File Transfer Server

The File Transfer Server is a process that runs on every Agent where Control-M MFT is installed and supports FTP/S, SFTP, and HTTP/S. It is embedded in the MFT process and runs by default, but you can disable it, as described in MFT Server General Parameters.

The following diagram shows the File Transfer Server architecture:

Configuring MFT Client and Server

This procedure describes how to configure the MFT Client and Server, which enables you to transfer files directly from one MFT host to another MFT host, without using an FTP server on a third computer.

You can connect to an SFTP or FTP client on an ad hoc basis, as follows:

  • SFTP Client: <FTS hostname>:<FTS SFTP port>

  • FTP Client: <FTS hostname>:<FTS FTP port>

    By default, the FTP server is down. You must enable the FTP server, as described in MFT Server General Parameters.

You can connect via a Web browser (HTTP/S), as follows:

https://<FTS_hostname>:<FTS HTTPS port>

Begin

  1. From the icon, select Configuration.

  2. From the drop-down list, select Plug-ins.

  3. Select the required File Transfer plug-in and then from the Configuration drop-down list, do one or more of the following:
  4. Click Save.

Stopping the File Transfer Server

This procedure describes how to manually stop the File Transfer Server. The Agent host starts the File Transfer Server automatically after 30 seconds. You can disable the File Transfer Server permanently, as described in MFT Server General Parameters.

Begin

From the Agent, run one of the following commands:

  • UNIX: <Agent Home>/cm/AFT/exe/shutb2b.sh

  • Windows: <Agent Home>\cm\AFT\exe\shutb2b.cmd

Starting the File Transfer Server

This procedure describes how to manually start the File Transfer Server.

Begin

  • From the Agent host, run one of the following commands:

    • UNIX: cm/AFT/exe/startb2b.sh

    • Windows: cm\AFT\exe\startb2b.sh

MFT Client Configuration Parameters

The following table lists the Control-M for MFT configuration parameters.

Area

Parameter

Description

General Debug Level

Determines the debug level of Control-M MFT.

Valid Values: 0–5

  • The MFT debug level is set to the Agent debug level when the Agent debug level is higher.

  • MFT log files are saved in the <Agent home dir>/proclog directory.

SSL Debug Trace

Determines whether to run the Control-M for MFT SSL diagnostics.

To view SSL trace information in the log, add the following flag to the Java command in the ctmaftcontainer script:

-Djavax.net.debug=ssl:[flag]

-Djavax.net.debug=ssl

-Djavax.net.debug=ssl:record

-Djavax.net.debug=ssl:handshake:data

Use PAM Password Authentication

(Linux only) Authenticates the local host with PAM based authentication.

PGP Temporary Directory

Determines the temporary location where PGP files are stored.

Default: <Agent_Home_Dir>\cm\AFT\pgp_tmp

Users that are defined in the connection profile on the host where the Local CM checkbox is selected, must have read and write permissions in the PGP temporary directory.

Connection

Connection Timeout

Determines the number of seconds the MFT client attempts to establish a connection to an FTP server before a timeout.

Valid Values: 0–9999

where 0 means no timeout.

Default: 30

Number of Retries

Determines the number of connection attempts between 0–99 after a connection failure to an FTP server

Default: 5)

When the remote FTP server is running on a z/OS system, this parameter has no effect.

Time Between Retries

Determines the number of seconds between each connection attempt to an FTP server.

Default: 6

File Watcher

Interval between File Searches

Determines the range, in seconds (1–9999), between successive attempts to detect the existence of a file and the range between attempts to monitor the size of a file after it is detected.

Default: 30

Number of Iterations while Size is Static

Determines the numbers of attempts (1–999) to monitor the file size when it is static after it has reached its minimum detected size.

Default: 3

Checks that File is Not in Use

(UNIX only) Checks if the file is used by another process or application on a local host. If it is, then the watch action fails.

You must have the lsof utility on your computer and it must exist in the root user path, and the Agent must run as root user. Otherwise this check does not function properly.

