Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Next »

Requirements

  • Windows Server 2012 R2 (or Windows 8.1) and later

  • NGINX web server (1.20 and later)

  • PostgreSQL database (11 and later)

  • UDMG distribution files for the different modules:

    • UDMG Admin UI

    • UDMG Authentication Proxy

    • UDMG Server (Waarp Gateway)

    • UDMG Agent Proxy

Installing and Configuring the Components

PostgreSQL Database

  1. Create a blank database on the server. An already existing database can be used, but this is not recommended.

  2. Add a user that will be used as the owner of the related tables but also to authenticate with the server.
    In order to install or perform upgrades, this database user will require DDL (Data Definition Language) permission in the database during the installation or the upgrade.
    Once the install or upgrade has been completed successfully, the configured database user requires only DML (Data Manipulation Language) permissions.

Here is how to configure the database for a local installation where the database server is on the same host. For multi-node installation please refer to your database administrator.

Note: The following steps require Administrator privilege, be sure that you have the correct access before continuing.

  • Install a PostgreSQL database server.

  • Once the installation is complete, initialize the PostgreSQL database.

  • Start the PostgreSQL Server:

For eaxmple, from the Service Management Console management:

  • Create a user for UDMG Waarp Gateway

Login as PostgreSQL user, start the PostgreSQL Console (psql) and create the database user:


postgres=# create database mft_waarp_gateway;
CREATE DATABASE
postgres=# create user mft_waarp_gateway_user with encrypted password 'mft_waarp_gateway_password';
CREATE ROLE
postgres=# grant all privileges on database mft_waarp_gateway to mft_waarp_gateway_user;
GRANT

Finally change the pg_hba.conf, to allow database connection with password. For example, for a system where the database server is on the same host as the UDMG server, by changing this line from:

host all all 127.0.0.1/32 ident

to:

host all all 127.0.0.1/32 md5

The exact configuration depends on the OS and database version, on the preferred security settings, and on the system architecture.

The location of the pg_hba.conf can be returned by PostgreSQL Console (psql):

postgres=# SHOW hba_file;

NGINX Server

Note: The following steps require root privilege, be sure that you have the correct access before to continue.

  • Install a NGINX Server (nginx for Windows).

  • Run the following command to check the main NGINX configuration file:

C:\MFT\nginx-1.23.0> nginx -t
nginx: the configuration file C:\MFT\nginx-1.23.0/conf/nginx.conf syntax is ok
nginx: configuration file C:\MFT\nginx-1.23.0/conf/nginx.conf test is successfully

Create a directory under the configuration folder called "enabled" and add an include directive in the main configuration file inside the http section. For example

http {
include mime.types;
default_type application/octet-stream;

include "C:/MFT/nginx-1.23.0/conf/enabled/*.conf"

  • Create a configuration file mft.conf under this directory (normally C:\MFT\nginx-1.23.0\conf\enabled):

upstream mft_auth_proxy {
 # MFT Auth Proxy Configuration
    server        localhost:5000;
}

server {
    listen        8080;
    server_name   localhost;

    access_log    logs//mft.access.log;

    location /service/ {
      proxy_pass  http://mft_auth_proxy/;
    }

    location / {
        try_files $uri $uri/ /index.html;
        root      mft;
    }
}

  • Validate that the configuration is correct with the following command:

C:\MFT\nginx-1.23.0> nginx -t
nginx: the configuration file C:\MFT\nginx-1.23.0/conf/nginx.conf syntax is ok
nginx: configuration file C:\MFT\nginx-1.23.0/conf/nginx.conf test is successfully

  • Create the Root directory under the NGINX main directory called mft:

C:\MFT\nginx-1.23.0> mkdir mft

  • Start NGINX

# start nginx

  • Check that the HTTP server was started and is running, for example with the curl command:

C:\>curl.exe http://localhost:8080
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.23.0</center>
</body>
</html>

This error (403) is excepted, since we don't have any asset deployed.

Note: for configuring HTTPS and HTTP redirection, please refer to the web server documentation.

UDMG Admin UI

  • Uncompress the tar file for MFT Admin UI, under the directory that we created during the configuration.

