Shares Administrator Guide 1.0 -...

Shares Administrator Guide 1.0.2

Windows XP SP3, 2008, 2008 R2

Document Version: V1

2 Contents

Contents

Introduction........................................................................................................................................... 4

Installation............................................................................................................................................. 5

System Requirements..................................................................................................................... 5

Configuring the Firewall...................................................................................................................5

Securing your SSH Server.............................................................................................................. 7

Setting up Shares.......................................................................................................................... 13

Setting up Enterprise Server......................................................................................................... 21

Node and Shares Configuration........................................................................................................ 24

Node Configuration........................................................................................................................24

Share Configuration.......................................................................................................................29

Shares Accounts.................................................................................................................................34

Add your Directory Service (DS)................................................................................................... 34

Configuring DS within Shares........................................................................................................36

Configuring Local Groups..............................................................................................................54

Configuring Local Users................................................................................................................ 61

Using Shares....................................................................................................................................... 70

Overview of Nodes, Shares and Users......................................................................................... 70

Node Functions............................................................................................................................. 71

Share Functions............................................................................................................................ 73

Search Functionality...................................................................................................................... 75

Shares Administration........................................................................................................................77

Monitoring......................................................................................................................................77

Email..............................................................................................................................................78

Security..........................................................................................................................................80

Other Settings................................................................................................................................81

Appendix..............................................................................................................................................84

aspera.conf for Nodes................................................................................................................... 84

aspera.conf for S3......................................................................................................................... 86

Contents 3

Setting up SSL for your Node(s)....................................................................................................88

Backup Shares.............................................................................................................................. 92

Restore Shares..............................................................................................................................93

Uninstall Shares............................................................................................................................ 96

Technical Support...............................................................................................................................97

Feedback..............................................................................................................................................98

Legal Notice.........................................................................................................................................99

4 Introduction

IntroductionAn overview of Aspera Shares' features and benefits.

Overview

Welcome to Shares, Aspera’s multi-node web transfer application that empowers companies to share content in the

form of files and directories--of any size--within their organization or with external customers and partners. Simple and

intuitive, Aspera Shares can be deployed as either of the following:

• A single server solution that allows sharing content from a single content store and transfer node.

• A separate server that consolidates multiple content nodes into a single view, seamlessly managing user access

and file transfers across all of the nodes.

Aspera Shares is powered by Enterprise Server 3.0+, which features Aspera's Node API, a new daemon providing

REST-inspired file operations and a transfer management API.

Aspera Shares Features

• Users can easily navigate across files and folders to locate and initiate a high-speed file upload or download.

• A single view consolidates all underlying content stored across multiple content stores and nodes.

• Powerful search, filtering, and sorting capabilities makes it easy to find individual files or folders in a very large

content store.

• Secure authenticated access with support for users, groups, and directory services.

• Administrator role has complete control over access, including which nodes and directories are visible.

• Granular control over all end-user operations at the directory level.

• Real-time activity feed keeps track of end user actions and operations such as creating, deleting and renaming files

and directories, and all administration / management functions.

• Comprehensive system logging.

• Configurable thresholds for administrative alerts such as the % or amount of free space available.

Installation 5

InstallationInstalling Shares on your system(s).

System RequirementsSystem requirements for installing Shares.

The following requirements are applicable when installing the Shares application:

On the Shares server:

• Windows XP SP3, 2008, 2008 R2

• MySQL installer

• Shares installer and license file

The Shares application includes an Nginx web server listening on port 443. For best results, we recommend using a

machine that is not already running a web server for some other purpose. If an existing server is listening on port 443,

then either that server or the Nginx server must be configured to use a different port.

On your node machine(s):

• Enterprise Server 3.0+. Note that if Enterprise Server v2.x or older is already installed and running on your system,

then you must upgrade to Enterprise Server 3.0+ before setting up the node server. Please refer to our Website for

information on installing or upgrading.

• Valid Enterprise Server license file.

• Identify a directory that you plan to use for sharing data. Later on (in "Setting up Enterprise Server"), we will use this

directory as the absolute path for the transfer user.

On all machines (Shares and nodes):

• Verify that the machine's hosts file has an entry for "127.0.0.1 localhost" (C:\WINDOWS

\system32\drivers\etc\hosts).

• Check your firewall settings.

• Secure your SSH server.

Configuring the FirewallFirewall settings required by the product.

Your Aspera transfer product requires access through the ports listed in the table below. If you cannot establish the

connection, review your local corporate firewall settings and remove the port restrictions accordingly.

Product Firewall Configuration

Enterprise Server An Aspera server runs one SSH server on a configurable TCP port (33001 by default).

IMPORTANT NOTE: Aspera strongly recommends running the SSH server on a non-

default port to ensure that your server remains secure from SSH port scan attacks. Please

http://downloads.asperasoft.com/en/documentation/1

6 Installation


refer to the topic Securing your SSH Server on page 7 for detailed instructions on

changing your SSH port.

Your firewall should be configured as follows:

• Allow inbound connections for SSH, which is on TCP/33001 by default, or on another non-

default, configurable TCP port. If you have a legacy customer base utilizing TCP/22, then

you can allow inbound connections on both ports. Please refer to the topic Securing your

SSH Server on page 7 for details.

• Allow inbound connections for fasp transfers, which use UDP/33001 by default, although

the server may also choose to run fasp transfers on another port.

• If you have a local firewall on your server (like Windows Firewall), verify that it is not

blocking your SSH and fasp transfer ports (e.g. TCP/UDP 33001).

The firewall on the server side must allow the open TCP port to reach the Aspera server.

Note that no servers are listening on UDP ports. When a transfer is initiated by an Aspera

client, the client opens an SSH session to the SSH server on the designated TCP port and

negotiates the UDP port over which the data transfer will occur.

For Aspera servers that have multiple concurrent clients, the Windows operating system does

not allow Aspera's fasp protocol to reuse the same UDP port for multiple connections. Thus, if

you have multiple concurrent clients and your Aspera server runs on Windows, then you must

allow inbound connections on a range of UDP ports, where the range of ports is equal to the

maximum number of concurrent fasp transfers expected. These UDP ports should be opened

incrementally from the base port, which is UDP/33001, by default. For example, to allow 10

concurrent fasp transfers, allow inbound traffic from UDP/33001 to UDP/33010.

Client Typically, consumer and business firewalls allow direct outbound connections from client

computers on TCP and UDP. There is no configuration required for Aspera transfers in this

case. In the special case of firewalls disallowing direct outbound connections, typically using

proxy servers for Web browsing, the following configuration applies:

• Allow outbound connections from the Aspera client on the TCP port (TCP/33001, by

default, when connecting to a Windows server, or on another non-default port for other

server operating systems).

• Allow outbound connections from the Aspera client on the fasp UDP port (33001, by

default).

• If you have a local firewall on your server (like Windows Firewall), verify that it is not

blocking your SSH and fasp transfer ports (e.g. TCP/UDP 33001).

IMPORTANT NOTE: Multiple concurrent clients cannot connect to a Windows Aspera

server on the same UDP port. Similarly, multiple concurrent clients that are utilizing two

Installation 7


or more user accounts cannot connect to a Mac OS X or FreeBSD Aspera server on the

same UDP port. If connecting to these servers, you will need to allow a range of outbound

connections from the Aspera client (that have been opened incrementally on the server

side, starting at UDP/33001). For example, you may need to allow outbound connections

on UDP/33001 through UDP/33010 if 10 concurrent connections are allowed by the server.

IMPORTANT NOTE: If you have a local firewall on your server (Windows firewall, Linux iptables or Mac ipfw), then

you will need to allow the Vlink UDP port (55001, by default) for multicast traffic. For additional information on setting

up Vlinks, please refer to the topic Setting Up Virtual Links.

Securing your SSH ServerSecure your SSH server to prevent potential security risks.

Introduction

Keeping your data secure is critically important. Aspera strongly encourages you to take additional steps in setting

up and configuring your SSH server so that it is protected against common attacks. Most automated robots will try to

log into your SSH server on Port 22 as Administrator, with various brute force and dictionary combinations in order

to gain access to your data. Furthermore, automated robots can put enormous loads on your server as they perform

thousands of retries to break into your system. This topic addresses steps to take in securing your SSH server against

potential threats, including changing the default port for SSH connections from TCP/22 to TCP/33001.

Why Change to TCP/33001?

It is well known that SSH servers listen for incoming connections on TCP Port 22. As such, Port 22 is subject to

countless, unauthorized login attempts by hackers who are attempting to access unsecured servers. A highly effective

deterrent is to simply turn off Port 22 and run the service on a seemingly random port above 1024 (and up to 65535).

To standardize the port for use in Aspera transfers, we recommend using TCP/33001.

Please note that your Aspera transfer product ships with OpenSSH listening on both TCP/22 and TCP/33001. As such,

Aspera recommends only exposing TCP/33001 through your organization's firewall and disabling TCP/22.

IMPORTANT NOTE: You need Administrator access privileges to perform the steps below.

1. Locate and open your system's SSH configuration file

Open your SSH configuration file with a text editor. You will find this file in the following system location:

8 Installation

OS Version Path

32-bit Windows C:\Program Files\Aspera\Enterprise Server\etc\sshd_config

64-bit Windows C:\Program Files (x86)\Aspera\Enterprise Server\etc\sshd_config

2. Add new SSH port

IMPORTANT NOTE: Before changing the default port for SSH connections, please verify with your network

administrators that TCP/33001 is open.

