Configuring for Shares

The steps below show how to set up as a transfer server for IBM Aspera Shares. The procedure assumes you have already set up your Shares application. For general information on setting up a transfer server (using the Node API), see Managing the Node API.

  1. Install Enterprise/Connect Server.

    Follow the instructions in Standard Installation to install either locally (on the same host as Shares) or remotely.

    The steps below must be performed with administrator permissions.

  2. Create a Node API username/password.
    Aspera's Web applications authenticate to the remote node service using a Node API username and password. The following command creates a Node API user/password and associates it with a file transfer user, aspera_user_1, which you will create in the next step. The Node API credentials can then be used to create nodes. Different nodes may use different Node API username/password pairs.
    > asnodeadmin -a -u node_api_username -p node_api_passwd -x aspera_user_1

    Adding, modifying, or deleting a node user triggers automatic reloading of the configuration and license files, as well as the user database.

  3. Create the file transfer user.
    The file transfer user authenticates the actual ascp transfer, and must be an operating system account on the node. Create a transfer user—for example, aspera_user_1—on your operating system (Control Panel > User Accounts). (Creating a user account requires administrator permissions.)
    Note: After creating a Windows user account, log in as that user at least once in order for Windows to set up the user's home folder—for example, C:\Users\aspera_user_1. Once the user's home folder has been created, log back in as an administrator and continue the steps below.

    After you've created the operating system account, set up this user in Point-to-Point. For instructions on setting up a user, see Setting Up Users.

    Note: The file transfer user requires a docroot. After setting a user's docroot, be sure to perform a reload, as described in aspera.conf for Nodes.
  4. Copy the public key to the transfer user’s SSH file.

    For example, if the file transfer user is aspera_user_1, the standard location for the public key is in the user's home folder, as follows:

    C:\Users\aspera_user_1\.ssh\authorized_keys
    
    

    The Aspera-provided key file is located in:

    C:\Program Files [(x86)]\Aspera\Enterprise Server\var\aspera_tokenauth_id_rsa.pub
    
    

    Open a command prompt window and run the following commands to create the user's public key folder:

    > cd user_home_folder
    > md .ssh

    Use a text editor to create the following file (with no file extension), if the file does not already exist:

    user_home_folder\.ssh\authorized_keys

    Copy the contents of aspera_tokenauth_id_rsa.pub to the authorized_keys file. Update the folder permissions in Windows Explorer by right-clicking the .ssh folder, selecting Properties, and then selecting the Security tab. Here, you can set permissions to read, write, and execute (full control).



  5. (Optional) Change HTTPS port and/or SSL certificate.
    The Aspera Node API provides an HTTPS interface for encrypted communication between node machines (on port 9092, by default). To modify the HTTPS port, see aspera.conf for Nodes. For information on maintaining and generating a new SSL certificate, see Setting up SSL for your Nodes.
  6. Modify aspera.conf.
    Make the following changes in the aspera.conf file, located in C:\Program Files (x86)\Aspera\Enterprise Server\etc:
    • In the <central_server> section, confirm that <persistent_store> is set to enable (the default value).
    • In the <server_name> field, ensure that server_ip_or_name has been replaced with the name or IP address of your server.
    • Ensure there is an <http_server> section and that <enable_http> and <enable_https> are set to 1 (enabled).
    <central_server>
        <persistent_store>enable</persistent_store>
    </central_server>
    <server>
        <server_name>server_ip_or_name</server_name>
    </server>
    <http_server>
      <http_port>8080</http_port>
      <enable_http>1</enable_http>
      <https_port>8443</https_port>
      <enable_https>1</enable_https>
    </http_server>
    

    Whenever you change these settings, you must restart asperacentral and asperanoded.

    To restart these services, click Control Panel > Administrative Tools > Services, right-click Aspera Central and Aspera NodeD, and click Restart.

  7. In aspera.conf, enable token authorization for transfer users.
    If you haven't done so already, set up the transfer user with an SSH public key as described in Setting Up Token Authorization.
    To enable token authorization for the transfer user (aspera_user_1 in the example below), add an authorization section that includes:
    • a <transfer> section specifying that both incoming and outgoing transfers (in and out) should use token encryption
    • a <token> section with an encryption key, which is a string of random characters (at least 20 characters recommended).
    <user>
        <name>aspera_user_1</name>
        <authorization>
            <transfer>
                <in>
                    <value>token</value>
                </in>
                <out>
                    <value>token</value>
                </out>
            </transfer>
            <token>
                <encryption_key>gj5o930t78m34ejme9dx</encryption_key>
            </token>
        </authorization>
        <file_system>
            ...
            ...
        </file_system>
    </user>

    Alternatively, you can configure token-authorization settings in a <group> section to be applied to all users in the group. Or, you can configure the settings in the <default> section to apply them globally for all users.

    For additional details on configuring token authorization, see Setting Up Token Authorization.

  8. Ensure that the firewall is set up correctly on your transfer server.
    For details, see Configuring the Firewall.
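
The aspera.conf settings from steps 6 and 7 can be checked after editing with a short PowerShell audit; the following is an added example, not Aspera's own tooling. Test-AsperaSharesConf, New-TokenEncryptionKey, Get-NodeText and the sample configuration (including its root element) are constructed for illustration. The audit reads only the named <user> section, not <group> or <default> settings, and it flags the sample key printed in step 7 because a published value is neither random nor secret.

```powershell
# Added example: function names and the sample config are constructed, not Aspera's.
function Get-NodeText([System.Xml.XmlNode]$Node, [string]$XPath) {   # '' when absent
    $n = $Node.SelectSingleNode($XPath); if ($null -ne $n) { $n.InnerText.Trim() } else { '' }
}
function Test-AsperaSharesConf([xml]$Conf, [string]$TransferUser) {
    $findings = @()
    # Step 6: persistent store, server name, HTTP and HTTPS listeners.
    $store = Get-NodeText $Conf '//central_server/persistent_store'
    if ($store -ne 'enable') { $findings += 'persistent_store is not "enable"' }
    $name = Get-NodeText $Conf '//server/server_name'
    if (-not $name -or $name -eq 'server_ip_or_name') { $findings += 'server_name not set' }
    foreach ($flag in 'enable_http', 'enable_https') {
        if ((Get-NodeText $Conf "//http_server/$flag") -ne '1') { $findings += "$flag is not 1" }
    }
    # Step 7: token authorization in both directions, plus a usable key.
    $user = $Conf.SelectNodes('//user') |
        Where-Object { (Get-NodeText $_ 'name') -eq $TransferUser } | Select-Object -First 1
    if ($null -eq $user) { return $findings + "no <user> section for $TransferUser" }
    foreach ($dir in 'in', 'out') {
        $path = "authorization/transfer/$dir/value"
        if ((Get-NodeText $user $path) -ne 'token') { $findings += "transfer/$dir is not token" }
    }
    $key = Get-NodeText $user 'authorization/token/encryption_key'
    if ($key.Length -lt 20) { $findings += 'encryption_key is under 20 characters' }
    elseif ($key -eq 'gj5o930t78m34ejme9dx') { $findings += 'encryption_key is the documentation sample' }
    $findings
}
function New-TokenEncryptionKey([int]$Length = 32) {
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte = New-Object byte[] 1; $key = ''
    while ($key.Length -lt $Length) {
        $rng.GetBytes($byte)
        # Rejection sampling: 252 = 7 * 36, so accepted bytes map evenly onto the alphabet.
        if ($byte[0] -lt 252) { $key += $alphabet[$byte[0] % 36] }
    }
    $rng.Dispose(); $key
}
# Constructed sample: the page's fragments under one root element, with <out> left out.
[xml]$sample = @'
<CONF><central_server><persistent_store>enable</persistent_store></central_server>
  <server><server_name>server_ip_or_name</server_name></server>
  <http_server><enable_http>1</enable_http><enable_https>1</enable_https></http_server>
  <user><name>aspera_user_1</name><authorization>
    <transfer><in><value>token</value></in></transfer>
    <token><encryption_key>gj5o930t78m34ejme9dx</encryption_key></token>
  </authorization></user></CONF>
'@
Test-AsperaSharesConf $sample 'aspera_user_1'   # audit the sample for steps 6 and 7
New-TokenEncryptionKey                          # candidate value for <encryption_key>
```

To audit the live file, load it with [xml](Get-Content -Raw <path to aspera.conf>) and pass the result as the first argument. As the page notes, restart asperacentral and asperanoded after changing the step 6 settings.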