Create the transfer user for your tethered node

To use an HSTS Server as a tethered node with Aspera on Cloud, your HSTS server requires a specially configured system user for SSH authentication when starting transfers. This system user must be named xfer. Use this procedure to configure the system user name, file restriction, public key, API credentials, and other required settings.

This is step 6 in tethering a node

Before you begin step 6, be sure you have completed step 5: Configure Nginx reverse proxy and server certificates.


Procedure

Note: You can connect your HSTS node to storage in the public cloud; to do so, your HSTS must be in the same region as the cloud storage you want to access through the HSTS node.
  1. Create a system user account named xfer.

    The user account name must be xfer for use with AoC; no other name works. Do not set a password for xfer unless the system requires one; if it does, use a long, randomly generated password. Transfers authenticate with the SSH key and Node API credentials configured in the following steps, not with this password.

  2. Restrict the xfer user's access to the file system or object storage. With the correct file restriction, your tethered node can connect with storage in the public cloud, in a private cloud, on premises, or on local disk.

    Use the following syntax:

    /opt/aspera/bin/asconfigurator -x "set_user_data;user_name,xfer;file_restriction,|path"

    The pipe character delimits restriction entries: the value starts with a pipe, and you can list several entries separated by pipes. Do not put whitespace between the comma and the pipe; the value is stored as typed.

    The restriction path syntax depends on the storage:

    • Local, Unix-like OS:
      • Specific folder: file:////folder/*
      • Drive root: file:////*
    • Local, Windows OS:
      • Specific folder: file:///c%3A/folder/*
      • Drive root: file:///c*
    • Alibaba Cloud: oss://*
    • Amazon S3: s3://*
    • Azure storage: azu://*
    • Azure Data Lake: adl://*
    • Azure Files storage: azure-files://*
    • Google Cloud storage: gs://*
    • HDFS: hdfs://*
    • IBM Cloud Object Storage - S3: s3://*
    • Multiple storage locations in the region, on the local disk, or in a UNC path: *

    For example, to limit the xfer user's access to its home directory:

    # /opt/aspera/bin/asconfigurator -x "set_user_data;user_name,xfer;file_restriction,|file:////home/xfer/*"

    As another example, this command sets a file restriction in S3 storage:

    # /opt/aspera/bin/asconfigurator -x "set_user_data;user_name,xfer;file_restriction,|s3://*"

    As a third example, the following command sets a file restriction that allows multiple storage locations in the region, on the local disk, or in a UNC path. With this configuration you can add multiple nodes to Aspera on Cloud based on this tethered HSTS node, with each node secured by a unique access key. Because * is the broadest restriction, rely on those per-node access keys and on file-system permissions to confine each node.

    # /opt/aspera/bin/asconfigurator -x "set_user_data;user_name,xfer;file_restriction,|*"

    With this file restriction you could, for example, point to multiple locations such as the following (Linux example):

    /mnt/nfs/mount/path
    /home/xfer/transferfolder
  3. Make sure that the xfer user has browse, read, write, and execute privileges on the local directories or mount points that must be accessed for transfers.

    For example, the xfer user's home directory. Do not grant xfer more than transfers need: within the file restriction set in step 2, file-system permissions are the only control on what a transfer can touch.

  4. If the storage is AWS S3, the node also needs access to the bucket. See Create an AWS S3 IAM role and policy for a procedure.

  5. Restrict the xfer user's operations on the server with aspshell.

    Aspera strongly recommends this restriction. By default, system users can establish a FASP connection and are only restricted by file permissions. The aspshell permits only the following operations:

    • Running Aspera uploads and downloads to or from this computer.
    • Establishing connections in the application.
    • Browsing, listing, creating, renaming, or deleting contents.

    In addition, the aspshell does not allow interactive login.

    Do the following:

    # usermod -s /bin/aspshell xfer

    Then confirm that the xfer user's account has been updated for aspshell:

    # grep xfer /etc/passwd
    xfer:x:1002:1002:xfer user,,,:/home/xfer:/bin/aspshell
  6. Add the Aspera public key to the xfer transfer user's SSH authorized_keys file.

    Set the Aspera public SSH key as an authorized key for the xfer transfer user, and ensure that the user owns the file.

    # mkdir /home/xfer/.ssh
    # cp /opt/aspera/var/aspera_tokenauth_id_rsa.pub /home/xfer/.ssh/authorized_keys
    # chmod 700 /home/xfer/.ssh
    # chmod 600 /home/xfer/.ssh/authorized_keys
    # chown -R xfer:xfer /home/xfer/.ssh
  7. Create Node API user credentials for the xfer transfer user.

    Aspera on Cloud uses these Node API credentials to authenticate to the node's Node API; transfers started through them run as the associated system user, xfer. Choose a strong node_password. It is passed on the command line, so it appears in your shell history and in the process list while the command runs; remove the history entry afterward.

    Use the following syntax:

    /opt/aspera/bin/asnodeadmin -a -u node_username -p node_password -x xfer

    For example:

    # /opt/aspera/bin/asnodeadmin -a -u nu-001 -p 2seKret4u -x xfer
  8. Confirm that the Node API credentials were created successfully.

    Use the following command:

    # /opt/aspera/bin/asnodeadmin -l

    Based on the preceding credentials-creation example, the output looks like this:

    List of node user(s):
                    user       system/transfer user                    acls
    ====================    =======================    ====================
                  nu-001                     xfer    []
  9. Configure the xfer transfer user for token authorization.

    Token-based authorization is used for transfers. It can be set independently for incoming transfers and outgoing transfers. There are two methods available.

    • Aspera recommends using askmscli, supported in IBM Aspera HSTS 3.9.6.2 and later, because it keeps the key out of aspera.conf. For details and procedures, see "Token Encryption Key" in this document: Security Enhancements for HSTS 3.9.6.2.
    • You can also configure token authorization in aspera.conf. See the following example.

    This example shows the aspera.conf method: it requires token authorization for both uploads and downloads and sets the token encryption key (passphrase), which is used to encrypt the authorization token, to a random string. Aspera recommends that you set token_encryption_key to a value of at least 20 random characters. Do not use the string shown in this example; generate your own.

    # /opt/aspera/bin/asconfigurator -x "set_user_data;user_name,xfer;authorization_transfer_in_value,token;authorization_transfer_out_value,token;token_encryption_key,gj5o930t78m34ejme9dx"
  10. Restart asperanoded to activate your changes.
    # systemctl restart asperanoded
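The following script is an added example, not part of the Aspera documentation or tooling. It wraps steps 1 through 10 in functions and validates each value before it is applied: the file restriction is built from storage URIs and rejected if it contains whitespace or a bare path, the token encryption key is generated from /dev/urandom rather than typed in, and the aspshell and authorized_keys settings are checked after the fact. It assumes HSTS is installed under /opt/aspera (override with ASPERA_BIN), that it runs as root on the HSTS host, and that the node username, password, and storage paths are supplied by the caller; nu-001 in the usage comment is a placeholder.

```shell
#!/usr/bin/env bash
# Added example (not Aspera's own tooling). Assumes HSTS under /opt/aspera,
# root privileges on the HSTS host, and caller-supplied credentials and paths.
set -eu

ASPERA_BIN=${ASPERA_BIN:-/opt/aspera/bin}

# Step 2: build the pipe-delimited file_restriction value from storage URIs
# or the wildcard "*". Whitespace is rejected because it would be stored as
# part of the restriction; a bare path is rejected because HSTS expects a
# scheme such as file:///, s3://, azu://.
build_file_restriction() {
  local value="" entry
  [ $# -gt 0 ] || { echo "no file_restriction entries given" >&2; return 1; }
  for entry in "$@"; do
    case "$entry" in
      *[[:space:]]*) echo "whitespace in entry: '$entry'" >&2; return 1 ;;
      '*'|*"://"*) ;;
      *) echo "not a storage URI or '*': '$entry'" >&2; return 1 ;;
    esac
    value="${value}|${entry}"
  done
  printf '%s' "$value"
}

# Step 9: generate a token_encryption_key of at least 20 random alphanumeric
# characters so the key is never copied from documentation.
gen_token_key() {
  local len=${1:-32} raw
  [ "$len" -ge 20 ] || { echo "token key must be at least 20 characters" >&2; return 1; }
  raw=$(head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')
  [ "${#raw}" -ge "$len" ] || return 1
  printf '%s' "$raw" | cut -c1-"$len"
}

# Step 5 check: the login shell field of an /etc/passwd line must be aspshell.
check_aspshell() {
  [ "${1##*:}" = "/bin/aspshell" ]
}

# Step 6 check: .ssh must be mode 700 and authorized_keys mode 600.
check_ssh_perms() {
  local dir=$1
  [ -n "$(find "$dir" -prune -perm 0700 -print 2>/dev/null)" ] &&
    [ -n "$(find "$dir/authorized_keys" -prune -perm 0600 -print 2>/dev/null)" ]
}

# Apply the procedure. Not invoked unless called with --apply, for example:
#   ./xfer-setup.sh --apply nu-001 'node-password' 'file:////home/xfer/*' 's3://*'
configure_xfer_user() {
  local node_user=$1 node_password=$2 restriction token_key
  shift 2
  restriction=$(build_file_restriction "$@")
  token_key=$(gen_token_key 32)

  id xfer >/dev/null 2>&1 || useradd -m -s /bin/aspshell xfer   # steps 1 and 5; no password set
  usermod -s /bin/aspshell xfer                                   # step 5 for a pre-existing account
  "$ASPERA_BIN/asconfigurator" -x "set_user_data;user_name,xfer;file_restriction,${restriction}"   # step 2
  install -d -m 700 -o xfer -g xfer /home/xfer/.ssh              # step 6
  install -m 600 -o xfer -g xfer /opt/aspera/var/aspera_tokenauth_id_rsa.pub /home/xfer/.ssh/authorized_keys
  "$ASPERA_BIN/asnodeadmin" -a -u "$node_user" -p "$node_password" -x xfer   # step 7
  "$ASPERA_BIN/asconfigurator" -x "set_user_data;user_name,xfer;authorization_transfer_in_value,token;authorization_transfer_out_value,token;token_encryption_key,${token_key}"   # step 9
  systemctl restart asperanoded                                   # step 10
  check_aspshell "$(grep '^xfer:' /etc/passwd)" && check_ssh_perms /home/xfer/.ssh
  "$ASPERA_BIN/asnodeadmin" -l                                    # step 8
}

if [ "${1:-}" = "--apply" ]; then
  shift
  configure_xfer_user "$@"
fi
```

The script does not cover steps 3 and 4: directory permissions on mount points and S3 bucket access depend on your storage layout and are set separately. The node password is still passed on the asnodeadmin command line, so prefer to run the script from a file rather than pasting it into an interactive shell that records history.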

Next step in tethering a node

You've completed the configuration of the xfer transfer user required for your tethered node. For step 7 in tethering the HSTS node to your AoC organization, go to Configure the HA Redis backend for a tethered node cluster.