Authorization configuration

The Authorization configuration options include connection permissions, token key, and encryption requirements.

Note: For security, deny incoming and outgoing transfers globally, then allow transfers by individual users, as needed.

Open the application with privileges.
Click Configuration > Authorization.
Edit Global , Groups, and Users settings on their Authorization tabs. Select Override in the option's row to set an effective value. User settings take precedence over group settings, which take precedence over global settings.

Authorization settings reference

Setting	Description	Values	Default
Incoming Transfers	`allow` - enable users to transfer to this computer. `deny` - prevents the transfers to this computer. `token` - allows only the transfers that were initiated with valid tokens to this computer. Token-based transfers are typically used by web applications such as IBM Aspera Faspex and IBM Aspera Shares and require a Token Encryption Key.	allow, deny, or token	allow
Incoming External Provider URL	Set the URL of the external authorization provider for incoming transfers. The default empty setting disables external authorization. Aspera® servers can be configured to check with an external authorization provider. This SOAP authorization mechanism can be useful to organizations that require custom authorization rules. Requires a value for Incoming External Provider SOAP Action.	HTTP URL	blank
Incoming External Provider SOAP Action	The SOAP action required by the external authorization provider for incoming transfers. Required if incoming external provider URL is set.	text string	blank
Outgoing Transfers	`allow` - enable users to transfer from this computer. `deny` - prevents the transfer from this computer. `token` - allows only the transfers that were initiated with valid tokens from this computer. Token based transfers are typically used by web applications such as IBM Aspera Faspex and IBM Aspera Shares and require a Token Encryption Key.	`allow`, `deny`, or `token`	`allow`
Outgoing External Provider URL	Set the URL of the external authorization provider for outgoing transfers. The default empty setting disables external authorization. HSTS can be configured to check with an external authorization provider. This SOAP authorization mechanism can be useful to organizations that requires custom authorization rules. Requires a value for Outgoing External Provider SOAP action.	HTTP URL	blank
Outgoing External Provider Soap Action	The SOAP action required by the external authorization provider for outgoing transfers. Required if Outgoing External Provider URL is set.	text string	blank
Token Encryption Cipher	Set the cipher used to generate encrypted transfer tokens.	`aes-128`, `aes-192`, or `aes-256`	`aes-128`
Token Encryption Key	Set the secret text phrase that is used to authorize the transfers that are configured to require a token. For security, set a token encryption key of at least 20 random characters. For more information, see .	text string	blank
Token Life (seconds)	Set the token expiration for users of web-based transfer applications.	positive integer	`86400` (24 hrs)
Strong Password Required for Content Encryption	`true` - Requires that the password for content encryption that is the client-side encryption at rest. The password must include at least 6 characters, of which at least 1 is non-alphanumeric, at least 1 is a letter, and at least 1 is a digit.	`true` or false	`false`
Content Protection Secret	Enable server-side encryption-at-rest (EAR) by setting the passphrase. Files uploaded to the server are encrypted while stored there, and are decrypted when they are downloaded. For more information, see .	passphrase	none
Content Protection Required	`true` - Requires that uploaded content is encrypted by the client (enforce client-side encryption-at-rest). For more information, see Client-Side Encryption-at-Rest (EAR). Important: When a transfer falls back to HTTP or HTTPS, content protection is no longer supported. If HTTP fallback occurs while downloading, despite entering a passphrase, the file remains encrypted. If HTTP fallback occurs during upload, despite entering a passphrase, the files are not encrypted.	`true` or `false`	`false`
Allow transfer when client lacks GCM	By default, when a server is configured for a GCM cipher, for example aes-256-gcm, and the client is running a server version 3.8 or lower, the transfer fails because clients that are running version 3.8 or lower do not support GCM mode. However, setting `<strict_allowed_cipher>` to `false` permits transfers under these conditions.	`true` or `false`	`true`
Do encrypted transfers in FIPS 140-2 certified encryption mode	(V.4.4.6) Set `fips_mode` to enabled or required so that ascp uses a FIPS 140-2 certified encryption module. Enabling FIPS mode might delay startup while the system verifies the FIPS module. The `fips_mode` option supports three values: `enabled`, `disabled`, and `required`. Use `enabled` or `required` to activate FIPS mode. The older `true` and `false` values remain supported for compatibility with earlier versions. When you set `fips_mode` to `enabled` or `required`, both systems must use compatible FIPS settings for transfers to succeed. If any of the systems use `required` but the other system does not use `enabled` or `required`, the transfer fails. If you use passphrase-protected SSH keys, they must be FIPS-compliant. This means either generating them using `ssh-keygen` on a FIPS-enabled system, or converting existing keys to a FIPS-compatible format by running: `openssl pkcs8 -topk8 -v2 aes128 -in id_rsa -out new-id_rsa` Important: When set to `enabled`, all ciphers and hash algorithms that are not FIPS-compliant stops transfers.	`enabled`, `required`, `disabled`	`disabled`
Encryption Allowed	Set the transfer encryption allowed by this computer. For security, you must require transfer encryption. Aspera supports three sizes of AES cipher keys (128, 192, and 256 bits) and supports two encryption modes, Cipher Feedback mode (CFB) and Galois Counter Mode (GCM). The GCM mode encrypts data faster and increases transfer speeds compared to the CFB mode, but the server must support and permit it. Note: To ensure client compatibility when requiring encryption, use a cipher with the form `aes-XXX`, which is supported by all clients and servers. Requiring GCM causes the server to reject transfers from clients that are running a version of ascp 3.8 or older, unless `<strict_allowed_cipher>` is set to `false`. When a client requests a shorter cipher key than is configured on the server or in an access key that authorizes the transfer, the transfer is automatically upgraded to the server setting. For more information about how the server and client negotiate the transfer cipher, see the description of `-c` in Ascp command reference and Ascp4 command reference. Values: `any` - allow transfers that use any encryption cipher or none. none - require unencrypted transfers. For security, avoid using this value. aes-128, `aes-192`, or `aes-256` - allow transfers that use an encryption cipher key that is as long or longer than the setting. These settings use the CFB or GCM mode that depends on the client version and cipher requested. Supports all client versions. aes-128-cfb, `aes-192-cfb`, or `aes-256-cfb` - require that transfers use the CFB encryption mode and a cipher key that is as long or longer than the setting. Supports all client versions. aes-128-gcm, `aes-192-gcm`, or `aes-256-gcm` - require that transfers use the GCM encryption mode and a cipher that is as long or longer than the setting.	`any`, `none`, `aes-128`, `aes-192`, `aes-256`, `aes-128-cfb`, `aes-192-cfb`, `aes-256-cfb`, `aes-128-gcm`, `aes-192-gcm`, or `aes-256-gcm`	`any`
Allow transfer when client lacks GCM	By default, when a server is configured for a GCM mode cipher, for example aes-256-gcm, and the client is running a version of ascp 3.8 or older, the transfer fails. However, setting `<strict_allowed_cipher>` to `false` permits transfers under these conditions.	`true` or `false`	`false`