The OpenSSH suite included in the installer uses TCP/22 and TCP/33001 as the default ports for SSH connections.

Aspera recommends disabling TCP/22 to prevent security breaches of your SSH server.

Once your client users have been notified of the port change (from TCP/22 to TCP/33001), you can disable

Port 22 in your sshd_config file. To disable TCP/22 and use only TCP/33001, comment-out Port 22 in your

sshd_config file.

...

#Port 22

Port 33001

...

IMPORTANT NOTE: Aspera recognizes that disabling the default SSH connection port (TCP/22) may affect your

client users. When you change the port, ensure that you advise your users on configuring the new port number.

Basic instructions for specifying the SSH port for fasp file transfers can be found below. To change the SSH port

for Aspera Client, click Connections on the main window, and select the entry for your computer. Under the

Connection tab, click Show Advanced Settings and enter the SSH port number in the SSH Port (TCP) field.

Installation 9

To make an impromptu connection to TCP/33001 during an ascp session, specify the SSH port (33001) with the -P

(capital P) flag. Please note that this command does not alter ascp or your SSH server's configuration.

> ascp -P 33001 ...

3. Disable non-admin SSH tunneling

IMPORTANT NOTE: The instructions below assume that OpenSSH 4.4 or newer is installed on your system.

For OpenSSH 4.4 and newer versions, the "Match" directive allows some configuration options to be selectively

overridden if specific criteria (based on user, group, hostname and/or address) are met. If you are running an

OpenSSH version older than 4.4, the "Match" directive will not be available and Aspera recommends updating to the

latest version.

In OpenSSH versions 4.4 and newer, disable SSH tunneling to avoid potential attacks; thereby only allowing

tunneling from Administrator group users. To disable non-admin SSH tunneling, add the following lines at the end of

the sshd_config file:

...

AllowTcpForwarding no

Match Group Administrators

10 Installation

AllowTcpForwarding yes

Depending on your sshd_config file, you may have additional instances of AllowTCPForwarding that are set

to the default Yes. Please review your sshd_config file for other instances and disable as appropriate.

4. Update authentication methods

Public key authentication can prevent brute force SSH attacks if all password-based authentication methods

are disabled. Thus, Aspera recommends disabling password authentication in the sshd_config file and

enabling private/public key authentication. To do so, add or uncomment PubkeyAuthentication yes in the

sshd_config file and comment out PasswordAuthentication yes.

...

PubkeyAuthentication yes

#PasswordAuthentication yes

PasswordAuthentication no

...

5. Restart the SSH server to apply new settings

When you have finished updating your SSH server configuration, you must restart the server to apply your new

settings. Restarting your SSH server will not impact currently connected users. To restart your SSH Server, go to

Control Panel > Administrative Tools > Services . Locate the OpenSSH Service and click Restart.

6. Restrict user access

Restricting user access is a critical component of securing your server. When a user's docroot is empty (i.e. blank),

that user has full access to your server's directories and files. To restrict the user, you must set a non-empty

docroot, which automatically changes the user's shell to aspshell (Aspera shell). You can do so from the product

GUI by going to Configuration > Users > Docroot > Absolute Path . Input a path in the blank field and ensure

that Override is checked.

Installation 11

Once you have set the user's docroot, you can further restrict access by disabling read, write and/or browse. You

may do so via the product GUI (as shown in the screenshot above).

Field Description Values

Absolute Path The area of the file system (i.e. path) that is accessible to the Aspera user.

The default empty value gives a user access to the entire file system.

Path or blank

Read Allowed Setting this to true allows users to transfer from the designated area of the

file system as specified by the Absolute Path value.• true

• false

Write Allowed Setting this to true allows users to transfer to the designated area of the

file system as specified by the Absolute Path value.• true

• false

Browse Allowed Setting this to true allows users to browse the directory. • true

• false

7. Review your logs periodically for attacks

Aspera recommends reviewing your SSH log periodically for signs of a potential attack. Launch Control Panel >

Administrative Tools > Event Viewer . To see only SSH Server events, select View > Filter... to bring up the

filter settings. In Application Properties > Filter tab, select sshd in the Event source menu to display only SSH

Server events. You may also apply other conditions when needed.

12 Installation

With a filter applied, you can review the logs in the Event Viewer main window, or select Action > Save Log File

As... to export a log file using .txt or .csv format.

Look for invalid users in the log, especially a series of login attempts with common user names from the same

address, usually in alphabetical order. For example:

...

Mar 10 18:48:02 sku sshd[1496]: Failed password for invalid user alex from 1.2.3.4

port 1585 ssh2

...

Mar 14 23:25:52 sku sshd[1496]: Failed password for invalid user alice from 1.2.3.4

port 1585 ssh2

...

If you have identified attacks:

• Double-check the SSH security settings in this topic.

• Report attacker to your ISP's abuse email (e.g. abuse@your-isp).

Installation 13

Setting up SharesSet up Shares on your system(s).

The instructions below will walk you through setting up the Shares application and a MySQL database on your

Windows system. These instructions assume that Shares and MySQL will be installed on the same, local machine.

1. Login as System Administrator and download the MySQL and Shares executables.

Before installing Shares, ensure that you are logged into your machine as a local system Administrator. Once

confirmed, download the Aspera Shares and MySQL executable files from our Website (input your Aspera

credentials when prompted). Note that you need to download two executables:

• AsperaMysql-<version>.exe

• AsperaShares-<version>.exe

2. Run the MySQL and Shares executables.

Install MySQL on your system by running AsperaMysql-<version>.exe. Follow the on-screen instructions.

IMPORTANT NOTE: On Windows 2008 with UAC (User Account Control) enabled, you must run the installer as an

Administrator. To do so, right-click the executable and select the option Run as administrator. You may be asked

to enter the administrator's password to allow the installer to make changes to your computer.

After the license agreement screen, select "Typical" as the desired setup type.

http://downloads.asperasoft.com/en/downloads/34

14 Installation

The installer will then prompt you to create or update an Aspera service account that runs the services for Aspera

products. By default, the user name is svcAspera.

Installation 15

If your machine is not joined to a Windows domain, then a local user (such as the default svcAspera) is all that is

required to run Aspera services. If the local account does not already exist, enter new credentials and click Next. If

the account exists (e.g. created through the previous installation), enter the account password and click Next.

IMPORTANT NOTE: On Windows XP 32-bit, instead of creating a user account, you may check the option Run

Aspera services as a local SYSTEM account to run these services by the local user "SYSTEM."

If your machine is joined to a domain, or you need to support requirements #2 and/or #3 below, then the type of

account specified will vary. Please refer to the table below. If the server is configured to accept the domain user

login, use a domain account that has been added to the local administrator's group to run the services. You must

create this domain account on your Domain Controller first.

No. Requirement Type of Service Account User

1 Provision local transfer users only. Local account. Domain account with local admin privileges can be used,

but is not required.

2 Provision Active Directory accounts

for transfer users (users who

wish to transfer with your server

are authenticated through Active

Directory).

Domain account with local admin privileges.

3 Transfer users store files on a

remote file system (not on your

server machine), such as an SMB

file share.

Domain account with local admin privileges. In some cases, additional

actions are required to support this requirement. Please refer to the

aspera knowledgebase or contact Aspera Technical Support for

assistance.

After creating your Aspera service account, click the Install button on the next screen.

https://support.asperasoft.com/categories/20004723-aspera-knowledgebase

16 Installation

During the installation process, Windows will start the MySQL service. Once complete, install the Shares application

(as Administrator) by running AsperaShares-<version>.exe. Follow the on-screen instructions and select the

Install button when prompted.

Installation 17

3. Run the Shares setup script

Once the "Aspera Shares Setup Wizard" completes, you will receive a prompt with a checkbox and a Finish button.

By default, the Run the setup script to complete the installation checkbox is turned on. Once you click Finish,

the Shares installer will automatically run the setup command. Follow the configuration instructions to complete

the setup process, which includes inputting the MySQL root password, creating the Shares DB username and

password, and creating the Shares admin account.

IMPORTANT NOTE:

If you do not want to run the setup command automatically, then uncheck (turn off) the Run the setup script to

complete the installation checkbox. If you choose not to run the setup at the end of the Shares installation, you

can run it manually by following the instructions below.

1. Open an administrative command prompt.

2. cd to C:\shares\www\script\windows.

3. Run shares_installer.bat and follow the prompts.

4. Install the Shares license.

On the computer that has the Shares application installed on it, launch your web browser and go to https://

shares-ip-address/. Log in with the administrator's username and password.

18 Installation

You can install the license by navigating to the Admin screen (via the Admin link).

Then, select Other > License .

Installation 19

5. Configure your server's hostname or IP address to send emails from Shares to users.

From the Shares Admin screen, select Other > Web Server .

20 Installation

Input your Shares server's hostname (or IP address) into the Host field, as it will be used as part of the URL

in system emails to users. For example, when an account is created for a user, that user will receive an email

Installation 21

prompting him or her to reset the password. This email contains a URL that points to whatever hostname or IP

address is put in into the Host field.

Setting up Enterprise ServerSet up Enterprise Server v3.0+ to work with Shares.