Pre/Post File Actions

Interval between Retries

Determines the number of seconds (1–9999) to wait before MFT attempts to perform a post action on the source or destination file after a successful transfer, as described in Advanced general parameters.

Default: 5

Number or Retries

Determines the number of retries (0–999) Control-M for MFT attempts to perform the post action on the source or destination file after a successful transfer, as described in Advanced general parameters.

Default: 3

Web Proxy

Web Proxy

Determines whether to transfer files through a Web Proxy server.

Supports FTP, FTPS, SFTP, and S3.

Proxy Host

Defines the hostname of the proxy server.

Proxy Port

Defines the port number of the proxy server.

Proxy User

(Optional) Defines the username of the proxy server.

Proxy Password

(Optional) Defines the user's password of the proxy server.

MFT Server General Parameters

The following table describes the MFT Server General parameters.

Parameter

Description

Enable File Transfer Server

Determines whether the File Transfer Server is enabled or disabled.

Host

Defines the hostname where the File Transfer Server is installed.

Home directory

Defines the root path where transferred files are stored.

If you want to use a different directory for each logged in user, you must add \${userName} to the path.

C:\temp\${userName}

Bob connects to the File Transfer Server and uploads the file a.txt to the root directory. The file is saved in C:\temp\Bob\a.txt.

Default:<Agent_Home>/CM/AFT/ftshome/${userName}

Generate Access Log

Determines whether the File Transfer Server creates a daily log, which tracks all internal user access information.

The log file format is fts_access_log.<YYYYMMDD>.csv and is located in the <Agent>/proclog directory.

Multiple login allowed

(FTP only) Determines whether multiple users can connect to the File Transfer Server simultaneously.

Max Logins

(FTP only) Determines the number of users that can connect to the File Transfer Server simultaneously.

Max Login Failures

(FTP only) Determines the maximum number of login attempts that are allowed before no more logins are allowed for the period of time defined by the next parameter.

Delay after Login Failure

(FTP only) Determines the number of seconds to wait after a login failure before the next attempt .

Throttling Activated

Determines whether to limit number of simultaneous uploads and downloads.

Max Simultaneous Uploads

Determines the maximum number of simultaneous uploads

Max Simultaneous Downloads

Determines the maximum number of simultaneous downloads

FTP/FTPS Server Parameters

The following table describes FTP/FTPS server parameters.

Parameter Description

Determines whether the File Transfer Server that supports client connection via FTP/FTPS is enabled.

Port

Determines the port number that the File Transfer Server listens to for FTP/FTPS connections.

This port is used by clients to connect to the FTP/FTPS server.

Default: 1221

Secured (FTPS)

Determines whether FTPS is enabled

Keystore File Path

Defines the path to the file that contains the server certificate.

The keystore must be in PKCS#12 format. If FIPS is enabled, the format must be BCFKS.

Keystore File Password

Defines the password of the file that contains the server certificate.

Ciphers

Lists the names of ciphers used for FTPS. If no ciphers are specified, all available ciphers are supported.

Listen for Implicit Connections

Determines whether to automatically turn on security after a connection is established between the FTPS client and the Managed File Transfer server.

Passive Port/s

Limits the range of dynamic ports that can be used for passive connections in FTP. Ports can be defined as single ports, closed or open ranges. Multiple definitions must be separated by commas.

2300: Uses 2300 as the passive port.

2300–2399: Uses all ports in the range.

2300–: Uses all ports larger than 2300.

2300, 2305, 2400–: Uses 2300 or 2305 or any port larger than 2400.

Authentication

Authenticates the FTP user with one of the following methods:

  • (Windows only) Windows local user.

  • LDAP

  • (UNIX only) PAM

SFTP Server Parameters

The following table describes SFTP server parameters.

Parameter

Description

Determines whether the File Transfer Server that supports client connection via SFTP is enabled.

Port

Determines the port number that the File Transfer Server listens to for SFTP connections.

This port is used by clients to connect to the SFTP server.

