Authorization configuration
The Authorization configuration options include connection permissions, token key, and encryption requirements.
Authorization settings reference
Setting | Description | Values | Default |
---|---|---|---|
Incoming Transfers | | allow, deny, or token | allow |
Incoming External Provider URL | Set the URL of the external authorization provider for incoming transfers. The default empty setting disables external authorization. Aspera servers can be configured to check with an external authorization provider. This SOAP authorization mechanism can be useful to organizations that require custom authorization rules. Requires a value for Incoming External Provider SOAP Action. | HTTP URL | blank |
Incoming External Provider SOAP Action | The SOAP action required by the external authorization provider for incoming transfers. Required if Incoming External Provider URL is set. | text string | blank |
Outgoing Transfers | | allow, deny, or token | allow |
Outgoing External Provider URL | Set the URL of the external authorization provider for outgoing transfers. The default empty setting disables external authorization. HSTS can be configured to check with an external authorization provider. This SOAP authorization mechanism can be useful to organizations that require custom authorization rules. Requires a value for Outgoing External Provider SOAP Action. | HTTP URL | blank |
Outgoing External Provider SOAP Action | The SOAP action required by the external authorization provider for outgoing transfers. Required if Outgoing External Provider URL is set. | text string | blank |
Token Encryption Cipher | Set the cipher used to generate encrypted transfer tokens. | aes-128, aes-192, or aes-256 | aes-128 |
Token Encryption Key | Set the secret text phrase that is used to authorize the transfers that are configured to require a token. For security, set a token encryption key of at least 20 random characters. For more information, see Require token authorization: Set in the GUI. | text string | blank |
Token Life (seconds) | Set the token expiration for users of web-based transfer applications. | positive integer | 86400 (24 hrs) |
Strong Password Required for Content Encryption | The password must include at least 6 characters, of which at least 1 is non-alphanumeric, at least 1 is a letter, and at least 1 is a digit. | true or false | false |
Content Protection Secret | Enable server-side encryption-at-rest (EAR) by setting the passphrase. Files uploaded to the server are encrypted while stored there, and are decrypted when they are downloaded. For more information, see Server-Side Encryption-at-Rest (EAR). | passphrase | none |
Content Protection Required | true - Requires that uploaded content is encrypted by the client (enforce client-side encryption-at-rest). For more information, see Client-Side Encryption-at-Rest (EAR). Important: When a transfer falls back to HTTP or HTTPS, content protection is no longer supported. If HTTP fallback occurs while downloading, despite entering a passphrase, the file remains encrypted. If HTTP fallback occurs during upload, despite entering a passphrase, the files are not encrypted. | true or false | false |
Allow transfer when client lacks GCM | By default, when a server is configured for a GCM cipher, for example aes-256-gcm, and the client is running a server version 3.8 or lower, the transfer fails because clients that are running version 3.8 or lower do not support GCM mode. However, setting | true or false | true |
Do encrypted transfers in FIPS 140-2 certified encryption mode | Set to true for ascp to use a FIPS 140-2 certified encryption module. When enabled, transfer start is delayed while the FIPS module is verified. When you run ascp in FIPS mode (that is, Important: When set to true, all ciphers and hash algorithms that are not FIPS compliant abort transfers. | true or false | false |
Encryption Allowed | Set the transfer encryption allowed by this computer. For security, you must require transfer encryption. Aspera supports three sizes of AES cipher keys (128, 192, and 256 bits) and supports two encryption modes, Cipher Feedback mode (CFB) and Galois Counter Mode (GCM). The GCM mode encrypts data faster and increases transfer speeds compared to the CFB mode, but the server must support and permit it. Note: To ensure client compatibility when requiring encryption, use a cipher with the form aes-XXX, which is supported by all clients and servers. Requiring GCM causes the server to reject transfers from clients that are running a version of ascp 3.8 or older, unless <strict_allowed_cipher> is set to false. When a client requests a shorter cipher key than is configured on the server or in an access key that authorizes the transfer, the transfer is automatically upgraded to the server setting. For more information about how the server and client negotiate the transfer cipher, see the description of -c in Ascp command reference and Ascp4 command reference. | any, none, aes-128, aes-192, aes-256, aes-128-cfb, aes-192-cfb, aes-256-cfb, aes-128-gcm, aes-192-gcm, or aes-256-gcm | any |
Allow transfer when client lacks GCM | By default, when a server is configured for a GCM mode cipher, for example aes-256-gcm, and the client is running a version of ascp 3.8 or older, the transfer fails. However, setting <strict_allowed_cipher> to false permits transfers under these conditions. | true or false | false |
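
The dependencies and security recommendations in the table above can be checked mechanically. The following is an added example, not vendor code: it audits a settings dictionary keyed by the table's setting names, and the dictionary format, the finding codes, and the sample values are assumptions made for illustration.

```python
# Added example, not vendor code. Keys are the setting names from the table;
# the dict representation and the finding codes are assumptions of this sketch.
GCM = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm"}

def is_strong_password(pw):
    """'Strong Password Required' rule: >= 6 chars with a letter, a digit, a non-alphanumeric."""
    return (len(pw) >= 6 and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))

def audit(cfg):
    """Return a sorted list of finding codes for one settings dict."""
    found = set()
    for side in ("Incoming", "Outgoing"):
        url = cfg.get(f"{side} External Provider URL", "")
        action = cfg.get(f"{side} External Provider SOAP Action", "")
        if url and not action:  # the SOAP Action is required once a URL is set
            found.add(f"{side.lower()}-soap-action-missing")
        # Token mode relies on the Token Encryption Key; only length is checkable here.
        if (cfg.get(f"{side} Transfers", "allow") == "token"
                and len(cfg.get("Token Encryption Key", "")) < 20):
            found.add("token-key-under-20-chars")
    cipher = cfg.get("Encryption Allowed", "any")
    if cipher in ("any", "none"):
        found.add("transfer-encryption-not-required")
    # Default taken as false, as in the table's last row.
    if cipher in GCM and not cfg.get("Allow transfer when client lacks GCM", False):
        found.add("ascp-3.8-or-older-clients-rejected")
    if cfg.get("Content Protection Required", False):
        found.add("content-protection-unsupported-on-http-fallback")
        if not cfg.get("Strong Password Required for Content Encryption", False):
            found.add("weak-content-passwords-accepted")
    secret = cfg.get("Content Protection Secret", "")
    # Applying the strong-password rule to the server secret is this example's choice.
    if secret and not is_strong_password(secret):
        found.add("weak-content-protection-secret")
    return sorted(found)

# Constructed sample: token mode with a short key, a provider URL without its
# SOAP Action, a required GCM cipher, and a weak server-side secret.
SAMPLE = {
    "Incoming Transfers": "token",
    "Token Encryption Key": "shortkey",
    "Incoming External Provider URL": "http://authz.example.invalid/soap",
    "Encryption Allowed": "aes-256-gcm",
    "Content Protection Required": True,
    "Content Protection Secret": "abcdef",
}

if __name__ == "__main__":
    for code in audit(SAMPLE):
        print(code)
```

Running `audit({})` evaluates the table's defaults, which leave transfer encryption optional because Encryption Allowed defaults to any.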