C:\MFT\nginx-1.23.0\mft> tar -x -f mft_admin_ui-<version>.tar

  • Validate that the service is working properly with curl

C:\>curl.exe http://localhost:8080 -I
HTTP/1.1 200 OK
Server: nginx/1.23.0
Date: Thu, 07 Jul 2022 17:53:09 GMT
Content-Type: text/html
Content-Length: 7788
Last-Modified: Fri, 01 Jul 2022 13:58:15 GMT
Connection: keep-alive
ETag: "62befd77-1e6c"
Accept-Ranges: bytes

or with the browser: 

UDMG Server

  • Create the configuration file C:\MFT\MFT Gateway\server.ini with the following parameters:

[global]
; The name given to identify this gateway instance. If the the database is shared between multiple gateways, this name MUST be unique across these gateways.
GatewayName = mft_waarp_gateway

[paths]
; The root directory of the gateway. By default, it is the working directory of the process.
; GatewayHome = /home/mft

; The directory for all incoming files.
; DefaultInDir = in

; The directory for all outgoing files.
; DefaultOutDir = out

; The directory for all running transfer files.
; DefaultTmpDir = tmp

[log]
; All messages with a severity above this level will be logged. Possible values are DEBUG, INFO, WARNING, ERROR and CRITICAL.
Level = DEBUG

; The path to the file where the logs must be written. Special values 'stdout' and 'syslog' log respectively to the standard output and to the syslog daemon
; LogTo = stdout

; If LogTo is set on 'syslog', the logs will be written to this facility.
; SyslogFacility = local0

[admin]
; The address used by the admin interface.
Host = 0.0.0.0

; The port used by the admin interface. If the port is 0, a free port will automatically be chosen.
Port = 18080

; Path of the TLS certificate for the admin interface.
; TLSCert =

; Path of the key of the TLS certificate.
; TLSKey =

[database]
; Name of the RDBMS used for the gateway database. Possible values: sqlite, mysql, postgresql
Type = postgresql

; Address of the database
Address = localhost

; The name of the database
Name = mft_waarp_gateway

; The name of the gateway database user
User = mft_waarp_gateway_user

; The password of the gateway database user
Password = mft_waarp_gateway_password

; Path of the database TLS certificate file.
; TLSCert =

; Path of the key of the TLS certificate file.
; TLSKey =

; The path to the file containing the passphrase used to encrypt account passwords using AES
; AESPassphrase = passphrase.aes

[controller]
; The frequency at which the database will be probed for new transfers
Delay = 5s

; The maximum number of concurrent incoming transfers allowed on the gateway (0 = unlimited).
; MaxTransferIn = 0

; The maximum number of concurrent outgoing transfers allowed on the gateway (0 = unlimited).
; MaxTransferOut = 0

  • Install the binaries under C:\MFT\MFT Gateway as waarp-gatewayd and waarp-gateway

UDMG Authentication Proxy

  • Create the configuration file C:\MFT\MFT Auth Proxy\config.toml with the following parameters:

# Proxy Configuration
[proxy]
# Enable Auto Recover
recover = true
# Enable Cors
cors = true
# Enable  Request Track ID
tracker = false
# Enable Logguer
logger = true
# Listen Port
port = "5000"
# Listen IP 
inet = "127.0.0.1"

# Local
[service.local]
# MFT Waarp Gateway Listen Protocol
protocol = "http"
# MFT Waarp Gateway Hostname or IP
hostname = "localhost"
# MFT Waarp Gateway Port
port = "18080""

  • Install the binary under C:\MFT\MFT Auth Proxy called mft_auth_proxy_server.exe

Configuration for LDAP Authentication

The UDMG Authentication Proxy is capable to use a LDAP Service to authenticate users for UDMG Admin UI:

# Proxy Configuration
[proxy]
# Enable Auto Recover
recover = true
# Enable Cors
cors = true
# Enable  Request Track ID
tracker = false
# Enable Logguer
logger = true
# Listen Port
port = "5000"
# Listen IP 
inet = "127.0.0.1"

# Service with LDAP Authentication
[service.mft]
# MFT Waarp Gateway Listen Protocol
protocol = "http"
# MFT Waarp Gateway Hostname or IP
hostname = "localhost"
# MFT Waarp Gateway Port
port = "18080"

# This option is breaking glass option for admins, they will not reach the LDAP service during the Auth Stage
admins = ["admin"]

# User for Sync Password Between Ldap and Proxy
[service.mft.credential]
# Pre - Setup user under MFT Waarp Gateway
username = "ldap_sync"
password = "ldap_password"

# LDAP Configuration
[service.mft.auth.ldap]
# LDAP Server DC with OU
dn = "ou=users,dc=stonebranch,dc=com"
# LDAP Server FQDN or IP
hostname = "myldap.server.fqdn.com"
# LDAP Server pORT
port = "1389"

The LDAP replication requires a user with permission for creating and updating users. For example to create the 'ldap_sync' user with the command line interface:

waarp_gateway user add -u ldap_sync -p ldap_password -r 'U=rw'
In case of successful authentication on the LDAP, the user is created with default read permission in the internal UDMG database if it does not exist. Otherwise the credentials are updated in the database to allow for authentication on the REST and CLI interfaces.

