Configuring the IBM Aspera NodeD service

The IBM® Aspera® NodeD Service handles HTTP/HTTPS requests to HSTS. You can configure server settings that include the hostname, HTTP/HTTPS ports, the address and port of the Redis database, and SSL certificates.

Configuration methods

The server can be configured for the Node API by using the asconfigurator command line tool or by editing the <server> section of aspera.conf:

  • Asconfigurator: Use the following syntax, substituting option with the option from the following table and value with the wanted value:
    # /opt/aspera/bin/asconfigurator -x "set_server_data;option,value"

    To view the current settings, run the following command:

    # /opt/aspera/bin/asuserdata -a
  • Aspera.conf: Open it in a text editor with administrative privileges from the following location:
    /opt/aspera/etc/aspera.conf

    After manually editing aspera.conf, validate your XML by running the following command:

    # /opt/aspera/bin/asuserdata -v

Node API configuration options

Important configuration considerations:

  • Certain services must be restarted for changes in the settings to take effect, as described in the To Activate Changes column. The commands to restart these services are given following the table.
  • In addition to the Aspera server configuration, if you plan to transfer many small files with the Node API, you might need to increase the number of file descriptors available on your system. If too few descriptors are available, the Redis database and the transfer fail. For instructions, see Node API transfers of many small files fails.
Each entry in the following table lists, in order:
asconfigurator option
aspera.conf setting
Description and Values
To Activate Changes
server_name
<server_name>
Hostname or IP address.

Default: hostname

Restart asperanoded.
http_port
<http_port>
HTTP service port. Value is an integer 1 - 65535, default 9091. This setting is overridden by <listen>. Restart asperanoded.
https_port
<https_port>
HTTPS service port. Value is an integer 1 - 65535, default 9092. This setting is overridden by <listen>. Restart asperanoded.
enable_http
<enable_http>
Enable HTTP for the Node API services by setting to true. Default: false. This setting is overridden by <listen>. Restart asperanoded.
enable_https
<enable_https>
Enable HTTPS for the Node API services by setting to true. Default: true. This setting is overridden by <listen>. Restart asperanoded.
workers
<workers>
Number of worker threads. Default: 20. Restart asperanoded.
transfers_multi_session_default
<transfers_multi_session_default>
Number of ascp workers per transfer. Default: 1. Restart asperanoded.
listen
<listen>
To bind asperanoded on a specific address (or addresses), specify a comma-delimited list of listening ports. Ports have the format [ip_address:]port[s]. To specify a secure port, add 's' to the end of the port number, for example 127.0.0.1:9092s.

The IP address is optional; however, if no IP address is specified then the port binds to all network interfaces on the server, rather than to the single address.

Setting this option overrides <http_port>, <https_port>, <enable_http>, and <enable_https>.

Restart asperanoded.
cert_file
<cert_file>
Full path name of the SSL certificate, which must be in .pem format.

Default: /opt/aspera/etc/aspera_server_cert.pem

Restart asperanoded.
max_response_time
<max_response_time>
Maximum amount of time to wait for a long-running operation. Default: 10. Reload node configuration.
db_dir
<db_dir>
Path to the directory where the database file is saved. Before changing this value, you must back up your database. See Backing up and restoring the node user database records.

Default:

Restart asperanoded and the Redis database.
db_port
<db_port>
Database service port. Value is an integer 1 - 65535, default: 31415. Before changing this value, you must back up your database. See Backing up and restoring the node user database records. Restart asperanoded and the Redis database.
ssl_ciphers
<ssl_ciphers>
The SSL encryption ciphers that the server allows, each separated by a colon (:). Default: all of the following values:
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-CCM8
ECDHE-ECDSA-AES256-CCM
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
DHE-RSA-AES256-CCM8
DHE-RSA-AES256-CCM
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA
ECDHE-ECDSA-AES128-CCM8
ECDHE-ECDSA-AES128-CCM
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
DHE-RSA-AES128-CCM8
DHE-RSA-AES128-CCM
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
AES256-GCM-SHA384
AES128-GCM-SHA256
AES256-CCM8
AES256-CCM
AES128-CCM8
AES128-CCM
AES256-SHA256
AES128-SHA256
AES256-SHA
AES128-SHA

Note that for every OpenSSH version update, the supported ciphers change. To check the supported ciphers, run:
/opt/aspera/bin/openssl ciphers
The command displays the list of supported ciphers that use secure encryption algorithms compatible with the SSL protocol (TLSv1.2, TLSv1.3).

This option might also be set in the <client> section, in which case, when this machine functions as a client, the specified ciphers are requests to the server. If any of the ciphers in the server's allowlist coincide with those in the client's request list, communication is allowed; otherwise, it is denied.

If you override this setting, the override is always used. If you do not override it, the default setting depends on the value of <ssl_protocol>.

If <ssl_protocol> is set to TLSv1.2, a wide range of cipher suites is available, including some that may be considered weaker if not configured properly. If the protocol is TLSv1.3, only a smaller set of stronger cipher suites is supported. Some older web browsers or clients might not be able to handle the stronger suites, potentially leading to compatibility issues.

Restart asperanoded.
ssl_protocol
<ssl_protocol>
The SSL protocol versions that the server allows. This option might also be set in the <client> section, in which case, when this machine is a client, the specified protocols function as requests to the server. If any of the protocols in the server's allowlist coincide with those in the client's request list, communication is allowed; otherwise, it is denied.

Supported values: tlsv1.2, tlsv1.3. Default: tlsv1.2.

Restart asperanoded.
activity_logging
<activity_logging>
If true, enable querying transfers by using GET /ops/transfers and retrieving usage data by using GET /usage. Default is false. Restart asperanoded.
activity_event_logging
<activity_event_logging>
If true, allow the Node API to query transfers that are associated with this access key through the /events endpoint. The server configuration can be overridden by the access key configuration. This option must be enabled for event reporting to IBM Aspera on Cloud. Default is false. Restart asperanoded.
files_recursive_counts_enabled
<files_recursive_counts_enabled>
If true, enable recursive counts. This option must be enabled for event reporting to IBM Aspera on Cloud. The server configuration can be overridden by the access key configuration. Default is false. Restart asperanoded.
aej_logging
<aej_logging>
If true, enable reporting to the IBM Aspera on Cloud Activity app. The server configuration can be overridden by the access key configuration. Default is false. Restart asperanoded.
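
The following audit sketch is an added example, not IBM code. It applies the rules from the listen and ssl_ciphers entries to a <server> section: it resolves the effective listeners (with <listen> overriding the port and enable settings) and flags plaintext listeners, all-interface binds, and suites without forward secrecy or AEAD. The function names, the <CONF> root element and the sample values are constructed for illustration, and ports configured without <listen> are assumed to bind all interfaces.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a shipped aspera.conf; the <CONF> root is assumed.
SAMPLE = """<CONF version="2"><server>
  <enable_http>true</enable_http>
  <listen>127.0.0.1:9092s,9091</listen>
  <ssl_ciphers>ECDHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA</ssl_ciphers>
</server></CONF>"""

def listeners(server):
    """Effective (address, port, tls) tuples for a <server> element."""
    get = lambda tag, default: (server.findtext(tag) or default).strip()
    out = []
    for item in filter(None, (i.strip() for i in get("listen", "").split(","))):
        addr, _, port = item.rpartition(":")      # format: [ip_address:]port[s]
        out.append((addr or "*", int(port.rstrip("s")), port.endswith("s")))
    if out:                # <listen> overrides the port/enable settings
        return out
    # Assumption: without <listen>, ports are treated as bound to all interfaces.
    for tag, on, port, tls in (("http", "false", "9091", False), ("https", "true", "9092", True)):
        if get(f"enable_{tag}", on) == "true":
            out.append(("*", int(get(f"{tag}_port", port)), tls))
    return out

def weak_ciphers(value):
    """Map each suite in a colon-separated ssl_ciphers value to its weaknesses."""
    weak = {}
    for name in filter(None, value.split(":")):
        if name.startswith("TLS_"):   # TLS 1.3 suites: AEAD, ephemeral key exchange
            continue
        issues = []
        if not name.startswith(("ECDHE-", "DHE-")):
            issues.append("static RSA key exchange, no forward secrecy")
        if "GCM" not in name and "CCM" not in name:
            issues.append("CBC mode, not AEAD")
        if issues:
            weak[name] = issues
    return weak

def audit(xml_text):
    server = next(ET.fromstring(xml_text).iter("server"))
    findings = []
    for addr, port, tls in listeners(server):
        if not tls:
            findings.append(f"plaintext HTTP listener on {addr}:{port}")
        if addr == "*":
            findings.append(f"port {port} binds all interfaces")
    for name, issues in weak_ciphers(server.findtext("ssl_ciphers") or "").items():
        findings.append(f"{name}: {'; '.join(issues)}")
    return findings
```

Calling audit(SAMPLE) reports the bare 9091 entry as a plaintext, all-interface listener even though the TLS port is pinned to 127.0.0.1, and it reports the two suites that lack forward secrecy or AEAD. An absent <ssl_ciphers> yields no cipher findings because the default list is not embedded in the script.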

Restarting the Redis service

Note: Running the commands requires root privileges.

  1. Run the following commands to restart the Aspera Redis service:
    systemctl restart asperaredisd
    For Linux® systems that use init.d:
    # service asperanoded restart