Configuring Faspex with faspex.yml
This topic covers additional Faspex configuration options that can be applied in faspex.yml. These options include the following:
- Hidden Directory Service (DS) features
- Hidden password settings
- Hidden self-registered users settings
- Hidden metadata settings
- Hidden package upload settings
The following tables describe hidden options, along with their default values, that can be added to the production section. For example, to require newly created users to reset their passwords the first time they log in, add the line below to the production section of faspex.yml.

    production:
      ...
      ForcePasswordResetForNewUsers: true
      ...

Then restart Faspex:

    asctl faspex:restart

Directory Services
Option | Description | Default |
---|---|---|
DsUsernameAttribute | Specifies the DS attribute to use as the Faspex username. The chosen attribute should be unique. Note: This option should be set before importing any DS users and should not be changed afterwards. Examples: mail, samaccountname (Active Directory). | Depends on attributes returned by directory service |
DsSyncPeriod | Specifies how much time must pass since the last synchronization operation in order for a group or user to be judged in need of another. | 3600 (seconds) / 1 hour |
DsCheckPeriod | Specifies the check period for synchronization operations. It is during these checks that the DsSyncPeriod parameter is used to determine if synchronization is necessary. | 600 (seconds) / 10 minutes |
DsSyncActiveState | Determines whether synchronization is performed. Valid values: true, false. | true |
CanonicalizeLdapGroupMemberSearch | Causes Faspex to strip spaces out of DNs during comparisons that may prevent Faspex from properly identifying DS users. Should only be set to true if it is proven that your LDAP server is returning DNs with inconsistent spacing (for example, inserting or omitting spaces when user info is queried as part of an LDAP group vs. individually). Valid values: true, false. | false |
Password
Option | Description | Default |
---|---|---|
StrongPasswordRegex | A regular expression that can be used to customize strong password requirements. Changing this setting does not affect existing passwords, but any new password must match with this regular expression. Example: (?=.*[A-Z])(?=.*(\d|\W|_)).{7,} | (?=.*\d)(?=.*([a-z]|[A-Z]))(?=.*(\W|_)).{6,} |
StrongPasswordRequirements | A description of the strong password requirements. Should match the regular expression specified by StrongPasswordRegex. Example: “Must be at least seven characters long, with at least one capital letter and one number or symbol.” | “Must be at least six characters long, with at least one letter, one number, and one symbol.” |
ForcePasswordResetForNewUsers | Setting this option to true requires newly created users to reset their passwords the first time they log in. | false |
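
A pre-deployment check for the two password options above, as an added example that is not part of the Faspex documentation or product code: it runs the default and example StrongPasswordRegex values from the table against constructed passwords and lists any password where the regex verdict and the written StrongPasswordRequirements disagree. It assumes the pattern must match the whole password (anchored with \A and \z here); the helper names and sample passwords are constructed.

```ruby
# Added example (not Faspex code): test StrongPasswordRegex candidates against
# sample passwords before editing faspex.yml.
# Assumption: the pattern must match the whole password, so it is anchored with
# \A and \z here; the page does not state how Faspex applies it.

DEFAULT_REGEX = '(?=.*\d)(?=.*([a-z]|[A-Z]))(?=.*(\W|_)).{6,}' # default from the table
EXAMPLE_REGEX = '(?=.*[A-Z])(?=.*(\d|\W|_)).{7,}'              # example from the table

# True when the whole password satisfies the pattern.
def accepts?(pattern, password)
  Regexp.new("\\A(?:#{pattern})\\z").match?(password)
end

# Constructed samples: password => verdict implied by the written requirement
# "at least six characters long, with at least one letter, one number, and one symbol".
DEFAULT_SAMPLES = {
  'abc12!'   => true,   # letter, number, symbol, six characters
  'abcd_1'   => true,   # underscore is covered by (\W|_)
  'abc123'   => false,  # no symbol
  'Passw0rd' => false,  # no symbol
  'a1!'      => false,  # too short
  '12345!'   => false   # no letter
}.freeze

# "at least seven characters long, with at least one capital letter and one number or symbol"
EXAMPLE_SAMPLES = {
  'Abcdefg1' => true,
  'Abcdef!'  => true,
  'abcdefg1' => false,  # no capital letter
  'ABCDEFG'  => false,  # no number or symbol
  'Abcde1'   => false   # only six characters
}.freeze

# Passwords where the regex verdict differs from the documented requirement.
# An empty result means the regex and the description agree on these samples.
def mismatches(pattern, samples)
  samples.reject { |password, expected| accepts?(pattern, password) == expected }.keys
end

if __FILE__ == $PROGRAM_NAME
  { 'default' => [DEFAULT_REGEX, DEFAULT_SAMPLES],
    'example' => [EXAMPLE_REGEX, EXAMPLE_SAMPLES] }.each do |name, (pattern, samples)|
    bad = mismatches(pattern, samples)
    puts "#{name}: #{bad.empty? ? 'regex and description agree' : "mismatch on #{bad.inspect}"}"
  end
  # Edge case: \W also matches whitespace, so a space counts as the "symbol".
  puts "default accepts 'abc 12': #{accepts?(DEFAULT_REGEX, 'abc 12')}"
end
```

Running the example regex against the default description's samples shows what happens when StrongPasswordRegex is changed without updating StrongPasswordRequirements: the two no longer agree, and users are told one rule while another is enforced.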
Self-Registered and External Users
Option | Description | Default |
---|---|---|
EnforceSelfRegisteredUserEmailUniqueness | Prevents registering for an account using an email address that is already used by a full Faspex user (that is, not merely in use by an external email user record). Valid values: true, false. | false (not enforced) |
SelfRegistrationUsesEmailAsLogin | Forces self-registering users to choose a login name that is in the format of an email address. This makes entering an email address redundant, but it is still required. Valid values: true, false. | false (not enforced) |
RequireExternalRecipientsToRegister | When a package is sent to an external email address, the recipient is required to self-register with that email address as the account name in order to access the package. Valid values: true, false. Important: Self-registration must be enabled. Otherwise, the recipient is redirected to "Page not Found". For more information, see Configuring Security Settings. Tip: You have the option of requiring admin moderation for users creating new accounts with self-registration. For more information on self-registration settings, see Enabling Self-Registration. | false (not enforced) |
HideSenderUsernameToExternalRecipients | When external users download a package, the Connect logs and Connect manifests do not show the sender's username. | false |
Metadata
Option | Description | Default |
---|---|---|
SaveMetadataInPackage | Whenever this option is set to "true" and the Save metadata to file checkbox is enabled on the Metadata Profiles page, the Create New Dropbox page, or the Edit Dropbox page, the metadata file is included inside packages, instead of being deposited in a package's root directory. Set the SaveMetadataInPackage option in the "Production" section of the faspex.yml file. For more information, see Applying Metadata Profile to Normal Packages. | false |
ExcludeMetadataFromCookie | This setting excludes metadata from Faspex cookies and also relaxes the length requirements on metadata from 2,000 characters per profile to 30,000 characters. Note: When this option is enabled, IBM Aspera Console cannot report the metadata for Faspex transfers. | false |
Package Upload
Option | Description | Default |
---|---|---|
PackageUploadTimeout | The package upload timeout timer starts when a user sends a new package. Even if queued, if a package does not start within the package upload timeout, Faspex marks the package as "Upload never started" and sends a failure notification to the Upload CC list. Extend the duration to account for transfers that may stay queued longer than the default duration. | 60 |
Accepted Hosts
The AcceptedHosts configuration defines the list of hostnames through which users can access Faspex. If you try to log in to the web application from an unlisted hostname or perform a GET request with an unlisted hostname, Faspex returns the error "Invalid hostname". To access Faspex from an alternate hostname, whitelist the alternate hostnames by following the instructions in Configuring the Faspex Web Server.