The instructions below walk you through setting up Aspera Enterprise Server 3.0+ on the same (local) machine

as Aspera Shares. These instructions assume that you have already set up your mySQL database and Shares

application. For instructions on setting up a remote transfer server (using the Node API), please refer to your Enterprise

Server guide.

WARNING! If Enterprise Server v2.7.4 or older is already installed and running on your system, then you must

upgrade to Enterprise Server 3.0+ before setting up the node server. Please refer to your Enterprise Server guide

for information on installing or upgrading.

1. Download and install Enterprise Server v3.0+.

Follow the instructions in the Enterprise Server guide for installing Enterprise Server v3.0+ and a valid license file.

2. Create a Node API username.

Aspera's Web applications authenticate to the remote node service via a Node API username and password. We

will create a Node API user/password now, and associate it with a file transfer user that we will create in the next

step. The Node API credentials can then be used to create nodes. Note that different nodes may use different Node

API username/password pairs.

> asnodeadmin.exe -a -u your_node_api_username -p your_node_api_password -x asp1

Note that adding, modifying or deleting a node-user triggers automatic reloading of the configuration and license

files, as well as the user database.

3. Create a file transfer user (e.g. asp1).





22 Installation

This is the user who authenticates the actual ascp transfer, and must be an Operating System account on the node.

Create a new transfer user "asp1" (as an Administrator) on your Operating System via the GUI ( Control Panel >

User Accounts .

IMPORTANT NOTE: After creating a user account on Windows (e.g. asp1), you need to login as that user as least

once in order for Windows to set up the user's home folder (e.g. C:\Users\asp1). Once the user's home folder

has been created, you can log back in as an Administrator and continue the steps below.

You must then set up this user within Enterprise Server. To set up a user, follow the instructions in the topic

"Setting up Users."

IMPORTANT NOTE: A docroot must be created for the file transfer user who authenticates the ascp transfer (global

or per-user). After modifying a user's docroot, you must perform a reload operation, as described in the topic

"aspera.conf for Nodes."

4. Copy the public key to the transfer user’s .ssh file.

For our example file transfer user, asp1, we will assume the following:

• The public key install location will be C:\Users\asp1\.ssh\authorized_keys.

• The key file is located in C:\Program Files (x86)\Aspera\Enterprise Server\var

\aspera_id_dsa.pub.

Open a Command Prompt ( Start menu > All Programs > Accessories > Command Prompt ) and run the

following commands to create the user's public key folder:

> cd "C:\Users\asp1"

> md .ssh

Use a text editor to create the following file (without a file extension):

C:\Users\asp1\.ssh\authorized_keys

Copy the contents of aspera_id_dsa.pub into the authorized_keys file and update the directory permissions

by right-clicking the .ssh folder and selecting the Security tab. Here, you can set permissions to read, write and

execute (full control).

Installation 23

5. (Optional) Change HTTPS port and/or SSL certificate.

The Aspera Node API provides an HTTPS interface for encrypted communication between node machines (on Port

9092, by default). To modify the HTTPS port, please view the topic "aspera.conf for Nodes." For instructions on

maintaining and generating a new SSL certificate, please refer to the topic "Setting up SSL for your Node(s)."

IMPORTANT NOTE: Most of the node settings require that you restart the asperanoded service if you change

their values. To restart the asperanoded service, run the following command(s). Please refer to the topic

"aspera.conf for Nodes" for details.

24 Node and Shares Configuration

Node and Shares ConfigurationNew node and share configuration instructions.

Node ConfigurationConfigure a new node using the Shares' GUI.

The following instructions explain how to configure a node within the Shares application. These instructions assume

that you have already installed the Shares application and Enterprise Server v3.0+ on your local machine (along with

the appropriate licenses). Before you continue, make sure that you have the following information available:

• The node computer's hostname or IP address, along with a port and path (if applicable).

• The node API username and password, which you created when you set up Enterprise Server on your node

machine.

1. Log into the Shares application with your admin username and password.


localhost/. Log in with your admin username and password.

Once logged in, you will arrive at your Home screen.

Node and Shares Configuration 25

2. On the Home screen, click the NODE + button to add a new node and complete the New Node configuration form.

You can quickly add a new node by clicking the NODE + on your Home screen.

When the New Node configuration screen appears, complete the form fields with the information you collected at

the beginning of this exercise. Below is a description of each field, along with example values.


Field Description Sample Value

Name A description of the node. "Headquarters"

Host The node computer's hostname or IP address, along

with a port and path (if applicable). The "port" field

represents the port on which the node service is

running; which, by default, is 9092. The "path" field is an

advanced feature used for URL proxying. In nearly all

cases, you may leave this field blank.

In our example, the Shares

application and Enterprise

Server are installed on

the same computer. That

means our hostname is

localhost and our node

service port is HTTPS

9092. If the node is on

a remote host, use the

IP address or resolvable

hostname, e.g. "10.1.2.3"

and "9092".



API Username The node API username that you created when you set

up Enterprise Server on your node machine. Note that

this user is kept in the redis database for authentication

between the Shares application and the node service.

"node-admin"

API Password The node API password that you created when you set

up Enterprise Server on your node machine.

"s3cur3_p433"

Use SSL To encrypt the connection to the node using SSL,

enable this box. Although the node is configured to use

Aspera's pre-installed, self-signed certificate (/opt/

aspera/etc/aspera_server_cert.pem), you can

use your own certificate by replacing the files located in

the following directories:

• /opt/aspera/shares/conf/cert.key

• /opt/aspera/shares/conf/cert.pem

To generate a new certificate, follow the instructions

provided in the topic "Setting up SSL for your Node(s)"

and use the OpenSSL command-line binary (/opt/

aspera/shares/bin/openssl).

IMPORTANT NOTE: After generating a new

certificate, you must create a “cert.pem” file that

contains both the private key and the certificate. To

do so, copy and paste the entire body of the key

and cert files into a single text file (i.e. paste the

private key, the certificate, and then save the file as

"your_cert.pem").

Enabled, by default.

Verify SSL Certificate To verify the SSL certificate, enable this box. Enabled, by default.

Bytes free - warn If you would like to receive a warning message when

the node has equal to or less than a certain number of

storage bytes free, then enter that number into this field.

You can input the number as G, MB, terrabytes and

bytes.

50G

Percent free - warn If you would like to receive a warning message when

the node has equal to or less than a certain percent

of its storage free, then enter that percentage into this

field.

25%



Bytes free - error If you would like to receive an error message when

the node has equal to or less than a certain number of

storage bytes free, then enter that number into this field.

You can input the number as G, MB, terrabytes and

bytes.

10G

Percent free - error If you would like to receive an error message when the

node has equal to or less than a certain percent of its

storage free, then enter that percentage into this field.

10%

3. Save and confirm.

After inputting the node details, click the Create Node button. If your node has been successfully created, it will

appear under the Nodes section on your Home page.

From here, you can perform multiple actions.

• Click the node's name to browse files on the node

• Use the drop-down menu to the right of the node name to browse, edit, view shares, view admin activity or

delete the node.


For detailed information on these functions, please refer to the topic "Node Functions".

IMPORTANT NOTE: One machine can be added as a node multiple times, in the circumstance that different access

credentials are required to see files in multiple areas of the system.

Share ConfigurationConfigure a new share on a selected node.

The following instructions explain how to configure a share (essentially a directory on a node) within the Shares

application. These instructions assume that you have already installed the Shares application and Enterprise Server

v3.0+ on your local machine (along with the appropriate licenses), and have followed the instructions in the topic Node

Configuration to create at least one node. Before you continue, make sure that you have the following information

available:

• The name of the node that you would like to put the share on.

• The node directory that you would like to set up as the share.

1. If you have not already done so, log into the Shares application with your admin username and password.


shares-ip-address/. Log in with your admin username and password.

Once logged in, you will arrive at your Home screen. Note that the example below assumes that you have already

set up a node (per the topic Node Configuration).


2. On the Home screen, click the SHARES + button to add a new share and complete the New Share configuration

form.

You can quickly add a new share by clicking the SHARES + button on your Home screen.

When the New Share configuration screen appears, complete the form fields with the information you collected at

the beginning of this exercise. Below is a description of each field, along with example values.



Name The name of the share is simply a description,

which means that multiple shares can also have

the same name.

"my first share"

Node Select a node from the drop-down list. This drop-

down list is automatically populated with nodes

that you have previously configured (refer to

Node Configuration).

In our example, the node is called

"my first node." We will select this

name from the drop-down list.

Directory Once you select a node from the drop-down list

above, you will be able to browse its directories

using the Browse... button. If you are not able to

browse the node's directories, please check your

node configuration.

When you click the Browse... button, you will

be prompted to select a directory in the pop-up

window. Here, you have several options:

• You can perform a simple search for a

directory by inputting it into the name field and

clicking Search.

We are going to make the

"documents" directory our share on

this node.



• You can perform an advanced search by

clicking the Advanced link, and inputting your

criteria.

• You can sort the directory list by type, size,

size descending, last modified and last

modified descending.

• You can select a radio button next to the

directory that you would like to be the share.

After clicking the corresponding radio button,

click the Select button.

Bytes free - warn If you would like to receive a warning message

when the share has equal to or less than a

certain number of storage bytes free, then enter

that number into this field. You can input the

number as G, MB, terrabytes and bytes.

