File Transfer Server

The File Transfer Server is a process that is included on every Control-M/Agent that has Control-M MFT installed. It supports FTP/S, SFTP, and HTTP/S, and is embedded in the MFT process. The process runs by default; you can disable it, as described in MFT Server General Parameters.

The following diagram shows the File Transfer Server architecture:

Configuring MFT Client and Server

This procedure describes how to configure the MFT Client and Server, which enables you to transfer files directly from one MFT host to another MFT host, without using an FTP server on a third computer.

You can connect to an SFTP or an FTP client on an ad hoc basis, as follows:

  • SFTP client: <FTS hostname>:<FTS SFTP port>

  • FTP client: <FTS hostname>:<FTS FTP port>

    By default, the FTP server is down. You must enable the FTP server, as described in MFT Server General Parameters.

You can connect using a Web browser (HTTP/S), as follows:

  • https://<FTS_hostname>:<FTS HTTPS port>

Begin

  1. From the Configuration domain, click and then select Plug-ins.

  2. Select the required File Transfer plug-in and then from the Configuration drop-down list, do one or more of the following:
  3. Click Save.

Stopping the File Transfer Server

This procedure describes how to manually stop the File Transfer Server. The Agent host starts the File Transfer Server automatically after 30 seconds. You can disable the File Transfer Server permanently, as described in MFT Server General Parameters.

Begin

From the Agent host, run one of the following commands:

  • UNIX: <Agent Home>/cm/AFT/exe/shutb2b.sh

  • Windows: <Agent Home>\cm\AFT\exe\shutb2b.cmd

Starting the File Transfer Server

This procedure describes how to manually start the File Transfer Server.

Begin

  • From the Agent host, run one of the following commands:

    • UNIX: cm/AFT/exe/startb2b.sh

    • Windows: cm\AFT\exe\startb2b.sh

MFT Client Configuration Parameters

The following table lists the Control-M for MFT configuration parameters.

Area Parameter Description

General

Debug Level

Determines the debug level of Control-M MFT.

Valid values: 0-5

If the debug level of the Agent is higher than that of Control-M MFT, then the debug level of Control-M MFT is based on the Agent.

SSL Debug trace

Determines whether the Control-M for MFT SSL diagnostics must run.

To view SSL trace information in the log, add the following flag to the Java command in the ctmaftcontainer script: -Djavax.net.debug=ssl:[flag]

-Djavax.net.debug=ssl

-Djavax.net.debug=ssl:record

-Djavax.net.debug=ssl:handshake:data

Use PAM password authentication

Authenticates the local host with PAM-based authentication (Linux only).

PGP temporary directory

Determines the temporary location where PGP files are stored (Default: <Control-M/Agent_Home_Dir>\cm\AFT\pgp_tmp).

The users that are defined in the connection profile in the host where the Local CM checkbox is selected must have read and write permissions in the PGP temporary directory.

Connection

Connection timeout

Determines the number of seconds the MFT client attempts to establish a connection to an FTP server before a timeout

Valid values: 0-9999

0 = No timeout

Default: 30

Number of retries

Determines the number of connection attempts between 0-99 after a connection failure to an FTP server (Default: 5).

When the remote FTP server is running on a z/OS system, this parameter has no effect.

Time between retries

Determines the number of seconds between each connection attempt to an FTP server (Default: 6)

File Watcher

Interval between file searches

Determines the range in seconds (1-9999) between successive attempts to detect the existence of a file and the range between attempts to monitor the size of a file after it is detected (Default: 30)

Number of iteration while size is static

Determines the number of attempts (1-999) to monitor the file size when it is static after it has reached its minimum detected size (Default: 3)

Checks that file is not in use

Checks if the file is used by another process or application on a local host. If it is, then the watch action fails.

You must have the lsof utility on your computer and it must exist in the root user path, and the Control-M/Agent must run as root user. Otherwise this check does not function properly (UNIX only).

Pre/Post File Actions

Interval between retries

Determines the number of seconds (1-9999) to wait before Control-M for MFT attempts to perform a post action on the source or destination file after a successful transfer, as described in Advanced general parameters (Default: 5).

Number of retries

Determines the number of retries (0-999) Control-M for MFT attempts to perform the post action on the source or destination file after a successful transfer, as described in Advanced general parameters (Default: 3).

Web Proxy

Web Proxy

Determines whether to transfer files through a Web Proxy server

Supports FTP, FTPS, SFTP, and S3.

Proxy Host

Defines the hostname of the proxy server

Proxy Port

Defines the port number of the proxy server

Proxy User

(Optional) Defines the username of the proxy server

Proxy Password

(Optional) Defines the user's password of the proxy server

MFT Server General Parameters

The following table describes the MFT Server General parameters.

Parameter Description
Enable File Transfer Server

Determines whether the File Transfer Server is enabled or disabled.

Host

Defines the hostname where the File Transfer Server is installed

Home directory

Defines the root path where transferred files are stored.

If you want to use a different directory for each logged in user, you must add \${userName} to the path.

C:\temp\${userName}

If Bob connects to the File Transfer Server and uploads the file a.txt to the root directory, the file is saved in C:\temp\Bob\a.txt.

Default: <Agent_Home>/CM/AFT/ftshome/${userName}

Generate Access Log

Determines whether the File Transfer Server creates a daily log, which tracks all internal user access information.

The log file format is fts_access_log.<YYYYMMDD>.csv and is located in the <Agent>/proclog directory.

Multiple login allowed

Determines whether multiple users can connect to the File Transfer Server simultaneously.

FTP only

Max. logins

Determines the number of users that can connect to the File Transfer Server simultaneously

FTP only

Max login failures

Determines the maximum number of login attempts that are allowed before no more logins are allowed for the period of time defined by the next parameter

FTP only

Delay after login failure

Determines the number of seconds to wait after a login failure before the next attempt

FTP only

Throttling activated

Determines whether to limit the number of simultaneous uploads and downloads.

Max simultaneous uploads

Determines the maximum number of simultaneous uploads

Max simultaneous downloads

Determines the maximum number of simultaneous downloads

FTP/FTPS Server Parameters

The following table describes FTP/FTPS server parameters.

Parameter Description

Determines whether the File Transfer Server that supports client connection via FTP/FTPS is enabled

Port

Determines the port number that the File Transfer Server listens to for FTP/FTPS connections

This port is used by clients to connect to the FTP/FTPS server (Default: 1221).

Secured (FTPS)

Determines whether FTPS is enabled

Keystore file path

Defines the path to the file that contains the server certificate.

The keystore must be in PKCS#12 format. If FIPS is enabled, the format must be BCFKS.

Keystore file password

Defines the password of the file that contains the server certificate

Ciphers

Lists the names of ciphers used for FTPS. If no ciphers are specified, all available ciphers are supported.

Listen for implicit connections

Determines whether to automatically turn on security after a connection is established between the FTPS client and the Managed File Transfer server.

Passive Port/s

Limits the range of dynamic ports that can be used for passive connections in FTP. Ports can be defined as single ports, closed or open ranges. Multiple definitions must be separated by commas.

EXAMPLE:

2300: Uses 2300 as the passive port

2300-2399: Uses all ports in the range

2300-: Uses all ports larger than 2300

2300, 2305, 2400-: Uses 2300 or 2305 or any port larger than 2400

Authentication

Authenticates the FTP user with one of the following methods:

  • Windows local user (Windows only)

  • LDAP

  • PAM (UNIX only)
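
The Passive Port/s syntax in the table above decides how many inbound ports a firewall must open for passive FTP. The following added example (not BMC code) parses that syntax into merged port ranges and counts the ports exposed; the function names are hypothetical, and it assumes an open range such as 2300- starts at the stated port and runs to 65535.

```python
# Added example: parser for the Passive Port/s syntax (single ports,
# closed ranges, open ranges, comma-separated). Not part of Control-M.
MAX_PORT = 65535

def parse_passive_ports(spec):
    """Return a sorted, merged list of inclusive (low, high) port ranges."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in passive port list")
        low_text, dash, high_text = item.partition("-")
        low = int(low_text)
        if not dash:
            high = low                 # single port: "2300"
        elif not high_text.strip():
            high = MAX_PORT            # open range: "2300-" (assumed inclusive)
        else:
            high = int(high_text)      # closed range: "2300-2399"
        if not (1 <= low <= high <= MAX_PORT):
            raise ValueError(f"invalid port range: {item!r}")
        ranges.append((low, high))
    ranges.sort()
    merged = [ranges[0]]
    for low, high in ranges[1:]:
        last_low, last_high = merged[-1]
        if low <= last_high + 1:       # overlapping or adjacent: merge
            merged[-1] = (last_low, max(last_high, high))
        else:
            merged.append((low, high))
    return merged

def exposed_port_count(spec):
    """Number of distinct ports the firewall must allow for this setting."""
    return sum(high - low + 1 for low, high in parse_passive_ports(spec))

if __name__ == "__main__":
    for spec in ("2300", "2300-2399", "2300-", "2300, 2305, 2400-"):
        print(f"{spec!r}: {parse_passive_ports(spec)} "
              f"-> {exposed_port_count(spec)} ports")
```

A closed range keeps the firewall rule small: 2300-2399 opens 100 ports, while 2300- opens every port from 2300 up.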

SFTP Server Parameters

The following table describes SFTP server parameters.

Parameter Description
Determines whether the File Transfer Server that supports client connection via SFTP is enabled

Port

Determines the port number that the File Transfer Server listens to for SFTP connections

This port is used by clients to connect to the SFTP server (Default: 1222).

Keystore file path

Defines the path to the file that contains the client's certificate

Keystore file password

Defines the password for the file that contains the server's certificate.

The keystore must be in PKCS#12 format. If FIPS is enabled, the format must be BCFKS.

Ciphers

Lists the names of ciphers used for SFTP.

Known user file path

Defines the path to the file that contains known users by SFTP

Authentication

Authenticates the SFTP user with one of the following methods:

  • Windows local user (Windows only)

  • LDAP

  • PAM (UNIX only)

Override home directory for specific internal users

Determines which internal users can override their specific home directory to connect to the FTS/Hub with SFTP. The home directory changes are saved in the fts_config.properties file in the following format:

home.directory.expression.<user>=<home_dir>

The home directory can be a network path in the UNC format.

MFT Server Authentication Parameters

The following table describes MFT Server Authentication parameters.

Parameter Description

Allowed users

Determines who can access the File Transfer Server.

The list is separated with a comma. Wildcards can be used.

johnd,adm*,mydomain\user1

Blocked users

Determines who cannot access the File Transfer Server.

The list is separated with a comma. Wildcards can be used.

johnd,adm*,mydomain\user1

Search User

Defines the LDAP browse user

Password

Defines the password of the user defined in the Search user field. The value of this field can be left blank if the Search user does not have a defined password.

URL

Defines the URL address and port of a directory server.

Base DN

Defines the point from where the server searches for users.

ou=sales,dc=company,dc=us,dc=com

Username Attribute

Defines the name of the LDAP attribute that contains the username.

DN Attribute

Defines the name of the LDAP attribute that contains the distinguished name

Timeout

Determines the number of milliseconds to wait before a timeout (Default: 30000)

Service name

Defines the PAM service name.

Default: passwd

In non-root mode, you can only authenticate the Agent user. To authenticate other users, you must run as root.

BMC does not recommend running as root.

Connecting to the SFTP Server with Public Key Authentication

This procedure describes how to connect to the SFTP Server with Public Key authentication without logging in with a user and password for each connection.

The File Transfer Server only accepts SSH keys with a non-empty passphrase.

Begin

  1. Generate client public keys or use existing keys from your SFTP client.

    If your client is Control-M MFT, see Generating SSH Keys.

  2. Navigate to the following location:

    <Agent_Home>\CM\AFT\data\

  3. Open the authorized_keys file and add a new line with the following format:

    <user> <key format> <key content>

    Where:

    • <user> is the username that is authenticated by an external authentication tool, such as LDAP or PAM.

    • <key format> is the key format that is defined by the key generator, such as ssh-rsa.

    • <key content> is the public key component without the key comments section.

      cuser ssh-rsa AAAAB3NzaC1yc2EAAAAB97sd6f7f6dsfe3sdfsdalkjhfsdklafdufdsAJSDJKAJDHGjhgaSDjhgAjkhgA=
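
The line format above differs from an OpenSSH public key file, which has no leading user and usually ends with a comment. The following added example (not BMC code) converts an OpenSSH-style line to the <user> <key format> <key content> format and audits file contents for malformed lines; the function names and the sample key are constructed, and it assumes <key content> is the standard base64 SSH key blob, which begins with the key format name.

```python
import base64
import struct

def embedded_key_type(key_content):
    """Return the algorithm name stored at the start of an SSH public key blob."""
    blob = base64.b64decode(key_content, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if name_len == 0 or 4 + name_len > len(blob):
        raise ValueError("corrupt key blob")
    return blob[4:4 + name_len].decode("ascii")

def to_fts_line(user, openssh_pub_line):
    """'<key format> <key content> [comment]' -> '<user> <key format> <key content>'."""
    fields = openssh_pub_line.split()
    if len(fields) < 2 or not user or len(user.split()) != 1:
        raise ValueError("need a one-word user and '<key format> <key content>'")
    key_format, key_content = fields[0], fields[1]
    if embedded_key_type(key_content) != key_format:
        raise ValueError("declared key format does not match key content")
    return f"{user} {key_format} {key_content}"  # comment field is dropped

def audit_authorized_keys(text):
    """Return (line_number, problem) for every line that breaks the format."""
    problems = []
    for number, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            problems.append((number, "expected 3 fields"))
            continue
        try:
            if embedded_key_type(fields[2]) != fields[1]:
                problems.append((number, "key format mismatch"))
        except ValueError:  # bad base64, short blob, or non-ASCII type name
            problems.append((number, "invalid key content"))
    return problems

# Constructed sample: a syntactically valid blob, not a usable key.
SAMPLE_CONTENT = base64.b64encode(
    struct.pack(">I", 7) + b"ssh-rsa" + bytes(range(32))).decode()
SAMPLE_PUB = f"ssh-rsa {SAMPLE_CONTENT} cuser@laptop"

if __name__ == "__main__":
    print(to_fts_line("cuser", SAMPLE_PUB))
```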

Customizing the MFT File Transfer Server Website

This procedure describes how to customize your MFT File Transfer Server Website. You can customize the logo, change the login page background image, and change the site icon on the browser tab.

Begin

  1. From the Agent account where MFT is installed, navigate to one of the following locations:

    • Windows: <ag>\cm\AFT\data\resources\
    • LINUX: <ag>/cm/AFT/data/resources/

  2. Customize your website, as follows:

    • To change the login page background image, update bg-login.jpg.

    • To change the company logo to appear on a dark background bar, update CompanyLogoForDarkBar.svg.

    • To change the company logo to appear on a light background bar, update CompanyLogoForLightBar.svg.

      To optimize image dimensions, use the following:

      • .jpg file format: 1200 x 800 px.

      • .svg file format: 76 x 32 px (or any 2:1 ratio).

    • To change the site icon on the browser tab, update FileExchange.ico.

  3. Restart the File Transfer Server by running one of the following:

    • Windows: shutb2b.cmd

    • LINUX: shutb2b.sh