Configuring for Shares

The steps below show how to set up IBM Aspera Enterprise Server as a transfer server for IBM Aspera Shares. The procedure assumes you have already set up your Shares application. For general information on setting up a transfer server (using the Node API), see Managing the Node API.

  1. Install Enterprise/Connect Server.

    Follow the instructions in Standard Installation to install Enterprise Server either locally (on the same host as Shares) or remotely.

    The steps below must be performed as root.

  2. Create a Node API username.

    Aspera's Web applications authenticate to the remote node service using a Node API username and password. The following command creates a Node API user/password and associates it with a file transfer user, aspera_user_1, which you will create in the next step. The Node API credentials can then be used to create nodes. Note that different nodes may use different Node API username/password pairs.

    # /opt/aspera/bin/asnodeadmin -a -u node_api_username -p node_api_passwd -x aspera_user_1
  3. Create a file transfer user.

    The file transfer user authenticates the actual ascp transfer, and must be an operating system account on the node. To create a transfer user—for example, aspera_user_1—run the following command:

    # useradd aspera_user_1

    After you've created the operating system account, set up this user in Enterprise Server. For instructions on setting up a user, see Setting Up Users.

    Note: The file transfer user requires a docroot. After setting a user's docroot, be sure to perform a reload, as described in aspera.conf for Nodes.
  4. Copy the public key to the transfer user’s SSH file.

    For example, if the file transfer user is aspera_user_1, the standard location for the public key is in the user's home directory, as follows: C:\Users\aspera_user_1\.ssh\authorized_keys

    /home/aspera_user_1/.ssh/authorized_keys

    The Aspera-provided key file is located in:

    /opt/aspera/var/aspera_id_dsa.pub

    On the command line, run the following to create the user's public key folder (if it does not already exist):

    # mkdir /home/aspera_user_1/.ssh

    Run the following commands to create the keyfile authorized_keys (if it does not already exist), and append the key text to it. Update the directory permissions and ownership if necessary.

    # cat /opt/aspera/var/aspera_id_dsa.pub >> /home/aspera_user_1/.ssh/authorized_keys

    Run the following commands to change the key directory and keyfile's ownership to user aspera_user_1, to allow access by the aspera_user_1 group, and to set permission bits:

    # chown -R aspera_user_1:aspera_user_1 /home/aspera_user_1/.ssh/authorized_keys
    # chmod 600 /home/aspera_user_1/.ssh/authorized_keys
    # chmod 700 /home/aspera_user_1
    # chmod 700 /home/aspera_user_1/.ssh 
  5. (Optional) Change HTTPS port and/or SSL certificate.

    The Aspera Node API provides an HTTPS interface for encrypted communication between node machines (on port 9092, by default). To modify the HTTPS port, see aspera.conf for Nodes. For information on maintaining and generating a new SSL certificate, see Setting up SSL for your Nodes.

  6. Modify aspera.conf

    Make the following changes in the aspera.conf file, located in /opt/aspera/etc:

    • In the <central_server> section, look for <persistent_store> and be sure that it is set to enable (the default value). This setting allows the retention of historical transfer data used by the stats collector.
    • In the <server> section, look for the <server_name> tag, and replace server_ip_or_name with the name or IP address of your server. If the <server> section does not exist, create it.
    • Ensure there is an <http_server> section and that <enable_http> and <enable_https> are set to "1" (enabled).
    <central_server>
        <persistent_store>enable</persistent_store>
    </central_server>
    <server>
        <server_name>server_ip_or_name</server_name>
    </server>
    <http_server>
      <http_port>8080</http_port>
      <enable_http>1</enable_http>
      <https_port>8443</https_port>
      <enable_https>1</enable_https>
    </http_server>
    

    Whenever you change these settings, you must restart asperacentral and asperanoded.

    # /etc/init.d/asperanoded restart
    # /etc/init.d/asperacentral restart
  7. In aspera.conf, enable token authorization for transfer users.

    If you haven't done so already, set up the transfer user with an SSH public key as described in Setting Up Token Authorization.

    In your aspera.conf file, add an authorization section for a transfer user as shown for the user aspera_user_1 in the example below. The authorization section should specify the following:

    • a <transfer> section specifying that both incoming and outgoing transfers (in and out) should use token encryption
    • a <token> section with an encryption key, which is a string of random characters (at least 20 characters recommended).
    <user>
        <name>aspera_user_1</name>
            <authorization>
                <transfer>
                    <in>
                        <value>token</value>
                    </in>
                    <out>
                        <value>token</value>
                    </out>
                </transfer>
                <token>
                    <encryption_key>gj5o930t78m34ejme9dx</encryption_key>
                </token>
            </authorization>
            <file_system>
                  ...
                  ...  
            </file_system>
    </user>

    Alternatively, you can configure token-authorization settings in a <group> section to be applied to all users in the group. Or, you can configure the settings in the <default> section to apply them globally for all users.

    For additional details on configuring token authorization, see Setting Up Token Authorization.

  8. Ensure that the firewall is set up correctly on your transfer server
    For details, see Configuring the Firewall.