5G

Percent free - warn If you would like to receive a warning message


certain percent of its storage free, then enter that

percentage into this field.

25%

Bytes free - error If you would like to receive an error message


certain number of storage bytes free, then enter

that number into this field. You can input the

number as G, MB, terrabytes and bytes.

1G

Percent free - error If you would like to receive an error message


certain percent of its storage free, then enter that

percentage into this field.

10%

3. Save and confirm.

After inputting the share details, click the Create Share button. If your share has been successfully created, it will

appear under the Shares section on your Home page.



• Click the share's name to browse files on the share.

• Use the drop-down menu to the right of the share name to browse, view activity, make comments, edit, view

authorizations, view admin activity or delete the share.

For detailed information on these functions, please refer to the topic "Share Functions".

34 Shares Accounts

Shares AccountsSetting up Shares directory service, group and user accounts.

Add your Directory Service (DS)Adding your directory service to Shares.

The Shares application supports the Lightweight Directory Access Protocol (LDAP) and can be configured to connect

to a directory service. The following directory service databases are supported:

• Active Directory (AD)

• Apple Open Directory

• Fedora Directory Server

• Open LDAP

Note that Shares already has a default, local database. When you add local users, they will automatically be added to

Local Database (viewable via Admin > Accounts > Directories ). For additional information on setting up local users,

please refer to Configuring Local Users.

To add a new directory service account, log into Shares and go to Admin > Accounts > Directories > New .

Shares Accounts 35

Complete the form that appears with your specific directory service's settings and click the Create ldap config button.

An example is shown below, along with a description of all settings in the proceeding table.

Option Description

Directory Type Select your directory service type from one of the following options:

• Active Directory (AD)

• Apple Open Directory

• Fedora Directory Server

• Open LDAP

Name Input a name for this directory service.

36 Shares Accounts

Option Description

Description Input a description for this directory service.

Host The directory's address and port number. By default, unsecured LDAP uses port 389,

unsecured global catalog uses port 3268, and global catalog over SSL uses port 3269.

Base DN The search treebase (e.g. dc=myCompany,dc=com for myCompany.com)

Authentication

Credentials• Anonymous Bind

• Simple Bind

If Simple Bind is selected, then you are required to input your directory

service user name, which is typically a Distinguished Name (DN) (e.g.

CN=Administrator,CN=Users,DC=myCompany,DC=com) and directory service password.

Encryption • Unencrypted (Default port 389)

• Simple TLS (Default port 636)

NOTE: Aspera highly recommends selecting Simple TLS to secure your server. By

default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and

secure by enabling TLS.

Now that you have added your directory service to Shares, you can configure specific settings for your DS user(s) and

group(s).

Configuring DS within SharesSetting up your DS groups and DS users within Shares.

After adding your directory service to Shares, you can configure specific settings for your DS user(s) and group(s).

Tab Description

DetailUpdate the information that you inputted for the DS account when you first set it up.

Shares Accounts 37

Tab Description

GroupsView and edit your DS group permissions. Your DS groups will be listed on this page, along

with Edit buttons.

38 Shares Accounts

Tab Description

To set specific permissions for an individual DS group, click the corresponding Edit button.

For further instruction on editing a DS group, please refer to the section "Setting Permissions

for Individual DS Groups."

UsersView and edit your DS users' permissions. Your DS users will be listed on this page (unless

the number of records exceeds Shares' limit for displaying a list), along with Edit buttons. If

no list appears, you can search for users by name (where you must input a minimum of one

character to perform a search).

To set specific permissions for an individual DS user, click the corresponding Edit button. For

further instruction on editing a DS user, please refer to the section "Setting Permissions for

Individual DS Users."

SecurityThis tab allows you to configure specific security settings for the entire directory.

• If you select (checkmark) Disabled, then no users from this directory can log into Shares.

This also prevents you from giving individual DS users and DS groups access to log in.

• If you select (checkmark) Login, then all users from this directory can log into Shares. If

left unchecked, you may give individual DS users and DS groups access to log in.

Shares Accounts 39

Tab Description

• If you select (checkmark) Admin, then all users in this directory have Administrative

permissions. If left unchecked, you may give individual DS users and DS groups

administrative access.

To configure DS users' security settings from their individual account pages, please refer to

the section "Setting Permissions for Individual DS Users."

SharesClick the Add Share link to authorize specific shares for this directory.

Upon doing so, you will be provided a list of nodes and shares that are currently configured in

your Shares application, along with an Authorize link.

40 Shares Accounts

Tab Description

After authorizing a share, you can modify the directory's permissions for browsing,

transferring and performing file operations within it. Note that the default permission is browse

only. To edit these permissions or de-authorize the directory's access to the share, click the

edit link.

From here, select (checkmark) permissions that directory users have for the authorized

share. For example, everyone in this directory is allowed to browse the company's event

photos; however, they cannot download, upload, or perform any file operations within the

share. After modifying your settings, click the Update button. You may de-authorize access to

this share by clicking Delete.

IMPORTANT NOTE: If you authorize a share for an entire directory, then any group within

that directory will inherit the same access permissions.

ActivityView and search for activity within this directory.

Shares Accounts 41

Tab Description

Setting Permissions for Individual DS Groups

You may configure your DS groups with unique settings (rather than defaulting to the directory settings). You will arrive

at the tabs below after clicking the Edit button for a corresponding DS group.

Tab Description

DetailView the DS group's name, modify the directory, or delete the directory from the Shares

application.

42 Shares Accounts

Tab Description

Member OfIf this group is a member of another group, then that will be indicated under this tab.

MembersDisplays this group's DS members and allows you to edit corresponding DS user settings.

Please refer to the section "Setting Permissions for Individual DS Users" for details on editing

DS user settings.

SecurityThis tab allows you to configure specific security settings for all members of the DS group,

including whether or not all members of the group can log into Shares, as well as if all

members of the group are administrators. If you select (checkmark) Login, then all users

in this group can log into Shares. If you select (checkmark) Admin, then all users in this

group have Administrative permissions. If you leave these boxes unselected, then you can

configure each local users' security settings from their individual account pages. Please refer

to the topic Configuring Local Users for details.

Shares Accounts 43

Tab Description

SharesClick the Add Share link to authorize specific shares for the members of this DS group to

access.



IMPORTANT NOTE: If you authorized a share for this DS group's entire directory, then this

group will inherit the same access permissions for that share.

44 Shares Accounts

Tab Description

After authorizing a share, you can modify the DS group's permissions for browsing,

transferring and performing file operations within it. Note that the default permission is browse

only. To edit these permissions or de-authorize the DS group's access to the share, click the

edit link.

IMPORTANT NOTE: If the share had been authorized for this DS group's entire directory,

then the Inherited? column will be populated with the text "Inherited."

From here, select (checkmark) permissions that group members have for the authorized

share. For example, our accounting department is allowed to browse, download and upload

spreadsheets, as well as perform all file operations within the "Spreadsheets" share.

After modifying your settings, click the Update button. You may de-authorize access to this

share by clicking Delete.

Transfer SettingsImplement transfer settings/restrictions specifically for members of this group. In doing so,

you will be overriding Share's app-wide transfer settings just for this group. To configure

transfer settings just for this group, start by clicking the Override these settings button

(which will enable the input boxes).

Shares Accounts 45

Tab Description

Now, you can configure your own transfer settings for this group.

46 Shares Accounts

Tab Description

Transfer settings include the following:

• Upload target rate: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the

node's settings.

• Upload target rate cap: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to

use the node's settings.

• Download target rate: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use

the node's settings.

• Download target rate cap: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to


• Starting policy: Select the policy that will be enforced when the transfer starts, where

policies include fixed, high, fair and low. You can also select Inherit from node to use the

node's settings. If fixed, the transfer will utilize a fixed rate policy. Under this policy, the

transfer will transmit data at a rate equal to the target rate (although this may impact the

performance of other traffic present on the network). If fair, the transfer will utilize a fair

rate policy. Under this policy, the transfer will attempt to transmit data at a rate equal to the

Shares Accounts 47

Tab Description

target rate. If network conditions do not permit that to be achieved, it will transfer at a rate

lower than the target rate, but not less than the minimum rate.

• Allowed policy: Select the policies that are available to the user during the transfer. You

can also select Inherit from node to use the node's settings. For example, if the starting

policy is fair, then you may allow them to change between fair and low by selecting the

fair and low option from the drop-down list.

• Encryption: Select from optional or AES-128. You can also select Inherit from node to


• Encryption at rest: Required or optional. You can also select Inherit from node to use

the node's settings. If required, uploaded files must be encrypted during a transfer for

the purpose of protecting them while stored on a remote server. The uploader sets a

password before uploading the file, and then the downloader is required to enter that

same password to decrypt the protected file.

Click the Save button to keep your new settings. You may also click the Use Inherited

Settings button to return to the app-wide transfer configuration.

ActivityView and search for activity by members of this DS group.

Setting Permissions for Individual DS Users

You may configure your DS users with unique settings (rather than defaulting to the directory or group settings). You

will arrive at the tabs below after clicking the Edit button for a corresponding DS user.

48 Shares Accounts

Tab Description

DetailView the DS user's name, modify the directory, or delete the user from the Shares

application.

Member ofAdd this user to a DS group by selecting one from the drop-down list. You will only see DS

groups that have been added to Shares (i.e. Setting Permissions for Individual DS Groups

through the Shares UI).

