IBM Aspera Shares Administrator Guide 1.9.1
Linux 64-bit: RedHat 6 & 7, CentOS 6 & 7
Revision: 1.9.1.106796
Generated: 05/20/2015 14:10

| Contents | 2

Contents

Introduction ... 4
Installation ... 5
  System Requirements ... 5
  Installing Shares ... 5
    Configuring HTTP and HTTPS Fallback ... 8
  Installing Enterprise Server ... 9
  Upgrading Shares ... 9
  Restoring Shares from a Backup ... 12
  Uninstalling Shares ... 12
  Configuring a Directory Service (DS) ... 13
  Installing an SSL Certificate for Shares ... 17
Configuring Shares ... 18
  Configuring Email ... 18
    Setting Up the SMTP Server ... 18
    Updating Links in Email Notifications ... 18
    Configure Email Settings ... 19
    Creating Email Templates ... 19
    Creating and Modifying Variables ... 21
  Configuring Security ... 22
  Configuring System Settings ... 23
Managing Nodes and Shares ... 24
  Adding Nodes ... 24
  Adding Shares ... 27
  Modifying Nodes ... 29
  Browsing Nodes ... 30
  Modifying Shares ... 30
  Browsing Shares ... 32
  Searching Nodes and Shares ... 32
  Transferring Content Between Shares ... 33
Managing Home Shares ... 34
  Enabling and Disabling Home Shares ... 34
Managing User Accounts ... 35
  Configure User Preferences ... 35
  User Permissions ... 36
    Authorize a User, Group, or DS With Manager Permissions ... 37
  Creating Local Accounts ... 37
    Adding Local Users ... 37
    Adding Local Groups ... 40
  Setting Up DS Users and Groups ... 42
    Importing DS Users ... 42
    Importing DS Groups ... 42
  Managing Users ... 43
    Setting Permissions for Individual DS Users ... 43
  Managing Groups ... 46
    Setting Permissions for Individual DS Groups ... 46
  Searching Accounts ... 50
Working with SAML ... 51
  Configuring SAML ... 52
  Configuring Your Identity Provider (IdP) ... 53
  Creating SAML Groups ... 54
  Adding a SAML User to a Local Group ... 54
  User Accounts Being Provisioned by SAML Just-In-Time (JIT) Provisioning ... 54
Working with Rake Tasks ... 56
  User Management Rake Tasks ... 56
  Group Management Rake Tasks ... 58
  Share Management Rake Tasks ... 59
  Node Management Rake Tasks ... 60
  Other Configurations Using Rake Tasks ... 62
Configuring MySQL Server ... 64
  Using Another MySQL Server During Installation ... 64
  Using Another MySQL Server After Installation ... 64
  Changing the Built-in MySQL Port ... 65
Configuring the Stats Collector ... 66
  Adding Existing Nodes to Stats Collector ... 66
  Configure Stats Collector Log Levels ... 66
  Lowering Stats Collector Polling Frequency ... 67
  Retrieving Stats Collector Version Number ... 67
Performing Maintenance Tasks ... 68
  Clearing Background Jobs ... 69
  Fixing Services Not Running After Upgrading Shares ... 69
  Restart Shares Services ... 69
  Backing Up Shares and the Database ... 70
  Gathering and Zipping Up All Logs for Support ... 70
  Checking for SSH Issues ... 71
  Monitoring ... 71
    Viewing Activities ... 71
    Viewing Background Jobs ... 71
    Viewing Errors and Warnings ... 71
Appendix ... 72
  Configuring a Remote Transfer-Server Node ... 72
  Extending the Node Timeout ... 74
  Changing Nginx Ports ... 75
  Open a MySQL Prompt ... 76
  Generate an SSL Certificate ... 76
  Setting Up Shares and Console on the Same Host ... 77
  Securing an SSH Server ... 78
  Shares API Permissions ... 79
  Troubleshooting ... 80
Technical Support ... 81
Feedback ... 82
Legal Notice ... 83

Introduction

IBM Aspera Shares is a multinode web transfer application that enables companies to share content in the form of files and directories of any size within their organization or with external customers and partners. You can deploy Shares as either of the following:
• A single server solution that enables sharing content from a single content store and transfer node.
• A separate server that consolidates multiple content nodes into a single view, and enables management of user access and file transfers across all nodes.

Shares is powered by IBM Aspera Enterprise Server, which features the Aspera Node API, a daemon providing REST-enabled file operations and a transfer management API. Shares can manage one or more transfer nodes, which can be local, remote, or cloud-based file systems. Transfer nodes are accessed using the Aspera Node API, which is activated by the Aspera Enterprise Server license.

With Shares you can perform the following tasks:
• Navigate across files and folders to locate and initiate a high-speed file transfer.
• Use search, filtering, and sorting capabilities to find individual files or folders in content stores.
• Provide secure authenticated access with support for users, groups, and directory services.
• Manage access and visibility of nodes and directories.
• Manage user activities at the directory level.
• Set up a real-time activity feed that keeps track of user actions and operations such as creating, deleting, and renaming files and directories. You can also keep track of all administration and management functions.
• Configure system logging levels.
Installation

System Requirements

The IBM Aspera Shares application requires the following:

On the Shares server:
• Linux 64-bit: RedHat 6 & 7, CentOS 6 & 7, with kernel 2.4 or higher and libc version GLIB 2.3.4 or higher
• Shares package and license file

Shares includes an Nginx web server listening on ports 80 and 443. For best results, Aspera recommends using a machine that does not already run a web server. If another web server must run on the same machine, it competes for ports 80 and 443: configure either that server or the Shares Nginx server to use different ports (see Changing Nginx Ports on page 75). If you install IBM Aspera Enterprise Server and Shares on the same host and configure a firewall, close all ports that are not required. For details, see the firewall configuration section of the IBM Aspera Enterprise Server documentation.

On node machines:
• IBM Aspera Enterprise Server 3.3.x (or later) or IBM Aspera Connect Server 3.3.x (or later). If older versions of these products are already installed and running on the system, upgrade to the required version before setting up the node server. See http://downloads.asperasoft.com/en/documentation/1 for information on installing or upgrading these products.
• Enterprise Server license file.
• Identify a directory to use for sharing data.

On all machines (Shares and nodes):
• Verify that the machine's hosts file has an entry for 127.0.0.1 localhost (/etc/hosts on Linux, or C:\WINDOWS\system32\drivers\etc\hosts on Windows nodes).
• Verify that SELinux is not enforcing: run getenforce, or inspect /etc/sysconfig/selinux. SELinux may be permissive or disabled, but not enforcing. Permissive mode still records would-be denials in the audit log, so it is the better choice of the two if you want to keep the option of writing a policy later.

Installing Shares

For details on upgrading IBM Aspera Shares, see Upgrading Shares on page 9.

1. Download Shares from http://downloads.asperasoft.com/en/downloads/34. You need your Aspera credentials to download the software.

2. To unpack, run the following command as root, where version is the package version:

    [root] $ rpm -Uvh aspera-shares-version.rpm

   The following is an example of what you can expect to see:

    [root] $ rpm -Uvh aspera-shares-1.9.1.100746-1.x86_64.rpm
    Preparing...                ########################################### [100%]
       1:aspera-shares          ########################################### [100%]

    To use a remote MySQL server and disable the local MySQL server, add the connection information to this file:
      /opt/aspera/shares/etc/my.cnf.setup

    To complete the installation, please run this script as the root user:
      [root]$ /opt/aspera/shares/u/setup/bin/install

3. Run the install script:

    $ /opt/aspera/shares/u/setup/bin/install
    Starting aspera-shares ... Started
    Testing 20 times if MySQL is accepting connections ...
    Waiting for MySQL server to answer.
    mysqld is alive
    Writing /etc/init.d/aspera-shares ...
    Running chkconfig to add the service to the runlevels ...
    Generating a private key and self-signed certificate ...
    To install your own private key and certificate authority-signed certificate, replace these files
      /opt/aspera/shares/etc/nginx/cert.key
      /opt/aspera/shares/etc/nginx/cert.pem
    Creating the shares database ...
    Loading the shares database schema ...
    Initializing the shares database ...
    To create an admin user, run this command:
      /opt/aspera/shares/u/shares/bin/run rake aspera:admin NAME="admin" PASSWORD="jFOBTzkgoJBk836cVW3zFXTX7XvOJSg" EMAIL="aspera@example.com"
    Creating the stats collector database ...
    Generating stats collector keys ...
    Done

   The password is randomly generated; copy and paste the command to create the admin user. Because the password is passed on the command line, it is written to the root shell history and is visible to other local users in the process list while the command runs. Change it at first login (step 5) and remove the command from the shell history afterward.

   Note: If you forget to make a note of the password at installation time, you can set a new one by running the same rake task from the Shares server root shell with a password of your choosing:

    /opt/aspera/shares/u/shares/bin/run rake aspera:admin NAME="admin" PASSWORD="new_password" EMAIL="aspera@example.com"

4. On the computer where Shares is installed, launch a web browser and navigate to https://shares_ip_address. Shares listens on both port 80 and port 443; use HTTPS so that the administrator credentials are not sent in the clear. Until you install your own certificate (see Installing an SSL Certificate for Shares on page 17) the browser warns about the self-signed certificate generated by the install script. The Shares login page appears. Log in using the administrator username and password you created during the installation process.

5. On the Change Password page that appears, provide a new password.

6. The Shares login page appears again. Log in with your new password.

7. The License page appears.

8. In the Add/Change License dialog that appears, paste your license key, and click Save.

9. Configure the server's hostname or IP address used in emails sent from Shares to users by selecting Other > Web Server.

10. Type the Shares server's hostname or IP address into the Host field. It is used as part of the URL in system emails to users. By default the port is set to 443 and SSL/TLS is selected.

11. Secure IBM Aspera Enterprise Server by doing the following:
   • Secure an SSH server.
   • Configure a firewall.
   • Set up SSL for nodes.
   For details on how to perform these tasks, see http://downloads.asperasoft.com/en/documentation/1.

Configuring HTTP and HTTPS Fallback

HTTP Fallback serves as a secondary transfer method when the connectivity required for Aspera accelerated transfers (UDP port 33001, by default) is unavailable. When HTTP Fallback is enabled and UDP connectivity is lost or cannot be established, the transfer continues over HTTP or HTTPS. Plain-HTTP fallback carries file content without transport encryption, so if the content is sensitive, enable only the HTTPS variant.

Note: This feature requires configuring your settings in IBM Aspera Enterprise Server. For details on how to perform these tasks, see the "Configuring HTTP and HTTPS Fallback" topic in your transfer product's Administrator Guide.

You may configure HTTP/HTTPS Fallback in the Aspera Enterprise Server GUI or by modifying aspera.conf. To edit your settings within the GUI, launch Enterprise Server and go to Configuration > Global (tab in left pane) > HTTP Fallback (tab in right pane).
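The <http_server> section of aspera.conf that this topic describes can also be edited with a script, which is useful when the same change has to be applied to several transfer nodes. The following is an added example, not Aspera's code and not part of this guide: it uses Python's standard xml.etree library to set the fallback ports and enable flags, refuses ports that collide with the Shares Nginx listeners on 80 and 443 (relevant when Shares and Enterprise Server share a host), keeps plain-HTTP fallback off unless asked for, and reads the section back so the change can be checked. The sample aspera.conf text and the port values 8080 and 8443 are constructed for the example, and /opt/aspera/etc/aspera.conf is the assumed default path of the real file.

```python
import xml.etree.ElementTree as ET

# Ports the Shares Nginx server listens on (see System Requirements). A fallback port must
# not collide with them when Shares and Enterprise Server run on the same host.
SHARES_NGINX_PORTS = {80, 443}

# Constructed sample of the relevant part of aspera.conf (the real file has many more sections).
SAMPLE_ASPERA_CONF = """<CONF version="2">
  <http_server>
    <http_port>8080</http_port>
    <https_port>8443</https_port>
    <enable_http>false</enable_http>
    <enable_https>false</enable_https>
  </http_server>
</CONF>
"""


def _check_port(port: int) -> None:
    """Reject impossible ports and ports already claimed by the Shares web server."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is out of range")
    if port in SHARES_NGINX_PORTS:
        raise ValueError(f"port {port} is used by the Shares Nginx server")


def set_http_fallback(conf_xml: str, http_port: int, https_port: int,
                      enable_http: bool = False, enable_https: bool = True) -> str:
    """Return conf_xml with <http_server> set to the given ports and flags.

    HTTPS fallback is on and plain-HTTP fallback off by default: plain HTTP carries file
    content without transport encryption, so enable it only where that is acceptable.
    """
    _check_port(http_port)
    _check_port(https_port)
    if http_port == https_port:
        raise ValueError("http_port and https_port must differ")
    root = ET.fromstring(conf_xml)
    server = root.find("http_server")
    if server is None:                      # section absent: create it
        server = ET.SubElement(root, "http_server")
    values = {
        "http_port": str(http_port),
        "https_port": str(https_port),
        "enable_http": "true" if enable_http else "false",
        "enable_https": "true" if enable_https else "false",
    }
    for name, text in values.items():
        element = server.find(name)
        if element is None:
            element = ET.SubElement(server, name)
        element.text = text
    return ET.tostring(root, encoding="unicode")


def read_http_fallback(conf_xml: str) -> dict:
    """Read the <http_server> settings back as ints and bools (empty dict if absent)."""
    server = ET.fromstring(conf_xml).find("http_server")
    if server is None:
        return {}

    def text(name: str) -> str:
        element = server.find(name)
        return element.text.strip() if element is not None and element.text else ""

    return {
        "http_port": int(text("http_port") or 0),
        "https_port": int(text("https_port") or 0),
        "enable_http": text("enable_http").lower() == "true",
        "enable_https": text("enable_https").lower() == "true",
    }


if __name__ == "__main__":
    # For the real file (assumed default path; adjust for your install):
    #   path = "/opt/aspera/etc/aspera.conf"
    #   with open(path) as f: new_conf = set_http_fallback(f.read(), 8080, 8443)
    # then write new_conf back and validate with /opt/aspera/bin/asuserdata -v.
    updated = set_http_fallback(SAMPLE_ASPERA_CONF, 8080, 8443)
    print(read_http_fallback(updated))
```

Write the result back to aspera.conf as root and then run the asuserdata validation described in this topic; the script only changes the four elements shown, leaving the rest of the file as it was.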
After modifying aspera.conf, run the following command (from Enterprise Server's bin directory) to validate your updated configuration file:

    $ /opt/aspera/bin/asuserdata -v

Warning: If IBM Aspera Shares is set to use Encryption-at-Rest, downloading unencrypted content through HTTP Fallback fails with the following errors:
• Downloading unencrypted file(s) or folder(s) fails with the "Insufficient permissions" error.
• Downloading a mix of encrypted and unencrypted files or folders together fails with the "Connection lost" error.
• Downloading a mix of folders, some containing only encrypted files and others only unencrypted files, fails with the "Server refused request" error.
• Downloading encrypted file(s) or folder(s) with the wrong passphrase entered fails with the "File decryption error, bad passphrase" error.

What do you do if you need to change your HTTP Fallback port number?

If you need to modify your HTTP Fallback port number, configure the following section in your aspera.conf file, replacing <port> with your new port number:

    <http_server>
      <http_port><port></http_port>
      <https_port><port></https_port>
      <enable_http>true</enable_http>
      <enable_https>true</enable_https>
    </http_server>

Installing Enterprise Server

Installing IBM Aspera Enterprise Server involves the following tasks:
• Obtaining the license.
• Installing or upgrading Enterprise Server software.
• Configuring Enterprise Server to work with Shares.
• Optionally configuring HTTP fallback.

For details on how to perform these tasks, see http://downloads.asperasoft.com/en/documentation/1 (or http://downloads.asperasoft.com/en/documentation/37 for Isilon).

Upgrading Shares

Note: Aspera recommends that you back up your system before performing an upgrade. For details on how to back up your system, see Backing Up Shares and the Database on page 70.

1. Download IBM Aspera Shares from http://downloads.asperasoft.com/en/downloads/34. You need your Aspera credentials to download the software.

2. Stop Shares services if you are currently running Shares 1.0.3 or earlier:

    [root] $ /etc/init.d/nginx stop
    [root] $ /etc/init.d/delayed_job stop

3. Run the following command as root and follow the instructions, where version is the package version:

    [root] $ rpm -Uvh aspera-shares-version.rpm

   The following is an example of the instructions displayed when the rpm command finds a version of Shares prior to 1.5:

    [root] $ rpm -Uvh aspera-shares-1.9.1.100746-1.x86_64.rpm
    Preparing...                ########################################### [100%]
    You appear to be upgrading from a version that is too old.
    The currently installed version appears to be 1.0.3.69382-1
    To upgrade, you must first back up your data and uninstall the old version.

    To back up your data:
    [root]$ /opt/aspera/shares/script/rake.sh backup DIR=/tmp
    This will create a backup directory with a name like
    /tmp/20130101012345
    You can import the contents of that directory during installation.
    [root]$ cp /opt/aspera/shares/conf/cert.key /opt/aspera/shares/conf/cert.pem /tmp/20130101012345

    ## Stop the application
    [root]$ /etc/init.d/aspera_shares_nginx stop
    [root]$ /etc/init.d/aspera_shares_delayed_job stop

    ## Remove the service scripts that cause the application to start on server boot:
    First, use the distribution-specific tool to uninstall the service script from all runlevels:
    A. For RHEL, CentOS, or SUSE:
    [root]$ chkconfig --del aspera_shares_nginx
    [root]$ chkconfig --del aspera_shares_delayed_job
    B. For Debian or Ubuntu:
    [root]$ update-rc.d -f aspera_shares_nginx remove
    [root]$ update-rc.d -f aspera_shares_delayed_job remove
    Next, remove the service scripts:
    [root]$ rm /etc/init.d/aspera_shares_nginx
    [root]$ rm /etc/init.d/aspera_shares_delayed_job

    ## Uninstall the rpm:
    [root]$ rpm -e aspera-shares

    ## Back up any remaining files:
    [root]$ mv /opt/aspera/shares /opt/aspera/shares.bak

    ## Stop the system MySQL unless otherwise needed
    aspera-shares-1.9.1.100746 no longer uses the system-provided MySQL. To stop:
    [root]$ /etc/init.d/mysqld stop
    [root]$ chkconfig mysqld off

    --You are ready to install the new version and restore your backup.

    ## Install the rpm
    [root]$ rpm -Uvh aspera-shares-1.9.1.100746-1.x86_64.rpm

    ## Run the install script
    [root]$ /opt/aspera/shares/u/setup/bin/install

    ## Restore your backup
    [root]$ /opt/aspera/shares/u/setup/bin/restore /tmp/20130101012345

    error: install: %pre scriptlet failed (2), skipping
    error: %pre(aspera-shares-1.9.1.100746-1.x86_64) scriptlet failed, exit status 1
    error: install: %pre scriptlet failed (2), skipping aspera-shares-1.9.1.100746-1

   The error lines at the end mean that the package was not installed: the rpm's pre-install check aborts the upgrade until the steps it printed have been carried out. Note that the backup directory holds the database and a copy of the private key cert.key, so restrict its permissions and keep it off shared or world-readable locations such as /tmp once it is created.

   Upgrading from Shares 1.5+: If the rpm command finds Shares 1.5+ already installed on the system, it displays instructions like the following:

    [root] $ rpm -Uvh aspera-shares-1.9.1.100746-1.x86_64.rpm
    Preparing...                ########################################### [100%]
    Switching to the down runlevel ... runsvchdir: down: now current. Switched runlevel
    Checking status of aspera-shares ... Status is running
    Stopping aspera-shares ... Stopped
       1:aspera-shares          ########################################### [100%]
    To complete the upgrade, please run this script as the root user:
    [root]$ /opt/aspera/shares/u/setup/bin/upgrade

4. Run the upgrade script:

    [root] $ /opt/aspera/shares/u/setup/bin/upgrade
    Starting aspera-shares ... Started
    Waiting for MySQL server to answer
    mysqld is alive
    Migrating the Shares database ...
    Initializing the Shares database ...
    Migrating the stats collector database ...
    Done

5. If upgrading from a Shares version prior to 1.5, restore the database:

    [root] $ /opt/aspera/shares/u/setup/bin/restore directory
    Checking status of aspera-shares ... Status is running
    mysqld is alive
    Restoring the Shares database ...
    Migrating the Shares database ...
    Initializing the Shares database ...
    Configuring the stats collector to poll all nodes ...
    Done

6. Restart all Shares services. Run the following commands to restart all Shares services at once:

    # service aspera-shares stop
    # service aspera-shares start

   Refer to Restart Shares Services on page 69 for more information on how to restart your services.

   Note: If after upgrading you notice that only the MySQL service is running, see Fixing Services Not Running After Upgrading Shares on page 69 for instructions on how to fix the issue.

Restoring Shares from a Backup

Note: To perform a backup, see Backing Up Shares and the Database on page 70.

1. Ensure that your IBM Aspera Shares backup is available. Verify that you have copied the Shares backup files to your new machine over a trusted channel; the backup contains the database and the SSL private key. See Backing Up Shares and the Database on page 70.

2. Restore the backup. Run the following script as root; the script stops Shares services, restores Shares data, and restarts Shares. You cannot use this procedure with earlier versions of Shares.

    # /opt/aspera/shares/u/setup/bin/restore /your_backup_dir/backup_id

   For example, using the ID of the example directory generated in Backing Up Shares and the Database on page 70, run:

    # /opt/aspera/shares/u/setup/bin/restore /tmp/20130627025459

   The terminal returns the following information:

    Checking status of aspera-shares ... Status is running
    mysqld is alive
    Restoring the Shares database and config files ...
    Migrating the Shares database ...
    Initializing the Shares database ...
    Configuring the stats collector to poll all nodes ...
    Restoring the SSL certificates ...
    Done

Uninstalling Shares

Note: If you wish to retain your data for future installations of IBM Aspera Shares, back up your system before performing an uninstall. For details on how to back up your system, see Backing Up Shares and the Database on page 70.

To remove Shares from the system, first stop its services from a terminal (# service aspera-shares stop), then run the following commands to remove the Shares application from the system:

    # rm /etc/init.d/aspera-shares
    # rpm -e aspera-shares

Configuring a Directory Service (DS)

Configuring a DS involves two tasks:
• Adding a DS account
• Configuring DS users and groups

IBM Aspera Shares supports the Lightweight Directory Access Protocol (LDAP), and you can configure it to connect to a directory service. The following directory service databases are supported:
• Active Directory (AD)
• Apple Open Directory
• Fedora Directory Server
• Open LDAP

Shares already has a default, local database. When you add local users, they are automatically added to Admin > Accounts > Directories > Local Database. For information on setting up local users, see Adding Local Users on page 37.

1. To add a directory service account, log into Shares and navigate to Admin > Accounts > Directories > New.

2. Complete the form that appears with your directory service's settings and click Create ldap config.

   Directory Type: Select a directory service type from one of the following options:
   • Active Directory (AD)
   • Apple Open Directory
   • Fedora Directory Server
   • Open LDAP

   Name: Type a name for this directory service.

   Description: Type a description for this directory service.

   Host: The directory's address and port number. By default, unsecured LDAP uses port 389, unsecured global catalog uses port 3268, and global catalog over SSL uses port 3269.

   Base DN: The search tree base, for example, dc=myCompany,dc=com for myCompany.com.

   Authentication Credentials:
   • Anonymous Bind
   • Simple Bind
   If Simple Bind is selected, you must type your directory service user name, which is typically a Distinguished Name (DN), for example CN=Administrator,CN=Users,DC=myCompany,DC=com, and the directory service password. Shares keeps this password so it can bind whenever it looks up users and groups, so use a dedicated service account with read-only access to the users and groups you intend to import rather than an administrative account.

   Encryption:
   • Unencrypted (Default port 389)
   • Simple TLS (Default port 636)
   Note: Aspera recommends selecting Simple TLS to secure your server. By default, LDAP traffic is transmitted unsecured; with a simple bind, that includes the bind DN and password. Enabling TLS makes the LDAP traffic confidential.

After adding a DS to Shares, you can configure specific settings for your DS users and groups.

3. In the Detail tab, update the information that you entered for the DS account when you set it up.

4. In the Groups tab, edit the DS group permissions. To set specific permissions for an individual DS group, click the corresponding Edit button. If no groups appear, the number of records may exceed the limit for displaying a list in Shares; you can search for groups by name by entering a minimum of two characters. For details on editing a DS group, see Setting Permissions for Individual DS Groups on page 46.

5. In the Users tab, edit the DS users' permissions. Your DS users are listed on this page unless the number of records exceeds the limit for displaying a list in Shares. If no list appears, you can search for users by name by entering a minimum of two characters. To set specific permissions for an individual DS user, click the corresponding Edit button. For details on editing a DS user, see Setting Permissions for Individual DS Users on page 43.

6. In the Security tab, configure security settings for the entire directory:
• If you select Disabled, no users from this directory can log into Shares. This also prevents you from giving individual DS users and DS groups access to log in.
• If you select Login, all users from this directory can log into Shares. If left clear, you may give individual DS users and DS groups access to log in.
• If you select Admin, all users in this directory have administrative permissions. If left clear, you may give individual DS users and DS groups administrative access.
Selecting Admin for a whole directory makes every account in it a Shares administrator; grant administrative access to a specific DS group instead and leave the directory-level setting clear. To configure DS users' security settings from their individual account pages, see Setting Permissions for Individual DS Users on page 43.

7. In the Shares tab, authorize specific shares for this directory. Clicking Add Share displays a list of nodes and shares that are currently configured in Shares. Click Authorize to authorize a share. You can modify the directory's permissions for browsing, transferring, and performing file operations within it. The default permission is browse. To edit these permissions or disallow the directory's access to the share, click Edit.

   Select the permissions that directory users have for the authorized share. For example, everyone in this directory may be allowed to browse the share while being unable to download, upload, perform any file operations, or receive notifications about content availability within the share. After modifying the settings, click Update. You may disallow access to this share by clicking Delete.

   Note: If you authorize a share for an entire directory, every group within that directory inherits the same access permissions.

8. In the Activity tab, view and search for activities within this directory. Search for a specific activity by typing search text into the Events text box. You can also search for activities by specifying a date and time range.

Installing an SSL Certificate for Shares

To install an SSL certificate that you have purchased, or that you have generated as described in Generate an SSL Certificate on page 76, follow the steps below.

1. Rename the certificate files provided with IBM Aspera Shares. Locate the original cert.pem and cert.key files in /opt/aspera/shares/etc/nginx.
Rename them as follows:

# cd /opt/aspera/shares/etc/nginx
# mv cert.pem cert.pem.orig
# mv cert.key cert.key.orig

2. Copy your new SSL cert files to /opt/aspera/shares/etc/nginx. Rename the cert file cert.pem and rename the key file cert.key.
3. Restart the web service. Restart nginx as follows:

# /opt/aspera/shares/sbin/sv restart nginx

Configuring Shares

Configuring Email

From the Email menu, the following capabilities are available:
• Settings
• Templates
• Variables
• SMTP

Setting Up the SMTP Server

1. Navigate to Admin > SMTP to configure the SMTP email server for IBM Aspera Shares.
2. To add a server's SMTP settings, select the SMTP option and complete the form, which requests the following information:
Server: SMTP server address
Port: SMTP port
Domain: Domain name
Use TLS if available: Aspera recommends turning TLS (Transport Layer Security) on to secure your email server.
Timeout: The timeout for connecting to SMTP servers. The default is 3 seconds.
Username: Email username
Password: Email password
From: Email sender's address
3. To debug the SMTP server settings, click Send Test Email.
Note: If you get the error "Net::SMTPUnknownError: could not get 3xx (550)" when sending a test message, you might be blocked by your domain as a potential spammer. Aspera recommends that you set an SPF record for your domain to identify which mail servers are allowed to send email on behalf of your domain. For more information about SPF and how to create an SPF record, see http://support.google.com/a/bin/answer.py?hl=en&answer=33786&topic=2759192&rd=1

After you have configured the SMTP server, you can return to this page to view all Shares activity related to it in the Activity tab. Each reported activity event is accompanied by a tag. You can click the tag to find related activities. You can also perform an activity event search by clicking Search and entering the requisite information.
Updating Links in Email Notifications

IBM Aspera Shares generates links in email notifications using the host IP address set in its Web Server settings. Whenever you change the IP address of the Shares machine, you must update this host address as well. By default, the host address is set to example.com. Navigate to Admin > Web Server and update Host with your computer's IP address.

Configure Email Settings

Select the email notification settings that a new IBM Aspera Shares user inherits by default.

Notify users on share authorization: Notify users when they are granted access to a new share.
Notify users on transfer complete: Notify users when a new transfer is completed to a share (and share notification is enabled).
Notify admins on user share authorization: Notify admins when a user is authorized to a share. Note: This option is available for admins only.
Notify admins on self registration request: Notify admins when there is a new user self registration request and self registration is set to moderated. Note: This option is available for admins only.

Note: Changing these preferences does not affect email settings for current users.

Creating Email Templates

IBM Aspera Shares comes with preconfigured notification templates, which you can access from the Templates link. To view a template, click the link for its name. To modify a template, create a new template by copying one of the preconfigured templates and editing it. You cannot modify or delete the preconfigured templates. When editing a new template, you can configure both an HTML and a plain-text version, and you can use Shares built-in variables and variables you create.

• To create a template, determine the type of template you want, and click Copy.
• To select your template as the default to be used for sending test emails, click Default. This also enables activation. The Delivered check box is inactive when checked. It only indicates that a template is the original version delivered with Shares.
• To edit the new template, click the link that is the template's name. The page that appears when you edit a new template includes three sections for modifying the email template:
Details: Lets you change the name of the template and set the email subject line.
HTML Template: Lets you edit an HTML-formatted version of the template.
Plain Template: Lets you edit a plain-text version of the template.

Email notifications always include the HTML and plain-text versions of the message. Therefore, you might want to modify both templates.
Tip: It might be convenient to make changes in the plain-text template, then copy and paste the text to the equivalent location in the HTML template. The edit boxes for both versions can be open at the same time.

Using Variables in a Template

To use variables in a template, click Template Substitution Variables at the bottom of the page. This opens the Substitution Variables dialog showing a list of variables that are available for this template. To see descriptions of each variable, click Show More. This dialog displays only those variables that you can enter in the type of template you are using, in this case, the SendTestEmail type.

When you click or select text in a template edit box, the Add links in the variables list become active. Clicking Add for a variable inserts it or replaces the selected text in the edit box. For example, select text in the edit box for the plain template, in this example, the word "User". To replace "User" with the full name of the user who performed the action that triggers this notification, click Add for the by_full_name variable in the Substitution Variables dialog. "User" is replaced with the by_full_name variable.
In the results box, the variable is displayed as "First Last" because the by_full_name variable cannot be fully interpreted until the notification has been triggered by the action or event associated with a user. Similarly, "aspera_username" is not a variable, but a display string that represents the variable by_username.

Creating and Modifying Variables

You can create or modify variables to be inserted in your IBM Aspera Shares notification templates. When editing a variable, you can configure both an HTML and a plain-text version. Variables are useful for creating reusable boilerplate text that can be used across multiple email templates.

1. Click Email > Variables to open the Notification Variables page.
2. To modify one of the Shares built-in variables, click Edit.
3. To create a new variable, click New Notification Variable.

After you have created a variable, it appears as a new entry in the Notification Variables list. When you create and modify templates, the new variable is also available in the Substitution Variables dialog and ready for use.

Configuring Security

Under Security, you can set the following options:

Session timeout: Log out users after this many minutes of inactivity (1-480 minutes).
Require strong passwords: Require passwords to be at least 8 characters and contain at least one uppercase letter, lowercase letter, number, and symbol.
Password expiration interval: The number of days before a user must change the password (1-720 or blank).
Failed login count: The number of failed logins within the Failed login interval that will cause the account to be locked (1-20).
Failed login interval: The number of minutes within which Failed login count failed logins result in the account being locked (1-60).
Self registration: Determines whether non-users can create or request user accounts. Choose from the following options:
• none: Not allowed.
• moderated: You must approve the account before it is created. If you allow self-registration, the moderated setting is recommended for security.
• unmoderated: After a user registers, the user's account is automatically created.

Self-Registration

If users are allowed to self-register, they see a Request an Account link on the login page. After a user clicks this link and completes the form, you are prompted under Admin > Accounts > Self Registration to Approve, Deny, or Delete the user's account. You can also perform a status search for new accounts.

Admins can configure in their personal preferences whether they receive emails whenever there is a new self registration request. By default, admins are opted into receiving these emails. To change the default setting, see Configure Email Settings on page 19. The email template for such emails is also configurable. For more information on customizing templates, see Creating Email Templates on page 19.

Configuring System Settings

The following System Settings configuration options are available under the Other menu on the Admin page:

Background: Modify or reset the parameters that IBM Aspera Shares checks when running background jobs.
License: View or change your Shares license.
Localization: Configure your Shares server with your local timezone, date format, and time format.
Logging: Configure whether logged events trigger a warning or an error.
Logos: Add, edit, or delete a custom logo for your Shares Web UI.
Messages: Create a login page message for your users, and a home page message.
Transfers: Configure the following transfer settings:
• Min connect version: The minimum version of the IBM Aspera Connect Browser Plug-in that can be used to transfer with Shares. The version must be in the form "X.Y" (for example, 1 or 1.2). If you are using IBM Aspera Shares on Demand, the minimum accepted version of the Connect Browser Plug-in is 2.7.8, which is the default setting.
• Upload target rate: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Upload target rate cap: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate cap: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Starting policy: Select the policy to be enforced when the transfer starts:
  Fixed: The transfer transmits data at a rate equal to the target rate, although this may impact the performance of other traffic present on the network.
  High: The transfer rate is adjusted to use the available bandwidth up to the maximum rate.
  Fair: The transfer attempts to transmit data at a rate equal to the target rate. If network conditions do not permit that, it transfers at a rate lower than the target rate, but not less than the minimum rate.
  Low: The transfer rate is less aggressive than Fair when sharing bandwidth with other network traffic. When congestion occurs, the transfer rate is decreased to the minimum rate, until other traffic retreats.
• Allowed policy: Select the policies that are available to the user during transfer. If you do not make any selections, the Inherit from node setting is displayed, which applies the settings inherited from the node.
• Encryption: Select Optional or AES-128. If you do not make any selections, the Inherit from node setting is displayed, which applies the settings inherited from the node.
• Encryption at rest: Select Optional or Required. If you do not make any selections, the Inherit from node setting is displayed, which applies the settings inherited from the node. If you select Required, the uploaded files must be encrypted during a transfer to protect them while they are stored on the remote server. The uploader sets a password before uploading the file, and the downloader must enter that password to decrypt the file.
Web Server: Configure the web server settings, including the host, port, and whether SSL/TLS is enabled. The hostname or IP address entered into the Host field is used as part of the URL in Shares emails to users. For example, when an account is created for a user, that user receives an email prompting the user to reset the password. This email contains a URL that points to whatever hostname or IP address is entered into the Host field.

Managing Nodes and Shares

Note: If you do not have browse permissions but have all other permissions, you can still perform Upload File and Upload Folder operations in the user interface (UI). However, you will not have permissions for other UI operations such as Delete or Download, and the contents of the share are not displayed.

Managing nodes and IBM Aspera Shares involves the following administrative capabilities:

Node Administration:
• Nodes are only visible to administrators.
• All administrators have the same level of privileges for all nodes.
• Administrators can create, edit, and delete nodes.
• Shares requires user authentication to access the node.
Share Administration:
• Only administrators can create, edit, and delete shares.
• Only administrators can change share authorizations.
• All administrators have the same level of privileges for share administration for all shares.
Authorization: Only administrators can change share authorizations. Precedence:
• Authorizations can be granted to users, groups, and directory services.
• Authorization at the user level takes precedence over the user's group or directory service authorization.
• In the absence of user-level authorization, a user is granted the union of all authorizations for the user's groups and directory services.
• Administrators can view, edit, and remove authorizations.
• Users can be authorized for any subset of the operations on a share, where the operations are: Browse, Upload, Download, Make directory, Delete directory or file, and Rename.

Adding Nodes

Ensure that you have the following information available:
• The node computer's hostname or IP address, along with a port and path (if applicable).
• The node API username and password that you created when you set up IBM Aspera Enterprise Server on the node machine.
• If you are adding a node on a remote server, first follow the instructions in Configuring a Remote Transfer-Server Node on page 72 to set up the remote transfer-server node.

1. On the IBM Aspera Shares Home window, click NODE+ to add a new node and complete the New Node configuration form.

Name: A description of the node. Example value: Headquarters
Host: The node computer's hostname or IP address, along with a port and path. The port field represents the port on which the node service is running. The default is 9092. The path field is an advanced feature used for URL Proxy operations. In nearly all cases, you may leave this field blank. If the node is on a remote host, use the IP address or resolvable hostname. Note: When adding a local node multiple times, you must ensure each node uses localhost as the host. Example value: In this example, Shares and Enterprise Server are installed on the same computer. That means our hostname is localhost and our node service port is HTTPS 9092.
API Username: The node API username that you created when you set up Aspera Enterprise Server on the node machine. This user is kept in the redis database for authentication between the Shares application and the node service. Example value: node-admin
API Password: The node API password that you created when you set up Enterprise Server on the node machine. Example value: s3cur3_p433
Use SSL: To encrypt the connection to the node using SSL, select this check box. Although the node is configured to use an Aspera pre-installed and self-signed certificate (/opt/aspera/etc/aspera_server_cert.pem), you can use your own certificate. To generate a new certificate, see the Setting Up SSL for Node topic in the IBM Aspera Enterprise Server Admin Guide. Note: After generating a new certificate, you must create a cert.pem file that contains the private key and the certificate. To do so, copy and paste the entire body of the key and cert files into a single text file. Then save the file as filename_cert.pem. Example value: Enabled, by default.
Verify SSL Certificate: To verify the SSL certificate, select this check box. Example value: Enabled, by default.
Timeout: Sets the number of seconds Shares waits for this node to respond to a request. Example value: 30, by default
Open Timeout: Sets the number of seconds Shares waits for the connection to this node to open. Example value: 10, by default
Bytes free - warn: Issues a warning message when the node has equal to or less than a specified number of storage bytes free. You can enter the number as G, MB, terabytes, and bytes. Example value: 50G
Percent free - warn: Issues a warning message when the node has equal to or less than a specified percent of its storage free. Example value: 25%
Bytes free - error: Issues an error message when the node has equal to or less than a specified number of storage bytes free. You can enter the number as G, MB, terabytes, and bytes. Example value: 10G
Percent free - error: Issues an error message when the node has equal to or less than a specified percent of its storage free. Example value: 10%

2. Click Create Node to save your entries. If your node has been created, it appears under the Nodes section on your Home page.
3. Browse or edit a node by selecting the node's drop-down menu. From this drop-down menu, you can perform the following tasks:
• Browse the node
• Edit the node
• View shares
• View administrative activity
• Delete the node
For detailed information on these functions, see Modifying Nodes on page 29.

Note: You can add one machine as a node multiple times, in cases that require different access credentials to see files in multiple areas of the system. When adding a local node multiple times, you must ensure each node uses localhost as the host.

Adding Shares

Ensure that you have the following information available:
• The name of the node that you want to put the share on.
• The node directory that you want to set up as the share.

You can add shares by using one of the following methods:
• In the Home window, click SHARES+. See the following procedure.
• In the Home window, click on a Node / Share / Bookmark, then select a folder and select Create Share. See the following procedure.
• In the Home window, click on a Node / Share / Bookmark, then use the Share option in the drop-down menu next to the folder that you want to share. See the following procedure.

1. On the Home window, click SHARES+ to add a new share and complete the New Share configuration form.

Name: The name of the share is only a description, which means that multiple shares can also have the same name. Example value: my first share
Node: Select a node from the drop-down list. This drop-down list is automatically populated with nodes that you have previously configured. See Adding Nodes on page 24. Example value: Select any node from the drop-down list.
Directory: Click Browse... to browse a node's directories. You are prompted to select a directory in the pop-up window. Example value: A directory called documents. You have several options:
• You can perform a search for a directory by typing its name into the text field and clicking Search.
• You can perform an advanced search by clicking Advanced and typing criteria into the text field.
• You can sort the directory list by Type, Size, Size descending, Last modified, or Last modified descending.
• You can select a radio button next to the directory that you want to be the share, then click Select.
Bytes free - warn: Issues a warning message when the share has equal to or less than a specified number of storage bytes free. You can enter the number as G, MB, terabytes, and bytes. Example value: 5G
Percent free - warn: Issues a warning message when the share has equal to or less than a specified percent of its storage free. Example value: 25%
Bytes free - error: Issues an error message when the share has equal to or less than a specified number of storage bytes free. You can enter the number as G, MB, terabytes, and bytes. Example value: 1G
Percent free - error: Issues an error message when the share has equal to or less than a specified percent of its storage free. Example value: 10%

2. Click Create Share to save your entries. If the share has been created, it appears under the Shares section on your Home page.
3. From the share's drop-down menu, you can perform the following tasks:
• Browse
• View activities
• Make comments
• Choose notification options
• Edit
• View authorizations
• View administrative activity
• Delete the share
For detailed information on these functions, see Modifying Shares on page 30.

Modifying Nodes

After you have created a node, it appears under the NODES section on your Home page. Use the drop-down menu to the right of the node name to browse, edit, view shares, view administrative activities, or delete the node.

Browse node: See Browsing Nodes on page 30.
Edit: Select Edit from the drop-down list to the right of the node's name. From the node's Detail view, you can check the node's status by performing a test, verify its free space, and delete the node. You can also change the details that you provided during the configuration step. See Adding Nodes on page 24 for details.
Shares: Select Shares from the drop-down list to the right of the node's name. This is also accessible from the node's Detail view. You can view the name and directory for each of the node's shares and edit each share. When you click Edit, the share's detail page appears. See Modifying Shares on page 30.
Admin Activity: Select Admin Activity from the drop-down list to the right of the node's name. This is also accessible from the node's Detail view. You can view a list of all administrative activity that has occurred on the selected node. You can also search for activity based on tagged events or a date range.
Delete: Select Delete from the drop-down list to the right of the node's name to delete the node from Shares. This is also accessible from the node's Detail view.

Browsing Nodes

When you browse a node, you can see all directories that exist on that node. You can also search for a directory name and sort the directory list. The following buttons enable you to perform actions on a directory or directories.

Bookmark: Create a shortcut to the selected directory. If you do not select any directory, the bookmark is the node's root directory.
Download: Download the selected directory or directories using the IBM Aspera Connect Browser Plug-in.
Upload: Upload a file or folder from another machine to this node using the Aspera Connect browser plugin.
Delete: Delete the selected directory or directories.
New Folder: Create a new directory on the node.
Rename: Rename an existing directory on the node.
Create Share: Create a share for the selected directory. You can only select one directory at a time. Click Create Share to open the New Share dialog. This dialog is prepopulated with the node and directory information. To complete the other fields, see Adding Nodes on page 24.
Sort: Sort the directories of a node by Type, Size, Size Descending, Last Modified, or Last Modified Descending.

Modifying Shares

After you have created a share, it appears under the SHARES section on your Home page. Use the drop-down menu to the right of the share name to do the following on a share:
• Browse
• View activities, administrative activities, and authorizations
• Make comments
• Choose notification options
• Edit
• Delete the share

Browse share: See Browsing Shares on page 32.
Activity: Select Activity from the drop-down list to the right of the share's name. A list of all activity that has occurred on the selected share appears. You can also search for activity based on tagged events or a date range.
Comments: Select Comments from the drop-down list to the right of the share's name. A list of any comments that have been made about the share appears. You can also add your own comments.
Notifications: Select Notifications to choose to be notified when new content has been added to your share.
Edit: Select Edit from the drop-down list to the right of the share's name. From the share's Detail view, you can check the share's status by performing a test, verify its free space, and delete the share. You can also change the details that you provided during the configuration step. See Adding Shares on page 27.
Authorizations: Selecting Authorizations from the drop-down list opens the Authorizations tab for the share. For existing users, groups, and directories, you can use the check boxes to add, delete, and change authorizations for browsing, file transfer, file operations, and notifications. To give new users and groups access to this share, use the Authorize User and Authorize Group links. To add directories to this share, use the Authorize Directory link. You can also search the system for users. Refer to the User Permissions on page 36 topic for more information on the different user roles.
Admin Activity: Select Admin Activity from the drop-down list to the right of the share's name. This is also accessible from the share's Detail view. You see a list of all admin activity that has occurred on the selected share. You can also search for activity based on tagged events or a date range.
Delete: Select Delete from the drop-down list to the right of the share's name to delete the share. This is also accessible from the share's Detail view.

Browsing Shares

When you browse a share, you see all files and directories within that share. You can also search for a directory name and sort the directory list. You can perform the following actions on a directory or directories:

Bookmark: Create a shortcut to the selected directory. If you do not select any directory, the bookmark is the node's root directory.
Download: Download the selected directory or directories using the Aspera Connect browser plugin.
Upload: Upload a file or folder from another machine to this node using the Aspera Connect browser plugin.
Delete: Delete the selected directory or directories.
New Folder: Create a new directory on the node.
Rename: Rename an existing directory on the node.
Create Share: Create a share for the selected directory. You can only select one directory at a time. Click Create Share to open the New Share dialog. This dialog is prepopulated with the node and directory information. To complete the other fields, see Adding Nodes on page 24.

Searching Nodes and Shares

You can perform keyword searches in a node, a share, or the accounts list. To perform a search on a share or node, select a share or a node on your Home page, then in the Name: box, enter a keyword for your search. You can also enable or disable the Search sub-folders option. Shares surrounds any keyword that you enter with *.
Therefore, if you enter the keyword "Dec", the search is actually performed as "*Dec*" and Shares returns any string that contains this word.

To perform a keyword search and limit the number of results, use Advanced search. You can set the following filters:
Size: Enter minimum or maximum values. Include the unit of measure as bytes, MB, or GB.
Last Modified: Enter a from date or a to date. Select a date from the pop-up calendar.

Transferring Content Between Shares

Note: This feature is supported only by IBM Aspera Enterprise Server 3.4.5 or later.

You can transfer content from any share for which you have download permission to any share for which you have upload permission. Conversely, you can transfer content to any share for which you have upload permission from any share for which you have download permission.

1. Select one or more files or folders from a share for which you have download permission.
2. Drag the files or folders to a share for which you have upload permission, or to a bookmark.

When a transfer occurs, a transfer window opens showing the current status of each transfer that is being made. In the Transfer dialog, you can also perform the following actions:
Pause: Temporarily pause a transfer.
Resume: Resume a previously paused transfer.
Clear all: Clear transfers from the list.
Remove: Remove a transfer from the list. (This also cancels any paused transfers.)

Managing Home Shares

When Home Shares are enabled, users automatically have a private share added and authorized when they first log into Shares. Home share creation for new users applies to all new users, including local users, directory users, and SAML users. Users can give other users access to their home folders.

You can choose which node to use for home directories. A new directory is created on the node, and a share is added to the user's account. The user's name is used for both the directory and share name.

Home shares are treated like regular shares by the application. Therefore, you can choose to authorize additional users to these shares or remove them individually after the initial creation. If you disable home shares on a node, any existing home directories on the node are not deleted. When you log in, you can see all the home shares under the HOME SHARES heading.

Note: If the home share creation fails when a user first logs in, an error is logged in the activity log. The next time the user logs in, another attempt to create the home folder is made.

Enabling and Disabling Home Shares

1. On the Admin window, under Other, click Home Shares. The Home Shares dialog appears.
2. To enable the automatic creation of home shares, select the check box next to Enable Home Shares. To disable home shares, leave the check box clear.
3. From the Node drop-down list, select a node. You can also add a new node by clicking New Node. See Adding Nodes on page 24 for details on how to add a node.
4. Select the default directory or click Browse to select a different directory for the home share.
5. Click Save.

Note: When you disable home shares, home shares that already exist are not affected, and existing users can use their existing home shares. However, home shares for new users are not created.
Note: When you modify the destination directory or node for home shares, existing home shares do not change to point to the new destination. However, home shares for new users are created at the new destination.

Managing User Accounts

Configure User Preferences

To configure your individual user account's settings, select your username in the top right corner and select Preferences. Here you can change general settings such as your first and last name, your password, and your email address. You can also change your email notification options, configure your system display, and choose to suppress the Aspera Connect install dialog.
Email Settings

Note: All notifications are enabled by default.

Notify me when I am granted access to a new share: Receive an email whenever you are given access to a new share.
Notify me when a new transfer is completed to a share (and share notification is enabled): Receive an email when new content has been added to your share. An admin must enable notifications for that share for you to receive an email.
Notify me when a user is authorized to a share: Receive an email whenever a user is given access to a share. Note: This option is available for admins only.
Notify me when a new user has requested an account: Receive an email whenever a new user requests an account when self-registration is enabled and set to moderated. Note: This option is available for admins only.

Display

Time Zone: The time zone for your system.
Date Order: The order in which day, month, and year are displayed.
Date Delimiter: Separates the day, month, and year.
Time Format: Display a 12-hour or a 24-hour time format.
Number Delimiter: Denotes the thousands place in a number. For example, if a comma (,) is chosen as the delimiter: "1,000". Note: The number delimiter and the number separator cannot be the same.
Number Separator: Denotes the decimal place in a number. For example, if a period (.) is chosen as the separator: "10.25". Note: The number delimiter and the number separator cannot be the same.
Items Per Page: The number of items Shares displays per page. The default is 50.

Connect Install Dialog

As you navigate through the Shares web UI, each page checks for the presence of the Connect browser plugin. If the plugin is not present, the page shows a message to download it. Changing this option from the default "false" to "true" stops Shares from prompting on each visited page.

User Permissions

There are three levels of permissions for an account authorized to access a share.
Admin

Users with the admin permission can create new shares and users and have full rights to modify or remove all existing shares and users.

Managers

Administrators can use the manager permission to delegate the creation of shares and users to another user without giving that account full administration privileges. Assigning a user to a share as its manager gives that user administrative privileges for that share and all inherited subdirectories. If a user creates a new share within a managed share, the manager of the share automatically gains administrative rights to the new share as well. Refer to Authorize a User, Group, or DS With Manager Permissions on page 37 for instructions on how to authorize manager permissions for a user.

Restrictions on the Manager Permission

Though a user with manager permissions effectively becomes the admin for that share, the following restrictions apply:

• A manager cannot modify or delete the top-level share or any shares above it.
• A manager cannot create a share at the same level as the top-level share.
• For a manager to administer a group, the manager must have manager permissions for all of that group's shares.
• Managers cannot edit admin user properties, but they can edit other managers by navigating to Admin > Users.
• A manager cannot create new users or groups if those users or groups would inherit shares not managed by the manager.
• For a manager to change the password or email of a user, the manager must be a manager of all of that user's shares.

User

A user can access any share it has been authorized to access, but the actions it is allowed to take are set and managed by any user with administrative privileges for that share. Common actions include browsing, uploading, and downloading files, and modifying the directory holding the files.
Authorize a User, Group, or DS With Manager Permissions

The following instructions describe how to authorize a user, group, or directory service (DS) with permission to manage a share.

1. Use the drop-down menu to the right of the share and select Authorizations.
2. Add a user, group, or DS using the Authorize User, Authorize Group, or Authorize Directory link.
3. Search for the name of the user, group, or DS you want to give access to the share. Once you have found the correct entry, click Add.
4. On the Authorizations page, select the manage check box to enable management of the share.

The user, group, or DS is now authorized to create and modify shares and users within the managed share.

Creating Local Accounts

Adding Local Users

Administrators can create IBM Aspera Shares user accounts that are added to the local database. For DS users, see Importing DS Users on page 42. After creating local users you can add them to a local Shares group.

1. Log into Shares and navigate to Admin > Accounts > Users > New.
2. Enter the following details:
• First Name
• Last Name
• Username
• Email Address
• Initial Login action (either send a login link that takes the user to the set-password page, or set a temporary password on the user's behalf)

The User dialog appears, with the tabs described below.

Detail: Update the local user's name, username, and email address, or delete the local user from Shares.

Member of: Add this user to a local group by selecting one from the drop-down list. Only local groups that have been added to Shares appear on this list. Note: You cannot add local users to a DS group, only to local groups. For instructions on configuring DS users, see Importing DS Users on page 42.
After adding a local user to a local group, you can click Edit to modify the group's settings, or click Remove to delete the user from the group. Clicking Edit takes you to the local group's configuration page. See Adding Local Groups on page 40 for details on modifying a local group's settings.

Security: You can update the following security settings:
• Send the user a password reset link.
• Disable the user's account. If you disable the account in this dialog, the user cannot log into Aspera Shares even if the user belongs to a group that has group access permissions.
• Allow the user to log into the Shares application.
• Make this user an administrator.
• Allow the user to log into the API. Users who do not have Browse permissions can still log into the API and perform transfer and file operations.
• Set an account expiration date.
• Set a temporary password.

Shares: Click Add Share to authorize specific shares for the local user to access. If this user belongs to a local group, and the group has access to a share, that share is listed here because permission to access the share is inherited from the group. A list of nodes and shares appears. Click Authorize to authorize a share. You can then modify the local user's permissions for browsing, transferring, and performing file operations within it. The default permission is browse. If browse is not selected, the local user can only access functions if the user has been made an API user. To edit these permissions or disallow the local user's access to the share, click Edit. Select the permissions that the local user has for the authorized share. After modifying the settings, click Update. You can disallow access to this share by clicking Delete.

Preferences: Select a time zone and enter any comments.

Transfer Settings: If the user belongs to a group, you can override the settings of Shares and of the group by setting transfer settings specifically for this user.
Click Override these settings to make changes in the enabled text boxes. Transfer settings include the following:

• Upload target rate: For example, 1.5 Gbps, 500 Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Upload target rate cap: For example, 1.5 Gbps, 500 Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate: For example, 1.5 Gbps, 500 Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate cap: For example, 1.5 Gbps, 500 Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Starting policy: Select the policy to be enforced when the transfer starts:
  Fixed: The transfer transmits data at a rate equal to the target rate, although this may impact the performance of other traffic on the network.
  High: The transfer rate is adjusted to use the available bandwidth up to the maximum rate.
  Fair: The transfer attempts to transmit data at a rate equal to the target rate. If network conditions do not permit that, it transfers at a rate lower than the target rate, but not less than the minimum rate.
  Low: The transfer rate is less aggressive than Fair when sharing bandwidth with other network traffic. When congestion occurs, the transfer rate is decreased to the minimum rate until other traffic retreats.
• Allowed policy: Select the policies that are available to the user during transfer. If you make no selection, Inherit from node is displayed and the node's settings apply.
• Encryption: Select Optional or AES-128. AES-128 requires this user's transfers to be encrypted in transit; Optional leaves the choice to the client, so unencrypted transfers remain possible. If you make no selection, Inherit from node is displayed and the node's settings apply.
• Encryption at rest: Select Optional or Required. If you make no selection, Inherit from node is displayed and the node's settings apply.
If you select Required, the uploaded files must be encrypted during a transfer to protect them while they are stored on the remote server. The uploader sets a password before uploading the file, and the downloader must enter that password to decrypt the file.

Activity: View and search for Shares activities by this user.

Adding Local Groups

Administrators can create IBM Aspera Shares local groups, in which all members have the same Shares access permissions and belong to the local database rather than a DS.

1. Log in to Shares and navigate to Admin > Accounts > Groups > New.
2. Enter the new local group's Name. The Group dialog appears, with the following six tabs.
3. Configure specific settings for your new local group:

Detail: Update the local group's name, or delete the local group from Shares.

Member of: Add members to the local group by selecting local users from the drop-down list. Only local users who have been added to Aspera Shares are listed. Note: You cannot add DS users to a local group. You can configure DS groups by navigating to Admin > Accounts > Directories. After adding a member to your local group, you can click Edit to modify that user's settings, or click Remove to delete the user from the group. When you click Edit, the individual user's configuration page appears. See Adding Local Users on page 37 for details on modifying a local user's settings.

Security: Configure security settings for all members of the group, including whether members can log into Shares and whether all members are administrators.
• If you select Login, all users in this group can log into Shares. If left clear, you can give individual users login access.
• If you select Admin, all users in this group have administrative permissions. If left clear, you can give individual users administrative access.
To configure users' security settings from their individual account pages, see Adding Local Users on page 37.

Shares: Click Add Share to authorize specific shares for the members of this group to access. A list of the nodes and shares currently configured in Shares appears. Click Authorize to authorize a share. After authorizing a share, you can modify the group's permissions for browsing, transferring, and performing file operations within it. The default permission is browse. To edit these permissions or disallow the group's access to the share, click Edit. Select the permissions that group members have for the authorized share and click Update. You can disallow access to this share by clicking Delete.

Transfer Settings: You can override the Shares settings for this group by setting transfer settings specifically for its members. Click Override these settings to make changes in the enabled text boxes. Transfer settings include the following:

• Upload target rate: For example, 1.5 Gbps, 500 Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Upload target rate cap: For example, 1.5 Gbps, 500 Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate: For example, 1.5 Gbps, 500 Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate cap: For example, 1.5 Gbps, 500 Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Starting policy: Select the policy to be enforced when the transfer starts:
  Fixed: The transfer transmits data at a rate equal to the target rate, although this may impact the performance of other traffic on the network.
  High: The transfer rate is adjusted to use the available bandwidth up to the maximum rate.
  Fair: The transfer attempts to transmit data at a rate equal to the target rate.
If network conditions do not permit that, it transfers at a rate lower than the target rate, but not less than the minimum rate.
  Low: The transfer rate is less aggressive than Fair when sharing bandwidth with other network traffic. When congestion occurs, the transfer rate is decreased to the minimum rate until other traffic retreats.
• Allowed policy: Select the policies that are available to the user during transfer. If you make no selection, Inherit from node is displayed and the node's settings apply.
• Encryption: Select Optional or AES-128. If you make no selection, Inherit from node is displayed and the node's settings apply.
• Encryption at rest: Select Optional or Required. If you make no selection, Inherit from node is displayed and the node's settings apply. If you select Required, the uploaded files must be encrypted during a transfer to protect them while they are stored on the remote server. The uploader sets a password before uploading the file, and the downloader must enter that password to decrypt the file.

Click Save to keep the new settings or Cancel to discard the changes. You can also click Use Inherited Settings to return to the application-wide transfer configuration.

Activity: View and search for Shares activities by this group.

Setting Up DS Users and Groups

Importing DS Users

1. Click Admin > Users > Search. The User Search dialog appears.
2. Type the username or at least two characters of the username and click Search. A list of users that match the characters appears.
3. Click Edit next to the username to import the user. You can now edit the user's profile. For details on how to edit a user's profile, see Adding Local Users on page 37.

Importing DS Groups

1. Click Admin > Groups > Search. The Group Search dialog appears.
2.
Type the group name or at least two characters of the group name and click Search. A list of groups that match the characters appears.
3. Click Edit next to the group to import the group. You can now edit the group's profile. For details on how to edit a group's profile, see Adding Local Groups on page 40.

Managing Users

Setting Permissions for Individual DS Users

You can configure DS users with unique settings. Click Edit for the corresponding DS user.

Detail: View the DS user's name, modify the directory, or delete the user from the IBM Aspera Shares application.

Member of: Displays all groups to which this DS user belongs. If the number of groups exceeds 100, a search facility is opened. A group's Edit link takes you to that DS group's configuration page. For details on modifying DS group settings, see Importing DS Groups on page 42.

Security: Click Security to update the following settings:
• Disable the user's account. The user is unable to log into Shares even if the user belongs to a group or directory that has access permissions.
• Allow the user to log into Shares.
• Make this user an administrator.
• Allow the user to log into the API. Users who do not have Browse permissions can still log into the API and perform transfer and file operations.
• Set an account expiration date.

Shares: Click Add Share to authorize specific shares for the DS user to access. If this user belongs to a DS group, and the group has access to a share, that share is listed here because permission to access the share is inherited from the group. The same is true if the entire directory has access to this share. A list of nodes and shares appears. Click Authorize to authorize a share. You can modify the DS user's permissions for browsing, transferring, and performing file operations within it. The default permission is browse.
If browse is not selected, the DS user can only access functions if the user has been made an API user. To edit these permissions or disallow the DS user's access to the share, click Edit. Select the permissions that the DS user has for the authorized share. After modifying the settings, click Update. You can disallow access to this share by clicking Delete.

Preferences: Select a time zone and add any comments.

Transfer Settings: You can override the Shares settings for this user by setting transfer settings specifically for this user. Click Override these settings to make changes in the enabled text boxes. Transfer settings include the following:

• Upload target rate: For example, 1.5 Gbps, 500 Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Upload target rate cap: For example, 1.5 Gbps, 500 Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate: For example, 1.5 Gbps, 500 Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate cap: For example, 1.5 Gbps, 500 Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Starting policy: Select the policy to be enforced when the transfer starts:
  Fixed: The transfer transmits data at a rate equal to the target rate, although this may impact the performance of other traffic on the network.
  High: The transfer rate is adjusted to use the available bandwidth up to the maximum rate.
  Fair: The transfer attempts to transmit data at a rate equal to the target rate. If network conditions do not permit that, it transfers at a rate lower than the target rate, but not less than the minimum rate.
  Low: The transfer rate is less aggressive than Fair when sharing bandwidth with other network traffic. When congestion occurs, the transfer rate is decreased to the minimum rate until other traffic retreats.
• Allowed policy: Select the policies that are available to the user during transfer. You can also select Inherit from node to use the node's setting.
• Encryption: Select Optional or AES-128. You can also select Inherit from node to use the node's setting.
• Encryption at rest: Select Optional or Required. You can also select Inherit from node to use the node's setting. If you select Required, the uploaded files must be encrypted during a transfer to protect them while they are stored on the remote server. The uploader sets a password before uploading the file, and the downloader must enter that password to decrypt the file.

Activity: View and search for Shares activities by a specific user.

Managing Groups

Setting Permissions for Individual DS Groups

You can configure DS groups with unique settings. Click Edit for the corresponding DS group to configure the following group settings.

Detail: View the DS group's name, modify the directory, or delete the group from IBM Aspera Shares.

Member Of: If this group is a member of another group, this tab provides that information.

Members: Displays this group's DS members and lets you edit the corresponding DS user settings. For details on editing DS user settings, see Importing DS Users on page 42.

Security: Configure security settings for all members of the DS group, including whether all members can log into Shares and whether all members are administrators. If you leave these check boxes clear, you can configure users' security settings from their individual account pages. See Adding Local Users on page 37 for details.

Shares: Authorize specific shares for the members of this DS group to access. Clicking Add Share displays a list of the nodes and shares currently configured in Shares, each with an Authorize link. Click Authorize to authorize a share.
You can modify the DS group's permissions for browsing, transferring, and performing file operations within it. The default permission is browse. To edit these permissions or disallow the DS group's access to the share, click Edit.

Note: If you authorized a share for this DS group's entire directory, this group inherits the same access permissions for that share, and the Inherited? column shows "Inherited."

Select the permissions that group members have for the authorized share. For example, an accounting department that is allowed to browse, download, and upload spreadsheets is given all file operations within the Spreadsheets share. After modifying the settings, click Update. You can disallow access to this share by clicking Delete.

Transfer Settings: You can override the Shares settings for this group by setting transfer settings specifically for its members. Click Override these settings to make changes in the enabled text boxes. Transfer settings include the following:

• Upload target rate: For example, 1.5 Gbps, 500 Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Upload target rate cap: For example, 1.5 Gbps, 500 Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate: For example, 1.5 Gbps, 500 Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate cap: For example, 1.5 Gbps, 500 Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Starting policy: Select the policy to be enforced when the transfer starts:
  Fixed: The transfer transmits data at a rate equal to the target rate, although this may impact the performance of other traffic on the network.
  High: The transfer rate is adjusted to use the available bandwidth up to the maximum rate.
  Fair: The transfer attempts to transmit data at a rate equal to the target rate.
If network conditions do not permit that, it transfers at a rate lower than the target rate, but not less than the minimum rate.
  Low: The transfer rate is less aggressive than Fair when sharing bandwidth with other network traffic. When congestion occurs, the transfer rate is decreased to the minimum rate until other traffic retreats.
• Allowed policy: Select the policies that are available to the user during transfer. You can also select Inherit from node to use the node's setting.
• Encryption: Select Optional or AES-128. You can also select Inherit from node to use the node's setting.
• Encryption at rest: Select Optional or Required. You can also select Inherit from node to use the node's setting. If you select Required, the uploaded files must be encrypted during a transfer to protect them while they are stored on the remote server. The uploader sets a password before uploading the file, and the downloader must enter that password to decrypt the file.

Click Save to keep the new settings or Cancel to discard the changes. You can also click Use Inherited Settings to return to the application-wide transfer configuration.

Activity: View and search for activity by members of this DS group.

Searching Accounts

To search for accounts from the Admin tab:

1. Under Accounts, select Groups or Users depending on the account type you want to search for.
2. Click the Search link at the top of the page.
3. Enter at least two characters for your search query. You can search by username, first name, or last name.

Note: Shares does not support searching by full name. For example, if you are searching for a user "jd_user1" with first name "John" and last name "Doe", searching "John" or "Doe" returns "jd_user1", but searching "John Doe" does not.
Working with SAML

IBM Aspera Shares supports Security Assertion Markup Language (SAML) 2.0, an open, XML-based standard that allows secure web domains to exchange user authentication and authorization data. With the SAML model, you configure the Shares web application as a SAML service provider (SP) that contacts a separate identity provider (IdP) to authenticate the users who use Shares to access secure content.

With SAML enabled and configured, a user logging into Shares is redirected to the IdP sign-on URL. If the user has already signed in with the IdP, the IdP sends a SAML assertion back to Shares and the user is logged into Shares. When SAML is enabled, Shares creates a user account based on the information in the SAML response, so the Shares user account does not need to be created manually. However, changes to the account that are made on the DS server are not picked up by SAML.

These instructions assume you are already familiar with SAML and already have an identity provider (IdP), either third-party or internal, that meets the following requirements:

• can be configured to use an HTTP POST binding
• can be connected to the same directory service being used by Shares (however, SAML and DS cannot be used together)
• will not be configured to use pseudonyms
• can be configured to return assertions to the SP (Shares) that include the entire contents of the signing certificate

Note: SAML and directory services should not be enabled together. Although there is a directory service behind a SAML IdP, Shares users will not have access to it. If Shares is being set up to use SAML, the following is recommended: (1) disable directory service sync; and (2) first remove existing directory service users from the Shares system.
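Before pointing Shares at a new IdP it is worth checking a captured response against the requirements above and against the Name ID format, entity ID, callback URL and required attributes that the Configuring Your Identity Provider (IdP) section later in this chapter lists. The following Ruby script is an added example, not part of Shares or of this guide. It parses a SAML 2.0 Response with the REXML library that ships with Ruby and reports every mismatch it finds. The Destination and Audience checks are ordinary SAML SP checks keyed to the URLs the guide lists; the two sample responses are constructed by hand, the certificate text is a placeholder, and the script does not verify the signature itself (Shares does that with the fingerprint or certificate entered under Admin > Directories).

```ruby
# Added example, not code from the Shares product or from this guide.
# Checks a SAML 2.0 Response against what the "Configuring Your Identity
# Provider" section says Shares expects from the IdP.
require 'rexml/document'
require 'rexml/xpath'

NS = {
  'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
  'saml'  => 'urn:oasis:names:tc:SAML:2.0:assertion',
  'ds'    => 'http://www.w3.org/2000/09/xmldsig#'
}.freeze
NAMEID_UNSPECIFIED = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
REQUIRED_ATTRS = %w[email given_name id surname].freeze
# Values from the guide's IdP table; replace the host with your own Shares server.
SHARES_ENTITY_ID = 'https://www.our-shares-server.com/aspera/shares/auth/saml/metadata'
SHARES_CALLBACK  = 'https://www.our-shares-server.com/aspera/shares/auth/saml/callback'

# Returns an array of problems; an empty array means the response matches.
# Signature validity is not checked here; that is done by Shares with the IdP
# certificate or fingerprint configured under Admin > Directories.
def check_shares_saml_response(xml, entity_id: SHARES_ENTITY_ID, callback: SHARES_CALLBACK)
  doc = REXML::Document.new(xml)
  problems = []
  response = REXML::XPath.first(doc, '/samlp:Response', NS)
  return ['root element is not samlp:Response'] unless response

  # HTTP-POST delivery: the Destination must be the Shares callback URL.
  dest = response.attributes['Destination']
  problems << "Destination #{dest.inspect} is not the Shares callback" unless dest == callback

  # Shares wants the Response signed, with the full signing certificate embedded.
  sig = REXML::XPath.first(response, 'ds:Signature', NS)
  cert = sig && REXML::XPath.first(sig, './/ds:X509Certificate', NS)
  problems << 'Response is not signed' unless sig
  problems << 'signature does not embed the signing certificate' if sig && cert.nil?

  assertion = REXML::XPath.first(response, 'saml:Assertion', NS)
  return problems << 'no saml:Assertion' unless assertion

  # SAML_SUBJECT is the NameID: unspecified format, not a transient/persistent pseudonym.
  name_id = REXML::XPath.first(assertion, 'saml:Subject/saml:NameID', NS)
  fmt = name_id && name_id.attributes['Format']
  problems << 'no Subject/NameID' unless name_id
  problems << "NameID Format #{fmt.inspect} is not #{NAMEID_UNSPECIFIED}" if name_id && fmt != NAMEID_UNSPECIFIED

  # The assertion must be addressed to the Shares entity ID.
  audience = REXML::XPath.first(assertion, 'saml:Conditions/saml:AudienceRestriction/saml:Audience', NS)
  problems << 'Audience is not the Shares entity ID' unless audience && audience.text.to_s.strip == entity_id

  # Every attribute Shares needs to create the account must be present and non-empty.
  attrs = {}
  REXML::XPath.each(assertion, 'saml:AttributeStatement/saml:Attribute', NS) do |a|
    v = REXML::XPath.first(a, 'saml:AttributeValue', NS)
    attrs[a.attributes['Name']] = v ? v.text.to_s.strip : ''
  end
  REQUIRED_ATTRS.each { |n| problems << "missing or empty attribute #{n}" if attrs[n].to_s.empty? }
  problems
end

# Constructed sample responses (hand-written, not captured from any IdP).
CERT_BLOCK = '<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>' \
             'PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'

def sample_response(name_id_format:, attrs:, signed: true)
  attr_xml = attrs.map { |n, v|
    "<saml:Attribute Name=\"#{n}\"><saml:AttributeValue>#{v}</saml:AttributeValue></saml:Attribute>"
  }.join
  <<~XML
    <samlp:Response xmlns:samlp="#{NS['samlp']}" xmlns:saml="#{NS['saml']}" xmlns:ds="#{NS['ds']}"
        ID="_r1" Version="2.0" Destination="#{SHARES_CALLBACK}">
      #{signed ? CERT_BLOCK : ''}
      <saml:Assertion ID="_a1" Version="2.0">
        <saml:Subject><saml:NameID Format="#{name_id_format}">jdoe</saml:NameID></saml:Subject>
        <saml:Conditions><saml:AudienceRestriction><saml:Audience>#{SHARES_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
        <saml:AttributeStatement>#{attr_xml}</saml:AttributeStatement>
      </saml:Assertion>
    </samlp:Response>
  XML
end

GOOD_ATTRS = { 'email' => 'jdoe@example.com', 'given_name' => 'John', 'id' => 'jdoe', 'surname' => 'Doe' }.freeze
GOOD_RESPONSE = sample_response(name_id_format: NAMEID_UNSPECIFIED, attrs: GOOD_ATTRS)
# Unsigned, transient (pseudonymous) NameID, and surname missing.
BAD_RESPONSE = sample_response(name_id_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
                               attrs: GOOD_ATTRS.reject { |k, _| k == 'surname' }, signed: false)

if __FILE__ == $PROGRAM_NAME
  puts "good: #{check_shares_saml_response(GOOD_RESPONSE).inspect}"
  puts "bad:  #{check_shares_saml_response(BAD_RESPONSE).inspect}"
end
```

To use it on a real IdP, capture the base64 SAMLResponse form field the IdP posts to the callback URL (the browser's developer tools show it), decode it, and pass the XML to check_shares_saml_response with your own entity ID and callback URL.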
Setting up an Identity Provider: Refer to Configuring Your Identity Provider (IdP) on page 53 for information on setting up an identity provider for Shares.

Enabling SAML Authentication in Shares: Refer to Configuring SAML on page 52 for instructions on how to enable SAML authentication in Shares.

Creating SAML Groups: Refer to Creating SAML Groups on page 54 for instructions on how to set up SAML groups in Shares.

Adding Individual SAML Users to a Local Group: Refer to Adding a SAML User to a Local Group on page 54 for instructions on how to add individual SAML users to a local group.

User Accounts Being Provisioned by SAML Just-In-Time (JIT) Provisioning: Refer to User Accounts Being Provisioned by SAML Just-In-Time (JIT) Provisioning on page 54 for information on SAML JIT provisioning for Shares.

Note: Shares provides a mechanism for administrators to bypass the SAML login and log in using a local username and password. This allows administrators to log in and correct server settings, including a misconfigured SAML setup. To bypass the SAML login and sign in with the regular login form, add local=true to the end of the login URL. For example: https://server_ip/login?local=true
Because the local login form stays reachable through this parameter even when SAML redirection is enabled, keep the number of local administrator accounts small and their passwords strong.

Configuring SAML

Before following the instructions below, have the following information on hand:

• IdP Single Sign-On URL
• IdP Certificate Fingerprint or IdP Certificate

1. In IBM Aspera Shares, navigate to Admin > Directories.
2. For the SAML IdP entry, click Edit. The Detail tab appears.
3. Select the check box Log in using a SAML Identity Provider.
4. (Optional) Enable SAML login redirection. If enabled, entering the default Shares URL directs users to the SAML login page. If disabled, the Shares URL directs users to the local login page (Figure 1: Local login page).
5. Enter the SAML entry-point address provided by the IdP in the IdP Single Sign-On URL text box.
6.
Enter either the IdP Certificate Fingerprint or the IdP Certificate.
7. Click Save to keep your changes, or Cancel to discard them.

A Shares administrator can bypass the SAML login and sign in with the regular login form by adding the local=true parameter to the login URL, for example: https://10.0.176.30/login?local=true

Configuring Your Identity Provider (IdP)

IdP Requirements

The following instructions for configuring SAML for IBM Aspera Shares assume that you have an IdP that meets the following requirements:

• Supports SAML 2.0.
• Able to use an HTTP POST binding.
• Able to connect to the same directory service being used by Shares.
• Not configured to use pseudonyms.
• Can return assertions to Shares that include the entire contents of the signing certificate.
• If prompted, set to sign the SAML response. (Signing the SAML assertion is optional.)

Set the following values to configure your identity provider to work with Shares:

Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Entity ID: https://www.our-shares-server.com/aspera/shares/auth/saml/metadata
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Callback URL: https://www.our-shares-server.com/aspera/shares/auth/saml/callback

You can retrieve this data directly from auth/saml/metadata if the IdP is capable of reading SAML XML metadata for a service provider.

Assertion Message Elements

Shares expects assertion messages from an IdP to contain the following elements. All are required, and all use the format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified:

SAML_SUBJECT (required)
email (required)
given_name (required)
id (required)
surname (required)

Note: Shares users with SAML accounts may appear to be unaffected by session timeouts.
Because a session cookie is still active on the IdP server, users are logged in again automatically without seeing the login page.

Creating SAML Groups

SAML groups are created in IBM Aspera Shares in one of two ways:

• By creating a SAML group in Shares using the web UI and then logging in as a SAML user; the Shares SAML group is mapped to the external SAML group.
• Automatically, when a user logs in using SAML credentials.

The following instructions describe how to create a SAML group in Shares using the web UI:

1. When SAML is enabled, you can create SAML groups by navigating to Admin > Groups.
2. Click New SAML Group.
3. Enter the group name, which is the distinguished name (DN).
4. Click Create Group.

You can view and manage your SAML group in the Groups section under Admin.

Adding a SAML User to a Local Group

If there are specific SAML users you want to manage in Shares instead of in SAML, you can add these SAML users to a local Shares group.

Note: You cannot add DS users to a local group.

1. Import the SAML user. Import the SAML group the user is a member of into Shares by logging in as a user in that SAML group. A SAML group is automatically created when a user logs in using SAML credentials. For more information on creating SAML groups, refer to Creating SAML Groups on page 54.
2. Create a new Shares group. Navigate to Admin > Groups and select New. Give your group a name and select Create Group.
3. Add the imported SAML user. Within your new group, select the Members tab, select the SAML user from the drop-down, then click Add.

User Accounts Being Provisioned by SAML Just-In-Time (JIT) Provisioning

When new user accounts are provisioned through SAML JIT provisioning, new SAML groups are created when the SAML response contains group information and that group does not yet exist in IBM Aspera Shares.
A SAML user belonging to multiple groups gets the permissions and settings of all groups the user belongs to. For example, if group A disallows sending to external users but group B does not, users who belong to both groups are allowed to send to external users.

Settings that require specific handling are as follows:
• Account expiration is only enabled if all groups to which a user belongs specify account expiration. If account expiration is enabled, the expiration date is set to the latest expiration date from among all groups.
• For the settings “Server Default”, “Yes” or “Allow”, and “No” or “Deny”, the setting is set to “Yes” if any group specifies yes, and it is set to “No” if all groups are set to no. Otherwise it is set to the server default.
• For package deletion policy, override is enabled if all groups specify override, or if the least restrictive group setting is less restrictive than the server-wide setting. If override is enabled, the least restrictive group setting is used. “Do nothing” is less restrictive than “Delete files after all recipients download all files,” which in turn is less restrictive than “Delete files after any recipient downloads all files.”
• For advanced transfer settings, override is enabled if all groups specify override or if any group specifies any transfer rate that is higher than the server default. If override is enabled, each transfer rate is set to the higher of the highest value from among the groups and the server default. The minimum rate policy is locked only if all groups specify the setting.

Working with Rake Tasks

Rake tasks can be used to configure and manage IBM Aspera Shares users, groups, shares, and nodes from the command line.

1. Navigate to the shares folder.
   cd /opt/aspera/shares/u/shares/bin
2. Test that your rake tasks are working correctly.
   ./run rake -T

Note: Repeat the above steps each time you need to run rake tasks, to prepare your environment for them.

See below for a list of all the rake tasks you can run in Shares:
   User Management Rake Tasks on page 56
   Group Management Rake Tasks on page 58
   Share Management Rake Tasks on page 59
   Node Management Rake Tasks on page 60
   Other Configurations Using Rake Tasks on page 62

User Management Rake Tasks

The following rake tasks cover how to create, modify and delete users, as well as how to export and import users from .csv files.

Tip: Square brackets in usage statements denote optional arguments and need not be included when running the commands.

Note: Linux users must navigate to /opt/aspera/shares/u/shares/bin/ in the Terminal before running rake tasks.

Create User
Syntax:
   rake data:user:create -- --username <username> --password <password> --email <email> --first_name <first_name> --last_name <last_name>
Example:
   ./run rake data:user:create -- --username user --password 3x@mp13_p@zzw0rd --email user@asperasoft.com --first_name John --last_name Doe

Delete User
Syntax:
   rake data:user:delete -- --username <username>
Example:
   ./run rake data:user:delete -- --username user

Update User
Syntax:
   rake data:user:update -- --username <username> --password <password> --email <email> --first_name <first_name> --last_name <last_name>
Example:
   ./run rake data:user:update -- --username user --password 3x@mp13_p@zzw0rd --email user@asperasoft.com --first_name John --last_name Doe

Export a List of Users
Syntax:
   rake data:user:export --path <path>
Example:
   ./run rake data:user:export --path /tmp

Note: Exporting will not write user passwords to the .csv file. You must add them manually if you want passwords in the exported .csv file.
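Because an exported file carries no passwords and the import task (next) assigns a random password to any user whose password field is empty, it is worth checking a .csv before handing it to rake data:user:import. The Ruby example below is added here and is not IBM Aspera Shares code. It uses the row layout this guide gives for the import task (Username, Email, First Name, Last Name, Password); that every row carries all five fields, with only the password allowed to be blank, and the simple e-mail pattern are assumptions of the example, and the sample rows are constructed.

```ruby
require 'csv'

# Added example (not IBM Aspera Shares code): checks a users .csv before it is
# handed to "rake data:user:import". The row layout is the one this guide gives
# (Username, Email, First Name, Last Name, Password); requiring all five fields,
# with the password allowed to be blank, is an assumption of this example.
module UsersCsvCheck
  EMAIL = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

  # Returns { ok: [usernames ready to import], no_password: [usernames that will
  # receive a random password], errors: ["line N: reason", ...] }.
  def self.check(csv_text)
    result = { ok: [], no_password: [], errors: [] }
    seen = {}
    CSV.parse(csv_text).each_with_index do |row, i|
      line = i + 1
      fields = row.map { |f| f.to_s.strip }
      if fields.size != 5
        result[:errors] << "line #{line}: expected 5 fields, got #{fields.size}"
        next
      end
      username, email, first, last, password = fields
      problems = []
      problems << 'empty username' if username.empty?
      problems << "duplicate username #{username}" if seen[username]
      problems << "invalid email #{email.inspect}" unless email.match?(EMAIL)
      problems << 'empty first or last name' if first.empty? || last.empty?
      seen[username] = true
      unless problems.empty?
        result[:errors] << "line #{line}: #{problems.join(', ')}"
        next
      end
      result[:ok] << username
      result[:no_password] << username if password.empty?
    end
    result
  end

  # Constructed sample input; the users and addresses are made up for this example.
  SAMPLE = <<~CSV
    alice,alice@example.com,Alice,Smith,S0me-p@ss
    bob,bob@example.com,Bob,Jones,
    carol,not-an-email,Carol,Lee,x
    alice,alice2@example.com,Alice,Again,y
    dave,dave@example.com,Dave,Kim
  CSV
end

if __FILE__ == $PROGRAM_NAME
  r = UsersCsvCheck.check(UsersCsvCheck::SAMPLE)
  puts "ready to import: #{r[:ok].join(' ')}"
  puts "random password will be assigned: #{r[:no_password].join(' ')}"
  r[:errors].each { |e| puts "error: #{e}" }
end
```

On the sample, alice and bob are importable, bob is flagged as receiving a random password (and will have to use the Forgot your username and password? link), and the invalid address, the duplicate username and the short row are reported with their line numbers. To check a real file, pass File.read('/tmp/users.csv') to UsersCsvCheck.check.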
Import Users (from .csv)
Syntax:
   rake data:user:import -- --path <path>
Example:
   ./run rake data:user:import -- --path /tmp/users.csv

Note: The format of the .csv file should be, for each user:
   Username, Email, First Name, Last Name, Password
Users for whom no passwords are specified will be given a random password and must click the Forgot your username and password? link before logging in.

Group Management Rake Tasks

The following rake tasks cover how to create and delete groups and how to add or remove users from a group.

Tip: Square brackets in usage statements denote optional arguments and need not be included when running the commands.

Note: Linux users must navigate to /opt/aspera/shares/u/shares/bin/ in the Terminal before running rake tasks.

Create Group
Syntax:
   rake data:group:create -- --group_name <group_name>
Example:
   ./run rake data:group:create -- --group_name users

Delete Group
Syntax:
   rake data:group:delete -- --group_name <group_name>
Example:
   ./run rake data:group:delete -- --group_name users

Add User to a Group
Syntax:
   rake data:group:user:add -- --username <username> --group_name <group_name>
Example:
   ./run rake data:group:user:add -- --username user --group_name users

Remove User from a Group
Syntax:
   rake data:group:user:remove -- --username <username> --group_name <group_name>
Example:
   ./run rake data:group:user:remove -- --username user --group_name users

Share Management Rake Tasks

The following rake tasks cover how to create, modify, and delete a share and how to manage a user's or group's share permissions.

Tip: Square brackets in usage statements denote optional arguments and need not be included when running the commands.

Note: Linux users must navigate to /opt/aspera/shares/u/shares/bin/ in the Terminal before running rake tasks.
Create Share
Syntax:
   rake data:share:create -- --node_name <node_name> --share_name <share_name> --directory <directory>
Example:
   ./run rake data:share:create -- --node_name aspera --share_name share1 --directory /mnt

Delete Share
Syntax:
   rake data:share:delete -- --share_name <share_name>
Example:
   ./run rake data:share:delete -- --share_name share1

Modify Share
Note: Same syntax as Create Share. Change the values as needed to modify the attributes of the share with the specified name.
Syntax:
   rake data:share:create -- --node_name <node_name> --share_name <share_name> --directory <directory>
Example:
   ./run rake data:share:create -- --node_name aspera --share_name share1 --directory /mnt

Manage User's Share Permissions
Syntax:
   rake data:user:share_permissions -- --username <username> --share_name <share_name> [--<INSERT DESIRED PERMISSION> <true or false> --<INSERT DESIRED PERMISSION> <true or false> ...]
Where valid permissions are:
• browse_permission
• download_permission
• upload_permission
• mkdir_permission
• delete_permission
• rename_permission
• content_availability_permission
• manage_permission
Example:
   ./run rake data:user:share_permissions -- --username users --share_name share1 --upload_permission true --mkdir_permission true

Manage Group's Share Permissions
Syntax:
   rake data:group:share_permissions -- --group_name <group_name> --share_name <share_name> [--<INSERT DESIRED PERMISSION> <true or false> --<INSERT DESIRED PERMISSION> <true or false> ...]
Where valid permissions are:
• browse_permission
• download_permission
• upload_permission
• mkdir_permission
• delete_permission
• rename_permission
• content_availability_permission
• manage_permission
Example:
   ./run rake data:group:share_permissions -- --group_name users --share_name share1 --upload_permission true --mkdir_permission true

Node Management Rake Tasks

The following rake tasks cover how to create and delete a node.

Tip: Square brackets in usage statements denote optional arguments and need not be included when running the commands.

Note: Linux users must navigate to /opt/aspera/shares/u/shares/bin/ in the Terminal before running rake tasks.

Create Node
Syntax:
   rake data:node:create -- --name <name> --host <host> --api_username <api_username> --api_password <api_password> [--options]
Example:
   ./run rake data:node:create -- --name aspera --host localhost --api_username xfer1 --api_password 3x@mp13_p@zzw0rd

Note: You must create a node user and password to finish creating the new node. Refer to the Setting up Node Users section in the Enterprise Server Administrator Guide for instructions on how to create a node user.

Delete Node
Syntax:
   rake data:node:delete -- --name <name>
Example:
   ./run rake data:node:delete -- --name aspera

Update Node
Syntax:
   rake data:node:update -- --name <name> [--options]
Example:
   ./run rake data:node:update -- --name aspera

Options
When running the create and update tasks above, you can add the following options to your command to edit their values:

   Option                          Default
   --port <port>                   9092
   --ssl (true | false)            true
   --verify_ssl (true | false)     false
   --timeout <timeout>             30
   --open_timeout <open_timeout>   10

With the defaults, the connection to the node uses SSL but the node's certificate is not verified; pass --verify_ssl true to have it checked.

Other Configurations Using Rake Tasks

The following rake tasks cover how to add or configure an LDAP directory, configure web server settings, and configure SMTP server settings.
Tip: Square brackets in usage statements denote optional arguments and need not be included when running the commands.

Note: Linux users must navigate to /opt/aspera/shares/u/shares/bin/ in the Terminal before running rake tasks.

Add or Configure LDAP
Syntax:
   rake data:ldap_config -- --directory_type <directory_type> --name <name> [--description <description>] --host <host> --port <port> [--base_dn <base_dn>] --authentication_method <authentication_method> [--username <username> --password <password> --encryption <encryption>]
Example:
   ./run rake data:ldap_config -- --directory_type ActiveDirectory --name test_dir --host ldap.aspera.us --port 1234 --base_dn OU=AsperaDirectory,DC=aspera,DC=asperasoft,DC=com --authentication_method simple --username user1 --password 3x@mp13_p@zzw0rd --encryption simple_tls

Where acceptable directory types are:
• ActiveDirectory
• OpenDirectory
• FedoraDirectoryServer
• OpenLdap

Where acceptable authentication methods are:
• anonymous
• simple (Simple bind requires a username and a password.)

Where acceptable encryption types are:
• unencrypted
• simple_tls

Note: Encryption is, by default, set to unencrypted.

Configure web server settings
Syntax:
   rake data:web_server -- --host <host> --port <port> --tls <tls>
Example:
   ./run rake data:web_server -- --host this.is.an.example --port 1234 --tls true

Configure smtp server settings
Syntax:
   rake data:smtp_server -- --server <server> --port <port> --domain <domain> --tls <tls> --username <username> --password <password> --from <from>
Example:
   ./run rake data:smtp_server -- --server example_server --port 1234 --domain example.domain --tls true --username user1 --password 3x@mp13_p@zzw0rd --from user@asperasoft.com

Note: The first time this task is run, it creates a new entry and requires a value for all of the fields.
Afterward, running the task again will only modify the specified fields, leaving non-specified fields the same.

Configuring MySQL Server

   Using Another MySQL Server During Installation on page 64
   Using Another MySQL Server After Installation on page 64
   Changing the Built-in MySQL Port on page 65

Using Another MySQL Server During Installation

When installing the .rpm, a message is printed describing how to use another MySQL server. The message is:

   To use a remote MySQL server and disable the local MySQL server, add the connection information to this file: /opt/aspera/shares/etc/my.cnf.setup

The default contents of my.cnf.setup are:

   [client]
   user = root
   password =
   host = localhost
   port = 4406

Update the contents of my.cnf.setup with your MySQL server information. If you set a password in my.cnf.setup, the install script assumes an already configured MySQL server is available and uses the values in my.cnf.setup. Additionally, the built-in MySQL server is disabled.

Using Another MySQL Server After Installation

To use another MySQL server after the rpm installation has occurred, you must update the .my.cnf files and the application configuration files.

1. Update the .my.cnf files with your MySQL server information in each of the following locations:
   • /opt/aspera/shares/.my.cnf
   • /opt/aspera/shares/u/shares/.my.cnf
   • /opt/aspera/shares/u/stats-collector/.my.cnf
2. Update the Shares application config file located at /opt/aspera/shares/u/shares/config/database.yml. Replace the example values with your MySQL server information.

   production:
     database: shares
     username: "mysql_user"
     password: "3xamp13MySQLp4zzw0rd1234567"
     host: 10.0.0.0
     port: 1234
     encoding: utf8
     reconnect: false
     pool: 5

   production_stats_collector:
     database: stats_collector
     username: "mysql_user"
     password: "3xamp13MySQLp4zzw0rd1234567"
     host: 10.0.0.0
     port: 1234
     encoding: utf8
     reconnect: false
     pool: 5
3.
Update the stats collector configuration file located at /opt/aspera/shares/u/stats-collector/etc/persistence.xml. Replace the example values with your MySQL server information.

   <!-- connection URL: jdbc:mysql://HOST:PORT/DATABASE -->
   <property name="hibernate.connection.url" value="jdbc:mysql://10.0.0.0:1234/stats_collector"/>
   <property name="hibernate.connection.username" value="mysql_user"/>
   <property name="hibernate.connection.password" value="3xamp13MySQLp4zzw0rd1234567"/>

4. Restart all services. Run the following commands to restart all Shares services at once:
   # service aspera-shares stop
   # service aspera-shares start
5. Disable the built-in MySQL server. To stop the built-in MySQL from running, you must remove it from the runlevels that include it. Run the following commands:
   rm /opt/aspera/shares/etc/runit/runlevels/setup/mysqld
   rm /opt/aspera/shares/etc/runit/runlevels/up/mysqld

Changing the Built-in MySQL Port

Edit the my.cnf file to change the built-in MySQL port. The my.cnf file can be found at /opt/aspera/shares/etc/my.cnf. Find the [mysqld] section and change the value for port. For example, to set the port to 12345, make the following edit in my.cnf:

   [mysqld]
   port = 12345

Configuring the Stats Collector

   Adding Existing Nodes to Stats Collector on page 66
   Configure Stats Collector Log Levels on page 66
   Lowering Stats Collector Polling Frequency on page 67
   Retrieving Stats Collector Version Number on page 67

Adding Existing Nodes to Stats Collector

The following steps assume you have already set up the Ruby environment necessary to run rake tasks. If you have not done so, refer to Working with Rake Tasks on page 56 for instructions. If you have already set up the environment, continue to the next step.

1. Navigate to the shares folder.
   cd /opt/aspera/shares/u/shares/bin
2.
Run the following rake task to add existing nodes to stats collector:
   run rake aspera:stats_collector:add_all_nodes

Configure Stats Collector Log Levels

Edit the stats collector logging configuration file (logback.xml) to enable more detailed information in its logs.

1. Open the logback.xml file located at /opt/aspera/shares/u/stats-collector/etc/logback.xml.
2. Towards the bottom of the file, change the INFO flag to DEBUG in the following section. The log level flag is set to INFO by default.

   <root level="${statscollector.log.level:-INFO}">
     <appender-ref ref="FILE"/>
     <appender-ref ref="STDERR" />
   </root>

3. Restart stats collector for the changes to take effect. Run the following command:
   # /opt/aspera/shares/sbin/sv restart stats-collector

Stats collector logs should now show debugging information. To change log levels back to normal, open the logback.xml file and change DEBUG back to INFO.

Lowering Stats Collector Polling Frequency

Lowering the frequency at which stats collector polls nodes for statistics can free up memory and lower the load on your server. This is especially applicable to cases where the stats collectors of multiple machines are all polling a single node for statistics.

1. Access the stats-collector.properties file. Find it at /opt/aspera/shares/u/stats-collector/etc/stats-collector.properties.
2. Uncomment and change the polling.period variable:

   ## The time period at which nodes are polled for new statistics.
   ## Default 1s
   # polling.period=

   For example, increase the polling period to 5 seconds to lower the load on your server:

   ## The time period at which nodes are polled for new statistics.
   ## Default 1s
   polling.period=5s

3. Restart stats collector for the changes to take effect.
Run the following command:
   # /opt/aspera/shares/sbin/sv restart stats-collector

Retrieving Stats Collector Version Number

Run the following command:
   /opt/aspera/shares/u/stats-collector/bin/run java -jar lib/statscollector-admin.jar -A

Performing Maintenance Tasks

The following system configuration options are available under the Other menu on the Admin page:

System Settings

Option: Background
Description: Modify or reset the parameters that IBM Aspera Shares checks when running background jobs.

Option: License
Description: View or change your Shares license.

Option: Localization
Description: Configure your Shares server with your local timezone, date format, and time format.

Option: Logging
Description: Configure whether logged events trigger a warning or an error.

Option: Logos
Description: Add, edit, or delete a custom logo for your Shares Web UI.

Option: Messages
Description: Create a login page message for your users, and a home page message.

Option: Transfers
Description:
• Min connect version: The minimum version of the Aspera Connect™ browser plugin that can be used to transfer with Shares. The version must be in the form "X.Y", for example, 1, 1.2. If you are using Aspera On-Demand Shares, the minimum accepted version of Connect is 2.7.8, which is the default setting.
• Upload target rate: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Upload target rate cap: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Download target rate cap: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.
• Starting policy: Select the policy to be enforced when the transfer starts:
  • Fixed: The transfer transmits data at a rate equal to the target rate, although this may impact the performance of other traffic present on the network.
  • High: The transfer rate is adjusted to use the available bandwidth up to the maximum rate.
  • Fair: The transfer attempts to transmit data at a rate equal to the target rate. If network conditions do not permit that, it transfers at a rate lower than the target rate, but not less than the minimum rate.
  • Low: The transfer rate is less aggressive than Fair when sharing bandwidth with other network traffic. When congestion occurs, the transfer rate is decreased to the minimum rate, until other traffic retreats.
• Allowed policy: Select the policies that are available to the user during transfer. If you do not make any selections, the Inherit from node setting is displayed, which applies the settings inherited from the node.
• Encryption: Select Optional or AES-128. If you do not make any selections, the Inherit from node setting is displayed, which applies the settings inherited from the node.
• Encryption at rest: Select Optional or Required. If you do not make any selections, the Inherit from node setting is displayed, which applies the settings inherited from the node. If you select Required, the uploaded files must be encrypted during a transfer to protect them while they are stored on a remote server. The uploader sets a password before uploading the file, and the downloader needs to enter that password to decrypt the file.

Option: Web Server
Description: Configure the web server settings, including the host, port, and whether SSL/TLS is enabled. The hostname or IP address entered into the Host field is used as part of the URL in Shares emails to users. For example, when an account is created for a user, that user receives an email prompting the user to reset the password. This email contains a URL that points to whatever hostname or IP address is entered into the Host field.

Clearing Background Jobs

If IBM Aspera Shares background jobs are not responding, they can be cleared using the command line.

1. Clear background jobs in MySQL.
Run the following command:
   # /opt/aspera/shares/bin/run mysql -e 'delete from delayed_jobs'
2. Restart Aspera background jobs.
   # /opt/aspera/shares/sbin/sv restart shares-background-default-0

Fixing Services Not Running After Upgrading Shares

After an upgrade, it may seem that only MySQL is running and the other services are missing. The problem may be that an error during the upgrade left Shares in the "setup" runlevel instead of the "up" runlevel. To fix the problem, you need to change the current runlevel to the "up" runlevel.

Important: Do not add symlinks to /opt/aspera/shares/etc/runit/runlevels/setup.

Use the following command from runit:
   /opt/aspera/shares/sbin/runsvchdir up

Shares is now at the "up" runlevel and the other services should now work.

Restart Shares Services

Some troubleshooting fixes may require that you stop, start, or restart one or more IBM Aspera Shares services.

Restarting All Shares Services

Run the following commands to restart all Shares services at once:
   # service aspera-shares stop
   # service aspera-shares start

Restarting Individual Services

Follow this syntax to restart a service:
   # /opt/aspera/shares/sbin/sv restart [command service]

For example, to restart the stats-collector command service:
   # /opt/aspera/shares/sbin/sv restart stats-collector

Note: Command services support all sv commands, including stop, start, and restart. Command services include:
• crond
• mysqld
• nginx
• shares-background-0
• stats-collector

Tip: The shares-background-0 command service runs scheduled jobs in a queue, such as sending emails.

Backing Up Shares and the Database

Tip: The Shares web UI and nginx service will still be available while performing a backup.

1. Run the following script as the root user. The script stops Shares services, backs up all necessary files, and restarts Shares. You cannot use this procedure with earlier versions of Shares.
   # /opt/aspera/shares/u/setup/bin/backup /your_backup_dir

   For example:
   # /opt/aspera/shares/u/setup/bin/backup /tmp
   Creating backup directory /tmp/20130627025459 ...
   Checking status of aspera-shares ... Status is running
   mysqld is alive
   Backing up the Shares database and config files ...
   Backing up the SSL certificates ...
   Done
2. Make a note of the ID of the created backup directory for future use. In the above example: 20130627025459.

For instructions on how to restore a backup of Shares, see Restoring Shares from a Backup on page 12.

Gathering and Zipping Up All Logs for Support

Aspera Technical Support often requires system logs to help troubleshoot errors. The following command gathers the logs created by IBM Aspera Shares, background processes, and stats collector into a compressed archive that can be sent to Aspera Technical Support.

Gather and zip up logs for support. Run this command in one line:

   tar czvf /tmp/shares-logs-backup-`date "+%Y-%m-%d-%H-%M-%S"`.tar.gz \
     /opt/aspera/shares/u/shares/log/production.log* \
     /opt/aspera/shares/var/log/shares-background-0/current \
     /opt/aspera/shares/var/log/shares-background-0/*.s \
     /opt/aspera/shares/u/stats-collector/logs/statscollector.*log* \
     ;

Checking for SSH Issues

Aspera® recommends that you review your SSH log periodically for signs of a potential attack. Locate and open your syslog, for example, /var/log/auth.log or /var/log/secure. Depending on your system configuration, syslog's path and file name may vary. Look for invalid users in the log, especially a series of login attempts with common user names from the same address, usually in alphabetical order. For example:

   ...
   Mar 10 18:48:02 sku sshd[1496]: Failed password for invalid user alex from 1.2.3.4 port 1585 ssh2
   ...
   Mar 14 23:25:52 sku sshd[1496]: Failed password for invalid user alice from 1.2.3.4 port 1585 ssh2
   ...

If you have identified attacks:
• Check the SSH security settings.
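The review described above can be made repeatable. The Ruby example below is added here and is not part of this guide; it scans sshd log lines for "Failed password for invalid user" entries, groups them by source address, and reports every address with at least a threshold number of attempts together with whether the usernames were tried in alphabetical order, the pattern the guide tells you to look for. The sample log is constructed: it contains the two lines shown above for 1.2.3.4 plus made-up entries for the same address, a second address (10.0.0.9) and one successful login, and the default threshold of three attempts is an assumption of the example.

```ruby
# Added example (not from this guide): scans sshd log lines for the pattern the
# guide describes, a run of "Failed password for invalid user" entries from one
# address, and reports whether the usernames were tried in alphabetical order.
module SshLogReview
  FAILED_INVALID = /sshd\[\d+\]: Failed password for invalid user (\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+/

  # Returns { ip => { count:, users:, alphabetical: } } for every source address
  # with at least `threshold` failed attempts against invalid users.
  def self.suspicious_sources(lines, threshold: 3)
    by_ip = Hash.new { |h, k| h[k] = [] }
    lines.each do |line|
      m = FAILED_INVALID.match(line)
      by_ip[m[2]] << m[1] if m
    end
    by_ip.select { |_, users| users.size >= threshold }
         .to_h { |ip, users| [ip, { count: users.size, users: users, alphabetical: users == users.sort }] }
  end

  # Constructed sample: the two lines the guide shows for 1.2.3.4, plus made-up
  # entries for the same address, a second address, and a successful login.
  SAMPLE_LOG = [
    'Mar 10 18:48:02 sku sshd[1496]: Failed password for invalid user alex from 1.2.3.4 port 1585 ssh2',
    'Mar 14 23:25:52 sku sshd[1496]: Failed password for invalid user alice from 1.2.3.4 port 1585 ssh2',
    'Mar 14 23:26:10 sku sshd[1502]: Failed password for invalid user bob from 1.2.3.4 port 1590 ssh2',
    'Mar 14 23:26:31 sku sshd[1507]: Failed password for invalid user carl from 1.2.3.4 port 1591 ssh2',
    'Mar 15 08:01:12 sku sshd[1611]: Accepted publickey for shares from 10.0.0.5 port 50022 ssh2',
    'Mar 15 09:12:44 sku sshd[1620]: Failed password for invalid user zed from 10.0.0.9 port 40001 ssh2',
    'Mar 15 09:12:50 sku sshd[1621]: Failed password for invalid user amy from 10.0.0.9 port 40002 ssh2',
    'Mar 15 09:12:57 sku sshd[1622]: Failed password for invalid user ken from 10.0.0.9 port 40003 ssh2'
  ].freeze
end

if __FILE__ == $PROGRAM_NAME
  SshLogReview.suspicious_sources(SshLogReview::SAMPLE_LOG).each do |ip, info|
    puts "#{ip}: #{info[:count]} attempts, alphabetical=#{info[:alphabetical]}, users=#{info[:users].join(',')}"
  end
end
```

On the sample, 1.2.3.4 is reported with four attempts in alphabetical order (alex, alice, bob, carl) and 10.0.0.9 with three attempts that are not, while the successful publickey login is ignored. To run it over a live log, pass File.foreach('/var/log/auth.log') (or /var/log/secure) as the lines argument; the function only reads, so it is safe to run from cron as an unprivileged user that has read access to the log.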
• Report attackers to your ISP's abuse email, for example, abuse@your-isp.

Monitoring

From the Admin menu, the following monitoring capabilities are available from the left navigation menu:
• Activity
• Background Jobs
• Errors and Warnings

Viewing Activities

Click Activity to view all activity that has occurred on the IBM Aspera Shares server. Activities reported include the following:
• Nodes and shares created and deleted
• Logins and logouts
• Directories created and deleted
• Files deleted
• Node and share status
• Transfers to shares

Each reported activity event is accompanied by a tag. Click the tag to find related activities. To perform an activity event search, click Search and enter the requisite information.

Viewing Background Jobs

To view, start, or delete background jobs that are running on the IBM Aspera Shares server, click Background Jobs.

Viewing Errors and Warnings

To view or search for errors and warnings that have occurred on the IBM Aspera Shares server, click Errors and Warnings.

Appendix

Configuring a Remote Transfer-Server Node

Follow the steps below to set up a remote transfer-server node for IBM Aspera Shares.

Important: All steps must be performed on the remote machine (transfer server), as the root user.

1. Set up the Node API. The Node API must be set up in the IBM Aspera Enterprise Server for Shares to communicate with the remote machine. Refer to the Node API Setup section in the Managing the Node API section of the IBM Aspera Enterprise Server Administrator's Guide for instructions on how to set up the Node API in Enterprise Server.
2. Create the system user "shares". This is the user who authenticates the actual ascp transfer, and must be an operating system account. Run the following commands to create the system user "shares":
   # /usr/sbin/groupadd -r shares
   # /usr/sbin/useradd -r shares -s /bin/aspshell-r -g shares
3. Create and configure the "shares" package directory.
Run the following commands to configure the "shares" directory /home/shares/ and the shares_packages subdirectory:
   # mkdir -p /home/shares/shares_packages
   # chown shares:shares /home/shares/
   # chown shares:shares /home/shares/shares_packages
4. Configure aspera.conf. Add the shares package directory as a docroot in aspera.conf. The aspera.conf file can be found in the following location:
   /opt/aspera/etc/aspera.conf
   Below is a typical Shares aspera.conf file. Yours may differ, particularly if you have installed other Aspera products. Modify the following, as necessary:
   • In the file below, look for the <absolute> tag to see how the docroot has been defined in this installation, and adjust yours accordingly.
   • Look for the <server_name> tag below, and ensure that SERVER_IP_OR_NAME has been replaced with the name or IP address of your server.
   • In the <central_server> section, set <persistent_store> to enable as shown below. Shares 3.5+ requires persistent storage to be enabled. By default, <persistent_store> is disabled (not set).
   <?xml version='1.0' encoding='UTF-8'?>
   <CONF version="2">
     <central_server>
       <address>127.0.0.1</address>
       <port>40001</port>
       <compact_on_startup>enable</compact_on_startup>
       <persistent_store>enable</persistent_store>
       <persistent_store_on_error>ignore</persistent_store_on_error>
       <persistent_store_max_age>86400</persistent_store_max_age>
       <event_buffer_overrun>block</event_buffer_overrun>
     </central_server>
     <default>
       <file_system>
         <pre_calculate_job_size>yes</pre_calculate_job_size>
       </file_system>
     </default>
     <aaa>
       <realms>
         <realm>
           <users>
             <user>
               <name>shares</name>
               <file_system>
                 <access>
                   <paths>
                     <path>
                       <absolute>/home/shares/shares_packages</absolute>
                       <show_as>/</show_as>
                       <dir_allowed>true</dir_allowed>
                     </path>
                   </paths>
                 </access>
                 <directory_create_mode>770</directory_create_mode>
                 <file_create_mode>660</file_create_mode>
               </file_system>
               <authorization>
                 <transfer>
                   <in>
                     <value>token</value>
                   </in>
                   <out>
                     <value>token</value>
                   </out>
                 </transfer>
                 <token>
                   <encryption_key>af208360-dbdd-4033-a35b-2370941f37e9</encryption_key>
                 </token>
               </authorization>
             </user>
           </users>
         </realm>
       </realms>
     </aaa>
     <http_server>
       <http_port>8080</http_port>
       <enable_http>1</enable_http>
       <https_port>8443</https_port>
       <enable_https>1</enable_https>
     </http_server>
     <server>
       <server_name>SERVER_IP_OR_NAME</server_name>
     </server>
   </CONF>

   After modifying aspera.conf, restart the Aspera Central and Aspera NodeD services:
   # /etc/init.d/asperacentral restart
   # /etc/init.d/asperanoded restart
5. Verify you have installed a valid Shares license on your transfer server. If you need to update your transfer server license (by following the instructions in the Updating Product License section of the Enterprise Server Admin Guide), you must reload the asperanoded service afterwards. Reload the asperanoded service by running asnodeadmin, found in the following location:
   # /opt/aspera/bin/asnodeadmin --reload
6. Set up the node user.
Run the following commands to set up the node user (where "node-admin" is the node user, "s3cur3_p433" is its password and "shares" is the system user), and then reload asperanoded:
   # /opt/aspera/bin/asnodeadmin -a -u node-admin -p s3cur3_p433 -x shares
   # /opt/aspera/bin/asnodeadmin --reload
7. Install the Aspera Connect™ key. First, locate your Aspera Connect key:
   /opt/aspera/var/aspera_id_dsa.pub
   Then run the following command to create a .ssh folder (if it does not already exist) in the shares user's home directory:
   # mkdir -p /home/shares/.ssh
   Run the following command to create the keyfile authorized_keys (if it does not already exist) and append the key text to it:
   # cat /opt/aspera/var/aspera_id_dsa.pub >> /home/shares/.ssh/authorized_keys
   Run the following commands to change the key directory's and keyfile's ownership to the shares user and set the permission bits:
   # chown shares:shares /home/shares/.ssh
   # chown shares:shares /home/shares/.ssh/authorized_keys
   # chmod 600 /home/shares/.ssh/authorized_keys
   # chmod 700 /home/shares
   # chmod 700 /home/shares/.ssh
8. Set up token authorization. Refer to the Setting Up Token Authorization topic in the Aspera Enterprise Server Administrator's Guide.

Extending the Node Timeout

Edit the client.rb file located at /opt/aspera/shares/u/shares/lib/node_api/client.rb. Near line 28, modify :timeout => 30 to another value. Below, 30 has been replaced by 60 to lengthen the timeout to one minute:

   def rest_client_site(path = base_url)
     RestClient::Resource.new(path,
       :user => username,
       :password => password,
       :verify_ssl => verify_ssl,
       :timeout => 60,
       :open_timeout => 10, # TODO: what should the timeouts be?
       :headers => {
         :content_type => :json,
         :accept => :json,
       }
     )
   end

Changing Nginx Ports

1. Open the IBM Aspera Shares Nginx config file found at /opt/aspera/shares/etc/nginx/nginx.conf.
2. Update the HTTP and HTTPS server blocks with your desired ports.
   These are the default settings for the two server blocks:

   server {
     listen 80 deferred;
     return 301 https://$host$request_uri;
   }
   server {
     listen 443 deferred;
     ssl on;
   }

   Update the values of the listen and return directives with the desired ports:

   server {
     listen 9080 deferred;
     return 301 https://$host:9443$request_uri;
   }
   server {
     listen 9443 deferred;
     ssl on;
   }

3. Update the passenger_pre_start directive located at /opt/aspera/shares/etc/nginx/conf.d/shares-pre-start.conf. The default value for passenger_pre_start is the following:
   passenger_pre_start https://example.com:443/;
   Update passenger_pre_start with your desired port. For example:
   passenger_pre_start https://example.com:9443/;
   Note: Prior to Shares 1.8, the passenger_pre_start directive is in the main nginx.conf file.
4. Tell Nginx to reload its config file.
   /opt/aspera/shares/sbin/nginx -s reload

Open a MySQL Prompt

Open a MySQL client prompt:
   # /opt/aspera/shares/bin/run mysql

Generate an SSL Certificate

Generate your own private key, CSR and pem file. To generate a new certificate, follow the instructions provided below using the OpenSSL command-line binary (/opt/aspera/shares/bin/openssl).

1. Enter the OpenSSL command to generate your Private Key and Certificate Signing Request. In this step, you will generate an RSA Private Key and CSR using OpenSSL. In a Terminal window, enter the following command (where my_key_name.key is the name of the unique key that you are creating and my_csr_name.csr is the name of your CSR):
   $ openssl req -new -nodes -newkey rsa:2048 -keyout my_key_name.key -out my_csr_name.csr
2. Enter your X.509 certificate attributes. After entering the command in the previous step, you will be prompted to input several pieces of information, which are the certificate's X.509 attributes.
   Important: The common name field must be filled in with the fully qualified domain name of the server to be protected by SSL.
   If you are generating a certificate for an organization outside of the US, refer to http://www.iso.org/iso/english_country_names_and_code_elements for the list of two-letter ISO country codes.

       Generating a 2048 bit RSA private key
       ....................++++++
       ................++++++
       writing new private key to 'my_key_name.key'
       -----
       You are about to be asked to enter information that will be incorporated
       into your certificate request.
       What you are about to enter is what is called a Distinguished Name or a DN.
       There are quite a few fields but you can leave some blank
       For some fields there will be a default value,
       If you enter '.', the field will be left blank.
       -----
       Country Name (2 letter code) [US]:Your_2_letter_ISO_country_code
       State or Province Name (full name) [SomeState]:Your_State_Province_or_County
       Locality Name (eg, city) []:Your_City
       Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your_Company
       Organizational Unit Name (eg, section) []:Your_Department
       Common Name (i.e., your server's hostname) []:secure.yourwebsite.com
       Email Address []:johndoe@yourwebsite.com

   You are also prompted for "extra" attributes, including an optional challenge password. The challenge password is an attribute stored inside the CSR; it is not a passphrase on the private key (the -nodes option above leaves the key unencrypted, so the server can start from the system boot scripts without prompting). Most CAs do not use it. Leave it blank by pressing Enter:

       ...
       Please enter the following 'extra' attributes
       to be sent with your certificate request
       A challenge password []:
       An optional company name []:

   After you confirm the attributes, the private key and CSR are written to the current working directory.

   Important: If you make a mistake when running the OpenSSL command, you may discard the generated files and run the command again. After successfully generating your key and Certificate Signing Request, be sure to guard your private key (for example, mode 600 and owned by root): it cannot be re-generated, and anyone who obtains it can impersonate the server.
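The key and CSR generation of steps 1 and 2, together with the optional self-signed certificate of step 4, as an added non-interactive script. This is an example written for this page, not a tool from the Shares guide or from Aspera: it assumes an openssl binary on PATH (override with OPENSSL=/opt/aspera/shares/bin/openssl to use the copy shipped with Shares), the Distinguished Name values other than the Common Name are placeholders to edit, and it goes one step beyond the guide by also putting the hostname into a subjectAltName, which current browsers require because they ignore the Common Name. The last two functions are the checks to run on any certificate, CA-signed or not, before installing it.

```sh
#!/bin/sh
# Added example (not from the Shares guide): steps 1, 2 and the optional
# self-signed certificate of step 4, run non-interactively. Assumes an
# "openssl" binary on PATH; set OPENSSL to point at another copy.
OPENSSL="${OPENSSL:-openssl}"

# gen_key_csr HOST OUTDIR
# Writes OUTDIR/HOST.key (2048-bit RSA, unencrypted, mode 0600) and
# OUTDIR/HOST.csr. The CSR carries HOST as Common Name and also as a
# subjectAltName. DN fields other than CN are placeholders (assumption).
gen_key_csr() {
    host="$1"; dir="$2"
    cfg="$dir/$host.req.cnf"
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions     = ext
prompt             = no
[dn]
C  = US
ST = California
L  = Emeryville
O  = Example Corp
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
    umask 077   # the key is written unencrypted (-nodes), so keep it private
    "$OPENSSL" req -new -nodes -newkey rsa:2048 \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" -config "$cfg" 2>/dev/null
}

# self_sign HOST OUTDIR DAYS
# Step 4: signs OUTDIR/HOST.csr with its own key. "x509 -req" drops the
# request's extensions, so the SAN is supplied again through -extfile.
self_sign() {
    host="$1"; dir="$2"; days="${3:-365}"
    printf 'subjectAltName = DNS:%s\n' "$host" > "$dir/$host.ext"
    "$OPENSSL" x509 -req -days "$days" -in "$dir/$host.csr" \
        -signkey "$dir/$host.key" -extfile "$dir/$host.ext" \
        -out "$dir/$host.crt" 2>/dev/null
}

# cert_matches_key CRT KEY
# Succeeds when the certificate's public key belongs to KEY: the check to
# run before installing a certificate returned by the CA.
cert_matches_key() {
    c=$("$OPENSSL" x509 -noout -modulus -in "$1") || return 1
    k=$("$OPENSSL" rsa  -noout -modulus -in "$2") || return 1
    [ "$c" = "$k" ]
}

# cert_has_san CRT HOST
# Succeeds when CRT lists DNS:HOST in its subjectAltName extension.
cert_has_san() {
    "$OPENSSL" x509 -noout -text -in "$1" | grep -q -- "DNS:$2"
}

# Usage: sh gen_cert.sh secure.example.com /tmp/certs
if [ "$#" -eq 2 ]; then
    mkdir -p "$2"
    gen_key_csr "$1" "$2" && self_sign "$1" "$2" 365 \
        && cert_matches_key "$2/$1.crt" "$2/$1.key" \
        && cert_has_san "$2/$1.crt" "$1" && echo "OK: $2/$1.crt"
fi
```

Send the .csr to the CA exactly as the guide describes; when the signed certificate comes back, cert_matches_key confirms it was issued for the key you generated and cert_has_san confirms the CA kept the hostname in the subjectAltName.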
3. Send the CSR to your signing authority.

   You now need to send your CSR to a Certificate Authority (CA). Once the CSR has been signed, you will have a real certificate, which can be installed for the Shares web server (see Installing an SSL Certificate for Shares).

   Important: Some Certificate Authorities provide a Certificate Signing Request generation tool on their website. Check with your CA for additional information.

4. (Optional) Generate a self-signed certificate.

   At this point, you may need to generate a self-signed certificate because:

   • You don't plan on having your certificate signed by a CA.
   • You wish to test your new SSL implementation while the CA is signing your certificate.

   You can also generate a self-signed certificate through OpenSSL. This temporary certificate causes an error in the client's browser to the effect that the signing certificate authority is unknown and not trusted. To generate a temporary certificate (which is good for 365 days), issue the following command:

       openssl x509 -req -days 365 -in my_csr_name.csr -signkey my_key_name.key -out my_cert_name.crt

Setting Up Shares and Console on the Same Host

Important: You must install IBM Aspera Console before you install IBM Aspera Shares.

1. Install Console.
2. Install the Shares .rpm, but do not run the install script.
3. Use a text editor to open the my.cnf.setup file located at /opt/aspera/shares/etc/my.cnf.setup and provide the MySQL username and password that you used during the install of Console:

       [client]
       user     = root
       password = aspera
       host     = 127.0.0.1
       port     = 4406

   Note: "aspera" above is a placeholder; enter the password you actually set during the Console install. The file holds that password in clear text, so keep it readable by root only.

4. Run the Shares installer:

       /opt/aspera/shares/u/setup/bin/install

5. Disable the Apache web server:

       asctl apache:stop

6. Create the symlink /opt/aspera/shares/etc/nginx/locations-enabled/console so that Nginx serves Console:

       ln -s ../locations-available/console /opt/aspera/shares/etc/nginx/locations-enabled/

7. Restart the Nginx service:

       service aspera-shares restart

Securing an SSH Server

SSH servers listen for incoming connections on TCP port 22.
Port 22 is therefore subjected to a constant stream of unauthorized login attempts by attackers scanning for weakly secured servers. To reduce this exposure, you can stop listening on port 22 and run the service on a non-standard port between 1024 and 65535. Moving the port cuts the noise from opportunistic scanners and brute-force bots; it does not stop a targeted attacker, who finds the new port with a port scan, so treat it as a complement to the key-only authentication and root-login restrictions below, not a substitute for them. The following task requires root access privileges.

Aspera® transfer products ship with OpenSSH listening on both TCP/22 and TCP/33001. Aspera recommends using TCP/33001 only and disabling TCP/22.

Note: Before changing the default port for SSH connections, verify with your network administrators that TCP/33001 is open on every firewall between clients and the server, including the host firewall (iptables on RedHat 6, firewalld on RedHat 7), and notify users of the port change. On a host with SELinux enforcing, sshd may only bind ports labeled ssh_port_t, so add the new port first with semanage port -a -t ssh_port_t -p tcp 33001; otherwise sshd fails to start on it.

1. Use a text editor to open the SSH configuration file:

       /etc/ssh/sshd_config

2. Add the new SSH port. To enable TCP/33001 while you are migrating from TCP/22, list both ports in sshd_config so that sshd listens on both:

       Port 22
       Port 33001

3. Once clients have moved, disable TCP/22 by commenting it out in the sshd_config file:

       #Port 22
       Port 33001

4. Update /etc/services so that the ssh service name maps to TCP/33001 rather than 22. Note that /etc/services only affects name-to-port lookups (for example, firewall rules or tools that refer to "ssh" by name); the Port directives in sshd_config decide what sshd actually listens on.

5. In OpenSSH versions 4.4 and later, disable SSH tunneling to avoid potential attacks by adding the following lines at the end of the sshd_config file. As a result, only users in the root group are permitted to tunnel:

       ...
       AllowTcpForwarding no
       Match Group root
           AllowTcpForwarding yes

   The Match block must be the last thing in the file: every directive after a Match line applies only to connections that satisfy it. Depending on your sshd_config file, you may have additional instances of AllowTcpForwarding that are set to the default yes. sshd uses the first value it reads for a keyword, so review the file for other instances and disable them as appropriate.

   Disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders. Review your user and file permissions, and see the following instructions on modifying shell access.

6. Update the authentication methods by adding or uncommenting PubkeyAuthentication yes in the sshd_config file and commenting out PasswordAuthentication yes:

       ...
       PubkeyAuthentication yes
       #PasswordAuthentication yes
       PasswordAuthentication no
       ...

   Because sshd keeps the first value it reads for a keyword, PasswordAuthentication yes must be commented out, not merely followed by the new line. On RedHat, also set ChallengeResponseAuthentication no; otherwise PAM can still prompt for a password through keyboard-interactive authentication. Before turning password logins off, confirm from a second session that key-based login works for every account that needs it, including the shares system user whose authorized_keys file was set up in the node configuration above, and keep that session open while you restart sshd so that a mistake does not lock you out.
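Before moving on to step 7 and restarting sshd, the settings from steps 2 to 6 (and the PermitRootLogin setting of step 7) can be checked mechanically. The following script is an added example written for this page, not an Aspera tool or part of the original guide. sshd_global reads a sshd_config the way sshd does (comments stripped, the first value of a keyword wins, everything after the first Match line is conditional), sshd_audit reports any setting that is still at its permissive value, and authorized_keys_ok checks that the shares user's key files have the modes from step 7 of the node setup, which sshd's StrictModes requires before it will accept the key. The config file and home directory paths are parameters; the sample configs in the test are constructed.

```sh
#!/bin/sh
# Added example (not from the Shares guide): audit a sshd_config for the
# hardening steps on this page, and check the shares user's key files.

# sshd_global FILE KEYWORD
# Prints the value sshd applies for KEYWORD in the global section of FILE.
# Rules: keywords are case-insensitive, '#' starts a comment, the FIRST
# occurrence of a keyword wins, and everything after the first "Match"
# line is conditional, so the scan stops there. Port may appear several
# times (sshd listens on all of them), so every global Port is printed.
sshd_global() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key && (key == "port" || !seen) { print $2; seen = 1 }
    ' "$1"
}

# sshd_audit FILE
# Returns 0 when FILE has no listener on 22, key auth on, password and
# keyboard-interactive (PAM) auth off, root login off and TCP forwarding
# off in the global section. Failures go to stderr. Keywords that are
# absent are judged by sshd's compiled-in defaults.
sshd_audit() {
    f="$1"; bad=0
    want() {   # want KEYWORD EXPECTED DEFAULT
        v=$(sshd_global "$f" "$1"); v=${v:-$3}
        v=$(printf '%s' "$v" | tr 'A-Z' 'a-z')
        if [ "$v" != "$2" ]; then
            echo "FAIL: $1 is '$v', want '$2'" >&2; bad=1
        fi
    }
    ports=$(sshd_global "$f" Port)
    [ -n "$ports" ] || { echo "FAIL: no Port directive, sshd defaults to 22" >&2; bad=1; }
    for p in $ports; do
        [ "$p" = "22" ] && { echo "FAIL: still listening on TCP/22" >&2; bad=1; }
    done
    want PubkeyAuthentication            yes yes
    want PasswordAuthentication          no  yes
    want ChallengeResponseAuthentication no  yes
    want PermitRootLogin                 no  yes
    want AllowTcpForwarding              no  yes
    return $bad
}

# authorized_keys_ok HOME_DIR
# Returns 0 when HOME_DIR, HOME_DIR/.ssh and authorized_keys exist with the
# modes from the node setup (700/700/600) and the file holds a key. With
# StrictModes (the default) sshd ignores keys in a group- or world-writable
# file or directory, which would lock the user out once passwords are off.
authorized_keys_ok() {
    h="$1"; ok=0
    [ "$(stat -c %a "$h" 2>/dev/null)" = "700" ]      || { echo "FAIL: $h is not 700" >&2; ok=1; }
    [ "$(stat -c %a "$h/.ssh" 2>/dev/null)" = "700" ] || { echo "FAIL: $h/.ssh is not 700" >&2; ok=1; }
    [ "$(stat -c %a "$h/.ssh/authorized_keys" 2>/dev/null)" = "600" ] \
        || { echo "FAIL: authorized_keys is not 600" >&2; ok=1; }
    grep -qE '^(ssh-|ecdsa-)' "$h/.ssh/authorized_keys" 2>/dev/null \
        || { echo "FAIL: no key in authorized_keys" >&2; ok=1; }
    return $ok
}

# Usage on a live host: sh sshd_audit.sh /etc/ssh/sshd_config /home/shares
if [ "$#" -eq 2 ]; then
    sshd_audit "$1" && authorized_keys_ok "$2" && echo "OK"
fi
```

On the host itself, sudo /usr/sbin/sshd -T prints the effective configuration after sshd's own parsing and is the authoritative cross-check for what this script reports.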
7. Disable root login by commenting out PermitRootLogin yes in the sshd_config file and adding PermitRootLogin no:

       ...
       #PermitRootLogin yes
       PermitRootLogin no
       ...

   Administrators can then use the su command if root privileges are needed.

8. Restart the SSH server to apply the new settings. Check the file for syntax errors first with sudo /usr/sbin/sshd -t (no output means the file parsed), then restart or reload the SSH server using the following commands:

   OS Version          Instructions
   RedHat (restart)    $ sudo service sshd restart
   RedHat (reload)     $ sudo service sshd reload
   Debian (restart)    $ sudo /etc/init.d/ssh restart
   Debian (reload)     $ sudo /etc/init.d/ssh reload

Shares API Permissions

Aspera products such as IBM Aspera Drive and IBM Aspera Enterprise Server have integrated capabilities for working with IBM Aspera Shares. Such products interact with Shares using the API. To allow the API to access a user's shares correctly, ensure that the permissions are configured as follows.

1. For each Shares user, ensure that the API Login check box is checked under the Security tab. On Shares 1.6 and later versions, this permission is enabled by default whenever new users are created.
2. Create shares, and authorize users for each share. The table below describes the mapping between the API permissions and Shares user permissions.
   API Permission to Allow    Share Permissions that should be Enabled
   View                       browse and download
   Edit                       upload, rename, mkdir
   Delete                     delete

Troubleshooting

Issue: I have forgotten my IBM Aspera Shares Administrator password

Solution: You can reset your Shares Administrator password by opening a root terminal on your Shares server and running the following command:

    /opt/aspera/shares/u/shares/bin/run rake aspera:admin NAME="admin" PASSWORD="example-password" EMAIL="email@example.com"

Note: The password is passed on the command line, so it is recorded in the root shell history and briefly visible in the process list. Treat it as a temporary value.

Technical Support

For further assistance, you may contact Aspera through the following methods:

   Contact         Info
   Email           support@asperasoft.com
   Phone           +1 (510) 849-2386
   Request Form    https://support.asperasoft.com/anonymous_requests/new/

The technical support service hours:

   Support Type    Hours (Pacific Standard Time, GMT-8)
   Standard        8:00am – 6:00pm
   Premium         8:00am – 12:00am

We are closed on the following days:

   Support Unavailable    Dates
   Weekends               Saturday, Sunday
   Aspera Holidays        See our Website.

Feedback

The Aspera Technical Publications department wants to hear from you on how Aspera can improve customer documentation. To submit feedback about this guide, or any other Aspera product document, visit the Aspera Product Documentation Feedback Forum. Through this forum, you can let us know if you find content that is not clear or appears incorrect. Aspera also invites you to submit ideas for new topics, and for improvements to the documentation for easier reading and implementation. When you visit the Aspera Product Documentation Feedback Forum, remember the following:

• You must be registered to use the Aspera Support Website at https://support.asperasoft.com/.
• Be sure to read the forum guidelines before submitting a request.

Legal Notice

© 2012-2015 Aspera, Inc., an IBM Company. All rights reserved. Licensed Materials - Property of IBM © Copyright IBM Corp., 2012, 2015. Used under license.
US Government Users Restricted Rights- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Aspera, the Aspera logo, and FASP transfer technology are trademarks of Aspera, Inc., registered in the United States. Aspera Connect Server, Aspera Drive, Aspera Enterprise Server, Aspera Point-to-Point, Aspera Client, Aspera Connect, Aspera Cargo, Aspera Console, Aspera Orchestrator, Aspera Crypt, Aspera Shares, the Aspera Add-in for Microsoft Outlook, and Aspera Faspex are trademarks of Aspera, Inc. All other trademarks mentioned in this document are the property of their respective owners. Mention of third-party products in this document is for informational purposes only. All understandings, agreements, or warranties, if any, take place directly between the vendors and the prospective users.