Setting up transfer users

HSTS uses system accounts to authenticate connections from Aspera clients. The system users must be added and configured as Aspera transfer users before clients can browse the server file system or run FASP transfers to and from the server. When creating transfer users, you can also specify user specific settings, such as transfer bandwidth, docroot, and file handling. User configuration is an important part of securing your server.

About this task

Important configuration notes:

  • Some Aspera features require a docroot in URI format or require a file restriction instead of a docroot. For more information, see Docroot versus file restriction.
  • If users connect to the server by providing IBM Aspera Shares credentials or by providing Node API credentials that are associated with the transfer user, changes to a user's configuration, such as their docroot, are not applied to the user until the Aspera Node Service is restarted. For instructions, see Restarting Aspera services.

To configure a system user account as an Aspera transfer user:

Procedure

  1. Create the default global transfer settings.
    To set default values to prohibit transfers in and out, set the encryption key, and set the default docroot for all users, run the following commands (if not already set):
    > asconfigurator -x "set_node_data;authorization_transfer_in_value,deny"
    > asconfigurator -x "set_node_data;authorization_transfer_out_value,deny"
    > asconfigurator -x "set_node_data;token_encryption_key,token_key"
    > asconfigurator -x "set_node_data;absolute,docroot"

    For server security, apply the following settings:

    • Deny transfers by default, then enable transfers for individual users as required.
    • Set the token encryption key to a string of at least 20 random characters.
    • Set a default docroot to an empty folder or a part of the file system specific to each user.
    If the docroot of each user follows a pattern, for example, C:\sandbox\username, you can use a substitutional string. This assigns an independent docroot to each user without setting a docroot for each user individually.

    Substitutional string   Definition                      Example
    $(name)                 System user's name              C:\sandbox\$(name)
    $(DOMAIN)               Domain user's domain name       C:\sandbox\$(DOMAIN)\$(name)
    $(home)                 System user's home directory    $(home)\Documents
  2. For server security, restrict the users' read, write, and browse permissions.
    Users are given read, write, and browse permissions to their docroot by default. For increased security, change the global default to deny these permissions:
    > asconfigurator -x "set_node_data;read_allowed,false;write_allowed,false;dir_allowed,false"

    Run the following commands to enable permissions per user, as required:

    > asconfigurator -x "set_user_data;user_name,username;read_allowed,true"
    > asconfigurator -x "set_user_data;user_name,username;write_allowed,true"
    > asconfigurator -x "set_user_data;user_name,username;dir_allowed,true"
  3. If you provided an Aspera license during installation, rather than an entitlement, ensure that the transfer user has read permission on the Aspera license file (aspera-license) so that they can run transfers.
    The license file is found in: C:\Program Files\Aspera\Enterprise Server\etc
  4. Restrict user permissions with aspshell.
    By default, all system users can establish a FASP® connection and are only restricted by file permissions. Restrict the user's file operations by assigning them to use aspshell, which allows only the following operations:
    • Running Aspera uploads and downloads to or from this computer.
    • Establishing connections in the application.
    • Browsing, listing, creating, renaming, or deleting contents.

    These instructions explain one way to change a user account or Active Directory user account so that it uses the aspshell; there might be other ways to do so on your system.

    In Windows-based operating systems, setting the default shell is less flexible than in UNIX-based operating systems. As a result, when you configure the shell for all OpenSSH-based user connections, all users use the same shell, in this case aspshell.

    To restrict an OpenSSH key to use only Aspera-based transfer programs, apply a workaround for Windows. Add the following command directive at the beginning of the user public key in the authorized_keys file to enforce the restriction:
    command="/path/to/aspshell -t"
    Replace /path/to/aspshell with the correct path to your HSTS aspshell executable file.
    Note: If you have a machine that is fully dedicated to Aspera transfer tasks and want to restrict all SSH connections, run the following command in Windows PowerShell. Modify it as necessary for your install path:
    New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Program Files\Aspera\Enterprise Server\bin\aspshell.exe" -PropertyType String -Force
  5. Configure user-specific transfer settings.
    Besides the default global transfer settings, you can create user-specific and group-specific transfer settings. The user-specific settings have the highest priority, overriding both group and global settings. For more information, see Configuration precedence.

    To set user-specific values to authorize transfers in and out, docroot, and target rate, run the following commands:

    > asconfigurator -x "set_user_data;user_name,username;authorization_transfer_in_value,allow"
    > asconfigurator -x "set_user_data;user_name,username;authorization_transfer_out_value,allow"
    > asconfigurator -x "set_user_data;user_name,username;absolute,docroot"
    > asconfigurator -x "set_user_data;user_name,username;transfer_in_bandwidth_flow_target_rate_default,rate"
    > asconfigurator -x "set_user_data;user_name,username;transfer_out_bandwidth_flow_target_rate_default,rate"

    For more information about other user settings, see aspera.conf - Authorization configuration, aspera.conf - Transfer configuration, and aspera.conf - File system configuration.

  6. Verify the configuration.
    If you modified aspera.conf by editing the text directly, use the following command to verify that the XML is well formed and the values are valid:
    > asuserdata -v
  7. Restart the Aspera Node Service and IBM Aspera Central to activate your changes.

    Open Search from the taskbar and type Services, click IBM Aspera NodeD, and click Restart.

    Restart IBM Aspera Central from the Computer Management window. Open Search from the taskbar and type Services, click IBM Aspera Central, and click Restart.
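Step 4 above adds the command="/path/to/aspshell -t" directive to each public key in authorized_keys. The following Python helper is an added example, not part of HSTS or of the original page: it applies that directive to every key line of a file, keeps any existing options (such as no-pty or from=), leaves keys that already carry the directive unchanged, and reports keys that carry a different forced command so they can be reviewed instead of being silently overwritten. /path/to/aspshell is the page's own placeholder, and KEY_TYPES is an assumed list of common OpenSSH key types.

```python
import re

# Key types as written in authorized_keys; a line starting with one has no options field.
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def split_options(line):
    """Split a key line into (options, rest); options is '' when absent.
    The options field ends at the first whitespace outside double quotes,
    so an option such as command="/bin/ls -l" stays intact."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and not (i and line[i - 1] == "\\"):
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            return line[:i], line[i:].strip()
    raise ValueError("no key material after options: %r" % line)


def restrict_line(line, aspshell_path):
    """Return (rewritten_line, needs_review) for one authorized_keys line."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return stripped, False  # blank lines and comments pass through
    directive = 'command="%s -t"' % aspshell_path
    options, rest = split_options(stripped)
    if not options:
        return "%s %s" % (directive, rest), False
    if re.search(r'(^|,)command=', options, re.IGNORECASE):
        # Already forced to a command: ours (idempotent) or another one (flag for review).
        return stripped, directive not in options
    return "%s,%s %s" % (directive, options, rest), False


def restrict_authorized_keys(text, aspshell_path):
    """Rewrite a whole authorized_keys file; returns (new_text, lines_to_review)."""
    out, review = [], []
    for line in text.splitlines():
        new, flag = restrict_line(line, aspshell_path)
        out.append(new)
        if flag:
            review.append(new)
    return "\n".join(out) + "\n", review


# Constructed sample line (not real key material) showing the rewrite:
print(restrict_authorized_keys("no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKey alice@laptop\n", "/path/to/aspshell")[0])
```

Run the helper on a copy of the file first, then replace the original only after checking the lines it reports for review.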