IMPORTANT NOTE: You will not be able to add DS users to a local group; only DS

groups. For instructions on configuring local users, see the topic Configuring Local Users.

After adding a DS user to a DS group, you may click the Edit link to modify the group's

settings or Remove to delete them from the group (but not from the Shares application).

Shares Accounts 49

Tab Description

When you click the Edit link, you will be taken to DS group's configuration page. Please

refer to the topic Setting Permissions for Individual DS Groups for details on modifying a DS

group's settings.

Security Under the Security tab, you can update the following settings:

• Disable the user's account. Note that if you disable this user's account on this screen,

then the user will not be able to log into Shares even if he or she belongs to a group or

directory that has access permissions.

• Explicitly allow the user to log into the Shares application.

• Explicitly make this user an Administrator.

• Allow the user to log into the API (which means that even if the user does not have

BROWSE permissions, he or she can still perform transfer and file operations).

• Set an account expiration date.

50 Shares Accounts

Tab Description

SharesClick the Add Share link to authorize specific shares for the DS user to access. Note that if

this user belongs to a DS group, and the group has access to a share, then that share will be

listed here (i.e., permission to access the share is "inherited" from the group). The same is

true if the entire directory has access to this share.



Shares Accounts 51

Tab Description

After authorizing a share, you can modify the DS user's permissions for browsing, transferring

and performing file operations within it. Note that the default permission is browse only. If

browse is not selected, the DS user will only be able to access functions if he or she has

been made an API User (see Security tab description above). To edit these permissions or

de-authorize the DS user's access to the share, click the edit link.

From here, select (checkmark) permissions that the DS user has for the authorized share.

For example, the user in our office example is only allowed to download and browse the

marketing share; however, he cannot upload content or perform any file operations within the

share.



PreferencesSelect a timezone and input any comments.

52 Shares Accounts

Tab Description

Transfer SettingsImplement transfer settings/restrictions specifically for this DS user. In doing so, you will be

overriding Share's app-wide transfer settings and DS group and/or directory settings.


Shares Accounts 53

Tab Description


node's settings.


























ActivityView and search for Shares activity by this user.

54 Shares Accounts

Tab Description

Configuring Local GroupsSetting up Shares local groups.

Administrators can create Shares local groups, in which all users who belong to the group will have the same Shares

access permissions and will belong to the Local Database (rather than a directory service). To add a new local group,

log in to Shares and go to Admin > Accounts > Groups > New .

You will first be prompted to input the new local group's Name.

Shares Accounts 55

Once you create the local group under its new name, you will be directed to the Group screen, which displays following

six tabs:

From this screen, you can configure specific settings for your new local group.

Tab Description

DetailUpdate the local group's name, or delete the group from the Shares application.

56 Shares Accounts

Tab Description

MembersAdd members to the local group by selecting local users from the drop-down list. Note that

you will only see local users who have been added to Shares (e.g. the Shares admin or other

users that you have set up through the Shares UI).

IMPORTANT NOTE: You will not be able to add DS users to a local group; only local

users. You may configure DS groups by going to the Shares Directories screen (viewable

via Admin > Accounts > Directories ).

After adding a member to your local group, you may click the Edit link to modify the user's


When you click a user's Edit link, you will be taken to the individual user's configuration

page. Please refer to the topic Configuring Local Users for details on modifying a local user's

settings.

Shares Accounts 57

Tab Description

SecurityThis tab allows you to configure specific security settings for all members of the group,

including whether or not all members of the group can log into Shares, as well as if all the

groups are administrators.

• If you select (checkmark) Login, then all users in this group can log into Shares. If left

unchecked, you may give individual users access to log in.

• If you select (checkmark) Admin, then all users in this group have Administrative

permissions. If left unchecked, you may give individual users administrative access.

To configure users' security settings from their individual account pages, please refer to the

topic Configuring Local Users for details.

SharesClick the Add Share link to authorize specific shares for the members of this group to access.

58 Shares Accounts

Tab Description



After authorizing a share, you can modify the group's permissions for browsing, transferring

and performing file operations within it. Note that the default permission is browse only. To

edit these permissions or de-authorize the group's access to the share, click the edit link.

From here, select (checkmark) permissions that group members have for the authorized

share. For example, the video editors in our office example are allowed to browse, download

and upload video content; however, they cannot perform any file operations within the share.



Shares Accounts 59

Tab Description

Transfer SettingsImplement transfer settings/restrictions specifically for members of this group. In doing so,

you will be overriding Share's app-wide transfer settings just for this group. To configure

transfer settings just for this group, start by clicking the Override these settings button

(which will enable the input boxes).

Now, you can configure your own transfer settings for this group.

60 Shares Accounts

Tab Description



node's settings.













Shares Accounts 61

Tab Description














Click the Save button to keep your new settings. You may also click the Use Inherited

Settings button to return to the app-wide transfer configuration.

ActivityView and search for activity by members of this group.

Configuring Local UsersSetting up local Shares users.

Administrators can create Shares user accounts that will automatically added to the local database (not a directory

service). For DS users, please refer to the topic Configuring DS within Shares. Once a local user is created, he or

she can be added to a local Shares group. To add a new local user, log in to Shares and go to Admin > Accounts >

Users > New .

62 Shares Accounts

You will be prompted to input the following details:

• First Name

• Last Name

• Username

• Email Address

• Initial Login action (you can either send a login link that takes the user to the set-password page, or set a temporary

password on the user's behalf).

Once you create a local user, you will be directed to the User screen, which displays seven tabs:

Shares Accounts 63

Tab Description

DetailUpdate the local user's name, username and email address. You may also delete the local

user from the Shares application.

Member ofAdd this user to a local group by selecting one from the drop-down list. You will only see local

groups that have been added to Shares (i.e. local groups that you have set up through the

Shares UI).

IMPORTANT NOTE: You will not be able to add local users to a DS group; only local

groups. For instructions on configuring DS users, see the topic Configuring DS within

Shares.

64 Shares Accounts

Tab Description

After adding a local user to a local group, you may click the Edit link to modify the group's


When you click the Edit link, you will be taken to local group's configuration page. Please

refer to the topic Configuring Local Groups for details on modifying a local group's settings.

Security Under the Security tab, you can update the following settings:

• Send the user a password reset link

• Disable the user's account. Note that if you disable this user's account on this screen, then

the user will not be able to log into Shares even if he or she belongs to a group that has

group access permissions.

• Explicitly allow the user to log into the Shares application.

• Explicitly make this user an Administrator.

• Allow the user to log into the API (which means that even if the user does not have

BROWSE permissions, he or she can still perform transfer and file operations).

• Set an account expiration date.

• Set a temporary password.

Shares Accounts 65

Tab Description

SharesClick the Add Share link to authorize specific shares for the local user to access. Note that if

this user belongs to a local group, and the group has access to a share, then that share will

be listed here (i.e., permission to access the share is "inherited" from the group).



66 Shares Accounts

Tab Description

After authorizing a share, you can modify the user's permissions for browsing, transferring

and performing file operations within it. Note that the default permission is browse only. If

browse is not selected, the user will only be able to access functions if he or she has been

made an API User (see Security tab description above). To edit these permissions or de-

authorize the user's access to the share, click the edit link.

From here, select (checkmark) permissions that the user has for the authorized share.

For example, the user in our office example is only allowed to download and browse the

marketing share; however, he cannot upload content or perform any file operations within the

share.

Shares Accounts 67

Tab Description



PreferencesSelect a timezone and input any comments.

Transfer SettingsImplement transfer settings/restrictions specifically for this user. In doing so, you will be

overriding Share's app-wide transfer settings and group settings (if the user belongs to a

group).

68 Shares Accounts

Tab Description



node's settings.















Shares Accounts 69

Tab Description












ActivityView and search for Shares activity by this user.

70 Using Shares

Using SharesIncludes node, share and search functionality.

Overview of Nodes, Shares and UsersShares' node, share and authorization capabilities.

Before proceeding with an administrative function review, it's important to understand Shares' node, share and

authorization capabilities. The Shares application is capable of managing one or more “transfer nodes,” which can

be local or remote file systems, or EC2 instances with or without S3. These transfer nodes are accessed using the

Aspera “Node API,” which is activated by the Enterprise Server 3.0+ license. Note that if your node is intended for use

with S3, then your license must be S3-enabled. Each node can contain one or more "shares." A share is effectively a

directory on a node, which can be browsed, uploaded to, downladed from, etc. Users can be authorized for any subset

of operations on a share, and can only view buttons for the opperations that they are authorized to perform. Now, let's

take a closer look at administrative capabilities. Please refer to the table below.

Managing Nodes, Shares and Users

Administrative

Capability

Description

Node

Administration• Nodes are only visible to administrators.

• All administrators have the same level of privileges for all nodes.

• Administrators can create, edit and delete nodes.

• The Shares application requires user authentication to access the node.

Share

Administration• Only administrators can create, edit and delete shares.

• Only admins can changes share authorizations (access control).

• All administrators have the same level of privileges for share administration for all shares.

Authorization • Only administrators can change share authorizations.

• Precedence:

• Authorizations can be granted to users, groups and directory services.

• Authorization at the user level applies takes precedence over the user's group and/or

directory service authorization (if applicable).

• In the absence of user-level authorization, a user is granted the “union” of all authorizations

for the user's groups and directory services (if applicable).

