Authorization configuration

The Authorization configuration options include connection permissions, token key, and encryption requirements.

Note: For security, deny incoming and outgoing transfers globally, then allow transfers by individual users, as needed.
  1. Open the application with Administrator privileges.
  2. Click Configuration > Authorization.

    (Figure: the Server Configuration window, showing the Authorization configuration options.)

  3. Edit the Global, Groups, and Users settings on their Authorization tabs. Select Override in a setting's row to set an effective value at that scope. User settings take precedence over group settings, which take precedence over global settings.
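The precedence rule in step 3 is easy to get wrong when a user belongs to several groups, so here is a small resolver that applies it to a configuration file. It is added as an example and is not part of the IBM documentation or of the product. It parses a constructed aspera.conf-style fragment: the Global scope is assumed to live under <default> and the Groups and Users scopes under <aaa>/<realms>/<realm>; those element paths, and the reading that an absent element means "Override not selected", are assumptions to verify against the aspera.conf reference for your release. Group membership comes from the operating system rather than from aspera.conf, so the resolver takes it as an argument; when a user is in several groups that each override a row, the first group in the order given wins (also an assumption).

```python
import xml.etree.ElementTree as ET

# Constructed sample in the aspera.conf layout this example assumes:
# Global settings under <default>, Groups and Users under <aaa>/<realms>/<realm>.
# Verify the element paths against the aspera.conf reference for your release.
SAMPLE_CONF = """
<CONF version="2">
  <default>
    <authorization>
      <transfer>
        <in><value>deny</value></in>
        <out><value>deny</value></out>
      </transfer>
    </authorization>
  </default>
  <aaa><realms><realm>
    <groups>
      <group>
        <name>editors</name>
        <authorization><transfer><in><value>allow</value></in></transfer></authorization>
      </group>
    </groups>
    <users>
      <user>
        <name>alice</name>
        <authorization><transfer><out><value>token</value></out></transfer></authorization>
      </user>
      <user><name>bob</name></user>
    </users>
  </realm></realms></aaa>
</CONF>
"""

# A weak variant in the same layout: global Incoming left at allow, Outgoing not set at all.
WEAK_CONF = """
<CONF version="2">
  <default>
    <authorization><transfer><in><value>allow</value></in></transfer></authorization>
  </default>
</CONF>
"""

# GUI row name -> (element path below an <authorization> scope, built-in default
# from the settings reference, used when no scope overrides the row).
SETTINGS = {
    "Incoming Transfers": ("authorization/transfer/in/value", "allow"),
    "Outgoing Transfers": ("authorization/transfer/out/value", "allow"),
}


def _override(scope, path):
    """Value set at this scope, or None when the row is not overridden here.
    An absent element is taken to mean 'inherit from the next scope up'."""
    if scope is None:
        return None
    el = scope.find(path)
    return el.text.strip() if el is not None and el.text else None


def load_scopes(conf_xml):
    """Return (global scope, {group name: element}, {user name: element})."""
    root = ET.fromstring(conf_xml.strip())
    groups = {g.findtext("name"): g for g in root.iterfind("aaa/realms/realm/groups/group")}
    users = {u.findtext("name"): u for u in root.iterfind("aaa/realms/realm/users/user")}
    return root.find("default"), groups, users


def effective_value(conf_xml, user, user_groups, setting):
    """Resolve one row for one user: user > group > global > built-in default.
    Returns (value, name of the scope that supplied it)."""
    path, builtin = SETTINGS[setting]
    global_scope, groups, users = load_scopes(conf_xml)
    value = _override(users.get(user), path)
    if value is not None:
        return value, "user"
    for name in user_groups:  # first overriding group wins (assumption: order given)
        value = _override(groups.get(name), path)
        if value is not None:
            return value, "group:" + name
    value = _override(global_scope, path)
    if value is not None:
        return value, "global"
    return builtin, "built-in default"


def audit_global_defaults(conf_xml):
    """The page's advice: deny both directions globally, then allow per user."""
    global_scope, _, _ = load_scopes(conf_xml)
    findings = []
    for row, (path, builtin) in SETTINGS.items():
        value = _override(global_scope, path) or builtin
        if value != "deny":
            findings.append(f"Global {row} is '{value}'; set it to deny and allow per user")
    return findings


if __name__ == "__main__":
    for user, groups in (("alice", ["editors"]), ("bob", [])):
        for row in SETTINGS:
            print(user, row, effective_value(SAMPLE_CONF, user, groups, row))
    print(audit_global_defaults(WEAK_CONF))
```

Run against the sample, alice gets Incoming from her group and Outgoing from her own override, while bob, who overrides nothing, falls through to the global deny. The audit reports the weak variant twice: once for the explicit global allow and once for the Outgoing row that was never set and therefore silently carries the built-in allow.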

Authorization settings reference

Each setting is listed with its description, its allowed values, and its default.

Incoming Transfers
  Controls transfers to this computer.
  • allow - enable users to transfer to this computer.
  • deny - prevent transfers to this computer.
  • token - allow only transfers that were initiated with a valid token. Token-based transfers are typically used by web applications such as IBM Aspera Faspex and IBM Aspera Shares and require a Token Encryption Key.
  Values: allow, deny, or token
  Default: allow

Incoming External Provider URL
  The URL of the external authorization provider for incoming transfers. The default empty setting disables external authorization. Aspera servers can be configured to check with an external authorization provider; this SOAP authorization mechanism is useful to organizations that require custom authorization rules. Requires a value for Incoming External Provider SOAP Action.
  Values: HTTP URL
  Default: blank

Incoming External Provider SOAP Action
  The SOAP action required by the external authorization provider for incoming transfers. Required if Incoming External Provider URL is set.
  Values: text string
  Default: blank

Outgoing Transfers
  Controls transfers from this computer.
  • allow - enable users to transfer from this computer.
  • deny - prevent transfers from this computer.
  • token - allow only transfers that were initiated with a valid token. Token-based transfers are typically used by web applications such as IBM Aspera Faspex and IBM Aspera Shares and require a Token Encryption Key.
  Values: allow, deny, or token
  Default: allow

Outgoing External Provider URL
  The URL of the external authorization provider for outgoing transfers. The default empty setting disables external authorization. HSTS can be configured to check with an external authorization provider; this SOAP authorization mechanism is useful to organizations that require custom authorization rules. Requires a value for Outgoing External Provider SOAP Action.
  Values: HTTP URL
  Default: blank

Outgoing External Provider SOAP Action
  The SOAP action required by the external authorization provider for outgoing transfers. Required if Outgoing External Provider URL is set.
  Values: text string
  Default: blank

Token Encryption Cipher
  The cipher used to generate encrypted transfer tokens.
  Values: aes-128, aes-192, or aes-256
  Default: aes-128

Token Encryption Key
  The secret text phrase used to authorize transfers that are configured to require a token. For security, set a token encryption key of at least 20 random characters. For more information, see Require token authorization: Set in the GUI.
  Values: text string
  Default: blank

Token Life (seconds)
  The token expiration for users of web-based transfer applications.
  Values: positive integer
  Default: 86400 (24 hours)

Strong Password Required for Content Encryption
  true - Require a strong password for content encryption (client-side encryption-at-rest). The password must include at least 6 characters, of which at least 1 is non-alphanumeric, at least 1 is a letter, and at least 1 is a digit.
  Values: true or false
  Default: false

Content Protection Secret
  Enable server-side encryption-at-rest (EAR) by setting the passphrase. Files uploaded to the server are encrypted while stored there and are decrypted when they are downloaded. For more information, see Server-Side Encryption-at-Rest (EAR).
  Values: passphrase
  Default: none

Content Protection Required
  true - Require that uploaded content is encrypted by the client (enforce client-side encryption-at-rest). For more information, see Client-Side Encryption-at-Rest (EAR).
  Important: When a transfer falls back to HTTP or HTTPS, content protection is no longer supported. If HTTP fallback occurs during a download, the file remains encrypted even though a passphrase was entered. If HTTP fallback occurs during an upload, the files are not encrypted even though a passphrase was entered.
  Values: true or false
  Default: false
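The Token Encryption Key guidance (at least 20 random characters) and the password rule behind Strong Password Required for Content Encryption are worth checking mechanically before the values go into the GUI. The following helper is added as an example; it is not part of the IBM documentation or of the product. It generates a token encryption key from the operating system's CSPRNG that meets the 20-random-character guidance, lists the ways a candidate key falls short of it, and implements the strong-password rule exactly as stated. The character-class and repetition checks on the token key are heuristics of mine, not product requirements.

```python
import secrets
import string

TOKEN_KEY_MIN_LEN = 20                 # guidance on the page: at least 20 random characters
SYMBOLS = "!#%*+-./:=?@^_~"            # punctuation that needs no XML escaping in aspera.conf
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)


def generate_token_encryption_key(length=32):
    """Random key drawn from the OS CSPRNG (secrets, never random), with each
    character class guaranteed to appear at least once."""
    if length < TOKEN_KEY_MIN_LEN:
        raise ValueError(f"length must be at least {TOKEN_KEY_MIN_LEN}")
    alphabet = "".join(CLASSES)
    chars = [secrets.choice(cls) for cls in CLASSES]          # one from every class
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # so the guaranteed characters are not always first
    return "".join(chars)


def token_key_problems(key):
    """Reasons a candidate key falls short of the guidance; an empty list means acceptable."""
    problems = []
    if len(key) < TOKEN_KEY_MIN_LEN:
        problems.append(f"too short: {len(key)} characters, need at least {TOKEN_KEY_MIN_LEN}")
    classes_present = sum(any(c in cls for c in key) for cls in CLASSES)
    if classes_present < 3:                # heuristic of mine, not a product rule
        problems.append("low variety: fewer than 3 character classes")
    if len(set(key)) < len(key) // 2:      # heuristic: catches 'aaaa...' and 'abab...' keys
        problems.append("low variety: too many repeated characters")
    return problems


def content_password_is_strong(password):
    """The rule enforced by 'Strong Password Required for Content Encryption':
    at least 6 characters, at least one letter, one digit and one non-alphanumeric
    character. Note that a space counts as non-alphanumeric under this literal rule."""
    return (
        len(password) >= 6
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


if __name__ == "__main__":
    key = generate_token_encryption_key()
    print(key, token_key_problems(key))
    print(token_key_problems("secret"))
    for candidate in ("Abc12!", "abcdef", "123456!", "Ab1!"):
        print(candidate, content_password_is_strong(candidate))
```

The same key has to be configured in Faspex or Shares as in the server, so generate it once here and paste it into both rather than typing a phrase by hand.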
Do encrypted transfers in FIPS 140-2 certified encryption mode
  Set to true for ascp to use a FIPS 140-2 certified encryption module. When enabled, transfer start is delayed while the FIPS module is verified.
  When you run ascp in FIPS mode (that is, <fips_enabled> is set to true in aspera.conf) and you use passphrase-protected SSH keys, you must use keys generated by running ssh-keygen on a FIPS-enabled system, or convert existing keys to a FIPS-compatible format by running a command such as the following example:

    openssl pkcs8 -topk8 -v2 aes128 -in id_rsa -out new-id_rsa

  Important: When set to true, any cipher or hash algorithm that is not FIPS compliant aborts the transfer.
  Values: true or false
  Default: false

Encryption Allowed
  The transfer encryption allowed by this computer. For security, require transfer encryption. Aspera supports three sizes of AES cipher key (128, 192, and 256 bits) and two encryption modes, Cipher Feedback mode (CFB) and Galois/Counter Mode (GCM). GCM encrypts data faster and increases transfer speeds compared to CFB, but the server must support and permit it.
  Note: To ensure client compatibility when requiring encryption, use a cipher of the form aes-XXX, which is supported by all clients and servers. Requiring GCM causes the server to reject transfers from clients running ascp 3.8 or older, unless <strict_allowed_cipher> is set to false. When a client requests a shorter cipher key than is configured on the server, or in an access key that authorizes the transfer, the transfer is automatically upgraded to the server setting. For more information about how the server and client negotiate the transfer cipher, see the description of -c in the Ascp command reference and the Ascp4 command reference.
  Values:
  • any - allow transfers that use any encryption cipher, or none.
  • none - require unencrypted transfers. For security, avoid this value.
  • aes-128, aes-192, or aes-256 - allow transfers that use a cipher key as long as or longer than the setting. Whether CFB or GCM mode is used depends on the client version and the cipher requested. Supports all client versions.
  • aes-128-cfb, aes-192-cfb, or aes-256-cfb - require CFB mode and a cipher key as long as or longer than the setting. Supports all client versions.
  • aes-128-gcm, aes-192-gcm, or aes-256-gcm - require GCM mode and a cipher key as long as or longer than the setting. Clients running ascp 3.8 or older cannot use GCM.
  Default: any
Allow transfer when client lacks GCM
  By default, when a server is configured for a GCM mode cipher, for example aes-256-gcm, and the client is running ascp 3.8 or older, the transfer fails because those clients do not support GCM mode. Setting <strict_allowed_cipher> to false in aspera.conf permits transfers under these conditions.
  Values: true or false
  Default: false
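The negotiation rules spread across the Encryption Allowed note, its value list and the Allow transfer when client lacks GCM row can be written down as one function, which makes it easy to see what a given server setting will do to each client population before you change it. The following model is added as an example and is not IBM's code. It reproduces the stated rules (key as long as or longer than the setting, automatic upgrade of a shorter requested key, CFB-only clients at ascp 3.8 or older, the effect of <strict_allowed_cipher>) and fills three gaps with labelled assumptions: that a client requesting no encryption against a server that requires it is upgraded like any other too-short request, that a plain aes-XXX setting negotiates GCM whenever the client supports it, and that an encrypted request against a server set to none is refused. Client versions are compared as tuples; -c values follow the ascp spelling (aes256-gcm) and server values the aspera.conf spelling (aes-256-gcm).

```python
from dataclasses import dataclass

KEY_BITS = {"aes128": 128, "aes192": 192, "aes256": 256}
FIRST_GCM_VERSION = (3, 9, 0)   # ascp 3.8 and older cannot do GCM (from the page)


class TransferRejected(Exception):
    """Raised when the server would refuse the transfer."""


def parse_cipher(spec):
    """Normalise 'aes-256-gcm' (aspera.conf) and 'aes256-gcm' (ascp -c) to (bits, mode).
    Returns ('any', None) or ('none', None) for those keywords; mode is 'cfb', 'gcm' or None."""
    s = spec.lower().replace("aes-", "aes")
    if s in ("any", "none"):
        return s, None
    bits, _, mode = s.partition("-")
    if bits not in KEY_BITS or mode not in ("", "cfb", "gcm"):
        raise ValueError(f"unknown cipher spec {spec!r}")
    return KEY_BITS[bits], (mode or None)


@dataclass
class Client:
    version: tuple      # ascp version, e.g. (3, 8, 0)
    requested: str      # value passed to ascp -c

    @property
    def supports_gcm(self):
        return self.version >= FIRST_GCM_VERSION


def negotiate(server_allowed, client, strict_allowed_cipher=True):
    """Return the cipher the transfer runs with ('aes-<bits>-<mode>' or 'none'),
    or raise TransferRejected, following the Encryption Allowed rules."""
    s_bits, s_mode = parse_cipher(server_allowed)
    c_bits, c_mode = parse_cipher(client.requested)
    if c_bits == "any":
        raise ValueError("'any' is a server setting, not a client request")
    if c_mode == "gcm" and not client.supports_gcm:
        raise TransferRejected("client asked for GCM but its ascp version lacks it")

    if s_bits == "any":                      # server accepts whatever the client asks for
        if c_bits == "none":
            return "none"
        return f"aes-{c_bits}-{c_mode or ('gcm' if client.supports_gcm else 'cfb')}"
    if s_bits == "none":                     # assumption: 'require unencrypted' refuses encryption
        if c_bits != "none":
            raise TransferRejected("server is set to none; encrypted transfer refused")
        return "none"

    # Server requires AES of at least s_bits: a shorter (or absent) request is upgraded.
    bits = s_bits if c_bits == "none" or c_bits < s_bits else c_bits
    if s_mode == "gcm":
        if not client.supports_gcm:
            if strict_allowed_cipher:
                raise TransferRejected("client lacks GCM; set <strict_allowed_cipher> to false to allow")
            return f"aes-{bits}-cfb"         # assumption: falls back to the client's CFB
        if c_mode == "cfb":
            raise TransferRejected("server requires GCM; client asked for CFB")
        return f"aes-{bits}-gcm"
    if s_mode == "cfb":
        if c_mode == "gcm":
            raise TransferRejected("server requires CFB; client asked for GCM")
        return f"aes-{bits}-cfb"
    # Plain aes-XXX: mode follows the client's request, else GCM when the client has it (assumption).
    return f"aes-{bits}-{c_mode or ('gcm' if client.supports_gcm else 'cfb')}"


def rejected(server_allowed, client, strict_allowed_cipher=True):
    """True when negotiate() would refuse the transfer (handy for tests and audits)."""
    try:
        negotiate(server_allowed, client, strict_allowed_cipher)
        return False
    except TransferRejected:
        return True


if __name__ == "__main__":
    fleet = [Client((3, 8, 0), "aes256"), Client((4, 1, 0), "aes128"), Client((4, 1, 0), "none")]
    for setting in ("any", "aes-256", "aes-256-cfb", "aes-256-gcm"):
        for c in fleet:
            outcome = "REJECTED" if rejected(setting, c) else negotiate(setting, c)
            print(f"{setting:<12} ascp {c.version} -c {c.requested:<7} -> {outcome}")
```

The demo table at the bottom is the check to run before tightening Encryption Allowed: aes-256 keeps every client while still forcing 256-bit keys, whereas aes-256-gcm drops every 3.8-or-older client until you either upgrade them or accept the weaker <strict_allowed_cipher> false fallback.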