Default: 1222

Keystore File Path

Defines the path to the file that contains the client's certificate.

Keystore File Password

Defines the password for the file that contains the server's certificate.

The keystore must be in PKCS#12 format. If FIPS is enabled, the format must be BCFKS.

Ciphers

Lists the names of ciphers used for SFTP.

Known User File Path

Defines the path to the file that contains known users by SFTP.

Authentication

Authenticates the SFTP user with one of the following methods:

  • (Windows only) Windows local user.

  • LDAP

  • (UNIX only) PAM

Override Home Directory for Specific Internal Users

Determines which internal users can override their specific home directory to connect to the FTS/Hub with SFTP. The home directory changes are saved in the fts_config.proerties file in the following format:

home.directory.expression.<user>=<home_dir>

The home directory can be a network path in the UNC format.

MFT Server Authentication Parameters

The following table describes MFT Server Authentication parameters.

Parameter

Description

Allowed Users

Determines who can access the File Transfer Server.

The list is separated with a comma. Wildcards can be used.

johnd,adm*,mydomain\user1

Blocked Users

Determines who cannot access the File Transfer Server.

The list is separated with a comma. Wildcards can be used.

johnd,adm*,mydomain\user1

Search User

Defines the LDAP browse user.

Password

Defines the password of the user defined in the Search user field. The value of this field can be left blank if the Search User does not have a defined password.

URL

Defines the URL address and port of a directory server.

Base DN

Defines the point from where the server searches for users.

ou=sales,dc=company,dc=us,dc=com

Username Attribute

Defines the name of the LDAP attribute that contains the username.

DN Attribute

Defines the name of the LDAP attribute that contains the distinguished name

Timeout

Determines the number of milliseconds to wait before a timeout.

Default: 30,000

Service name

Defines the PAM service name.

Default: passwd

In non-root mode, you can only authenticate the Agent user. To authenticate other users, you must run as root.

BMC does not recommend that you run as root.

Connecting to the SFTP Server with Public Key Authentication

This procedure describes how to connect to the SFTP Server with Public Key authentication without logging in with a user and password for each connection.

The File Transfer Server only accepts SSH keys with a non-empty passphrase.

Begin

  1. Generate client public keys or use existing keys from your SFTP client.

    If your client is Control-M MFT, see Generating SSH Keys.

  2. Navigate to the following location:

    <Agent_Home>\CM\AFT\data\

  3. Open the authorized_keys file and add a new line with the following format:

    <user> <key format> <key content>

    Where:

    • <user>: The username that is authenticated by an external authentication tool, such as LDAP or PAM.

    • <key format>: Key format that is defined by the key generator, such as ssh-rsa.

    • <key content>: The public key component with out the key comments section.

      cuser ssh-rsa AAAAB3NzaC1yc2EAAAAB97sd6f7f6dsfe3sdfsdalkjhfsdklafdufdsAJSDJKAJDHGjhgaSDjhgAjkhgA=

Customizing the MFT File Transfer Server Website

This procedure describes how to customize your MFT File Transfer Server Website. You can customize the logo, change the login page background image, and change the site icon on the browser tab.

Begin

  1. From the Agent account where MFT is installed, navigate to one of the following locations:

    • Windows: <ag>\cm\AFT\data\resources\
    • Linux: <ag>/cm/AFT/data/resources/

  2. Customize your website, as follows:

    • To change the login page background image, update bg-login.jpg.

    • To change the company logo to appear on a dark background bar, update CompanyLogoForDarkBar.svg.

    • To change the company logo to appear on a light background bar, update CompanyLogoForLightBar.svg.

      To optimize image dimensions, use the following:

      • *.jpg File Format: 1200 x 800 px.

      • *.svg File Format: 76 x 32 px, or any 2:1 ratio.

    • To change the site icon on the browser tab, update FileExchange.ico.

  3. Restart the File Transfer Server by running one of the following:

    • Windows: shutb2b.cmd

    • Linux: shutb2b.sh