• Administrators can view, edit and remove authorizations.

• Users can be authorized for any subset of the operations on a share, where operations include

the following:

• Browse

• Upload

Using Shares 71

Administrative

Capability

Description

• Download

• Make directory

• Delete directory or file

• Rename

IMPORTANT NOTE: If a user is not granted “browse” access, but is allowed other operations,

then the user will not be able to access any controls through the UI.

Node FunctionsFunctions you can perform on a node.

Node Drop-down List

Once you have successfully created a node, it will appear under the NODES section on your Home page.


• Click the node's name to browse files on the node.

• Use the drop-down menu to the right of the node name to browse, edit, view shares, view admin activity or delete

the node.

72 Using Shares

These drop-down options are described in detail below.

Function Description

Browse node Please refer to the Section "Browsing a Node," below.

Edit Select Edit from the drop-down list to the right of the node's name. From the node's

Detail view, you can check the node's status by performing a test; verify its free

space; and delete the node completely. You can also change the details that you

provided during the configuration step (refer to "Node Configuration").

Shares Select Shares from the drop-down list to the right of the node's name. This is also

accessible from the node's Detail view (second tab). Here, you can view the name

and directory for each of the node's shares, as well as edit each share. When you

click Edit, you will be taken to the share's detail page, the functions of which are

described in this topic "Share Functions".

Admin Activity Select Admin Activity from the drop-down list to the right of the node's name. This

is also accessible from the node's Detail view (third tab). You will see a list of all

admin activity that has occurred on the selected node. You may also search for

activity based on tagged events or a date range.

Delete Select Delete from the drop-down list to the right of the node's name. This is

also accessible from the node's Detail view (link at the bottom of the page). This

function deletes the node from the Shares application.

Browsing a Node

When you browse a node, you will be able to see all directories that exist on that node.

Using Shares 73

You can also search for a directory name (using simple or advanced search) and sort the directory list. The following

buttons enable you to perform actions on a directory or directories.

• Bookmark: Create a shortcut to the selected (checkmarked) directory. If you do not check any directory, then the

bookmark will be the node's root directory.

• Download: Download the selected (checkmarked) directory or directories using the Aspera Connect browser

plugin.

• Upload: Upload a file or folder from another machine to this node using the Aspera Connect browser plugin.

• Delete: Delete the selected (checkmarked) directory or directories.

• New Folder: Create a new directory on the node.

• Rename: Rename an existing directory on the node.

• Create Share: Configure a new share for the selected directory (you can only select one directory at a time). Once

you click the Create Share button, you will be taken to the New Share page, which will be pre-populated with the

node and directory information. To complete the other fields, see the topic "Shares Configuration".

Share FunctionsFunctions you can perform within a Share (with the proper permissions).

Shares Drop-down List

Once you have successfully created a share, it will appear under the SHARES section on your Home page.


74 Using Shares

• Click the share's name to browse files on the share.

• Use the drop-down menu to the right of the share name to browse, view activity, make comments, edit, view

authorizations, view admin activity or delete the share.

These drop-down options are described in detail below.

Function Description

Browse share Please refer to the Section "Browsing a Share," below.

Activity Select Activity from the drop-down list to the right of the share's name. You will

see a list of all activity that has occurred on the selected share. You may also

search for activity based on tagged events or a date range.

Comments You can see, edit or delete any comments that have been made about the share.

You can also add your own comments.

Edit Select Edit from the drop-down list to the right of the share's name. From the

share's Detail view, you can check the share's status by performing a test; verify its

free space; and delete the share completely. You can also change the details that

you provided during the configuration step (refer to Share Configuration on page

29).

Authorizations Select Authorizations from the drop-down list to the right of the share's name.

This is also accessible from the share's Detail view (second tab). Here, you can

add, delete and change authorizations for this share. You may authorize users,

groups and directories by clicking the respective links.

Admin Activity Select Admin Activity from the drop-down list to the right of the share's name.

This is also accessible from the share's Detail view (third tab). You will see a list of

all admin activity that has occurred on the selected share. You may also search for

activity based on tagged events or a date range.

Delete Select Delete from the drop-down list to the right of the share's name. This is

also accessible from the share's Detail view (link at the bottom of the page). This

function deletes the share from the node within the Shares application.

Using Shares 75

Browsing a Share

When you browse a share, you will be able to see all files/directories within that share.

You can also search for a directory name (using simple or advanced search) and sort the directory list. The following

buttons enable you to perform actions on a directory or directories:

• Bookmark: Create a shortcut to the selected (checkmarked) directory. If you do not check any directory, then the

bookmark will be the share's root directory.

• Download: Download the selected (checkmarked) directory or directories using the Aspera Connect browser

plugin.

• Upload: Upload a file or folder from another machine to this share using the Aspera Connect browser plugin.

• Delete: Delete the selected (checkmarked) directory or directories.

• New Folder: Create a new directory on the share.

• Rename: Rename an existing directory on the share.

• Create Share: Configure a new share for the selected directory (you can only select one directory at a time). Once

you click the Create Share button, you will be taken to the New Share page, which will be pre-populated with the

node and directory information. To complete the other fields, see the topic Share Configuration on page 29.

Search FunctionalitySimple and advanced search features.

Within a Node, Share or your Accounts list (i.e. directories, groups and users), you can perform a keyword search.

Simple and Advanced Search for Shares and Nodes

Select a share or a node on your Home page, and then within the Name: box, input a keyword for your search. You

can also enable/disable the Search sub-folders option. Note that Shares appends any keyword that you enter with *.

Thus, if you enter the keyword "Dec", then the search will actually be performed as "*Dec*"and Shares will return any

string that contains this word.

76 Using Shares

To perform a keyword search and limit the number of results, use Advanced search. You can set the following filters:

• Size (minimum and/or maxiumum values). You can include the unit of measure as bytes, MB or GB.

• Last Modified (from date and/or to date). Select a date from the pop-up calendar.

Simple Search for Accounts (Directories, Groups and Users)

From the Admin tab, select Directories, Groups or Users (depending on what account type you would like to search

for). You will be prompted to input at least two characters for your search query.

Shares Administration 77

Shares AdministrationAdministrative features for configured nodes, shares and users.

MonitoringMonitoring activity, background jobs, and errors/warnings.

From the Admin menu, the following monitoring capabilities are available from the left-hand navigation menu:

• Activity

• Background Jobs

• Errors and Warnings

Activity

After clicking the Activity link, you can view all activity that has occurred on your Shares server. Reported activity

includes the following:

• Created nodes and shares

• Log ins

• File deletion

• Node status

Note that each reported activity event is accompanied by a tag. You can click the tag to find related activities.

78 Shares Administration

You may also peform an activity event search. Click the Search link and enter the requisite information.

Background Jobs

To view, start and/or delete background jobs that are running on your Shares server, click the Background Jobs link.

Errors and Warnings

To view and/or search for errors and warnings that have occurred on your Shares server, click the Errors and

Warnings link.

EmailConfiguring Shares email capabilities (SMTP, templates and variables).

From the Email menu, the following capabilities are available:

• Templates

• Variables

• SMTP

Templates

Shares comes pre-configured with notification templates, which are accessible via the Templates link. To view and/or

edit a template, click its hyperlinked name. When editing a template, you can configure both an HTML and plain-text

version, as well as insert Variables. If you would like to create a new template, you can easily do so by copying a pre-

configured template, and editing it as needed.

Variables

To create and/or edit variables to be inserted into your notification templates, click the Variables link. When creating or

editing a variable, you can configure both an HTML and plain-text version.


SMTP

To input your server's SMTP settings, select the SMTP option and complete the form, which requests the following

information:

• Server: SMTP server address

• Port: SMTP port

• Domain: Domain name

• Use TLS if available: Aspera highly recommends turning this setting on to secure your email server.

• Username: Email username

• Password: Email password

• From: The "From" email address, which you are required to set.

To debug your SMTP server settings, click Send Test Email. Once you have configured your SMTP server, you

can return to this page to view all Shares activity related to it (via the Activity tab). Each reported activity event is

accompanied by a tag. You can click the tag to find related activities.


You may also peform an activity event search. Click the Search link and enter the requisite information.

SecuritySystem-wide security settings.

Your user security configuration is critical to maintaining a secure Shares server. Under the Security link, you can set

the following options:

• Session timeout: Log users out after this many minutes of inactivity (1-480 minutes).

• Require strong passwords: Require passwords to be at least 8 characters and contain at least one uppercase

letter, lowercase letter, number and symbol.

• Password expiration interval: Reset Number of days before a user must change his/her password (1-720 or

blank).

• Failed login count: Reset Number of failed logins within Failed Login Interval that will cause account to be locked

(1-20).

• Failed login interval: Number of minutes within which Failed Login Count results in account being locked (1-60).

• Self registration: Determines if non-users can create or request user accounts. Choose between none (not

allowed), moderated (you must approve the account before it is created), and unmoderated (once a user

registers, his or her account will be automatically created). If you allow self-registration, the moderated setting is

recommeded for security.


MODERATED SELF-REGISTRATION NOTE: If users are allowed to self-register, then they will see a Request an

Account link on the login page. After a user clicks this link and completes the form, you (as the administrator) will be

prompted under Admin > Accounts > Self Registration to Approve, Deny or Delete his or her account. You may

also perform a status search for "New" accounts.