UDMG Agent Proxy

  • Create a directory C:\MFT\MFT Agent

  • Install the binaries as mft_agent_proxy_client and mft_agent_proxy_server

Agent Configuration

# ssh-keygen -t rsa -q -N "" -f /etc/mft/agent_proxy/agent
# ssh-keygen -t rsa -q -N "" -f /etc/mft/agent_proxy/client

If OpenSSH is not installed or not available, the PuTTY tool can be used instead.

Use PuTTYgen to generate a key pair for the agent, more detailled instructions can be found here: Using public keys for SSH authentication

After generating the key, export it with OpenSSH format:

  • Create a configuration file as C:\MFT\MFT Agent\agent\agent.toml

[agent]
# Listen IP Address
hostname = "0.0.0.0"
# Listen Port
port = "2222"
# SSH Priv Key
ssh_key = "agent"
# SSH Public Key
ssh_key_pub = "agent.pub"

# Service User
username = "mft"
# Service Password
password = "61ee8b5601a84d5154387578466c8998848ba089"

The password key will be used for the client authentication.

Client Configuration

  • Create a configuration file as C:\MFT\MFT Agent\client\client.toml

[client]
# MFT Agent Proxy Hostname or IP
hostname = "localhost"
# MFT Agent Proxy Listen Port
port = "2222"

# SSH Priv Key
ssh_key = "/etc/mft/agent_proxy/client"
# SSH Public Key
ssh_key_pub = "/etc/mft/agent_proxy/client.pub"

# Service User
username = "mft"
# Service Password
password = "61ee8b5601a84d5154387578466c8998848ba089"

# Default TTL to Connection Retry
ttl="5s"

# MFT Agent Client Admin API
[client.api]
# Listen Port
port="2280"

# MFT Waarp Gateway
[gateway]
# MFT Waarp Gateway Hostname or IP
hostname = "localhost"
# MFT Waarp Gateway Port
port = "18080"
# MFT Waarp Gateway Username/Password
username = "admin"
password = "admin_password"

The password key will be used for the client authentication.


Setup the Windows Services

UDMG Server

Open a PowerShell console and create a new service definition:

$params = @{
Name = "MFT Waarp Gateway Server"
BinaryPathName = '"C:\MFT\MFT Gateway\waarp-gatewayd.exe" server -c "C:\MFT\MFT Gateway\server.ini"'
DisplayName = "MFT Waarp Gateway Server"
StartupType = "Automatic"
Description = "MFT Waarp Gateway Server."
}
New-Service @params

  • Start the service and check the status:

Start-Service "MFT Waarp Gateway Server"

Be sure that the listen port and network interface is reachable by UDMG Authentication Proxy and UDMG Agent Client.

UDMG Authentication Proxy

  • Create a new service definition:

$params = @{
Name = "MFT Auth Proxy"
BinaryPathName = 'MFT_AUTH_PROXY_CONFIG=config.toml "C:\MFT\MFT Auth Proxy\server.exe"'
DisplayName = "MFT Auth Proxy server"
StartupType = "Automatic"
Description = "MFT Auth Proxy server."
}
New-Service @params

  • Start the service and check the status:

Start-Service "MFT Auth Proxy server"

Be sure that the listen port and network interface is reachable by NGINX Server.

UDMG Agent Proxy

Agent Proxy Server Service

  • Create a new service definition:

$params = @{
Name = "MFT Agent Server"
BinaryPathName = 'MFT_AUTH_PROXY_CONFIG=config.toml "C:\MFT\MFT Agent\server\server.exe"'
DisplayName = "MFT Agent Server"
StartupType = "Automatic"
Description = "MFT Agent server."
}
New-Service @params

  • Start the service and check the status:

Start-Service "MFT Agent Server"

Be sure that the listen port and network interface is reachable by UDMG Agent Client .

Agent Proxy Client Service

  • Create a new service definition:

$params = @{
Name = "MFT Agent Client"
BinaryPathName = 'MFT_AUTH_PROXY_CONFIG=config.toml "C:\MFT\MFT Agent\client\server.exe"'
DisplayName = "MFT Agent Client"
StartupType = "Automatic"
Description = "MFT Agent Client."
}
New-Service @params

  • Start the service and check the status:

Start-Service "MFT Agent Client"

Component Ports

Make sure that all the ports needed are open under your firewall configuration.

References

This document references the following documents.

Name

Location

PostgreSQL Client Authentication

21.1. The pg_hba.conf File

PostgreSQL Password Authentication

21.5. Password Authentication

  • No labels