Introduction to Aspera Authentication and Authorization

HST Server can be configured to support SSH or HTTPS authentication and authorization for browsing and transfers. For both methods, the client ascp process connects to the server by using the SSH protocol and initiates the server-side ascp process. Therefore, SSH connectivity and authentication to the server are always used, whichever method is configured.

SSH: SSH authentication is the original method for authentication, and is typically used for transfers between Aspera clients and servers. SSH authentication requires a system user account that is configured with a docroot or restriction in aspera.conf. The user can authenticate by providing a system password or SSH key.

HTTPS: HTTPS (Node API) authentication was introduced to support browsing and transfers that are initiated through Aspera web applications (IBM Aspera Faspex, IBM Aspera Shares, and IBM Aspera on Cloud), and uses a token-based authorization security layer in addition to SSH.

Authorization Tokens: When the server is configured for token authorization, the server-side ascp process requires a valid token from the client before it can start. It is the responsibility of the client to provide this token. The Aspera web applications do this automatically through HTTPS (Node API). The IBM Aspera Desktop Client GUI and IBM Aspera Command-Line Interface do this automatically when connecting to Aspera web applications.

Types of Tokens

Aspera uses three types of tokens: transfer tokens, basic tokens, and bearer tokens.

  • Transfer Tokens: A transfer token authorizes specific content uploads to a destination or content downloads from a remote source. Transfer-token-based authorization is generally used for FASP transfers initiated through Aspera web applications, such as IBM Aspera Faspex, IBM Aspera Shares, and IBM Aspera Application for Microsoft SharePoint, but can be used in place of SSH authentication for other types of Aspera products. For more information, see Transfer Token Creation (Node API) and Transfer Token Generation (astokengen).
  • Basic Tokens: An Aspera basic token is created from an access key ID and secret. It authorizes a transfer user to access a specific area of storage and authenticates that user to the storage. Basic tokens are less restrictive than transfer tokens. They can be used to transfer with any Aspera server that supports access keys (all but IBM Aspera on Cloud). For more information, see Basic Tokens.
  • Bearer Tokens: A bearer token is created from an access key ID, access key secret, and an SSL private-public key pair. Bearer token authentication is required for transfers to and from IBM Aspera on Cloud, but can be used for transfers with all other Aspera servers, too. For more information, see Bearer Tokens.
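The authorization gate described above (the server-side ascp process will not start without a valid token) and the narrow scope of a transfer token can be seen in a small model. The following is an added example, not IBM Aspera code and not Aspera's real token format: a transfer token is modelled as an HMAC-SHA256-signed JSON payload carrying a direction, a list of authorized paths and an expiry, and the server checks all three before allowing a transfer. The token key, the "send"/"receive" direction names, the path layout and the clock values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import posixpath
import time

# Constructed demo key. On a real server the token key is a secret held in
# server configuration; it is a literal here only so the example runs offline.
TOKEN_KEY = b"constructed-demo-key-not-a-real-secret"
_TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC appended to the payload


def mint_transfer_token(direction, paths, ttl_seconds, key=TOKEN_KEY, now=None):
    """Issue a token that authorizes one direction ("send" or "receive") over
    a fixed set of paths for a limited time. The JSON payload is authenticated
    with HMAC-SHA256 so the server can detect any change to its fields."""
    if direction not in ("send", "receive"):
        raise ValueError("direction must be 'send' or 'receive'")
    now = int(time.time()) if now is None else now
    payload = {"dir": direction, "paths": sorted(paths), "exp": now + ttl_seconds}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def _within(requested, allowed):
    """True if the normalised requested path is the allowed path or below it,
    so '..' segments cannot escape the scope the token was issued for."""
    req = posixpath.normpath("/" + requested.lstrip("/"))
    base = posixpath.normpath("/" + allowed.lstrip("/"))
    return req == base or req.startswith(base.rstrip("/") + "/")


def authorize_transfer(token, direction, path, key=TOKEN_KEY, now=None):
    """Server-side gate: return (allowed, reason). A transfer starts only when
    the token is intact, unexpired, and covers both the direction and the path."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # binascii.Error (bad padding/encoding) is a ValueError
        return False, "malformed token"
    if len(raw) <= _TAG_LEN:
        return False, "malformed token"
    body, tag = raw[:-_TAG_LEN], raw[-_TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, "bad signature"
    payload = json.loads(body)
    if now >= payload["exp"]:
        return False, "token expired"
    if payload["dir"] != direction:
        return False, "direction not authorized"
    if not any(_within(path, p) for p in payload["paths"]):
        return False, "path outside token scope"
    return True, "ok"


if __name__ == "__main__":
    issued_at = 1_000_000  # constructed clock value so the demo is repeatable
    token = mint_transfer_token("send", ["/inbox/project-a"], 600, now=issued_at)
    checks = [
        ("send", "/inbox/project-a/report.bin", issued_at + 100),      # in scope
        ("receive", "/inbox/project-a/report.bin", issued_at + 100),   # wrong direction
        ("send", "/inbox/project-a/../project-b/x", issued_at + 100),  # path escape attempt
        ("send", "/inbox/project-a/report.bin", issued_at + 700),      # after expiry
    ]
    for direction, path, now in checks:
        print(direction, path, authorize_transfer(token, direction, path, now=now))
```

The model covers only the transfer-token case. A basic token, as the page describes it, is scoped by the access key to an area of storage rather than to one direction and one path set, which is why the page calls it less restrictive; a bearer token adds verification against a public key, which this HMAC-only model does not attempt to show.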