Other SettingsMiscellanous administrative settings.

The following configuration options are available under the Other menu on the Admin page:

• Background

• License

• Localization

• Logging

• Logos

• Messages


• Transfers

• Web Server

Background

Modify and/or reset the parameters (e.g. frequency, storage, etc.) that Shares checks when running background jobs.

License

View/or change your Shares license.

Localization

Configure your Shares server with your local timezone, date format and time format.

Logging

Configure whether logged events trigger a warning or an error.

Logos

Add, edit or delete a custom logo for your Shares Web UI.

Messages

Create a login page message for your users, as well as a home page (after being logged in) message.

Transfers

Configure your transfer settings, which include the following:

• Min connect version: This is the minimum version of the Aspera Connect browser plugin that can be used to

transfer with Shares. Must be in the form "X.Y" (e.g. 1, 1.2, 1.2.3, or 1.2.3.4).

• Upload target rate: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.

• Upload target rate cap: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.

• Download target rate: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.

• Download target rate cap: For example, 1.5 Gbps, 500Mbps, 10 K, 3000. Leave blank to use the node's settings.

• Starting policy: Select the policy that will be enforced when the transfer starts, where policies include fixed, high,

fair and low. You can also select Inherit from node to use the node's settings. If fixed, the transfer will utilize a

fixed rate policy. Under this policy, the transfer will transmit data at a rate equal to the target rate (although this may

impact the performance of other traffic present on the network). If fair, the transfer will utilize a fair rate policy. Under

this policy, the transfer will attempt to transmit data at a rate equal to the target rate. If network conditions do not

permit that to be achieved, it will transfer at a rate lower than the target rate, but not less than the minimum rate.

• Allowed policy: Select the policies that are available to the user during the transfer. You can also select Inherit

from node to use the node's settings. For example, if the starting policy is fair, then you may allow them to change

between fair and low by selecting the fair and low option from the drop-down list.


• Encryption: Select from optional or AES-128. You can also select Inherit from node to use the node's settings.

• Encryption at rest: Required or optional. You can also select Inherit from node to use the node's settings. If

required, uploaded files must be encrypted during a transfer for the purpose of protecting them while stored on a

remote server. The uploader sets a password before uploading the file, and then the downloader is required to enter

that same password to decrypt the protected file.

Web Server

Configure your web server settings, including the host, port and whether or not SSL/TLS is enabled. Note that the

hostname (or IP address) inputted into the Host field will be used as part of the URL in Shares' emails to users. For

example, when an account is created for a user, that user will receive an email prompting him or her to reset the

password. This email contains a URL that points to whatever hostname or IP address is put in into the Host field.

84 Appendix

Appendix

aspera.conf for NodesEditing aspera.conf for your Enterprise Server node configuration.

The following section has been added to the aspera.conf file for configuring your node machine(s). The aspera.conf

file can be found in the following location:

OS Version File Location

32-bit Windows C:\Program Files\Aspera\Enterprise Server\etc\aspera.conf

64-bit Windows C:\Program Files (x86)\Aspera\Enterprise Server\etc\aspera.conf

IMPORTANT NOTE: Most of the settings shown below require that you restart the asperanoded service if you

change their values. To restart the asperanoded service, run the following command(s):

Windows 32-bit

C:\Program Files\Aspera\Enterprise Server\bin> sc stop asperanoded

C:\Program Files\Aspera\Enterprise Server\bin> sc start asperanoded

Windows 64-bit

C:\Program Files (x86)\Aspera\Enterprise Server\bin> sc stop asperanoded

C:\Program Files (x86)\Aspera\Enterprise Server\bin> sc start asperanoded

<server>

<server_name> 

your_hostname

</server_name>

<http_port> 

9091

</http_port>

<https_port> 

9092

</https_port>

<enable_http> 

false

</enable_http>

Appendix 85

<enable_https> 

true

</enable_https>

<cert_file> 

/opt/aspera/etc/aspera_server_cert.pem

</cert_file>

<max_response_entries> 

1000

</max_response_entries>

<max_response_time_sec> 

10

</max_response_time_sec>

<db_dir> 

/opt/aspera/var

</db_dir>

<db_port> 

31415

</db_port>

</server>

Setting Description Default Value

Server name Hostname or IP address. Note that you must

RESTART the asperanoded service (not

reload), as per the instructions above, to

implement any changes to this setting.

The hostname of the system

HTTP Port HTTP service port. Note that you must




9091

HTTPS Port HTTPS service port. Note that you must




9092

Enable HTTP Enable HTTP for the Node API services. Note

that you must RESTART the asperanoded

service (not reload), as per the instructions

false

86 Appendix

Setting Description Default Value

above, to implement any changes to this

setting.

Enable HTTPS Enable HTTPS for the Node API services.

Note that you must RESTART the

asperanoded service (not reload), as per

the instructions above, to implement any

changes to this setting.

true

Cert File Full pathname of SSL certificate (.pem and

existing support for .chain). Note that you

must RESTART the asperanoded service

(not reload), as per the instructions above, to


C:\Program Files OR Program Files

(x86)\Aspera\Enterprise Server\bin

\aspera_server_cert.pem

Maximum response

entries

Maximum number of entries to return in a

response. For this setting, you can perform a

reload operation using asnodeadmin (which

takes several seconds). The command is

asnodeadmin.exe --reload.

1000

Maximum response

time in seconds

Maximum amount of time to wait for a

long-running operation. For this setting,

you can perform a reload operation using

asnodeadmin (which takes several seconds).

The command is asnodeadmin.exe --

reload.

10

DB directory Path to the directory where the database

file is saved. Note that you must RESTART

the asperanoded service (not reload), as

per the instructions above, to implement any

changes to this setting.

C:\Program Files OR Program Files

(x86)\Aspera\Enterprise Server\var

DB port Database service port. Note that you must




31415

aspera.conf for S3

The example below displays how aspera.conf should be modified for AWS S3 transfers. Note that you must meet the

following prerequisites before modifying aspera.conf:

Appendix 87

• You (i.e. your username) have permissions to access the S3 bucket.

• You know your username's S3 Access ID and Secret Key.

<?xml version='1.0' encoding='UTF-8'?>

<CONF version="2">

<server>

<server_name>aspera.example.com</server_name>

</server>

<aaa>

<realms><realm><users>

<user>

<name>UserName</name>

<authorization>

<transfer>

<in>

<value>token</value>

</in>

<out>

<value>token</value>

</out>

</transfer>

<token>

<encryption_key>YourSuperSecretKey</encryption_key>

</token>

</authorization>

<file_system>

<access>

<paths>

<path>

<absolute></absolute>

<read_allowed>true</read_allowed> 

<write_allowed>true</write_allowed> 

<dir_allowed>true</dir_allowed> 

<restrictions> 

<restriction>s3://*</restriction>

<restriction>!azu://*</restriction>

</restrictions>

88 Appendix

</path>

</paths>

</access>

</file_system>

</user>

</users></realm></realms>

</aaa>

</CONF>

Docroot Restrictions for URI Paths

IMPORTANT NOTE: A configuration with both a docroot absolute path (docrooted user) and a restriction is not

supported.

The primary purpose of restrictions is to allow access to special storage (Amazon S3, Azure, etc.) for clients who have

their own storage credentials, as opposed to special storage docroots. Instead of using docroots in aspera.conf we

use a docroot restriction.

Configuration:

<paths>

<path>

<restrictions>

<restriction>s3://*</restriction>

<restriction>!azu://*</restriction> #The ! forbids azu:// access.

</restrictions>

</path>

</paths>

Restrictions can also be put in the default section, once for all users.

Functionality:

A docroot restriction limits the files a client is allowed to access (browse and transfer). Files are rejected unless they

match the restrictions (if any are present). Restrictions work for URI paths (e.g. s3://*) and are processed in the

following order:

1. If a restriction starts with "!", any files that match the rest of the wildcard template are rejected at that point.

2. If a restriction does not start with a "!", then any file that matches is kept.

3. If any non-"!" restrictions exist, and the file does not match any of them, the file is rejected.

4. Files that fail restrictions during directory iteration are ignored as if they didn't exist.

Setting up SSL for your Node(s)Communicating with Aspera Node(s) over HTTPS

Appendix 89

The Aspera Node API provides an HTTPS interface for encrypted communication between node machines (on Port

9092, by default). For example, if you are running the Faspex Web UI or the Shares Web UI on Machine A, you can

encrypt the connection (using SSL) with your transfer server or file-storage node on Machine B. Enterprise Server

nodes are pre-configured to use Aspera's default, self-signed certificate (aspera_server_cert.pem), located in the

following directory:

• (Windows 32-bit) C:\Program Files\Aspera\Enterprise Server\etc

• (Windows 64-bit) C:\Program Files (x86)\Aspera\Enterprise Server\etc

To generate a new certificate, follow the instructions below.

ABOUT PEM FILES: The PEM certificate format is commonly issued by Certificate Authorities. PEM certificates

have extensions that include .pem, .crt, .cer, and .key, and are Base-64 encoded ASCII files containing "-----BEGIN

CERTIFICATE-----" and "-----END CERTIFICATE-----" statements. Server certificates, intermediate certificates, and

private keys can all be put into the PEM format.

