| Appendix |
340
Allow transfers for specific users by running the following commands for each user:

# asconfigurator -x "set_user_data;user_name,username;authorization_transfer_in_value,allow"
# asconfigurator -x "set_user_data;user_name,username;authorization_transfer_out_value,allow"
Note: For a user that is used by Shares or Faspex (usually xfer), allow transfers only with a token by setting authorization_transfer_{in|out}_value to token.
5. Encrypt transfer authorization tokens.

When a client requests a transfer from a server through an Aspera web application, an authorization token is generated. Set the encryption key of the token for each user or group on the server:

# asconfigurator -x "set_user_data;user_name,username;token_encryption_key,token_string"
# asconfigurator -x "set_group_data;group_name,groupname;token_encryption_key,token_string"

The token string should be at least 20 random characters.

Note: This key is not used to encrypt transfer data, only the authorization token.
6. Require encryption of content in transit.

Your server can be configured to reject transfers that are not encrypted, or that are not encrypted with a strong enough cipher. Aspera recommends setting an encryption cipher of at least AES-128. AES-192 and AES-256 are also supported but result in slower transfers. Run the following command to require encryption:

# asconfigurator -x "set_node_data;transfer_encryption_allowed_cipher,aes-128"

By default, your server is configured to transfer (as a client) using AES-128 encryption. If you require higher encryption, change this value by running the following command:

# asconfigurator -x "set_client_data;transport_cipher,value"

You can also specify the encryption level on the command line by using -c cipher with ascp and async transfers. ascp4 transfers use AES-128 encryption.
7. Configure SSH fingerprinting for HST Server.

For transfers initiated by a web application (such as Faspex, Shares, or Console), the client browser sends the transfer request to the web application server over an HTTPS connection. The web application requests a transfer token from the target server. The transfer is executed over a UDP connection directly between the client and the target server and is authorized by the transfer token. Prior to initiating the transfer, the client can verify the server's authenticity to prevent server impersonation and man-in-the-middle (MITM) attacks.

To verify the authenticity of the transfer server, the web application passes the client a trusted SSH host key fingerprint of the transfer server. The client confirms the server's authenticity by comparing the server's fingerprint with the trusted fingerprint. In order to do this, the host key fingerprint must be set in the server's aspera.conf.

Note: Server SSL certificate validation (HTTPS) is enforced if a fingerprint is specified in aspera.conf and HTTP fallback is enabled. If the transfer "falls back" to HTTP and the server has a self-signed certificate, validation fails, because the client requires a properly signed certificate.

If you set the host key path instead, the fingerprint is automatically extracted from the key file and you do not need to extract it manually.

Retrieving and setting the host key fingerprint:
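Steps 4 through 7 above are usually applied by hand, one asconfigurator command at a time. The following script is an added example, not part of the IBM Aspera guide, that collects those steps into one reviewable procedure: it builds the per-user authorization commands, generates a token encryption key that satisfies the 20-character minimum (rejecting shorter ones), sets the cipher values, and computes the host key fingerprint from the public key file. It prints the commands in plan mode and only executes them in apply mode when asconfigurator is on the PATH. Two things are assumptions rather than facts taken from this page: that the fingerprint aspera.conf expects is the SHA-1 hex digest of the base64-decoded public key blob, and that the server-side parameter for it is named ssh_host_key_fingerprint; the user names alice, bob and the key path are placeholders.

```shell
#!/bin/sh
# Added example (not from the IBM Aspera HST Server guide): assemble the
# hardening steps for per-user authorization, token keys, ciphers and the
# SSH host key fingerprint into one script.
#   sh harden_aspera.sh plan    # print the asconfigurator commands only
#   sh harden_aspera.sh apply   # run them (requires asconfigurator on PATH)
set -eu

# Step 4: per-user transfer authorization. Use "allow" for interactive users
# and "token" for the account web applications transfer as (usually xfer).
user_auth_cmds() {   # $1=user_name  $2=allow|token|deny
    printf '%s\n' \
        "asconfigurator -x \"set_user_data;user_name,$1;authorization_transfer_in_value,$2\"" \
        "asconfigurator -x \"set_user_data;user_name,$1;authorization_transfer_out_value,$2\""
}

# Step 5: a random token encryption key. Assumes /dev/urandom and the
# coreutils base64/tr/cut; only [A-Za-z0-9] is kept so the key is safe to
# quote in a shell command.
gen_token_key() {    # $1=length (default 32; the guide requires at least 20)
    len="${1:-32}"
    head -c "$((len * 2))" /dev/urandom | base64 | tr -d '\n/+=' | cut -c1-"$len"
}

# Refuses keys shorter than the 20 characters the guide calls for.
token_key_cmds() {   # $1=user|group  $2=name  $3=key
    key="$3"
    if [ "${#key}" -lt 20 ]; then
        echo "token encryption key must be at least 20 characters" >&2
        return 1
    fi
    case "$1" in
        user)  printf '%s\n' "asconfigurator -x \"set_user_data;user_name,$2;token_encryption_key,$key\"" ;;
        group) printf '%s\n' "asconfigurator -x \"set_group_data;group_name,$2;token_encryption_key,$key\"" ;;
        *)     echo "unknown scope: $1" >&2; return 1 ;;
    esac
}

# Step 6: minimum cipher the server accepts, and the cipher it uses as a client.
cipher_cmds() {      # $1=server minimum (aes-128|aes-192|aes-256)  $2=client cipher
    printf '%s\n' \
        "asconfigurator -x \"set_node_data;transfer_encryption_allowed_cipher,$1\"" \
        "asconfigurator -x \"set_client_data;transport_cipher,$2\""
}

# Step 7: fingerprint of the SSH host public key. ASSUMPTION (not stated on
# this page): the value is the SHA-1 hex digest of the base64-decoded key
# blob, i.e. the second field of the .pub line. Needs base64 and sha1sum.
host_key_fingerprint() {   # $1=path to ssh_host_*_key.pub
    awk '{print $2}' "$1" | base64 -d | sha1sum | awk '{print $1}'
}

# Reads one command per line; prints in plan mode, executes in apply mode.
run_cmds() {         # $1=plan|apply
    while IFS= read -r cmd; do
        if [ "$1" = apply ] && command -v asconfigurator >/dev/null 2>&1; then
            eval "$cmd"
        else
            echo "$cmd"
        fi
    done
}

main() {             # $1=plan|apply
    {
        for u in alice bob; do user_auth_cmds "$u" allow; done   # placeholder users
        user_auth_cmds xfer token                                 # web-app account: token only
        token_key_cmds user xfer "$(gen_token_key 32)"
        cipher_cmds aes-128 aes-128
        fp="$(host_key_fingerprint /etc/ssh/ssh_host_rsa_key.pub)"   # placeholder path
        # ASSUMPTION: parameter name for the server-side fingerprint setting.
        printf '%s\n' "asconfigurator -x \"set_server_data;ssh_host_key_fingerprint,$fp\""
    } | run_cmds "$1"
}

case "${1:-}" in
    plan|apply) main "$1" ;;
esac
```

Run it in plan mode first and diff the printed commands against what you expect; the token key is regenerated on every run, so capture it from the plan output if the same key must also be configured in the web application.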