Setting up the Control-M MFT Enterprise Environment
This procedure describes how to set up the Control-M MFT Enterprise environment.
Before you begin
Ensure that you have installed the following:
- Control-M/EM 9.0.21.200
- Control-M/Server 9.0.20 and higher
- Control-M/Agent 9.0.20 or higher
Begin
- Install the Control-M MFT Deployment package on a Control-M/EM server 9.0.21.200, as described in Control-M MFT Deployment Package Installation.
- Deploy Control-M MFT 9.0.21.200 to at least one Control-M/Agent.
- Install Control-M MFT Enterprise on a Control-M/EM server.
- Install the Control-M MFT Gateway on a Linux computer in the demilitarized zone (DMZ), also known as a perimeter network, as described in Installing the Control-M MFT Enterprise Gateway on Linux.
- Add additional Hubs and Gateways to the same environment, as described in Setting up High Availability for Control-M MFT Enterprise.
- Create external users and virtual folders, as described in Creating External Users and Creating Virtual Folders.
- Allow external users to access the Gateway by doing one of the following:
  - Provide them with their login credentials (username, password) and the Gateway or load balancer public hostname and ports (per protocol).
  - If your Mail Server details are defined in Site Settings, you can generate a unique password for new users, and the credentials are sent to their email.
- Allow internal users to access the Hub by doing one of the following:
  - Create an SFTP connection profile using the Hub as the host with port 1222, as described in Creating a Centralized Connection Profile.
  - Provide them with the Hub hostname and listening ports (per protocol).
    Default Ports: 7443 (HTTPS), 1222 (SFTP), 1221 (FTPS). To access virtual folders, you must use HTTPS or SFTP.
- Transfer files between external and internal users, as described in Defining a File Transfer Job.
  By default, the user home directory is used. To push or pull files to and from a virtual folder, use the B2B Home sub-folder as defined in Hub Settings.
  To read all text files from folder1, define the following path:
  /b2bhome/folder1/incoming/*.txt
Setting up High Availability for Control-M MFT Enterprise
This procedure describes how to set up High Availability for Control-M MFT Enterprise, which enables you to add multiple Hubs and Gateways in your environment. This ensures that file transfers between external and internal users are successful even if one Hub or Gateway is down. In this environment, communication is bidirectional. The Hub communicates with the Gateway via port 9443 and the Gateway communicates with the Hub via port 7443.
BMC recommends that you set up at least three Hubs and two Gateways. If you only use two Hubs and one host goes down, you cannot update users, folders, groups, rules, or settings until a second Hub is active again. The configuration data is not stored in an external database. Configurations are synchronized to each host in the cluster and stored locally.
Before you begin:
- All Hubs must be on version 9.0.21.200 or higher and installed on the same platform (Windows or Linux).
- All Hubs must be on the same version.
- All Gateways must have the same authentication password that is defined during installation.
- Verify that the firewall ports are open (Gateway > Hub: 1222, 7443; Hub > Gateway: 9443; Hub x <-> Hub y: 3180-3183).
- All Control-M/Agents must be part of the same Host Group. For more information, see Host group management.
- BMC recommends that you move the MFT keystore files to a shared location to simplify maintenance.
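One way to run the firewall check from the prerequisites above, as an added example that is not part of the BMC documentation. It encodes the listed ports per direction and attempts a TCP connection to each; the host names are supplied by you, and `ports_for`, `port_open` and `check_path` are names made up for this example.

```shell
#!/usr/bin/env bash
# Added example. Target host names are placeholders that you supply.
# Run each direction from the SOURCE side of the rule (for example, run
# gw_to_hub on a Gateway), because that is the traffic the firewall filters.

# Ports per direction, as listed in the prerequisite above.
ports_for() {
  case "$1" in
    gw_to_hub)  echo "1222 7443" ;;
    hub_to_gw)  echo "9443" ;;
    hub_to_hub) echo "3180 3181 3182 3183" ;;
    *) return 2 ;;
  esac
}

# TCP connect with a 3-second limit. Needs bash (/dev/tcp) and coreutils timeout.
port_open() {  # <host> <port>
  timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Prints one line per host:port and returns non-zero if any port is unreachable.
# UNREACHABLE covers both a firewall drop and a service that is not listening,
# so run the check while the Hub and Gateway services are up.
check_path() {  # <direction> <target-host>...
  dir=$1; shift
  ports=$(ports_for "$dir") || { echo "unknown direction: $dir" >&2; return 2; }
  rc=0
  for host in "$@"; do
    for port in $ports; do
      if port_open "$host" "$port"; then
        echo "OPEN $dir $host:$port"
      else
        echo "UNREACHABLE $dir $host:$port"; rc=1
      fi
    done
  done
  return $rc
}

# Usage (constructed host names):
#   on a Gateway:  check_path gw_to_hub  hub1.example.internal hub2.example.internal
#   on a Hub:      check_path hub_to_gw  gw1.example.internal
#   on a Hub:      check_path hub_to_hub hub2.example.internal hub3.example.internal
```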
Begin
- Complete all steps described in Setting up the Control-M MFT Enterprise Environment.
- Define additional Hubs and Gateways, as described in Adding Hubs and Gateways.
- Create a shared drive for uploaded files and define the path in the Home Directory field in General Settings.
  All Hubs must have read/write access to this path.
  After your environment is set up, the following data is synced between all Hubs and Gateways:
  - MFT Enterprise database entities, such as Users, Folders, Groups, and Rules
  - MFT Enterprise configuration parameters, such as Hub settings and Gateway settings
  - MFT Enterprise host data (data/zoo.cfg file, data/gateways.json file)
  - MFT Enterprise profiles and templates, such as Connection Profiles, PGP templates, and MVS templates
- Set up a load balancer and distribute the load between the Gateways for all incoming requests via HTTPS (9443), SFTP (1224), FTP (1223) and AS2 (10083 and 10087).
- Define the load balancer's public domain name/IP in the Domain Name, as described in Hub Settings.
  (For example, if the load balancer can be accessed on https://files.company.com:9443, define files.company.com.)
  The load balancer must be configured to work with session stickiness (all requests on the same session must be routed to the same Gateway).
Setting up a Control-M MFT AS2 Configuration
Applicability Statement 2 (AS2) is an HTTP-based protocol that specifies how structured business-to-business data is securely transferred over the internet. The AS2 protocol makes it possible to exchange AS2 electronic data interchange (EDI) messages over the HTTP/S protocol.
This procedure describes how to set up a Control-M MFT B2B AS2 configuration, which enables you to transfer and receive files with an AS2 trading partner.
Begin
- Add your AS2 key pair and your trading partner’s AS2 certificate to the Control-M MFT keystore by doing the following:
  - Using the Java keytool, import your key pair and your partner’s certificate to the data/as2/keys/as2_keystore.pfx file.
    The keystore default password is: password
  - Record the Alias names used for your key and for your partner’s certificate.
  - Provide your public key certificate to the partner (so they can add it to their keystore).
- Send AS2 messages to your partner by doing the following:
  - Create an AS2 connection profile, as described in Creating a Centralized Connection Profile.
  - Verify that the Partner Certificate Alias defined in AS2 Settings is the same alias defined in step 1.
  - Test the connectivity to the AS2 server.
    A test file is sent to the AS2 server. You can configure the filename and content of the test file by editing the as2.testFileUploadPath parameter value in the data/aft_configurable.properties file.
  - Define a File Transfer job that sends files to your partner's AS2 server.
    Verify that the selected connection profile is Local to AS2.
- Receive AS2 messages from your partner by doing the following:
  - Define the partner on the Hub by creating an external user, as described in Creating External Users (do not define AS2 settings yet).
  - Create a virtual folder on the Hub where AS2 messages are stored and associate the partner with it, as described in Creating Virtual Folders.
  - Select the user you created above and add the AS2 settings, as described in Creating External Users.
    The partner’s AS2 ID and Alias must be similar to the values specified in the Connection Profile.
  - Configure AS2 settings on the Hub, as described in AS2 Settings.
  - Verify that the AS2 Listener Listen for AS connection and additional ports is selected and ports are available.
    The default ports for receiving messages/MDN receipts are 9443 for HTTPS and 10087 and 10083 for HTTP.
    External users can connect to the following URLs to submit AS2 messages or return MDN receipts:
    - HTTPS:
      - To send messages to https://<gateway_or_loadbalancer>:9443/HttpReceiverServlet
      - To send MDN receipts to https://<gateway_or_loadbalancer>:9443/MDNHttpReceiverServlet
    - HTTP:
      - To send messages to http://<gateway_or_loadbalancer>:10087/HttpReceiver
      - To send MDN receipts to http://<gateway_or_loadbalancer>:10083/HttpReceiver
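Step 1 of this procedure (importing your key pair and the partner certificate, recording the aliases, and exporting your public certificate) written as keytool commands. This is an added example, not BMC's own script: the aliases, file names and the SRC_PASS variable are placeholders, and only the keystore path and default password come from the procedure above.

```shell
#!/usr/bin/env bash
# Added example. Aliases, file names and SRC_PASS are constructed placeholders.
# KS is the keystore path from step 1; rehearse on a copy before touching the live file.
KS=${KS:-data/as2/keys/as2_keystore.pfx}
export KS_PASS=${KS_PASS:-password}   # default stated in step 1; set KS_PASS if yours differs
export SRC_PASS=${SRC_PASS:-}         # password of the PKCS#12 file that holds your key pair

# Passwords are passed with the :env modifier so they do not appear in the process list.
import_own_keypair() {   # <source.p12> <alias>
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env SRC_PASS -srcalias "$2" \
    -destkeystore "$KS" -deststoretype PKCS12 -deststorepass:env KS_PASS -destalias "$2"
}

import_partner_cert() {  # <partner.cer> <alias>
  keytool -importcert -noprompt -alias "$2" -file "$1" \
    -keystore "$KS" -storetype PKCS12 -storepass:env KS_PASS
}

# Prints PrivateKeyEntry or trustedCertEntry; prints nothing if the alias is missing.
entry_type() {           # <alias>
  keytool -list -alias "$1" -keystore "$KS" -storetype PKCS12 -storepass:env KS_PASS |
    grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# Succeeds only if your alias holds a private key and the partner alias holds
# just a certificate, which catches a key pair imported without its key.
verify_aliases() {       # <own-alias> <partner-alias>
  [ "$(entry_type "$1")" = PrivateKeyEntry ] && [ "$(entry_type "$2")" = trustedCertEntry ]
}

# Export only the public certificate (PEM) for the partner, never the .p12 file.
export_public_cert() {   # <alias> <out.cer>
  keytool -exportcert -rfc -alias "$1" -file "$2" \
    -keystore "$KS" -storetype PKCS12 -storepass:env KS_PASS
}

# Usage (constructed names):
#   SRC_PASS=... import_own_keypair my_as2.p12 my_as2
#   import_partner_cert partner.cer partner_as2
#   verify_aliases my_as2 partner_as2 && export_public_cert my_as2 my_as2_public.cer
```

The two aliases passed to `verify_aliases` are the ones to record and to enter as the certificate aliases in the AS2 settings.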