1. Create a working directory

In a Command Prompt window (Start menu > All Programs > Accessories > Command Prompt), create a new

working directory as follows:

> cd c:\

> mkdir ssl

> cd c:\ssl

2. Copy openssl.cnf to your working directory

Enter the following commands in your Command Prompt window:

OS Version Commands

32-bit Windows > copy "c:\Program Files\Common Files\Aspera\common\apache\conf

\openssl.cnf" "c:\ssl\"

> cd c:\ssl

64-bit Windows > copy "c:\Program Files (x86)\Common Files\Aspera\common\apache\conf

\openssl.cnf" "c:\ssl\"

> cd c:\ssl

3. Enter the OpenSSL command to generate your Private Key and Certificate Signing Request

90 Appendix

In this step, you will generate an RSA Private Key and CSR using OpenSSL. In a Command Prompt window,

enter the following command (where my_key_name.key is the name of the unique key that you are creating and

my_csr_name.csr is the name of your CSR):

> openssl req -config "c:\ssl\openssl.cnf" -new -nodes -keyout my_key_name.key -

out my_csr_name.csr

Note that in the example above, the .key and .csr files will be written to the c:\ssl\ directory.

4. Enter your X.509 certificate attributes

After entering the command in the previous step, you will be prompted to input several pieces of information, which

are the certificate's X.509 attributes.

IMPORTANT NOTE: The common name field must be filled in with the fully qualified domain name of the server to

be protected by SSL. If you are generating a certificate for an organization outside of the US, please refer to the

link http://www.iso.org/iso/english_country_names_and_code_elements for a list of 2-letter, ISO country codes.

Generating a 1024 bit RSA private key

....................++++++

................++++++

writing new private key to 'my_key_name.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [US]:Your_2_letter_ISO_country_code

State or Province Name (full name) [Some-State]:Your_State_Province_or_County

Locality Name (eg, city) []:Your_City

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your_Company

Organizational Unit Name (eg, section) []:Your_Department

Common Name (i.e., your server's hostname) []:secure.yourwebsite.com

Email Address []:[email protected]

You will also be prompted to input "extra" attributes, including an optional challenge password. Please note that

manually entering a challenge password when starting the server can be problematic in some situations (e.g., when

http://www.iso.org/iso/english_country_names_and_code_elements

Appendix 91

starting the server from the system boot scripts). You can skip inputting a challenge password by hitting the "enter"

button.

...

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

After finalizing the attributes, the private key and CSR will be saved to your root directory.

IMPORTANT NOTE: If you make a mistake when running the OpenSSL command, you may discard the generated

files and run the command again. After successfully generating your key and Certificate Signing Request, be sure to

guard your private key, as it cannot be re-generated.

5. Send CSR to your signing authority

You now need to send your unsigned CSR to a Certifying Authority (CA). Once completed, you will have valid,

signed certificate.

IMPORTANT NOTE: Some Certificate Authorities provide a Certificate Signing Request generation tool on their

Website. Please check with your CA for additional information.

6. (Optional) Generate a Self-Signed Certificate.

At this point, you may need to generate a self-signed certificate because:

• You don't plan on having your certificate signed by a CA

• Or you wish to test your new SSL implementation while the CA is signing your certificate

You may also generate a self-signed certificate through OpenSSL. To generate a temporary certificate (which is

good for 365 days), issue the following command:

openssl x509 -req -days 365 -in my_csr_name.csr -signkey my_key_name.key -

out my_cert_name.crt

7. Create the PEM file.

After generating a new certificate, you must create a pem file that contains both the private key and the

certificate. To do so, copy and paste the entire body of the key and cert files into a single text file and save

the file as aspera_server_cert.pem (before overwriting, be sure to back-up the existing pem file as

aspera_server_cert.old), in the following directory:

• (Windows 32-bit) C:\Program Files\Aspera\Enterprise Server\etc

92 Appendix

• (Windows 64-bit) C:\Program Files (x86)\Aspera\Enterprise Server\etc

8. Restart the node service.

You must restart (not reload) the Aspera node service after generating a new certificate. To do so, run the following

command(s):

Windows 32-bit

C:\Program Files\Aspera\Enterprise Server\bin> sc stop asperanoded

C:\Program Files\Aspera\Enterprise Server\bin> sc start asperanoded

Windows 64-bit

C:\Program Files (x86)\Aspera\Enterprise Server\bin> sc stop asperanoded

C:\Program Files (x86)\Aspera\Enterprise Server\bin> sc start asperanoded

Backup SharesInstructions on backing up Shares and its database.

To backup your Shares web application and accompanying database, follow the instructions below.

IMPORTANT NOTE: The file database.yml must be backed up manually. This file can be found in the directory

C:\shares\www\config\.

1. Create a backup directory.

You must create a backup directory before proceeding to the next step. To do so, run the following command in a

command prompt:

> mkdir C:\backups

2. Run the backup command (in the context of the gem bundle).

To create your Shares backup, run the following commands in a command prompt:

> cd C:\shares\www

> bundle exec rake backup DIR=C:\backups

This will create a date-stamped file under your Shares backup directory. For example:

C:\backups\20120228142934

Lastly, copy this file to your backup machine.

Appendix 93

Restore SharesInstructions on restoring Shares and its database to a new machine.

To restore your Shares web application and accompanying database ON A NEW MACHINE (i.e. your backup server),

follow the instructions below.

IMPORTANT NOTE: These instructions assume that you have already perform the backup steps described in the

topic "Backup Shares."

1. Ensure that your Shares backup is available.

Verify that you have copied the Shares backup file to your new machine (see backup steps).

2. Follow the Shares installation instructions.

Install Aspera Shares on your backup server by following the instructions detailed in this manual's Installation

Chapter.

WARNING! Ensure that the Shares version you are installing (downloaded installers VERSION number) matches

that of your backup version. Do not attempt to install a new version of Shares and restore an older version from your

backup.

3. Stop Shares services.

You may stop Shares services within the Computer Management window, which is accessible via Manage >

Services and Applications > Services .

94 Appendix

The following services should be stopped:

• Aspera Nginx Service

• Aspera Delayed Job Service

• Aspera Web Services

4. Update database.yml.

Replace database.yml with the version of database.yml that you manually saved during the backup process.

5. Run the restore command.

To restore Shares, run the following command in a command prompt, where in this example,

• E:\aspera-shares-restore is the directory that the backup file is stored in on the new server.

Appendix 95

• 20120228142934 is the backup file's name.

> cd C:\shares\www

> bundle exec rake restore DIR=E:\aspera-shares-restore\20120228142934

6. Start Shares services.

You may start Shares services within the Computer Management window, which is accessible via Manage >

Services and Applications > Services .

The following services should be started:

• Aspera Nginx Service

96 Appendix

• Aspera Delayed Job Service

• Aspera Web Services

Uninstall SharesInstructions for uninstalling Shares from your system.

To remove Shares from your system, you must first stop its services from a command prompt.

> cd C:\shares\www\script\windows

> shares_uninstaller.bat

Then, uninstall the Shares application and MySQL from Control Panel > Add/Remove Programs or Control Panel

> Uninstall a Program (depends on your Windows version).

Technical Support 97

Technical SupportFor further assistance, you may contact us through the following methods:

Contact Info

Email [email protected]

Phone +1 (510) 849-2386

Request Form http://support.asperasoft.com/home

The technical support service hours:

Support Type Hour (Pacific Standard Time, GMT-8)

Standard 8:00am – 6:00pm

Premium 8:00am – 12:00am

We are closed on the following days:

Support Unavailable Dates

Weekends Saturday, Sunday

Aspera Holidays Please refer to our Website.

http://asperasoft.com/support/

http://www.asperasoft.com/en/support/contact_1/Contact_1

98 Feedback

FeedbackThe Aspera Technical Publications department wants to hear from you on how Aspera's user manuals can be

improved. To submit feedback about this manual, or any other Aspera product document, please visit the Aspera

Product Documentation Feedback Forum.

Through this forum, you can let us know if you find content that isn't clear or appears incorrect. We also invite you to

submit ideas for new topics, as well as ways that we can improve the documentation to make it easier for you to read

and implement. When visiting the Aspera Product Documentation Feedback Forum, please remember the following:

• You must be registered to use the Aspera Support Website at https://support.asperasoft.com/.

• Be sure to read the forum guidelines before submitting a request.

https://support.asperasoft.com/categories/20024688-product-documentation-feedback

https://support.asperasoft.com/categories/20024688-product-documentation-feedback

https://support.asperasoft.com/

Legal Notice 99

Legal Notice© 2012 Aspera, Inc. All rights reserved.

Aspera, the Aspera logo, and fasp transfer technology, are trademarks of Aspera Inc., registered in the United States.

Aspera Connect Server, Aspera Enterprise Server, Aspera Point-to-Point, Aspera Client, Aspera Connect, Aspera

Cargo, Aspera Console, Aspera Orchestrator, Aspera Crypt, Aspera Shares, the Aspera Add-in for Microsoft Outlook,

and Aspera faspex are trademarks of Aspera, Inc. All other trademarks mentioned in this document are the property

of their respective owners. Mention of third-party products in this document is for informational purposes only. All

understandings, agreements or warranties, if any, take place directly between the vendors and the prospective users.

Date post:	05-Jun-2020
Category:	Documents
Upload:	others
View:	22 times
Download:	0 times

Shares Administrator Guide 1.0 -...

Documents