then set the "event" custom field value to the Faspex metadata value. The regular expression is interpreted as follows:

The following example of decoded metadata for a Faspex cookie shows what the regular expression matches:

When finished, click Create to create the new rule. On the next page, click the Back to Custom Fields tab or the Custom Fields tab. Locate the entry for the field you just created ("event" in this case), and click recalculate.

2. Go to the Manage Report Types page.
Select Reports from the Console menu, and then click the Manage Report Types button. On the Manage Report Types screen, click the New Basic button.

3. Configure your basic report to display contact, file-level, and transfer-level details, organized by Faspex metadata (the "event").
On the Create New Report Type page (for basic reports), enter the following information:

Name: Faspex meta data report

Description: Based on the custom field "event." Includes metadata, contact, file-level, and transfer-level details.

How would you like to organize this report?: Select "Event" (which is a custom field), "Contact," "Transfer" and "File" as the fields by which to organize this report. In doing so, the report will be grouped by the following:
  Event (Based on a transfer-level rule that states if the conditions match the regular expression, then set the "event" custom field value to the Faspex metadata value.)
  Contact (Contact assigned by Console. This can be a Console user name, a Faspex Server user name, SSH account, or customized value obtained from a transfer cookie. Examples: "admin (console)", "aspera (ssh)", "michael (faspex)".)
  Transfer (Human-readable name assigned to a transfer. A transfer represents one or multiple executions of ascp (i.e., one or multiple attempts to transfer).)
  File (File's name)

Columns to include: Select the following basic fields to include as columns:
  started at
  stopped at
  bytes transferred
  status
  average rate
  cookie
Note: When you select a field, its definition will appear in the box below.

Sort: Select the following fields to sort data inside your groups:
  Sort your metadata groups by event/metadata name
  Sort your contact groups by contact name
  Sort your transfer groups by transfer name
  Sort your file groups by file name
Select ascending order for all fields.

Filters: Filter the report so that only fields with metadata appear (that is, event is not NULL) and only data from Faspex Users is displayed (that is, transfer contact contains the value faspex).

4. Save, finalize run settings and run your report.
Next, click the Create and Run button. Confirm the following settings on next page:
  Title is as described above.
  Report is scheduled to Run Now.
  Report period is Month to date and time zone is Pacific.
  Sorting is as described above.
  Filter is as described above.
Once confirmed, click the Run Report button.

5. View your Web report.

After clicking the Run Report button, the page will update to display the report queuing and then running. Once generated, the Web version of your basic report will appear as shown below.

As you can see, the report's data is grouped and sorted in the following manner:
  Metadata
  Faspex Users that selected the corresponding event/metadata
  Transfers (per Faspex User), which are sorted by the time they started
  File name (per Transfer)
In addition, all data columns appear as selected on the Create Basic Report Type page.

Advanced Report Example: Transfer Sessions with High Packet Loss

The following example demonstrates the process of creating a new, advanced report (following the instructions described in the topic Creating an Advanced Report) for transfers with high packet loss. In our example, we will generate a report that displays a list of all transfers that have high packet loss, where high loss is user specified. The report includes transfers that started before the report period start, as well as ones that ended after the report period end, as long as part of the transfer fell within the reporting period. Note that the data is not prorated, meaning that the "bytes transferred," "files complete" and other values show totals for the entire transfer, even if part of the transfer took place outside the reporting period.

1. Go to the Manage Report Types page.
Select Reports from the Console menu, and then click the Manage Report Types button. On the Manage Report Types screen, click the New Advanced button.

2. Input your advanced report's name and description.
On the Create New Advanced Report Type page, enter the following information:

Name: Transfer Sessions with High Packet loss

Description: Displays a list of all transfers that have high packet loss.

3. Create your SQL script.
Important: For assistance on SQL variables and a fields reference guide, please click the Help link.

    CREATE TABLE $FINAL_RESULT_TABLE
    SELECT DISTINCT -- prevents duplicate rows (that is, overlapping permissions)
      ts.name,
      ts.contact,
      ts.bytes_transferred,
      ts.bytes_lost,
      TRUNCATE((ts.bytes_lost)*100/(ts.bytes_transferred + ts.bytes_lost), 1) AS `packet loss %`,
      ts.source_ip AS `from`,
      ts.dest_ip AS `to`,
      ts.started_at,
      ts.stopped_at,
      ts.status,
      ts.files_complete,
      ts.files_failed,
      ts.files_skipped
    FROM $TBL_TRANSFER_SESSIONS ts
    WHERE
      ((ts.bytes_lost * 100) /(ts.bytes_lost + ts.bytes_transferred)) >= $PACKET_LOSS /* Custom/configurable variable */
      AND ts.started_at < '$REPORT_PERIOD_END'
      AND (
        ts.stopped_at >= '$REPORT_PERIOD_START'
        OR ts.stopped_at IS NULL
      )
    ORDER BY
      5 DESC,
      8
    ;

Important: For demonstration purposes, we have created a configurable/custom variable called $PACKET_LOSS in the SQL script text above. You may, alternatively, utilize the built-in SQL database field avg_loss_pct, to display the average packet loss over the network (as a percentage). Please see the Help link in the application for details.

4. Save, finalize run settings and run your report.
Next, click the Create and Run button. Confirm the following settings on next page:
  Title is as described above.
  Report is scheduled to Run Now.
  Report period is Last 24 hours and time zone is Pacific.
Once confirmed, click the Run Report button.

5. View your Web report.
After clicking the Run Report button, the page will update to display the report queuing and then running. Once generated, the Web version of your basic report will appear as shown below.


Working with IBM Aspera Shares

Configuring Shares Options

The Shares Home Page

When you log into IBM Aspera Shares, you land on your APOD / SOD homepage.

Callout | Link | Action
A | Home | Goes to your Shares home page.
B | Admin | Goes to the admin page.
C | Errors and Warnings icon | Opens a pop-up window containing a summary of errors and warnings with links to individual errors and warnings as well as the Errors and Warnings page.
D | username | Opens a drop-down menu with links for Preferences and Logout.
E | Preferences | Goes to the Preferences page. For more information, see Configure User Preferences.
F | Logout | Logs you out of Shares and goes to the Shares Log In window.
G | SHARES + | Your shares are listed below this heading. If you have authorization, click + to add a new share. For more information, see Creating a Share. If Home Shares are enabled, your Home Share is listed above this heading. For more information, see Managing Home Shares. Note: The + is visible only if you are authorized to create shares.

I | ACTIVITY | Click My Activity to see and search your Shares activity. Click All Activity to see and search the activity of all users and all activities in nodes and shares.

Configure User Preferences

To configure your user account settings, click your username in the top right corner of the browser window and click Preferences. Click Edit next to the headers to change general settings such as your first and last name, your password, and your email address, as well as change your notification options, configure your system display, and choose to suppress the Aspera Connect install dialog.

Email Settings

Note: All notifications are enabled by default.

Setting | Description
Notify me when I am granted access to a new share | Receive an email whenever you are given access to a new share.
Notify me when a new transfer is completed to a share (and share notification is enabled) | Receive an email when new content has been added to your share. An admin must enable notifications for that share for you to receive an email.
Notify me when a user is authorized to a share | Receive an email whenever a user is given access to a share. Note: This option is available for admins only.
Notify me when a new user has requested an account | Receive an email whenever a new user requests an account when self-registration is enabled and set to moderated. Note: This option is available for admins only.

Display

Setting | Description
Time Zone | The time zone for your system.

Date Order | The order that date, month, and year are displayed.
Date Delimiter | The punctuation used to separate the date, month, and year.
Time Format | Display a 12-hour time format or a 24-hour time format.
Number Delimiter | The punctuation used to denote the thousands place in a number. For example, if a comma (,) is chosen as the delimiter then one thousand is displayed as "1,000". Note: Number delimiter and separator cannot be the same.
Number Separator | The punctuation used to denote the decimal place in a number. For example, if a period (.) is chosen as the delimiter then ten and two-tenths is displayed as "10.2". Note: Number delimiter and separator cannot be the same.
Items Per Page | The number of items Shares will display per page. The default is 50.
Connect Install Dialog | Each page of Shares checks for the presence of the IBM Aspera Connect Browser Plug-in. If Connect is missing, Shares prompts you to download the plug-in. To suppress Shares from prompting users to install Connect on each page, set the value to true.

Configuring System Settings

The following system configuration options are available under the System Settings menu on the Admin page.

Setting | Description
Background | Configure the frequency with which Shares monitors and updates the system. Also set the minimum allowable remaining space available on the Shares server, below which a warning notification is issued.
Home Shares | Enable or disable Home Shares. For more information on Home Shares, see Managing Home Shares and Enabling Home Shares.
License | View or change your APOD / SOD license. For more information on updating your license, see Updating the License.
Localization | Configure your APOD / SOD server with your local timezone, date format, and time format. For more information on localization, see Configuring the Shares Time Zone and Time Format.
Logging | Configure the logging density. For more information on logging, see Configuring Logging Settings.
Logos | Add, edit, or delete a custom logo for your Shares web application. Logo image files must be less than 500 kb. To make the new logo active, click Select. To delete a logo image file, click Delete.
Messages | Create messages that appear at the top of the log in page and the home page for all users.
Transfers | Configure settings for upload and download rates, transfer policies, and encryption. For more information on configuring transfers, see Configuring Transfer Settings.

Web Server | Configure the web server settings, including the host, port, and whether SSL/TLS is enabled. For more information, see Configuring the Web Server.

Managing Home Shares

A Home Share is a private, empty share directory which is automatically created for new users when they first log into Shares (if Home Shares are enabled). Users can authorize other users to access their Home Share.

You can choose which node to use for Home Shares. A new directory is created on the node, and a share is added to the user's account. The user's username is used for both the directory and share name.

Home Shares are treated like regular shares by the application. Therefore, you can choose to authorize additional users to these shares or remove them individually after the initial creation. When you log in, you can see all the Home Shares.

For instructions on enabling Home Shares, see Enabling Home Shares.

Note: If Home Share creation fails when a user first logs in, an error is logged to the activity log. The next time the user logs in, Shares tries to create the Home Share again.

Enabling Home Shares

When Home Shares are enabled, Shares automatically creates and adds a private share directory for new users when they first log in to Shares. Home Shares are created for all new local users, directory users, and SAML users.

1. Go to Admin > System Settings > Home Shares.
2. To enable automatic creation of Home Shares, select Enable Home Shares.
3. From the Node drop-down list, select a node. You can also add a new node by clicking New Node. For details on how to add a node, see Adding Nodes.
4. Select the default directory or click Browse to select a different directory for the Home Share.
5. Click Save.

Disabling Home Shares

These instructions disable automatic Home Share creation for all new users. To disable a specific user's Home Share, see Disabling a User's Home Share.

1. Go to Admin > System Settings > Home Shares.
2. Clear Enable Home Shares.
3. Click Save.

Note: When you disable home shares, Home Shares that already exist are not affected, and existing users can use their existing Home Shares. Home Shares for new users are no longer created.

Changing the Home Shares Node

Note: When you modify the directory or node for Home Shares, existing Home Shares are not transferred. Only Home Shares of new users are created in the new destination.

1. Go to Admin > System Settings > Home Shares.
2. Select a different node from the Node drop-down list. You can also change to a new node by clicking New Node. For details on how to add a node, see Adding Nodes.
3. Select the default directory or click Browse to select a different directory for the Home Share.
4. Click Save.

Configuring the Shares Time Zone and Time Format

Localization settings allow you to set the time zone of the Shares server and configure date and time formats.

1. Click Admin > System Settings > Localization.
2. Configure the following settings.

Localization Setting | Description | Default
Time Zone | Set the time zone associated with the Shares server. All activity will be logged in the chosen time zone. | (GMT+00:00) UTC.
Us time zones priority | Select the box to show U.S. zones at the top of the Time Zone drop-down menu. |
Date order | Set the order of day, month, and year in the date. | YYYYMMDD
Date delimiter | Choose the date delimiter. | - (dash)
Time format | Set the time format. | 24 Hour

3. Click Save. Select the Reset All Defaults link to revert all changes.

Configuring Logging Settings

Admins can configure the logging level in Shares based on the desired logging density and the tolerance for performance impacts under higher logging levels. Five logging levels are available: debug, info, warn, error, and fatal. Logging levels are set to info by default, which logs application events. If you are troubleshooting Shares, you may want to increase the logging level to debug, which logs application events as well as more detailed information aimed at developers. Debug generates the most log entries, causing the logs to fill up and rotate faster, and incurs the greatest performance penalty.

For instructions on how to gather logs for support, see Gathering and Zipping All Logs for Support. Errors and warnings are logged but may also be viewed in the Shares web application. For more information, see Errors and Warnings.

Configuring Transfer Settings

To configure settings for upload and download rates, transfer policies, and encryption, click System Settings > Transfers. The following settings are available:

Setting | Description
Min connect version | The minimum version of the IBM Aspera Connect Browser Plug-in that can be used to transfer with Shares. The version must be in the form "X.Y.Z" for example,
Upload target rate | Specify the target upload rate, such as 1.5 Gbps, 500Mbps, 10K, Once you click Save, the rate appears with standardized units. Leave the field blank to use the settings on the node.
Upload target rate cap | Specify a maximum upload rate. Leave the field blank to use the settings on the node. If a target rate cap is specified in Shares and on the node, the lesser of the two is used.
Download target rate | Specify the target download rate, such as 1.5 Gbps, 500Mbps, 10K, Once you click Save, the rate

appears with standardized units. Leave the field blank to use the settings on the node.
Download target rate cap | Specify the maximum download rate. Leave the field blank to use the settings on the node. If a target rate cap is specified in Shares and on the node, the lesser of the two is used.
Starting policy | Select the policy to be enforced when the transfer starts from the drop-down menu:
  Fixed: The transfer occurs at the target rate. This may impact the performance of other traffic present on the network.
  High: The transfer uses available bandwidth up to the maximum rate.
  Fair: The transfer attempts to run at the target rate. If the transfer is limited by network conditions, it occurs at a rate lower than the target rate, but not less than the minimum rate.
  Low: The transfer rate is less aggressive than Fair when sharing bandwidth with other network traffic. When congestion occurs, the transfer rate is decreased to the minimum rate, until other traffic recedes.
Allowed policy | Select which set of policies are available to the user during transfer. If you do not make a selection, settings are inherited from the node.
Encryption | Select Optional or AES-128. If you do not make a selection, settings are inherited from the node.
Encryption at rest | Select Optional or Required. Encryption at Rest (EAR) requires users, on upload, to enter a password to encrypt the files on the server. Package recipients are required to enter the encryption password to decrypt protected files as they are being downloaded. If a user chooses to keep downloaded files encrypted, they are not required to enter a password until they attempt to decrypt the files locally. Encryption-at-Rest is supported by the IBM Aspera Connect Browser Plug-in. If you do not make a selection, settings are inherited from the node.

Configuring HTTP and HTTPS Fallback

HTTP fallback serves as a secondary transfer method when the Internet connectivity required for Aspera FASP transfers (UDP port 33001, by default) is unavailable. When HTTP fallback is enabled and UDP connectivity is lost or cannot be established, the transfer will continue over the HTTP protocol.

The instructions below describe how to enable and configure HTTP/HTTPS fallback. These instructions assume that you have already configured your Connect Server's Web UI. For additional information on configuring different modes and testing, see the Aspera KB Article "HTTP fallback configuration, testing and troubleshooting."

Note: Ensure that your HTTP daemon (Aspera HTTPD) is running with sufficient privileges, so that it can modify file ownership.

1. Configure HTTP/HTTPS fallback settings.
   You can configure HTTP/HTTPS fallback either from the GUI or by editing aspera.conf.
   Configuring HTTP/HTTPS fallback from the GUI: Launch the transfer server and go to Configuration > Global > HTTP Fallback.
   Configuring HTTP/HTTPS fallback by editing aspera.conf: Run the following commands:
   To view the current HTTP settings in aspera.conf:
   $ /opt/aspera/bin/asuserdata -b -t
   To manually inspect aspera.conf, open it from the following directory:
   /opt/aspera/etc/aspera.conf
2. After enabling HTTP fallback and setting a token encryption key, restart the Aspera Central, Aspera NodeD, and Aspera HTTPD services.
   Run the following command in a Terminal window to restart asperacentral:
   # /etc/init.d/asperacentral restart
   Run the following command to restart asperanoded:
   # /etc/init.d/asperanoded restart
   Run the following command to restart asperahttpd:
   # /etc/init.d/asperahttpd restart

Configuring the Web Server

Setting
Host: The hostname or IP address of the server. The Host value is used in URLs generated in Shares notification emails. For example, when an account is created for a user, Shares sends the user an email prompting the user to reset the password by clicking a URL. Shares uses the Host value to generate the URL.
Port: The HTTPS port on the server. The default value is 443.
SSL/TLS: Select to enable SSL/TLS. For more information about SSL, see Installing a Signed SSL Certificate Provided by Authorities.

Securing Shares

Configuring Shares Security

From the Admin page, configure Shares security by clicking User Security under the Security header.

Session timeout: Log out users after this many minutes of inactivity.
Require strong passwords: Require passwords to be at least 8 characters and contain at least one uppercase letter, lowercase letter, number, and symbol.
Password expiration interval: Number of days before a user must change the password. Leave the field blank to disable password expirations.
Failed login count: Number of failed logins within the Failed login interval before Shares locks the account.
Failed login interval: The interval in minutes within which hitting the Failed login count locks the account.
Self registration: Determines whether non-users can create or request user accounts. For more information on self-registered accounts, see Moderate Self Registered Accounts.
   None: Not allowed.
   Moderated: An admin must approve the account before it is created. If you allow self-registration, the moderated setting is recommended for security.
   Unmoderated: After a user registers, the user's account is automatically created.

Removing Support for TLS 1.0 and 1.1

The default configuration of Shares has TLS 1.0, 1.1 and 1.2 enabled. Older browsers require the older and less secure version, TLS 1.0. You may disable support for these older browsers by removing TLS 1.0 from the configuration.

To remove TLS 1.0 from the configuration, edit the nginx.conf file located at /opt/aspera/shares/etc/nginx/nginx.conf. Delete TLSv1 and TLSv1.1 from the following line:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Configuring Manager Permissions

The Manager Permissions page (Admin > Security > Manager Permissions) controls how managers of shares can administer users and groups of their shares. Admins can allow managers to administer users and groups through the Shares UI, through the Shares API, or both, by enabling or disabling the following options:
   Allow managers to administer users and groups through UI
   Allow default
   Allow managers to administer users and groups through API

These options are disabled by default. In a common use case, admins may decide that managers should administer users solely through the API and disable access to the Shares UI. For more information about users configured to use the API, see Shares API Permissions.
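The edit described under Removing Support for TLS 1.0 and 1.1, scripted as an added example that is not part of the Aspera documentation: it lists active ssl_protocols directives that still offer TLSv1 or TLSv1.1 and rewrites them, keeping a .orig backup. The function names and the sample configuration are constructed for illustration; only the nginx.conf path and the restart command come from this page.

```shell
#!/bin/sh
# Added example, not Aspera's own tooling. Function names are hypothetical.
# On a Shares host, the file to pass in is the one named on this page:
#   /opt/aspera/shares/etc/nginx/nginx.conf
# Assumption: each ssl_protocols directive starts its own line.

# Print "lineno: directive" for every active ssl_protocols directive that
# still lists TLSv1 or TLSv1.1. Prints nothing when the file is clean.
legacy_tls_lines() {
    awk '
        /^[ \t]*#/ { next }                        # commented-out directive
        /^[ \t]*ssl_protocols[ \t]/ {
            line = $0
            sub(/#.*/, "", line)                   # ignore a trailing comment
            gsub(/;/, " ", line)
            n = split(line, tok, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] == "TLSv1" || tok[i] == "TLSv1.1") {
                    print NR ": " $0
                    break
                }
        }' "$1"
}

# Rewrite every active ssl_protocols directive without TLSv1 / TLSv1.1.
# The untouched file is kept as <conf>.orig (first run only). Refuses to
# write a directive that would be left with no protocol at all.
remove_legacy_tls() {
    conf=$1
    [ -e "$conf.orig" ] || cp -p "$conf" "$conf.orig" || return 1
    awk '
        /^[ \t]*ssl_protocols[ \t]/ {
            indent = $0
            sub(/ssl_protocols.*/, "", indent)     # leading whitespace only
            line = $0
            sub(/#.*/, "", line)
            gsub(/;/, " ", line)
            n = split(line, tok, /[ \t]+/)
            keep = ""
            for (i = 1; i <= n; i++) {
                if (tok[i] == "" || tok[i] == "ssl_protocols") continue
                if (tok[i] == "TLSv1" || tok[i] == "TLSv1.1") continue
                keep = keep " " tok[i]
            }
            if (keep == "") exit 2                 # nothing safe would remain
            print indent "ssl_protocols" keep ";"
            next
        }
        { print }' "$conf" > "$conf.new" || { rm -f "$conf.new"; return 1; }
    cat "$conf.new" > "$conf" && rm -f "$conf.new"  # keeps owner and mode
}

# Constructed sample standing in for the Shares nginx.conf.
demo_dir=$(mktemp -d)
cat > "$demo_dir/nginx.conf" <<'EOF'
http {
    server {
        listen 443 ssl;
        # ssl_protocols SSLv3 TLSv1;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }
}
EOF
echo "before:"; legacy_tls_lines "$demo_dir/nginx.conf"
remove_legacy_tls "$demo_dir/nginx.conf"
echo "after:";  grep -n 'ssl_protocols' "$demo_dir/nginx.conf"
rm -rf "$demo_dir"
# On the real host, follow with the restart given on this page:
#   /opt/aspera/shares/sbin/sv restart nginx
```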

For more information about managers and user roles in Shares, see Understanding User Roles and Share Authorization and Assigning Users the Manager Role.

Moderate Self Registered Accounts

Self registration allows users to request or create Shares user accounts. For more information on how to enable self registration, see Configuring System Settings.

If self registration is enabled, the login page displays a Request an Account link that leads to a self registration form. When a user submits this form and self registration is moderated, Self Registration under the Accounts header on the Admin page turns red with the number of requests listed in parentheses and admins get an email notification.

By default, admins receive notifications for new self registration requests. Admins can configure whether they receive notifications for new self registration requests in their personal preferences (see Configure User Preferences). To change the global default setting, see Configure Settings.

Click Self Registration to see the list of unprocessed requests. Select a user or all users in the list and click Approve, Deny, or Delete. You can search accounts by their status by entering New, Approved, or Denied in the Statuses field.

Installing a Signed SSL Certificate Provided by Authorities

In a default IBM Aspera Application Platform / Server On Demand (APOD / SOD) installation, Apache/nginx generates and uses a self-signed SSL certificate. You can find this certificate at the following location:

/opt/aspera/etc/aspera_server_cert.pem
/opt/aspera/common/apache/conf/server.crt
/opt/aspera/common/apache/conf/server.key

To set up a signed SSL certificate, follow these steps:

1. Enter the OpenSSL command to generate your Private Key and Certificate Signing Request (CSR).
   Run the following command (where key_name.key is the name of the unique key that you are creating and csr_name.csr is the name of your CSR):

   $ openssl req -new -nodes -newkey rsa:2048 -keyout key_name.key -out csr_name.csr

   After entering the command, you are prompted to enter several pieces of information, which are the certificate's X.509 attributes.

   Important: The Common Name field must be filled in with the fully qualified domain name of the server to be protected by SSL. If you are generating a certificate for an organization outside of the US, see for a list of 2-letter, ISO country codes.

   Generating a 1024 bit RSA private key
   writing new private key to 'my_key_name.key'
   -----
   You are about to be asked to enter information that will be incorporated into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [US]:Your_2_letter_ISO_country_code
   State or Province Name (full name) [SomeState]:Your_State_Province_or_County

   Locality Name (eg, city) []:Your_City
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your_Company
   Organizational Unit Name (eg, section) []:Your_Department
   Common Name (i.e., your server's hostname) []:secure.yourwebsite.com
   Email Address []:

   Note: You are prompted to enter "extra" attributes, including an optional challenge password. Manually entering a challenge password when starting the server can be problematic in some situations (for example, when starting the server from the system boot scripts). You can skip entering values for any extra attribute by hitting the "enter" button.

   ...
   Enter the following 'extra' attributes to be sent with your certificate request
   A challenge password []:
   An optional company name []:

   After finalizing the attributes, the private key and CSR will be saved to your root directory.

   Important: If you make a mistake when running the OpenSSL command, you may discard the generated files and run the command again. After successfully generating your key and Certificate Signing Request, be sure to guard your private key, as it cannot be re-generated.

2. Send CSR to your signing authority.
   You now need to send your unsigned CSR to a Certifying Authority (CA). Once the CSR has been signed, you have a real Certificate. Follow the key provider's instructions to generate and submit both your private key and the Certificate Signing Request (CSR) to acquire the certificate.

   Important: Some Certificate Authorities provide a Certificate Signing Request generation tool on their Website. Check with your CA for additional information.

   At this point, you may need to generate a self-signed certificate because:
      You don't plan on having your certificate signed by a CA.
      You wish to test your new SSL implementation while the CA is signing your certificate.
   For information on how to generate a self-signed certificate for temporary use, see Generating a New Self-Signed SSL Certificate.

3. Store your certificates on your machine. For example:

   ~/my_server.crt
   ~/my_server.key

   Your certificate provider may require you to also install an Intermediate CA Certificate file. Copy the file to the following location:

   /opt/aspera/common/apache/conf/server-ca.crt

4. Install the SSL certificate with the following command:

   $ asctl apache:install_ssl_cert cert_file key_file [chain_file]

   For example:

   $ asctl apache:install_ssl_cert ~/my_server.crt ~/my_server.key /opt/aspera/common/apache/conf/server-ca.crt

   You can find the installed certificate at the following location:

   /opt/aspera/common/apache/conf/server.crt
   /opt/aspera/common/apache/conf/server.key
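A pre-install check for the certificate files handled in this procedure, as an added example that is not part of the Aspera documentation: it confirms that a certificate (or the first certificate in a bundled cert.pem, which nginx expects to be the server certificate) carries the same public key as the private key, reads back the CSR's Common Name, and checks key file permissions and remaining validity. Function names are hypothetical, the -subj value is constructed so the commands run without prompts, and the file names are the page's placeholders.

```shell
#!/bin/sh
# Added example, not from the Aspera documentation. Function names are
# hypothetical; file names follow the placeholders used on this page.

# Print the public key (PEM) carried by a private key, certificate or CSR.
# For a bundle such as cert.pem, openssl x509 reads the first certificate only.
pubkey_pem() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        csr)  openssl req  -in "$2" -noout -pubkey 2>/dev/null ;;
        *)    return 2 ;;
    esac
}

# True when private key $1 belongs to the file in $3 ($2 = cert or csr).
same_keypair() {
    k=$(pubkey_pem key "$1") || return 1
    o=$(pubkey_pem "$2" "$3") || return 1
    [ -n "$k" ] && [ "$k" = "$o" ]
}

# Common Name of a CSR; it must be the server's fully qualified domain name.
csr_common_name() {
    openssl req -in "$1" -noout -subject 2>/dev/null |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# True when the private key file grants nothing to group or other.
key_is_private() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# True when the certificate is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# The page's CSR and temporary-certificate commands, made non-interactive
# with -subj. $1 = directory, $2 = Common Name (constructed for the demo).
# umask 077 keeps the new private key unreadable to other accounts.
make_pair() {
    (
        umask 077
        openssl req -new -nodes -newkey rsa:2048 \
            -keyout "$1/key_name.key" -out "$1/csr_name.csr" \
            -subj "/C=US/O=Example/CN=$2" 2>/dev/null &&
        openssl x509 -req -days 365 -in "$1/csr_name.csr" \
            -signkey "$1/key_name.key" -out "$1/cert_name.crt" 2>/dev/null
    )
}

# Demo on throwaway files in a temporary directory.
demo=$(mktemp -d)
make_pair "$demo" secure.yourwebsite.com
same_keypair "$demo/key_name.key" csr  "$demo/csr_name.csr"  && echo "CSR matches key"
same_keypair "$demo/key_name.key" cert "$demo/cert_name.crt" && echo "certificate matches key"
echo "CSR Common Name: $(csr_common_name "$demo/csr_name.csr")"
key_is_private "$demo/key_name.key" && echo "key is owner-only"
valid_for_days "$demo/cert_name.crt" 30 && echo "valid for at least 30 more days"
rm -rf "$demo"
```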

5. Rename the certificate files provided with Shares.
   Locate the original cert.pem and cert.key files in /opt/aspera/shares/etc/nginx. Rename them as follows:

   # cd /opt/aspera/shares/etc/nginx
   # mv cert.pem cert.pem.orig
   # mv cert.key cert.key.orig

6. After receiving your signed certificate from your CA, if the CA requires a bundle or intermediate certificate, you need to concatenate the certificates for them to work with nginx. Bundle your intermediate certificate with your primary certificate.

   # cat your_domain_name.crt DigiCertCA.crt >> cert.pem

7. Copy your new SSL cert files to /opt/aspera/shares/etc/nginx. If the files are named differently, rename the cert file cert.pem and rename the key file cert.key.

8. Restart the web service. Restart nginx as follows:

   # /opt/aspera/shares/sbin/sv restart nginx

Generating a New Self-Signed SSL Certificate

You may need to generate a self-signed certificate because:
   You don't plan on having your certificate signed by a CA.
   You wish to test your new SSL implementation while the CA is signing your certificate.

Generate a self-signed certificate using OpenSSL. This temporary certificate will generate an error in the client's browser that warns the client that the signing certificate authority is unknown and not trusted.

To generate a temporary certificate (which is good for 365 days), run the following command:

# openssl x509 -req -days 365 -in csr_name.csr -signkey key_name.key -out cert_name.crt

Configuring

Setting Up the SMTP Server

1. Select Admin > SMTP to configure the SMTP server for Shares.
2. To add a server's SMTP settings, select the SMTP option and complete the form, which requests the following information:
   Server: SMTP server address
   Port: SMTP port
   Domain: Domain name
   Use TLS if available: Aspera recommends turning TLS (Transport Layer Security) on to secure your server.
   Timeout: The timeout for connecting to SMTP servers. The default is 3 seconds.
   Username: username

   Password: password
   From: The default sender address and sender name that appear in notifications when they receive an email notification.
3. To debug the SMTP server settings, click Send Test.

   Note: If you get the error "Net::SMTPUnknownError: could not get 3xx (550)" when sending a test message, you might be blocked by your domain as a potential spammer. Aspera recommends that you set an SPF record for your domain to identify which mail servers are allowed to send on behalf of your domain. For more information about SPF and how to create an SPF record, see a/bin/answer.py?hl=en&answer=33786&topic= &rd=1

After you have configured the SMTP server, you can return to this page to view all APOD / SOD activity related to it in the Activity tab. Each reported activity event is accompanied by a tag. You can click the tag to find related activities. You can also perform an activity event search by clicking Search and entering the requisite information.

Updating Links in Notifications

IBM Aspera Shares generates links in notifications using the hostname or IP address set in its Web Server settings. By default, it is set to example.com.

Important: If you change the hostname of the APOD / SOD machine, you must update the Host field with the new hostname or IP address.

1. Go to Admin > System Settings > Web Server.
2. Update Host with the IP address or hostname of the APOD / SOD machine. By default, the port is set to 443 and SSL/TLS is selected.
3. To save your changes, click Save.

Configure Settings

Admins can set the default notification settings for new IBM Aspera Shares users.

Note: Changing these preferences does not affect settings for current users. Current users can update their own settings. For more information see Configure User Preferences.

Go to Admin > > Settings. Select from the following options:

Notify users on share authorization: Notify users when they are authorized to a new share.

Notify users on transfer complete: Notify users when a new transfer is completed to a share (and share notification is enabled).
Notify admins on user share authorization: Notify admins when a user is authorized to a share. Note: This option is available for admins only.
Notify admins on self registration request: Notify admins when there is a new user self registration request and self registration is set to moderated. For more information, see Moderate Self Registered Accounts. Note: This option is available for admins only.

Creating Templates

IBM Aspera Shares comes with preconfigured notification templates. The text of these templates can be customized to your specifications. Template substitution variables are useful for creating reusable boilerplate text that can be used across multiple templates.

To modify a template, create a new template by copying one of the preconfigured templates and editing it. You cannot modify or delete the preconfigured templates.

1. From the Admin page, click > Templates.
2. To view a template, click its name. To return to the list of templates, click your browser's back button or > Templates.
3. Click Copy to create a copy of the template you wish to modify. The copied template appears in the list with the name template_name 1 and is greyed out because it is not yet active.
4. Click the name of the new template to edit it.
5. To change the template name and subject line, click Edit next to Details.
   The default subject line includes the Template Substitution Variable {{subject_prefix}}. To get more information about and use substitution variables, click Template Substitution Variables at the bottom of the page and click Show More in the pop-up window. (Make the pop-up window small again by clicking Show Less.) To insert a substitution variable, put your cursor where you want the variable inserted in the text, then click Add next to the variable in the Substitution Variables window.

   To create new variables or modify existing ones, see Creating and Modifying Variables in Templates.

   Important: You must click Save for your changes to be saved.
6. To change the text of the email, click Edit next to HTML Template and Plain Template.
   Email notifications always include the HTML and plain-text versions of the message. Aspera recommends editing the plain-text version first, then copying and pasting the edited text to the equivalent location in the HTML template. The editing interface for the two can be open simultaneously. You may add template substitution variables as described for editing template details.

   Important: You must click Save under both editing boxes for your changes to be saved.
7. Make the new template the default notification.
   Return to the Templates page and select Active? and Default?. When Default? is selected for the new template, it will automatically be cleared for the original template.

   Note: To delete a modified template, select a different template for the default, clear Active?, then click Delete. Click OK in the pop-up to confirm template deletion.

Creating and Modifying Variables in Templates

Variables are useful for creating reusable boilerplate text that can be used across multiple templates. You can create or modify variables for use in your IBM Aspera Shares notification templates. When editing a variable, you can configure both HTML and plain-text versions.

1. Click > Variables to open the Notification Variables page.
2. To modify a built-in Shares variable, click Edit. Edit the text and html, then click Update Notification Variable to save your changes.
3. To create a new variable, click New Notification Variable. Edit the text and html, then click Create Notification Variable.
   The new variable appears as a new entry in the Notification Variables list and is available in the Substitution Variables dialog for use in templates.

Managing Nodes

Modifying Nodes

To modify a Shares node, go to Home and select Edit from the drop-down menu under NODES.

Action
Browse: For more details, see Browsing Nodes.

Edit: Opens the node's Detail view. Check the node's status by clicking Test. If the node is functioning properly, a message below the node name will read "Status: OK. (Last checked X seconds ago.)" Change the values set during configuration in the fields and click Update Node to save your changes. For more details, see Adding Nodes. To delete the node, click Delete.
Shares: This is also accessible as a tab in the node's Detail view. View the name and directory of the node's shares. To edit a share, click Edit to go to the share's detail page. For more details, see Creating a Share and Modifying a Share.
Admin Activity: This is also accessible in the Activity tab in the node's Detail view. View a list of all administrative activity that has occurred on the node. Click Search to search for activity based on tagged events or a date range.
Delete: Deletes the node from Shares.

Browsing Nodes

You can browse a node by clicking Browse in the node's drop-down menu or by clicking the name of the node on the home page. This opens a page that displays all directories and files on that node.

Search for a directory name by entering a word or phrase in the Name field and clicking Search. Click Advanced to limit the search by size or date modified. For more information, see Searching Nodes and Shares.

The following buttons enable you to perform actions on a directory or directories.

Action
Bookmark: Create a shortcut to the selected directory. If you do not select any directory, the bookmark is the node's root directory. Bookmarks appear in a list above the Shares list on your home page.
Download: Download the selected directory or directories using the IBM Aspera Connect Browser Plug-in. For more information, see Transferring Files.
Upload: Upload a file or folder from another machine to this node using the IBM Aspera Connect Browser Plug-In. For more information, see Transferring Files.
Delete: Delete the selected directory or directories.
New Folder: Create a new directory on the node.
Rename: Rename a directory on the node.
Create Share: Create a share for the selected directory. You can only select one directory at a time. Click Create Share to open the New Share dialog. This dialog is pre-populated

with the node and directory information. To complete the other fields, see Adding Nodes.
Sort: Sort the directories of a node by:
   Type
   Size
   Size Descending
   Last Modified
   Last Modified Descending

Searching Nodes and Shares

To search a share or node, select a share or node on your Home page. In the Name box, enter a keyword for your search. IBM Aspera Shares wraps any keyword that you enter in *, such that if you enter the keyword Dec, the search actually performs as *Dec* and Shares returns any string that contains this word.

To include sub-directories in the search, select Search sub-folders.

To limit the search results by size or date last modified, use Advanced search. For size values, include the unit of measure as bytes, MB, or GB. Select a date from the pop-up calendar.

Managing User Accounts

Understanding User Roles and Share Authorization

Overview: User roles in Shares determine a user's permissions to access and perform actions on a share. There are three user roles for an account authorized to access a share: administrators, managers, and regular users.
   Admins have full permissions to view, modify, and remove all existing shares and users.
   Managers have permissions to view, modify, and remove shares for which they have authorization to manage.
   Users have permissions depending on the authorizations given them by admins and managers.

User, group, and directory service accounts must be authorized to access a share. If authorized, a user can perform the following actions on a share:
   Browse
   Upload
   Download
   Make directory
   Delete directory or file

   Rename

Note: If you do not have browse permissions but have all other permissions, you can still perform Upload File and Upload Folder operations in the user interface, though the contents of the share are not displayed.

Authorization Precedence

Authorizations can be granted to users, groups, and directory services. Authorization at the user level takes precedence over the user's group or directory service authorizations. In the absence of user level authorization, a user is granted the union of all authorizations for the groups and directory services to which the user belongs.

Administrators

Users with the admin permission are authorized to create new shares and users, as well as to modify or remove any or all shares and users. Nodes are only visible to administrators. All administrators are authorized to create, edit, and delete any or all nodes and shares. Only administrators can create, edit, and delete top-level shares.

Managers

Administrators can use the manager permission to delegate the creation of shares and users to another user without giving that account full administration privileges. Like administrators, managers can view, edit, and remove share authorizations but only for shares that they manage.

Assigning a user to a share as its manager gives that user administrative privileges for that share and all inherited subdirectories. If a user creates a new share within a managed share, the manager of the share has administrative rights to the new share. For instructions on how to authorize manager permissions, see Assigning Users the Manager Role.

Though a user with manager permissions effectively becomes the admin for that share, the following restrictions apply:
   A manager cannot modify or delete the top-level share or any shares above it.
   A manager cannot create a share at the same level of the first share.
   For a manager to administer a group, the manager must have manager permissions for all of that group's shares.
   Managers cannot edit Admin user properties, but they can edit other managers in Admin > Users.
   A manager cannot authorize new users or groups for shares the manager does not manage.
   For a manager to change the password or email of a user, the manager must be a manager of all the shares that user is authorized to access.

Users

Regular users can access any shares for which they have authorizations to access, but the actions they are allowed to take are set and managed by any user with administrative privileges for that share.

Adding Local Users

Administrators can create local IBM Aspera Shares user accounts that are added to the local Shares database. For directory service users, see Importing Directory Service Users.

1. From the Admin page, click Accounts > Users and click New.
2. Enter the user's account information.
3. Set the user password. You can do so in one of two ways:
   Select Send login link in welcome to send a login link through a welcome email that prompts the user to set a password.
   Select Set password to set a temporary password on the user's behalf. Enter the following information:

   Option/Field
   Send welcome: Send the new user an email with the new account's username and password.
   Prompt to change password on first login: Force the new user to change the account password on first login.
   Password / Password confirmation: Enter and confirm the user's password.
4. Click Create User.

After creating a user, Shares redirects you to the user's Security settings. From this page, you can also access the user's groups, shares, and transfer settings, the user's preferences, and the user's activity logs. For more information, see Configure User Settings.

Note: A new user may only log in if the number of users active in the last hour is less than the max number of users allowed by your license.

Configure User Settings

You can access a user's settings and activity logs by clicking Edit for the user you wish to configure. View a list of users by clicking Accounts > Users from the Admin page.

Tab
Detail: Update the local user's name, username, and address, or delete the local user from Shares.
Member of: Add the user to a local group by selecting one from the drop-down list. Only local groups that have been added to Shares appear on this list. After adding a local user to a local group, click Edit to modify the group's settings or click Remove to delete the user from the group. Clicking Edit takes you to the local group's configuration page. For details on modifying a local group's settings, see Adding Local Groups.
   Note: You cannot add local users to a directory service group, only to local groups. For instructions on configuring directory service users, see Importing Directory Service Users.
Security: You can configure the following security settings:
   Send the user a password reset link.
   Disable the user's account. A disabled user cannot log into Aspera Shares even if the user belongs to a group that has group access permissions.
   Allow the user to log into Shares.
   Make the user an administrator.
   Allow the user to log into the API. Users who do not have Browse permissions can log into the API and perform transfer and file operations through SSH. For more information, see Shares API Permissions.
   Set an account expiration date.
   Set a temporary password.
Shares: Displays all shares for which the user has authorization. For more information on authorizations, see Authorizing Users to a Share. If this user belongs to a local group and the group has access to a share, that share is listed here because permission to access the share is inherited from the group. To edit these permissions or disallow the local user's access to a share, click Edit.

   To authorize new shares for the local user, click Add Share. A list of shares appears. Click Authorize to authorize a share. Select permissions that the local user has for the share. After modifying the settings, click Update. You may disallow access to a share by clicking Delete.
   Note: Regular users are not automatically notified when given access to a share unless they have enabled it. For instructions on enabling these notifications, see Configure User Preferences.
Preferences: Select a timezone and enter any comments.
Transfer Setting: The user's default transfer settings are those of the node where the share is located. To override these defaults, click Override these settings and configure the transfer settings. For more information, see Configuring Transfer Settings.
Activity: View and search for Shares activities by this user.

Unlocking User Accounts and Changing Passwords

If a user enters an incorrect password too many times, the user account is locked until the admin unlocks it and either resets the password for the user or sends a password reset link to the user.

1. Go to Admin > Users.
2. To unlock an account, click Edit for the locked user account. Click Unlock next to the username.
3. To reset the user account password, go to Security. The admin can either send a password reset link, or set a new password.
   To send a password reset link, click Send password reset link.
   To set a new password, select Set password. Enter the new password in the password fields. Select Prompt to change password on next login to require the user to update their password from the one assigned by the admin.

Disabling and Deleting User Accounts

IBM Aspera Shares allows you to disable or delete user accounts.
   Disabling an account removes all log in and transfer privileges, including logging into the API, but retains the account and its configuration settings. To reinstate access to the user, you can enable the account without adding them to Shares again.
   Deleting an account removes all log in and transfer privileges, as well as the account and its configuration settings. To reinstate access to the user, you must add them again as a new user.

Disabling a User Account

1. From the Admin page, click Accounts > Users.
2. Click Edit next to the account you want to disable.
3. On the Security tab, select Disabled.
4. Click Update Permissions to save your change.

To restore a disabled user account, clear Disabled in the account security settings.

Deleting a User Account

1. From the Admin page, click Accounts > Users.
2. Click Edit next to the account you want to delete.

3. On the Detail tab, click Delete.
4. Click OK in the pop-up window to confirm account deletion.

Setting a User Account Expiration Date

If you want a user to have access to IBM Aspera Shares for a limited time, you can set an expiration date for the user account.

1. From the Admin page, click Accounts > Users.
   The list of user accounts includes a column Expiry Date in which user account expiration dates are listed.
2. Click Edit next to the account for which you want to set an expiration date.
3. On the Security tab, click the box next to Account expires on. Click the desired expiration date in the pop-up calendar.
4. Click Update Permissions to save your change.
   If the user attempts to log in after the account expiration date, they receive an error message indicating that the account has expired.
5. To restore an expired user account, set a new expiration date or leave the field blank.

Assigning Users the Manager Role

For more information on manager permissions, see Understanding User Roles and Share Authorization.

1. Use the drop-down menu to the right of the share and click Authorizations.
2. Click Authorize User, Authorize Group, or Authorize Directory.
3. Search for the name of the user, group, or directory service you want to authorize.
4. Click Add.
5. On the Authorizations page, select manage to enable management of the share.

The user, group, or directory service is now authorized to create and modify shares and users within the managed share.

Disabling a User's Home Share

These instructions describe how to disable a specific user's Home Share. To disable automatic Home Share creation for all new users, see Disabling Home Shares.

1. From the Admin page, click Accounts > Users.
2. Click Edit for the user.
3. Click the Home Share tab and select Home Share disabled.

Searching Accounts

1. On the Admin page, click Accounts > Groups or Accounts > Users, depending on what account type you want to search for.
2. Click Search at the top of the page.
3. Enter at least two characters for your search query. You can search by username, first name, or last name.

Note: Shares does not support searching by full name. For example, if you are searching for a user "jd_user1" with first name "John" and last name "Doe", searching "John" or "Doe" would both return "jd_user1", but searching "John Doe" would not return the user.

Managing Group Accounts

Adding Local Groups

Administrators can create IBM Aspera Shares local groups, in which all users who belong to the group have the same Shares authorizations and belong to the local database, rather than to a directory service.

1. From the Admin page, click Accounts > Groups > New.
2. Name the new local group and click Create Group.
3. Optional: Select Login to enable all users in the group to log in to Shares and click Update Permissions. Select Admin to authorize all users in the group as admins and click Update Permissions.

After creating a group, you are redirected to the group's Security settings. From this page, you can add users to the group, authorize shares, configure transfer settings, and view the group's activity logs. For more information, see Configure Local Group Settings.

Configure Local Group Settings

You can access a group's settings and activity logs by clicking Edit for the group you wish to configure. You can view a list of groups by clicking Accounts > Groups from the Admin page.

Detail: Update the group's name or delete the local group from APOD / SOD.

Members: Add members to the group by selecting users from the drop-down list and clicking Add. You will only see local users who have been added to Aspera Shares.
Note: You cannot add directory service users to a local group. For more information on directory service groups, see Importing Directory Service Groups.
Manage existing users by clicking Edit to modify users' settings, or clicking Remove to delete them from the group. When you click Edit, the individual user's configuration page appears. See Adding Local Users for details on modifying a local user's settings.
Security: Configure group-specific security settings for all members.
- Select Login to authorize all group members to log into APOD / SOD. If left clear, you may give individual users access to log in.
- Select Admin to authorize all users with administrative permissions. If left clear, you may give individual users administrative access.
To configure users' security settings from their individual account pages, see Adding Local Users for details.

Shares: Click Add Share to authorize group access to specific shares. A list of nodes and shares that are currently configured in Shares appears. Click Authorize to authorize a share. Set the group's permissions for browsing, transferring, and performing file operations within the share. The default permission is browse. To edit these permissions or disallow the group's access to the share, click edit.

Select permissions that group members have for the authorized share. Click Update. You can disallow access to this share by clicking Delete.

Transfer Setting: To override the default transfer settings for this group, click Override these settings. For more information, see Configuring Transfer Settings. Click Save to keep the new settings or Cancel to cancel setting changes. You may also click Use Inherited Settings to return to the application-wide transfer configuration.

Activity: View and search for Shares activities by this group.

Configuring the Directory Service

Adding a Directory Service (DS)

IBM Aspera Shares supports the Lightweight Directory Access Protocol (LDAP) and can be configured to connect to a directory service. The following directory service databases are supported:

- Active Directory (AD)
- Apple Open Directory
- Fedora Directory Server
- Open LDAP

To add a directory service account:

1. From the Admin page, click Accounts > Directories and click New.
2. Complete the form.

Directory Type: Select a directory service type from one of the following options:
- Active Directory (AD)
- Apple Open Directory
- Fedora Directory Server
- Open LDAP

Name: Enter a name for this directory service.

Description: Enter a description for this directory service.

Host: Enter the directory's IP address or hostname, and then enter the port number. By default, LDAP secured by simple TLS uses port 636, unsecured LDAP uses port 389, unsecured global catalog uses port 3268, and global catalog over SSL uses port

Base DN: The search treebase, for example, dc=mycompany,dc=com for mycompany.com.

Authentication Credentials:
- Anonymous Bind
- Simple Bind
If Simple Bind is selected, you must type your directory service username, which is typically a Distinguished Name (DN) (for example, CN=Administrator,CN=Users,DC=myCompany,DC=com), and your directory service password.

Encryption:
- Unencrypted (Default port 389)

- Simple TLS (Default port 636)
Note: Aspera recommends using Simple TLS to secure your server. By default, LDAP traffic is transmitted unsecured but can be made confidential and secure by enabling TLS.

3. Click Create Ldap config.

Importing Directory Service Users

1. Find your directory service (DS) user. From the Admin page, you can search for your DS user from the Accounts page or from the Directories page:
- Search by name: Click Accounts > Users > Search. Type the username or at least two characters of the user name and click Search. A list of users that match the characters appears.
- Select from a list: Click Directories then click Edit for the corresponding directory. Go to the Users tab. If the number of records exceeds the limit for displaying a list in Shares, Shares displays the following message: "This directory has too many users to show all at once." Enter a minimum of two characters in the search box to search for your user by name.
2. Click Edit to import the user and edit the user's profile. For details on how to edit a user's profile, see Configure DS Users and Groups.

Note: A new user may only log in if the number of users active in the last hour is less than the max number of users allowed by your license.

Importing Directory Service Groups

1. Find your directory service (DS) group. From the Admin page, you can search for your DS group from the Accounts page or from the Directories page:
- Search by name: Click Accounts > Groups > Search. Type the group name or at least two characters of the group name and click Search. A list of groups that match the characters appears.
- Select from a list: Click Directories. Click Edit for the corresponding directory and click the Groups tab.
Note: If the number of records exceeds the limit for displaying a list in Shares, Shares displays the following message: "This directory has too many groups to show all at once."
Enter a minimum of two characters in the search box to search for your group by name.
2. Click Edit for the corresponding group to import the group and edit the group's profile. For details on how to edit a group's profile, see Configure DS Users and Groups.

Configure DS Users and Groups

You can access and edit the settings and activity logs of directory service users and groups by selecting Accounts > Users or Accounts > Groups from the Admin page and clicking Edit.

Detail: View the user or group name, modify the directory, or delete the user or group from Shares.

Member of: Displays all groups to which the DS user or group belongs. If the number of groups exceeds 100, a search facility is opened. A group's Edit link takes you to a DS group's configuration page. For details on modifying DS group settings, see Importing Directory Service Groups.

Members (groups only): Displays the group's DS members and enables you to edit corresponding DS user settings. For details on editing DS user settings, see Importing Directory Service Users.

Security:
For users and groups:
- Allow the user or all users in the group to log into APOD / SOD.
- Authorize the user or all users in the group with Administrator permissions.
For users:
- Disable the user's account. The user is unable to log into APOD / SOD even if the user belongs to a group or directory that has access permissions.
- Allow the user to log into the API. Users who do not have Browse permissions can still log into the API and perform transfer and file operations.
- Set an account expiration date.

Shares: Displays all shares for which the user or group has authorization. For more information on authorizations, see Authorizing Users to a Share. If a user belongs to a DS group, and the group has access to a share, that share is listed because permission to access the share is inherited from the group. The same is true if the entire directory has access to this share. To edit these permissions or disallow the user or group access to a share, click Edit. To authorize new shares for the DS user or group, click Add Share. A list of shares appears. Click Authorize to authorize a share. Select permissions that the DS user or group has for the share. The default permission is browse. If browse is not selected, the DS user or group members are only able to access functions if they have been made API users. To edit these permissions or disallow the DS user or group access to the share, click Edit. After modifying the settings, click Update. You may disallow access to this share by clicking Delete.

Preferences (users only): Select a timezone and add any comments.

Transfer Settings: The user's default transfer settings are those of the node where the share is located. To override these defaults, click Override these settings and configure the transfer settings. For more information, see Configuring Transfer Settings.

Activity: View and search for APOD / SOD activities by a specific user.
Managing a Share

Creating a Share

You can create a share by using one of the following methods:

- On your Home page, click the button next to the SHARES header.
- Browse a Node, Share, or Bookmark and select the directory to share, then click Create Share.
- Browse a Node, Share, or Bookmark, click the drop-down menu associated with the directory you want to share, and click Share.

Each of these goes to the New Share page.

Note: If you want to create a new share from a location on a specific share (for example, from an existing folder on a share), see Creating a Share from a Folder.

1. Configure your new share.

Name: The name of the share is only a description, which means that multiple shares can have the same name.

Node: Select a node from the drop-down list of all available nodes. If you are creating this share by clicking Create a share for a directory selected while browsing a node or share, this field is automatically populated with the node containing the selected directory.

Directory: If you are creating this share from a directory selected while browsing a node or share, this field is automatically populated with the directory. If you are creating a share using the SHARES button, click Browse to browse directories on the node. Select the directory that you want to share, then click Select.
Note: For Windows nodes, folders with names that do not follow the proper Windows folder naming convention do not open in the Shares web UI. For details on Windows folder naming conventions, see msdn.microsoft.com.

Bytes free - warn: Shares issues a warning message when the share has equal to or less than the specified number of bytes free.

You can enter the number as G, MB, terabytes, and bytes.

Percent free - warn: Shares issues a warning message when the share has equal to or less than the specified percent of its storage free.

Bytes free - error: Shares issues an error message when the share has equal to or less than the specified number of storage bytes free. You can enter the number as G, MB, terabytes, and bytes.

Percent free - error: Shares issues an error message when the share has equal to or less than the specified percent of its storage free.

2. Click Create Share to save your entries.

The share appears under the Shares section on your Home page.

Tip: Only the first 100 shares are shown in the left sidebar. Clicking See all displays all shares. When you select a share that is not one of the first 100 shares, it appears under a new section in the left sidebar called "CURRENT SHARE".

To give a user permission to access a share, see Authorizing Users to a Share.

Creating a Share from a Folder

When browsing a share, you can create a new share from a folder in the share.

1. Select the folder from which to create a share and click Create Share. If you would like to create a share from a folder that does not exist, create a new folder with the New Folder button and select that folder.
2. Configure your new share.
Note: The Name, Node, and Directory fields are pre-populated with the name and location of the selected folder.

Name: The name of the share is only a description, which means that multiple shares can have the same name.

Node: Select a node from the drop-down list of all available nodes. If you are creating this share by clicking Create a share for a directory selected while browsing a node or share, this field is automatically populated with the node containing the selected directory.

Directory: If you are creating this share from a directory selected while browsing a node or share, this field is automatically populated with the directory. If you are creating a share using the SHARES button, click Browse to browse directories on the node. Select the directory that you want to share, then click Select.
Note: For Windows nodes, folders with names that do not follow the proper Windows folder naming convention do not open in the Shares web UI. For details on Windows folder naming conventions, see msdn.microsoft.com.

Bytes free - warn: Shares issues a warning message when the share has equal to or less than the specified number of bytes free.

You can enter the number as G, MB, terabytes, and bytes.

Percent free - warn: Shares issues a warning message when the share has equal to or less than the specified percent of its storage free.

Bytes free - error: Shares issues an error message when the share has equal to or less than the specified number of storage bytes free. You can enter the number as G, MB, terabytes, and bytes.

Percent free - error: Shares issues an error message when the share has equal to or less than the specified percent of its storage free.

3. Click Create Share to save your entries.

The share appears under the Shares section on your Home page.

Tip: Only the first 100 shares are shown in the left sidebar. Clicking See all displays all shares. When you select a share that is not one of the first 100 shares, it appears under a new section in the left sidebar called "CURRENT SHARE".

To give a user permission to access a share, see Authorizing Users to a Share.

Modifying a Share

Shares are listed under the SHARES section of the Home page.

Tip: Only the first 100 shares are shown in the left sidebar. Clicking See all displays all shares. When you select a share that is not one of the first 100 shares, it appears under a new section in the left sidebar called "CURRENT SHARE".

Use the drop-down menu to the right of the share name to do the following on a share:

Browse: Explore directories and files within a share. For details, see Browsing a Share.

Activity: A list of all activity that has occurred on the selected share appears. You can also search for activity based on tagged events or a date range.

Comments: A list of any comments that have been made about the share appears. You can also add your own comments.

Notifications: Set your preference for receiving notifications when new content has been added to your share.

Edit (Detail tab): Open the share Detail view.
- Check the status by clicking Test. If the share is functioning properly, a message below the share name reads, "Status: OK. (Last checked X seconds ago.)"
- Change the values (set during configuration) in the fields and click Update Share to save your changes. For more details on the settings, see Creating a Share.
- To delete the share, click Delete.

Authorizations: Set authorization for browsing, file transfer, file operations, and notifications related to the share for existing users, groups, and directories. For more information on authorizations, see Authorizing Users to a Share.

Admin Activity: A list of all admin activity that has occurred on the share. You may also search for activity based on tagged events or a date range.

Delete: Deletes the share.

Browsing a Share

When you browse a share, all files and directories within that share are displayed.

The name of the share appears at the top. The search bar enables you to search for specific files or directories (for more information, see Searching Nodes and Shares). When you select a file or directory in the share, you can click one of the buttons (for example, Bookmark) to act on the share. Total Count displays the total number of entries (files and directories) in the current share.

The buttons perform the following functions:

Bookmark: Create a shortcut to the selected directory. If you do not select any directory, the bookmark is the node's root directory.

Download: Download the selected directory or directories using the IBM Aspera Connect Browser Plug-In. For more information, see Transferring Files.

Upload File: Upload a file from another machine to this share using the IBM Aspera Connect Browser Plug-in. For more information, see Transferring Files.

Upload Folder: Upload a folder from another machine to this share using the IBM Aspera Connect Browser Plug-in. Users do not need permission to create new folders to upload directories.

Delete: Delete the selected directory or directories.

New Folder: Create a new directory in the share.

Rename: Rename an existing directory in the share.

Create Share: Create a share for the selected directory. You must have admin or manager authorization to create a share. You can select only one directory at a time. Click Create Share to open the New Share dialog. The dialog is prepopulated with the node and directory information. To complete the other fields, see Creating a Share.

Authorizing Users to a Share

For an overview on user roles and authorizations, see Understanding User Roles and Share Authorization.

1. From your home page, click a share's drop-down menu, and select Authorizations.
2. Click Authorize User, Authorize Group, or Authorize Directory.
3. For users and groups, enter a user or group name and click Search Users or Search Groups. The search functions as it does for searching shares and nodes. For more information on searching, see Searching Nodes and Shares.
4. Click Add next to the user, group, or directory.
5. Select permissions for the user, group, or directory.

Manage: Select manage to make the user a manager of the share. For more information about managers, see Understanding User Roles and Share Authorization.

Browse: Select browse to give the user permission to browse the node.

Transfer: Select download and upload to give the user download and upload permissions.
Note: Users with upload permissions can upload directories even if they are not permitted to create directories (mkdir is not selected).

File Operations: Select mkdir, delete, and rename to make changes to the files on the node.

Notifications: Select content availability for Shares to send notifications to the user whenever new content is available.

The default permission is browse. If a user does not have the browse or upload permissions, the user can only access Shares functions if the user has been made an API user. For more information about API permissions, see Shares API Permissions.

6. Click Update to save your changes.
7. Remove all authorization for a user, group, or directory by clicking Remove.
Transferring Files

Uploading and Downloading Content

IBM Aspera Application Platform / Server On Demand (APOD / SOD) users may upload and download content to and from a share if they are authorized to do so by clicking the corresponding action buttons shown when browsing a share. Transfers are managed by IBM Aspera Connect Browser Plug-in. For more information on the Connect Browser Plug-In, see IBM Aspera Application Platform / Server On Demand (APOD / SOD) and the Connect Browser Plug-In.

When initiating a transfer, Shares opens the transfer in the Connect Browser Plug-In transfer window. For more information on the Connect transfers window, see The Transfers Window.

Users with sufficient permissions can adjust file transfer speed by opening the Transfer Monitoring window. For more information, see Monitoring Transfers.

IBM Aspera Application Platform / Server On Demand (APOD / SOD) and the Connect Browser Plug-In

Transfers initiated in the IBM Aspera Application Platform / Server On Demand (APOD / SOD) web application are conducted using the IBM Aspera Connect Browser Plug-in. The Connect Plug-In is an install-on-demand web browser plug-in that facilitates high-speed uploads and downloads with an Aspera transfer server.

The Connect Install Dialog

When a user first logs in, APOD / SOD checks if the Connect Plug-In has been installed on their browser. If they have an outdated version or do not have the plug-in installed, APOD / SOD prompts the users to download and install the plug-in. Clicking Download latest version connects the user to Aspera's CloudFront CDN from which they can download the Connect Plug-In installer.

Each page of Shares checks for the presence of Connect. If Connect is missing, Shares prompts you to download the plug-in. To suppress Shares from prompting you to install Connect on each page, go to your Preferences page and set the value of Suppress Connect Install Dialog to true.

Transfers with Connect

For more information on transferring content with Connect, see Uploading and Downloading Content.

Serving Connect Locally

If you are operating within a closed system, you may want to host the IBM Aspera Connect installers and plugins locally rather than having the downloads served from Aspera's CloudFront CDN. This also enables you to enforce a certain version of the Connect plug-in. You can host the IBM Aspera Connect Plug-in SDK installers locally. For more information on serving the Connect plug-in locally, see Serving Connect from a Local Location.

The Transfers Window

You can view and manage all transfer sessions within the Transfers window. The Transfers window contains the following controls:

- Open the Transfer Monitor. For more information on using this feature, see Monitoring Transfers.

- Open the folder on your computer that contains this content.
- Stop the transfer session.
- Resume transfer.
- Retry a failed transfer.

When the queuing option is enabled, only a certain number of concurrent transfers are allowed. The additional transfers will be queued in the Transfers window and initiated when a transfer is finished. You can manually start a queued transfer by clicking the button. You can also right-click on a started or stopped transfer to access various controls. The example below shows the right-click options for a stopped transfer.

Monitoring Transfers

You can monitor and adjust file transfer speed by clicking to open the IBM Aspera Connect Browser Plug-in Transfer Monitor dialog. If you have sufficient server privileges and your transfer server is configured to allow it, you may modify the following in this dialog:

Transfer progress bar: Adjust the file transfer speed by clicking and sliding the transfer progress bar.

Click to view the destination folder of the transferred files.

Click to stop the transfer session.

Transfer policy: Select the transfer policy from the drop-down list:
- Fixed: The transfer transmits data at a rate equal to the target rate, although this may impact the performance of other traffic present on the network.
- High: The transfer rate is adjusted to use the available bandwidth up to the maximum rate.
- Fair: The transfer attempts to transmit data at a rate equal to the target rate. If network conditions do not permit that, it transfers at a rate lower than the target rate, but not less than the minimum rate.
- Low: The transfer rate is less aggressive than Fair when sharing bandwidth with other network traffic. When congestion occurs, the transfer rate is decreased to the minimum rate, until other traffic retreats.

Note: You can only switch between High and Fair transfer policies if the host is IBM Aspera Enterprise Server version 3.0 or later.
Serving Connect from a Local Location If you need to host the IBM Aspera Connect Plug-in SDK installers locally, you can download the Connect SDK file and configure Shares to point to a local copy of the Connect SDK hosted at a non-standard location. In this way, users download Connect from a server of your choice. 1. Download the Connect SDK zip file from the Aspera Developer Network.

2. Create the directory /opt/aspera/shares/u/connect-sdk and extract the contents of the Connect SDK into this directory.

3. Edit the connectinstaller-4.js file found at the following location:

    /opt/aspera/shares/u/connect-sdk/v4/connectinstaller-4.js

   Change the default SDK location to connectoptions.sdklocation.

    var updatesurl = connectoptions.sdklocation;

4. Create a Connect Nginx configuration file named "connect-sdk" at /opt/aspera/shares/etc/nginx/locations-available/connect-sdk with the following content:

    location /connect/ {
        alias /opt/aspera/shares/u/connect-sdk/;
        expires 1d;
    }

5. Create a symlink between the connect-sdk file and the locations-enabled folder so Nginx includes the configuration file.

    # ln -s /opt/aspera/shares/etc/nginx/locations-available/connect-sdk /opt/aspera/shares/etc/nginx/locations-enabled

6. Point Shares to the new Connect SDK location by editing the file at /opt/aspera/shares/u/shares/app/views/node/shared/_aspera_web_plugin_install.html.haml.

   Change the following line to one of two options:

    - connect_autoinstall_location = '//d3gcli72yxqn2z.cloudfront.net/connect/v4'

   Programmatically set the domain name of the server.

    - connect_autoinstall_location = "//#{ request.host_with_port }/connect/v4"

   Manually set the domain name of the server. Replace shares.example.com with the Shares server domain.

    - connect_autoinstall_location = '//shares.example.com/connect/v4'

   Find the following line under function loadconnectscript:

    var url = window.location.protocol + CONNECT_AUTOINSTALL_LOCATION + '/' + script + '.min.js';

   Replace it with the line below:

    var url = window.location.protocol + CONNECT_AUTOINSTALL_LOCATION + '/' + script + '.js';

7. Restart Shares and Nginx.

    # service aspera-shares restart
    # killall -HUP nginx

Your Shares server is now hosting IBM Aspera Connect Browser Plug-in and installers.

Note: You may need to clear your browser cache in order for these changes to take effect.
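In a closed system it is worth confirming that no step of the procedure above was missed, since a leftover CDN reference sends browsers outside the network for the plug-in. The script below is an added example, not part of the IBM documentation: the function names, the ROOT prefix argument and the sample tree are assumptions for illustration, as is treating the loadconnectscript line as part of the same .haml template.

```shell
#!/bin/sh
# Added example (not IBM code): audit the local Connect SDK hosting steps.
# ROOT ($1) is a hypothetical prefix so a staged copy can be checked; pass ""
# on a live server. Prints one FAIL line per finding, returns 0 if clean.
audit_connect_local() {
    shares="$1/opt/aspera/shares"
    js="$shares/u/connect-sdk/v4/connectinstaller-4.js"
    avail="$shares/etc/nginx/locations-available/connect-sdk"
    link="$shares/etc/nginx/locations-enabled/connect-sdk"
    haml="$shares/u/shares/app/views/node/shared/_aspera_web_plugin_install.html.haml"
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    # Steps 2-3: SDK extracted, installer reads connectoptions.sdklocation.
    if [ ! -f "$js" ]; then
        fail "SDK installer script missing: $js"
    elif ! grep -qi 'updatesurl *= *connectoptions\.sdklocation' "$js"; then
        fail "connectinstaller-4.js still uses its default SDK location"
    fi

    # Step 4: Nginx serves /connect/ from the local SDK directory.
    if [ ! -f "$avail" ]; then
        fail "Nginx location file missing: $avail"
    elif ! grep -Eq 'alias[[:space:]]+/opt/aspera/shares/u/connect-sdk/;' "$avail"; then
        fail "Nginx location does not alias the local SDK directory"
    fi

    # Step 5: the location is enabled through a symlink that resolves.
    if [ ! -L "$link" ]; then
        fail "locations-enabled/connect-sdk is not a symlink"
    elif [ ! -e "$link" ]; then
        fail "locations-enabled/connect-sdk is a dangling symlink"
    fi

    # Step 6: template no longer points at the CDN or at .min.js files.
    # Assumption: the loadconnectscript line lives in the same template.
    if [ ! -f "$haml" ]; then
        fail "install template missing: $haml"
    else
        # Active HAML Ruby lines start with "- "; "-#" comments do not match.
        active=$(grep -E '^[[:space:]]*-[[:space:]]+connect_autoinstall_location[[:space:]]*=' "$haml" || true)
        case $active in
            "") fail "no active connect_autoinstall_location line in template" ;;
            *cloudfront.net*) fail "template still loads Connect from the CloudFront CDN" ;;
        esac
        if grep -Eq 'CONNECT_AUTOINSTALL_LOCATION.*\.min\.js' "$haml"; then
            fail "loadconnectscript still requests .min.js files"
        fi
    fi
    [ "$fails" -eq 0 ]
}

# Constructed sample data: a minimal staged tree under $1. With $2 = local the
# files reflect the finished procedure; otherwise the CDN defaults remain.
make_sample_tree() {
    s="$1/opt/aspera/shares"
    mkdir -p "$s/u/connect-sdk/v4" "$s/etc/nginx/locations-available" \
        "$s/etc/nginx/locations-enabled" "$s/u/shares/app/views/node/shared"
    h="$s/u/shares/app/views/node/shared/_aspera_web_plugin_install.html.haml"
    if [ "$2" = local ]; then
        echo 'var updatesurl = connectoptions.sdklocation;' \
            > "$s/u/connect-sdk/v4/connectinstaller-4.js"
        printf 'location /connect/ {\n    alias /opt/aspera/shares/u/connect-sdk/;\n    expires 1d;\n}\n' \
            > "$s/etc/nginx/locations-available/connect-sdk"
        ln -s "$s/etc/nginx/locations-available/connect-sdk" "$s/etc/nginx/locations-enabled/"
        printf '%s\n' '- connect_autoinstall_location = "//#{ request.host_with_port }/connect/v4"' \
            "var url = window.location.protocol + CONNECT_AUTOINSTALL_LOCATION + '/' + script + '.js';" > "$h"
    else
        printf '%s\n' "- connect_autoinstall_location = '//d3gcli72yxqn2z.cloudfront.net/connect/v4'" \
            "var url = window.location.protocol + CONNECT_AUTOINSTALL_LOCATION + '/' + script + '.min.js';" > "$h"
    fi
}

# Demo on the constructed default tree: every step is reported as missing.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root" default
audit_connect_local "$demo_root" || echo "audit: findings reported above"
rm -rf "$demo_root"
```

On a live server, call `audit_connect_local ""` after step 7; a staged copy symlinked with absolute live paths will report a dangling symlink unless the live target exists.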

Transferring Content Between Shares

Note: This feature is supported only by IBM Aspera Enterprise Server or later.

You can transfer content from any share for which you have download permission to any share for which you have upload permission. Conversely, you can transfer content to any share for which you have upload permission from any share for which you have download permission.

1. Select one or more files or folders from a Share for which you have download permission.
2. Drag the files or folders to a Share for which you have upload permission, or to a bookmark.

When a transfer occurs, a transfer window opens showing the current status of each transfer that is being made. In the Transfer dialog, you can also perform the following actions:

Pause: Temporarily pause a transfer.
Resume: Resume a previously paused transfer.
Clear all: Clear transfers from the list.
Remove: Remove transfer from the list. (This will also cancel any paused transfers.)

Using Bookmarks

Use bookmarks in Shares to save the location of a directory for quick and easy access. Saved bookmarks appear under the BOOKMARKS section in the left sidebar on the Home page. If you do not see BOOKMARKS, you do not have any saved bookmarks.

Creating a Bookmark

To create a bookmark, browse the Node or Shares directory you want to bookmark. Select a directory and click the Bookmark button. If you do not select a directory, clicking the Bookmark button bookmarks the directory you are currently browsing.

Note: You can only bookmark directories. If you select a file and click Bookmark, Shares gives the following message: "Can only bookmark directories".

Managing Bookmarks

You can edit or delete bookmarks from the left sidebar. Hovering over a bookmark reveals the drop-down arrow that allows you to perform the following actions:

Browse: Go to the directory saved by the bookmark.
Edit: Change the name of the bookmark.
Note: You cannot change the bookmark directory. To change the directory, you must delete this bookmark and create a new bookmark from the desired directory.

Delete: Deletes the bookmark.

Note: If you lose permission to browse a directory, bookmarks of those directories are not automatically removed. You can still access the bookmark, though you can no longer browse the directory.

Monitoring Shares

Monitoring Shares Activity

Admins can view and search activity in IBM Aspera Application Platform / Server On Demand (APOD / SOD), including user logins, share authorizations, and transfers, in the Activity page and in the Activity tab for users, groups, and directories.

Viewing Activity

- All activity: On the Admin page, click Activity to go to a searchable list of all activity in Shares.
- Activity by user, group, or directory service: On the Admin page, click Users, Groups, or Directories. Click Edit next to the user, group, or directory and go to the Activity tab where a searchable list of activity by that entity is displayed.

Searching Activity

Click Search to open a search dialog. Confine your search to a date range using the From and To fields. Search for specific events by typing in a keyword. Once you have entered one or more letters, Shares suggests a list of events containing the string. For example, typing share returns the following options:

- DirectoryCreatedOnShare
- FileRenamedOnShare
- FilesDeletedFromShare
- ShareAuthorizationCreated
- ShareCreated
- ShareDeleted
- ShareStatusChanged

Click Search to start your search.

In the search results, to view details of an event click Show. To see a list of all events of that type, click the event name.

Errors and Warnings

You can review errors and warnings associated with IBM Aspera Shares activity to identify problems. The Errors and Warnings page can be accessed by clicking Monitor > Errors and Warnings or the warning icon in the upper right corner of Shares pages.

Access from Monitor > Errors and Warnings

Click Monitor > Errors and Warnings to go to a table of all errors and warnings. The Errors and Warnings page provides the following options for viewing them.

- To search for specific errors or warnings, enter the object, such as Node or User, or the level (error or warning) in the search fields and click Search.
- To sort errors and warnings by level (warning or error) or object, click the dropdown menu next to Sort. The default sort is by level.
- If more information about an error or warning is available, go to it by clicking the link next to the error.
- To go to the error log, click the description link for the object "ErrorLog."

Access from the Warning Icon

The warning icon shows the total number of errors and warnings. Click the icon to open a pop-up window that displays a summary of errors (red icons) and warnings (orange icons). Buttons at the bottom of the window show the number of warnings and errors. The pop-up window provides the following options for viewing errors and warnings:

- To go to a searchable list of all warnings, click.
- To go to a searchable list of all errors, click.
- If more information about an error or warning is available, go to it by clicking the error description.
- To go to the error log, click Found number errors in error_logs table.
- If there are too many errors and warnings to fit in the pop-up window, click + number more, which goes to the same page as Monitor > Errors and Warnings.

Configuring the Stats Collector

Adding Existing Nodes to Stats Collector

1. Go to the Shares shell.

    # cd /opt/aspera/shares/u/shares/bin

2. Run the following rake task to add existing nodes to stats collector:

    # ./run rake aspera:stats_collector:add_all_nodes

Configure Stats Collector Log Levels

Edit the stats collector logging configuration file, logback.xml, to view more detailed information in stats collector logs.

1. Open the logback.xml file.

Find it in: /opt/aspera/shares/u/stats-collector/etc/logback.xml
2. Edit the statscollector.log.level value. Change INFO to DEBUG.
    <root level="${statscollector.log.level:-info}">
      <appender-ref ref="file"/>
      <appender-ref ref="stderr" />
    </root>
3. Restart stats collector for the changes to take effect. Run the following command:
    # /opt/aspera/shares/sbin/sv restart stats-collector

Stats collector logs should now show debugging information. To change log levels back to normal, open the logback.xml file and change DEBUG back to INFO.

Lowering Stats Collector Polling Frequency

Lowering the frequency that stats collector polls nodes for statistics can free up memory and lower the load on your server. This is especially applicable to cases where the stats collectors of multiple machines are all polling a single node for statistics.

1. Open the stats-collector.properties file. Find the file at: /opt/aspera/shares/u/stats-collector/etc/stats-collector.properties.
2. Uncomment and specify the polling.period variable:
    ## The time period at which nodes are polled for new statistics.
    ## Default 1s
    # polling.period=
   For example, increase the polling period to 5s to lower the load on your server:
    ## The time period at which nodes are polled for new statistics.
    ## Default 1s
    polling.period=5s
3. Restart stats collector for the changes to take effect. Run the following command:
    # /opt/aspera/shares/sbin/sv restart stats-collector

Retrieving Stats Collector Version Number

Run the following command:
    # /opt/aspera/shares/u/stats-collector/bin/run java -jar lib/statscollector-admin.jar -A

Working with Rake Tasks

Configure Users With Rake Tasks

Rake tasks can be used to configure and manage IBM Aspera Shares users, groups, shares, and nodes from the command line. Rake tasks must be run from the Shares shell, as described in the following steps:

1. Go to the shares folder:
    # cd /opt/aspera/shares/u/shares/bin
2. Test that your rake tasks are working correctly.
    ./run rake -T

The following rake tasks create, modify and delete users, as well as export and import users from .csv files.

Create User
    ./run rake data:user:create -- --username username --password password -- _address --first_name first_name --last_name last_name
For example:
    ./run rake data:user:create -- --username johndoe --password ********* -- --first_name John --last_name Doe

Delete User
    ./run rake data:user:delete -- --username username
For example:
    ./run rake data:user:delete -- --username johndoe

Update User
    ./run rake data:user:update -- --username username --password password first_name first_name --last_name last_name
For example:
    ./run rake data:user:update -- --username johndoe --password ********* -- --first_name John --last_name Doe

Export a List of Users
    ./run rake data:user:export -- --path /path/to/file
For example:
    ./run rake data:user:export -- --path /temp/projectgroups.txt

The export command writes the groups into a .txt file. For example, the projectgroups.txt file may read like below:
    projectgroup1
    projectgroup2

Import Users (from .csv)

Note: The .csv file must use the following format: Username, , First Name, Last Name, Password

    ./run rake data:user:import -- --path /path/to/file
For example:
    ./run rake data:user:import -- --path /temp/users.csv

Important: By default, users created by this rake command are not allowed to log into Shares. A Shares admin can set login permissions for these users one by one by going to Admin > Users, selecting the user, clicking Edit Security, and selecting the Login permission. Users for whom no passwords are specified are assigned a random password and must click the Forgot your username and password? link to reset their password and log in.

Import SAML User
    ./run rake data:user:saml:import -- --id full_distinguished_name --name_id shares_username [OPTIONS]

Note: Delimit distinguished names containing spaces with quotes (").

When running the create and update tasks, you can add the following options to your command to set values for the Shares user's fields:

Option                      Description
--given_name given_name     This value determines the Shares user's first name.
--surname surname           This value determines the Shares user's last name.
--                          This value determines the Shares user's email address.

For example:
    ./run rake data:user:saml:import -- --id "CN=saml doe,ou=ak,ou=users,ou=asperasoft,dc=dev,dc=aspera,dc=us" --name_id samldoe --given_name Sam --surname Doe -- samldoe@shares.example.com

Fetch User Details from LDAP
    ./run rake data:group:ldap:fetch -- --username username
For example:
    ./run rake data:group:ldap:fetch -- --username samldoe

Delete LDAP User
    ./run rake data:user:ldap:delete -- --username username
For example:
    ./run rake data:user:ldap:delete -- --username samldoe

Configure Groups With Rake Tasks

Rake tasks can be used to configure and manage IBM Aspera Shares users, groups, shares, and nodes from the command line. Rake tasks must be run from the Shares shell, as described in the following steps:

1. Go to the shares folder:
    # cd /opt/aspera/shares/u/shares/bin
2. Test that your rake tasks are working correctly.
    ./run rake -T

The following rake tasks create and delete groups, as well as add or delete users from a group.

Create Group
    ./run rake data:group:create -- --group_name group_name
For example:
    ./run rake data:group:create -- --group_name projectgroup1

Delete Group
    ./run rake data:group:delete -- --group_name group_name
For example:
    ./run rake data:group:delete -- --group_name projectgroup1

Add User to a Group
    ./run rake data:group:user:add -- --username username --group_name group_name
For example:
    ./run rake data:group:user:add -- --username johndoe --group_name projectgroup1

Add LDAP User to a Group
    ./run rake data:group:authorizable:user:add -- --username ldap_username --group_name group_name

For example:
    ./run rake data:group:authorizable:user:add -- --username johnldap --group_name projectgroup1

Remove User from a Group
    ./run rake data:group:user:remove -- --username username --group_name group_name
For example:
    ./run rake data:group:user:remove -- --username johndoe --group_name projectgroup1

Export a List of Groups
    ./run rake data:group:export -- --path /path/to/file
For example:
    ./run rake data:group:export -- --path /temp/groupexport.txt

Import Groups from a Text File
    ./run rake data:group:import -- --path /path/to/file
If the group already exists in Shares, the rake task does not add the group.
For example:
    ./run rake data:group:import -- --path /temp/projectgroups.txt
Where the projectgroups.txt file contains the following:
    projectgroup1
    projectgroup2
    projectgroup3
    projectgroup4
    projectgroup5
    projectgroup6

Create SAML Group
    ./run rake data:group:saml:create -- --group_name group_name
For example:
    ./run rake data:group:saml:create -- --group_name samlgroup1

Fetch Group Details from LDAP
    ./run rake data:group:ldap:fetch -- --group_name group_name

For example:
    ./run rake data:group:ldap:fetch -- --group_name samlgroup1

Delete LDAP Group
    ./run rake data:group:ldap:delete -- --group_name group_name
For example:
    ./run rake data:group:ldap:delete -- --group_name samlgroup1

Configure a Share With Rake Tasks

Rake tasks can be used to configure and manage IBM Aspera Shares users, groups, shares, and nodes from the command line. Rake tasks must be run from the Shares shell, as described in the following steps:

1. Go to the shares folder:
    # cd /opt/aspera/shares/u/shares/bin
2. Test that your rake tasks are working correctly.
    ./run rake -T

The following rake tasks create, modify, and delete a share, as well as manage a user or group's share permissions.

Tip: Square brackets in usage statements denote optional arguments and need not be included when running the commands.

Create Share
    ./run rake data:share:create -- --node_name node_name --share_name share_name --directory directory
For example:
    ./run rake data:share:create -- --node_name aspera --share_name share1 --directory /mnt

Delete Share
    ./run rake data:share:delete -- --share_name share_name
For example:
    ./run rake data:share:delete -- --share_name share1

Modify Share

Note: Uses the same syntax as create share. Change the values as needed to modify the attributes of the specified share.
    ./run rake data:share:create -- --node_name node_name --share_name share_name --directory directory

For example:
    ./run rake data:share:create -- --node_name aspera --share_name share1 --directory /mnt

Manage User's Share Permissions
    ./run rake data:user:share_permissions -- --username username --share_name share_name [--permission true/false --permission true/false...]
Where valid permissions are:
    browse_permission
    download_permission
    upload_permission
    mkdir_permission
    delete_permission
    rename_permission
    content_availability_permission
    manage_permission
For example:
    ./run rake data:user:share_permissions -- --username users --share_name share1 --upload_permission true --mkdir_permission true

Manage Group's Share Permissions
    ./run rake data:group:share_permissions -- --group_name group_name --share_name share_name [--permission true/false --permission true/false...]
Where valid permissions are:
    browse_permission
    download_permission
    upload_permission
    mkdir_permission
    delete_permission
    rename_permission
    content_availability_permission
    manage_permission
For example:
    ./run rake data:group:share_permissions -- --group_name group1 --share_name share1 --upload_permission true --mkdir_permission true

Export Share Name and Associated Directory
    ./run rake data:share:export -- --path path/to/file

For example:
    ./run rake data:share:export -- --path /tmp/share_export.txt

Configure Nodes With Rake Tasks

Rake tasks can be used to configure and manage IBM Aspera Shares users, groups, shares, and nodes from the command line. Rake tasks must be run from the Shares shell, as described in the following steps:

1. Go to the shares folder:
    # cd /opt/aspera/shares/u/shares/bin
2. Test that your rake tasks are working correctly.
    ./run rake -T

The following rake tasks create, delete, and modify a node.

Tip: Square brackets in usage statements denote optional arguments and need not be included when running the commands.

Options

When running the create and update tasks, you can add the following options to your command to set values different from the defaults:

Option                        Default
--port port
ssl true_or_false             true
--verify_ssl true_or_false    false
--timeout seconds             30
--open_timeout seconds        10

Create Node
    ./run rake data:node:create -- --name name --host host --api_username api_username --api_password api_password [--options]
For example:
    ./run rake data:node:create -- --name local_node --host localhost --api_username node_user --api_password *********

Note: You must create a node user and password to finish creating the new node. See IBM Aspera Enterprise Server Admin Guide: Setting up Node Users for instructions on how to create a node user.

Delete Node
    ./run rake data:node:delete -- --name name

For example:
    ./run rake data:node:delete -- --name local_node

Update Node
    ./run rake data:node:update -- --name name [--options]
For example:
    ./run rake data:node:update -- --name local_node

Configure Server Settings With Rake Tasks

Rake tasks can be used to configure and manage IBM Aspera Shares users, groups, shares, and nodes from the command line. Rake tasks must be run from the Shares shell, as described in the following steps:

1. Go to the shares folder:
    # cd /opt/aspera/shares/u/shares/bin
2. Test that your rake tasks are working correctly.
    ./run rake -T

The following rake tasks add or configure an LDAP, configure web server settings, and configure SMTP server settings.

Tip: Square brackets in usage statements denote optional arguments and need not be included when running the commands.

Add or Configure LDAP
    ./run rake data:ldap_config -- --directory_type directory_type --name name [--description description] --host host --port port [--base_dn base_dn] --authentication_method authentication_method [--username username --password password --encryption encryption]

Where acceptable directory types are:
    ActiveDirectory
    OpenDirectory
    FedoraDirectoryServer
    OpenLdap

Where acceptable authentication methods are:
    anonymous
    simple (Simple bind requires a username and a password.)

Where acceptable encryption types are:
    unencrypted
    simple_tls

Note: Encryption is, by default, set to unencrypted.

For example:
    ./run rake data:ldap_config -- --directory_type ActiveDirectory --name dest_dir --host ldap.aspera.us --port base_dn OU=AsperaDirectory,DC=aspera,DC=asperasoft,DC=com --authentication_method simple --username johndoe --password ********* --encryption simple_tls

Configure Manager UI and API Permissions

Admins can allow managers to administer users and groups through the Shares UI, through the Shares API, or both, using the following rake task:
    ./run rake data:manager_config -- --UI true/false --API true/false
For more information on manager permissions, see Configuring Manager Permissions.

Configure Host, Port, and TLS
    ./run rake data:web_server -- --host host --port port --tls tls
For example:
    ./run rake data:web_server -- --host shares.example.com --port tls true

Configure SMTP Server
    ./run rake data:smtp_server -- --server server --port port --domain domain --tls tls --username username --password password --from from
For example:
    ./run rake data:smtp_server -- --server smtp2.example.com --port 25 --domain example.com --tls 1 --username admin --password ******** --from server@shares.example.com

Note: The first time this task is run, the task requires an entry for all options. Afterward, running the task again only modifies the specified options, leaving non-specified fields the same.

Configure Custom Logo
    ./run rake data:logo:set -- --path /path/to/file
For example:
    ./run rake data:logo:set -- --path /temp/aspera_logo.jpg

Configuring MySQL Server

Open a MySQL Prompt

To open a MySQL client prompt, run the following command:
    # /opt/aspera/shares/bin/run mysql

Using Another MySQL Server After Installation

To use another MySQL server after rpm installation has occurred, you must update .my.cnf files and application configuration files.

1. Update the .my.cnf files with your MySQL server information in each of the following locations:
    /opt/aspera/shares/.my.cnf
    /opt/aspera/shares/u/shares/.my.cnf
    /opt/aspera/shares/u/stats-collector/.my.cnf
2. Update the Shares application config file. Open /opt/aspera/shares/u/shares/config/database.yml and fill in your MySQL server information (username, password, host, and port).
    production:
      database: shares
      username: "mysql_username"
      password: "mysql_password"
      host: ip_address
      port: port_number
      encoding: utf8
      reconnect: false
      pool: 5
    production_stats_collector:
      database: stats_collector
      username: "mysql_username"
      password: "mysql_password"
      host: ip_address
      port: port_number
      encoding: utf8
      reconnect: false
      pool: 5
3. Update the stats collector configuration file. Open /opt/aspera/shares/u/stats-collector/etc/persistence.xml and fill in your MySQL server information (username, password, host, and port).
    <!-- connection URL: jdbc:mysql://host:port/database -->
    <property name="hibernate.connection.url" value="jdbc:mysql://ip_address:port_number/stats_collector"/>
    <property name="hibernate.connection.username" value="mysql_username"/>
    <property name="hibernate.connection.password" value="mysql_password"/>

4. Restart all services.
    # service aspera-shares restart
5. Disable the built-in MySQL server. To stop the built-in MySQL from running, you must remove it from the runlevels that include it. Run the following commands:
    # rm /opt/aspera/shares/etc/runit/runlevels/setup/mysqld
    # rm /opt/aspera/shares/etc/runit/runlevels/up/mysqld

Changing the Built-in MySQL Port

Edit the my.cnf file to change the built-in MySQL port.

1. Open /opt/aspera/shares/etc/my.cnf
2. In the [mysqld] section, change the value for port. For example, to change to port 12345, add the following line in my.cnf:
    [mysqld]
    port = 12345

Backing Up and Restoring the Database

Backing Up Shares and the Database

Aspera recommends backing up Shares and the MySQL database before any major changes to your Shares installation, such as installing a patch or upgrading to a newer version of Shares.

Note: The Shares web application and the nginx service are still available when performing a backup.

1. Run the following script as a root user. The script stops Shares services, backs up all necessary files, and restarts Shares.
    # /opt/aspera/shares/u/setup/bin/backup /backup_dir
   For example:
    # /opt/aspera/shares/u/setup/bin/backup /tmp
    Creating backup directory /tmp/
    Checking status of aspera-shares...
    Status is running
    mysqld is alive
    Backing up the Shares database and config files...
    Backing up the SSL certificates...
    Done
2. Make a note of the ID of the created backup directory for future use. In the above example:

For instructions on how to restore a backup of Shares, see Restoring Shares from a Backup.

Restoring Shares from a Backup

The following instructions assume you have a Shares backup. For instructions on backing up Shares, see Backing Up Console Database.

Note: If you are restoring Shares on a new installation, make sure your MySQL password on the new installation matches the password of the backed up MySQL database.

1. Stop Shares services. Run the following script as root. The script stops Shares services, restores Shares data, and restarts Shares. You cannot use this procedure with earlier versions of Shares.
    # /opt/aspera/shares/u/setup/bin/restore /your_backup_dir/backup_id
   For example, using the ID of the example directory generated in Backing Up Console Database.
    # /opt/aspera/shares/u/setup/bin/restore /tmp/
   The Terminal returns the following information:
    Checking status of aspera-shares...
    Status is running
    mysqld is alive
    Restoring the Shares database and config files...
    Migrating the Shares database...
    Initializing the Shares database...
    Configuring the stats collector to poll all nodes...
    Restoring the SSL certificates...
    Done
2. Update the restored Shares to retrieve information from the new stats collector database.
    # /opt/aspera/shares/u/shares/bin/run mysql -e 'delete from transfer_reporters'

Tip: Shares does not currently back up the stats collector database. You must perform this step to enable transfer notification emails.

Troubleshooting Shares

Reset Shares Admin Password

You can reset your Shares admin password by opening a root terminal on your APOD / SOD server and running the following command:
    /opt/aspera/shares/u/shares/bin/run rake aspera:admin NAME="username" PASSWORD="password" =" _address"

Restart Shares Services

Some troubleshooting fixes may require that you stop, start, or restart one or more Shares services.

Restarting All Shares Services
    # service aspera-shares restart

Restarting Individual Services

Restart a service:
    # /opt/aspera/shares/sbin/sv restart command_service

For example, to start and stop the stats-collector command service, run the following command:
    # /opt/aspera/shares/sbin/sv restart stats-collector

Note: Command services support all sv commands including stop, start, and restart.

Command services include:
    crond
    mysqld
    nginx
    shares-background-0
    stats-collector

Tip: The shares-background-0 command service runs scheduled jobs in queue, such as sending emails.

Fixing Services Not Running After Upgrading Shares

After an upgrade, it may seem that only MySQL is running and the other services are missing. The problem may be that an error during the upgrade left Shares in the "setup" runlevel instead of the "up" runlevel. To fix the problem, you need to change the current runlevel to be the "up" runlevel.

Important: Do not add symlinks to /opt/aspera/shares/etc/runit/runlevels/setup.

Run the following command:
    # /opt/aspera/shares/sbin/runsvchdir up
Shares is now at the "up" runlevel and the other services should now work.

Clearing Unresponsive Background Jobs

If IBM Aspera Shares background jobs are not responding, they can be cleared using the command line.

1. Clear background jobs in MySQL.
    # /opt/aspera/shares/bin/run mysql delete from delayed_jobs;
2. Restart Aspera background jobs.
    # /opt/aspera/shares/sbin/sv restart shares-background-default-0

Gathering and Zipping All Logs for Support

Aspera Technical Support often requires system logs to help troubleshoot errors. The following instructions describe how to gather the logs created by IBM Aspera Shares, background processes, and stats collector into a .zip file that can be sent to Aspera Technical Support.
Run the following command in one line:
    # tar czvf /tmp/shares-logs-backup-`date "+%Y-%m-%d-%H-%M-%S"`.tar.gz \
        /opt/aspera/shares/u/shares/log/production.log* \
        /opt/aspera/shares/var/log/shares-background-*/current \
        /opt/aspera/shares/var/log/shares-background-*/*.s \
        /opt/aspera/shares/u/stats-collector/logs/statscollector.*log* \
        ;

Disabling SELinux

SELinux (Security-Enhanced Linux), an access control implementation, can affect web UI access. To disable SELinux, do the following:

1. Open the SELinux configuration file: /etc/selinux/config
2. Locate the following line:
    SELINUX=enforcing
3. Change the value to disabled:
    SELINUX=disabled
   Save your changes.
4. On the next reboot, SELinux is permanently disabled. To dynamically disable it before the reboot, run the following command:
    # setenforce 0

Appendix

Updating the License

1. Select Admin > Other > License.
2. Select Change license. Paste your license key and click Save.

After entering a valid license, Shares displays your Expiration Date and the Max Users and Max Nodes allowed by your license.

Note: A new user may only log in if the number of users active in the last hour is less than the max number of users.

Checking for SSH Issues

Aspera recommends that you review your SSH log periodically for signs of a potential attack. Locate and open your syslog, for example, /var/log/auth.log or /var/log/secure. Depending on your system configuration, syslog's path and file name may vary.

Look for invalid users in the log, especially a series of login attempts with common user names from the same address, usually in alphabetical order. For example:
    ...
    Mar 10 18:48:02 sku sshd[1496]: Failed password for invalid user alex from port 1585 ssh2
    ...
    Mar 14 23:25:52 sku sshd[1496]: Failed password for invalid user alice from port 1585 ssh2
    ...

If you have identified attacks:
    Check the SSH security settings.
    Report attackers to your ISP's abuse email, for example, abuse@your-isp.
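The log review described under Checking for SSH Issues can be automated. The following Python script is an added example, not part of the Aspera guide: it groups "Failed password for invalid user" lines by source address and reports addresses that tried several different user names, noting whether they arrived in alphabetical order. The sample log lines, addresses (documentation ranges) and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the sshd syslog format quoted above. Addresses come
# from the RFC 5737 documentation ranges and do not refer to real hosts.
SAMPLE_LOG = """\
Mar 10 18:48:02 sku sshd[1496]: Failed password for invalid user alex from 203.0.113.7 port 1585 ssh2
Mar 10 18:48:05 sku sshd[1496]: Failed password for invalid user alice from 203.0.113.7 port 1586 ssh2
Mar 10 18:48:09 sku sshd[1496]: Failed password for invalid user bob from 203.0.113.7 port 1587 ssh2
Mar 10 18:48:12 sku sshd[1496]: Failed password for invalid user carol from 203.0.113.7 port 1588 ssh2
Mar 10 19:02:44 sku sshd[1502]: Failed password for invalid user oracle from 192.0.2.15 port 40122 ssh2
Mar 10 19:05:10 sku sshd[1510]: Failed password for xfer from 198.51.100.20 port 50211 ssh2
Mar 10 19:05:31 sku sshd[1510]: Accepted password for xfer from 198.51.100.20 port 50212 ssh2
"""

# Only failures for accounts that do not exist on the server are matched;
# a mistyped password for a real account (the "xfer" line) is ignored.
FAILED_INVALID = re.compile(
    r"sshd\[\d+\]: Failed password for invalid user (?P<user>\S+) "
    r"from (?P<addr>\S+) port \d+"
)


def invalid_user_attempts(log_text):
    """Map each source address to the invalid user names it tried, in log order."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        match = FAILED_INVALID.search(line)
        if match:
            attempts[match.group("addr")].append(match.group("user"))
    return dict(attempts)


def suspicious_sources(log_text, min_distinct_users=3):
    """Return addresses that tried at least min_distinct_users invalid names."""
    findings = []
    for addr, users in invalid_user_attempts(log_text).items():
        distinct = list(dict.fromkeys(users))  # de-duplicate, keep first-seen order
        if len(distinct) < min_distinct_users:
            continue
        findings.append({
            "address": addr,
            "attempts": len(users),
            "usernames": distinct,
            # Dictionary-style guessing usually walks a sorted name list.
            "alphabetical": distinct == sorted(distinct),
        })
    return sorted(findings, key=lambda f: f["attempts"], reverse=True)


if __name__ == "__main__":
    # To scan a real log, read /var/log/auth.log or /var/log/secure instead.
    for finding in suspicious_sources(SAMPLE_LOG):
        order = "alphabetical" if finding["alphabetical"] else "unordered"
        print(f'{finding["address"]}: {finding["attempts"]} attempts, '
              f'{order} names: {", ".join(finding["usernames"])}')
```
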

Adding a Dedicated CA File to Verify a Node SSL Certificate

When trying to add a node with signed SSL certificates to Shares, selecting the Verify SSL Certificate option may result in a failure to add the node if the node's SSL certificate is not recognized by the Certificate Authority (CA). Shares displays the following error message at the top of the page when you try to add the node: "Status: Not pingable. Internal error. (Error-35)". You can resolve this error in one of two ways:

If the node is using the default self-signed SSL certificate provided by Aspera, the certificate is not recognized by any CA. You must clear the Verify SSL Certificate option.
If the node is using a signed SSL certificate, you must add to Shares a dedicated CA that recognizes the certificate.

The following instructions describe how to add to Shares a dedicated CA that recognizes the node SSL certificate.

1. Add the dedicated CA file to the following location: /opt/aspera/shares/etc/openssl/certs
2. Run the following script:
    # /opt/aspera/shares/bin/c_rehash

Changing Nginx Ports

1. Edit the IBM Aspera Shares nginx.conf file: /opt/aspera/shares/etc/nginx/nginx.conf.
2. Update the HTTP and HTTPS server blocks with your desired ports. These are the default settings for the two server blocks:
    server {
        listen 80;
        listen [::]:80;
        return
    }
    server {
        listen 443;
        listen [::]:443;
        ssl on;
    }
    [...]
   Update the values of the listen and rewrite directives with the desired ports (for example, 9080 and 9443).
    server {
        listen 9080;
        listen [::]:9080;
        return
    }
    server {
        listen 9443;
        listen [::]:9443;
        ssl on;
    }
    [...]

3. Update the passenger_pre_start directive with the new port. Open /opt/aspera/shares/etc/nginx/conf.d/shares-pre-start.conf and update passenger_pre_start with your desired port. For example:
    passenger_pre_start
   Note: In versions older than 1.8, the passenger_pre_start directive is in the main nginx.conf file.
4. Reload the nginx.conf file with the following command:
    # /opt/aspera/shares/sbin/nginx -s reload

Disabling IPv6 Support in Shares

By default, the Nginx web server in Shares is configured to listen on IPv6 ports in addition to the standard IPv4 ports. If your operating system does not support IPv6, Nginx is unable to start and Shares fails to load for your users. To disable IPv6 support in Shares, you must edit the nginx.conf configuration file.

1. Edit the nginx.conf configuration file, located at: /opt/aspera/shares/etc/nginx/nginx.conf
2. In the server sections, comment out the following lines:
    listen [::]:80;
    listen [::]:443;
   After making the changes, your nginx.conf server sections may look like the following example:
    server {
        listen 80;
        # listen [::]:80;
        return ^
    }
    server {
        listen 443;
        # listen [::]:443;
        ssl on;
    }
    [...]
3. Save your changes.
4. Reload the nginx.conf file with the following command:
    # /opt/aspera/shares/sbin/nginx -s reload
5. Test your changes. Try to access Shares by entering an IPv6 address in the browser.

Shares API Permissions

Aspera products such as IBM Aspera Drive and IBM Aspera Enterprise Server have integrated capabilities for working with IBM Aspera Shares. Such products interact with Shares using the API. To allow the API to correctly access users' shares, configure permissions as described below.

1. Allow API login. For each Shares user, ensure that the API Login check box is checked under the Security tab. This permission is enabled by default whenever new users are created.
2. Create shares and authorize users for each share. The table below describes the mapping between API permissions and Shares permissions.

API Permission    Shares Permissions that should be Enabled
View              browse and download
Edit              upload, rename, mkdir
Delete            delete

Working with SAML

SAML and APOD / SOD

IBM Aspera Application Platform / Server On Demand (APOD / SOD) supports Security Assertion Markup Language (SAML) 2.0, an XML-based standard that allows secure web domains to exchange user authentication and authorization data. With the SAML model, you can configure APOD / SOD as a SAML online service provider (SP) that contacts a separate online identity provider (IdP) to authenticate users. Authenticated users can then use APOD / SOD to access secure content.

With SAML enabled, APOD / SOD redirects a user to the IdP sign-on URL. The user signs in with the IdP and the IdP sends a SAML assertion back to APOD / SOD, which grants the user access to APOD / SOD. When a SAML user logs in to APOD / SOD for the first time, APOD / SOD automatically creates a new user account based on the information provided by the SAML response. Any changes subsequently made to the account on the DS server are not automatically picked up by APOD / SOD. For more information about user provisioning for SAML users, see User Accounts Provisioned by Just-In-Time (JIT) Provisioning.

IdP Requirements

To use SAML with APOD / SOD, you must already have an identity provider (IdP) that meets the following requirements:

Supports SAML 2.0.
Able to use an HTTP POST Binding.
Able to connect to the same directory service that Shares uses.
Not configured to use pseudonyms.
Can return assertions to Shares that include the entire contents of the signing certificate.
If prompted, set to sign the SAML response. (Signing the SAML assertion is optional.)

Configure the SAML IdP

Before configuring SAML in APOD / SOD, make sure you configure your IdP to send a correct SAML response to Shares. For more information, see Configuring Your Identity Provider (IdP). For instructions on configuring SAML in Shares, see Configuring SAML.
Note: Shares users with SAML accounts are affected by Shares session timeouts configured on the User Security page (Admin > Security > User Security). After session timeout, SAML users are redirected to the local login page. To log in again, click Log in using SAML Identity Provider.

SAML and Directory Services

SAML and directory services should not be enabled together. Although there is a directory service behind a SAML IdP, APOD / SOD users do not have access to it. When configuring SAML with APOD / SOD, the following is recommended:

1. Disable directory service sync.
2. Remove existing directory service users from the system.

Bypassing the Default SAML IdP

APOD / SOD provides a mechanism for users to bypass the SAML redirect and log in using a local username and password. This feature allows admins to correct server settings, including a misconfigured SAML setup, without logging in through SAML.

To bypass the SAML login, add login?local=true to the end of the login URL. For example:

User Accounts Provisioned by Just-In-Time (JIT) Provisioning

When a SAML user logs in to IBM Aspera Application Platform / Server On Demand (APOD / SOD) for the first time, APOD / SOD automatically creates a new user account based on the information provided by the SAML response. If the SAML response also contains group information, and that group does not yet exist in APOD / SOD, APOD / SOD automatically creates a new SAML group for each group of which the user is a member. For more information about SAML groups, see Creating SAML Groups.

Group Permissions

A SAML user belonging to multiple groups is given the permissions and settings of all groups it belongs to, with permissions overriding restrictions. For example, if Group A disallows sending to external users but Group B does not, users who belong to both groups are allowed to send to external users. Settings that require specific handling are as follows:

Account expiration is only enabled if all groups to which a user belongs specify account expiration. If account expiration is enabled, the expiration date is set to the latest expiration date from among all groups.

For any settings that use Server Default, Yes or Allow, and No or Deny, the setting is set to Yes if any group specifies Yes, and it is set to No if all groups are set to No. Otherwise, it is set to use the server default.

For package deletion policy, override is enabled if all groups specify override, or if the least restrictive group setting is less restrictive than the server-wide setting. If override is enabled, the least restrictive group setting is used. Do nothing is less restrictive than Delete files after all recipients download all files, which in turn is less restrictive than Delete files after any recipient downloads all files.
For advanced transfer settings, override is enabled if all groups specify override or if any group specifies any transfer rate that is higher than the server default. If override is enabled, each transfer rate is set to the higher of the highest value from among the groups and the server default. The minimum rate policy is locked only if all groups specify the setting.

Configuring Your Identity Provider (IdP)

IdP Requirements

To use SAML with APOD / SOD, you must already have an identity provider (IdP) that meets the following requirements:

Supports SAML 2.0.
Able to use an HTTP POST Binding.
Able to connect to the same directory service that Shares uses.
Not configured to use pseudonyms.
Can return assertions to Shares that include the entire contents of the signing certificate.
If prompted, set to sign the SAML response. (Signing the SAML assertion is optional.)

IdP Metadata Formats

You must configure formats to set up your IdP to work with APOD / SOD:

Tag              Format
NameID Format    urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Entity ID
Binding          urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
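The merging rules listed under Group Permissions earlier in this chapter (Yes/No/Server Default settings, account expiration, package deletion policy) can be checked with a short Python model. This is an added example, not Aspera's code: the Group class, its field names and the policy identifiers are assumptions made for illustration, and a group that does not set a value is modelled as None.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Package deletion policies, least restrictive first, in the order the text ranks them.
DELETION_ORDER = [
    "do_nothing",
    "delete_after_all_recipients_download",
    "delete_after_any_recipient_downloads",
]


@dataclass
class Group:
    """Hypothetical model of the settings one SAML group contributes."""
    name: str
    allow_external: Optional[bool] = None   # True = Yes, False = No, None = Server Default
    expires: Optional[date] = None          # None = group does not specify expiration
    deletion_policy: Optional[str] = None   # None = group does not override the server


def merge_tristate(values):
    """Yes if any group says Yes; No only if every group says No; else server default."""
    if any(v is True for v in values):
        return True
    if values and all(v is False for v in values):
        return False
    return None


def merge_expiration(groups):
    """Expiration applies only if every group specifies it; the latest date wins."""
    dates = [g.expires for g in groups]
    if groups and all(d is not None for d in dates):
        return max(dates)
    return None


def merge_deletion_policy(groups, server_policy):
    """Apply the override rule and return the effective deletion policy."""
    specified = [g.deletion_policy for g in groups if g.deletion_policy is not None]
    if not specified:
        return server_policy
    least = min(specified, key=DELETION_ORDER.index)
    all_override = len(specified) == len(groups)
    looser_than_server = DELETION_ORDER.index(least) < DELETION_ORDER.index(server_policy)
    return least if (all_override or looser_than_server) else server_policy


def effective_settings(groups, server_policy):
    """Combine the settings of every group a SAML user belongs to."""
    return {
        "allow_external": merge_tristate([g.allow_external for g in groups]),
        "expires": merge_expiration(groups),
        "deletion_policy": merge_deletion_policy(groups, server_policy),
    }


if __name__ == "__main__":
    # Constructed groups: A restricts, B permits, as in the Group A / Group B example.
    group_a = Group("A", allow_external=False, expires=date(2030, 1, 31),
                    deletion_policy="delete_after_any_recipient_downloads")
    group_b = Group("B", allow_external=True, expires=date(2030, 6, 30))
    print(effective_settings([group_a, group_b],
                             server_policy="delete_after_all_recipients_download"))
```

When auditing access, note that the rules only ever widen what a user may do: adding a user to one permissive group is enough to lift a restriction set by every other group.
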

207 Working with SAML 207 Tag Format Callback URL Tag Format Entity ID: ACS: Base URL: If the IdP is capable of reading SAML XML metadata for a service provider, you can upload a saved XML metadata file to configure the IdP. You can retrieve the XML metadata for an existing APOD / SOD by going to and saving the XML as an XML file. SAML Assertion Requirements APOD / SOD: expects assertion from an IdP to contain the following elements: Default Attribute APOD / SOD User Field Required NameID / SAML_SUBJECT / id Username Yes, with the format: urn:oasis:names:tc:saml:1.1:nameidformat:unspecified address Yes given_name First name YesOptional surname Last name Optional member_of SAML group Necessary for SAML groups Tip: All attributes other than NameID or SAML_SUBJECT or id can also use the urn:oasis:names:tc:saml:2.0:attrname-format:basic format. Configuring SAML Before configuring SAML in APOD / SOD, make sure you have properly configured your SAML IdP (see Configuring Your Identity Provider (IdP)) In IBM Aspera Shares, go to Admin > Accounts > Directories. Click Edit for the SAML Identity Provider. For the SAML IdP entry, click Edit. To enable SAML, select the check box Log in using the SAML Identity Provider. Optional: Enable SAML login redirection. If enabled, entering the default APOD / SOD URL will direct users to the SAML login page. If disabled, the APOD / SOD URL will direct users to the local login page.

Enter the SAML entry-point address provided by the IdP in the IdP Single Sign-On URL text box.
Enter the Identity Provider Certificate Fingerprint.
Enter the Identity Provider Certificate.
Click Save.

Configuring SAML

Before following the instructions below, have the following information on hand:

- IdP Single Sign-On URL (SSO)
- IdP Certificate Fingerprint OR IdP Certificate

Go to Accounts > SAML to open the SAML Configuration page. Select SAML Authentication. Enter the SSO URL and the SHA1 certificate fingerprint. Click Save.

Creating SAML Groups

SAML groups are created in IBM Aspera Application Platform / Server On Demand (APOD / SOD) in one of two ways:

- Creating a SAML group in APOD / SOD using the application and then logging in as a SAML user in the new group. The APOD / SOD SAML group is mapped to the external SAML group.
- Logging in using SAML credentials creates a Shares SAML group mapped to the external SAML group.

The following instructions describe how to create a SAML group in APOD / SOD using the web application.

1. When SAML is enabled, you can create SAML groups by navigating to Admin > Groups.
2. Click New SAML Group to create a SAML group.
3. Enter the group name, which is the distinguished name (DN).

4. Click Create Group to create the SAML group.

You can view and manage your SAML group in the Groups section under Admin.

Importing a SAML User to Shares

You can pre-populate the SAML user record and set permissions for a user before the user logs in to Shares. You can import the user in one of two ways:

- Import the SAML user in the Shares UI
- Import the SAML user using a rake task

For more information about using a rake task, see Configure Users With Rake Tasks.

Note: You must first configure and enable SAML for Shares before you can create a SAML user. For more information, see Configuring SAML.

The instructions below describe how to import a SAML user in the Shares UI.

1. Go to Admin > Users and select Import SAML User.
2. Enter a value for each of the following fields for the SAML user.

   ID: The SAML user's full Distinguished Name (required). Example: CN=saml doe,ou=ak,ou=users,ou=asperasoft,dc=dev
   Given_name: First name. Example: Sam
   Surname: Last name. Example: Doe
   Name ID: Username (required). Example: samldoe
   address: Example: samldoe@shares.example.com

3. Click Import User.

For information about configuring the newly created user, see Configure User Settings.
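The Group Permissions merge rules described earlier in this chapter, worked through as an added example (not code from the guide or from IBM). The setting names, policy labels and sample groups are hypothetical and constructed for illustration; `None` stands for "Server Default" or "no override".

```python
from datetime import date

# Package deletion policies, least restrictive first (the order the guide gives).
# The identifiers are hypothetical labels for the three UI options.
DELETION_ORDER = [
    "do_nothing",
    "delete_after_all_download",
    "delete_after_any_download",
]


def merge_tristate(values):
    """Yes/Allow (True), No/Deny (False) or Server Default (None) across groups."""
    if any(v is True for v in values):
        return True        # any group saying Yes wins
    if values and all(v is False for v in values):
        return False       # No only when every group says No
    return None            # otherwise the server default applies


def merge_expiration(dates):
    """Expiration applies only if every group sets one; the latest date wins."""
    if dates and all(d is not None for d in dates):
        return max(dates)
    return None


def merge_deletion(policies, server_policy):
    """Least restrictive group policy wins when override is enabled."""
    specified = [p for p in policies if p is not None]
    if not specified:
        return server_policy
    least = min(specified, key=DELETION_ORDER.index)
    all_override = len(specified) == len(policies)
    looser = DELETION_ORDER.index(least) < DELETION_ORDER.index(server_policy)
    return least if (all_override or looser) else server_policy


def merge_rate(rates, server_default):
    """Higher of the highest group rate and the server default, when overridden."""
    specified = [r for r in rates if r is not None]
    if not specified:
        return server_default
    all_override = len(specified) == len(rates)
    if all_override or max(specified) > server_default:
        return max(max(specified), server_default)
    return server_default


def effective_settings(groups, server_deletion, server_rate_kbps):
    """Combine the per-group settings of one SAML user into effective values."""
    return {
        "send_to_external": merge_tristate([g.get("send_to_external") for g in groups]),
        "expires": merge_expiration([g.get("expires") for g in groups]),
        "deletion_policy": merge_deletion(
            [g.get("deletion_policy") for g in groups], server_deletion),
        "target_rate_kbps": merge_rate(
            [g.get("target_rate_kbps") for g in groups], server_rate_kbps),
    }


# Constructed sample groups: A is restrictive, B is permissive.
GROUP_A = {"name": "A", "send_to_external": False, "expires": date(2030, 1, 31),
           "deletion_policy": "delete_after_any_download", "target_rate_kbps": 5000}
GROUP_B = {"name": "B", "send_to_external": True, "expires": date(2030, 6, 30),
           "deletion_policy": "do_nothing"}

if __name__ == "__main__":
    result = effective_settings([GROUP_A, GROUP_B],
                                "delete_after_all_download", 10000)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Every rule resolves toward the less restrictive value, so when reviewing IdP group mappings it is the most permissive group a user belongs to that determines the effective setting.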

Enterprise Server Configuration and Transfer Reference

Managing Users from the Command Line

Setting Up Transfer Users

Aspera transfer products use system accounts to authenticate transfers, but these accounts require additional configuration. You can set global values for default transfer rate, docroot, and file handling rules, and can also specify user-specific settings. Follow these steps to set up transfer accounts in a command terminal:

1. Create default (global) transfer settings.

   To set default values to authorize transfers in and out, set the encryption key, and set the default docroot for all users, run the following commands (if not already set):

   $ asconfigurator -x "set_node_data;authorization_transfer_in_value,allow"
   $ asconfigurator -x "set_node_data;authorization_transfer_out_value,allow"
   $ asconfigurator -x "set_node_data;token_encryption_key,token_key"
   $ asconfigurator -x "set_node_data;absolute,docroot"

   These create the following lines in aspera.conf, found in the following location:

   /opt/aspera/etc/aspera.conf

   In the example below, the encryption key is secret and the default docroot is /sandbox/$(name). The substitution string $(name) in the docroot setting can be used if your system users' docroot settings have a pattern -- for example, /sandbox/(user name). This way you can assign an independent docroot to each user by setting only the default docroot, instead of adding a docroot for each user.

   <CONF version="2">
     ...
     <default>
       <authorization>
         <transfer>
           <in>
             <value>allow</value>
           </in>
           <out>
             <value>allow</value>
           </out>
         </transfer>
         <token>
           <encryption_key>secret</encryption_key>
         </token>
       </authorization>
       <file_system>
         <access>
           <paths>
             <path>
               <absolute>/sandbox/$(name)</absolute>
             </path>
           </paths>
         </access>
       </file_system>
       ...
     </default>
   </CONF>

2. Restrict user permissions with aspshell.

   By default, all system users can establish a FASP connection and are only restricted by file permissions. You can restrict the user's file operations through the aspshell, which permits only the following operations:

   - Running Aspera uploads and downloads to or from this computer.
   - Establishing connections in the application.
   - Browsing, listing, creating, renaming, or deleting contents.

   These instructions explain one way to change a user account so that it uses the aspshell; there may be other ways to do so on your system. Open the following file with a text editor:

   /etc/passwd

   Add or replace the user's shell with aspshell. For example, to apply aspshell to the user aspera_user_1, use the following settings in this file:

   ...
   aspera_user_1:x:501:501:...:/home/aspera_user_1:/bin/aspshell

3. Configure user-specific transfer settings.

   Besides the default (global) transfer settings, you can also create user-specific and group-specific transfer settings. The user-specific settings have the highest priority, overriding both group and global settings.

   To authorize transfers in and out and to set the user's docroot and target rates, run the following commands:

   $ asconfigurator -x "set_user_data;user_name,username;authorization_transfer_in_value,allow"
   $ asconfigurator -x "set_user_data;user_name,username;authorization_transfer_out_value,allow"
   $ asconfigurator -x "set_user_data;user_name,username;absolute,docroot"
   $ asconfigurator -x "set_user_data;user_name,username;transfer_in_bandwidth_flow_target_rate_default,rate_in"
   $ asconfigurator -x "set_user_data;user_name,username;transfer_out_bandwidth_flow_target_rate_default,rate_out"

   These commands add the following section to aspera.conf, found in:

   /opt/aspera/etc/aspera.conf

   <?xml version='1.0' encoding='utf-8'?>
   <CONF version="2">
     <aaa>
       <realms>
         <realm>
           <users>
             <user>
               <name>username</name>
               <authorization>
                 <transfer>
                   <in>
                     <value>allow</value>
                   </in>
                   <out>
                     <value>allow</value>
                   </out>
                 </transfer>
               </authorization>
               <file_system>
                 <access>
                   <paths>
                     <path>
                       <absolute>docroot</absolute>
                     </path>
                   </paths>
                 </access>
               </file_system>
               <transfer>
                 <in>
                   <bandwidth>
                     <flow>
                       <target_rate>
                         <default>rate_in</default>
                       </target_rate>
                     </flow>
                   </bandwidth>
                 </in>
                 <out>
                   <bandwidth>
                     <flow>
                       <target_rate>
                         <default>rate_out</default>
                       </target_rate>
                     </flow>
                   </bandwidth>
                 </out>
               </transfer>
             </user>
           </users>
         </realm>
       </realms>
     </aaa>
     ...
   </CONF>

4. Verify the configuration.

   If you modify aspera.conf by editing the text, use the following command to verify the XML form and values:

   # /opt/aspera/bin/asuserdata -v

5. Restart asperanoded and asperacentral to activate your changes.

   Run the following commands to restart asperanoded:

   # /etc/init.d/asperanoded restart

   Run the following command in a Terminal window to restart asperacentral:

   # /etc/init.d/asperacentral restart

Setting Up Transfer Groups

You can set up transfer settings based on your system's user groups. If users within a group do not have individual transfer settings, then the group's transfer settings will be applied. Please note that APOD/SOD doesn't create user groups on the operating system for you, so you must ensure that the groups currently exist before adding them to your Aspera product. Follow the steps below to add user groups to APOD/SOD in a Terminal.

1. Determine the user groups you would like to add to your Aspera transfer product.

   Ensure that you have an existing user group on your operating system, or create a new user group. Please refer to your operating system's documentation for information on creating user groups. APOD/SOD reads group information from the following file:

   /etc/group

2. Add the user group to your Aspera transfer product.

   When a transfer group is specified, it overwrites global settings and applies group configuration to corresponding users. To add group-specific transfer settings, you can use asconfigurator commands with the following syntax:

   # asconfigurator -x "set_group_data;group_name,groupname;parameter,value"

   For more information on available settings, see User, Group and Default Configurations and the references in the table below.

   - Configuration Precedence: When a user is a member of multiple groups, the precedence setting can be used to determine priority.
   - aspera.conf - Authorization: Connection permissions, token key, and encryption requirements.
   - aspera.conf - Transfer: Incoming and outgoing transfer bandwidth and policy settings.
   - aspera.conf - File System: Docroot, file and directory creation, access permissions, block sizes, and so on.

   You can also manually edit aspera.conf with a text editor.

   /opt/aspera/etc/aspera.conf

   Add the following section to aspera.conf:

   <?xml version='1.0' encoding='utf-8'?>
   <CONF version="2">
     <aaa>
       <realms>
         <realm>
           <users>
             ... <!-- user-specific settings -->
           </users>
           <groups>
             <group> <!-- Each group tag contains a group's profile. -->
               <name>aspgroup</name> <!-- The group name. -->
               <precedence>0</precedence> <!-- Group precedence. -->
               <authorization>...</authorization> <!-- Authorization settings. -->
               <transfer>...</transfer> <!-- Transfer settings. -->
               <file_system>...</file_system> <!-- File System settings. -->
             </group>
             <group>
               ... <!-- Another group's settings -->
             </group>
           </groups>
         </realm>
       </realms>
     </aaa>
     ...
   </CONF>

3. Verify your configuration.

   When you have finished updating the group's settings in aspera.conf, use the following command to verify it (in this example, verify the group asp-group's settings):

   # /opt/aspera/bin/asuserdata -g asp-group

4. Restart asperanoded and asperacentral to activate your changes.

   Run the following commands to restart asperanoded:

   # /etc/init.d/asperanoded restart

   Run the following command in a Terminal window to restart asperacentral:

   # /etc/init.d/asperacentral restart

Configuration Precedence

APOD/SOD gives precedence to settings as follows, where user settings have the highest priority and default settings have the lowest:

1. User
2. Group (if a user belongs to more than one group, a precedence can be set for each group)
3. Global
4. Default

The table below shows the setting values that a user aspera_user_1 is assigned in bold. In this example, aspera_user_1 is a member of both the admin and xfer groups. The admin group's precedence setting is 0, which supersedes the xfer group's setting of 1:

Configuring Precedence of Groups

You can configure a group's precedence in aspera.conf by running the following asconfigurator command:

# asconfigurator -x "set_group_data;group_name,group_name;precedence,value"

Note: A group's precedence setting must be greater than or equal to 0, where 0 is the highest precedence level.

This adds a <group> section to aspera.conf like the one below. In this example, group "admin" has higher precedence than group "xfer".

<groups>
  <group>
    <name>admin</name>
    <precedence>0</precedence>
    ...
  </group>
  <group>
    <name>xfer</name>
    <precedence>1</precedence>
    ...
  </group>
</groups>

You can also edit aspera.conf manually by opening it with administrative privileges:

/opt/aspera/etc/aspera.conf
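To see which value a given account actually ends up with under the precedence order above, the following added example (not part of the original guide and not Aspera's own code) resolves user, group and global settings from an aspera.conf document. The sample configuration is constructed, group membership is passed in rather than read from /etc/group, and two points are assumptions: resolution is per setting, and a group without <precedence> is treated as lowest priority. The final check applies the 20-character token key length this guide recommends in its Authorization reference.

```python
import xml.etree.ElementTree as ET

# Constructed sample: admin (precedence 0) outranks xfer (precedence 1).
SAMPLE_CONF = """<CONF version="2">
  <aaa><realms><realm>
    <users>
      <user>
        <name>aspera_user_1</name>
        <transfer><in><bandwidth><flow><target_rate>
          <default>20000</default>
        </target_rate></flow></bandwidth></in></transfer>
      </user>
    </users>
    <groups>
      <group>
        <name>xfer</name><precedence>1</precedence>
        <authorization><transfer>
          <in><value>token</value></in><out><value>token</value></out>
        </transfer></authorization>
      </group>
      <group>
        <name>admin</name><precedence>0</precedence>
        <authorization><transfer>
          <out><value>allow</value></out>
        </transfer></authorization>
      </group>
    </groups>
  </realm></realms></aaa>
  <default>
    <authorization>
      <transfer><in><value>allow</value></in><out><value>allow</value></out></transfer>
      <token><encryption_key>secret</encryption_key></token>
    </authorization>
    <file_system><access><paths><path>
      <absolute>/sandbox/$(name)</absolute>
    </path></paths></access></file_system>
  </default>
</CONF>"""


def leaves(profile, skip=("name", "precedence")):
    """Map 'a/b/c' -> text for every non-empty leaf element under a profile."""
    out = {}

    def walk(node, path):
        children = list(node)
        if not children:
            text = (node.text or "").strip()
            if text:                      # empty elements count as unset
                out["/".join(path)] = text
            return
        for child in children:
            walk(child, path + [child.tag])

    for child in profile:
        if child.tag not in skip:
            walk(child, [child.tag])
    return out


def effective_settings(conf_xml, user, member_of):
    """Return {setting: (value, source)} for one user; later layers override."""
    root = ET.fromstring(conf_xml)
    layers = []
    default = root.find("default")
    if default is not None:
        layers.append(("global", leaves(default)))
    groups = []
    for g in root.iterfind("aaa/realms/realm/groups/group"):
        name = (g.findtext("name") or "").strip()
        if name in member_of:
            prec = g.findtext("precedence")
            # Assumption: no <precedence> means lowest priority.
            groups.append((int(prec) if prec else 10**9, name, leaves(g)))
    # Precedence 0 is highest, so apply larger numbers first.
    for _, name, settings in sorted(groups, key=lambda x: x[0], reverse=True):
        layers.append((f"group:{name}", settings))
    for u in root.iterfind("aaa/realms/realm/users/user"):
        if (u.findtext("name") or "").strip() == user:
            layers.append((f"user:{user}", leaves(u)))
    result = {}
    for source, settings in layers:
        for key, value in settings.items():
            result[key] = (value.replace("$(name)", user), source)
    return result


def findings(effective):
    """Flag a token key under 20 characters when token authorization is in use."""
    out = []
    key, src = effective.get("authorization/token/encryption_key", ("", "unset"))
    uses_token = any(
        effective.get(f"authorization/transfer/{d}/value", ("",))[0] == "token"
        for d in ("in", "out"))
    if uses_token and len(key) < 20:
        out.append(f"token encryption key from {src} is shorter than 20 characters")
    return out


if __name__ == "__main__":
    eff = effective_settings(SAMPLE_CONF, "aspera_user_1", {"admin", "xfer"})
    for setting, (value, source) in sorted(eff.items()):
        print(f"{setting} = {value}  [{source}]")
    print(findings(eff))
```

In the sample, membership in admin turns the xfer group's outgoing `token` requirement back into `allow`, which is the kind of loosening worth checking for when a user is added to a higher-precedence group.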

In the file, locate the entry for each group, add the <precedence> option, and assign a precedence value as shown in the example above. After editing the file, validate the XML form and option values by running the following command:

# /opt/aspera/bin/asuserdata -v

Setting Up a User's Public Key on the Server

Public key authentication is an alternative to password authentication, providing a more secure authentication method that allows users to avoid entering or storing a password, or sending it over the network. A user generates a key pair (a public key and a private key) on the client computer and provides the public key to the administrator of the remote computer running Enterprise Server. The administrator sets up the client user's public key as described in the steps below. For information on how to create public keys, see Creating SSH Keys (Command Line).

1. Obtain the client user's public key.

   The client user should send you a secure email with the public key pasted in the message body or attached as a text file.

2. Install the public key in the user account on the server.

   In the home directory of the account that clients will use to access the server, create a directory called .ssh (if it doesn't already exist). In that folder, save the key file and name it authorized_keys. If authorized_keys already exists, append the key file to it.

   In the example that follows:

   - aspera_user_1 is the server user account.
   - /tmp/id_rsa.pub is where you have saved the public key.
   - /home/aspera_user_1/.ssh/authorized_keys is where to install the public key.

   Run the following commands to install the client's public key:

   # mkdir -p /home/aspera_user_1/.ssh
   # cat /tmp/id_rsa.pub >> /home/aspera_user_1/.ssh/authorized_keys

   Run the following commands to change the key directory and keyfile's ownership to user aspera_user_1, to allow access by the aspera_user_1 group, and to set permission bits:

   # chown -R aspera_user_1:aspera_user_1 /home/aspera_user_1/.ssh
   # chmod 700 /home/aspera_user_1
   # chmod 700 /home/aspera_user_1/.ssh
   # chmod 600 /home/aspera_user_1/.ssh/authorized_keys

Managing Global Transfer Settings from the Command Line

aspera.conf - Authorization

This topic describes how to manually modify the <authorization/> section of aspera.conf. You can also add and edit these parameters using asconfigurator commands. For more information on using asconfigurator, see User, Group and Default Configurations.

1. Open aspera.conf.

   You can find the aspera.conf configuration file at:

   /opt/aspera/etc/aspera.conf

2. Add or locate the <authorization> section, as in the example below.

   <authorization>
     <transfer>
       <in>
         <value>allow</value> <!-- Incoming Transfer -->
         <external_provider>
           <url>...</url> <!-- Incoming External Provider URL -->
           <soap>...</soap> <!-- Incoming External Provider SOAP Action -->
         </external_provider>
       </in>
       <out>
         <value>allow</value> <!-- Outgoing Transfer -->
         <external_provider>
           <url>...</url> <!-- Outgoing External Provider URL -->
           <soap>...</soap> <!-- Outgoing External Provider SOAP Action -->
         </external_provider>
       </out>
     </transfer>
     <token>
       <encryption_type>aes-128</encryption_type> <!-- Token Encryption Cipher -->
       <encryption_key> </encryption_key> <!-- Token Encryption Key -->
       <filename_hash> </filename_hash> <!-- Token Filename Hash -->
       <life_seconds>86400</life_seconds> <!-- Token Life (seconds) -->
     </token>
   </authorization>

3. Configuration options reference.

   Incoming Transfers
   To enable users to transfer to this computer, leave the default setting of allow. Set to deny to prevent transfers to this computer. Set to token to allow only transfers initiated with valid tokens to this computer. Token-based transfers are typically used by web applications such as Faspex and require a Token Encryption Key.
   Values: allow, deny, or token
   Default: allow

   Incoming External Provider URL
   Set the URL of the external authorization provider for incoming transfers. The default empty setting disables external authorization. Aspera servers can be configured to check with an external authorization provider. This SOAP authorization mechanism can be useful to organizations requiring custom authorization rules. Requires a value for Incoming External Provider SOAP Action.
   Values: HTTP URL
   Default: blank

   Incoming External Provider SOAP Action
   The SOAP action required by the external authorization provider for incoming transfers. Required if External Authorization is enabled.
   Values: text string
   Default: blank

   Outgoing Transfers
   To enable users to transfer from this computer, leave the default setting of allow. Set to deny to prevent transfers from this computer. Set to token to allow only transfers initiated with valid tokens from this computer. Token-based transfers are typically used by web applications such as Faspex and require a Token Encryption Key.
   Values: allow, deny, or token
   Default: allow

   Outgoing External Provider URL
   Set the URL of the external authorization provider for outgoing transfers. The default empty setting disables external authorization. Aspera servers can be configured to check with an external authorization provider. This SOAP authorization mechanism can be useful to organizations requiring custom authorization rules. Requires a value for Outgoing External Provider Soap Action.
   Values: HTTP URL
   Default: blank

   Outgoing External Provider Soap Action
   The SOAP action required by the external authorization provider for outgoing transfers. Required if External Authorization is enabled.
   Values: text string
   Default: blank

   Token Encryption Cipher
   Set the cipher used to generate encrypted authorization tokens.
   Values: aes-128, aes-192, or aes-256
   Default: aes-128

   Token Encryption Key
   Set the secret text phrase that will be used to authorize those transfers configured to require token. Aspera recommends setting a token encryption key of at least 20 random characters. For more information, see Configuring Token Authorization from the GUI.
   Values: text string

   Token Filename Hash
   Set the algorithm with which filenames inside transfer tokens should be hashed. Use MD5 for backward compatibility.
   Values: sha1, md5, or sha-256
   Default: sha-256

   Token Life (seconds)
   Set the token expiration for users of web-based transfer applications.
   Values: positive integer
   Default: blank (24 hrs)

4. Save and validate aspera.conf.

   Run the following command to confirm that the XML is correctly formatted and the parameter settings are valid:

   # /opt/aspera/bin/asuserdata -v

aspera.conf - Transfer

This topic describes how to manually modify the <transfer> section of aspera.conf, which includes parameters for inline validation (see Overview of Inline File Validation for more information). You can also add and edit these parameters using asconfigurator commands.

1. Open aspera.conf.

   You can find the aspera.conf configuration file at:

   /opt/aspera/etc/aspera.conf

2. Add or locate the <transfer/> section, as in the example below.

   <transfer>
     <in>
       <bandwidth>
         <aggregate>
           <trunk_id>109</trunk_id> <!-- Incoming VLink ID -->
         </aggregate>
         <flow>
           <target_rate>
             <cap></cap> <!-- Incoming Target Rate Cap -->
             <default>10000</default> <!-- Incoming Target Rate Default -->
             <lock>false</lock> <!-- Incoming Target Rate Lock -->
           </target_rate>
           <min_rate>
             <cap></cap> <!-- Incoming Minimum Rate Cap -->
             <default></default> <!-- Incoming Minimum Rate Default -->
             <lock>false</lock> <!-- Incoming Minimum Rate Lock -->
           </min_rate>
           <policy>
             <cap></cap> <!-- Incoming Policy Allowed -->
             <default></default> <!-- Incoming Policy Default -->
             <lock>false</lock> <!-- Incoming Policy Lock -->
           </policy>
           <priority>
             <cap></cap> <!-- Incoming Priority Allowed -->
             <default></default> <!-- Incoming Priority Default -->
             <lock>false</lock> <!-- Incoming Priority Lock -->
           </priority>
           <network_rc>
             <module></module> <!-- Incoming Rate Control Module -->
             <tcp_friendly>no</tcp_friendly> <!-- Incoming TCP Friendly Mode -->
           </network_rc>
         </flow>
       </bandwidth>
     </in>
     <out>
       <bandwidth>
         <aggregate>
           <trunk_id>109</trunk_id> <!-- Outgoing VLink ID -->
         </aggregate>
         <flow>
           <target_rate>
             <cap></cap> <!-- Outgoing Target Rate Cap -->
             <default>10000</default> <!-- Outgoing Target Rate Default -->
             <lock>false</lock> <!-- Outgoing Target Rate Lock -->
           </target_rate>
           <min_rate>
             <cap></cap> <!-- Outgoing Minimum Rate Cap -->
             <default>0</default> <!-- Outgoing Minimum Rate Default -->
             <lock>false</lock> <!-- Outgoing Minimum Rate Lock -->
           </min_rate>
           <policy>
             <cap></cap> <!-- Outgoing Policy Allowed -->
             <default></default> <!-- Outgoing Policy Default -->
             <lock>false</lock> <!-- Outgoing Policy Lock -->
           </policy>
           <priority>
             <cap></cap> <!-- Outgoing Priority Allowed -->
             <default></default> <!-- Outgoing Priority Default -->
             <lock>false</lock> <!-- Outgoing Priority Lock -->
           </priority>
           <network_rc>
             <module></module> <!-- Outgoing Rate Control Module -->
             <tcp_friendly>no</tcp_friendly> <!-- Outgoing TCP Friendly Mode -->
           </network_rc>
         </flow>
       </bandwidth>
     </out>
     <protocol_options>
       <bind_ip_address></bind_ip_address> <!-- Bind IP Address -->
       <bind_udp_port>33001</bind_udp_port> <!-- Bind UDP Port -->
       <disable_batching>false</disable_batching> <!-- Disable Packet Batching -->
       <batch_size>1</batch_size> <!-- Batch Size -->
       <datagram_size>1000</datagram_size> <!-- Datagram Size -->
       <max_sock_buffer>0</max_sock_buffer> <!-- Maximum Socket Buffer (bytes) -->
       <min_sock_buffer>0</min_sock_buffer> <!-- Minimum Socket Buffer (bytes) -->
       <rtt_autocorrect>false</rtt_autocorrect> <!-- RTT auto correction -->
       <rtt_reverse_infer>false</rtt_reverse_infer> <!-- Reverse path congestion inference -->
     </protocol_options>
     <encryption>
       <content_protection_strong_pass_required>false</content_protection_strong_pass_required> <!-- Strong Password Required for Content Protection -->
       <content_protection_required>false</content_protection_required> <!-- Content Protection Required -->
       <allowed_cipher>any</allowed_cipher> <!-- Encryption Allowed -->

219 Enterprise Server Configuration and Transfer Reference 219 <fips_mode>false</fips_mode> <!-- Transfer in FIPS certified encryption mode --> </encryption> <validation_file_start>as_null</validation_file_start> <!-- Validation File Start --> <validation_file_stop>as_null</validation_file_stop> <!-- Validation File Stop --> <validation_session_start>as_null</validation_session_start> <!-- Validation Session Start --> <validation_session_stop>as_null</validation_session_stop> <!-- Validation Session Stop --> <validation_threshold>as_null</validation_threshold> <!-- Validation Threshold --> <validation_uri>as_null</validation_uri> <!-- Validation URI --> <validation_threshold_kb>0</validation_threshold_kb> <!-- Validation Threshold KB --> <validation_threads>5</validation_threads> <!-- Validation Threads --> <validation_lua_script_base64></validation_lua_script_base64> <!-- Validation Lua Script Base64 --> <validation_lua_script_path></validation_lua_script_path> <!-- Validation Lua Script Path --> </transfer> 3. Configuration options reference. Field Incoming Vlink ID Set the Vlink ID for incoming transfers. predefined value Vlinks are a mechanism to define aggregate transfer policies. The default setting of 0 disables Vlinks. One Vlink the virtual equivalent of a network trunk represents a bandwidth allowance that may be allocated to a node or a user. Vlink ID is defined in each Vlink created in Aspera Console. Vlink ID is a unique numeric identifier. 0 Incoming Target Rate Cap (Kbps) Set the Target Rate Cap for incoming positive integer transfers. The Target Rate Cap is the maximum target rate that a transfer can request, in kilobits per second. No transfer may be adjusted above this setting, at any time. The default setting of unlimited signifies no Target Rate Cap. Clients requesting transfers with initial rates above the Target Rate Cap will be denied. 
unlimited Incoming Target Rate Default (Kbps) Set the initial rate for incoming transfers, positive integer in kilobits per second. Users may be able to modify this rate in real time, if allowed. This setting is not relevant to transfers with a Policy of fixed Incoming Target Rate Lock Set to false to allow users to adjust the transfer rate once an incoming transfer is started. Set to true to prevent real-time modification of the transfer rate. true or false false positive integer or unlimited unlimited Incoming Minimum Rate Set the Minimum Rate Cap for incoming Cap (Kbps) transfers. The Minimum Rate Cap is a level, specified in kilobits per second, below which an incoming transfer will not slow, despite network congestion or Values Default

220 Enterprise Server Configuration and Transfer Reference 220 Field Values Default physical network availability. The default value of unlimited effectively turns off the Minimum Rate Cap. Incoming Minimum Rate Set the initial minimum rate for incoming positive integer Default (Kbps) transfers, in kilobits per second. Users may be able to modify this rate in real time, if allowed. This setting is not relevant to transfers with a Policy of fixed. 0 Incoming Minimum Rate Set to false (default) to allow users to true or false Lock adjust the minimum transfer rate once an incoming transfer is started. Set to true to prevent real-time modification of the minimum transfer rate. This setting is not relevant to transfers with a Policy of Fixed. false Incoming Bandwidth Policy Allowed Set the allowed Bandwidth Policy for incoming transfers. Aspera transfers use fixed, high, fair and low policies to accommodate network-sharing requirements. When set to any, the server will not deny any transfer based on policy setting. When set to high, transfers with a Policy of high and less aggressive transfer policies (e.g. fair or low) will be permitted. When set to fair, transfers of fair and low will be permitted, while fixed transfers will be denied. When set to low, only transfers with a Bandwidth Policy of low will be allowed. fixed, high, fair / regular, low, or any any Incoming Bandwidth Policy Default Set the default Bandwidth Policy for incoming transfers. The default policy value may be overridden by client applications initiating transfers. fixed, high, fair / regular, low, or any fair fixed Attempts to transfer at the specified target rate, regardless of the actual network capacity. This policy transfers at a constant rate and finishes in a guaranteed time. This policy typically occupies most of the network's bandwidth, and is not recommended in most file transfer scenarios. In fixed mode, a maximum (target) rate value is required. 
high Monitors the network and adjusts the transfer rate to fully utilize the available bandwidth up to the maximum rate. When congestion occurs, a it transfers at a rate twice of a session with fair policy. In this mode, both the maximum (target) and the minimum transfer rates are required.

221 Enterprise Server Configuration and Transfer Reference 221 Field Values Default fair Monitors the network and adjusts the transfer rate to fully utilize the available bandwidth up to the maximum rate. When other types of traffic build up and congestion occurs, it shares bandwidth fairly by transferring at an even rate. In this mode, both the maximum (target) and the minimum transfer rates are required. low Similar to fair mode, the low policy uses the available bandwidth up to the maximum rate, but is much less aggressive when sharing bandwidth with other network traffic. When congestion builds up, the transfer rate is reduced to the minimum rate until other traffic retreats. Incoming Bandwidth Policy Lock Set to false (default) to allow users to adjust the Bandwidth Policy once an incoming transfer is started. Set to true to prevent real-time modification of the Bandwidth Policy. true or false false Incoming Priority Allowed The highest priority your client can request. Use the value 0 to unset this option; 1 to allow high priority, 2 to enforce normal priority. 0, 1, or 2 1 Incoming Priority Default The initial priority setting. Use the value 0 to unset this option, 1 to allow high priority; 2 to enforce normal priority 0, 1, or 2 2 Incoming Priority Lock To disallow your clients change the priority, set the value to true true or false false Module (for incoming rate control) Located within the incoming </ delay-odp, network_rc> stanza, this hidden setting delay-adv, or air is meant for advanced users to select an incoming rate control module (which will only be applied at the local "receiver" side). It should only be used with special instructions for debugging. 
Options include: TCP Friendly (for incoming rate control) blank delay-odp: queue scaling controller delay-adv: advanced rate controller air: FASP air Located within the incoming </ network_rc> stanza, this hidden setting is meant for advanced users to turn TCP-friendly mode on or off (which will only be applied at the local "receiver" side when the transfer policy is set to yes or no no

fair). It should only be used with special instructions for debugging. If turned on ("yes"), this mode allows an incoming FASP transfer to maintain relative fair bandwidth share with a TCP flow under congestion.

Outgoing Vlink ID
Set the Vlink ID for outgoing transfers. Vlinks are a mechanism to define aggregate transfer policies. The default setting of 0 disables Vlinks. One Vlink, the virtual equivalent of a network trunk, represents a bandwidth allowance that may be allocated to a node or a user. Vlink ID is defined in each Vlink created in Aspera Console. The Vlink ID is a unique numeric identifier.
Values: predefined value. Default: 0.

Outgoing Target Rate Cap (Kbps)
Set the Target Rate Cap for outgoing transfers. The Target Rate Cap is the maximum target rate that a transfer can request, in kilobits per second. No transfer may be adjusted above this setting, at any time. The default setting of unlimited signifies no Target Rate Cap. Clients requesting transfers with initial rates above the Target Rate Cap will be denied.
Values: positive integer. Default: unlimited.

Outgoing Target Rate Default (Kbps)
Set the initial rate for outgoing transfers, in kilobits per second. Users may be able to modify this rate in real time, if allowed. This setting is not relevant to transfers with a Policy of Fixed.
Values: positive integer.

Outgoing Target Rate Lock
Set to false (default) to allow users to adjust the transfer rate once an outgoing transfer is started. Set to true to prevent real-time modification of the transfer rate.
Values: true or false. Default: false.

Outgoing Minimum Rate Cap (Kbps)
Set the Minimum Rate Cap for outgoing transfers. The Minimum Rate Cap is a level specified in kilobits per second, below which an outgoing transfer will not slow, despite network congestion or physical network availability. The default value of Unlimited effectively turns off the Minimum Rate Cap.
Values: positive integer. Default: unlimited.

Outgoing Minimum Rate Default
Set the initial minimum rate for outgoing transfers, in kilobits per second. Users may be able to modify this rate in real time, if allowed. This setting is not relevant to transfers with a Policy of Fixed.
Values: positive integer. Default: 0.

Outgoing Minimum Rate Lock
Set to false (default) to allow users to adjust the minimum transfer rate once an outgoing transfer is started. Set to true to prevent real-time modification of the minimum transfer rate. This setting is not relevant to transfers with a Policy of Fixed.
Values: true or false. Default: false.

Outgoing Bandwidth Policy Allowed
Set the allowed Bandwidth Policy for outgoing transfers. Aspera transfers use fixed, high, fair and low policies to accommodate network-sharing requirements. When set to any, the server will not deny any transfer based on policy setting. When set to high, transfers with a Policy of high and less aggressive transfer policies (e.g. fair or low) will be permitted. When set to fair, transfers of fair and low will be permitted, while fixed transfers will be denied. When set to low, only transfers with a Bandwidth Policy of low will be allowed.
Values: fixed, high, fair (regular), low, or any. Default: any.

Outgoing Bandwidth Policy Default
Set the default Bandwidth Policy for outgoing transfers. The default policy value may be overridden by client applications initiating transfers.
  fixed: Attempts to transfer at the specified target rate, regardless of the actual network capacity. This policy transfers at a constant rate and finishes in a guaranteed time. This policy typically occupies most of the network's bandwidth, and is not recommended in most file transfer scenarios. In fixed mode, a maximum (target) rate value is required.
  high: Monitors the network and adjusts the transfer rate to fully utilize the available bandwidth up to the maximum rate. When congestion occurs, it transfers at twice the rate of a session with the fair policy. In this mode, both the maximum (target) and the minimum transfer rates are required.
  fair: Monitors the network and adjusts the transfer rate to fully utilize the available bandwidth up to the maximum rate. When other types of traffic build up and congestion occurs, it shares bandwidth fairly by transferring at an even rate. In this mode, both the maximum (target) and the minimum transfer rates are required.
  low: Similar to fair mode, the low policy uses the available bandwidth up to the maximum rate, but is much less aggressive when sharing bandwidth with other network traffic. When congestion builds up, the transfer rate is reduced to the minimum rate until other traffic retreats.
Values: fixed, high, fair, low. Default: fair.

Outgoing Bandwidth Policy Lock
Set to false (default) to allow users to adjust the Bandwidth Policy once an outgoing transfer is started. Set to true to prevent real-time modification of the Bandwidth Policy.
Values: true or false. Default: false.

Outgoing Priority Allowed
The highest priority your client can request. Use the value 0 to unset this option; 1 to allow high priority, 2 to enforce normal priority.
Values: 0, 1, or 2. Default: 1.

Outgoing Priority Default
The initial priority setting. Use the value 0 to unset this option, 1 to allow high priority; 2 to enforce normal priority.
Values: 0, 1, or 2. Default: 2.

Outgoing Priority Lock
To prevent your clients from changing the priority, set the value to true.
Values: true or false. Default: false.

Module (for outgoing rate control)
Located within the outgoing <network_rc> stanza, this hidden setting is meant for advanced users to select an outgoing rate control module (which will only be applied at the local "receiver" side). It should only be used with special instructions for debugging. Options include:
  delay-odp: queue scaling controller
  delay-adv: advanced rate controller
  air: FASP air
Values: delay-odp, delay-adv, or air. Default: blank.

TCP Friendly (for outgoing rate control)
Located within the outgoing <network_rc> stanza, this hidden setting is meant for advanced users to turn TCP-friendly mode on or off (which will only be applied at the local "receiver" side when the transfer policy is set to fair). It should only be used with special instructions for debugging. If turned on ("yes"), this mode allows an outgoing FASP transfer to maintain relative fair bandwidth share with a TCP flow under congestion.
Values: yes or no. Default: no.

Bind IP Address
Specify an IP address for server-side ascp to bind its UDP connection. If a valid IP address is given, ascp sends and receives UDP packets only on the interface corresponding to that IP address.
Important: The bind address should only be modified (changed to an address other than ) if you, as the System Administrator, understand the security ramifications of doing so, and have undertaken precautions to secure the SOAP service.
Values: valid IPv4 address. Default: blank.

Bind UDP Port
Prevent the client-side ascp process from using the specified UDP port.
Values: integer between 1 and

Disable Packet Batching
Set to true to send data packets back-to-back (no sending a batch of packets). This results in smoother data traffic at a cost of higher CPU usage.
Values: true or false. Default: false.

Batch Size
When set to "0" (default), the system uses a pre-computed batch size. Set this to "1" for high concurrency servers (senders) in order to reduce CPU utilization in aggregate.
Values: Integer. Default: 0.

Datagram Size
Sets the datagram size on the server side. If size is set with both -Z (client side) and <datagram_size> (server side), the <datagram_size> setting is used. In cases where the client side is pre-3.3, datagram size is determined by the -Z setting, regardless of the server-side setting for <datagram_size>. In such cases, if there is no -Z setting, datagram size is based on the discovered MTU and the server logs the message "LOG Peer client doesn't support alternative datagram size".
Values: Integer.

Maximum Socket Buffer (bytes)
Set the upper bound of the UDP socket buffer of an ascp session below the input value. The default of 0 will cause the Aspera sender to use its default internal buffer size, which may be different for different operating systems.
Values: positive integer. Default: 0.

Minimum Socket Buffer (bytes)
Set the minimum UDP socket buffer size for an ascp session.
Values: positive integer. Default: 0.

RTT auto correction
Set to true to enable auto correction of the base (minimum) RTT measurement. This feature is helpful for maintaining accurate transfer rates in hypervisor-based virtual environments.
Values: true or false. Default: false.

Reverse path congestion inference
Set to true to prevent the transfer speed of a session from being adversely affected by congestion in the reverse (non data-sending) transfer direction. This feature is useful for boosting speed in bi-directional transfers.
Values: true or false. Default: true.

Strong Password Required for Content Encryption
Set to true to require the password for content encryption to contain at least 6 characters, of which at least 1 is non-alphanumeric, at least 1 is a letter, and at least 1 is a digit.
Values: true or false. Default: false.

Content Protection Required
Set to true to require that content be left encrypted at the destination. Users are required to enter a password during upload to encrypt the files on the server. Users will be given the option when downloading to decrypt during transfer.
Values: true or false. Default: false.

Encryption Allowed
Set the type of transfer encryption accepted by this computer. Set to any to allow both encrypted and non-encrypted transfers to this computer. Set to none to allow only non-encrypted transfers. Set to aes-128 to allow only encrypted transfers.
Values: any, none, aes-128, aes-192, or aes-256. Default: any.

Do encrypted transfers in FIPS certified encryption mode
Set to true for ascp to use a FIPS certified encryption module. When enabled, transfer start is delayed while the FIPS module is verified.
When you run ascp in FIPS mode (that is, <fips_enabled> is set to true in aspera.conf), and you use passphrase-protected SSH keys, you must use keys generated by running ssh-keygen in a FIPS-enabled system, or convert existing keys to a FIPS-compatible format using a command such as the following:
  openssl pkcs8 -topk8 -v2 aes128 -in id_rsa -out new-id_rsa
Important: When set to true, all ciphers and hash algorithms that are not FIPS compliant will abort transfers.
Values: true or false. Default: false.

Run at File Start
Enables validation when starting a file. This happens before file transfer starts. For more information on inline file validation, see Overview of Inline File Validation.
Values: uri, lua_script, or none. Default: none.

Run at File Stop
Enables validation when reporting file transfer end. This happens after file transfer is complete and file is closed. For more information on inline file validation, see Overview of Inline File Validation.
Values: uri, lua_script, or none. Default: none.

Run at Session Start
Enables validation when an ascp session starts. For more information on inline file validation, see Overview of Inline File Validation.
Values: uri, lua_script, or none. Default: none.

Run at Session Stop
Enables validation when an ascp session ends. For more information on inline file validation, see Overview of Inline File Validation.
Values: uri, lua_script, or none. Default: none.

Run when Crossing File Threshold
Enables validation when a set threshold in the file transfer is reached. For more information on inline file validation, see Overview of Inline File Validation.
Note: For threshold validation, it is possible for the file transfer to complete before the file threshold validation response comes back (because ascp doesn't pause file transfers during file threshold validation); therefore, a complete file transfer could happen even with validation failure.
Values: uri, lua_script, or none. Default: none.

Validation Threshold KB
Threshold validation occurs after the threshold value defined in this option is met during file download (when at least the threshold KB of the file is downloaded). Since threshold validation can only be triggered periodically (every second in the worst case), the file must be large enough to trigger this validation.
The Validation Threshold option must also be specified (uri or lua) if this option is to be recognized by the system. If Validation Threshold is also enabled, and this value is not specified (or set to 0), the ascp session will exit with an error.
Values: Positive integer. Default: 0.

Validation Threads
Setting a value enables multiple validations to happen in parallel in validator threads.
Note: If the number of validation threads is not set to 1, then multiple threads may perform different types of validations for different (or the same) files at the same time. In such a situation, the response of a validation_file_stop at the end of a file download might come before the response of a validation_threshold for the same file.
Values: Positive integer. Default: 5.

Validation URI
External URL used for validation calls. When this parameter is defined, at least two validations, validation_file_start and validation_file_stop, will happen for every file. The entry should define a URL, port, and URL handler for validation. For example, SimpleValidator
This value must be defined if any of the following values are set to uri:
  validation_file_start
  validation_file_stop
  validation_session_start
  validation_session_stop
  validation_threshold
Values: URL. Default: none.

Base64-Encoded Lua Action Script
For Lua API validation, enter the base64-encoded value. If both this option and File Path to Lua Action Script option are defined, this value is ignored. For more information on inline file validation, see Overview of Inline File Validation.
This value must be defined if any of the following values are set to lua_script: Run at File Start, Run at File Stop, Run at Session Start, Run at Session Stop, Run when Crossing File Threshold.
Values: Base64-encoded string. Default: blank.

File Path to Lua Action Script
For Lua API validation, enter a file path. If both this option and the Base64-Encoded Lua Action Script option are defined, this value is the one recognized by the system.
This value must be defined if any of the following values are set to lua_script:
  validation_file_start
  validation_file_stop
  validation_session_start
  validation_session_stop
  validation_threshold
For more information on inline file validation, see Overview of Inline File Validation.
Values: Filepath. Default: blank.

4. Save and validate aspera.conf.
Run the following command to confirm that the XML is correctly formatted and the parameter settings are valid:
  # /opt/aspera/bin/asuserdata -v

aspera.conf - File System

This topic describes how to manually modify the <authorization/> section of aspera.conf. You can also add and edit these parameters using asconfigurator commands. For more information on using asconfigurator, see User, Group and Default Configurations.

1. Open aspera.conf.
You can find the aspera.conf configuration file at:
  /opt/aspera/etc/aspera.conf

2. Add or locate the <file_system /> section, as in the example below.

<file_system>
  <access>
    <paths>
      <path>
        <absolute peer_ip="ip_address">/path/$(name)</absolute> <!-- Absolute Path (conditional) -->
        <absolute>/path/$(name)</absolute> <!-- Absolute Path -->
        <read_allowed>true</read_allowed> <!-- Read Allowed -->
        <write_allowed>true</write_allowed> <!-- Write Allowed -->
        <dir_allowed>true</dir_allowed> <!-- Browse Allowed -->
      </path>
    </paths>
  </access>
  <read_block_size>0</read_block_size> <!-- Read Block Size -->
  <write_block_size>0</write_block_size> <!-- Write Block Size -->
  <read_threads>0</read_threads> <!-- Number of I/O Read Threads -->
  <write_threads>0</write_threads> <!-- Number of I/O Write Threads -->
  <scan_threads>0</scan_threads> <!-- Number of Dir Scanning Threads -->
  <meta_threads>0</meta_threads> <!-- Number of Metadata Threads -->
  <sparse_file>false</sparse_file> <!-- Sparse File Checking -->
  <fail_on_attr_error>yes</fail_on_attr_error> <!-- Behavior on Attr Error -->
  <compression_method>lz4</compression_method> <!-- Compression Method for File Transfer -->
  <use_file_cache>true</use_file_cache> <!-- Use File Cache -->
  <max_file_cache_buffer>0</max_file_cache_buffer> <!-- Max File Cache Buffer -->
  <resume_suffix>.aspx</resume_suffix> <!-- Resume Suffix -->
  <preserve_attributes> </preserve_attributes> <!-- Preserve Attributes -->
  <overwrite>allow</overwrite> <!-- Overwrite -->
  <file_manifest>disable</file_manifest> <!-- File Manifest -->
  <file_manifest_path>path</file_manifest_path> <!-- File Manifest Path -->
  <file_manifest_inprogress_suffix>.aspera-inprogress</file_manifest_inprogress_suffix> <!-- File Manifest Suffix -->
  <pre_calculate_job_size>any</pre_calculate_job_size> <!-- Pre-Calculate Job Size -->
  <replace_illegal_chars></replace_illegal_chars> <!-- Convert Restricted Windows Characters -->
  <storage_rc>
    <adaptive>true</adaptive> <!-- Storage Rate Control -->
  </storage_rc>
  <filters> <!-- File Filter Pattern List -->
    <filter>rule1</filter>
    <filter>rule2</filter>
  </filters>
  <file_create_mode> </file_create_mode> <!-- File Create Mode -->
  <file_create_grant_mask>644</file_create_grant_mask> <!-- File Create Grant Mask -->
  <directory_create_mode> </directory_create_mode> <!-- Directory Create Mode -->
  <directory_create_grant_mask>755</directory_create_grant_mask> <!-- Directory Create Grant Mask -->
  <partial_file_suffix>.partial</partial_file_suffix> <!-- Partial File Suffix -->
  <file_checksum>any</file_checksum> <!-- File Checksum Method -->
</file_system>

3. Configuration options reference.

Absolute Path
The docroot: the area of the file system that is accessible to Aspera users. The default empty value gives users access to the entire file system. You can set one global docroot and then further restrict access to the file system by group or individual user. Docroot paths require specific formatting depending on where the transfer server's storage is located.
Format examples:
  Local storage absolute path: /home/bear/movies
  Local storage in URI format (required for server-side encryption-at-rest, not supported by the Aspera Watch Service): file:////home/bear/movies
  Cloud or on-premises object storage: For more information, see Setting Docroots for Object Storage and HDFS.
You can also set multiple docroots and make them conditional based on the IP address from which the connection is made by editing aspera.conf. To do so, edit the absolute path setting by adding the IP address using the following syntax:
  <absolute peer_ip="ip_address">path</absolute>
Values: file path or URI. Default: undefined (total access).

Read Allowed
Setting this to true (default) allows users to transfer from the designated area of the file system as specified by the Absolute Path value.
Values: true, false. Default: true.

Write Allowed
Setting this to true (default) allows users to transfer to the designated area of the file system as specified by the Absolute Path value.
Values: true, false. Default: true.

Browse Allowed
Setting this to true (default) allows users to browse the directory.
Values: true, false. Default: true.

Read Block Size (bytes)
Set the maximum number of bytes that can be stored within a block as the block is being transferred from the source disk drive to the receiver. The default of zero causes the Aspera sender to use its default internal buffer size, which may vary by operating system. This is a performance-tuning parameter for an Aspera sender (which only takes effect if the sender is a server).
Values: positive integer, where 500MB or 524,288,000 bytes is the maximum block size. Default: 0.

Write Block Size (bytes)
Set the maximum bytes within a block that an ascp receiver can write to disk. The default of zero causes the Aspera receiver to use its default internal buffer size, which may vary by operating system. This is a performance-tuning parameter for an Aspera receiver (which only takes effect if the receiver is a server).
Values: positive integer, where 500MB or 524,288,000 bytes is the maximum block size. Default: 0.

Number of I/O read threads
Set the number of threads the Aspera sender uses to read file contents from the source disk drive. It takes effect on both client and server, when acting as a sender. The default of zero causes the Aspera sender to use its internal default, which may vary by operating system. This is a performance-tuning parameter for an Aspera sender.
Values: positive integer. Default: 0.

Number of I/O write threads
Set the number of threads the Aspera receiver uses to write the file contents to the destination disk drive. It takes effect on both client and server, when acting as a receiver. The default of zero causes the Aspera receiver to use its internal default, which may vary by operating system. This is a performance-tuning parameter for an Aspera receiver.
Values: positive integer. Default: 0.

Number of Dir Scanning Threads
Set the number of threads the Aspera sender uses to scan directory contents. It takes effect on both client and server, when acting as a sender. The default of zero causes the Aspera sender to use its internal default. This is a performance-tuning parameter for an Aspera sender.
Values: positive integer. Default: 0.

Number of Metadata Threads
Set the number of threads the Aspera receiver uses to create directories or 0 byte files. It takes effect on both client and server, when acting as a receiver. The default of zero causes the Aspera receiver to use its internal default, which may vary by operating system. This is a performance-tuning parameter for an Aspera receiver.
Values: positive integer. Default: 0.

Sparse File Checking
Set to true to enable sparse file checking, which tells the Aspera receiver to avoid writing zero blocks and save disk space. The default of false tells the Aspera receiver to write all the blocks. This is a performance-tuning parameter for an Aspera receiver.
Values: true or false. Default: false.

Behavior on Attr Error
Set behavior for when operations attempt to set or change file attributes (such as POSIX ownership, ACLs, or modification time) and fail. Setting to yes returns an error and causes the operation to fail. Setting to no logs the error and the operation continues.
Values: no or yes. Default: yes.

Compression Method for File Transfer
Set the compression method to apply to transfers. It applies to both the client and server.
Values: lz4, qlz, zlib, or none. Default: lz4.

Use File Cache
Set to true (default) to enable per-file memory caching at the data receiver. File level memory caching improves data write speed on Windows platforms in particular, but uses more memory. This is a performance tuning parameter for an Aspera receiver. Aspera suggests using a file cache on systems that are transferring data at speeds close to the performance of their storage device, and disabling it for systems with very high concurrency (because memory utilization will grow with the number of concurrent transfers).
Values: true or false. Default: true.

Max File Cache Buffer (bytes)
Set the maximal size allocated for per-file memory cache (see Use File Cache) in bytes. The default of zero will cause the Aspera receiver to use its internal buffer size, which may be different for different operating systems. This is a performance tuning parameter for an Aspera receiver.
Values: positive integer. Default: 0.

Resume Suffix
Set the file name extension for temporary metadata files used for resuming incomplete transfers. Each data file in progress will have a corresponding metadata file with the same name plus the resume suffix specified by the receiver. Metadata files in the source of a directory transfer are skipped if they end with the sender's resume suffix.
Values: text string. Default: .aspx

Preserve Attributes
Set the file creation policy. Set to none to not preserve the timestamps of source files. Set to times to preserve the timestamp of the source files at destination.
Note: For Limelight storage, only the preservation of modification time is supported.
Values: none or times. Default: blank (use the client setting).

Overwrite
Set to allow to allow Aspera clients to overwrite existing files on the server, as long as file permissions allow that action.
Note: The deny setting does not work, and clients are still allowed to overwrite files on the server if file permissions allow it.
Values: allow or deny. Default: allow.

File Manifest
Set to text to generate a text file "receipt" of all files within each transfer session. Set to disable to not create a File Manifest. The file manifest is a file containing a list of everything that was transferred in a given transfer session. The filename of the File Manifest itself is automatically generated based on the transfer session's unique ID. The location where each manifest is written is specified by the File Manifest Path value. If no File Manifest Path is specified, the file will be generated under the destination path at the receiver, and under the first source path at the sender.
Values: text, disable, or none. Default: none.

File Manifest Path
Specify the location to store manifest files. Can be an absolute path or a path relative to the transfer user's home.
Note: File manifests can only be stored locally. Thus, if you are using S3, or other non-local storage, you must specify a local manifest path.
Values: text string. Default: blank.

File Manifest Suffix
Specify the suffix of the manifest file during file transfer.
Values: text string. Default: .aspera-inprogress

Pre-Calculate Job Size
Set to yes to enable calculating job size before transferring. Set to no to disable calculating job size before transferring. Set to any to follow client configurations.
Values: yes, no, or any. Default: any.

Convert Restricted Windows Characters
To enable the replacement of reserved Windows characters in file and directory names with a non-reserved character, set to the single byte, non-restricted character that will be used for the replacement. Only applies to files written to the local Windows file system; to enable on the peer it must be set on the peer's system.
Values: single-byte, non-restricted character. Default: blank.

File Create Mode
Set the file creation mode (permissions). If specified, create files with these permissions (for example, 0755), irrespective of File Create Grant Mask and permissions of the file on the source computer. Only takes effect when the server is a non-Windows receiver.
Values: positive integer (octal). Default: undefined.

File Create Grant Mask
Set the mode for newly created files if File Create Mode is not specified. If specified, file modes will be set to their original modes plus the Grant Mask values. Only takes effect when the server is a non-Windows receiver and when File Create Mode is not specified.
Values: positive integer (octal). Default: 644.

Directory Create Mode
Set the directory creation mode (permissions). If specified, create directories with these permissions irrespective of Directory Create Grant Mask and permissions of the directory on the source computer. Only takes effect when the server is a non-Windows receiver.
Values: positive integer (octal). Default: undefined.

Directory Create Grant Mask
Set the mode for newly created directories if Directory Create Mode is not specified. If specified, directory modes will be set to their original modes plus the Grant Mask values. Only takes effect when the server is a non-Windows receiver and when Directory Create Mode is not specified.
Values: positive integer (octal). Default: 755.

File Filter Pattern List
Exclude or include files and directories with the specified pattern in the transfer. Add multiple entries for more inclusion/exclusion patterns. To specify an inclusion, start the pattern with '+ ' (+ and a whitespace). To specify an exclusion, start the pattern with '- ' (- and a whitespace). Two symbols can be used in the setting of patterns:
  A "*" (asterisk) represents zero to many characters in a string. For example, *.tmp matches .tmp and abcde.tmp.
  A "?" (question mark) represents a single character. For example, t?p matches tmp but not temp.
For details on specifying rules, see Applying Filters to Include and Exclude Files.
This option applies only when the server is acting as a client. Servers cannot exclude files or directories uploaded or downloaded by remote clients.
Values: text entries. Default: blank.

Partial File Name Suffix
Set the filename extension on the destination computer while the file is being transferred. Once the file has been completely transferred, this filename extension is removed.
Note: This option only takes effect when it is set on the receiver side.
Values: text string. Default: blank.

File Checksum Method
Set the type of checksum to calculate for transferred files. The content of transfers can be verified by comparing the checksum value at the destination with the value read at the source.
Values: any, md5, sha1, sha256, sha384, or sha. Default: any.

4. Save and validate aspera.conf.
Run the following command to confirm that the XML is correctly formatted and the parameter settings are valid:
  # /opt/aspera/bin/asuserdata -v

aspera.conf - Filters to Include and Exclude Files

Filters allow you to refine the list of files (or directories) designated for transfer. With filters, you indicate which files in the transfer list to skip or include. At runtime, ascp looks for filters in two locations: on the ascp command line, and in aspera.conf. Filters can be set in the aspera.conf file either from the GUI, or by modifying it directly with an editor or asconfigurator. When filtering rules are found in aspera.conf, they are applied before rules on the command line. If no filtering rules are specified, ascp transfers all source files in the transfer list.

This topic describes how to specify rules by editing aspera.conf or using asconfigurator.

Note: Filter settings apply only when the server is acting as a client. Servers cannot exclude files or directories uploaded or downloaded by remote clients.
Setting Filter Rules in aspera.conf

The ascp -N and -E options let you specify filter rules individually for each transfer, while filter options configured in aspera.conf allow you to have the same rules applied to all transfers. Filter rules that ascp finds in aspera.conf are always applied before any command-line rules. This allows you to specify individual command-line rules to augment a core set specified in aspera.conf.

Filter rules can be set in aspera.conf in the following ways:
  from the GUI. For details, see.
  by modifying aspera.conf directly with a text editor
  by modifying aspera.conf with the asconfigurator tool.

This section describes how to use the asconfigurator method. However, any of the examples can also be created by editing aspera.conf directly.

Below is a section of an aspera.conf file showing settings for filter rules. In this example, the filter rules are in the <default> section, which is where global options are set:

<default>
  <file_system>
    <filters>
      <filter>+ file.txt</filter>
      <filter>- *.txt</filter>
    </filters>
  </file_system>
</default>

Each rule is specified with a separate <filter> option. A rule consists of a "+" or "-" sign (indicating whether to include or exclude), followed by a space character, followed by a pattern. A pattern can be a file or directory name, or a set of names expressed with UNIX glob patterns (described below).

(The equivalent ascp command options for the above example are: -N 'file.txt' -E '*.txt' )

To determine which files to transfer, each file in the set of transfer files (the transfer list) is evaluated by the filter rules in top-down order, as follows:
1. The first (or next) file or directory in the transfer list is compared to the first rule.
2. If the file matches the pattern, it's included (if +) or excluded (if -), and for this file, filtering stops.
3. If the file does not match, it's compared with the next rule and the process is repeated for each rule until a match is found or until all rules have been tried.
4. If the file did not match any rules, it is included in the transfer.

Filtering is a process of exclusion, and "+" rules act as overrides to any "-" rules that follow them.

Filtering operates only on the set of files and directories in the transfer list. That is, an include option cannot add files or directories that are not already part of the transfer list.

If directories or files reside in directories that have already been excluded, they will also be excluded and therefore not checked against any further rules. For example, consider the following rules:

  - /above/
  + /above/below

The file /above/below is never considered because its parent directory /above/ has already been excluded.

Creating Rule Patterns

In order to filter directories and files to be transferred, their names are matched against patterns (globs) that include wildcards and special characters.
The patterns use the standard globbing syntax found in UNIX systems along with several extensions.

Character case: Case always matters, even if the scanned file system does not enforce such a distinction. For example, "debug" does not match "Debug". To match both, the pattern should be "[Dd]ebug".

Partial matches: With globs, unlike standard regular expressions, the entire filename or directory name must match the pattern. That is, abcdef matches the pattern abc*f but abcdefg does not.

Pattern position: A pattern given with "+" will match a path only if it falls directly under the transfer directory. However, a pattern given with "-" will match a path regardless of where (at which level) the path falls under the transfer directory. For example, given the pattern 'zzz*' and a transfer directory AAA:
  The "+" option matches only if the path to the zzz file (or directory) falls directly under AAA. That is, AAA/zzz.
  The "-" option matches regardless of where the path to the zzz file (or directory) falls under AAA. For example, AAA/abc/def/zzz.

For details on using wildcards and special characters to build rule patterns, see Applying Filters to Include and Exclude Files.

Running Asconfigurator

In order to run asconfigurator successfully, you must (1) have write access to aspera.conf, and (2) not be executing it from aspshell, which does not allow running asconfigurator.

The set commands for user, group, and global filter settings use the following syntax:

  asconfigurator -x "set_user_data;user_name,username;file_filters,|rule1|rule2...|ruleN"
  asconfigurator -x "set_group_data;group_name,groupname;file_filters,|rule1|rule2...|ruleN"
  asconfigurator -x "set_node_data;file_filters,|rule1|rule2...|ruleN"

Each rule argument, including the first, must begin with a "|" character, which serves as the separator between multiple rules. To clear rules, run asconfigurator by specifying "file_filters," without rule arguments. Note that the comma in "file_filters," is still required. See the example below.

Note: Running asconfigurator replaces the specified settings; it does not add to them.

Examples

The following example creates the aspera.conf <default> code shown above:

  $ asconfigurator -x "set_node_data;file_filters,|+ file.txt|- *.txt"

The following example sets filters for user asp1, producing the result below:

  # asconfigurator -x "set_user_data;user_name,asp1;file_filters,|+ abc/wxy/tuv/**|- abc/**/def"

<aaa>
  <realms>
    <realm>
      <users>
        <user>
          <name>asp1</name>
          <file_system>
            <filters>
              <filter>+ abc/wxy/tuv/**</filter>
              <filter>- abc/**/def</filter>
            </filters>
          </file_system>
        </user>
      </users>
    </realm>
  </realms>
</aaa>

The following example clears all filters for the group asgroup, producing the result below:

  # asconfigurator -x "set_group_data;group_name,asgroup;file_filters,"

<groups>
  <group>
    <name>asgroup</name>
    <file_system>
      <filters />
    </file_system>
  </group>
</groups>

For further information on the use of asconfigurator, see Asconfigurator Reference.
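The top-down, first-match evaluation described under Setting Filter Rules in aspera.conf and Creating Rule Patterns, as an added example for checking which files a rule set would let through (it is not Aspera's code and not part of this guide). It implements only what this page states: "*", "?" and "[...]" globs, case-sensitive whole-name matching, "+" rules that match only directly under the transfer directory, "-" rules that match at any level, and exclusion of everything under an excluded directory. The function names, the stripping of leading and trailing "/", and the choice that wildcards do not cross "/" are assumptions; "**" and other extensions are not handled.

```python
import re


def glob_to_regex(pattern):
    """Compile the glob subset defined on this page into a regex.

    Assumption: "*" and "?" never match "/", so a wildcard stays inside one
    path component. "**" and other extensions are not implemented.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        end = pattern.find("]", i + 2) if ch == "[" else -1
        if ch == "*":
            out.append("[^/]*")           # zero to many characters
        elif ch == "?":
            out.append("[^/]")            # exactly one character
        elif end != -1:
            body = pattern[i + 1:end].replace("\\", "\\\\")
            out.append("[" + body + "]")  # character class, e.g. [Dd]
            i = end
        else:
            out.append(re.escape(ch))     # literal; case always matters
        i += 1
    return re.compile("".join(out))


def parse_rules(rule_lines):
    """Parse '+ pattern' / '- pattern' lines into (include, regex) pairs."""
    rules = []
    for line in rule_lines:
        sign, sep, pattern = line.partition(" ")
        pattern = pattern.strip().strip("/")  # assumption: "/above/" == "above"
        if sign not in ("+", "-") or not sep or not pattern:
            raise ValueError("bad filter rule: %r" % line)
        rules.append((sign == "+", glob_to_regex(pattern)))
    return rules


def rule_decision(rules, rel_path):
    """Return True (include) or False (exclude); the first matching rule wins."""
    parts = rel_path.split("/")
    for include, regex in rules:
        if include:
            # "+" matches only a path directly under the transfer directory.
            candidates = [rel_path]
        else:
            # "-" matches at any level: try every trailing sub-path.
            candidates = ["/".join(parts[i:]) for i in range(len(parts))]
        if any(regex.fullmatch(c) for c in candidates):
            return include
    return True  # no rule matched: the file is included


def is_transferred(rules, rel_path):
    """Check each parent directory first, then the path itself."""
    parts = rel_path.strip("/").split("/")
    for depth in range(1, len(parts) + 1):
        if not rule_decision(rules, "/".join(parts[:depth])):
            return False  # an excluded directory excludes everything below it
    return True


def filter_transfer_list(rule_lines, transfer_list):
    """Return the paths (relative to the transfer directory) that survive."""
    rules = parse_rules(rule_lines)
    return [p for p in transfer_list if is_transferred(rules, p)]


if __name__ == "__main__":
    # Constructed transfer list, relative to the transfer directory.
    sample = ["file.txt", "notes.txt", "docs/file.txt", "docs/readme.md"]
    print(filter_transfer_list(["+ file.txt", "- *.txt"], sample))
    print(filter_transfer_list(["- /above/", "+ /above/below"],
                               ["above/below", "other/below"]))
```

With the page's rule pair, docs/file.txt is excluded even though "+ file.txt" comes first, because the include rule only matches directly under the transfer directory while "- *.txt" matches at any depth.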

Server-Side Symbolic Link Handling

Aspera handles symbolic links based on settings configured in the aspera.conf file, found in the following location:

    /opt/aspera/etc/aspera.conf

Configuration Options

The following configuration options are set in the <file_system> section of the aspera.conf file:

    <file_system>
      <symbolic_links>comma-separated_options</symbolic_links>
    </file_system>

Note: If no option is specified, the configuration defaults to create, follow.

Option: create
    Create symbolic links with arbitrary targets. This is the default.

Option: follow
    Follow symbolic links with targets inside docroot. If at any point the path goes outside the docroot, the transfer does not complete. This option is set by default.

Client Behavior: Symbolic links are always copied to the server if the client requests.
Server Behavior: Symbolic links are always copied to the server if the client requests.

Note: If the docroot is a symbolic link and is specified as the source or destination: As the receiver, follow the target widely (no docroot constraint) and unconditionally, regardless of the symbolic link actions that are configured/requested.

Option: follow_wide
    Follow symbolic links with arbitrary targets, even if the targets are outside the docroot.

Option: none
    Take no action with symbolic links.
    Client Behavior: Take no action with symbolic links.
    Server Behavior: Take no action with symbolic links.

aspera.conf - Server-Side Encryption at Rest (EAR)

Capabilities

When files are uploaded from an Aspera client to the server, server-side encryption-at-rest (EAR) saves files on disk in an encrypted state. When downloaded from the server, server-side EAR first decrypts files automatically, and then the transferred files are written to the client's disk in an unencrypted state.

Server-side EAR provides the following advantages:

- It protects files against attackers who might gain access to server-side storage. This is important primarily when using NAS storage or cloud storage, where the storage can be accessed directly (and not just through the computer running Aspera Enterprise Server, Connect Server or Point-to-Point Client).

- It is especially suited for cases where the server is used as a temporary location, for example, when a client uploads a file and another one downloads it.
- Server-side EAR can be used together with client-side EAR. When used together, content is doubly encrypted.
- Server-side EAR doesn't create an "envelope" as client-side EAR does. The transferred file stays the same size as the original file. The server stores the encryption and various metadata necessary for server-side EAR separately. (By contrast, client-side EAR creates a file envelope containing both the encrypted contents of the file and the encryption metadata, and it also changes the name of the file by adding the file extension .aspera-env.)
- It works with both regular transfers (FASP) and HTTP fallback transfers.

Limitations and Considerations

- Server-side EAR is not designed for cases where files need to move in an encrypted state between multiple computers. For that purpose, client-side EAR is more suitable: files are encrypted when they first leave the client, then stay encrypted as they move between other computers, and are decrypted when they reach the final destination and the passphrase is available.
- Do not mix server-side EAR and non-EAR transfers. Doing so can cause problems for clients by overwriting files when downloading or uploading.
- Server-side EAR does not work with multi-session transfers (using ascp -C or node API multi_session set to greater than 1).

Configuring Server-Side EAR

1. Set the docroot in URI format.

Server-side EAR requires the storage to have a docroot in URI format, such that it is prefixed with file:///. The third slash ( / ) does not serve as the root slash for an absolute path. For example, a docroot of /home/xfer would be set as file:////home/xfer and a docroot of C:\Users\xfer would be set as file:///c:\Users\xfer.

To set the docroot for a user, group, or default, from the command line, run the appropriate asconfigurator command:

    # asconfigurator -x "set_user_data;user_name,username;absolute,file:///filepath"
    # asconfigurator -x "set_group_data;group_name,group_name;absolute,file:///filepath"
    # asconfigurator -x "set_node_data;absolute,file:///filepath"

This creates lines similar to the example below, in which the user asp1 has a docroot set to file:////users/testing/public:

    <user>
      <name>asp1</name>
      ...
      <file_system>
        <access>
          <paths>
            <path>
              <absolute>file:////users/testing/public</absolute>
            </path>
          </paths>
        </access>
      </file_system>
      ...
    </user>

To manually edit aspera.conf, open it from the following location and insert text similar to the example above.

    /opt/aspera/etc/aspera.conf

2. Set the password.

The server-side EAR password can be set for all users (global), per group, or per user. You can specify these settings using asconfigurator or by manually editing aspera.conf.

To set the EAR password for a user, group, or default, run the appropriate command:

    # asconfigurator -x "set_user_data;user_name,username;transfer_encryption_content_protection_secret,passphrase"
    # asconfigurator -x "set_group_data;group_name,group_name;transfer_encryption_content_protection_secret,passphrase"
    # asconfigurator -x "set_node_data;transfer_encryption_content_protection_secret,passphrase"

Setting the default value (global setting) creates the following text in aspera.conf:

    <default>
      <transfer>
        <encryption>
          <content_protection_secret>passphrase</content_protection_secret>
        </encryption>
      </transfer>
      ...
    </default>

Setting a value for a user, such as asp1, creates the following text in aspera.conf:

    <user>
      <name>asp1</name>
      <transfer>
        <encryption>
          <content_protection_secret>passphrase</content_protection_secret>
        </encryption>
      </transfer>
      ...
    </user>

To manually add a passphrase, open aspera.conf and insert text similar to the examples above, depending on your specifications.

3. Optional: Require content protection and/or strong passwords.

In addition to setting a password, you can set options to cause server-side EAR to fail if a password is not given or if a password is not strong enough. For example, the following asconfigurator command adds both these options for all users (global):

    # asconfigurator -x "set_node_data;transfer_encryption_content_protection_required,true;transfer_encryption_content_protection_strong_pass_required,true"

This command adds the following text in aspera.conf:

    <default>
      <transfer>
        <encryption>
          <content_protection_secret>passphrase</content_protection_secret>
          <content_protection_required>true</content_protection_required>
          <content_protection_strong_pass_required>true</content_protection_strong_pass_required>
        </encryption>
      </transfer>
      ...
    </default>

To manually enable these options, open aspera.conf and insert text similar to the example above.

4. Save your changes to aspera.conf then validate them by running the following command:

    # /opt/aspera/bin/asuserdata -v

Overview of Inline File Validation

If an executable file containing malicious code is uploaded to the server, the malicious code can subsequently be executed by an external product that integrates with an Aspera product. Inline file validation is a feature that enables file content to be validated while the file is in transit, as well as when the transfer is complete. You can include or exclude files with certain characteristics; for example:

- Accept only files of certain types (extensions)
- Examine the .zip / archive files for unapproved file types
- Disallow files greater than a certain size

The validation check is made with a Lua script or with a RESTful call to an external URL. The mode of validation used (URL or Lua) is defined in the Enterprise Server GUI or aspera.conf.

Note: Inline file validation with Lua script is only available for Enterprise Server products that are v or above.

Defining Values for Inline File Validation Parameters

The following parameters for inline file validation set the method of file validation (uri, lua, or none). They can be set in the GUI (Global Configuration > Filehandling options) or manually (by editing the aspera.conf or running the asconfigurator command).

- run at file start
- run at file stop
- run at session start
- run at session stop
- run when crossing file threshold

Two additional parameter values, specifically for inline validation with a Lua script, can be set either in the GUI or manually:

- base64-encoded Lua action script
- file path to Lua action script

The following parameters can only be set manually:

- validation threshold_kb
- validation threads
- validation uri (for inline validation with URI, only)

For more detailed information about these parameters, see.

Inline Validation with URI or Lua Script

For information on the process of validation with a URL or Lua script, see Inline File Validation with URI or Inline File Validation with Lua Script.

Inline File Validation with URI

For general information about inline file validation, see Overview of Inline File Validation.

Configuration

To set up a validation handler for inline file validation, define a URL in the <transfer> section of aspera.conf and define values for the REST service. The code examples in the steps below are for an admin using a Java servlet deployed on an Apache web server, but this process is generalizable to other programming languages and other servers.

1. Configure the REST service.

web.xml must have values for the <servlet> and <servlet-mapping> sections to provide the necessary information for validation.

Note: The <servlet-name> (URL handler) value is reused in both aspera.conf (in the next step) and custom code (see Custom Code for Including and Excluding Files, below).

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
             version="3.1">
      <servlet>
        <servlet-name>SimpleValidator</servlet-name>
        <servlet-class>aspera.validation.SimpleValidator</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>SimpleValidator</servlet-name>
        <url-pattern>/simplevalidator/validation/files</url-pattern>
      </servlet-mapping>
    </web-app>

2. Edit the <transfer> section in aspera.conf to add the server's IP address and port, and the servlet name (URL handler) found in web.xml. For example:

    <transfer>
      <validation_uri>
    </transfer>

Validation Requests and Returned Responses

During the inline validation process, ascp automatically generates a JSON-based request. The call is made with the URL already defined in aspera.conf. For example:

    POST URL/validation/files HTTP/1.1
    Content-type: application/json

The system then generates a JSON accepted or error response (OK or Bad Request).

Sample JSON accepted response:

The "file_encryption" field is only returned if server-side EAR is present.

    HTTP 200 OK
    {
      "id" : " ",
      "file_encryption" : {
        "passphrase" : "supersecret"
      },
      "aspera_response_object_name" : {
        "startstop" : "start",
        "xfer_id" : "AAAA-BBBB",
        ...
        "file_csum" : "a1000abf882",
        "file_csum_type" : "sha2-256"
      }
    }

Sample JSON error response:

If a file validation fails, it terminates the session with an error message from the URI.

    HTTP 400 Bad Request
    {
      "error" : {
        "code" : "1022",
        "message" : "The file fails validation"
      }
    }

Custom Code for Including and Excluding Files

Administrators can include or exclude files by enabling whitelisting, blacklisting, or another method of their own design. You can do this by creating custom code in the programming language of your choice, using a web server that runs a REST service. (Connect Server users have the option to use the web server associated with that installation.)

The following is an example of custom code that creates a file blacklist, using a Java servlet deployed on an Apache web server. Note that this code uses the servlet name SimpleValidator, which was defined in web.xml above.

    package aspera.validation;

    import com.google.gson.Gson;
    import com.google.gson.JsonObject;

    import javax.servlet.ServletException;
    import javax.servlet.annotation.WebServlet;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import java.io.BufferedReader;
    import java.io.IOException;

    // ValidationInput is not shown on this page; it must expose the request's
    // "file" value as a String field named file.
    @WebServlet(name = "SimpleValidator")
    public class SimpleValidator extends HttpServlet {

        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            StringBuilder fileRequestJSON = new StringBuilder();
            BufferedReader reader = request.getReader();
            String line = "";
            Gson gson = new Gson();
            System.out.println("Got Validation request...");

            // Read the whole JSON request body sent by ascp.
            while (line != null) {
                line = reader.readLine();
                if (!(line == null)) {
                    fileRequestJSON.append(line).append("\n");
                }
            }

            ValidationInput validationInput =
                    gson.fromJson(fileRequestJSON.toString(), ValidationInput.class);
            System.out.println("FileData JSON: " + fileRequestJSON.toString());

            // Blacklist by file extension. The parentheses make the null check
            // guard both endsWith calls. Matching is case-sensitive.
            if (validationInput.file != null
                    && (validationInput.file.endsWith(".sh")
                        || validationInput.file.endsWith(".exe"))) {
                JsonObject innerObject = new JsonObject();
                innerObject.addProperty("message", "Cannot transfer executable file!!");
                innerObject.addProperty("code", 1);
                JsonObject jsonObject = new JsonObject();
                jsonObject.add("error", innerObject);
                // Set the status before writing the body.
                response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                response.getOutputStream().println(jsonObject.toString());
            } else {
                JsonObject jsonObject = new JsonObject();
                jsonObject.addProperty("success", true);
                jsonObject.addProperty("data", "File is ok to transfer");
                jsonObject.addProperty("code", 1);
                response.setStatus(HttpServletResponse.SC_OK);
                response.getOutputStream().println(jsonObject.toString());
            }
            return;
        }
    }

Inline File Validation with Lua Script

For general information about inline file validation, see Overview of Inline File Validation.

The administrator defines a base-64 encoded Lua action script and a path to that script in the UI or in the <transfer> section of aspera.conf. During the inline validation process, ascp automatically generates a request; the parameters for the Lua call are passed to a Lua script defined in aspera.conf.

The returned value from Lua indicates validation success or failure:

- Validation success - No return value
- Validation failure - Returns a failure description string

Lua Logging Facility

The Lua harness provides string access to the various ascp log interfaces (simple text string only; format strings are not supported). The following ascp logging functions are supported:

- as_err
- as_log
- as_dbg1
- as_dbg2
- as_dbg3
- as_dbg4

To invoke the function, substitute lua for as in the code; for example, you could enter the following line in a Lua script for as_log:

    lua_log("this was a successful transfer")

This would result in the following log entry:

    xxxxxx LOG lua: This was a successful transfer

Securing Your SSH Server

Keeping your data secure is critically important. Aspera strongly recommends taking additional steps to set up and configure your SSH server to protect against common attacks. These steps include the following:

1. Changing the TCP port.
2. Restricting user access.

Changing and Securing the TCP Port

Generally, SSH servers listen for incoming connections on TCP Port 22. As such, Port 22 is subject to countless, unauthorized login attempts by hackers who are attempting to access unsecured servers. An effective deterrent is simply to turn off Port 22 and run the service on a seemingly random port above 1024 (and up to 65535). To standardize the port for use in Aspera transfers, Aspera recommends setting the TCP port to 33001.

The OpenSSH suite included in the installer uses TCP/22 as the default port for SSH connections. Remote Aspera clients attempt to establish an SSH connection with the server on port 33001. However, if the connection fails, the client retries the connection on port 22. Aspera recommends opening TCP/33001 and disabling TCP/22 to prevent security breaches of your SSH server. Open TCP/33001 and keep TCP/22 open until users are notified they should switch to TCP/33001. Once users are notified, block TCP/22 and allow traffic only on TCP/33001.

Prerequisites:

- Before changing the default port for SSH connections, verify with your network administrators that TCP/33001 is open.
- Before closing port TCP/22, notify users of the change.

Aspera recognizes that disabling the default SSH connection port (TCP/22) may affect your client users. When you change the port, ensure that you advise your users on how to configure the new port number, from the GUI (if available and used) and from the command line.

GUI: To change the SSH port in Desktop Client, click Connections and select the entry for the server whose ports are changing. On the Connection tab, click Show Advanced Settings and enter the SSH port number in the SSH Port (TCP) field.

Command line: Clients running FASP transfers from the command line can specify the port by using the -P option.

The following steps require root privileges.

1. Open the SSH configuration file.

    /etc/ssh/sshd_config

2. Add the TCP/33001 SSH port.

SSHD can listen on multiple ports, so you can have both TCP/33001 and TCP/22 open. To enable TCP/33001, add the port to your sshd_config file, as in the following example:

    Port 22
    Port 33001

Once your client users have been notified of the port change to TCP/33001, disable TCP/22 and use only TCP/33001 by commenting out "Port 22" in your sshd_config file. For example:

    #Port 22
    Port 33001

3. Disable non-admin SSH tunneling.

These instructions require that OpenSSH 4.4 or newer is installed on your system in order to use the Match directive. Match allows you to selectively override certain configuration options when specific criteria (based on user, group, hostname, or address) are met.

Open your SSH Server configuration file, sshd_config, with a text editor. Add the following lines to the end of the file (or modify them if they already exist):

    AllowTcpForwarding no
    Match Group root
    AllowTcpForwarding yes

Depending on your sshd_config file, you might have additional instances of AllowTcpForwarding that are set to the default yes. Review your sshd_config file for other instances and disable if necessary.

Disabling TCP forwarding does not improve security unless users are also denied shell access, because they can still install their own forwarders. Review your user and file permissions, and see the steps below for instructions on modifying user shell access.

4. Update authentication methods.

Public key authentication can prevent brute-force SSH attacks if all password-based authentication methods are disabled. For this reason, Aspera recommends disabling password authentication in the sshd_config file and enabling private/public key authentication. To do so, add or uncomment PubkeyAuthentication yes and comment out PasswordAuthentication yes.

    PubkeyAuthentication yes
    #PasswordAuthentication yes
    PasswordAuthentication no

Note: If you choose to leave password authentication enabled, be sure to advise account creators to use strong passwords and set PermitEmptyPasswords to "no".

    PermitEmptyPasswords no

5. Disable root login.

By default, OpenSSH allows root logins. However, disabling root access helps maintain a more secure server. Aspera recommends disabling root access by commenting out PermitRootLogin yes in the sshd_config file and adding PermitRootLogin no.

    #PermitRootLogin yes
    PermitRootLogin no

Administrators can use the su command when root privileges are necessary.

6. Restart the SSH server to apply new settings.

To apply your new SSH server configuration settings, you must restart the server. Restarting your SSH server does not affect currently connected users.
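Added example (not from the Aspera documentation): a POSIX shell check of an sshd_config against the settings in steps 2 through 5, using sshd's rules that the first value read for a keyword wins and that every line after a Match line belongs to that block. The function name audit_sshd_config and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config (on stdin) against the recommendations
# above. Prints one FAIL line per finding and returns 1 if there are any.
audit_sshd_config() {
    awk '
    # Compare the effective global value of a keyword with the wanted one.
    # Effective value = first occurrence outside any Match block, else default.
    function want(key, good, dflt,    v) {
        v = (key in first) ? first[key] : dflt
        if (v != good) {
            printf "FAIL %s: effective value is %s, want %s\n", key, v, good
            bad++
        }
    }
    NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
    {
        key = tolower($1); val = tolower($2)
        if (key == "match") {              # conditional block until next Match/EOF
            in_match = 1
            root_match = (val == "group" && $3 == "root")
            next
        }
        if (in_match) {
            if (key == "allowtcpforwarding" && val != "no" && !root_match) {
                print "FAIL allowtcpforwarding: enabled in a Match block other than Group root"
                bad++
            }
            next
        }
        if (key == "port") { ports[$2] = 1; next }   # every Port line is a listener
        if (!(key in first)) first[key] = val        # later duplicates are ignored
    }
    END {
        n = 0; for (p in ports) n++
        if (!("33001" in ports)) { print "FAIL port: TCP/33001 is not configured"; bad++ }
        if (n == 0 || ("22" in ports)) { print "FAIL port: sshd still listens on TCP/22"; bad++ }
        want("allowtcpforwarding", "no", "yes")
        want("passwordauthentication", "no", "yes")
        want("pubkeyauthentication", "yes", "yes")
        want("permitemptypasswords", "no", "no")
        # The PermitRootLogin default differs between OpenSSH versions, so an
        # explicit "no" is required.
        want("permitrootlogin", "no", "unset")
        exit (bad > 0)
    }'
}

# Constructed sample: the settings from steps 2 to 5 applied as recommended.
sample_hardened() {
    cat <<'EOF'
#Port 22
Port 33001
PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
#PermitRootLogin yes
PermitRootLogin no
AllowTcpForwarding no
Match Group root
    AllowTcpForwarding yes
EOF
}

# Constructed sample: transition period (both ports open), an older
# PasswordAuthentication line left above the new one, and hardening lines
# appended below an existing Match block, where they are not global.
sample_appended() {
    cat <<'EOF'
Port 22
Port 33001
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    X11Forwarding no
AllowTcpForwarding no
PermitRootLogin no
EOF
}

# Stand-alone run: show the findings for the second sample.
sample_appended | audit_sshd_config || echo "sample_appended: findings listed above"
```

To check a live server, run the function with /etc/ssh/sshd_config on standard input before restarting sshd.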

To restart or reload your SSH server, run the following commands:

    Linux Version              Command
    RedHat, zlinux (restart)   $ sudo service sshd restart
    RedHat, zlinux (reload)    $ sudo service sshd reload
    Debian (restart)           $ sudo /etc/init.d/ssh restart
    Debian (reload)            $ sudo /etc/init.d/ssh reload

7. Review your logs periodically for attacks.

You can view the state of active TCP connections by running the netstat command:

    # netstat -an -p tcp

Typical output shows multiple, different IP addresses connected to specific ports:

    [netstat sample output, addresses not preserved: seven TCP connections in states CLOSE_WAIT, ESTABLISHED, TIME_WAIT, ESTABLISHED, ESTABLISHED, ESTABLISHED, ESTABLISHED]

If your server is under attack, you might see output similar to the following, in which the same IP address attempts to connect to contiguous ports (hundreds or thousands of times) and the connection is timing out (reporting a status of TIME_WAIT):

    [netstat sample output, addresses not preserved: seven TCP connections, all in state TIME_WAIT]

If you see this, review your logs to determine the source and cause. Open your syslog, which is located in /var/log/auth.log or /var/log/secure, depending on your system configuration. Look for invalid users in the log, especially a series of login attempts with common user names from the same address, usually in alphabetical order. For example:

    ...
    Mar 10 18:48:02 sku sshd[1496]: Failed password for invalid user alex from port 1585 ssh2
    ...
    Mar 14 23:25:52 sku sshd[1496]: Failed password for invalid user alice from port 1585 ssh2
    ...

If you identify attacks, take the following steps:

- Double-check the SSH security settings in this topic.
- Report attackers to your ISP's address for abuse reports (often

Restricting User Access

Restricting user access is a critical component of securing your server. By default, all user accounts are allowed to browse and read all files on the server. To limit a user's access to a portion of the system, set the account's shell to the Aspera secured shell (aspshell) and create a document root (docroot) for that user. The aspshell permits only the following operations:

- Run Aspera uploads and downloads to or from this computer.
- Establish connections in the application.
- Browse, list, rename, create, or delete contents.

1. Restrict user permissions with aspshell.

By default, all system users can establish a FASP connection and are only restricted by file permissions. You can restrict the user's file operations through the aspshell, which permits only the following operations:

- Running Aspera uploads and downloads to or from this computer.
- Establishing connections in the application.
- Browsing, listing, creating, renaming, or deleting contents.

These instructions explain one way to change a user account so that it uses the aspshell; there may be other ways to do so on your system.

Open the following file with a text editor:

    /etc/passwd

Add or replace the user's shell with aspshell. For example, to apply aspshell to the user aspera_user_1, use the following settings in this file:

    ...
    aspera_user_1:x:501:501:...:/home/aspera_user_1:/bin/aspshell

2. Set a user's docroot and restrict read, write, and browse privileges.

When a user's docroot is empty (blank), that user has full access to your server's directories and files. To restrict the user, you must set a non-empty docroot. Run the following command to set a docroot for a specific user:

    # asconfigurator -x "set_user_data;user_name,username;absolute,docroot"

You can further restrict access by disabling write privileges:

    # asconfigurator -x "set_user_data;user_name,username;write_allowed,false"

3. Run the asp-check tool to check for potential user-security issues.

The asp-check tool performs the following secure checks:

- Identifies full-access users and reports how many exist on the system. The existence of full-access users does not necessarily indicate that your system is vulnerable. However, the system administrator must ensure that the existence of full-access users is intentional.
- Identifies restricted users and potential misconfigurations, including: incorrect login shell (one that is not restricted via aspshell), SSH tunnel access (which can be used to work around the restricted shell), and docroot settings that allow users to access the home directory.

Note: A docroot setting that allows access to the home directory is not necessarily a security risk. However, a user with this docroot can download or upload SSH keys and upload .login scripts,

which could be used to circumvent other access restrictions. Aspera highly recommends setting the docroot under a user's home directory (such as /home/jane/data) or in an alternate location (for example, /data).

To run the asp-check tool, run the following command:

    # sudo /opt/aspera/bin/asp-check.sh

Search results are displayed as in the following example. If potential issues are identified, review your users' settings before proceeding.

    Users with full access: 22 (not considered insecure)
    Restricted users: 0
    Insecure users: 0
     - no restricted shell (aspshell): 0
     - docroot above home directory: 0
     - ssh tunneling enabled: 0

Pre- and Post-Processing (Prepost)

Setting Up Pre/Post Processing

Your Aspera server can execute a shell script from a pre-defined location:

The script is executed as a result of four transfer events:

- Session start
- Session end
- Start of each individual file transfer in the session
- End of each individual file transfer in the session

The aspera-prepost script can also execute additional shell scripts, Perl scripts, native executables, and Java programs. Aspera sets several environment variables for aspera-prepost that you can use in your own custom scripts. These environment variables are described in detail in Pre/Post Variables. Depending on usage, pre- and post-processing may consume a large amount of system resources. Be sure to evaluate your system performance and apply this feature appropriately.

Caution: When creating pre- and post-processing scripts, unsafe scripts can compromise a server. As with CGI scripts, you should take precautions in testing a pre/post script before placing it into use (such as taint checking and ensuring proper quotes). You should also be aware of user permissions; pre/post scripts run as the user who authenticates the transfer. To prevent a pre/post script from performing an action with elevated or special user permissions, the script needs to check the $USER variable.

Follow the steps below to set up pre/post processing for your Aspera transfer product:

1. Set up the shell script file.

Locate the following file:

    /opt/aspera/var/aspera-prepost.disable

This file runs the perl script aspera-notif.pl, which is an email notification script that sends emails (according to user-defined filters) to one or more recipients. Filters and email lists are defined in the Aspera configuration file aspera.conf, which is located in /opt/aspera/etc.

Copy the contents of aspera-prepost.disable into a new file, and name it as follows:

    /opt/aspera/var/aspera-prepost

Ensure that execute privileges are enabled (at least r-xr-xr-x).

2. Create your scripts.

The pre/post processing script, aspera-prepost, can contain the pre/post processing steps, as well as execute other programs. Often, aspera-prepost checks for certain conditions (based on environment variables), and then calls a specific external executable based on those conditions. aspera-prepost is executed as a result of the start and end of a transfer session, as well as the start and end of the transfer of an individual file in the session. You can use the variables TYPE and STARTSTOP to specify a particular state. For the complete list of all variables, see Pre/Post Variables.

3. Include custom scripts in aspera-prepost.

Custom scripts can be written directly into the script file aspera-prepost. For example, to add the custom script script1.pl to your pre/post script, insert the following line (into aspera-prepost):

    ...
    perl script1.pl
    ...

Pre/Post Variables

The following tables list all pre/post variables for setting up pre- and post-processing.

Pre/post variable considerations:

- Pre/post variables are case-sensitive.
- Pre/post variables that can be arbitrarily long (values marked with * below) are truncated by prepost scripts.

For Type Session and Type File

    Variable      Description                                     Values                        Example
    COOKIE        The user-defined cookie string.                 string*                       "$COOKIE" == cookie-string
    DIRECTION     The transfer direction.                         send, recv                    "$DIRECTION" == send
    ERRCODE       The error code.                                 string                        "$ERRCODE" == 1
    ERRSTR        The error string.                               string                        "$ERRSTR" == FASP error
    MANIFESTFILE  The full path to the manifest file.             string*                       "$MANIFESTFILE" == /log
    PEER          The peer name or IP address.                    string or valid IPv4 address  "$PEER" ==
    SECURE        Transfer encryption.                            yes, no                       "$SECURE" == no
    SESSIONID     The session id.                                 string                        "$SESSIONID" == 1
    STARTSTOP     The status start or stop.                       Start, Stop                   "$STARTSTOP" == Start
    STATE         The transfer state.                             started, success, failed      "$STATE" == success
    TYPE          The event type.                                 Session, File                 "$TYPE" == Session
    USER          The user name                                   string                        "$USER" == aspera_user_1
    USERID        The user ID                                     string                        "$USERID" == 501
    USERSTR       The user string, such as additional variables.  string*                       "$USERSTR" == -q

For Type Session

    Variable      Description                                          Values            Example
    FILE1         The first file.                                      string*           "$FILE1" == first-file
    FILE2         The second file.                                     string*           "$FILE2" == second-file
    FILECOUNT     The number of files.                                 positive integer  "$FILECOUNT" >= 5
    FILELAST      The last file.                                       string*           "$FILELAST" == last-file
    LICENSE       The license account and serial number.               string            "$LICENSE" == license-string
    MINRATE       The initial minimum rate, in Kbps.                   positive integer  "$MINRATE" == 50
    PEERLICENSE   The peer's license account and serial number.        string            "$PEERLICENSE" == license-string
    RATEMODE      The transfer policy.                                 adapt, fixed      "$RATEMODE" == adapt
    SOURCE        The full path of the source file.                    string*           "$SOURCE" == /tmp
    TARGET        The full path of the target directory.               string*           "$TARGET" == .
    TARGETRATE    The initial target rate, in Kbps.                    positive integer  "$TARGETRATE" == 100
    TOTALBYTES    The total bytes transferred.                         positive integer  "$TOTALBYTES" >=
    TOTALSIZE     The total size of files being transferred in bytes.  positive integer  "$TOTALSIZE" >=

For Type File

    Variable      Description                                                  Values                          Example
    DELAY         The measured network delay, in ms.                           positive integer                "$DELAY" <= 1
    FILE          The file name.                                               string*                         "$FILE" == file-name
    FILE_CSUM     Destination checksum of the most recently transferred file.  string                          "$FILE_CSUM" == checksum
    LOSS          The network loss in percentage.                              double-digit fixed point value  "$LOSS" >= 5.00

    Variable      Description                                                  Values                          Example
    OVERHEAD      The total number of duplicate packets.                       positive integer                "$OVERHEAD" >= 1
    RATE          The transfer rate in Kbps.                                   double-digit fixed point value  "$RATE" >=
    REXREQS       The total number of retransmission requests.                 positive integer                "$REXREQS" >= 3
    SIZE          The file size in bytes.                                      positive integer                "$SIZE" >=
    STARTBYTE     The start byte if resumed.                                   positive integer                "$STARTBYTE" >=

Pre/Post Examples

Pre- and post-processing script examples are shown below (bash syntax). To run these examples on your own system, do the following:

- Save the example to /opt/aspera/var/myscript.sh.
- Ensure that the script file is executable, for example:

      $ chmod +x /opt/aspera/var/myscript.sh

- Add the line /opt/aspera/var/myscript.sh to /opt/aspera/var/aspera-prepost to call myscript.sh. Be sure there is no exit condition in aspera-prepost before you call your script.

1. Shell - Change file and directory permissions.

In the shell script, change file and directory permissions after receiving, and log into the file /tmp/p.log:

    #!/bin/bash
    # Act only when the transfer of a single file has finished.
    if [ "$TYPE" == File ]; then
      if [ "$STARTSTOP" == Stop ]; then
        echo "The file is: $FILE" >> /tmp/p.log
        # $FILE is quoted because the name is supplied by the transfer.
        # Mode 777 makes the file world-writable.
        chmod 777 -- "$FILE"
      fi
    fi

2. Shell - Forward files to another computer.

In the shell script, transfer received files to a third computer, and remove the local copy.

Important: For this example to work properly, the server's host key must be cached.

    #!/bin/bash
    RATE=10m
    export ASPERA_SCP_PASS=aspera
    # Forward only files that were received successfully.
    if [ "$TYPE" == File ]; then
      if [ "$STARTSTOP" == Stop ]; then
        if [ "$STATE" == success ]; then
          if [ "$DIRECTION" == recv ]; then
            logger -plocal2.info "Move file $FILE to $TARGET"
            ascp -T -o RemoveAfterTransfer=yes -l "$RATE" "$FILE" "$TARGET"
          fi
        fi
      fi
    fi

3. Shell - Create a log of successfully transferred files.

In the shell script, store successfully transferred files as a list into the file /tmp/aspera.transfer.log:

    #!/bin/bash
    if [ "$TYPE" == File ]; then
      if [ "$STARTSTOP" == Stop ]; then
        if [ "$SIZE" -gt 0 ]; then
          # Log only if bytes were transferred in this session (not a pure resume).
          if [ "$(expr "$SIZE" - "$STARTBYTE")" -gt 0 ]; then
            date >> /tmp/aspera.transfer.log
            echo "$STATE $FILE $SIZE bytes transferred" >> /tmp/aspera.transfer.log
          fi
        fi
      fi
    fi

Setting Up Email Notification

The email notification feature is a built-in pre- and post-processing application that generates customized emails based on transfer events. Your server should have pre- and post-processing configured in order to run this application. For details, see Setting Up Pre/Post Processing.

Email notification requires an SMTP server that matches the following configurations:

- An open SMTP server you can reach on your network.
- The SMTP Server must not use any external authentication or SSL.

The following steps explain how to set up email notification:

1. Prepare the email notification configuration template.

Open the aspera.conf file:

    /opt/aspera/etc/aspera.conf

Locate or create the section <EMAILNOTIF>...</EMAILNOTIF>:

    <CONF version="2">
      ...
      <EMAILNOTIF>
        <MAILLISTS
          mylist = "asperausers@example.com, admin@example.com"
          myadminlist = "admin@example.com"
        />
        <FILTER
          MAILLISTS = "mylist"
          TARGETDIR = "/content/users"
        />
        <MAILCONF
          DEBUG = "0"
          FROM = "asperaserver@example.com"
          MAILSERVER = "mail.example.com"
          SUBJECT = "Transfer %{SOURCE} %{TARGET} - %{STATE}"
          BODYTEXT = "Aspera transfer: %{STATE}%{NEWLINE}%{TOTALBYTES} bytes in %{FILECOUNT} files: %{FILE1}, %{FILE2},...%{FILELAST}."
        />
      </EMAILNOTIF>
    </CONF>

2. Set up the basic Notification function in <MAILCONF/>.

<MAILCONF/> defines the general email configuration, including the sender, the mail server, and the body text. In the SUBJECT and BODYTEXT options, the pre- and post-processing variables can be used with the format %{variable}, such as %{STATE} for the variable STATE. For the complete list of the variables, see Pre/Post Variables.

    MAILCONF Field  Description                                              Values                 Example
    FROM            The email address to send notifications from. (Required)  a valid email address  FROM="admin@example.com"
    MAILSERVER      The outgoing mail server (SMTP). (Required)              A valid URL            MAILSERVER="mail.example.com"
    SUBJECT         General subject of the email.                            text string            SUBJECT="Transfer:%{STATE}"
    BODYTEXT        General body of the email.                               text string            BODYTEXT="Transfer has %{STATE}."
    DEBUG           Print debugging info and write to the logs.              "0" = off, "1" = on    DEBUG="0"

3. Create mailing lists in <MAILLISTS />.

<MAILLISTS /> defines sets of mailing lists. For example, to create the following mailing list:

    Item               Value
    Mailing list name  list1
    Emails to include  janedoe@companymail.com, johndoe@companymail.com

Specify the mailing list in the following form:

    <MAILLISTS list1 = "janedoe@companymail.com, johndoe@companymail.com" />

4. Set up mailing filters in <FILTER />.

<FILTER /> defines email notification conditional filters. When the conditions are met, a customized email is sent to the indicated mailing list. Multiple filters are allowed. The values in the filter are matched as substrings; for example, USER = root matches strings such as root, treeroot, and root1.
The pre- and post-processing variables can be used with the format %{variable}, such as %{STATE} for the variable STATE. For the complete list of the variables, see Pre/Post Variables.

| FILTER Field | Description | Values | Example |
|--------------|-------------|--------|---------|
| MAILLISTS | Required. The email lists to send to. Separate lists with comma (,). | text string | MAILLISTS="mylist" |
| USER | Login name of the user who transferred the files. | text string | USER="aspera_user_1" |
| SRCIP | Source IP of the files. | a valid IPv4 address | SRCIP=" " |
| DESTIP | Destination IP of the files. | a valid IPv4 address | DESTIP=" " |
| SOURCE | The top-level directories and files that were transferred. | text string | SOURCE="/folder1" |
| TARGETDIR | The directory that the files were sent to. | text string | TARGETDIR="/folder2" |
| SUBJECTPREFIX | The email subject, preceded by the SUBJECT in <MAILCONF />. | text string | SUBJECTPREFIX="Sub" |
| BODYPREFIX | The email body, preceded by the BODYTEXT in <MAILCONF />. | text string | BODYPREFIX="Txt" |
| TOTALBYTESOVER | Send email when total bytes transferred is over this number. This only applies to emails sent at the end of a transfer. | positive integer | TOTALBYTESOVER="9000" |
| SENDONSESSION | Send email for the entire session. | yes / no | SENDONSESSION="yes" |
| SENDONSTART | Send email when transfer is started. This setting is dependent on SENDONSESSION="yes". | yes / no | SENDONSTART="yes" |
| SENDONSTOP | Send email when transfer is stopped. This setting is dependent on SENDONSESSION="yes". | yes / no | SENDONSTOP="yes" |
| SENDONFILE | Send email for each file within a session. | yes / no | SENDONFILE="yes" |

Email Notification Examples

1. Notify a specified mailing list when a transfer session is completed.

    <EMAILNOTIF>
      <MAILLISTS
        list1 ="janedoe@companyemail.com, johndoe@companyemail.com"
      />
      <MAILCONF
        FROM="Aspera Notifier <admin@companyemail.com>"
        MAILSERVER="smtp.companyemail.com"
        BODYTEXT="%{NEWLINE}Powered by Aspera Inc."
      />
      <FILTER
        MAILLISTS="list1"
        SENDONSESSION="yes"
        SUBJECTPREFIX="Aspera Transfer - %{USER} "
        BODYPREFIX="Status: %{STATE}%{NEWLINE}
                    File Count: %{FILECOUNT}"
      />
    </EMAILNOTIF>

2. Notify the specified mail list when a session is initiated and completed.

    <EMAILNOTIF>
      <MAILLISTS
        list1 ="janedoe@companyemail.com, johndoe@companyemail.com"
      />
      <MAILCONF
        FROM="Aspera Notifier <admin@companyemail.com>"
        MAILSERVER="smtp.companyemail.com"
        SUBJECT=" by %{USER}"
        BODYTEXT="%{NEWLINE}Powered by Aspera Inc."
      />
      <FILTER
        MAILLISTS="list1"
        SENDONSTART="yes"
        SENDONSTOP="no"
        SUBJECTPREFIX="Transfer Started"
        BODYPREFIX="Source: %{PEER}%{NEWLINE}
                    Target: %{TARGET}"
      />
      <FILTER
        MAILLISTS="list1"
        SENDONSTART="no"
        SENDONSTOP="yes"
        SUBJECTPREFIX="Transfer Completed"
        BODYPREFIX="
          Status: %{STATE}%{NEWLINE}
          File Count: %{FILECOUNT}%{NEWLINE}
          Source: %{PEER}%{NEWLINE}
          Target: %{TARGET}%{NEWLINE}
          Bytes Transferred: %{TOTALBYTES} Bytes%{NEWLINE}
        "
      />
    </EMAILNOTIF>

3. Send different email notifications for regular transfers and for Aspera Sync transfers.

In the example below, when Aspera Sync triggers a transfer (assuming only Aspera Sync uses the folder /sync-folder), an email message is sent to "mediagroup". When a regular transfer occurs (files are sent to /upload), a different notification is sent to "medialead" and "admingroup".

    <EMAILNOTIF>
      <MAILLISTS
        mediagroup ="johndoe@companyemail.com, janedoe@companyemail.com"
        medialead ="janedoe@companyemail.com"
        admingroup ="admin@companyemail.com, root@companyemail.com"
      />
      <MAILCONF
        FROM="Aspera Notifier <admin@companyemail.com>"
        MAILSERVER="smtp.companyemail.com"
        BODYTEXT="%{NEWLINE}Powered by Aspera Inc."
      />
      <FILTER
        MAILLISTS="mediagroup"
        SENDONSESSION="yes"
        DESTIP=" "
        TARGETDIR="/sync-folder"
        SUBJECTPREFIX="Aspera Sync #1 - From %{PEER}"
        BODYPREFIX="Status: %{STATE}%{NEWLINE}
                    File Count: %{FILECOUNT}"
      />
      <FILTER
        MAILLISTS="medialead,admingroup"
        SENDONSESSION="yes"
        TARGETDIR="/upload"
        SUBJECTPREFIX="Transfer - %{USER}"
        BODYPREFIX="
          Status: %{STATE}%{NEWLINE}
          Source: %{PEER}%{NEWLINE}
          File Count: %{FILECOUNT}%{NEWLINE}
          Bytes Transferred: %{TOTALBYTES} Bytes%{NEWLINE}
        "
      />
    </EMAILNOTIF>

ascp: Transferring from the Command Line

Ascp Command Reference

The executable ascp (Aspera secure copy) is a command-line FASP transfer program. The tables below describe the complete command usage, including general syntax guidelines, supported environment variables, a synopsis, and command options.

General Syntax Guidelines

| Item | Description |
|------|-------------|
| Symbols used in the paths | Use single-quote (' ') and forward-slashes (/) on all platforms. |
| Characters to avoid | / \ " : ' ? > < & * |

Environment Variables

If needed, you can set the following environment variables for use with the ascp command:

| Item | Initiation Command |
|------|--------------------|
| Password | ASPERA_SCP_PASS=password |
| Token | ASPERA_SCP_TOKEN=token |
| Cookie | ASPERA_SCP_COOKIE=cookie |
| Content Protection Password | ASPERA_SCP_FILEPASS=password |
| Proxy Server Password | ASPERA_PROXY_PASS=proxy_server_password |

Ascp Usage

    ascp options [[user@]srchost:]source_file1[,source_file2,...] [[user@]desthost:]target_path

For examples of ascp commands, see Ascp General Examples.
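Pre/post example 2 earlier in this reference keeps the transfer password in the script through ASPERA_SCP_PASS, disables encryption with -T, and expands $FILE and $TARGET unquoted. The script below is an added example, not part of the IBM documentation, showing a hardened variant that uses only ascp options documented in this reference (-i, --check-sshfp, -l, --remove-after-transfer); FORWARD_DEST, FORWARD_KEY, FORWARD_FP, FORWARD_RATE and ASCP_BIN are hypothetical names with placeholder defaults.

```shell
#!/bin/bash
# Added example (not IBM's code): hardened variant of the "forward files"
# pre/post script. All FORWARD_* names and ASCP_BIN are hypothetical and
# the default values are placeholders for your own deployment.

FORWARD_DEST="${FORWARD_DEST:-xfer@forward.example.com:/incoming}"
FORWARD_KEY="${FORWARD_KEY:-/opt/aspera/var/forward_key}"   # SSH private key, readable by the transfer user only
FORWARD_FP="${FORWARD_FP:-}"                                # pinned host key fingerprint, hex without colons
FORWARD_RATE="${FORWARD_RATE:-10m}"
ASCP_BIN="${ASCP_BIN:-ascp}"

log_event() {
    # Same syslog facility as the original example; logging must never fail the hook.
    logger -p local2.info "prepost-forward: $*" 2>/dev/null || true
}

forward_received_file() {
    # Act only when a received file has finished successfully.
    [ "${TYPE:-}" = "File" ]      || return 0
    [ "${STARTSTOP:-}" = "Stop" ] || return 0
    [ "${STATE:-}" = "success" ]  || return 0
    [ "${DIRECTION:-}" = "recv" ] || return 0

    # The file name is chosen by the sender: refuse empty values and values
    # that ascp would parse as an option.
    case "${FILE:-}" in
        ""|-*) log_event "refusing unusable FILE value"; return 1 ;;
    esac

    # Forward regular files only; never follow a symbolic link out of the docroot.
    if [ ! -f "$FILE" ] || [ -L "$FILE" ]; then
        log_event "refusing non-regular file"
        return 1
    fi

    # Fail closed when no host key fingerprint is pinned.
    if [ -z "$FORWARD_FP" ]; then
        log_event "no pinned fingerprint configured; not forwarding"
        return 1
    fi

    log_event "forwarding one file to $FORWARD_DEST"
    # Key authentication instead of a password in the script, encryption left
    # enabled (no -T), and every expansion quoted so that spaces or shell
    # metacharacters in the name stay inside a single argument.
    "$ASCP_BIN" -i "$FORWARD_KEY" --check-sshfp="$FORWARD_FP" \
        -l "$FORWARD_RATE" --remove-after-transfer \
        "$FILE" "$FORWARD_DEST"
}

# aspera-prepost exports TYPE, STARTSTOP, STATE, DIRECTION and FILE before
# calling this script; without them the call below is a no-op.
forward_received_file
```
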

Important: If you do not specify a username for the transfer, the local username is authenticated (by default). If you are authenticating on a Windows machine as a domain user, the transfer server strips the domain from the username. For example, Administrator is authenticated rather than DOMAIN\Administrator. Thus, you must specify the domain explicitly.

Special Considerations for URI Paths

URIs are supported in paths, but only under the following restrictions:

- URIs can only be specified on the command line.
- If the source paths are URIs, they must all be in the same cloud storage account. No docroot (download), local docroot (upload), or source prefix can be specified.
- If a destination path is a URI, no docroot (upload) or local docroot (download) can be specified.
- The special schemes stdio:// and stdio-tar:// are supported only on the client. They cannot be used as an upload destination or download source.
- If required, specify the URI passphrase as part of the URI or set it as an environment variable (ASPERA_SRC_PASS or ASPERA_DST_PASS, depending on the direction of transfer).

Transfer Testing with Minimal Storage Requirements

For ascp transfer testing purposes, you can use a faux:// argument in place of the source file and target path to send random data and not write it to disk at the destination. For more information, see. For examples, see Ascp General Examples.

Ascp Options

-h, --help
    Display usage.

-A, --version
    Display version and license information; then exit.

-T
    Disable encryption for maximum throughput.

-c
    Specify the encryption cipher for file data. Options are aes128, aes192, aes256, or none. This overrides the setting for transport_cipher in aspera.conf.

-d
    Create target directory if it doesn't already exist.
    Note: This option is automatically applied for uploads to object storage.

-q
    Quiet mode (to disable progress display).
-v
    Verbose mode (prints connection and authentication debug messages in the log file). For information on log files, see.

-6
    Enable IPv6 address support. When using IPv6, the numeric host can be written inside brackets. For example, [2001:0:4137:9e50:201b:63d3:ba92:da] or [fe80::21b:21ff:fe1c:5072%eth1].

-D | -DD | -DDD
    Specify the debug level, where each D is an additional level of debugging.

-l max_rate
    Set the target transfer rate in Kbps (default: Kbps). If the ascp client does not specify a target rate, the rate is acquired from the server aspera.conf setting. If local or server aspera.conf rate caps are specified, the "starting" (default) rate is not higher than the cap.

-m min_rate
    Set the minimum transfer rate in Kbps (default: 0). If the ascp client does not specify a minimum rate, the rate is acquired from the server aspera.conf setting. If local or server aspera.conf rate caps are specified, the "starting" (default) rate is not higher than the cap.

-u user_string
    Apply a user string, such as variables for pre- and post-processing.

-i private_key_file
    Use public key authentication and specify the SSH private key file. Typically, the private key file is in the directory $HOME/.ssh/id_algorithm. Multiple private key files can be specified using multiple -i arguments. The keys are tried in order and the process ends when a key passes authentication or when all keys have been tried and authentication fails.

-w{r|f}
    Test bandwidth from server to client (r) or client to server (f). Currently a beta option.

-K probe_rate
    Set probing rate (Kbps) when measuring bottleneck bandwidth. (Default: 100Kbps)

-k {0|1|2|3}
    Enable resuming partially transferred files at the specified resume level (default: 0). This must be specified for your first transfer; otherwise, it does not work for subsequent transfers. Resume levels:
    - -k 0  Always retransfer the entire file.
    - -k 1  Check file attributes and resume if the current and original attributes match.
    - -k 2  Check file attributes and do a sparse file checksum; resume if the current and original attributes/checksums match.
    - -k 3  Check file attributes and do a full file checksum; resume if the current and original attributes/checksums match.
    When a complete file exists at the destination (no .aspx), the source file size is compared with the destination file size. When a partial file and a valid .aspx file exist at the destination, the source file size is compared with the file size recorded inside the .aspx file.

-Z dgram_size
    Specify the datagram size (MTU) for FASP. By default, the detected path MTU is used. (Range: bytes)
    Note: As of version 3.3, datagram size can also be enforced by the server using <datagram_size> in aspera.conf. If size is set with both -Z (client side) and <datagram_size> (server side), the <datagram_size> setting is used. If the client side is pre-3.3, datagram size is determined by the -Z setting, regardless of the server-side setting for <datagram_size>. In this case, if there is no -Z setting, datagram size is based on the discovered MTU and the server logs the message "LOG Peer client doesn't support alternative datagram size".

-g read_size
    Set the read-block size, in bytes. A read_size of 1M is 1 MB. The maximum block size is 500 MB. The default of 256K causes the Aspera sender to use its default internal buffer size.
    This is a performance-tuning parameter for an Aspera sender, which takes effect only if the sender is a server. It specifies the maximum number of bytes that can be stored within a block as the block is transferred from the source disk to the receiver. This option overrides the client's configuration file setting for this feature if set. The server uses its configuration file setting for this feature if it's set, otherwise it uses read_size if set; however, it does not use settings in the client configuration file.

-G write_size
    Set the write-block size, in bytes. A write_size of 1M is 1 MB. The maximum block size is 500 MB. The default of 256K causes the Aspera receiver to use its default internal buffer size.

    This is a performance-tuning parameter for an Aspera receiver, which takes effect only if the receiver is a server. It specifies the maximum number of bytes within a block that an ascp receiver can write to disk. This option overrides the client's configuration file setting for this feature if set. The server uses its configuration file setting for this feature if it's set, otherwise it uses write_size if set; however, it does not use settings in the client configuration file.

-L local_log_dir[:size]
    Specify a logging directory in the local host, instead of using the default directory. Optionally set the size of the log file (default 10 MB).

-R remote_log_dir
    Specify a logging directory in the remote host, instead of using the default directory.

-S remote_ascp
    Specify the name of the remote ascp binary (if different).

-e prepost
    Specify an alternate pre/post command. Use the complete path and file name.

-O fasp_port
    Set the UDP port to be used by FASP for data transfer. (Default: 33001)

-P ssh-port
    Set the TCP port to be used for FASP session initiation. (Default: 22)

-C nid:ncount
    Enable multi-session transfers (also known as parallel transfers) on a multi-node/multi-core system. Specify the node ID (nid) and count (ncount) in the format 1:2, 2:2. The valid range of values for nid and ncount is 1-128, and nid must be less than or equal to ncount. Assign each participant to an independent UDP port. Large files can be split across sessions, see --multi-session-threshold.

-E pattern
-N pattern
    Exclude (-E) or include (-N) files or directories from the transfer using the specified pattern. This option can be used multiple times to exclude/include many patterns. Up to 16 -E and -N patterns can be used. The following two symbols can be used in specifying the pattern:
    - A "*" (asterisk) represents zero or more characters in a string. For example, *.tmp matches .tmp and abcde.tmp.
    - A "?" (question mark) represents a single character. For example, t?p matches tmp but not temp.
    Rules are applied in the order in which they are encountered, with the first rule taking precedence. For details on specifying rules, see Applying Filters to Include and Exclude Files.

--exclude-newer-than=mtime
--exclude-older-than=mtime
    Exclude files from the transfer based on when the file was last changed. This feature does not include directories.

-f config_file
    Specify an alternate Aspera configuration file (default is aspera.conf).

-W token_string
    Specify the token string for the transfer.

-@
    Transfer only part of a file. This option only works when downloading a single file and does not support resuming. The argument to "-@" may omit either or both numbers, and the ":" delimiter. For example, -@3000:6000 transfers bytes from position 3000 to position 6000; -@1000: transfers from 1000 to the end of the file; and -@:1000 transfers from beginning to 1000.

-X rexmsg_size
    Adjust the maximum size in bytes of a retransmission request. (Max: 1440).

--mode=mode
    Specify the transfer direction, where mode is either send or recv. Requires --host.

--user=username
    The user name to be authenticated by the transfer server.
    Important: If you do not specify a username for the transfer, the local username is authenticated (by default). If you are authenticating on a Windows machine as a domain user, the transfer server strips the domain from the username. For example, Administrator is authenticated rather than DOMAIN\Administrator. Thus, you must specify the domain explicitly.

--host=hostname
    The server's address. Requires --mode.

--keepalive
    Run ascp in persistent mode. Requires --mode and --host.

--save-before-overwrite
    Saves a copy of an existing file if a transfer would overwrite the file. If the filename is filename.ext, the file is saved as filename.yyyy.mm.dd.hh.mm.ss.index.ext (where index is set to 1 at the beginning of each second and incremented for each file saved during the same second) in the same directory before the new file is written. File attributes are maintained in the renamed file.

--policy=fixed|high|fair|low
    Set the FASP transfer policy.
    - fixed  Attempts to transfer at the specified target rate, regardless of the actual network capacity. This policy transfers at a constant rate and finishes in a guaranteed time. This policy typically occupies most of the network's bandwidth, and is not recommended in most file transfer scenarios. In fixed mode, a maximum (target) rate value is required.
    - high  Monitors the network and adjusts the transfer rate to fully utilize the available bandwidth up to the maximum rate. When congestion occurs, it transfers at twice the rate of a session with the fair policy. In this mode, both the maximum (target) and the minimum transfer rates are required.
    - fair  Monitors the network and adjusts the transfer rate to fully utilize the available bandwidth up to the maximum rate. When other types of traffic build up and congestion occurs, it shares bandwidth fairly by transferring at an even rate. In this mode, both the maximum (target) and the minimum transfer rates are required.
    - low  Similar to fair mode, the low policy uses the available bandwidth up to the maximum rate, but is much less aggressive when sharing bandwidth with other network traffic. When congestion builds up, the transfer rate is reduced to the minimum rate until other traffic retreats.
    Important: If --policy is not set, ascp uses the server-side policy setting (fair by default).

--source-prefix=prefix
    Add prefix to the beginning of each source path. This can be either a conventional path or a URI; however, it can only be a URI if there is no root defined.

--src-base=prefix
    Specify the prefix to be stripped off from each source object. The remaining portion of the source path is kept intact at the destination. Special care must be taken when using this option with cloud storage.
    Example: The "clips" directory on the remote computer contains the following folders and files:

        /clips/outgoing/file1
        /clips/outgoing/foldera/file2
        /clips/outgoing/folderb/file3

    To transfer all folders and files within the "outgoing" folder but not the "outgoing" folder itself, run the following command:

        # ascp -d --src-base=/clips/outgoing/ root@ :/clips/outgoing/ /incoming

    Result: The following folders and files appear in the "incoming" directory at the destination. Files outside of the source base (for example, /temp/file4) are not transferred, and warnings are generated.

        (docroot)/incoming/file1
        (docroot)/incoming/foldera/file2
        (docroot)/incoming/folderb/file3

    If the same transfer is run without --src-base=/clips/outgoing/, then the following folders and files appear at the destination:

        (docroot)/incoming/outgoing/file1
        (docroot)/incoming/outgoing/foldera/file2
        (docroot)/incoming/outgoing/folderb/file3

    For further examples, with and without --src-base, see Ascp File Manipulation Examples.

    Use with URIs
    The --src-base option performs a character-to-character match with the source path specifying a file or directory. For cloud storage, --src-base must specify the URI in the same manner as the source parameters. For example, if the source includes an embedded passphrase, the source base must also include an embedded passphrase or it does not match the source files/directories.

--file-list=filename
    Extract a list of sources to transfer from filename. The file list supports UTF-8 files and input from standard input through "-". If the sources are URIs, the list file should not exceed 24kb. The sources can exist on either the local host or the remote host (for download), but not on both. Each source must be specified on a separate line, for example:

        src
        src2
        ...
        srcn

    Multiple --file-list options are not supported in one ascp command. If multiple file lists are specified, all but the last are ignored. In addition, you cannot include file names in a command with --file-list. Only files from the file list are transferred.
--file-pair-list=filename
    Extract a list of sources and corresponding destinations from filename. There is no command-line equivalent for specifying file pairs. If the sources or destination are URIs, the list file should not exceed 24kb. Each source and each destination must be specified on a separate line:

        src1
        dst1
        src2
        dst2
        ...
        srcn
        dstn

    Source content is specified using the full file or directory path. Destination directories are specified relative to the transfer user's docroot, which is specified as a "." at the end of the ascp command. For example:

        # ascp --file-pair-list=filepairlist.txt --mode=send --user=username --host=host_ip_address .

    Multiple --file-list options are not supported in one ascp command. If multiple file lists are specified, all but the last are ignored. In addition, you cannot include file names in a command with --file-list. Only files from the file list are transferred.

--dest64
    Indicate that the destination is base64 encoded.

--source-prefix64=prefix
    Indicate that the specified source prefix is base64 encoded. If a non-encoded source prefix is also specified on the command line, the later argument takes precedence.

--symbolic-links=method
    Specify the rule to handle symbolic links. This option takes the following values (Default: follow):
    - follow  Follow symbolic links and transfer the linked files.
    - copy  Copy only the alias file. If a file with the same name exists on the destination, the symbolic link is not copied.
    - copy+force  Copy only the alias file. If a file with the same name exists on the destination, the symbolic link replaces the file. If the file of the same name on the destination is a symbolic link to a directory, it is not replaced.
    - skip  Skip the symbolic links.
    Important: On Windows, the only option is skip.

--remove-after-transfer
    Remove all source files (excluding the source directory) after they are successfully transferred. Requires write permissions on the source.

--move-after-transfer=archivedir
    Move source files and copy source directories to archivedir after they are successfully transferred. Requires write permissions on the source and the archivedir. Because directories are copied, the original source tree remains in place. The archivedir is created if it does not already exist.
    If the archive directory cannot be created, the transfer proceeds and the source files remain in their original location.

    Example upload:

        # ascp --move-after-transfer=c:\users\pat\archive C:\Users\Pat\srcdir\file0012 Pat@ :/

    Results:
    - file0012 is uploaded to Pat's docroot on the server (destination).
    - On the current machine (source), file0012 is moved (not copied) to C:\Users\Pat\Archive.

    Example download:

        # ascp --move-after-transfer=archive Pat@ :/srcdir C:\Users\Pat

    Results:
    - srcdir is downloaded to C:\Users\Pat on the current machine (destination).
    - On the server (source), srcdir is moved (not copied) to the archive directory.

    When the file or directory is moved to the archive, no portion of the path above the transferred file or directory is included, unless the --src-base option is specified. The --src-base=prefix option preserves paths in the archive directory the same way it preserves them with transfers. That is, when --src-base=prefix is specified, files are moved to the archivedir and they include the portion of the path that remains when prefix is removed.

    Example:

        # ascp --src-base=c:\users\pat --move-after-transfer=c:\Users\Pat\Archive C:\Users\Pat\srcdir\file0012 Pat@ :/

    Results:
    - file0012 is uploaded to Pat's docroot on the server. The file includes the path minus the prefix C:\Users\Pat, that is, srcdir/file0012.
    - On the current machine (source), file0012 is moved to C:\Users\Pat\Archive. The file includes the path minus the prefix C:\Users\Pat, that is, C:\Users\Pat\Archive\srcdir\file0012.

    Once files have been moved to the archive, the original source directory tree remains intact. To remove empty source directories that remain after files have been moved, add the flag --remove-empty-directories to the ascp command. This removes empty source directories, except for those that are specified as the source to transfer.

    Restrictions:
    - archivedir must be on the same file system as the source. If the specified archive is on a separate file system, it is created (if it does not exist), but an error is generated and files are not moved to it.
    - For cloud storage, archivedir must be in the same cloud storage account.
    - archivedir is subject to the same docroot restrictions as the source.
    - --remove-after-transfer and --move-after-transfer are mutually exclusive. Including both in the same command generates an error.
    - Empty directories are not saved to archivedir.

--remove-empty-directories
    Remove empty source directories once the transfer has completed (not including a directory specified as the source to transfer). Do not use if multiple processes (ascp or other) might access the source directory at the same time.

--remove-empty-source-directory
    Remove the source directory argument itself (for use with --remove-empty-directories).

--skip-special-files
    Skip special files (for example, devices and pipes).

--file-manifest=output
    Generate a list of all transferred files, where output is none or text. (Default: none)

--file-manifest-path=directory
    Specify the path to the file manifest.

    Important: File manifests can only be stored locally. Thus, if you are using S3, or other non-local storage, you must specify a local manifest path.

--file-manifest-inprogress-suffix=suffix
    Specify the suffix of the file manifest's temporary file. (Default: .asperainprogress)

--precalculate-job-size
    Calculate total size before transfer. The server side aspera.conf setting overrides the ascp command-line option.

--overwrite=method
    Overwrite destination files with source files of the same name. This option takes the following values (Default: diff):
    - never  Never overwrite the file. However, if the parent folder is not empty, its access, modify, and change times may still be updated.
    - always  Always overwrite the file.
    - diff  Overwrite the file if it is different from the source. If a complete file at the destination is the same as the source then it is not overwritten. Partial files are overwritten or resumed depending on the resume policy.
    - diff+older  Overwrite the file if it is older and different than the source.
    - older  Overwrite the file if its timestamp is older than the source timestamp.
    Important: If the overwrite method is diff or diff+older, difference is determined by the resume policy (-k{0|1|2|3}). If -k 0 or no -k is specified, the source and destination files are always considered different and the destination file is always overwritten. If -k 1, the source and destination files are compared based on file attributes (currently file size). If -k 2, the source and destination files are compared based on sparse checksum. If -k 3, the source and destination files are compared based on full checksum.

--file-crypt=crypt
    Encrypt or decrypt files for client-side encryption-at-rest (EAR). Valid values are encrypt and decrypt. Set the passphrase (required) with the environment variable ASPERA_SCP_FILEPASS. Encrypted files have the file extension .aspera-env. If a client-side encrypted file is downloaded with an incorrect password, the download is successful but the file is still encrypted and still has the file extension .aspera-env.

--file-checksum=hash
    Report checksums for transferred files, where hash is sha1, md5, sha-512, sha-384, sha-256 or none. (Default: none)

--retry-timeout=secs
    Specify the timeout duration in seconds for a retry attempt.

--partial-file-suffix=suffix
    Filename extension on the destination computer while the file is being transferred. Once the file has been completely transferred, this filename extension is removed. (Default: blank)
    Note: This option only takes effect when it is set on the receiver side.

--proxy=proxy_url
    Specify the address of the Aspera proxy server. proxy_url takes the form of:

        dnat[s]://[username]@server:port

    The default ports for DNAT and DNATS protocols are 9091 and

--preserve-file-owner-uid
    (OS X and Linux/UNIX systems only.) Preserve transferred files' owner information (uid).

    Note: This option requires the transfer user be authenticated as a superuser.

--preserve-file-owner-gid
    (OS X and Linux/UNIX systems only.) Preserve transferred files' group information (gid).
    Note: This option requires the transfer user be authenticated as a superuser.

--preserve-creation-time
    Preserve creation time [Windows only]: Set the file/directory creation time at the destination to that of the source. If the destination is a non-Windows host, this option is ignored. (Note: Do not confuse this with UNIX ctime, which represents "change time", indicating the time when metadata was last updated.)

--preserve-modification-time
    Preserve modification time: Set the file/directory modification time at the destination to that of the source.

--preserve-access-time
    Preserve access time: Set the file/directory access time (the last time the file was read or written) at the destination to that of the source. This results in the destination file having the access time that the source file had prior to the copy operation. The act of copying the source file to the destination results in an update to the source file's access time.

--preserve-source-access-time
    Preserve source access time: Restore the access time of the file at the source once the copy operation is complete (because the file system at the source regards the transfer operation as an access).

-p
    -p is equivalent to setting --preserve-modification-time and --preserve-access-time (and --preserve-creation-time, on Windows).

    On Windows, modification time may be affected when the system automatically adjusts for Daylight Savings Time (DST). For details, see the Microsoft KB article.

    Cloud storage support for timestamp settings depends on the cloud storage implementation. See the documentation for your cloud storage option to determine which of these settings are supported. For Limelight, only the preservation of modification time (mtime) is supported.
--ignore-host-key
If you are prompted to accept a host key when connecting to a remote host, ascp ignores the request.

--check-sshfp=fingerprint
Check whether fingerprint matches the server SSH host key fingerprint specified in the server's aspera.conf. Aspera fingerprint convention is to use a hex string without the colons; for example, f74e5de9ed0d62feaf0616ed1e851133c42a0082.
Note: When the HTTP fallback feature is enabled and the client "falls back" to HTTP, this option enforces server SSL certificate validation (HTTPS). Validation fails if the server has a self-signed certificate; a properly signed certificate is required.

--apply-local-docroot
Apply the local docroot. This option is equivalent to setting the environment variable ASPERA_SCP_DOCROOT.

--multi-session-threshold=threshold
This option augments the -C option, which enables multi-session transfers (also known as parallel transfers). With the threshold option, if the size of the files to be transferred is greater than or equal to threshold, files are split across multiple sessions. If the total file size is less than the threshold or no threshold is set (default), files are not split.
The client node API can specify the multi-session-threshold, and this is passed to the ascp command line. If the client doesn't specify a value, then the multi_session_threshold_default is taken from the server. A default value for the threshold can be specified in aspera.conf by setting multi_session_threshold_default. Setting it to 0 (zero) means "do not split". The command-line setting overrides the aspera.conf setting.
Note: For cloud transfers, file-splitting is currently (3.6.0) supported for S3 only.
Multi-session uploads to cloud storage: currently only supported for S3. Unlike non-cloud file splitting, files for transfer to cloud storage are sent in chunks, with the chunk size specified by <chunk_size> in aspera.conf:

<central_server>...
  <transfer>
    <protocol_options>
      <transfer>
        <chunk_size>0</chunk_size>
      </transfer>
    </protocol_options>
  </transfer>
</central_server>

File-splitting needs to respect a minimum split size, which for cloud storage is a part, such that each ascp call must deliver full parts. Thus, the chunk size must be equal to the cloud-storage part size. If the file size is greater than the multi-session threshold but smaller than the chunk size, then the file is not split. Set chunk size and part size as follows:

1. In aspera.conf set the chunk size to some value greater than 5 MB (the minimum part size), for example:

<chunk_size> </chunk_size> <!-- 64 MB -->

2. In /opt/aspera/etc/trapd/s3.properties set the upload part size (default 64 MB) to the same value as the chunk size and set a ONE_TO_ONE gathering policy:

aspera.transfer.upload.part-size=64mb
aspera.transfer.gathering-policy=one_to_one

--delete-before-transfer
Delete files that exist at the destination but not at the source, before any files are transferred. Requires write permissions on the destination. Do not use with multiple sources, keepalive, URI storage, or HTTP fallback. The utility asdelete provides the same capability.

--preserve-xattrs=mode
--remote-preserve-xattrs=mode
--preserve-acls=mode
--remote-preserve-acls=mode
Preserve extended attributes (xattrs) and/or access control lists (ACLs) when transferring files between different types of file systems. mode can be native, metafile, or none (default):

native: xattrs and ACLs are preserved using native capabilities of the file system. However, this storage mode is not supported on all file systems.
metafile: xattrs and ACLs for a file (say, readme.txt) are preserved in a second file, whose name is composed of the name of the primary file with .aspera-meta appended to it; for example, readme.txt.aspera-meta. The Aspera metafiles are platform independent and can be copied between hosts without loss of information. This storage mode is supported on all file systems.
none: xattrs and ACLs are not preserved. This storage mode is supported on all file systems.

The modes of preserving xattrs and ACLs on each side of the transfer are the same, even if specified differently. The metafile mode silently takes precedence.
The options with the remote- prefix specify the storage mode used on the remote file system. If not specified, the default behavior is to use the same storage mode specified for the local file system. A remote option with mode set to native may be overridden by the remote ascp if that mode is not supported there.
Older versions of ascp do not support this feature. Thus, these options may be overridden by the peer, to none, and ascp stops and reports the problem as incompatible FASP protocol versions.
The amount of xattr/acl data per file that can be transferred successfully is subject to ascp's internal PDPU size limitation.

Ascp Options for HTTP Fallback

-y {0|1}         Enable HTTP Fallback transfer server when UDP connection fails. Set to 1 to enable (default: 0).
-j {0|1}         Encode all HTTP transfers as JPEG files. Set to 1 to enable (default: 0).
-Y key_file      The HTTPS transfer's key file name.
-I cert_file     The HTTPS certificate's file name.
-t port          Specify the port for HTTP Fallback Server.
-x proxy_server  Specify the proxy server address used by HTTP Fallback.
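The --check-sshfp and --ignore-host-key options above, as an added example that is not part of the original guide: a Python helper that converts a fingerprint to the colon-free hex convention, derives a fingerprint from a host public key line, and classifies how an ascp argument list treats the server host key. It assumes the fingerprint is the SHA-1 digest of the decoded public key blob (consistent with the 40-digit example above, but not stated on this page); the function names and the sample key line are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample in OpenSSH public-key format: "<type> <base64 blob> <comment>".
# The blob is NOT a real key; it is base64 of b"abc", so its SHA-1 is the
# well-known test vector a9993e36...d89d.
SAMPLE_PUBKEY_LINE = "ssh-rsa YWJj constructed-host-key@example"

_HEX40 = re.compile(r"[0-9a-f]{40}")


def normalize_fingerprint(text):
    """Return the colon-free, lowercase hex form used with --check-sshfp."""
    fp = text.strip().lower().replace(":", "")
    if not _HEX40.fullmatch(fp):
        raise ValueError("not a 40-hex-digit fingerprint: %r" % text)
    return fp


def fingerprint_from_pubkey_line(line):
    """Hash the decoded key blob with SHA-1 (assumption, see lead-in)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    return hashlib.sha1(blob).hexdigest()


def check_sshfp_argument(pinned, pubkey_line):
    """Build the --check-sshfp argument only if the key matches the pin."""
    pinned_fp = normalize_fingerprint(pinned)
    actual_fp = fingerprint_from_pubkey_line(pubkey_line)
    if not hmac.compare_digest(pinned_fp, actual_fp):
        raise ValueError("host key does not match the pinned fingerprint")
    return "--check-sshfp=" + pinned_fp


def audit_host_key_options(argv):
    """Classify an ascp argument list by how the host key is handled.

    pinned      : --check-sshfp=<fp> is present
    unverified  : --ignore-host-key is present and no fingerprint is pinned
    interactive : neither option; the user may be prompted for the host key
    """
    if any(arg.startswith("--check-sshfp=") for arg in argv):
        return "pinned"
    if "--ignore-host-key" in argv:
        return "unverified"
    return "interactive"


if __name__ == "__main__":
    pin = "A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D"
    print(check_sshfp_argument(pin, SAMPLE_PUBKEY_LINE))
    print(audit_host_key_options(["ascp", "--ignore-host-key", "f", "u@h:/d"]))
```

Wrapper scripts that pass --ignore-host-key to avoid the interactive prompt are the ones worth reviewing with audit_host_key_options, since they are the case in which nothing checks the server's key.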
Ascp General Examples

The following are examples of initiating FASP file transfers using the ascp command:

Fair-policy transfer
Fair-policy transfer with maximum rate 100 Mbps and minimum at 1 Mbps, without encryption, transfer all files in \local-dir\files to :

# ascp -T --policy=fair -l 100m -m 1m /local-dir/files root@ :/remote-dir

Fixed-policy transfer
Fixed-policy transfer with target rate 100 Mbps, without encryption, transfer all files in \local-dir\files to :

# ascp -T -l 100m /local-dir/files root@ :/remote-dir

Specify UDP port for transfer
Perform a transfer with UDP port 42000:

# ascp -l 100m -O 42000 /local-dir/files user@ :/remote-dir

Public key authentication
Transfer local-dir/files with public key authentication using key file <home dir>/.ssh/aspera_user_1-key:

$ ascp -T -l 10m -i ~/.ssh/aspera_user_1-key local-dir/files root@ :/remote-dir

Username or filepath contains a space
Enclose the target in double-quotes when spaces are present in the username and remote path:

# ascp -l 100m local-dir/files "User Name@ :/remote directory"

Content is specified in a file pair list
Specify source content to transfer to various destinations in a file pair list. Source content is specified using the full file or directory path. Destination directories are specified relative to the transfer user's docroot, which is specified as a "." at the end of the ascp command. For example, the following is a simple file pair list, filepairlist.txt, that lists two source folders, folder1 and folder2, with two destinations, tmp1 and tmp2:

/tmp/folder1
tmp1
/tmp/folder2
tmp2

# ascp --user=user_1 --host= --mode=send --file-pair-list=/tmp/filepairlist.txt .
This command and file pair list create the following directories within the transfer user's docroot on the destination:

/tmp1/folder1
/tmp2/folder2

Network shared location transfer
Send files to a network share location \\ \nw-share-dir, through the computer :

# ascp local-dir/files root@ :"// /nw-share-dir/"

Parallel transfer on a multicore system
Use parallel transfer on a dual-core system, together transferring at the rate 200Mbps, using UDP ports and Two commands are executed in different Terminal windows:

# ascp -C 1:2 -O l 100m /file root@ :/remote-dir &
# ascp -C 2:2 -O l 100m /file root@ :/remote-dir

Upload with content protection
Upload the file space\file to the server with password protection (password: secret):

$ export ASPERA_SCP_FILEPASS=secRet; ascp -l 10m --file-crypt=encrypt local-dir/file root@ :/remote-dir/

Download with content protection and decryption
Download from the server and decrypt while transferring:

$ export ASPERA_SCP_FILEPASS=secRet; ascp -l 10m --file-crypt=decrypt root@ :/remote-dir /local-dir

Decrypt a downloaded, encrypted file

If the password-protected file file1 is downloaded on the local computer without decrypting, decrypt file1.aspera-env (the name of the downloaded/encrypted version of file1) to file1:

$ export ASPERA_SCP_FILEPASS=secRet; /opt/aspera/bin/asunprotect -o file1 file1.aspera-env

Download through Aspera forward proxy with proxy authentication
User Pat transfers the file /data/file1 to /Pat_data/ on , through the proxy server at with the transfer user aspera_proxy and transfer user password pa33w0rd. After running the command, Pat is prompted for the ascp password.

# ascp --proxy dnat://aspera_proxy:pa33w0rd@ /data/file1 Pat@ :/Pat_data/

Test transfers using faux://
For information on the syntax, see.

Transfer random data (no source storage required)
Transfer 20 GB of random data as user root to file newfile in the directory /remote-dir on :

# ascp --mode=send --user=root --host= faux:///newfile?20g /remote-dir

Transfer a file but do not save results to disk (no destination storage required)
Transfer the file /tmp/sample as user root to , but do not save results to disk:

# ascp --mode=send --user=root --host= /tmp/sample faux://

Transfer random data and do not save result to disk (no source or destination storage required)
Transfer 10 MB of random data from as user root and do not save result to disk:

# ascp --mode=send --user=root --host= faux:///dummy?10m faux://

Ascp File Manipulation Examples

Below are examples of using the ascp command to manipulate files.

Upload a directory
Upload a directory, /content/, to the remote server. The following produces /storage/content/* on the remote server:

# ascp /data/content/ root@ :/storage/

Upload only the contents of a directory
Upload only the contents of /content/ to the remote server, stripping the srcbase path and preserving the rest of the file structure.
The following produces /storage/* on the remote server:

# ascp --src-base=/data/content /data/content/ root@ :/storage

Upload a directory to a new directory
Upload /content/ to the remote server and create a new folder, /storage2, to contain it. The following produces /storage2/content/* on the remote server:

# ascp -d /data/content/ root@ :/storage2/

Download only the contents of a directory

Download the contents of /storage/content/ from the remote server, while stripping the srcbase path and preserving the rest of the file structure. The following produces /data/* on the local machine:

# ascp --src-base=/storage/content root@ :/storage/content/ /data

Upload only the contents of a file and a directory to a new directory
Upload a file, /monday/file1, and a directory, /tuesday/*, to the /storage directory on the remote server, while stripping the srcbase path and preserving the rest of the file structure. The following produces /storage/monday/file1 and /storage/tuesday/* on the remote server:

# ascp --src-base=/data/content /data/content/monday/file1 /data/content/tuesday/ root@ :/storage

Download only the contents of a file and a directory to a new directory
Download a file, /monday/file1, and a directory, /tuesday/*, from the remote server, while stripping the srcbase path and preserving the rest of the file structure. The following produces /data/monday/file1 and /data/tuesday/* on the local machine:

# ascp --src-base=/storage/content root@ :/storage/content/monday/file1 root@ :/storage/content/tuesday/ /data

Delete a local directory once it has been transferred to the remote server
Remove /content/ from the local machine after its contents (excluding partial files) have been transferred to the remote server. The following produces /storage/content/* on the remote server:

# ascp -k2 -E "*.partial" --remove-after-transfer --remove-empty-directories /data/content root@ :/storage

Delete a local directory once its contents have been transferred to the remote server
Remove /content/ from the local machine after the contents (excluding partial files) have been transferred to the remote server, while stripping the srcbase path and preserving the rest of the file structure.
The following produces /storage/* on the remote server:

# ascp -k2 -E "*.partial" --src-base=/data/content --remove-after-transfer --remove-empty-directories /data/content root@ :/storage

Important: For version 2.7.1, the "-d" option is required when specifying the "--src-base" option if the target directory does not exist. As of version , this constraint has been removed.

Ascp Transfers with Object Storage and HDFS

With an Aspera On Demand-entitled Aspera server installed in your cloud or on-premises object storage, you can use ascp to transfer to and from it. The syntax of an ascp command transferring to cloud or on-premises object storage depends on how you authenticate the transfer. The following options for authenticating to the object storage are described below:

- Specify the storage password or secret key in the transfer user's docroot. (Preferred method)
- Set the storage password or secret key as an environment variable.
- Specify the storage password or secret key in the command line.

Authenticating the Aspera Transfer User

You must enter the transfer user's password each time you run an ascp transfer, unless you either set the transfer user's password as an environment variable or set up an SSH key (token) and specify it in the command.

Environment Variable: To set the transfer user's password as the value of the ASPERA_SCP_PASS environment variable, run the following command:

# export ASPERA_SCP_PASS=password

SSH Key: To authenticate with an SSH key, configure token authorization as described in Aspera Enterprise Server Admin Guide: Setting Up Token Authorization. When you run the ascp transfer, specify the SSH key as an option:

# ascp -i path_to_private_key...

With Docroot Configured: Authenticate in the Docroot

If your transfer user account has a docroot set, ascp transfers to and from AWS S3, IBM COS - S3, Google Cloud Storage, Akamai, Softlayer, and Azure are the same as regular ascp transfers. For command syntax examples, see Ascp General Examples. For instructions on configuring a docroot for these types of storage, see Aspera Enterprise Server Admin Guide (Linux): Docroot Path Formatting for Cloud, Object, and HDFS Storage.
You are prompted for the transfer user's password upon running these commands unless you have set the ASPERA_SCP_PASS environment variable or are using an SSH key, as described previously.

With No Docroot Configured: Authenticate with Environment Variables

You can set an environment variable (ASPERA_DEST_PASS) with the storage password or access key using the command below:

# export ASPERA_DEST_PASS=secret_key

With this and ASPERA_SCP_PASS set, run ascp with the syntax listed in the table above, but you do not need to include the storage password or access key, and are not prompted for the Aspera password upon running the command.
Note: The ASPERA_DEST_PASS variable is not applicable to Google Cloud Storage or AWS S3 using IAM roles.

With No Docroot Configured: Authenticate in the Command Line

If you do not have a docroot configured and do not set an environment variable (described previously), you must authenticate in the command line.
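Because the command-line and environment-variable methods put the storage secret or password into text that ends up in shell history, job definitions and logs, the following added example (not part of the original guide) scans command lines for the scheme://id:secret@host form and for ASPERA_* password assignments, and returns a redacted copy for logging. The sample lines, host names and credentials are constructed; the list of schemes and variable names is taken from this page.

```python
import re

MASK = "****"

# URI schemes this page shows with credentials before the "@".
_URI = re.compile(r"\b(s3|azu|swift|dnat)://([^\s@]+)@")
# Environment variables this page uses to carry passwords or keys.
_ENV = re.compile(
    r"\b(ASPERA_SCP_PASS|ASPERA_DEST_PASS|ASPERA_SCP_FILEPASS)\s*=\s*([^\s;]+)"
)

# Constructed sample input: shell history lines modeled on the page's syntax.
SAMPLE_HISTORY = [
    "ascp --mode=send --user=xfer --host=transfer.example.com big.bin "
    "s3://EXAMPLEID:ExampleSecret123@s3.amazonaws.com/bucket",
    "ascp --mode=recv --user=xfer --host=transfer.example.com "
    "azu://acct:abc/def+ghi==@blob.core.windows.net/c /tmp/",
    "ascp --mode=send --user=xfer --host=transfer.example.com f "
    "swift://ACCT:bob:0123abcd@auth.example.com/v1 test",
    "export ASPERA_SCP_FILEPASS=ExamplePass; ascp -l 10m --file-crypt=encrypt "
    "f xfer@transfer.example.com:/d/",
    "ascp --proxy dnat://proxyuser:ProxyPass1@proxy.example.com /data/f "
    "xfer@transfer.example.com:/d/",
    "ascp --mode=send --user=xfer --host=transfer.example.com f gs:///bucket/path",
    "ascp -i ~/.ssh/id_rsa f xfer@transfer.example.com:/d/",
]


def redact(line):
    """Return (redacted_line, findings) for one command line.

    findings is a list of (kind, name, identity) tuples: kind is "uri" or
    "env"; name is the URI scheme or variable name; identity is the
    non-secret part of the URI userinfo (empty for "env").
    """
    findings = []

    def _mask_uri(match):
        scheme, userinfo = match.group(1), match.group(2)
        # The secret is the last colon-separated field, so a Swift
        # "account:user:key" keeps "account:user" as the identity.
        identity, sep, secret = userinfo.rpartition(":")
        if not sep or not secret:
            return match.group(0)  # no inline secret present
        findings.append(("uri", scheme, identity))
        return "%s://%s:%s@" % (scheme, identity, MASK)

    def _mask_env(match):
        findings.append(("env", match.group(1), ""))
        return "%s=%s" % (match.group(1), MASK)

    redacted = _URI.sub(_mask_uri, line)
    redacted = _ENV.sub(_mask_env, redacted)
    return redacted, findings


def scan(lines):
    """Return [(line_number, redacted_line, findings)] for lines that leak."""
    hits = []
    for number, line in enumerate(lines, start=1):
        redacted, findings = redact(line)
        if findings:
            hits.append((number, redacted, findings))
    return hits


if __name__ == "__main__":
    for number, redacted, findings in scan(SAMPLE_HISTORY):
        print(number, [f[:2] for f in findings], redacted)
```

The last two sample lines produce no findings: the Google Cloud Storage form carries no credential in the path, and an SSH key given with -i keeps the password out of the command entirely.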
In the examples below, you include the storage password or secret key as part of the destination path. You are prompted for the transfer user's password upon running these commands unless you have set the ASPERA_SCP_PASS environment variable or are using an SSH key, as described above.

Storage Platform: ascp Syntax and Examples

AWS S3
If you are using IAM roles, you do not need to specify the access ID or secret key for your S3 storage.

Upload syntax:
# ascp options --mode=send --user=username --host=s3_server_addr source_files s3://access_id:secret_key@s3.amazonaws.

Upload example:
# ascp --mode=send --user=bear --host=s3.asperasoft.com bigfile.txt s3://1k3c18fbwf9902:geyu...aqxuxttvhwtc@s3.amazonaws.com/demos2014

Download syntax:
# ascp options --mode=recv --user=username --host=s3_server_addr s3://access_id:secret_key@s3.amazonaws.com/my_bucket my_source_path destination_path

Download example:
# ascp --mode=recv --user=bear --host=s3.asperasoft.com s3://1k3c18fbwf9902:geyu...aqxuxttvhwtc@s3.amazonaws.com/demos2014/bigfile.txt /tmp/

Azure

Upload syntax:
# ascp options --mode=send --user=username --host=server_address source_files azu://storage_account:storage_access_ke

Upload example:
# ascp --mode=send --user=as037d8eda429737d6 --host=dev d2.azure.asperaondemand.com bigfile.txt azu://astransfer:znfmtu...nbtkhb@blob.core.windows.net/abc

Download syntax:
# ascp options --mode=recv --user=username --host=server azu://storage_account:storage_access_key@blob.core.windows.n

Download example:
# ascp --mode=recv --user=as037d8eda429737d6 --host=dev d2.azure.asperaondemand.com azu://astransfer:znfmtu...nbtkhb@blob.core.windows.net/abc /downloads

Google Cloud Storage
Note: The examples below require that the VMI running the Aspera server is a Google Compute instance.

Upload syntax:
# ascp options --mode=send --user=username --host=server_address source_files gs:///my_bucket/my_path

Upload example:
# ascp --mode=send --user=bear --host= bigfile.txt gs:///2017_transfers/data

Download syntax:
# ascp options --mode=recv --user=username --host=server gs:///my_bucket/my_path/source_file destination_path

Download example:
# ascp --mode=recv --user=bear --host= gs:///2017_transfers/data/bigfile.txt /data

HDFS
Aspera recommends running ascp transfers with HDFS with a docroot configured.

IBM COS - S3

Upload syntax:
# ascp options --mode=send --user=username --host=server_address source_files s3://access_id:secret_key@accessor_endp

Upload example:
# ascp --mode=send --user=bear --host=s3.asperasoft.com bigfile.txt s3://3iti3oiufeh233:krcew...aiuwq@ /demo2017

Download syntax:
# ascp options --mode=recv --user=username --host=server_address s3://access_id:secret_key@accessor_endpoint/vault_na source_files destination_path

Download example:
# ascp --mode=recv --user=bear --host=s3.asperasoft.com s3://3iti3oiufeh233:krcew...aiuwq@ /demo2017 /tmp/

IBM Cloud Object Storage (COS) Swift and IBM Bluemix
Aspera recommends running ascp transfers with IBM Cloud Object Storage (COS) - Swift and IBM Bluemix with a docroot configured.

OpenStack Swift

Upload syntax:
# ascp options --mode=send --user=username --host=ip_addr source_files swift://account_id:api_key@auth_url/my_bucket

Upload example:
# ascp --mode=send --user=bear --host= bigfile.txt swift:// XYZO :bob:437e...bc16@sjc01.objectstorage.service.networklayer.com test

Download syntax:
# ascp options --mode=recv --user=username --host=ip_addr swift://account_id:api_key@auth_url/my_bucket/my_source_path destination_path

Download example:
# ascp --mode=recv --user=bear --host= swift:// XYZO :bob:437e29...f616@sjc01.objectstorage.service.networklayer.c test/bigfile.txt /tmp/

Note: Swift requires additional Trapd configuration settings that can be included as queries attached to the docroot, with the format docroot?setting.

For example, for an upload to IBM COS - Swift, the path is written as follows:

swift:// XYZO :bob:437e...bc16@sjc01.objectstorage.service.networklayer test?aspera.swift.endpoint.auth-path=/auth/v1.0

Applying Filters to Include and Exclude Files

Filters allow you to refine the list of files (or directories) designated for transfer. With filters, you indicate which files in the transfer list to skip or include. At runtime, ascp looks for filters in two locations: on the ascp command line, and in aspera.conf. Filters can be set in the aspera.conf file either from the GUI, or by modifying it directly with an editor or asconfigurator. When filtering rules are found in aspera.conf, they are applied before rules on the command line. If no filtering rules are specified, ascp transfers all source files in the transfer list.

This topic describes filtering using option flags on the ascp command line.

Note: Filter settings apply only when the server is acting as a client. Servers cannot exclude files or directories uploaded or downloaded by remote clients.

Specifying Rules on the Command Line

To specify filtering rules on the ascp command line, use the -E and -N options:

-E pattern    Exclude files or directories matching pattern.
-N pattern    Include files or directories matching pattern.

Each rule consists of a -E or -N option and its pattern. A pattern can be a file or directory name, or a set of names expressed with UNIX glob patterns.

To determine which files to transfer, each file in the set of source files to transfer (the transfer list) is evaluated by the filters as follows:

1. ascp compares the next file (or directory) in the transfer list to the first rule.
2. If the file matches the pattern, ascp includes it (-N) or excludes it (-E) and for this file, filtering stops.
3. If the file does not match, ascp compares it with the next rule and repeats the process for each rule until a match is found or until all rules have been tried.
4. If the file never matches any rules, it is included in the transfer.

Filtering operates only on the set of files and directories in the transfer list. That is, an include option (-N) cannot add files or directories that are not already part of the transfer list. Filtering is a process of exclusion, and -N rules act as overrides to any -E rules that follow them. For example, consider the following example command:

$ ascp -N 'file2' -E 'file[0-9]' /tmp/l/file* user1@examplehost:/tmp

The transfer set is file* (all files that start with file). If file1, file2, and filea are in /tmp/l, they are filtered as follows:

1. When file1 is compared with the first rule (-N), no match is found, and filtering continues. When file1 is compared with the second rule (-E), there is a match; file1 is therefore excluded from transfer, and filtering stops for file1.
2. When file2 is compared with the first rule, there is a match; file2 is therefore included in the transfer, and filtering stops for file2.
3. When filea is compared with the first rule, no match is found. When it is compared with the second rule, again no match is found. Because no further rules exclude it, filea is therefore included in the transfer.

If directories or files reside in directories that have already been excluded, they will also be excluded and therefore not checked against any further rules. Thus, with the command-line options -E '/above/' -N '/above/below', the file /above/below is never considered because its parent directory /above/ has already been excluded.

Creating Rule Patterns

In order to filter directories and files to be transferred, their names are matched against patterns (globs) that include wildcards and special characters. The patterns use the standard globbing syntax found in UNIX systems as well as several Aspera extensions to the standard.

Character case: Case always matters, even if the scanned file system does not enforce such a distinction. For example, "debug" does not match "Debug". To match both, the pattern should be "[Dd]ebug".

Single quotes: Patterns must be interpreted only by ascp, not by the command shell. For this reason, patterns that contain wildcards should be surrounded by single quotes to protect them from expansion by the shell. (Even if patterns contain no wildcards, they can still be surrounded by single quotes.)

Partial matches: With globs, unlike standard regular expressions, the entire filename or directory name must match the pattern. That is, abcdef matches the pattern abc*f but abcdefg does not.

Pattern position: A pattern given with -N will match a path only if it falls directly under the transfer directory. However, a pattern given with -E will match a path regardless of where (which level) the path falls under the transfer directory. For example, given the pattern 'zzz*' and a transfer directory AAA:

- The -N option matches only if the path to file (or directory) zzz falls directly under AAA. That is, AAA/zzz.
- The -E option matches regardless of where the path to file (or directory) zzz falls under AAA. For example, AAA/abc/def/zzz.

Standard Globbing: Wildcards and Special Characters

/            The only recognized path separator.
\            Quotes any character literally, including itself. The \ character is exclusively a quoting operator, not a path separator.
*            Matches zero or more characters, except a /, or the . when preceded immediately by a / character.
?            Matches any single character, except a /, or a . when preceded immediately by a / character.
[ ]          Matches exactly one of a set of characters, except a / or a . preceded immediately by a / character.
[^ ]         When ^ is the first character, matches exactly one character not in the set.
[! ]         When ! is the first character, matches exactly one character not in the set.
[x-x]        Matches exactly one of a range of characters.
[:xxxxx:]    For details about this type of wildcard, see any POSIX-standard guide to globbing.

Globbing Extensions: Wildcards and Special Characters

/**                         Like * but also matches the / character, or a . preceded immediately by a / (that is, the . in /. ).
* or /** at end of pattern  Matches both directories and files.
/ at end of pattern         Matches directories only. With -N, no files under matched directories or their subdirectories are included in the transfer. All subdirectories are still included, although their files will not be included. However, with -E, excluding a directory also excludes all files and subdirectories under it.

no / or * at end of pattern  Matches files only.
/ at start of pattern        Must match the entire string from the root of the transfer set. (Note: The leading / does not refer to the system root or the docroot.)

Standard Globbing Examples

Wildcard     Example          Matches             Does Not Match
/            abc/def/xyz      abc/def/xyz         abc/def
\            abc\?            abc?                abc\?, abc/d, abcd
*            abc*f            abcdef, abc.f       abc/f, abcefg
?            abc??            abcde, abc.z        abcdef, abc/d, abc/.
[ ]          [abc]def         adef, cdef          abcdef, ade
[^ ]         [^abc]def        zdef, .def, 2def    bdef, /def, /.def
[! ]         [!abc]def        zdef, .def, 2def    cdef, /def, /.def
[:xxxxx:]    [[:lower:]]def   cdef, ydef          Adef, 2def, .def

Globbing Extension Examples

Wildcard               Example     Matches                  Does Not Match
/**                    a/**/f      a/f, a/.z/f, a/d/e/f     a/d/f/, za/d/f
* at end of rule       abc*        abc/, abcfile
/** at end of rule     abc/**      abc/.file, abc/d/e/      abc/
/ at end of rule       abc/*/      abc/dir                  abc/file
no / at end of rule    abc         abc (file)               abc/
/ at start of rule     /abc/def    /abc/def                 xyz/abc/def

Rule Composition

Example: -N rule
Transfer Result: Includes all files and directories whose names match rule. Because there is no -E, all the originally specified files and directories are included anyway; in other words, by itself, a -N rule does nothing.

Example: -N rule1 -E rule2
Transfer Result: Includes all files and directories whose names match rule1. Excludes all that match rule2, except those that also matched rule1.

Example: -E rule
Transfer Result: Excludes all files and directories whose names match rule.

Example: -E rule1 -N rule2
Transfer Result: Excludes all files and directories whose names match rule1. Because there is no -E following the -N, all files and directories not already excluded by the preceding -E are included anyway; in other words, a trailing -N rule does nothing to change the result.

Testing Your Filter Rules

If you plan to use filtering rules, it's best to test them first. An easy way to test filtering rules, or to learn how they work, is to set up source and destination directories and use demo.asperasoft.com as the Aspera server:

1. On your computer, create a small set of directories and files that generally matches a file set you typically transfer. Since filenames are all that matter, the files can be small.
2. Place the file set in an accessible location, for example /tmp/src.
3. Upload the file set to the Aspera demo server as user "aspera". Specify the demo-server target directory Upload. You will be prompted for the password, which is "demoaspera":

$ ascp /tmp/src aspera@demo.asperasoft.com:upload/

4. Create a destination directory on your computer, for example /tmp/dest.
5. You can now download your files from the demo server to /tmp/dest, running the ascp commands with -N and -E to test your filtering rules. For example:

$ ascp -N 'wxy/**' -E 'def' aspera@demo.asperasoft.com:upload/src/abc/ /tmp/dest

6. Compare the destination directory with the source to determine whether files were filtered as expected.

$ diff -r dest/ src/

The diff output will show the missing (untransferred) files and directories.

Example Filter Rules

The example rules below are based on running a command such as the following to download a directory AAA from demo.asperasoft.com to /tmp/dest:

$ ascp rules aspera@demo.asperasoft.com:upload/aaa /tmp/dest

The examples below use the following file set:

AAA/abc/def
AAA/abc/.def
AAA/abc/.wxy/def
AAA/abc/wxy/def
AAA/abc/wxy/.def
AAA/abc/wxy/tuv/def
AAA/abc/xyz/def/wxy
AAA/wxyfile
AAA/wxy/xyx/
AAA/wxy/xyxfile

Key for interpreting example results below:

< xxx/yyy = Excluded
xxx/yyy = Included
zzz/ = directory name
zzz = filename

(1) Transfer everything except files and directories starting with ".":

-N '*' -E 'AAA/**'

Results:

AAA/abc/def
AAA/abc/wxy/def
AAA/abc/wxy/tuv/def
AAA/abc/xyz/def/wxy
AAA/wxyfile
AAA/wxy/xyx/

AAA/wxy/xyxfile
< AAA/abc/.def
< AAA/abc/.wxy/def
< AAA/abc/wxy/.def

(2) Exclude directories and files whose names start with wxy:

-E 'wxy*'

Results:

AAA/abc/def
AAA/abc/.def
AAA/abc/.wxy/def
AAA/abc/xyz/def/
< AAA/abc/wxy/def
< AAA/abc/wxy/.def
< AAA/abc/wxy/tuv/def
< AAA/abc/xyz/def/wxy
< AAA/wxyfile
< AAA/wxy/xyx/
< AAA/wxy/xyxfile

(3) Include directories and files that start with "wxy" if they fall directly under AAA:

-N 'wxy*' -E 'AAA/**'

Results:

AAA/wxy/
AAA/wxyfile
< AAA/abc/def
< AAA/abc/.def
< AAA/abc/.wxy/def
< AAA/abc/wxy/def
< AAA/abc/wxy/.def
< AAA/abc/wxy/tuv/def
< AAA/abc/xyz/def/wxy
< AAA/wxy/xyx/
< AAA/wxy/xyxfile

(4) Include directories and files at any level that start with wxy, but do not include dot-files, dot-directories, or any files under the wxy directories (unless they start with wxy). However, subdirectories under wxy will be included:

-N '*/wxy*' -E 'AAA/**'

Results:

AAA/abc/wxy/tuv/
AAA/abc/xyz/def/wxy
AAA/wxyfile
AAA/wxy/xyx/
< AAA/abc/def
< AAA/abc/.def
< AAA/abc/.wxy/def
< AAA/abc/wxy/def *
< AAA/abc/wxy/.def
< AAA/abc/wxy/tuv/def
< AAA/wxy/xyxfile

* Even though wxy is included, def is excluded because it's a file.

(5) Include wxy directories and files at any level, even those starting with ".":

-N '*/wxy*' -N '*/wxy/**' -E 'AAA/**'

Results:

AAA/abc/wxy/def
AAA/abc/wxy/.def
AAA/abc/wxy/tuv/def
AAA/abc/xyz/def/wxy
AAA/wxyfile
AAA/wxy/xyx/
AAA/wxy/xyxfile
< AAA/abc/def
< AAA/abc/.def
< AAA/abc/.wxy/def

(6) Exclude directories and files starting with wxy, but only those found at a specific location in the tree:

-E '/AAA/abc/wxy*'

Results:

AAA/abc/def
AAA/abc/.def
AAA/abc/.wxy/def
AAA/abc/xyz/def/wxy
AAA/wxyfile
AAA/wxy/xyx/
AAA/wxy/xyxfile
< AAA/abc/wxy/def
< AAA/abc/wxy/.def
< AAA/abc/wxy/tuv/def

(7) Include the wxy directory at a specific location, and include all its subdirectories and files, including those starting with ".":

-N 'AAA/abc/wxy/**' -E 'AAA/**'

Results:

AAA/abc/wxy/def
AAA/abc/wxy/.def
AAA/abc/wxy/tuv/def
< AAA/abc/def
< AAA/abc/.def
< AAA/abc/.wxy/def
< AAA/abc/xyz/def/wxy
< AAA/wxyfile
< AAA/wxy/xyx/
< AAA/wxy/xyxfile

Creating SSH Keys (Command Line)

Public key authentication (SSH Key) is a more secure alternative to password authentication that allows users to avoid entering or storing a password, or sending it over the network. Public key authentication uses the client computer to generate the key-pair (a public key and a private key). The public key is then provided to the remote computer's administrator to be installed on that machine.

1. Create a .ssh directory in your home directory if it does not already exist:

    $ mkdir /home/username/.ssh

   Go to the .ssh folder:

    $ cd /home/username/.ssh

2. Run ssh-keygen to generate an SSH key-pair.

   Run the following command in the .ssh folder to create a key pair. For key_type, specify either RSA (rsa) or ED25519 (ed25519). At the prompt for the key-pair's filename, press ENTER to use the default name id_rsa or id_ed25519, or enter a different name, such as your username. For a passphrase, you can either enter a password, or press return twice to leave it blank:

    # ssh-keygen -t key_type

   Note: When you run ascp in FIPS mode (<fips_enabled> is set to true in aspera.conf), and you use passphrase-protected SSH keys, you must either (1) use keys generated by running ssh-keygen in a FIPS-enabled system, or (2) convert existing keys to a FIPS-compatible format using a command such as the following:

    # openssl pkcs8 -topk8 -v2 aes128 -in id_rsa -out new-id_rsa

3. Retrieve the public key file.

   The key-pair is generated to your home directory's .ssh folder. For example, assuming you generated the key with the default name id_rsa:

    /home/username/.ssh/id_rsa.pub

   Provide the public key file (for example, id_rsa.pub) to your server administrator so that it can be set up for your server connection.

4. Start a transfer using public key authentication with the ascp command.

   To transfer files using public key authentication on the command line, use the option -i private_key_file. For example:

    $ ascp -T -l 10M -m 1M -i ~/.ssh/id_rsa myfile.txt jane@ :/space

   In this example, you are connecting to the server ( , directory /space) with the user account jane and the private key ~/.ssh/id_rsa.

Ascp FAQs

1. How do I control the transfer speed?

You can specify a transfer policy that determines how a FASP transfer utilizes the network resource, and you can specify target and minimum transfer rates where applicable. In an ascp command, use the following flags to specify transfer policies that are fixed, fair, high, or low:

    Policy   Command template
    Fixed    --policy=fixed -l target_rate
    Fair     --policy=fair -l target_rate -m min_rate
    High     --policy=high -l target_rate -m min_rate
    Low      --policy=low -l target_rate -m min_rate

The policies have the following characteristics:

fixed
    Attempts to transfer at the specified target rate, regardless of the actual network capacity. This policy transfers at a constant rate and finishes in a guaranteed time. This policy typically occupies most of the network's bandwidth, and is not recommended in most file transfer scenarios. In fixed mode, a maximum (target) rate value is required.
high
    Monitors the network and adjusts the transfer rate to fully utilize the available bandwidth up to the maximum rate. When congestion occurs, it transfers at twice the rate of a session with fair policy. In this mode, both the maximum (target) and the minimum transfer rates are required.
fair
    Monitors the network and adjusts the transfer rate to fully utilize the available bandwidth up to the maximum rate. When other types of traffic build up and congestion occurs, it shares bandwidth fairly by transferring at an even rate. In this mode, both the maximum (target) and the minimum transfer rates are required.
low
    Similar to fair mode, the low policy uses the available bandwidth up to the maximum rate, but is much less aggressive when sharing bandwidth with other network traffic. When congestion builds up, the transfer rate is reduced to the minimum rate until other traffic retreats.

2. What transfer speed should I expect? How do I know if something is "wrong" with the speed?

Aspera's FASP transport has no theoretical throughput limit. Other than the network capacity, the transfer speed may be limited by rate settings and resources of the computers. To verify that your system's FASP transfer can fulfill the maximum bandwidth capacity, prepare a client machine to connect to this computer, and test the maximum bandwidth.

Note: This test typically occupies most of a network's bandwidth. Aspera recommends this test be performed on a dedicated file transfer line or during a time of low network activity.

On the client machine, start a transfer with fixed bandwidth policy. Start with a lower transfer rate and gradually increase the transfer rate toward the network bandwidth (for example, 1 MB, 5 MB, 10 MB, and so on). Monitor the transfer rate; at its maximum, it should be slightly below your available bandwidth:

    $ ascp -l 1m source-file destination

To improve the transfer speed, also consider upgrading the following hardware components:

    Hard disk: The I/O throughput, the disk bus architecture (such as RAID, IDE, SCSI, ATA, and Fiber Channel).
    Network I/O: The interface card, the internal bus of the computer.

    CPU: Overall CPU performance affects the transfer, especially when encryption is enabled.

3. How do I ensure that if the transfer is interrupted or fails to finish, it will resume without retransferring the files?

Use the -k flag to enable resume, and specify a resume rule:

    -k 0  Always retransfer the entire file.
    -k 1  Check file attributes and resume if the current and original attributes match.
    -k 2  Check file attributes and do a sparse file checksum; resume if the current and original attributes/checksums match.
    -k 3  Check file attributes and do a full file checksum; resume if the current and original attributes/checksums match.

Corruption or deletion of the .asp-meta file associated with an incomplete transfer will often result in a permanently unusable destination file even if the file transfer resumed and successfully transferred.

4. How does Aspera handle symbolic links?

The ascp command follows symbolic links by default. This can be changed using --symbolic-links=method with the following options:

    follow      Follow symbolic links and transfer the linked files.
    copy        Copy only the alias file. If a file with the same name exists on the destination, the symbolic link is not copied.
    copy+force  Copy only the alias file. If a file with the same name exists on the destination, the symbolic link replaces the file. If the file of the same name on the destination is a symbolic link to a directory, it is not replaced.
    skip        Skip the symbolic links.

Important: On Windows, the only option is skip.

5. What are my choices for overwriting files on the destination computer?

In ascp, you can specify the --overwrite=method rule with the following method options:

    never       Never overwrite the file. However, if the parent folder is not empty, its access, modify, and change times may still be updated.
    always      Always overwrite the file.
    diff        Overwrite the file if it is different from the source. If a complete file at the destination is the same as the source then it is not overwritten. Partial files are overwritten or resumed depending on the resume policy.
    diff+older  Overwrite the file if it is older and different than the source.
    older       Overwrite the file if its timestamp is older than the source timestamp.

Important: If the overwrite method is diff or diff+older, difference is determined by the resume policy (-k). If -k 0 or no -k is specified, the source and destination files are always considered different and the destination file is always overwritten. If -k 1, the source and destination files are compared based on file attributes (currently file size). If -k 2, the source and destination files are compared based on sparse checksum. If -k 3, the source and destination files are compared based on full checksum.

ascp4: Transferring from the Command Line with A4

Introduction to A4

Aspera A4 is an optimized transfer engine based on FASP technology. A4 is designed for sending extremely large sets of individual files efficiently, and it supports UDP multicast. The executable, ascp4, is similar to ascp and shares many of the same options and capabilities. For more information on using ascp4 for UDP multicast, see the IBM Aspera Faspstream User Guide.

As installed, ascp is used for transfers initiated from the GUI, and ascp4 transfers can only be initiated from the command line. For information on how to make GUI-initiated transfers use ascp4, see Using A4 from the GUI.

A4 Command Reference

Supported environment variables, the general syntax, and command options for A4 are described in the following section. ascp4 exits with a 0 on success or a 1 on error. The error code is logged in the ascp4 log file.

Important: Not all standard ascp options are available with ascp4. To use ascp4 to transfer with object storage, you must set the chunk size on the server to 64 kb for transfers that include primarily small files, and set it to 1 Mb for transfers that include primarily large files. If the chunk size is not set on the server, then the transfer fails.

Environment Variables

If needed, you can set the following environment variables for use with the ascp4 command.

    Item      Setting
    Password  ASPERA_SCP_PASS=password
    Token     ASPERA_SCP_TOKEN=token
    Cookie    ASPERA_SCP_COOKIE=cookie

ascp4 Syntax

    ascp4 options [[user@]srchost:]source_file1[,source_file2,...] [[user@]desthost:]target_path

User

If you do not specify a username for the transfer, the local username is authenticated by default.

Note: If you are authenticating on a Windows machine as a domain user, the transfer server strips the domain from the username. For example, Administrator is authenticated rather than DOMAIN\Administrator. Thus, you must specify the domain explicitly.

Target path

If there are multiple source arguments, then the target path must be a directory. To describe filepaths, use single-quote (' ') and forward-slashes (/) on all platforms. Avoid the following characters in filenames: / \ " : ' ? > < & *

URIs are supported in paths, but only under the following restrictions:

    URI target paths can be specified only on the command line.
    If the source paths are URIs, they must all be in the same cloud storage account. No docroot (download), local docroot (upload), or source prefix can be specified.
    If a destination path is a URI, no docroot (upload) or local docroot (download) can be specified.
    The special schemes stdio:// and stdio-tar:// are supported only on the client. They cannot be used as an upload destination or download source.
    If required, specify the URI passphrase as part of the URI or set it as an environment variable (ASPERA_SRC_PASS or ASPERA_DST_PASS, depending on the direction of transfer).

Ascp4 Options

-h, --help
    Display usage reference, then exit.
-A, --version
    Display version and license information, then exit.
-T
    Disable encryption for maximum throughput.
-p
    Preserve file timestamps for source modification time (mtime) and last access time (atime).
    Important: On Windows, mtime and atime can be affected when the system automatically adjusts for Daylight Savings Time (DST). For details, see the Microsoft KB article,
-q
    Quiet mode. This option disables the progress display.
-l max_rate
    Set the target transfer rate. (Default: 10 Mbps) This option accepts suffixes "G/g" for Giga, "M/m" for Mega, "K/k" for Kilo, and "P/p/%" for percentage, and decimals are allowed. If the client does not specify a target rate, the server target rate is used. If local or server rate caps are specified, the "starting" (default) rate does not exceed the cap.
-m min_rate
    Set the minimum transfer rate in Kbps. (Default: 0) If the client does not specify a minimum rate, the server minimum rate is used. If local or server rate caps are specified, the "starting" (default) rate does not exceed the cap.
-i private_key_file
    Use public key authentication and specify the private key file. Typically, the private key file is in the directory $HOME/.ssh/.
-Z dgram_size
    Specify the datagram size (MTU) for FASP. By default, the detected path MTU is used. (Range: bytes)
    Note: As of version 3.3, datagram size can be enforced by setting <datagram_size> in aspera.conf on the server. If size is set with both -Z (client side) and <datagram_size> (server side), the server setting is used. If the client-side is pre-3.3, datagram size is determined by the -Z setting, regardless of the server-side setting for <datagram_size>. If pre-3.3 client does not specify -Z, then datagram size is based on the discovered MTU and the server logs the message "LOG Peer client doesn't support alternative datagram size".
-X rexmsg_size
    Set the maximum size of a retransmission request in bytes. (Max: 1440).
-L local_log_dir
    Specify a local logging directory.
-R remote_log_dir
    Specify a remote logging directory.
    Note: Client users that are restricted to aspshell are not allowed to use this option.
-O fasp_port
    Set the UDP port for FASP transfers. (Default: 33001)
-P ssh-port
    Set the TCP port for FASP session initiation. (Default: 22)
-E pattern
-N pattern
    Exclude (-E) or include (-N) files or directories with the specified pattern from the transfer. Up to 16 -E and -N patterns can be used. The following two symbols can be used in the pattern:
    * (asterisk) represents zero or more characters in a string, for example *.tmp matches .tmp and abcde.tmp.
    ? (question mark) represents a single character, for example t?p matches tmp but not temp.

    Rules are applied in order, and each rule is applied to the files that were filtered by the preceding rules.
--mode=mode
    Specify the transfer direction, either send or recv. Requires --host.
--host=host
    The server's hostname or address. If a value is not provided, the source files or the target path must specify the host name as "host:filename". Requires --mode.
--policy=xfer_policy
    Set the transfer policy, which can be any of the following:
    fixed  Attempts to transfer at the specified target rate, regardless of the actual network capacity. This policy transfers at a constant rate and finishes in a guaranteed time. This policy can occupy most of the network's bandwidth, and is not recommended in most file transfer scenarios. Requires a maximum (target) rate value.
    high   Monitors the network and adjusts the transfer rate to fully utilize the available bandwidth up to the maximum rate. When congestion occurs, the transfer rate is twice as fast as fair. Requires both the maximum (target) and the minimum transfer rates.
    fair   Monitors the network and adjusts the transfer rate to fully utilize the available bandwidth up to the maximum rate. When congestion occurs, bandwidth is shared fairly by transferring at an even rate. Requires both the maximum (target) and the minimum transfer rates.
    low    Similar to fair mode, the low policy uses the available bandwidth up to the maximum rate, but is less aggressive. When congestion occurs, the transfer rate is reduced to the minimum rate until other traffic retreats.
    If --policy is used, it is reflected in the GUI. If --policy is not used, ascp4 uses the server-side setting (fair by default).
--user=username
    The username authenticated by the transfer server. If you do not specify a username for the transfer, the local username is authenticated by default.
    Note: If you are authenticating on a Windows machine as a domain user, the transfer server strips the domain from the username. For example, Administrator is authenticated rather than DOMAIN\Administrator. Thus, you must specify the domain explicitly.
--symbolic-links=method
    Specify how to handle symbolic links. On Windows, the only option is skip. On other operating systems, this option takes the following values (default: follow):
    follow  Follow symbolic links and transfer the linked files.
    copy    Copy only the alias file. If a file with the same name exists on the destination, the symbolic link is not copied.
    skip    Skip symbolic links.
--src-base=prefix
    Specify the prefix that is deleted from the file path of each source object. The remaining portion of the source path is kept intact at the destination. Available only in send mode (--mode=send).

    Example: Using --src-base

    The directory /clips on the server contains the following folders and files:

        /clips/outgoing/file1
        /clips/outgoing/foldera/file2
        /clips/outgoing/folderb/file3

    To transfer all the folders and files in /clips/outgoing (but not /outgoing itself) to the /incoming directory at the destination, run the following command:

        # ascp4 -d --src-base=/clips/outgoing/ root@ :/clips/outgoing/ /incoming

    At the destination, the following folders and files appear in /incoming:

        (docroot)/incoming/file1
        (docroot)/incoming/foldera/file2
        (docroot)/incoming/folderb/file3

    Files outside of the source base (for example, /temp/file4) are not transferred, and warnings are generated.

    Example: Without --src-base

    If the source item is a folder and --src-base is not used, then the contents of the folder and the folder itself are transferred. For example, run the same command as in the previous example but without --src-base:

        # ascp4 -d root@ :/clips/outgoing/ /incoming

    At the destination, the following folders and files appear in /incoming:

        (docroot)/incoming/outgoing/file1
        (docroot)/incoming/outgoing/foldera/file2
        (docroot)/incoming/outgoing/folderb/file3

    If the source object is a single file and --src-base is not used, then only the file is transferred. For example:

        # ascp4 -d root@ :/clips/outgoing/file1 root@ :/clips/outgoing/foldera/file2 /incoming

    At the destination, the following files appear in /incoming:

        (docroot)/incoming/file1
        (docroot)/incoming/file2
--file-list=filename
    Specify the source content in a file that contains a list of filepaths. The file list supports UTF-8 files and input from standard input through "-". The sources can exist on either the local host or the remote host (in terms of download), but not on both. Each source must be specified on a separate line:

        src
        src2
        ...
        srcn

    Important: Multiple --file-list options are not supported in one ascp4 command. If multiple file lists are specified, all but the last are ignored. In addition, you cannot include file names in a command with --file-list. Only files from the file list are transferred.

    Paths in file lists cannot use syntax. You must use --user with --file-list.
--faspmgr-io
    Run A4 in API mode using FASP manager I/O. A4 reads FASPMGR4 commands from management and executes them. The FASPMGR4 commands are PUT/WRITE/STOP to open/write/close on a file on the server.
--delete-before
    Delete files that exist at the destination but not at the source before starting the transfer. Objects in the destination with the same name but different type or size as objects in the source are not deleted. Requires write permissions on the destination. Do not use with multiple sources, keepalive, URI storage, or HTTP fallback. Using --delete-before can be faster than --delete-after because the destination data set used to compare objects may be smaller before the transfer occurs. Can also be specified as --delete-before-transfer.
--delete-after
    Delete files that exist at the destination but not at the source after all files are transferred. Objects in the destination with the same name but different type or size as objects in the source are not deleted. Requires write permissions on the destination. Do not use with multiple sources, keepalive, URI storage, or HTTP fallback. Using --delete-after can be slower than --delete-before because the destination data set used to compare objects may be larger after the transfer occurs. Can also be specified as --delete-after-transfer.
--preserve-file-owner-uid
    Preserve the owner information (uid) of transferred files.
    Note: Requires that the transfer user be authenticated as a superuser.
--preserve-file-owner-gid
    Preserve group information (gid) of transferred files.
    Note: Requires that the transfer user be authenticated as a superuser.
--preserve-access-time
    Preserve the file timestamps (same as -p).
--preserve-source-access-time
    Preserve the file timestamps (same as -p).
--preserve-modification-time
    Preserve the file timestamps (same as -p).
--preserve-creation-time
    Preserve the file timestamps (same as -p).
--chunk-size=bytes
    Buffer size that is used for storage read/write operations as well as for an internal transmission and compression "unit". Valid range: 4 kb Mb.
--read-threads=num
    Number of storage "read" threads (sender only). Default: 2.
--write-threads=num
    Number of storage "write" threads (receiver only). Default: 2.
    Note: For ascp4 transfers to object or HDFS storage, write threads cannot exceed the maximum number of jobs configured for Trapd (default: 15). To use more threads, open /opt/aspera/etc/trapd/trap.properties on the server and set the value for

    aspera.session.upload.max-jobs to one larger than the number of write threads. For example,

        # Number of jobs allowed to run in parallel for uploads.
        # Default is 15
        aspera.session.upload.max-jobs=50
--scan-threads=num
    Number of directory "scan" threads (sender only). Default: 2.
--meta-threads=num
    Number of directory "creation" threads (receiver only). Default: 2.
--compression=method
    Compress file data inline. The method can be one of: none, zlib, or lz4. Default is lz4.
--compression-hint=num
    For use with compression algorithms that allow you to set compression level (currently only zlib). A lower value results in less, but faster, data compression (0 = no compression). A higher value results in greater, slower compression. Acceptable values are -1 to 9, where -1 is "balanced". Default:
--compare=method
    The compare method can be size, size+mtime, md5, md5-sparse, sha1, or sha1-sparse. If the --overwrite method is diff or diff+older, the default compare method is size.
--overwrite=method
    Overwrite files at the destination with source files of the same name. (Default: always) This option can use the following methods:
    always      Always overwrite the file.
    never       Never overwrite the file. If the destination contains partial files that are older or the same as the source files and resume is enabled, the partial files resume transfer. Partial files with checksums or sizes that differ from the source files are not overwritten.
    diff        Overwrite if the file is different from the source, depending on the compare method (default is size). If resume is not enabled, partial files are overwritten if they are different from the source, otherwise they are skipped. If resume is enabled, only partial files with different sizes or checksums from the source are overwritten; otherwise, files resume.
    diff+older  Overwrite if the destination is older and different from the source, depending on the compare method (default is size). If resume is not enabled, partial files are overwritten if they are older and different from the source, otherwise they are skipped. If resume is enabled, only partial files that are different and older than the source are overwritten, otherwise they are resumed.
    older       Overwrite if the destination timestamp is older than the source timestamp.
--resume
    Resume a copy rather than retransfer if partial files are present at the destination and they do not differ from the source file based on the compare method. If the files no longer match, then the source file is retransferred.
-k resume_level
    Enable resumption of partial transfers. The resume_level can be 0 (default), 1, 2, or 3.
    -k 0: Always retransfer the entire file (same as --overwrite=always).
    -k 1: Check file modification time and size and resume if they match (same as --overwrite=diff --compare=size --resume).

    -k 2: Check sparse checksum and resume if they match (same as --overwrite=diff --compare=md5-sparse --resume).
    -k 3: Check full checksum and resume if they match (same as --overwrite=diff --compare=md5 --resume).
--sparse-file
    Enable A4 to write sparse files to disk. This option prevents A4 from writing zero content to disk for sparse files; A4 writes a block to disk if even one bit is set in that block. If no bits are set in the block, A4 does not write the block (by default A4 blocks are 64K).
--no-read
    In test mode, do not read the contents of source files.
--no-write
    In test mode, do not write the contents of destination files.
--no-open
    In test mode, do not actually open or write the contents of destination files.
--memory=bytes
    Maximum memory that the local ascp4 process is allowed. Default 256MB.
--remote-memory=bytes
    Maximum memory that the remote ascp4 process is allowed. Default 256MB.
--exclude-newer-than=mtime
--exclude-older-than=mtime
    Exclude files from the transfer based on when the file was last changed. This option does not apply to directories.

Using A4 from the GUI

Transfers initiated from the GUI use ascp, and ascp4 transfers can be run only from the command line. You can make transfers initiated from the GUI use ascp4 by following these steps.

1. Back up the ascp executable.

   Locate the ascp executable:

    /opt/aspera/bin/ascp

   Rename the file ascp-version.bak.

2. In the same directory, make a copy of ascp4 and rename it ascp.

The transfer server now uses ascp4 for transfers initiated from the GUI.

Important: Not all standard ascp options are available with ascp4.

Getting Started with the Aspera Trapd Service

Trapd is the Aspera service that enables Aspera servers to write to cloud or on-premises object storage, as well as Hadoop Distributed File System (HDFS). Trapd is currently only available with Enterprise Server for Linux. The Enterprise Server should be in close proximity to the object storage to reduce any latency.

Requirements and Set Up

Trapd is included with Aspera On Demand applications and Aspera Enterprise Server for Linux 64-bit. Trapd is enabled in Aspera On Demand, but is disabled by default in Enterprise Server. Trapd can be enabled by running the following command:

    # /opt/aspera/bin/astrap-config.sh enable

The Aspera server must be configured to access the object storage. For stand-alone servers, this configuration is typically done when setting the docroot in aspera.conf (see Setting Docroots for Object Storage and HDFS). The Aspera client may also specify the object storage path and credentials as part of the transfer command (see Ascp Transfers with Object Storage and HDFS). For multi-tenant use cases, such as the Aspera Transfer Cluster Manager (ATCM) or the Aspera Transfer Service (ATS), configuration is done as part of creating an access key (see the documentation for those products for more information).

Configuration

For general information about configuring Trapd, see General Trap Configuration Reference. For information about using Trapd features, see Working with Trap. Trapd works with many types of storage and comes packaged with templates of configuration files for all supported storage types. For more information, see the topics relevant to your storage type.

General Trap Configuration Reference

Setting Docroots for Object Storage and HDFS

Docroot path syntax is typically a protocol followed by URL-encoded storage account access credentials and a path in that storage. Aspera-required object storage configuration properties can also be set in the docroot or set in the protocol-specific Trapd .properties configuration file. The general syntax is:

    protocol://user:password@object_storage_url/path/[?storage_configuration]

Docroot paths may be set to cloud or on-premises object storage in the Enterprise Server GUI or by editing aspera.conf using asconfigurator. To set the docroot for a user with asconfigurator, run the following command:

    # asconfigurator -x "set_user_data;user_name,username;absolute,docroot"

The docroot can also be configured manually by adding the following text to /opt/aspera/etc/aspera.conf:

    <user>
      <name>username</name>
      ...
      <file_system>
        <access><paths><path>
          <absolute>docroot</absolute>
        </path></paths></access>
      </file_system>
    </user>

Note: After setting the docroot, you must restart the Asperanoded service by running the following command:

    # service asperanoded restart

Object Storage Docroot Formats

Docroot Formatting Requirements:

The protocol prefixes for cloud-based docroot paths are case sensitive. For example, "s3://" is the correct prefix for S3 storage and "S3://" does not work.

The variable components of URI docroots must be URL encoded, unless you are entering them in the Enterprise Server GUI. For more information, see URL Encoding.

AWS S3

Aspera recommends using IAM assumed roles, in which case the docroot has the format:

    s3://s3.amazonaws.com/my_bucket/

For more information on the IAM roles required for Aspera, see the following knowledge base article:

Without IAM roles, you must specify your access_id and secret_key. You can find these values in the AWS Management Console by clicking your login name and selecting Security Credentials from the drop-down menu. The docroot includes this information with the following format:

The docroot can also be used to set storage configuration properties including AWS storage class, infrequent access, server encryption, or AWS KMS encryption, by adding the appropriate option:

    s3://s3.amazonaws.com/my_bucket/?storage-class=reduced_redundancy
    s3://s3.amazonaws.com/my_bucket/?storage-class=infrequent_access
    s3://s3.amazonaws.com/my_bucket/?server-side-encryption=aes256
    s3://s3.amazonaws.com/my_bucket/?server-side-encryption=aws_kms

These options can be combined as in the following example, where the & that combines the queries must be URI encoded:

    s3://s3.amazonaws.com/my_bucket/?storage-class=reduced_redundancy&server-side-encryption=aes256

Azure blob

Google Cloud Storage

If the instance was set up with a Google service account, the docroot is set as:

    gs:///my_bucket/my_path

Without a Google service account, obtain the .p12 private key for your storage. For instructions on generating a private key, see the Google Cloud Platform documentation:

Save the .p12 file in /opt/aspera/etc/trap. You can specify the project ID and path to the private key either as part of the docroot URI, as in the following example:

    gs:// _address@storage.googleapis.com/my_bucket/?aspera.gssession.projectid=project_id&aspera.gssession.pk12=path_to_private_ absolute>

Note: The _address is the service account ID associated with the storage. You must URL encode the "@" when entering the address in the docroot. For example, if the service account ID is test@developer.gserviceaccount.com, then it is entered in the docroot as:

    test%40developer.gserviceaccount.com

Hadoop Distributed File System (HDFS)

Where username is that of an Enterprise Server transfer user. You can use any transfer user on the Enterprise Server because the HDFS URI indicates which user is connecting to HDFS.

IBM Cloud Object Storage (COS) - S3

    s3://access_id:secret_key@accessor_endpoint/vault_name

OpenStack Swift, including IBM COS - Swift

The following is the basic docroot format for all Swift-based object storage systems, including IBM Cloud Object Storage (COS) - Swift:

    swift://account_id:api_key@auth_url/my_bucket

The auth_url is the URL pointing to the Keystone Admin service and is entered in the docroot without the preceding " For example, if auth_url is reported as then the auth_url is lonidentity.open.softlayer.com in the docroot.

Additional docroot requirements for OpenStack Swift:

Additional configuration of Trapd is required for OpenStack Swift-based storages to use the KeyStone identity service. These can be set in the docroot, with the format docroot?setting.

For SoftLayer (including IBM COS - Swift), add ?aspera.swift.endpoint.auth-path=/auth/v1.0 to the docroot. For example, a docroot for IBM COS - Swift is written:

    swift:// XYZO :bob:437e...bc16@sjc01.objectstorage.service.networklayer.com/test?aspera.swift.endpoint.auth-path=/auth/v1.0

URL Encoding

Docroots pointing to object storage are written as URIs, in which the variable components such as access IDs, passwords and secret keys, bucket names, and paths to folders must be URL encoded. For example, when setting a docroot for AWS S3 with the following format:

    s3://access_id:secret_key@s3.amazonaws.com/my_bucket

The values for access_id, secret_key, my_bucket, and my_path must be URL encoded while preserving the separators (: and /).

URL Encoding Characters

The following reserved characters are often included in passwords and secret keys:

    Character     !    #    $    &    '    (    )    *    +
    URL encoded   %21  %23  %24  %26  %27  %28  %29  %2A  %2B

    Character     ,    /    :    ;    =    ?    @    [    ]
    URL encoded   %2C  %2F  %3A  %3B  %3D  %3F  %40  %5B  %5D

To URL encode other characters and to encode entire strings at once, you may use the online tool:

293 Enterprise Server Configuration and Transfer Reference Select UTF-8 as the target. Examples AWS S3 docroot with the following inputs: access_id = abc+d secret_key = ef/gh my_bucket/my_path = unicode###/movies The encoded URI is: s3://abc%2bd:ef%2fgh@s3.amazonaws.com/unicode%e6%96%87%e4%bb %B6%E5%A4%B9%2Fmovies Note: The forward slash between the bucket name and path is also encoded. If the docroot also contains queries, for example if the following aspera.conf settings are specified as part of the docroot: storage-class=reduced_redundancy server-side-encryption=aes256 The "&" between the two settings must be encoded as &amp because the URI is in an XML file, as follows: s3://abc%2bd:ef%2fgh@s3.amazonaws.com/unicode%e6%96%87%e4%bb %B6%E5%A4%B9%2Fmovies?storage-class=REDUCED_REDUNDANCY&server-sideencryption=AES256 Docroot Restriction for URI Paths If you are using IBM Aspera Files or Aspera On Demand with Console to transfer files to and from cloud storage, you must configure a docroot restriction on your cloud-based transfer server instead of a docroot absolute path. A configuration with both a docroot absolute path (docrooted user) and a restriction is not supported. The primary purpose of restrictions is to allow access to certain storage (for example, Amazon S3) for clients that have their own storage credentials. A docroot restriction limits the files a client is allowed to access for browsing and transfers. Files are rejected unless they match any restrictions that are present. Restriction Syntax Restrictions work for URI paths and are processed in the following order: If a restriction starts with "!", any files that match are rejected. If a restriction does not start with a "!", any files that match are kept. If any restrictions other than "!" exist, and the file does not match any of them, the file is rejected. Files that fail restrictions during directory iteration are ignored as if they do not exist. 
Restriction syntax is specific to the storage:

    Storage Type                                    Format Example
    local storage                                   file:////*
    S3 and IBM Cloud Object Storage (Cleversafe)    s3://*
    Swift storage                                   swift//*
    Azure storage                                   azu://*

To add a restriction, follow these steps:

1. Add a restriction.

   Restrictions can be added to specific users or to all users.

   Note: For Aspera on Demand, you can also enter these settings from Console.

   To add a restriction for a user, for example the Files system user xfer restricted to \s3://*, run the following command:

    # asconfigurator -x "set_user_data;user_name,xfer;file_restriction,\s3://*"

   To add a restriction that applies to all users, such as \s3://*, run the following command:

    # asconfigurator -x "set_node_data;file_restriction,\s3://*"

2. Validate your changes.

    # /opt/aspera/bin/asuserdata -v

   You can also check your configuration by opening /opt/aspera/etc/aspera.conf in a text editor. A restriction configuration will look similar to the following, with a user-specific configuration in the <user> section and an all-users configuration in the <default> section:

    <paths>
      <path>
        <restrictions>
          <restriction>s3://*</restriction>
        </restrictions>
      </path>
    </paths>

Configuring for Small File Uploads

If you need to upload many small files (100 Kb or less) to object storage, Aspera recommends using the configuration described below to optimize transfer speed. These instructions require you to configure settings on the server and the client, both of which must be running an Aspera product version or higher. Check the version of your Aspera product by running the following command:

    # ascp -A

Configuring the Server

1. Disable pre-calculating job size.

   You can disable the pre-calculate job size option by editing aspera.conf or through Aspera Console.

   Editing aspera.conf: Run the following command as root:

    # asconfigurator -x "set_node_data;pre_calculate_job_size,no"

   This command adds the following text to the <file_system> section of /opt/aspera/etc/aspera.conf:

    <file_system>
      ...
      <pre_calculate_job_size>no</pre_calculate_job_size>
    </file_system>

   Using Aspera Console: Log into Console as admin and go to Nodes > edit > Configuration > Advanced File Handling. In the row for Pre-Calculate Job Size, select the OVERRIDE box, then select no from the drop-down menu.

2. Run the Trapd setup script:

    # /opt/aspera/bin/astrap-config.sh enable

3. Modify the Trapd configuration.

   Open /opt/aspera/etc/trapd/trap.properties. Locate the following line:

    #aspera.session.upload.start-check-small-file.enabled=true

   Uncomment the line and change the value to false:

    aspera.session.upload.start-check-small-file.enabled=false

   Note: After making this change, Trap does not check if a directory already exists in your object storage with the same name as a file you are transferring into the storage. For example, if you upload a file named "foo" and your object storage container already has a directory named "foo," your container will have both a file "foo" and a directory "foo."

4. Restart Trapd:

    # /etc/init.d/asperatrapd restart

Configuring the Client

Transfers initiated by the client can be optimized for many small files to object storage from the Aspera GUI or by using ascp command options.

1. Disable resuming incomplete files. (Recommended)

   In the GUI, click Connections. Select the connection you wish to modify then click File Handling. Unselect Resume incomplete files. Click OK to apply this setting to all transfers with this connection.

   Transfers initiated from the command line automatically re-transfer the entire file by default (equivalent to -k 0), unless preceding transfers have specified a different value for -k. In this case, you must use the -k 0 option.

2. Configure the resume options if resume must be used.

   If you must have resume enabled, the following settings optimize resume for transfer speed.

   In the GUI, click Connections. Select the connection you wish to modify then click File Handling.
   Under When checking files for differences, select Compare file attributes from the drop-down menu.
   Under When a complete file already exists at the destination, select Always overwrite from the drop-down menu.
   Click OK to apply these settings to all transfers with this connection.

   To specify the same settings in an ascp command line transfer, run ascp with the following option:

    $> ascp -k 1 --overwrite=always

3. Disable calculation of source files size before transferring with the GUI.

   This optional step makes the start of the transfer faster by avoiding the calculation before the transfer commences. Transfers initiated from the command line do not calculate source files size before transferring by default.

   In the GUI, click Connections. Select the connection you wish to modify then click Transfer. Select Disable calculation of source files size before transferring. Click OK to apply this setting to all transfers with this connection. If you do not see this option, click Show Advanced Settings to make it visible.

Resuming Transfers to Object Storage and HDFS

File transfer resume works differently when the target is object storage, and the process depends on the storage platform. Files are transferred to object storage in parts, which are finalized into a complete object once all parts have uploaded.

Configuring File Resume:

You can configure file resume as for regular transfers using the GUI or command line. In the GUI, go to Connections > File Handling and select Resume incomplete files. Files in object or HDFS storage can be compared using timestamps but not checksums. Thus, in the server GUI, select Compare file attributes from the dropdown menu for When checking files for differences. To specify the same resume policy in an ascp command, use the option -k 1.

Resume Behavior:

- Resume does not occur if the file is smaller than one part. In general, a file resumes if at least one part has been transferred to the destination.
- During a transfer, browsing the storage through the GUI or Node API shows partial transfers as filename.partial files. These may be real files or placeholders, depending on the storage type. Real .partial files are visible with the storage's default browser whereas placeholder .partial files are not.
- When the upload is complete, real .partial files are deleted and placeholder .partial files are no longer produced.

Naming Constraints

Path names in Hadoop Distributed File System (HDFS)

By default, each component of a path is limited to 255 bytes in UTF-8 encoding. This value can be configured in the Hadoop configuration file (/etc/hadoop/conf/hdfs-default.xml) by changing the value of dfs.namenode.fs-limits.max-component-length. A value of 0 disables the limit but may create incompatibilities with other file systems that do not support long paths.

Bucket and Container Names

Many object storage platforms (including AWS S3, Google Cloud Storage, and Azure) require DNS-compliant bucket names, with additional constraints specific to certain platforms. Container names in object storage using the OpenStack Swift API do not need to be DNS-compliant, as described below.

Rules for DNS-compliance:

- Names must be between three and 63 characters long.
- Names must be a series of one or more labels, with adjacent labels separated by a period (.).
- Labels can contain lowercase letters, numbers, and hyphens (-), but must start and end with a lowercase letter or a number (labels cannot start or end with a period).
- Periods may not be adjacent to another period or a hyphen, nor can a hyphen be adjacent to another hyphen. For example, "..", "--", "-.", and ".-" are not valid.
- Labels cannot be formatted as IP addresses (for example, ).

Additional Information on Bucket Names, by Object Storage Platform:

AWS S3
    For more information, see: BucketRestrictions.html

Google Cloud Storage
    Names containing periods may be up to 222 characters total, but each label must be no more than 63 characters.
    Names may not begin with "goog", nor contain "google" or close misspellings of "google."
    For more information, see: naming#requirements

Azure
    For more information, see: storageservices/fileservices/naming-andreferencing-containers--blobs--and-metadata?redirectedfrom=msdn

Container Names in OpenStack Swift:

Container names must be unique within each account and consist of one to 256 UTF-8 characters. Names can start with any character and contain any character except forward slash (/). For more information, see:
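The bucket and container naming rules above can be checked before a name is placed in a docroot. The following Python is an added example, not part of the Aspera documentation or product: the function names and the platform argument are hypothetical, the sample names are constructed, and the "close misspellings of google" rule is not checked because the page does not define it.

```python
"""Added example: validate bucket and container names against the rules above.

Function names and the `platform` argument are hypothetical.
"""
import re

# One DNS label: lowercase letters, digits and hyphens, starting and ending
# with a lowercase letter or digit.
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")
# Four dot-separated groups of digits, i.e. a name shaped like an IPv4 address.
IPV4_SHAPE_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Adjacent period/hyphen combinations the page lists as invalid.
BAD_PAIRS = ("..", "--", "-.", ".-")


def bucket_name_problems(name, platform="generic"):
    """Return a list of rule violations; an empty list means the name passes.

    platform="gcs" adds the Google Cloud Storage rules from the page:
    up to 222 characters when the name contains periods, no "goog" prefix,
    and no "google" substring.
    """
    problems = []
    max_len = 222 if (platform == "gcs" and "." in name) else 63
    if not 3 <= len(name) <= max_len:
        problems.append("length %d is outside 3-%d" % (len(name), max_len))
    for pair in BAD_PAIRS:
        if pair in name:
            problems.append("contains the invalid sequence %r" % pair)
    if name.startswith(".") or name.endswith("."):
        problems.append("starts or ends with a period")
    for label in name.split("."):
        if not label:
            continue  # empty labels are already reported above
        if len(label) > 63:
            problems.append("label %r is longer than 63 characters" % label)
        if not LABEL_RE.fullmatch(label):
            problems.append("label %r has invalid characters or edges" % label)
    if IPV4_SHAPE_RE.fullmatch(name):
        problems.append("formatted as an IP address")
    if platform == "gcs":
        if name.startswith("goog"):
            problems.append('begins with "goog"')
        if "google" in name:
            problems.append('contains "google"')
    return problems


def swift_container_problems(name):
    """OpenStack Swift containers: one to 256 characters, no forward slash.

    The length is counted in characters, following the wording on this page.
    """
    problems = []
    if not 1 <= len(name) <= 256:
        problems.append("length %d is outside 1-256" % len(name))
    if "/" in name:
        problems.append("contains a forward slash")
    return problems


if __name__ == "__main__":
    # Constructed sample names.
    for sample in ("my-bucket.logs", "My_Bucket", "a--b", "192.0.2.10", "ab"):
        print(sample, "->", bucket_name_problems(sample) or "ok")
    print("goog-data (gcs) ->", bucket_name_problems("goog-data", "gcs"))
    print("Any Name! (swift) ->", swift_container_problems("Any Name!") or "ok")
    print("a/b (swift) ->", swift_container_problems("a/b"))
```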

Object Names, Key Names, and Blob Names

In general, object names, key names, and blob names must be a sequence of Unicode characters whose UTF-8 encoding is one to 1024 bytes long. This format applies to AWS S3, Google Cloud Storage, and Azure. Object storage using the OpenStack Swift API has no restrictions on object names.

The following character sets are generally safe:

- Alphanumeric characters: 0-9, a-z, A-Z
- !-_.*'()

The following characters may require special handling, such as URL encoding or referencing as HEX:

- &$@=;:+,?
- spaces
- ASCII character ranges 00-1F hex (0-31 decimal) and 7F (127 decimal).

Avoid the following characters:

- \{}^%`[]"<~#
- Non-printable ASCII characters ( decimal characters)

Additional Information on Object Name, Key Name, or Blob Name Requirements, by Object Storage Platform:

AWS S3
    For more information, see: UsingMetadata.html#object-keys

Google Cloud Storage
    Names cannot contain Carriage Return or Line Feed characters.
    Avoid control characters that are illegal in XML 1.0 (#x7f -#x84 and #x86-#x9f).
    For more information, see: naming#objectnames

Azure
    Blob names are case sensitive.
    Avoid blob names that end with a period, a forward slash (/), or a sequence of the two.
    Blob names cannot contain more than 254 path segments, where a path segment is the string between delimiter characters (such as the forward slash) that correspond to the name of a virtual directory.
    For more information, see: storageservices/fileservices/naming-and-referencingcontainers--blobs--and-metadata

Object Metadata Names (Keys) and Values

Object metadata is a set of name-value pairs. Users can often add customized metadata names, within the constraints of the object storage platform.

Object Metadata Name Requirements, by Object Storage Platform:

AWS S3
    Name-value pairs must conform to US-ASCII when using REST, and to UTF-8 when using SOAP or browser-based uploads (POST requests).
    When using the REST API, user-defined metadata names must begin with "x-amz-meta-".
    PUT request headers are limited to 8 Kb, of which 2 Kb may be user-defined metadata. User-defined metadata is calculated as the total bytes of the UTF-8 encoded name and value.
    For more information, see: UsingMetadata.html#object-metadata

Google Cloud Storage
    Custom metadata names must begin with "x-goog-meta-".
    Each individual metadata entry is limited to bytes, and 512 Kb for the total metadata server.
    For more information, see:

OpenStack Swift
    Metadata names are case-insensitive.
    Names may contain ASCII 7-bit characters that are not control (0-31) characters, DEL, or a separator character.
    Underscores (_) are silently converted to hyphens (-).
    For more information, see: index.html

Azure
    Metadata names must follow the naming rules for C# identifiers.
    The combined size of the name-value pair may not exceed 8 Kb.
    For more information, see: storageservices/fileservices/naming-and-referencingcontainers--blobs--and-metadata

Troubleshooting Trap

Trapd Log Location

If you have problems with transfers to cloud, object, or HDFS storage, Aspera Support may ask to view your logs. The log files are found in the following location:

    /opt/aspera/var/log/trapd

This directory contains the following log files:

    Log name
    aspera-trapd.log               Main log.
    aspera-trapd-debug-log.log     Debug log.
    aspeartrapd-start.log          Start/stop information and version.
    buffer-pool.log                Shared memory.
    example: gc _15_52_32.log      Java VM garbage collector. The file name starts with gc- and is followed by a timestamp.
    http-tx.log                    HTTP requests (only appears when Trapd is run in debug mode).
    std_out.log                    Redirection of standard streams. File is usually empty.
    storage-perf.log               HTTP connections performances (only appears when Trapd is run in debug mode).
    trapd_stdout.log               Startup script and thread dump.
    transfer-stats.log             Transfer statistics.
    tx.log                         Transfer logs.

You can also determine the version of Trapd by running the following command:

    # /etc/init.d/asperatrapd version

Authentication and Authorization

Installing SSL Certificates

This topic assumes you have a signed root certificate or certificate bundle (root certificate with chained or intermediary certificates) from an authorized Certificate Authority to configure on your Aspera transfer server. If you need to request a certificate from a Certificate Authority (CA), see the article How to Generate a Certificate Signing Request (CSR) in the Aspera Support Knowledgebase.

Procedure Overview

This procedure describes how to install SSL certificates for an Aspera transfer server. The procedure uses three files:

aspera_server_key.pem
    Created automatically during transfer server installation.
    Resides in the default Aspera installation directory: /opt/aspera/etc
    Contains the default private key.
    In this procedure, you replace the default private key with the new private key generated with the certificate signing request (CSR).

aspera_server_cert.pem
    Created automatically during transfer server installation.
    Resides in the default Aspera installation directory: /opt/aspera/etc
    Contains the default self-signed certificate.
    In this procedure, you replace the default self-signed certificate with the content described in step 3 below.

aspera_server_cert.chain
    You create this file, as described below.
    You place the file in the same directory as aspera_server_key.pem and aspera_server_cert.pem.
    You place the certificate bundle (chained or intermediary certificates) from the CA in this file.

The default filenames and locations can be changed by configuring settings in the transfer server's aspera.conf file, using asconfigurator commands:

    # asconfigurator -x "set_http_server_data;cert_file,path/certfile.pem"
    # asconfigurator -x "set_http_server_data;key_file,path/keyfile.pem"
    # asconfigurator -x "set_server_data;cert_file,path/certfile.chain"

Note: The chain file for asperanoded must match the location and name of the asperanoded certfile, but with the .chain extension.

The commands add the following text to aspera.conf:

    <http_server>
      ...
      <key_file>path/keyfile.pem</key_file>        <!-- key file for asperahttpd -->
      <cert_file>path/certfile.pem</cert_file>     <!-- cert file for asperahttpd -->
      ...
    </http_server>
    <server>
      ...
      <cert_file>path/certfile.chain</cert_file>   <!-- cert file for asperanoded -->
      ...
    </server>

The aspera.conf is located in: /opt/aspera/etc/aspera.conf

Install Certificates

1. Back up the default private key and self-signed certificate, using the following commands:

    # cd /opt/aspera/etc
    # cp aspera_server_key.pem aspera_server_key.pem.bak
    # cp aspera_server_cert.pem aspera_server_cert.pem.bak

2. In aspera_server_key.pem, replace the existing content with the new private key generated with the certificate signing request (CSR).

3. In aspera_server_cert.pem, replace the existing content with the following, in the order shown:

   a. the new private key
   b. the server certificate
   c. any chained or intermediary certificates from the CA in order of ascending authority, for example:
      intermediary certificate 1

      intermediary certificate 2
      intermediary certificate 3
   d. the root certificate from the CA

4. Create a new file named aspera_server_cert.chain. This file must reside in the same directory as the .pem files.

   If you have a certificates bundle from the CA, the contents of aspera_server_cert.chain must consist of the following, in the order shown:

   a. the server certificate
   b. the certificates bundle, which includes the root certificate

   If you do not have a certificates bundle from the CA, the contents of aspera_server_cert.chain must consist of the following, in the order shown:

   a. the server certificate
   b. any chained or intermediary certificates from the CA in order of ascending authority, for example:
      intermediary certificate 1
      intermediary certificate 2
      intermediary certificate 3
   c. the root certificate from the CA

Restart Services

Restart the services asperacentral, asperahttpd, and asperanoded using the following commands:

    # service asperacentral restart
    # service asperahttpd restart
    # service asperanoded restart

Verify Proper Installation

To verify the root certificate and the certificate chain, run the command-line tool openssl to connect to the asperanoded service. For example, assuming you are using the default node port (HTTPS 9092):

    # /opt/aspera/bin/openssl s_client -connect myserver:9092

The output returned from this command will show a return value of 0 for success or 1 for failure.

Success: The following sample output shows that verification was successful because verify return is 0.

    depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. For authorized use only", CN = VeriSign Class 3Public Primary Certification Authority - G5
    verify error:num=20:unable to get local issuer certificate
    verify return:0

Failure: The following sample output shows that verification failed because verify return is 1.

    depth=0 C = US, ST = California, L = Emeryville, O = IBM, OU = Aspera Inc IT Department, CN = *.asperafiles.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 C = US, ST = California, L = Emeryville, O = IBM, OU = Aspera Inc IT Department, CN = *.asperafiles.com
    verify error:num=27:certificate not trusted
    verify return:1

    depth=0 C = US, ST = California, L = Emeryville, O = IBM, OU = Aspera Inc IT Department, CN = *.asperafiles.com
    verify error:num=21:unable to verify the first certificate
    verify return:1

Note: You must see as many elements in the output as there are certificates in the chain. In the example below, there is one root certificate and two chained certificates, and therefore the output must show three elements to prove the installation was successful.

Success: The following example shows a successful verification for one root certificate and two intermediary certificates in the chain:

    Certificate chain
     0 s:/c=us/st=california/l=emeryville/o=ibm/ou=aspera Inc IT Department/ CN=*.asperafiles.com
       i:/c=us/o=symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
     1 s:/c=us/o=symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
       i:/c=us/o=verisign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/cn=verisign Class 3 Public Primary Certification Authority - G5
     2 s:/c=us/o=verisign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/cn=verisign Class 3 Public Primary Certification Authority - G5
       i:/c=us/o=verisign, Inc./OU=Class 3 Public Primary Certification Authority

Failure: The following example shows an unsuccessful verification, since only the root certificate is displayed.

    Certificate chain
     0 s:/c=us/st=california/l=emeryville/o=ibm/ou=aspera Inc IT Department/ CN=*.asperafiles.com
       i:/c=us/o=symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4

If verification is unsuccessful, run the following command to inspect your certificate content:

    # /opt/aspera/bin/openssl x509 -in certificate.crt -text -noout

Setting Up Token Authorization

When accounts on a transfer server are configured to require token authorization, only transfers initiated with a valid token are allowed to transfer to or from the server. The token authorization requirement can be set for individual users, entire user groups, or globally for all users. Token authorization can be set independently for incoming transfers and outgoing transfers.

Note: Token authorization is required for initiating transfers with the Shares product.

Set up token authorization for a transfer user as follows:

1. Choose or create the transfer user on the server. The examples below use the transfer user aspera_user_1.

2. Log in as the user to ensure that any created files are owned by the user. Create the directory .ssh and the file authorized_keys if they don't already exist. For example:

    /home/aspera_user_1/.ssh/authorized_keys

3. Append the token-authorization public key to the user's authorized_keys file.

   Aspera provides a public key in the file aspera_tokenauth_id_rsa.pub stored in the following location:

    /opt/aspera/var/aspera_tokenauth_id_rsa.pub

4. Ensure that .ssh and .ssh/authorized_keys are owned by the user. For example:

    drwxr-xr-x 2 aspera_user_1 -rw-r--r-- 1 aspera_user_1 authorized_keys xgroup xgroup Mar 20 Mar ssh.ssh/

5. Make sure the user has no password. If the system does not allow this, create a very large password.

6. Make sure the user's login shell is aspshell. For information on setting this, see Securing Your SSH Server.

7. Configure the user for token authorization.

   To configure user authorization from the GUI, see Configuring Token Authorization from the GUI.
   To configure user authorization from aspera.conf, see Configuring Token Authorization in aspera.conf.

   Note: Instead of setting authorization for each user individually, you can set it for a group, or set it globally for all users.

8. Create a node user and associate it with the transfer user. The examples below use the Node API user nuser.

    # /opt/aspera/bin/asnodeadmin -au nuser -x aspera_user_1 -p nuser_passwd

9. Test the node user:

    # curl -ki -u nuser:nuser_passwd

Configuring Token Authorization from the GUI

Requirements:

- You have created a transfer user on your server.
- You have set up the transfer user with an SSH public key as described in Setting Up Token Authorization.

1. Launch the application and click Configuration.

2. Click Users and choose a user to configure.

   Alternatively, click Groups and choose a group to configure, or click Global to configure options for all users.

3. In the right panel of the Server Configuration dialog, click Authorization.

4. Set token authorization for incoming and outgoing transfers.

   Select the override boxes for Incoming Transfers and Outgoing Transfers. Under Effective Value, select token from the dropdown menu.

5. Set the token encryption key.

   Select the override box for Token Encryption Key and enter the token encryption key. The encryption key should be a string of random characters (at least 20 recommended).

6. Click Apply to save the changes, or click OK to save the changes and close the dialog.

Token Generation (Node API)

A token authorizes content uploads to a destination or content downloads from a remote source. Token-based authorization is generally used instead of SSH authentication for FASP transfers initiated through IBM web applications, such as IBM Aspera Shares, Faspex, and Sharepoint, but can be used in place of SSH authentication for other types of Aspera products. When a user requests a transfer from Shares, Faspex, or Sharepoint in the web UI, an operational token is automatically generated using the Node API and is used to authorize the ascp session between the client and the Shares, Faspex, or Sharepoint node, within constraints set in the command line and aspera.conf.

Aspera recommends using the Node API tool to generate tokens, though they can be generated using the astokengen tool. Using the Node API tool enables greater flexibility and functionality because astokengen creates tokens constrained by the settings in aspera.conf. In practice, astokengen is most useful for decoding tokens during application development for debugging purposes. For more information on astokengen, see Token Generation (astokengen). For more information on using the Node API, request access to the Aspera Developer Network (ADN) from your Aspera account manager.

Prerequisite: Setup for Token Authorization

Before generating and using tokens, you must set up a transfer user for token authorization and associate the transfer user with a node username and password. For instructions, see Setting Up Token Authorization.

Generating Tokens with Node API Calls

Curl is used to call the API, and is freely available for download for all operating systems supported by Aspera from:

To generate a token, you run a curl command to the /files/upload_setup or /files/download_setup endpoint (depending on what kind of token you want to generate). The request provides a JSON object called transfer_requests. The Node API response, a transfer_specs JSON object, includes a token, as well as a description of who is authorized to transfer using the token, what files can be transferred, and transfer properties.

Note: When generating tokens with an IBM Aspera Shares server, the endpoints are /node_api/files/upload_setup and /node_api/files/download_setup.

Upload token

General syntax:

    # curl -i -X POST -u node_username:node_user_password -d '{"transfer_requests" : [{"transfer_request" : { "paths" : [{}], "destination_root" : "/" } } ] }' http(s)://node_server:node_port/files/upload_setup

This command specifies the following:

    -i
        Include the HTTP header in the output.
    -X POST
        Specify a POST request to the HTTP server, rather than the default GET request. (This option is not required when -d is used, but is included here for completeness).
    -u node_username:node_user_password
        Authenticate using the node username and node user password that are associated with the transfer user who has been configured for token authorization.
    -d
        Send the specified data payload to the HTTP server. The payload can be entered in the command line, as it is here, or stored in a file, as described below.
    http(s)://...
        The endpoint URL.
For example, the following request allows the user, lion, who is associated with the node username, nodeuser, and node username password, nodepassword, to upload any files from the source to any location on the destination, serengeti.com:

    # curl -i -v -X POST -u nodeuser:nodepassword -d '{ "transfer_requests" : [ { "transfer_request" : { "paths" : [{}], "destination_root" : "/" } } ] }'

The response output is the following, from which you can extract the token string ATV7_HtfhDaJwWfc6RkTwhkDUqjHeLQePiOHjIS254_LJ14_7VTA:

    HTTP/ OK
    Cache: no-cache
    Connection: close
    Content-Type: application/x-javascript

    {
      "transfer_specs" : [{
        "transfer_spec" : {
          "paths" : [{}],
          "source_root" : "",
          "destination_root" : "/",
          "token" : "ATV7_HtfhDa-JwWfc6RkTwhkDUqjHeLQePiOHjIS254_LJ14_7VTA",
          "direction" : "send",
          "target_rate_cap_kbps" : ,
          "cipher" : "none",
          "rate_policy_allowed" : "fair",
          "rate_policy" : "fair",
          "target_rate_kbps" : 45000,
          "min_rate_kbps" : 0,
          "remote_host" : "serengti.com",
          "remote_user" : "lion",
          "ssh_port" : 22,
          "fasp_port" : 33001,
          "http_fallback" : true,
          "http_fallback_port" : 8080
        }
      }]
    }

You can also specify the transfer request parameters in a file and refer to it in the curl command, which is particularly useful for transfer requests that list many items for source content and destination. For example, the transfer request file, upload_setup.json, could contain the following information for a file pair list:

    {
      "transfer_requests" : [
        {
          "transfer_request" : {
            "destination_root" : "/",
            "paths" : [
              {
                "destination" : "/archive/monday/texts/first_thing",
                "source" : "/monday/first_thing.txt"
              },
              {
                "destination" : "/archive/monday/texts/next_thing",
                "source" : "/monday/next_thing.txt"
              },
              {
                "destination" : "/archive/monday/texts/last_thing",
                "source" : "/monday/last_thing.txt"
              }
            ]
          }
        }
      ]
    }

To use this file in the curl command, specify the path to the file in the -d option, as follows:

Download token

The method for generating a download token is the same as for an upload token, except that you use the /files/download_setup (or /node_api/files/download_setup in the case of Shares) endpoint.

Using Tokens in the Command Line

Once the token is generated, it can be used to authorize FASP transfers by setting the ASPERA_SCP_TOKEN environment variable or using the -W option for ascp and async sessions.

Token Generation (astokengen)

Overview

The astokengen command line tool enables users to generate and decode tokens, but Aspera recommends using the Node API tool to do this as it provides more functionality. For instructions see Token Generation (Node API) and the Aspera Developer Network. The Node API response includes FASP transfer parameters and the token

string, whereas astokengen generates only a specific type of token. In practice, astokengen is most useful for decoding tokens during application development for debugging purposes.

Prerequisite: Setup for Token Authorization

Before generating and using tokens, you must set up a transfer user for token authorization and associate the transfer user with a node username and password. For instructions, see Setting Up Token Authorization.

Syntax and Options

    # astokengen [options]

The astokengen command takes the options described in the table below.

Option (short form), Option (long form)

    -A, --version
        Print version information.
    --mode=mode
        Direction of the transfer mode (send | recv)
    -p, --path=path
        Source path
    --dest=destination
        Destination path
    -u, --user=user
        Generate the token for this user name. This name is embedded in the token and also used to retrieve further information from aspera.conf (user_value and token_life_seconds).
    --file-list=filename
        Specifies a file name that contains a list of sources for a download token. Each line of the file contains a single source and blank lines are ignored. For example:
            /monday/first_thing.txt
            /monday/next_thing.txt
            /monday/last_thing.txt
    --file-pair-list=filename
        Specifies a file name that contains a multiplexed list of source and destination pairs for an upload or download token. Each pair of lines encodes one source and one destination and blank lines are ignored. For example:
            /monday/first_thing.txt
            /archive/monday/texts/first_thing
            /monday/next_thing.txt
            /archive/monday/texts/next_thing
            /monday/last_thing.txt
            /archive/monday/texts/last_thing
    -v token
        Verify token against user and path parameters.
    -t token
        Display the contents of the token.
    -k passphrase
        Passphrase to decrypt token. For use with -t.
    -b
        Assume user name and paths are encoded in base64.

General Usage Examples

Display the contents of the token:

    # astokengen -t token [options]

Authorize uploads to a specific destination:

    # astokengen --mode=send [options] -u user --dest=path [-v token]

Authorize uploads of one or more files as source/destination pairs to a specific destination:

    # astokengen --mode=send [options] -u user --file-pair-list=filename --dest=destination [-v token]

Authorize downloads of one or more files or directories from a specific destination:

    # astokengen --mode=recv [options] -u user -p path [-p path ] [-v token]

Authorize downloads of files specified in a file list:

    # astokengen --mode=recv [options] -u user --file-list=filename [-v token]

Authorize downloads of one or more files as source/destination pairs:

    # astokengen --mode=recv [options] -u user --file-pair-list=filename [-v token]

Usage Examples

Common upload
    In a common upload, only the destination is encoded into the token.

        # astokengen --user=user --dest=path --mode=send

    Source paths and file lists (--path and --file-list) are not allowed and will cause astokengen to fail.

Paired upload
    The destination is prepended to the destinations in the paired list file and they are encoded into the token. The destinations are in the odd numbered lines of the file (1, 3, 5, 7, and so on).

        # astokengen --user=user --dest=path --file-pair-list=filename --mode=send

    Source paths and file lists (--path and --file-list) are not allowed and will cause astokengen to fail.

Common download
    The specified paths are encoded into the token.

        # astokengen --user=user --path=filepath1 --path=filepath2 --mode=recv
        # astokengen --user=user --file-list=filename --mode=recv

    In this case, --dest and --file-pair-list are illegal.

Paired download
    The source files from the file pair list are encoded in the token. The sources are in the even numbered lines of the file (0, 2, 4, 6, 8, etc.).

        # astokengen --user=user --file-pair-list=filename --mode=recv

    In this case, --dest, --path and --file-list are illegal.

Configuring Token Authorization in aspera.conf

Requirements:

    You have created a transfer user on your server.
    You have set up the transfer user with an SSH public key as described in Setting Up Token Authorization.

The examples below use a transfer user called aspera_user_1.

1. Run the following command:

    # asconfigurator -x "set_user_data;user_name,aspera_user_1;authorization_transfer_in_value,token;authoriz

Aspera recommends that the key be a random string of at least 20 characters. This command creates the following text in aspera.conf:

    <user>
      <name>aspera_user_1</name>
      <authorization>
        <transfer>
          <in>
            <value>token</value>
          </in>
          <out>
            <value>token</value>
          </out>
        </transfer>
        <token>
          <encryption_key>gj5o930t78m34ejme9dx</encryption_key>
        </token>
      </authorization>
      <file_system> </file_system>
    </user>

You can also configure token-authorization settings in the <default> section to apply them globally for all users. For instructions on how to run asconfigurator commands to do so, as well as to view other token configuration options, see User, Group and Default Configurations.

2. Optional: you can manually edit aspera.conf in a text editor with write permission. Open the file from the following location:

    /opt/aspera/etc/aspera.conf

Add text as needed to configure token authorization for the user or globally. Save your changes. Validate the aspera.conf file using the asuserdata utility:

    # /opt/aspera/bin/asuserdata -v

Access Key Authentication

Access key authentication provides an alternative to the security credentials of a node user or system user. Because an access key is restricted to its own storage (local or cloud), it allows access control and usage reporting to be segregated by storage. This offers significant benefits to multi-tenant service providers and enterprise installations with multiple departments.

Access key authentication supports Aspera client products, such as Desktop Client, Point-to-Point Client, Enterprise Server, Connect, and Drive. It also supports Faspex, Shares, and Aspera Files. For details about using access key authentication with these products, see the documentation for these products.

Node Access through SSH and HTTPS

A node (a transfer server) is accessed over SSH or HTTPS:

    SSH services are best suited for access when all computers are part of the same administrative domain (in the same organization and with the same administrators).
    HTTPS is best suited for services offered to arbitrary clients or the Internet at large.
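The check below is an added example, not part of the Aspera documentation: it reads an aspera.conf-style file and reports users whose token authorization settings fall short of the guidance in "Configuring Token Authorization in aspera.conf" above (no key, a key under 20 characters, or the sample key from this guide left in place). The CONF/aaa wrapper elements, the fallback from <user> to <default> only (group settings are ignored), and users 2 to 4 in the sample are assumptions.

```python
import xml.etree.ElementTree as ET

DOC_SAMPLE_KEY = "gj5o930t78m34ejme9dx"  # key printed in the guide's example
MIN_KEY_LEN = 20                         # guide: random string of at least 20 characters

MESSAGES = {
    "no-key": "token authorization is on but no encryption_key is set",
    "sample-key": "encryption_key is the sample value from the documentation",
    "short-key": f"encryption_key is shorter than {MIN_KEY_LEN} characters",
    "one-direction-only": "only one transfer direction requires a token",
}

# Constructed configuration. The <user> layout follows the guide; the wrapper
# elements and users 2 to 4 (including their keys) are made up for this demo.
SAMPLE_CONF = """\
<CONF version="2">
  <default>
    <authorization><transfer>
      <in><value>allow</value></in><out><value>allow</value></out>
    </transfer></authorization>
  </default>
  <aaa><realms><realm><users>
    <user>
      <name>aspera_user_1</name>
      <authorization>
        <transfer><in><value>token</value></in><out><value>token</value></out></transfer>
        <token><encryption_key>gj5o930t78m34ejme9dx</encryption_key></token>
      </authorization>
    </user>
    <user>
      <name>aspera_user_2</name>
      <authorization>
        <transfer><in><value>token</value></in></transfer>
        <token><encryption_key>short-key</encryption_key></token>
      </authorization>
    </user>
    <user>
      <name>aspera_user_3</name>
      <authorization>
        <transfer><in><value>token</value></in><out><value>token</value></out></transfer>
      </authorization>
    </user>
    <user>
      <name>aspera_user_4</name>
      <authorization>
        <transfer><in><value>token</value></in><out><value>token</value></out></transfer>
        <token><encryption_key>Qx7vT2mZr9Lk4Wd8Hs1Nc6Yb3Jf5Pg0U</encryption_key></token>
      </authorization>
    </user>
  </users></realm></realms></aaa>
</CONF>
"""


def _text(node, path):
    """Return the stripped text found at path under node, or None if absent or empty."""
    found = node.find(path) if node is not None else None
    text = found.text.strip() if found is not None and found.text else ""
    return text or None


def audit_token_auth(conf_xml):
    """Return (user, finding-code) pairs for users that rely on token authorization."""
    root = ET.fromstring(conf_xml)
    default = root.find("default")  # assumption: <default> is a direct child of the root
    findings = []
    for user in root.iter("user"):
        name = _text(user, "name") or "<unnamed>"
        modes = {}
        for direction in ("in", "out"):
            path = f"authorization/transfer/{direction}/value"
            # A user setting wins; otherwise use <default>; the documented default is allow.
            modes[direction] = _text(user, path) or _text(default, path) or "allow"
        key_path = "authorization/token/encryption_key"
        key = _text(user, key_path) or _text(default, key_path)
        if "token" not in modes.values():
            continue  # this user does not use token authorization at all
        if key is None:
            findings.append((name, "no-key"))
        elif key == DOC_SAMPLE_KEY:
            findings.append((name, "sample-key"))
        elif len(key) < MIN_KEY_LEN:
            findings.append((name, "short-key"))
        if modes["in"] != modes["out"]:
            findings.append((name, "one-direction-only"))
    return findings


if __name__ == "__main__":
    for user, code in audit_token_auth(SAMPLE_CONF):
        print(f"{user}: {MESSAGES[code]}")
```

The key value itself is never printed, so the report can be shared without exposing the secret.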
Access through SSH and HTTPS uses various types of authentication:

SSH services (ascp and async)
    SSH user and password or user and key
    Token - SSH authentication bypass using the Aspera web private key protected by requiring an authorization token (ATM).
    Access key - SSH authentication bypass using the Aspera web private key protected by requiring an access key and secret.

HTTPS (Node API)
    Basic authentication using a node user and password.
    Basic authentication using an access key and secret.

Note: When using access key authentication, the following constraints apply:

    Access keys cannot be used by users with docroots. If a docroot is configured (in aspera.conf), access key creation and use will fail.
    A restriction is required. No restriction results in failure.
    Although access keys can be created with no storage, using that access key with a transfer will result in failure.

Creating and Testing Access Keys

Set up a node user, associate it with a system user, and reload asperanoded by running the following commands. In the examples below, asp1 is the node user, aspera is the node user's password, and xfer is the system user. Running asnodeadmin requires root or admin permissions.

    # /opt/aspera/bin/asnodeadmin -a -u asp1 -p aspera -x xfer
    # /opt/aspera/bin/asnodeadmin --reload

To create access keys, run curl commands as in the following examples. Curl is included in many Unix-based operating systems. To check if it is installed, type curl in the command line. If it is not installed, download it from the Curl website:

To create an access key with local storage, run the following:

    # curl -ki -u asp1:aspera https://localhost:9092/access_keys -d @access_key-make-local.json

where:

-d @access_key-make-local.json
    Indicates the next argument is the data to send. The "@" identifies access_key-make-local.json as a file containing the data, in this case, a JSON payload file. For an example of the text to include in access_key-make-local.json and examples of access key files for other types of storage, see below.

-i
    Includes the HTTP header in the output.

-k
    Allows curl to perform "insecure" SSL connections and transfers.

-u 'asp1:aspera'
    Specifies the user name asp1 and password aspera to use for server authentication.

https://localhost:9092/access_keys
    Indicates where to store the access keys.
Similarly, to create an access key with cloud storage for Swift you specify a different JSON payload file:

    # curl -ki -u asp1:aspera https://localhost:9092/access_keys -d @access_key-make-swift.json

Examples of JSON payload files for various storage types:

access_key-make-local.json

    {
      "id" : "dideuflcpg9iydsvxj0scq4moohnjtkvp5q2nrwjdgia",
      "secret" : "aspera",
      "storage" : {
        "type" : "local",
        "path" : "/home/asp1/data"
      }
    }

access_key-make-aws.json

    {
      "id" : "AWSQ4VuvaYA9mMRf55NyNsiVGC-HHSBh0FTuqMH8aHsA",
      "secret" : "aspera",
      "storage" : {
        "type" : "aws_s3",
        "path" : "/",
        "endpoint" : "s3.amazonaws.com",
        "bucket" : "aspera-demo",
        "storage_class" : "STANDARD",
        "server_side_encryption" : null,
        "credentials" : {
          "access_key_id" : "AKI...KHQ",
          "secret_access_key" : "KScx...PHcm1"
        }
      }
    }

access_key-make-azure-sas.json

    {
      "secret" : "aspera",
      "storage" : {
        "type" : "azure_sas",
        "path" : "/",
        "credentials" : {
          "shared_access_signature" : " temp?sv= &sr=c&sig=yfew...79uxe %3D&st= T07%3A00%3A00Z&se= T07%3A00%3A00Z&sp=rwdl"
        }
      }
    }

access_key-make-azure.json

    {
      "secret" : "aspera",
      "storage" : {
        "type" : "azure",
        "container": "temp",
        "path" : "/",
        "credentials" : {
          "storage_endpoint" : "blob.core.windows.net",
          "account" : "asperadev",
          "key" : "1XWGPGsn7...QObRmSQ=="
        }
      }
    }

access_key-make-swift.json

    {
      "id" : "Yc6Q4VuvaYA9mMRf55NyNsiVGC-HHSBh0FTuqMH8aHsA",
      "secret" : "aspera",
      "storage" : {
        "type" : "softlayer_swift",
        "path" : "/",
        "container" : "wallball",
        "credentials" : {
          "authentication_endpoint" : " sjc01.objectstorage.service.networklayer.com/auth/v1.0",
          "username" : "IBMOS :IBM303446",
          "api_key" : "e0a d6706"
        }
      }
    }

To view a list of the access keys, run the following command:

    # curl -ki -u asp1:aspera https://localhost:9092/access_keys

The command returns output similar to the following. In the example below, the first access key listed is one created for local storage and the second is for Swift storage, with the text copied from the access key file:

    HTTP/ OK
    Cache: no-cache
    Connection: close
    Content-Type: application/json; charset=utf-8

    [
      {
        "id" : "dideuflcpg9iydsvxj0scq4moohnjtkvp5q2nrwjdgia",
        "uri" : "file:////home/asp1/data",
        "file_id" : "1",
        "token_verification_key" : null,
        "license" : null,
        "storage" : {
          "type" : "local",
          "path" : "/home/asp1/data"
        }
      },
      {
        "id" : "Yc6Q4VuvaYA9mMRf55NyNsiVGC-HHSBh0FTuqMH8aHsA",
        "uri" : "swift://sjc01.objectstorage.softlayer.net/wallball",
        "file_id" : "1",
        "token_verification_key" : null,
        "license" : null,
        "storage" : {
          "type" : "softlayer_swift",
          "path" : "/",
          "container" : "wallball",
          "credentials" : {
            "authentication_endpoint" : " auth/v1.0",
            "username" : "IBMOS %3AIBM303446",
            "api_key" : "e0a8987b571cca4e475c8dd816c2d2db71b6d6e060f2a75ce23b1832c12d6706"
          }
        }
      }
    ]

To test whether you can browse the storage for each key, run the following commands. To specify the user (-u) enter the access key ID.

Testing the local storage:

    # curl -ki -u dideuflcpg9iydsvxj0scq4moohnjtkvp5q2nrwjdgia:aspera https://localhost:9092/files/1/files

Testing the Swift storage:

    # curl -ki -u Yc6Q4VuvaYA9mMRf55NyNsiVGC-HHSBh0FTuqMH8aHsA:aspera https://localhost:9092/files/1/files

Client-Server Authentication Using Basic Authentication with Access Key

Basic authentication is used by Aspera Faspex and Aspera Shares.

1. On the server, create a system user xfer and configure the user for token authorization, as described in Setting Up Token Authorization.

2. Create an access key for the storage type, as described in Creating and Testing Access Keys above.

3. Obtain the id of the access key corresponding to the storage type by running the following command:

    # curl -ki -u asp1:aspera https://localhost:9092/access_keys

4. Create a basic auth token by encoding the access_key_id:secret in base64.

    $ echo -n dideuflcpg9iydsvxj0scq4moohnjtkvp5q2nrwjdgia:aspera | base64

The basic auth token looks similar to the following:

    ZGlEZXVGTGNwRzlJWWRzdnhqMFNDcTRtT29oTkpUS3ZwNVEyblJXakRnSUE6YXNwZXJh

5. Set the basic auth token as an environment variable by running the following command:

    # export ASPERA_SCP_TOKEN="Basic ZGlEZXVGTGNwRzlJWWRzdnhqMFNDcTRtT29oTkpUS3ZwNVEyblJXakRnSUE6YXNwZXJh"

To upload a file using access keys and basic auth, use the following syntax:

    # ascp [--tags='{"aspera":{"node":{"access_key":"access_key_id","file_id":"value"}}}'] --mode=send --host= --user=username -i path/to/private_key_file -d filename directory

Where the path to the private key file is the following:

    /opt/aspera/var/aspera_tokenauth_id_rsa

The directory can be / to indicate the top of the access key storage, or /directory to indicate a subdirectory. For example:

    # ascp --tags='{"aspera":{"node":{"access_key":"dideuflcpg9iydsvxj0scq4moohnjtkvp5q2nrwjdgia","file_id":"1"}}}' --mode=send --host= --user=xfer -i /opt/aspera/var/aspera_tokenauth_id_rsa -d testfile03 /tmp

The tags are optional. The tag "file_id":"1" can be used to indicate the top of the access key storage.

Client-Server Authentication Using Bearer Token and File IDs

Bearer token authentication is a requirement for Aspera Files.

Server setup:

1. Create a private/public key pair.

    $ openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:4096
    $ openssl rsa -pubout -in private_key.pem -out public_key.pem

These commands create the private key file private_key.pem and the public key file public_key.pem.

2. Use the node user to create an access key, as described in Creating and Testing Access Keys above. This access key cannot be used by any other Aspera authentication system.

3. Obtain the id of the access key corresponding to the storage type by running the following command:

    $ curl -ki -u asp1:aspera https://localhost:9092/access_keys

4. Set the public key as the 'token verification key' of the access key. "JSON encode" the public key text (convert it into a single line with new lines indicated by \r\n) and use it in the following command:

    $ curl -X PUT -ki -u dideuflcpg9iydsvxj0scq4moohnjtkvp5q2nrwjdgia -d '{"token_verification_key":"-----BEGIN PUBLIC KEY-----\r\nmigfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqdmlkm2xispwjj4nxbhua0m2zam\r\niog3jm3vemw6rhe6lutxm1kxrawih5pyd8ougoautzmw7mnl3cbebdzmc+cuqeks\r\nkfjrywczngqcrxc9v+xkk0yn8bzvmdmrsinmnq5tpfg3sz4kjcf9qmj\/tsr3rfns\r\nryar\/idootbgjggqkwidaqab\r\n-----END PUBLIC KEY-----"}'

5. Create a JSON file containing the bearer token payload and save it as bearer_token.json.

    {
      "user_id": "luke@aspera.us",
      "scope": "node.dideuflcpg9iydsvxj0scq4moohnjtkvp5q2nrwjdgia:all",
      "expires_at": "",
      "group_ids": []
    }

Ensure that the file does not end with a new line. If it does, truncate it to size - 1. For example, if the file is 154 lines with the new line, the command to remove the new line is as follows:

    $ truncate bearer_token.json --size 153

6. Create a signature for the token.

    $ sudo openssl dgst -sha512 -sign private_key.pem bearer_token.json | base64 > signature

7. Create the signed token.

    $ cat bearer_token.json > bearer_token.json.signed
    $ echo "==SIGNATURE==" >> bearer_token.json.signed
    $ cat signature >> bearer_token.json.signed

8. Inspect the token:

    $ cat token-bearer-luke@aspera.us.json
    {
      "user_id": "luke@aspera.us",
      "scope": "node.dideuflcpg9iydsvxj0scq4moohnjtkvp5q2nrwjdgia:all",
      "expires_at": "",
      "group_ids": []
    }
    ==SIGNATURE==
    (base64-encoded signature)

9. Construct the final bearer token:

    $ cat bearer_token.json.signed | openssl zlib | base64 -w0 > bearer_token.json.sig.z.b

10. Create permissions for user ID (access ID) luke@aspera.us to the top level of the storage.

    $ curl -d '{"file_id":"1", "access_type":"user","access_id":"luke@aspera.us","access_level":"edit"}' \
      -ki -u dideuflcpg9iydsvxj0scq4moohnjtkvp5q2nrwjdgia:aspera https://localhost:9092/permissions

    HTTP/ OK
    Cache: no-cache
    Connection: close
    Content-Type: application/json; charset=utf-8

    {
      "id" : "1",
      "file_id" : "1"
    }

To test the access key, run the following command to browse the top directory of the access key:

    # curl -i -u dideuflcpg9iydsvxj0scq4moohnjtkvp5q2nrwjdgia:aspera https://localhost:9092/files/1

To test the bearer token, run the following to browse the top directory of the access key, where bearer_token stands for the string constructed in step 9:

    # curl -ki -H "Authorization: Bearer bearer_token" -H "X-Aspera-AccessKey: dideuflcpg9iydsvxj0scq4moohnjtkvp5q2nrwjdgia" https://localhost:9092/files/1

Both of these tests should return a list of files and directories in the top directory.

To do a simple upload using the bearer token, set the bearer token as an environment variable and run an ascp transfer specifying the access key:

    # export ASPERA_SCP_TOKEN="Bearer bearer_token"
    # ascp --tags='{"aspera":{"node":{"access_key":"dideuflcpg9iydsvxj0scq4moohnjtkvp5q2nrwjdgia","file_id":"1"}}}' --mode=send --host=hostname --user=xfer -i /opt/aspera/var/aspera_tokenauth_id_rsa -d testfile01 /

Asconfigurator Reference

The asconfigurator Utility

The asconfigurator utility is a command-line tool for interacting with aspera.conf, the file that holds most configuration settings for your Aspera transfer server. asconfigurator comes bundled with your installation of Enterprise Server, Connect Server, and Point-to-Point Client.

Why Use asconfigurator?

Because aspera.conf is an XML file, users can configure their transfer server by editing the file directly. However, editing the file manually can be cumbersome and error-prone because correct syntax and structure are strictly enforced. The asconfigurator utility enables you to edit aspera.conf through commands: it parses, validates and writes well-formed XML while also confirming that the values entered for parameters are valid. With asconfigurator, you can edit aspera.conf quickly and safely, with one or two commands.

After Editing aspera.conf

Whether you use asconfigurator or manually edit aspera.conf, the file must be re-read and certain services restarted in order for the changes to take effect. For detailed information, see the Administrator's Guide: Restarting Aspera Services for your Aspera transfer server.
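Added example, not from the Aspera documentation, for the bearer token built in steps 5 to 9 of "Client-Server Authentication Using Bearer Token and File IDs" above: it unpacks a token (base64, then zlib, then the ==SIGNATURE== split) and reports problems worth catching before the token is handed to a client. It does not verify the RSA signature; the ISO 8601 form of expires_at and the filler signature bytes are assumptions, and the sample tokens are constructed.

```python
import base64
import json
import zlib
from datetime import datetime, timezone

MARKER = b"==SIGNATURE=="  # separator written by the echo command in step 7
ACCESS_KEY_ID = "dideuflcpg9iydsvxj0scq4moohnjtkvp5q2nrwjdgia"  # id as printed in this guide
FAKE_SIGNATURE = bytes(range(256)) * 2  # constructed filler, not a real RSA signature


def sample_payload(expires_at, key_id=ACCESS_KEY_ID):
    """Build a constructed payload with the four fields shown in step 5."""
    claims = {"user_id": "luke@aspera.us", "scope": f"node.{key_id}:all",
              "expires_at": expires_at, "group_ids": []}
    return json.dumps(claims).encode("utf-8")


def pack_token(payload, signature):
    """Mirror steps 7 and 9: payload, marker line, base64 signature, then zlib and base64."""
    signed = payload + MARKER + b"\n" + base64.encodebytes(signature)
    return base64.b64encode(zlib.compress(signed)).decode("ascii")


def inspect_token(token, access_key_id, now):
    """Return a list of problems found in a packed bearer token (empty list means none)."""
    try:
        signed = zlib.decompress(base64.b64decode(token, validate=True))
    except (ValueError, zlib.error) as exc:
        return [f"not base64-encoded zlib data: {exc}"]
    if signed.count(MARKER) != 1:
        return ["expected exactly one ==SIGNATURE== marker"]
    payload, sig_b64 = signed.split(MARKER)

    findings = []
    # Step 5 requires that the payload file does not end with a new line.
    if payload.endswith((b"\n", b"\r")):
        findings.append("payload ends with a newline")
    try:
        signature = base64.b64decode(sig_b64)  # tolerant of the wrapped lines base64 emits
    except ValueError:
        signature = b""
    if not signature:
        findings.append("signature missing or not base64")

    try:
        claims = json.loads(payload)
    except ValueError as exc:
        return findings + [f"payload is not valid JSON: {exc}"]
    if not isinstance(claims, dict):
        return findings + ["payload is not a JSON object"]

    if not claims.get("user_id"):
        findings.append("user_id is empty")
    # The guide's scope has the form node.<access key id>:all.
    if not str(claims.get("scope", "")).startswith(f"node.{access_key_id}:"):
        findings.append("scope is not bound to this access key")

    # Assumption: expires_at is an ISO 8601 timestamp such as 2030-01-01T00:00:00Z.
    expires = str(claims.get("expires_at") or "")
    try:
        when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
    except ValueError:
        findings.append("expires_at is empty or not an ISO 8601 timestamp")
    else:
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        if when <= now:
            findings.append("token has expired")
    return findings


if __name__ == "__main__":
    token = pack_token(sample_payload(""), FAKE_SIGNATURE)
    for problem in inspect_token(token, ACCESS_KEY_ID, datetime.now(timezone.utc)):
        print(problem)
```

Pass a timezone-aware datetime as now; a token that yields an empty list has still not had its signature checked against the token verification key.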
Syntax and Usage

General Syntax

    # asconfigurator -x "command[;parameter,value;parameter,value]"

The command is either a set command for setting a configuration or a delete command for removing a configuration. For any command you may enter one or more sets of parameters and values separated by semicolons.

Note: The user executing asconfigurator commands must meet the following requirements:

    Have write access to aspera.conf.
    Not be configured to use a shell that restricts command usage (aspshell does not allow the use of asconfigurator).

Commands for Setting Parameter Values

Command
    Description

set_user_data
    Sets data in the user section. For parameters and values, see User, Group and Default Configurations.

set_group_data
    Sets data in the group section. For parameters and values, see User, Group and Default Configurations.

set_trunk_data
    Sets data in the trunk section, which contains Vlink settings. For parameters and values, see Trunk (Vlink) Configurations.

set_central_server_data
    Sets data in the central server section, which contains Aspera Central and SOAP settings. For parameters and values, see Central Server Configurations.

set_database_data
    Sets data in the database section, which contains settings for use with Aspera Console (earlier than 3.0). For parameters and values, see Database Configurations.

set_server_data
    Sets data in the server section, which contains transfer server feature settings for use with the Node API. For parameters and values, see Server Configurations.

set_http_server_data
    Sets data in the HTTP fallback server section. For parameters and values, see HTTP Server Configurations.

set_client_data
    Sets data from the client section, which holds client transfer settings. For parameters and values, see Client Configurations.

set_node_data
    Sets data in the default section, which holds the "global" node settings. For parameters and values, see User, Group and Default Configurations.

Note: To reset a parameter to its default value, you can use a set command for the parameter with a value of AS_NULL.

Commands for Deleting Configurations

Delete commands can be used for removing a user, group or Vlink configuration.

Command
    Description

delete_user
    Deletes a user's configurations.

delete_group
    Deletes a group's configurations.

delete_trunk
    Deletes a Vlink's configurations.

Modifying Files other than aspera.conf

The general syntax above modifies the default aspera.conf. You can also run asconfigurator to modify an XML file of your choice instead of aspera.conf. The command below takes a path to a file to modify. If the file does not exist, it is created.

    # asconfigurator -x "command[;parameter,value;parameter,value]" /path/to/file

The command below takes paths to two files. The first file is used as a base, and the modifications are written to the second file.

    # asconfigurator -x "command[;parameter,value;parameter,value]" /path/to/file /path/to/file1

Using Fitness Rules

Fitness rules allow you to apply configuration settings conditionally when specified rules are met. Fitness rules are added to aspera.conf configurations as attributes within XML tags, such as the following:

    <value fitness="peer_ip"( )>allow</value>

In the example above, the parameter is set to allow if the peer IP address is

Fitness Rule Syntax:

    # asconfigurator -x "command;parameter,value,fitness,fitness_rule(fitness_template)"

Fitness Rule
    Example
    Description

cookie()
    cookie(wildcard_template)
    The parameter value is applied if the cookie passed from the application matches the specified template.

peer_ip()
    peer_ip(ip_address/netmask)
    The parameter value is applied if the IP address of the peer (the client) matches the specified IP address and optionally, its netmask.

peer_domain()
    peer_domain(wildcard_template)
    The parameter value is applied if the domain of the peer (the client) matches the specified template.

For example, to set a peer_ip fitness rule on the authorization_transfer_in_value configuration so that incoming transfers from are denied, run the following command:

    # asconfigurator -x "set_node_data;authorization_transfer_in_value,deny,fitness,peer_ip( )"

Examples

Below are some example commands and usage tips.

Note: You can also see sample commands for nearly all configurations by running the following asuserdata command:

    # /opt/aspera/bin/asuserdata -+

Setting the docroot of your transfer user

    # asconfigurator -x "set_user_data;user_name,transferuser;absolute,/path/to/docroot"

Enabling HTTP Fallback using HTTPS on port 8444

    # asconfigurator -x "set_http_server_data;enable_https,true"
    # asconfigurator -x "set_http_server_data;https_port,8444"

Note: You can also chain two or more parameters to set within the same command. The two commands above can be combined as follows (separated by semi-colons):

    # asconfigurator -x "set_http_server_data;enable_https,true;https_port,8444"

Setting the global inbound target transfer rate to 80Mb/s

    # asconfigurator -x "set_node_data;transfer_in_bandwidth_flow_target_rate_default,80000"

Getting all the configurations set on the group aspera_group

    # /opt/aspera/bin/asuserdata -g aspera_group

Creating and enabling a Vlink with an ID of 101 and a capacity of 100Mb/s

    # asconfigurator -x "set_trunk_data;id,101;trunk_on,true;trunk_capacity,100000"

Allowing only encrypted transfers

    # asconfigurator -x "set_node_data;transfer_encryption_allowed_cipher,aes-128"

Setting the hostname of the Aspera server to example.com

    # asconfigurator -x "set_server_data;server_name,example.com"

Setting the global token life back to the default value of 24 hours (86400 seconds)

Note: You can reset any setting to its default value by setting it to AS_NULL

    # asconfigurator -x "set_node_data;token_life_seconds,AS_NULL"

Reading Output

The output of asconfigurator commands is structured and displays feedback about the success or failure of each command.

Set commands

When successful, set commands print success to standard out:

    # asconfigurator -x "set_server_data;enable_http,true"
    success

When unsuccessful, set commands print failure to standard out, and an explanation of why they failed:

    # asconfigurator -x "set_server_data;enable_htt,true"
    failure
    Syntax Error: Syntax error. Valid values are "assert_current","server" or"option_mask", got "enable_htt"

Reading aspera.conf configuration settings with asuserdata

You can view the current configuration settings by section and all the possible parameters with their default values and corresponding asconfigurator syntax by running asuserdata.

    # /opt/aspera/bin/asuserdata [options] [commands]

The asuserdata command must be run either from within the Aspera bin directory, or with the full path in front of it. Multiple command flags can be specified per call. The option flags modify the output of command flags that follow them (but not command flags that precede them).

Command Flags

Command Flag
    Description

-u user
    Outputs configurations set in the user section for the specified user.

-g group
    Outputs configurations set in the group section for the specified group.

-d
    Outputs configurations set in the database section.

-c
    Outputs configurations set in the central server section.

-t
    Outputs configurations set in the HTTP server section.

-a
    Outputs configurations set in all sections except the user and group section.

-s
    Outputs the default specification for aspera.conf configurations. Similar to -+ but does not show asconfigurator commands.

-+
    Outputs the default specification for aspera.conf configurations and corresponding asconfigurator commands for each parameter.

Option Flags

Option Flag
    Description

-x
    Formats output as XML.

-b
    Formats output in human readable language.

Note: To see all asuserdata command options, run asuserdata -h.

User, Group and Default Configurations

General Syntax

This collection of commands configures settings for transfer authorization, bandwidth, and encryption. These settings can apply to particular users, users in particular groups, or globally to all users. The syntax of set commands for users, groups and global settings is:

    # asconfigurator -x "set_user_data;user_name,username;parameter,value"
    # asconfigurator -x "set_group_data;group_name,groupname;parameter,value"
    # asconfigurator -x "set_node_data;parameter,value"

Setting or getting user/group data requires you to specify the username or group name as the first parameter of the asconfigurator command.

Note: Not all available parameters are listed below, only the most commonly used. To view a complete list, run the following command:

    # /opt/aspera/bin/asuserdata -+

Transfer Authorizations

absolute
    The docroot path of a user.
    Values: (String)

authorization_transfer_in_value
    Incoming transfer authorization. The token value only allows transfers initiated with valid tokens.
    Values: allow (default), deny, token

authorization_transfer_out_value
    Outgoing transfer authorization. The token value only allows transfers initiated with valid tokens.
    Values: allow (default), deny, token

authorization_transfer_in_external_provider_url
    The URL of the external authorization provider for incoming transfers.
    Values: (String)

authorization_transfer_out_external_provider_url
    The URL of the external authorization provider for outgoing transfers.
    Values: (String)

authorization_transfer_in_external_provider_soap_action
    The SOAP action required by the external authorization provider for incoming transfers.
    Values: (String)

authorization_transfer_out_external_provider_soap_action
    The SOAP action required by the external authorization provider for outgoing transfers.
    Values: (String)

token_encryption_type
    The cipher used to generate encrypted authorization tokens.
    Values: aes-128 (default), aes-192, aes-256

token_encryption_key
    The secret passphrase used to generate encrypted authorization tokens. Use instead of token_encryption_keyfile.
    Values: (String)

token_life_seconds
    The length of time a token is valid in seconds. The default value is 86400 seconds (24 hours).
    Values: (Number)

Transfer Bandwidth Policies

transfer_in_bandwidth_aggregate_trunk_id
    The ID of the Vlink to apply to incoming transfers. A value of 0 disables the Vlink.
    Values: (Number 0-255)

transfer_out_bandwidth_aggregate_trunk_id
    The ID of the Vlink to apply to outgoing transfers. A value of 0 disables the Vlink.
    Values: (Number 0-255)

transfer_in_bandwidth_flow_target_rate_cap
    The maximum value to which the target rate for incoming transfers can be set.
    Values: (Number)

transfer_out_bandwidth_flow_target_rate_cap
    The maximum value to which the target rate for outgoing transfers can be set (in Kbps).
    Values: (Number)

transfer_in_bandwidth_flow_target_rate_default
    The default value to which the target rate for incoming transfers is set (in Kbps).
    Values: (Number)

transfer_out_bandwidth_flow_target_rate_default
    The default value to which the target rate for outgoing transfers is set (in Kbps).
    Values: (Number)

transfer_in_bandwidth_flow_target_rate_lock
    A value of false allows users to adjust the transfer rate for incoming transfers. A value of true prevents users from adjusting the transfer rate for incoming transfers.
    Values: false (default), true

transfer_out_bandwidth_flow_target_rate_lock
    A value of false allows users to adjust the transfer rate for outgoing transfers. A value of true prevents users from adjusting the transfer rate for outgoing transfers.
    Values: false (default), true

transfer_in_bandwidth_flow_min_rate_cap
    The maximum value to which the minimum rate for incoming transfers can be set (in Kbps). Transfers cannot go slower than the minimum rate.
    Values: (Number)

transfer_out_bandwidth_flow_min_rate_cap
    The maximum value to which the minimum rate for outgoing transfers can be set (in Kbps). Transfers cannot go slower than the minimum rate.
    Values: (Number)

transfer_in_bandwidth_flow_min_rate_default
    The default value to which the minimum rate for incoming transfers is set (in Kbps). Transfers cannot go slower than the minimum rate.
    Values: (Number)

transfer_out_bandwidth_flow_min_rate_default
    The default value to which the minimum rate for outgoing transfers is set (in Kbps). Transfers cannot go slower than the minimum rate.
    Values: (Number)

transfer_in_bandwidth_flow_min_rate_lock
    A value of false allows users to adjust the minimum rate for incoming transfers. A value of true prevents users from adjusting the minimum rate for incoming transfers.
    Values: false (default), true

transfer_out_bandwidth_flow_min_rate_lock
    A value of false allows users to adjust the minimum rate for outgoing transfers. A value of true prevents users from adjusting the minimum rate for outgoing transfers.
    Values: false (default), true

transfer_in_bandwidth_flow_policy_default
    The default bandwidth policy for incoming transfers. The bandwidth policy determines how transfers adjust their rates according to network conditions.
    Values: fair (default), fixed, high, low

transfer_out_bandwidth_flow_policy_default
    The default bandwidth policy for outgoing transfers. The bandwidth policy determines how transfers adjust their rates according to network conditions.
    Values: fair (default), fixed, high, low

transfer_in_bandwidth_flow_policy_lock
A value of false allows users to adjust the bandwidth policy for incoming transfers. A value of true prevents users from adjusting the bandwidth policy for incoming transfers.
Values: false (default), true

transfer_out_bandwidth_flow_policy_lock
A value of false allows users to adjust the bandwidth policy for outgoing transfers. A value of true prevents users from adjusting the bandwidth policy for outgoing transfers.
Values: false (default), true

transfer_in_bandwidth_flow_policy_allowed
The allowed bandwidth policies for incoming transfers. The chosen value and any policy less aggressive will be allowed. In order from most to least aggressive the policies are fixed, high, fair and low.
Values: any (default), high, fair, low

transfer_out_bandwidth_flow_policy_allowed
The allowed bandwidth policies for outgoing transfers. The chosen value and any policy less aggressive will be allowed. In order from most to least aggressive the policies are fixed, high, fair and low.
Values: any (default), high, fair, low

Transfer Encryption

transfer_encryption_allowed_cipher
The type of transfer encryption accepted. When set to 'any' both encrypted and unencrypted transfers are allowed.
Values: any (default), aes-128, aes-192, aes-256, none

transfer_encryption_fips_mode
Whether transfers should be encrypted with a FIPS certified encryption module.
Values: false (default), true

content_protection_required
Whether transferred content should be left encrypted at the destination.
Values: false (default), true

content_protection_strong_pass_required
Whether a strong passphrase is required for content protection (6 characters long, at least one letter, number and special symbol).
Values: false (default), true

Transfer File System Options

resume_suffix
The extension of files used to store metadata and enable resumption of partially completed transfers. Include a '.' in the suffix, such as: .aspera
Values: (String), default .aspx

preserve_attributes
The file creation policy. When set to none the timestamps of source files are not preserved. When set to times the timestamps of source files are preserved at the destination.
Values: use client setting (default), none, times

overwrite

Whether Aspera clients are allowed to overwrite existing files on the server.
Values: allow (default), deny

file_manifest
A file manifest is a file containing a list of everything transferred in a given transfer session. When set to text file manifests are generated.
Values: none (default), text, disable

file_manifest_path
The location (path) where file manifests are created.
Values: (Absolute path)

pre_calculate_job_size
The policy of calculating total job size before a transfer. If set to any, the client configuration is followed. If set to no, job size calculation is disabled before transferring.
Values: any (default), no, yes

replace_illegal_chars
Convert restricted Windows characters in file and directory names to a non-reserved character of your choice.
Values: (Non-reserved character)

file_filters
Include or exclude files or directories with the specified pattern in the transfer. Add multiple entries for more inclusion/exclusion patterns. To specify an inclusion, add '+ ' (+ and whitespace) at the beginning of the pattern. To specify an exclusion, add '- ' (- and whitespace) at the beginning of the pattern. Two symbols can be used in the setting of patterns:
* (Asterisk) Represents zero to many characters in a string, for example, *.tmp matches .tmp and abcde.tmp.
? (Question Mark) Represents one character, for example, t?p matches tmp but not temp.
Values: (String)

partial_file_suffix
Extension to be added to the names of files that are currently only partially transferred. Include a '.' in the suffix, such as: .aspera
Values: (String)

file_checksum
Type of checksum to compute while reading a file. Checksums are used to verify that file contents on the destination match what was read on the destination.
Values: any (default), md5, sha1, sha256, sha384, or sha512

async_enabled
Whether async is enabled on the server.
Values: true (default), false

async_connection_timeout
The time period async waits to establish a connection, in seconds.
Values: (Number)

async_session_timeout
The time period async waits for an unresponsive session, in seconds.

Values: (Number)

Document Root Options

absolute
The absolute path of the document root (docroot), which is the area of the file system that is accessible by Aspera users.
Values: (Absolute path)

read_allowed
Whether users are allowed to transfer files from the docroot (in other words, download from the docroot).
Values: true (default), false

write_allowed
Whether users are allowed to transfer files to the docroot (in other words, upload to the docroot).
Values: true (default), false

dir_allowed
Whether users are allowed to browse files in the docroot.
Values: true (default), false

file_restriction
Restrict the files that are allowed for transfers. Restrictions are set as wildcard templates. The first character is a separator (preferably a " ") which can be used to set multiple restrictions. Restrictions are processed in order and according to the following rules:
If a restriction starts with a "!", any files that match the rest of the wildcard template are rejected.
If a restriction does not start with a "!", then any file that matches is allowed.
Any other files are rejected.
For example: /home/aspera/* home/janedoe/*
Values: (Character separator)(wildcard template)[(character separator)(wildcard template)]

Trunk (Vlink) Configurations

General Syntax

This collection of commands configures settings related to Vlinks, which are aggregate bandwidth caps applied to transfer sessions. The syntax for setting trunk configurations is the following:

# asconfigurator -x "set_trunk_data;id,trunk_id;parameter,value"

Setting or getting trunk data requires you to specify the ID number of the Vlink as the first parameter of the asconfigurator command.

Note: Not all available parameters are listed below, only the most commonly used. To view a complete list, run the following command:

# /opt/aspera/bin/asuserdata -+

Vlink Configurations

trunk_id
The ID of the Vlink.

Values: (Number 1-255)

trunk_on
Whether the Vlink is enabled (true) or disabled (false).
Values: true, false

trunk_capacity
The bandwidth capacity of the Vlink (in Kbps).
Values: (Number)

Central Server Configurations

General Syntax

This collection of commands configures settings related to Aspera Central, which is a service that manages transfer server SOAP features and historical transfer data. The syntax for setting central server parameters is the following:

# asconfigurator -x "set_central_server_data;parameter,value"

Note: Not all available parameters are listed below, only the most commonly used. To view a complete list, run the following command:

# /opt/aspera/bin/asuserdata -+

Central Server Configurations

address
The network interface address on which the Aspera Central listens. The default enables the transfer server to accept transfer requests from the local computer. Setting the value to allows the transfer server to accept transfer requests on all network interfaces.
Values: (Network interface address, default )

port
The port on which the Aspera Central service listens.
Values: (Number , default 40001)

persistent_store
Whether to store transfer history locally. This should be enabled if the transfer server will be used with Faspex or Shares.
Values: enable (default), disable

persistent_store_max_age
The time in seconds to retain local transfer history data.
Values: (Number, default 86400)

persistent_store_on_error
Whether the Central server should terminate (exit) when an error occurs while writing to the local transfer history database, or ignore the error.
Values: ignore (default), exit

compact_on_startup
Whether to compact the local transfer history database on startup (note that this may take a while).
Values: ignore (default), exit

files_per_session
The number of file names to be recorded for any transfer session. For example, if the value is set to 50 the first 50 filenames will be recorded for any session. A setting of 0 logs all filenames. The session will still record the number of files transferred, and the number of files completed, failed or skipped.
Values: (Number, default )

ignore_empty_files
Whether to block the logging of zero byte files (true) or not (false).
Values: true (default), false

ignore_skipped_files
Whether to block the logging of skipped files (true) or not (false).
Values: true (default), false

ignore_no_transfer_files
Whether to block the logging of files that were not transferred because they already exist at the destination (true) or not (false).
Values: true (default), false

HTTP Server Configurations

General Syntax

This collection of commands configures settings related to the Aspera HTTP server, which enables the HTTP Fallback feature. The syntax for setting HTTP server parameters is the following:

# asconfigurator -x "set_http_server_data;parameter,value"

Note: Not all available parameters are listed below, only the most commonly used. To view a complete list, run the following command:

# /opt/aspera/bin/asuserdata -+

HTTP Server Configurations

cert_file
The absolute path to an SSL certificate file to use for HTTP Fallback. If left blank the default certificate that came with your transfer server installation will be used.
Values: (Absolute path)

key_file
The absolute path to an SSL key file to use for HTTP Fallback. If left blank the default key file that came with your transfer server installation will be used.
Values: (Absolute path)

bind_address
The network interface on which the HTTP Fallback server listens. The default value allows the HTTP Fallback server to accept transfer requests on all network interfaces.
Values: (Network interface address, default )

restartable_transfers
Whether interrupted transfers should resume at the point of interruption (true) or not (false).

Values: true (default), false

session_activity_timeout
The amount of time in seconds that the HTTP Fallback server will wait before canceling a transfer session that can't communicate with the client. A value of 0 means the HTTP Fallback server will never timeout due to lack of communication from the client.
Values: (Number, default 20)

http_port
The port on which the HTTP server listens.
Values: (Number , default 8080)

https_port
The port on which the HTTPS server listens.
Values: (Number , default 8443)

enable_http
Whether HTTP Fallback is enabled for failed UDP transfers to continue over HTTP (true) or not (false).
Values: true (default), false

enable_https
Whether HTTP Fallback is enabled for failed UDP transfers to continue over HTTPS (true) or not (false).
Values: true (default), false

Database Configurations

General Syntax

This collection of commands configures settings related to the MySQL database that stores transfer data (for use with Aspera Console before version 3.0). The syntax for setting database parameters is the following:

# asconfigurator -x "set_database_data;parameter,value"

Database Configurations

server
The IP address of the database server (or the IP address of the Aspera Console server).
Values: (IP address, default )

port
The port that the database server listens on. The default value for an Aspera Console installation is
Values: (Number , default 4406)

user
The user login for the database server.
Values: (String)

password
The password for the database server.
Values: (String)

database_name
The name of the database used to store Aspera transfer data.
Values: (String)

threads
The number of parallel connections used for database logging.
Values: (Number, default 1)

exit_on_database_error
Whether all transfers are stopped on a database error (true) or not (false).
Values: false (default), true

session_progress
Whether transfer status should be logged at a given interval (true) or not (false). Transfer status includes number of files transferred, bytes transferred, among other stats.
Values: true (default), false

session_progress_interval
The frequency at which an Aspera node logs transfer session data, in seconds.
Values: (Number , default 1)

file_events
Whether complete file paths and file names should be logged (true) or not (false). Performance may be impacted when setting this to true for transfers of thousands of files.
Values: true (default), false

file_progress
Whether file status, such as bytes transferred, should be logged (true) or not (false).
Values: true (default), false

file_progress_interval
The frequency with which an Aspera node logs file transfer data, in seconds.
Values: (Number , default 1)

files_per_session
The number of file names to be recorded for any transfer session. For example, if the value is set to 50 the first 50 filenames will be recorded for any session. A setting of 0 logs all filenames. The session will still record the number of files transferred, and the number of files completed, failed or skipped.
Values: (Number, default 0)

file_progress_interval
The frequency at which an Aspera node logs file transfer data, in seconds.
Values: (Number , default 1)

ignore_empty_files
Whether to block the logging of zero byte files (true) or not (false).
Values: false (default), true

ignore_skipped_files
Whether to block the logging of skipped files (true) or not (false).
Values: false (default), true

ignore_no_transfer_files

Whether to block the logging of files that were not transferred because they already exist at the destination (true) or not (false).
Values: false (default), true

Server Configurations

General Syntax

This collection of commands configures settings related to transfer server features such as the Aspera Node API service (asperanoded), Aspera Watch Service, Aspera Watchfolders, and Aspera Proxy. The syntax for setting server parameters is the following:

# asconfigurator -x "set_server_data;parameter,value"

Note: Not all available parameters are listed below, only the most commonly used. To view a complete list, run the following command:

# /opt/aspera/bin/asuserdata -+

Transfer Server

server_name
The hostname or IP address of this Aspera transfer server.
Values: (String)

transfers_multi_session_default
The default value for the number of sessions in a multi-session transfer.
Values: (Number, default 1)

transfers_retry_duration
The time duration during which transfer retries are attempted.
Values: (Time value, default 20m)

transfers_retry_all_failures
Whether a transfer should be retried after all failures (true) or not (false). If set to false, transfers won't be retried for failures deemed unretryable, such as for permission failures.
Values: false (default), true

http_port
The HTTP port on which the asperanoded service listens.
Values: (Number , default 9091)

https_port
The HTTPS port on which the asperanoded service listens.
Values: (Number , default 9092)

enable_http
Whether HTTP is enabled for asperanoded on the port configured for http_port (true) or not (false).
Values: false (default), true

enable_https
Whether HTTPS is enabled for asperanoded on the port configured for https_port (true) or not (false).

Values: true (default), false

cert_file
The full path of the SSL certificate file for asperanoded.
Values: (Absolute file path)

ssh_host_key_fingerprint
The SSH key fingerprint used by Aspera clients to determine the server's authenticity. The client confirms a server's authenticity by comparing the server's fingerprint with the trusted fingerprint.
Values: (String)

ssh_host_key_path
The path to the transfer server's public or private key file, from which the fingerprint is extracted automatically.
Values: (Absolute file path)

ssh_port
The port to use for SSH authentication of transfer users.
Values: (Number, default 33001)

max_response_entries
The maximum number of items the Node API will return on calls.
Values: (Number, default 1000)

max_response_time_sec
The time limit in seconds before an unresponsive Node API response times out.
Values: (Number, default 10)

db_dir
The path to the directory where the redis database file for the Node API is saved.
Values: (Absolute path)

db_port
The port on which the redis database for the Node API listens.
Values: (Number, default 31415)

activity_logging
Whether transfer logs should be queryable via the Node API (true) or not (false).
Values: false (default), true

watchd_enabled
Whether the Watchfolder (asperawatchd) service is enabled (true) or not (false).
Values: false (default), true

ssl_ciphers
The list of SSL encryption ciphers that the server will allow. Each cipher is separated by a colon (:). See the server documentation for the default list of ciphers.
Values: (Colon-delimited list)

ssl_protocol
The minimum allowed SSL protocol. Higher security protocols are always allowed.
Values: tlsv1 (default), tlsv1.1, tlsv1.2

Aspera Proxy

proxy_enabled

Whether forward proxy is on (true) or off (false).
Values: false (default), true

proxy_authentication
Whether to enable the authentication requirement for the forward proxy server (true) or not (false).
Values: false (default), true

proxy_bind_ip_address
The IP address that the forward proxy server binds to (also the IP address that the client connects to) allows the proxy server to bind to all available interfaces.
Values: (IP address, default )

proxy_bind_ip_netmask
The netmask that the forward proxy server binds to (also the netmask that the client connects to).
Values: (String)

proxy_port_range_low
The lower bound of the port range for the forward proxy.
Values: (Number, default 5000)

proxy_port_range_high
The upper bound of the port range for the forward proxy.
Values: (Number, default 10000)

proxy_cleanup_interval
The interval in seconds at which the forward proxy server scans and cleans up expired sessions.
Values: (Number, default 0)

proxy_keepalive_internal
The interval in seconds at which the ascp client sends keep-alive requests. This option is propagated to the client.
Values: (Number, default 0)

proxy_session_timeout
The interval in seconds after which a session times out if no keep-alive updates have been received.
Values: (Number, default 0)

rproxy_rules_rule_proxy_port
The reverse proxy server port that receives UDP traffic.
Values: (Number, default 33001)

rproxy_rules_rule_host
The IP address and SSH port of the internal destination. If unspecified the default port is 22.
Values: (IP address and port)

rproxy_rules_rule_hosts
The list of IP addresses and SSH ports for the load-balancing feature. The first character is a separator (preferably a " ") which can be used to set multiple hosts.
For example: : : :33001
Values: (Character separator)(ip address)[(character separator)(ip address)]

rproxy_rules_rule_squash_user
The account name used for authenticating with the internal server.
Values: (String)

rproxy_rules_rule_key_file
The path to the SSH private key for authenticating with the internal server.
Values: (Absolute path)

rproxy_rules_rule_udp_port_reuse
Whether the reverse proxy should reuse the UDP port (true) or not (false). Setting this to false enables reverse proxy to create iptables rules that increment the UDP port number that clients connect to, and the internal server's UDP port to which transfers are routed to.
Values: true (default), false

rproxy_rules_rule_balancing
The method for distributing transfers as part of the load balancing feature. Currently roundrobin is the only supported method.
Values: round-robin (default)

rproxy_enabled
Whether reverse proxy is on (true) or off (false).
Values: false (default), true

rproxy_log_level
The level of debug messages to log for reverse proxy.
Values: 0 (default), 1, 2

rproxy_log_directory
The reverse proxy server log file location. If no value is set, the proxy logs to syslog.
Values: (Absolute path)

Client Configurations

General Syntax Guidelines

This collection of commands configures settings related to client transfers, which are transfers you initiate with ascp on the command line or the GUI of your product. The syntax for setting client parameters is the following:

# asconfigurator -x "set_client_data;parameter,value"

Note: Not all available parameters are listed below, only the most commonly used. To view a complete list, run the following command:

# /opt/aspera/bin/asuserdata -+

Parameters and Values

transport_cipher
The encryption cipher to use for transfers.
Values: aes-128 (default), aes-192, aes-256, none

ssl_ciphers
The list of SSL encryption ciphers that the server will allow. Each cipher is separated by a colon (:). See the server documentation for the default list of ciphers.
Values: (Colon-delimited list)

ssl_protocol
The minimum allowed SSL protocol. Higher security protocols are always allowed.

Values: tlsv1 (default), tlsv1.1, tlsv1.2

default_ssh_key
The path to the default SSH key that should be used in command line transfers.
Values: (Absolute path)

Troubleshooting

Appendix

Restarting Aspera Services

Aspera Central

If Aspera Central is stopped, or if you have modified the <central_server> or <database> sections in aspera.conf, then you need to restart the service. Run the following command in a Terminal window to restart asperacentral:

# /etc/init.d/asperacentral restart

Aspera NodeD

Restart Aspera NodeD if you have modified any setting in aspera.conf. Run the following commands to restart asperanoded:

# /etc/init.d/asperanoded restart

Aspera HTTPD

Restart Aspera HTTPD if you have modified any setting in aspera.conf. Run the following commands to restart asperahttpd:

# /etc/init.d/asperahttpd restart

Testing and Optimizing Transfer Performance

To verify that your system's FASP transfer is reaching the target rate and can use the maximum bandwidth capacity, prepare a client machine to connect to this server. For these tests, you can transfer an existing file or file set, or you can transfer uninitialized data in place of a source file, which you can have destroyed at the destination, eliminating the need to read from or write to disk and saving disk space.

To send random data in place of a source file, run the following command:

# ascp --mode=send --user=username --host=host_ip_address faux:///fname?fsize target_path

where fname is the name assigned to the file on the destination and fsize is the number of bytes to send. fsize can be set with modifiers (k/K, m/M, g/G, t/T, p/P, or e/E) up to 9 EB.

To send a file but not save the results to disk at the destination, run the following command:

# ascp --mode=send --user=username --host=host_ip_address source_file1 faux://

To send random data and not save the results to disk, run the following command:

# ascp --mode=send --user=username --host=host_ip_address faux:///fname?fsize faux://

For usage examples, see Ascp General Examples. Once you start a transfer from the command line, you can monitor it from the GUI.

1. Start a transfer with Fair transfer policy and compare the transfer rate to the target rate.
On the client machine, open the user interface and start a transfer (either from the GUI or command line). Click Details to open the Transfer Monitor. To leave more network resources for other high-priority traffic, use the Fair policy and adjust the target rate and minimum rate by sliding the arrows or entering values.

2. Test the maximum bandwidth.
Note: This test will typically occupy a majority of the network's bandwidth. Aspera recommends performing it on a dedicated file transfer line or during a time of very low network activity.
Use Fixed policy for the maximum transfer speed. Start with a lower transfer rate and increase gradually toward the network bandwidth.

To improve the transfer speed, you may also upgrade the related hardware components:

Component
Hard disk: The I/O throughput, the disk bus architecture (e.g. RAID, IDE, SCSI, ATA, and Fiber Channel).
Network I/O: The interface card, the internal bus of the computer.
CPU: Overall CPU performance affects the transfer, especially when encryption is enabled.

Log Files

The application log file includes detailed transfer information and can be useful for review and support requests. You can redirect Aspera logging so that it is not recorded in the system log file and configure log rotation.

Viewing Logs and Setting Log Preferences

To view the log, from the GUI, click Tools > View Log.

Note: To view logs from the command line in Linux, you must have a functional web-browser or other default application for opening HTML files.

To set the logging level for transfers, open the My Preferences dialog by clicking Tools > Preferences or by clicking Preferences in the upper-right corner of the application window. The five logging levels to select from are: Off, Error, Warn, Info, and Debug. The system default is Info.

Redirecting Aspera Logging to a Different Location

On Linux systems, the application transfer logs are recorded in the system log file. Instead of mixing Aspera logging with system logging, you may want to redirect Aspera logging to a separate log file of your choice.

RedHat, CentOS, and Debian

On RedHat, CentOS, and Debian, the transfer logs are recorded in the following log file:

/var/log/messages

To redirect Aspera logging, modify /etc/syslog.conf (/etc/rsyslog.conf in the case of Red Hat or CentOS 6.X) and add local2.none to the /var/log/messages line. For example, if you have the following line:

*.info;mail.none;authpriv.none;cron.none /var/log/messages

Change it to:

*.info;mail.none;authpriv.none;cron.none;local2.none /var/log/messages

Next, forward local2.info log messages to your new file. For example, to write to /var/log/aspera.log, add the following line just below the line you modified above:

local2.info -/var/log/aspera.log

The log file name should be separated from the log facility (local2.info) by tab characters, not spaces, and be preceded by a hyphen. The hyphen before the log file name allows for asynchronous logging.

Next, restart the syslog daemon to have it load the new configuration:

# service syslog restart

In the case of Red Hat or CentOS 6.X:

# service rsyslog restart

Your Aspera log messages now appear in /var/log/aspera.log instead of /var/log/messages.

SLES (Suse) systems

On SLES (Suse) systems, the transfer logs are recorded in the following system log file:

/var/log/localmessages
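The RedHat, CentOS, and Debian redirection steps above can be applied to the text of a syslog configuration file with the following added example, which is not part of the Aspera guide. The function name and the sample configuration are constructed for illustration; the function only transforms text, so the result can be reviewed before it is written back and the syslog daemon restarted.

```python
import re

# An active (uncommented) selector line whose action is /var/log/messages.
_MESSAGES = re.compile(
    r"^(?P<sel>[^#\s]\S*)(?P<gap>[ \t]+)(?P<tgt>-?/var/log/messages)[ \t]*$")
# An existing local2.info rule, whatever separator it uses.
_LOCAL2 = re.compile(r"^local2\.info[ \t]+-?(?P<path>\S+)[ \t]*$")

# Constructed sample, not taken from a real host.
SAMPLE_CONF = (
    "# constructed sample syslog configuration\n"
    "*.info;mail.none;authpriv.none;cron.none\t\t/var/log/messages\n"
    "authpriv.*\t\t/var/log/secure\n"
)


def redirect_aspera_logging(conf_text, aspera_log="/var/log/aspera.log"):
    """Return (new_text, changed) with local2 moved out of /var/log/messages.

    Adds local2.none to the /var/log/messages selector and places a
    tab-separated, hyphen-prefixed local2.info rule just below it.
    Running it on its own output changes nothing.
    """
    wanted = "local2.info\t-" + aspera_log
    lines = conf_text.splitlines()
    rule_present = any(
        m and m.group("path") == aspera_log
        for m in (_LOCAL2.match(line) for line in lines))
    out = []
    found_messages = False
    for line in lines:
        msg = _MESSAGES.match(line)
        rule = _LOCAL2.match(line)
        if msg:
            found_messages = True
            selector = msg.group("sel")
            if "local2.none" not in selector.split(";"):
                selector += ";local2.none"
            out.append(selector + msg.group("gap") + msg.group("tgt"))
            if not rule_present:
                out.append(wanted)
                rule_present = True
        elif rule and rule.group("path") == aspera_log:
            # Enforce the tab separator and the leading hyphen.
            out.append(wanted)
        else:
            out.append(line)
    if not found_messages:
        raise ValueError("no active /var/log/messages selector line found")
    new_text = "\n".join(out) + ("\n" if conf_text.endswith("\n") else "")
    return new_text, new_text != conf_text


if __name__ == "__main__":
    updated, changed = redirect_aspera_logging(SAMPLE_CONF)
    print("changed:", changed)
    print(updated, end="")
```
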
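The file_restriction processing rules listed under Document Root Options depend on rule order, which the following added example (not IBM's code) makes visible by evaluating paths against a restriction string. It assumes that the first matching restriction decides, that wildcards behave like Python's fnmatch (where * also matches "/"), and that paths are normalized before matching; the "|" separator and the sample values are constructed.

```python
import posixpath
from fnmatch import fnmatchcase

# Constructed sample values; "|" is the separator chosen for illustration.
ALLOW_THEN_DENY = "|/home/aspera/*|!*.key"
DENY_THEN_ALLOW = "|!*.key|/home/aspera/*"


def parse_restrictions(value):
    """Split a file_restriction value into ordered (negated, pattern) rules.

    The first character of the value is the separator.
    """
    if len(value) < 2:
        raise ValueError("need a separator followed by a wildcard template")
    separator, body = value[0], value[1:]
    rules = []
    for template in body.split(separator):
        if not template:
            continue  # tolerate a doubled or trailing separator
        negated = template.startswith("!")
        pattern = template[1:] if negated else template
        if not pattern:
            raise ValueError("'!' must be followed by a wildcard template")
        rules.append((negated, pattern))
    if not rules:
        raise ValueError("no wildcard templates found")
    return rules


def decide(path, rules):
    """Return (allowed, index of the deciding rule or None).

    Assumption: restrictions are tried in order and the first match wins;
    a path that matches nothing is rejected.
    """
    # Normalize first so "/home/aspera/../x" is judged as "/home/x".
    normalized = posixpath.normpath(path)
    for index, (negated, pattern) in enumerate(rules):
        if fnmatchcase(normalized, pattern):
            return (not negated, index)
    return (False, None)


def is_allowed(path, rules):
    return decide(path, rules)[0]


def shadowed_denies(rules, sample_paths):
    """List (path, deny_index, allow_index) where a '!' rule matches a path
    but an earlier allow rule already decided it."""
    findings = []
    for path in sample_paths:
        allowed, deciding = decide(path, rules)
        if not allowed:
            continue
        normalized = posixpath.normpath(path)
        for index, (negated, pattern) in enumerate(rules):
            if negated and index > deciding and fnmatchcase(normalized, pattern):
                findings.append((path, index, deciding))
    return findings


if __name__ == "__main__":
    paths = ["/home/aspera/report.txt", "/home/aspera/id.key",
             "/home/aspera/../janedoe/x.txt", "/etc/passwd"]
    for value in (ALLOW_THEN_DENY, DENY_THEN_ALLOW):
        rules = parse_restrictions(value)
        print(value)
        for path in paths:
            print("  ", path, "->", "allow" if is_allowed(path, rules) else "reject")
        print("   shadowed deny rules:", shadowed_denies(rules, paths))
```

With the allow rule first, the later "!*.key" restriction never applies to files under /home/aspera, so exclusions belong ahead of the broader allow templates.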


More information

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3. Installing and Configuring VMware Identity Manager Connector 2018.8.1.0 (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on

More information

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE VMware Identity Manager 2.9.1 VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware

More information

CPM. Quick Start Guide V2.4.0

CPM. Quick Start Guide V2.4.0 CPM Quick Start Guide V2.4.0 1 Content 1 Introduction... 3 Launching the instance... 3 CloudFormation... 3 CPM Server Instance Connectivity... 3 2 CPM Server Instance Configuration... 4 CPM Server Configuration...

More information

Release Notes Release (December 4, 2017)... 4 Release (November 27, 2017)... 5 Release

Release Notes Release (December 4, 2017)... 4 Release (November 27, 2017)... 5 Release Release Notes Release 2.1.4. 201712031143 (December 4, 2017)... 4 Release 2.1.4. 201711260843 (November 27, 2017)... 5 Release 2.1.4. 201711190811 (November 20, 2017)... 6 Release 2.1.4. 201711121228 (November

More information

Bitnami Coppermine for Huawei Enterprise Cloud

Bitnami Coppermine for Huawei Enterprise Cloud Bitnami Coppermine for Huawei Enterprise Cloud Description Coppermine is a multi-purpose, full-featured web picture gallery. It includes user management, private galleries, automatic thumbnail creation,

More information

Bitnami OSQA for Huawei Enterprise Cloud

Bitnami OSQA for Huawei Enterprise Cloud Bitnami OSQA for Huawei Enterprise Cloud Description OSQA is a question and answer system that helps manage and grow online communities similar to Stack Overflow. First steps with the Bitnami OSQA Stack

More information

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide BlackBerry Enterprise Server for Microsoft Office 365 Version: 1.0 Administration Guide Published: 2013-01-29 SWD-20130131125552322 Contents 1 Related resources... 18 2 About BlackBerry Enterprise Server

More information

Aspera Connect Mac: OS X 10.6, 10.7, 10.8, Revision: Generated: 11/11/ :29

Aspera Connect Mac: OS X 10.6, 10.7, 10.8, Revision: Generated: 11/11/ :29 Aspera Connect 3.5.2 Mac: OS X 10.6, 10.7, 10.8, 10.9. 10.10 Revision: 3.5.2.95905 Generated: 11/11/2014 17:29 Contents 2 Contents Introduction... 3 System Requirements... 4 Setting up Connect... 5 Part

More information

Edge Device Manager Quick Start Guide. Version R15

Edge Device Manager Quick Start Guide. Version R15 Edge Device Manager Quick Start Guide Version R15 Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION indicates

More information

Sync User Guide. Powered by Axient Anchor

Sync User Guide. Powered by Axient Anchor Sync Powered by Axient Anchor TABLE OF CONTENTS End... Error! Bookmark not defined. Last Revised: Wednesday, October 10, 2018... Error! Bookmark not defined. Table of Contents... 2 Getting Started... 7

More information

Ansible Tower Quick Setup Guide

Ansible Tower Quick Setup Guide Ansible Tower Quick Setup Guide Release Ansible Tower 2.4.5 Red Hat, Inc. Jun 06, 2017 CONTENTS 1 Quick Start 2 2 Login as a Superuser 3 3 Import a License 4 4 Examine the Tower Dashboard 6 5 The Setup

More information

GRS Enterprise Synchronization Tool

GRS Enterprise Synchronization Tool GRS Enterprise Synchronization Tool Last Revised: Thursday, April 05, 2018 Page i TABLE OF CONTENTS Anchor End User Guide... Error! Bookmark not defined. Last Revised: Monday, March 12, 2018... 1 Table

More information

IBM Aspera Connect User Guide 3.8.0

IBM Aspera Connect User Guide 3.8.0 IBM Aspera Connect User Guide 3.8.0 Windows Revision: 255 Generated: 06/11/2018 12:25 Contents Introduction... 3 Setting Up Connect...3 Installation...3 Network Environment...4 Basic Configuration... 7

More information

IBM Campaign Version-independent Integration with IBM Engage Version 1 Release 3.1 April 07, Integration Guide IBM

IBM Campaign Version-independent Integration with IBM Engage Version 1 Release 3.1 April 07, Integration Guide IBM IBM Campaign Version-independent Integration with IBM Engage Version 1 Release 3.1 April 07, 2017 Integration Guide IBM Note Before using this information and the product it supports, read the information

More information

Colligo Console. Administrator Guide

Colligo Console. Administrator Guide Colligo Console Administrator Guide Contents About this guide... 6 Audience... 6 Requirements... 6 Colligo Technical Support... 6 Introduction... 7 Colligo Console Overview... 8 Colligo Console Home Page...

More information

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8 Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.8 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

How to Configure Authentication and Access Control (AAA)

How to Configure Authentication and Access Control (AAA) How to Configure Authentication and Access Control (AAA) Overview The Barracuda Web Application Firewall provides features to implement user authentication and access control. You can create a virtual

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

Bitnami Re:dash for Huawei Enterprise Cloud

Bitnami Re:dash for Huawei Enterprise Cloud Bitnami Re:dash for Huawei Enterprise Cloud Description Re:dash is an open source data visualization and collaboration tool. It was designed to allow fast and easy access to billions of records in all

More information

Administering Jive Mobile Apps for ios and Android

Administering Jive Mobile Apps for ios and Android Administering Jive Mobile Apps for ios and Android TOC 2 Contents Administering Jive Mobile Apps...3 Configuring Jive for Android and ios...3 Custom App Wrapping for ios...3 Authentication with Mobile

More information

User Guide. Version R94. English

User Guide. Version R94. English AuthAnvil User Guide Version R94 English March 8, 2017 Copyright Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as updated

More information

Configuration Guide. BlackBerry UEM. Version 12.9

Configuration Guide. BlackBerry UEM. Version 12.9 Configuration Guide BlackBerry UEM Version 12.9 Published: 2018-07-16 SWD-20180713083904821 Contents About this guide... 8 Getting started... 9 Configuring BlackBerry UEM for the first time...9 Configuration

More information

DSS User Guide. End User Guide. - i -

DSS User Guide. End User Guide. - i - DSS User Guide End User Guide - i - DSS User Guide Table of Contents End User Guide... 1 Table of Contents... 2 Part 1: Getting Started... 1 How to Log in to the Web Portal... 1 How to Manage Account Settings...

More information

Setting Up Resources in VMware Identity Manager

Setting Up Resources in VMware Identity Manager Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.7 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Acronis Data Cloud Version 7.8

Acronis Data Cloud Version 7.8 Acronis Data Cloud Version 7.8 PARTNER'S GUIDE Revision: 10/5/2018 Table of contents 1 About this document...3 2 About Acronis Data Cloud...3 2.1 Services and offerings... 3 2.2 User accounts and tenants...

More information

Installing AX Server with PostgreSQL (multi-server)

Installing AX Server with PostgreSQL (multi-server) Installing AX Server with PostgreSQL (multi-server) Version: 13 Published: Wednesday, November 29, 2017 ACL Services Ltd. 2017 Table of contents Table of contents Table of contents 3 Introduction 7 Intended

More information

Bitnami Tiny Tiny RSS for Huawei Enterprise Cloud

Bitnami Tiny Tiny RSS for Huawei Enterprise Cloud Bitnami Tiny Tiny RSS for Huawei Enterprise Cloud Description Tiny Tiny RSS is an open source web-based news feed (RSS/Atom) reader and aggregator, designed to allow you to read news from any location,

More information

Bitnami Pimcore for Huawei Enterprise Cloud

Bitnami Pimcore for Huawei Enterprise Cloud Bitnami Pimcore for Huawei Enterprise Cloud Description Pimcore is the open source platform for managing digital experiences. It is the consolidated platform for web content management, product information

More information

AUTOMATED APPOINTMENT REMINDER AND ANNOUNCEMENT SYSTEM

AUTOMATED APPOINTMENT REMINDER AND ANNOUNCEMENT SYSTEM SARS Messages AUTOMATED APPOINTMENT REMINDER AND ANNOUNCEMENT SYSTEM USER MANUAL 2011-2015 by SARS Software Products, Inc. All rights reserved. COPYRIGHT Copyright 2011-2015 SARS Software Products, Inc.

More information

Version Installation Guide. 1 Bocada Installation Guide

Version Installation Guide. 1 Bocada Installation Guide Version 19.4 Installation Guide 1 Bocada Installation Guide Copyright 2019 Bocada LLC. All Rights Reserved. Bocada and BackupReport are registered trademarks of Bocada LLC. Vision, Prism, vpconnect, and

More information

BlackBerry UEM Configuration Guide

BlackBerry UEM Configuration Guide BlackBerry UEM Configuration Guide 12.9 2018-11-05Z 2 Contents Getting started... 7 Configuring BlackBerry UEM for the first time... 7 Configuration tasks for managing BlackBerry OS devices... 9 Administrator

More information

VII. Corente Services SSL Client

VII. Corente Services SSL Client VII. Corente Services SSL Client Corente Release 9.1 Manual 9.1.1 Copyright 2014, Oracle and/or its affiliates. All rights reserved. Table of Contents Preface... 5 I. Introduction... 6 Chapter 1. Requirements...

More information

Anchor User Guide. Presented by: Last Revised: August 07, 2017

Anchor User Guide. Presented by: Last Revised: August 07, 2017 Anchor User Guide Presented by: Last Revised: August 07, 2017 TABLE OF CONTENTS GETTING STARTED... 1 How to Log In to the Web Portal... 1 How to Manage Account Settings... 2 How to Configure Two-Step Authentication...

More information

Administering Jive Mobile Apps

Administering Jive Mobile Apps Administering Jive Mobile Apps Contents 2 Contents Administering Jive Mobile Apps...3 Configuring Jive for Android and ios... 3 Custom App Wrapping for ios... 4 Native App Caching: Android...4 Native App

More information

Single Sign-On for PCF. User's Guide

Single Sign-On for PCF. User's Guide Single Sign-On for PCF Version 1.2 User's Guide 2018 Pivotal Software, Inc. Table of Contents Table of Contents Single Sign-On Overview Installation Getting Started with Single Sign-On Manage Service Plans

More information

End User Manual. December 2014 V1.0

End User Manual. December 2014 V1.0 End User Manual December 2014 V1.0 Contents Getting Started... 4 How to Log into the Web Portal... 5 How to Manage Account Settings... 6 The Web Portal... 8 How to Upload Files in the Web Portal... 9 How

More information

Bitnami TestLink for Huawei Enterprise Cloud

Bitnami TestLink for Huawei Enterprise Cloud Bitnami TestLink for Huawei Enterprise Cloud Description TestLink is test management software that facilitates software quality assurance. It offers support for test cases, test suites, test plans, test

More information

Configuration Guide. BlackBerry UEM. Version 12.7 Maintenance Release 2

Configuration Guide. BlackBerry UEM. Version 12.7 Maintenance Release 2 Configuration Guide BlackBerry UEM Version 12.7 Maintenance Release 2 Published: 2017-12-04 SWD-20171130134721747 Contents About this guide... 8 Getting started... 9 Configuring BlackBerry UEM for the

More information

Bitnami JFrog Artifactory for Huawei Enterprise Cloud

Bitnami JFrog Artifactory for Huawei Enterprise Cloud Bitnami JFrog Artifactory for Huawei Enterprise Cloud Description JFrog Artifactory is a Binary Repository Manager for Maven, Ivy, Gradle modules, etc. Integrates with CI servers for fully traceable builds.

More information

Aspera Connect Server Admin Guide 3.6.0

Aspera Connect Server Admin Guide 3.6.0 Aspera Connect Server Admin Guide 3.6.0 Windows Revision: 3.6.0.124980 Generated: 05/13/2016 19:23 Contents 2 Contents Introduction... 5 Standard Installation...6 Requirements...6 Before Upgrading...6

More information

Bitnami ERPNext for Huawei Enterprise Cloud

Bitnami ERPNext for Huawei Enterprise Cloud Bitnami ERPNext for Huawei Enterprise Cloud Description ERPNext is an open source, web based application that helps small and medium sized business manage their accounting, inventory, sales, purchase,

More information

Administrator Manual. Last Updated: 15 March 2012 Manual Version:

Administrator Manual. Last Updated: 15 March 2012 Manual Version: Administrator Manual Last Updated: 15 March 2012 Manual Version: 1.6 http://www.helpdeskpilot.com Copyright Information Under the copyright laws, this manual may not be copied, in whole or in part. Your

More information

Bitnami OroCRM for Huawei Enterprise Cloud

Bitnami OroCRM for Huawei Enterprise Cloud Bitnami OroCRM for Huawei Enterprise Cloud Description OroCRM is a flexible open-source CRM application. OroCRM supports your business no matter the vertical. If you are a traditional B2B company, franchise,

More information

Cloud Access Manager Configuration Guide

Cloud Access Manager Configuration Guide Cloud Access Manager 8.1.3 Configuration Guide Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

Zmanda Cloud Backup FAQ

Zmanda Cloud Backup FAQ Zmanda Cloud Backup 2.0.1 FAQ The first sections of this document cover general questions regarding features, cloud, and support; the last section lists error messages and what to do about them. Terminology

More information

Bitnami Trac for Huawei Enterprise Cloud

Bitnami Trac for Huawei Enterprise Cloud Bitnami Trac for Huawei Enterprise Cloud Description Trac is an enhanced wiki and issue tracking system for software development projects. It provides interfaces to Subversion and Git, an integrated Wiki

More information

Carbon Black QRadar App User Guide

Carbon Black QRadar App User Guide Carbon Black QRadar App User Guide Table of Contents Carbon Black QRadar App User Guide... 1 Cb Event Forwarder... 2 Overview...2 Requirements...2 Install Cb Event Forwarder RPM...2 Configure Cb Event

More information

User Guide. Version R92. English

User Guide. Version R92. English AuthAnvil User Guide Version R92 English October 9, 2015 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as updated from

More information

Introduction to application management

Introduction to application management Introduction to application management To deploy web and mobile applications, add the application from the Centrify App Catalog, modify the application settings, and assign roles to the application to

More information

Comodo SecureBox Management Console Software Version 1.9

Comodo SecureBox Management Console Software Version 1.9 6. Comodo SecureBox Management Console Software Version 1.9 Quick Start Guide Guide Version 1.9.041918 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Comodo SecureBox Management Console

More information

EDB Postgres Enterprise Manager EDB Ark Management Features Guide

EDB Postgres Enterprise Manager EDB Ark Management Features Guide EDB Postgres Enterprise Manager EDB Ark Management Features Guide Version 7.6 January 9, 2019 by EnterpriseDB Corporation Copyright 2013-2019 EnterpriseDB Corporation. All rights reserved. EnterpriseDB

More information

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager VMware Identity Manager Cloud Deployment DEC 2017 VMware AirWatch 9.2 VMware Identity Manager You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

SafeConsole On-Prem Install Guide. version DataLocker Inc. July, SafeConsole. Reference for SafeConsole OnPrem

SafeConsole On-Prem Install Guide. version DataLocker Inc. July, SafeConsole. Reference for SafeConsole OnPrem version 5.2.2 DataLocker Inc. July, 2017 SafeConsole Reference for SafeConsole OnPrem 1 Contents Introduction................................................ 2 How do the devices become managed by SafeConsole?....................

More information

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager VMware Identity Manager Cloud Deployment Modified on 01 OCT 2017 VMware Identity Manager You can find the most up-to-date technical documentation on the VMware Web site at: https://docs.vmware.com/ The

More information

EDB Postgres Enterprise Manager EDB Ark Management Features Guide

EDB Postgres Enterprise Manager EDB Ark Management Features Guide EDB Postgres Enterprise Manager EDB Ark Management Features Guide Version 7.4 August 28, 2018 by EnterpriseDB Corporation Copyright 2013-2018 EnterpriseDB Corporation. All rights reserved. EnterpriseDB

More information

SAML-Based SSO Configuration

SAML-Based SSO Configuration Prerequisites, page 1 SAML SSO Configuration Task Flow, page 5 Reconfigure OpenAM SSO to SAML SSO Following an Upgrade, page 9 SAML SSO Deployment Interactions and Restrictions, page 9 Prerequisites NTP

More information

Administrator Manual. Last Updated: 15 March 2012 Manual Version:

Administrator Manual. Last Updated: 15 March 2012 Manual Version: Administrator Manual Last Updated: 15 March 2012 Manual Version: 1.6 http://www.happyfox.com Copyright Information Under the copyright laws, this manual may not be copied, in whole or in part. Your rights

More information

INSTALLATION GUIDE Spring 2017

INSTALLATION GUIDE Spring 2017 INSTALLATION GUIDE Spring 2017 Copyright and Disclaimer This document, as well as the software described in it, is furnished under license of the Instant Technologies Software Evaluation Agreement and

More information

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018 VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018 Table of Contents Introduction to Horizon Cloud with Manager.... 3 Benefits of Integration.... 3 Single Sign-On....3

More information

Sophos Mobile Control Administrator guide. Product version: 5.1

Sophos Mobile Control Administrator guide. Product version: 5.1 Sophos Mobile Control Administrator guide Product version: 5.1 Document date: June 2015 Contents 1 About Sophos Mobile Control...5 1.1 Sophos Mobile Control on premise and as a Service...5 1.2 About this

More information

Bitnami ez Publish for Huawei Enterprise Cloud

Bitnami ez Publish for Huawei Enterprise Cloud Bitnami ez Publish for Huawei Enterprise Cloud Description ez Publish is an Enterprise Content Management platform with an easy to use Web Content Management System. It includes role-based multi-user access,

More information

Bitnami Open Atrium for Huawei Enterprise Cloud

Bitnami Open Atrium for Huawei Enterprise Cloud Bitnami Open Atrium for Huawei Enterprise Cloud Description Open Atrium is designed to help teams collaborate by providing an intranet platform that includes a blog, a wiki, a calendar, a to do list, a

More information

Clay Tablet Connector for Adobe Experience Manager. Installation and Configuration Guide. Version 3.0.0

Clay Tablet Connector for Adobe Experience Manager. Installation and Configuration Guide. Version 3.0.0 Clay Tablet Connector for Adobe Experience Manager Installation and Configuration Guide Version 3.0.0 January 13, 2017 Copyright Copyright 2005-2017 Clay Tablet Technologies Inc. All rights reserved. All

More information

Setting Up the Server

Setting Up the Server Managing Licenses, page 1 Cross-launch from Prime Collaboration Provisioning, page 5 Integrating Prime Collaboration Servers, page 6 Single Sign-On for Prime Collaboration, page 7 Changing the SSL Port,

More information

Configuration Guide. BlackBerry UEM Cloud

Configuration Guide. BlackBerry UEM Cloud Configuration Guide BlackBerry UEM Cloud Published: 2018-04-18 SWD-20180411125526296 Contents About this guide... 7 Getting started... 8 Configuring BlackBerry UEM Cloud for the first time... 8 Administrator

More information

SAP Vora - AWS Marketplace Production Edition Reference Guide

SAP Vora - AWS Marketplace Production Edition Reference Guide SAP Vora - AWS Marketplace Production Edition Reference Guide 1. Introduction 2 1.1. SAP Vora 2 1.2. SAP Vora Production Edition in Amazon Web Services 2 1.2.1. Vora Cluster Composition 3 1.2.2. Ambari

More information

Introduction Secure Message Center (Webmail, Mobile & Visually Impaired) Webmail... 2 Mobile & Tablet... 4 Visually Impaired...

Introduction Secure Message Center (Webmail, Mobile & Visually Impaired) Webmail... 2 Mobile & Tablet... 4 Visually Impaired... WEB MESSAGE CENTER END USER GUIDE The Secure Web Message Center allows users to access and send and receive secure messages via any browser on a computer, tablet or other mobile devices. Introduction...

More information

NETWRIX GROUP POLICY CHANGE REPORTER

NETWRIX GROUP POLICY CHANGE REPORTER NETWRIX GROUP POLICY CHANGE REPORTER ADMINISTRATOR S GUIDE Product Version: 7.2 November 2012. Legal Notice The information in this publication is furnished for information use only, and does not constitute

More information

IBM Campaign Version-independent Integration with IBM Watson Campaign Automation Version 1 Release 1.5 February, Integration Guide IBM

IBM Campaign Version-independent Integration with IBM Watson Campaign Automation Version 1 Release 1.5 February, Integration Guide IBM IBM Campaign Version-independent Integration with IBM Watson Campaign Automation Version 1 Release 1.5 February, 2018 Integration Guide IBM Note Before using this information and the product it supports,

More information

Aspera Direct-to-Cloud Storage WHITE PAPER

Aspera Direct-to-Cloud Storage WHITE PAPER Transport Direct-to-Cloud Storage and Support for Third Party June 2017 WHITE PAPER TABLE OF CONTENTS OVERVIEW 3 1 - THE PROBLEM 3 2 - A FUNDAMENTAL SOLUTION - ASPERA DIRECT-TO-CLOUD TRANSPORT 5 3 - T

More information

Amazon AppStream 2.0: SOLIDWORKS Deployment Guide

Amazon AppStream 2.0: SOLIDWORKS Deployment Guide 2018 Amazon AppStream 2.0: SOLIDWORKS Deployment Guide Build an Amazon AppStream 2.0 environment to stream SOLIDWORKS to your users June 2018 https://aws.amazon.com/appstream2/ 1 Welcome This guide describes

More information

WatchGuard Dimension v2.1.1 Update 3 Release Notes

WatchGuard Dimension v2.1.1 Update 3 Release Notes WatchGuard Dimension v2.1.1 Update 3 Release Notes Build Number 567758 Release Date 8 August 2018 Release Notes Revision Date 8 August 2018 On 8 August 2018, WatchGuard released the Dimension v2.1.1 Update

More information

Installation Guide for 3.1.x

Installation Guide for 3.1.x CARETEND BI Installation Guide for 3.1.x TABLE OF CONTENTS DOCUMENT PURPOSE... 2 OVERVIEW... 2 PLATFORM COMPONENTS... 3 Rock-Pond BI Server... 3 CareTend BI Client Application... 3 ABOUT INSTANCES... 3

More information

Eucalyptus User Console Guide

Eucalyptus User Console Guide Eucalyptus 4.0.2 User Console Guide 2014-11-05 Eucalyptus Systems Eucalyptus Contents 2 Contents User Console Overview...5 Install the Eucalyptus User Console...6 Install on Centos / RHEL 6.3...6 Configure

More information

Bitnami Mantis for Huawei Enterprise Cloud

Bitnami Mantis for Huawei Enterprise Cloud Bitnami Mantis for Huawei Enterprise Cloud Description Mantis is a complete bug-tracking system that includes role-based access controls, changelog support, built-in reporting and more. A mobile client

More information

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch Workspace ONE UEM v9.4 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard

More information

Workspace ONE Chrome OS Platform Guide. VMware Workspace ONE UEM 1811

Workspace ONE Chrome OS Platform Guide. VMware Workspace ONE UEM 1811 Workspace ONE Chrome OS Platform Guide VMware Workspace ONE UEM 1811 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about

More information

IPMI Configuration Guide

IPMI Configuration Guide IPMI Configuration Guide 1. Introduction of IPMI Server Manager... 2 2. IPMI Server Manager GUI Overview... 3 1 1. Introduction of IPMI Server Manager IPMI Server Manager allows remote access of computers

More information

8.0 Help for Community Managers Release Notes System Requirements Administering Jive for Office... 6

8.0 Help for Community Managers Release Notes System Requirements Administering Jive for Office... 6 for Office Contents 2 Contents 8.0 Help for Community Managers... 3 Release Notes... 4 System Requirements... 5 Administering Jive for Office... 6 Getting Set Up...6 Installing the Extended API JAR File...6

More information

NTP Software VFM Administration Web Site

NTP Software VFM Administration Web Site NTP Software VFM Administration Web Site User Manual Version 7.1 This guide details the method for using NTP Software VFM Administration Web Site, from an administrator s perspective. Upon completion of

More information

Forescout. eyeextend for IBM BigFix. Configuration Guide. Version 1.2

Forescout. eyeextend for IBM BigFix. Configuration Guide. Version 1.2 Forescout Version 1.2 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information