Differences

This shows you the differences between two versions of the page.

Previous revision: cloudappliance/sftpsetup [2020_01_14 08:30] dan
Current revision: cloudappliance:sftpsetup [2024_03_05 19:09] steven
Line 1: Line 1:
-FTP/SFTP Configuration +CloudFTP, CloudSFTP and CloudFTPS Configuration 
-##### last updated: Nov. 122019+##### last updated: July 192021
  
-The File Fabric Appliance and SaaS support a number of protocol gateways allowing applications to natively access the File Fabric using FTP/FTPSSFTP or WebDAV. These are ideal for retrofitting existing applications for object storage. +<WRAP center round important 100%> 
- +Starting with version 2106 of Access AnywhereCloudFTP is provided as a containerised service For updated documentation including migration instructions, please see [[/cloudappliance/ftp-ftps-sftp-configuration-2106|this page]]. 
-This document covers the configuration of the appliance FTP/SFTP and FTPS gateways. For information on the configuration of clients see [[cloudftp]].+</WRAP>
  
-Applies to: 
  
- * Enterprise File Fabric Appliance+Access Anywhere supports a number of protocol gateways allowing applications to natively access Access Anywhere using FTP/FTPS, SFTP or WebDAV. These are ideal for retrofitting existing applications remote access to Nasuni storage.
  
 +This document covers the configuration of the appliance FTP/SFTP and FTPS gateways. For information on the configuration of clients see [[/cloudftp]].
 See also: See also:
  
- * [[cloudftp]] + * [[/cloudftp]] 
- * [[cloudappliance/appliance-troubleshooting|]]+ * [[/cloudappliance/appliance-troubleshooting|]]
  
 <WRAP center round info 100%> <WRAP center round info 100%>
-CloudFTP and the File Fabric's other protocol gateways allow your client program to work with the File Fabric using the enabled protocol. Communication between the File Fabric and the underlying storage, however, still occurs using the storage protocol as implemented by the specific connector used to connect the File Fabric to the storage.+CloudFTP and Access Anywhere's other protocol gateways allow your client program to work with Access Anywhere using the enabled protocol. Communication between Access Anywhere and the underlying storage, however, still occurs using the storage protocol as implemented by the specific connector used to connect Access Anywhere to the storage.
  
-For example, you may upload a file to SwiftStack through the File Fabric storage using the File Fabric's CloudFTP gateway, but the File Fabric will upload the file to the SwiftStack storage using the Swift protocol.  This means that the settings you chose when you attached the SwiftStack storage to the File Fabric will be used.+For example, you may upload a file to SwiftStack through Access Anywhere storage using Access Anywhere's CloudFTP gateway, but Access Anywhere will upload the file to the SwiftStack storage using the Swift protocol.  This means that the settings you chose when you attached the SwiftStack storage to Access Anywhere will be used.
  
 Continuing with our example, if the file you are uploading is larger than the storage's single object size limit (often 5GB) then you will need to have either static large objects or dynamic large objects enabled in the provider settings.  Otherwise the upload will fail. Continuing with our example, if the file you are uploading is larger than the storage's single object size limit (often 5GB) then you will need to have either static large objects or dynamic large objects enabled in the provider settings.  Otherwise the upload will fail.
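Review bot: the rewritten intro sentence "These are ideal for retrofitting existing applications remote access to Nasuni storage" is missing a word (probably "with remote access to"), and the "Applies to" list that named the supported product was removed without a replacement. Since the new notice at the top says CloudFTP became a containerised service in version 2106 and sends readers elsewhere for migration, state which versions this page still applies to (for example "Applies to: Access Anywhere before v2106") so readers arriving here from search know whether these instructions are the right ones for them.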
Line 27: Line 27:
  
 <WRAP center round info 100%> <WRAP center round info 100%>
-Setting the domain name during [[cloudappliance:applinstallation|Appliance Installation]] allows **FTP** and **FTPS** to be be accessed through the domain name.  To access the File Fabric using **SFTP** through CloudFTP when using a File Fabric version before v1906.04, you must first manually reset the value of the serversme variable in /var/www/smestorage/ftpserver/sftpserver/sftpserver.conf to the File Fabric's domain name.+Setting the domain name during installation allows **FTP** and **FTPS** to be be accessed through the domain name.  To access Access Anywhere using **SFTP** through CloudFTP when using a Access Anywhere version before v1906.04, you must first manually reset the value of the serverNAA variable in /var/www/smestorage/ftpserver/sftpserver/sftpserver.conf to Access Anywhere's domain name.
  
-Additionally, you may find that it is necessary to regenerate the File Fabric's SFTP RSA keys before using **SFTP** to access the File Fabric with CloudFTP.  Instructions for doing that can be found later in this document.+Additionally, if you are installing or upgrading to v2006 or v2006.01 you need  to regenerate Access Anywhere's SFTP RSA keys before using **SFTP** to access Access Anywhere with CloudFTP.  Instructions for doing that can be found later in this document.
 </WRAP> </WRAP>
  
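Review bot: "serverNAA" in the new text looks like a product-name search-and-replace that hit a configuration key; the settings tables later on this page still list the variable as `serversme=perf.smestorage.com` for both ftpserver.conf and sftpserver.conf, so the instruction should read "reset the value of the serversme variable". While editing, fix the doubled word in "to be be accessed" and the article in "a Access Anywhere version".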
Line 51: Line 51:
 ## Enabling the Service ## Enabling the Service
  
-The File Fabric's FTP/FTPS/SFTP service may not be enabled on installation.  To ensure that it is turned on and enabled, log in as smeconfiguser then become root and enable and start the service:+The Access Anywhere's FTP/FTPS/SFTP service may not be enabled on installation.  To ensure that it is turned on and enabled, log in as smeconfiguser then become root and enable and start the service:
  
 ``` ```
Line 57: Line 57:
 systemctl enable cloudftp systemctl enable cloudftp
 systemctl start cloudftp  systemctl start cloudftp 
 +```
 +
 +## Disabling the Service
 +
 +To disable Access Anywhere's FTP/FTPS/SFTP service, first log in as smeconfiguser and then become root. The following commmands stop the service and then mark it as disabled so it does not start on reboot.
 +
 +```
 +systemctl stop cloudftp 
 +systemctl disable cloudftp
 +
 ``` ```
  
 ## Using an Additional Subdomain ## Using an Additional Subdomain
  
-CloudFTP can be accessed using the File Fabric's FQDN.  Some customers may choose to create an additional FQDN for use by FTP clients, for example //ftp.myfilefabric.com//+CloudFTP can be accessed using Access Anywhere's FQDN.  Some customers may choose to create an additional FQDN for use by FTP clients, for example ftp.myfilefabric.com. 
  
-Since version 1901, File Fabric license keys have been bound to the FQDNs by which the File Fabric is accessed.  Before client programs can use the additional FQDN, you must obtain from SME Support a license key in which the FQDN has been encoded, and install that key on your File Fabric+Since version 1901, Access Anywhere license keys have been bound to the FQDNs by which Access Anywhere is accessed.  Before client programs can use the additional FQDN, you must obtain from Support a license key in which the FQDN has been encoded, and install that key on your Access Anywhere
  
 ## FTP Services ## FTP Services
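Review bot: typo "commmands" in the Disabling the Service paragraph. It would also help to say whether transfers in progress are interrupted when `systemctl stop cloudftp` runs, so administrators can schedule the stop outside of active use.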
Line 78: Line 88:
 systemctl restart cloudftp  systemctl restart cloudftp 
 ``` ```
 +(Use stop, start or restart depending as appropriate.)
  
 ## Advanced FTP/FTPS Setup ## Advanced FTP/FTPS Setup
  
-Systems publicly exposing FTP based protocols might need additional setup to meet the needs of security administrators. Common changes are detailed below, for advanced changes contact SME Support.+Systems publicly exposing FTP based protocols might need additional setup to meet the needs of security administrators. Common changes are detailed below, for advanced changes contact Support. 
 + 
 +### FTP configuration file 
 + 
 +<WRAP center round info 100%> 
 +This document may not list all of the supported variables for FTP configuration, and your FTP configuration file may not have entries for all of the supported variables.  The complete list of variables with the default value for each can be found in: 
 + 
 +/var/www/smestorage/ftpserver/ftpserver_template.conf 
 + 
 +Depending on your requirements you may need to add variables to your configuration file. 
 +</WRAP>
  
-### FTP configuration files 
  
  
-To access the ftp configuration files log into the File Fabric as+To access the ftp configuration files log into Access Anywhere as
 smeconfiguser and elevate to root using the command: smeconfiguser and elevate to root using the command:
  
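Review bot: the new parenthetical "(Use stop, start or restart depending as appropriate.)" mixes two phrasings; "as appropriate" alone is enough. In the new FTP configuration file notice, say explicitly that additions go into ftpserver.conf and that ftpserver_template.conf is only the reference for variable names and defaults, so nobody edits the template expecting the change to take effect.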
Line 94: Line 113:
 ``` ```
  
-The file ftpserver.conf contains all FTP, FTP w/TLS, and FTPS settings.+The file ftpserver.conf contains many FTP, FTP w/TLS, and FTPS settings.
 It can be found at: It can be found at:
  
Line 102: Line 121:
  
 ^ Settings                              ^  Details  ^ ^ Settings                              ^  Details  ^
-| ftp\_server\_ip=xxx.xxx.xxx.xxx        |IP address of File Fabric| +| ftp\_server\_ip=xxx.xxx.xxx.xxx        |IP address of Access Anywhere|
-| ftp\_server\_host=perf.smestorage.com  |FQDN of File Fabric|+
 | port=21                                |Default port for FTP| | port=21                                |Default port for FTP|
 | FTPISport=990                          |Default port for FTPS| | FTPISport=990                          |Default port for FTPS|
-|serversme=perf.smestorage.com          |FQDN of File Fabric|+|serversme=perf.smestorage.com          |FQDN of Access Anywhere|
 |debug=100                               |Debug level| |debug=100                               |Debug level|
 |countprocesses=20                       |Max processes| |countprocesses=20                       |Max processes|
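Review bot: the `ftp_server_host=perf.smestorage.com` row is deleted but the text does not say the setting was removed; if it is still present in ftpserver_template.conf, which the page now names as the complete list of variables, keep the row, otherwise mention that it is no longer used. The remaining `ftp_server_ip=xxx.xxx.xxx.xxx` row keeps a placeholder while the SFTP table uses `0.0.0.0`; say whether listening on all interfaces is valid for FTP as well.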
Line 114: Line 132:
 |pathToSSLkey=/etc/pki/tls/private/localhost.key|Private key certificate|      |pathToSSLkey=/etc/pki/tls/private/localhost.key|Private key certificate|     
 |pathToSSLcert=/etc/pki/tls/certs/localhost.crt |Public key certificate| |pathToSSLcert=/etc/pki/tls/certs/localhost.crt |Public key certificate|
 +|maximumlimitsizeupload=10737418240|Size limit in bytes for uploads|
 +
 +### Log File
 +
 +The Activity Log for CloudFTP and CloudFTPS can be found at:
 +
 +   /var/www/smestorage/ftpserver/ftpserver.log
  
 ### Changing Domain Name ### Changing Domain Name
  
-To access the ftp server via a custom domain name instead of the one configured for the appliance create an A or CNAME DNS record pointing to the IP address or domain name of the appliance. Any fully-qualified domain name can be used - the File Fabric FTP services do not validate.+To access the ftp server via a custom domain name instead of the one configured for the appliance create an A or CNAME DNS record pointing to the IP address or domain name of the appliance. Any fully-qualified domain name can be used - Access Anywhere FTP services do not validate.
  
 ### Custom Certificates ### Custom Certificates
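Review bot: "Access Anywhere FTP services do not validate" in Changing Domain Name lacks an object; the SFTP section says it plainly ("does not check the FQDN"), so use the same wording here. For the new `maximumlimitsizeupload=10737418240` row, add the human-readable value (10 GiB), because the scratch-space section later multiplies by this number and readers need to see what it means.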
Line 125: Line 150:
 properly signed certificate the process is as follows: properly signed certificate the process is as follows:
  
-1.  Upload certificate public and private key to File Fabric, preferably+1.  Upload certificate public and private key to Access Anywhere, preferably
     in the following directories     in the following directories
  
Line 140: Line 165:
 ### FTP Passive Mode through NAT/PAT ### FTP Passive Mode through NAT/PAT
  
-FTP Passive Mode requires that the FTP server sends the client the port and IP address of File Fabric. When File Fabric is secured behind a public firewall the internal IP address will most likely not match the public IP address. Set up passive mode as follows:+FTP Passive Mode requires that the FTP server sends the client the port and IP address of Access Anywhere. When Access Anywhere is secured behind a public firewall the internal IP address will most likely not match the public IP address. Set up passive mode as follows:
  
 1.  Add the following entry to ftpserver.conf 1.  Add the following entry to ftpserver.conf
Line 221: Line 246:
 ### FTP / FTPS Scratch Space ### FTP / FTPS Scratch Space
  
-FTP FTPS sometimes require scratch space.  Scratch space is need for example during an FTP stream from a camera or device that is recording live and does not yet know the size of the file.  As such scratch space must be larger than the largest filesize that will be permitted.+FTP and FTPS uploads sometimes require scratch space.  Scratch space is needed if the uploaded client cannot or does not tell CloudFTP the size of the file that will be uploaded, for example when the client is a camera that is streaming a live recording.  Many popular FTP clients don't inform the FTP server (CloudFTP in this case) of the size of the file that is being uploaded even when that information is available to them.   
 + 
 + 
 +Available scratch space should be large enough to accommodate the largest permitted upload file size multiplied by the number of permitted concurrent uploads (countprocesses * maximumlimitsizeupload).
  
 Scratch space defaults to the temp folder in /var/www/smestorage/tmp but can be changed by adding the following entry to ftpserver.conf and restarting the service. Scratch space defaults to the temp folder in /var/www/smestorage/tmp but can be changed by adding the following entry to ftpserver.conf and restarting the service.
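Review bot: "if the uploaded client cannot or does not tell CloudFTP" should be "if the uploading client". The sizing rule countprocesses * maximumlimitsizeupload is the useful addition here; with the defaults shown on this page (countprocesses=20, maximumlimitsizeupload=10737418240) that is 214748364800 bytes, about 200 GiB, which is worth spelling out so readers check the free space behind /var/www/smestorage/tmp rather than assume the default location is large enough.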
Line 231: Line 259:
 ## Advanced SFTP Setup ## Advanced SFTP Setup
  
-Systems publicly exposing SFTP based protocols might need additional setup to meet the needs of security administrations.  Common changes are detailed below, for advanced changes contact SME Support.+### Log File 
 + 
 +The Activity Log for CloudSFTP can be found at: 
 + 
 +   /var/www/smestorage/ftpserver/sftpserver/log.txt 
 + 
 +Systems publicly exposing SFTP based protocols might need additional setup to meet the needs of security administrations.  Common changes are detailed below, for advanced changes contact Support.
  
 ### SFTP configuration files ### SFTP configuration files
 +<WRAP center round info 100%>
 +This document may not list all of the supported variables for SFTP configuration, and your SFTP configuration file may not have entries for all of the supported variables.  The complete list of variables with the default value for each can be found in:
 +
 +/var/www/smestorage/ftpserver/sftpserver/sftpserver_template.conf
 +
 +Depending on your requirements you may need to add variables to your configuration file.
 +</WRAP>
  
-To access the ftp configuration files log into the File Fabric as smeconfiguser and elevate to root using the command:+To access the sftp configuration files log into Access Anywhere as smeconfiguser and elevate to root using the command:
  
 ``` ```
 su - su -
 ``` ```
-The file sftpserver.conf contains all SFTP settings.  It can be found in:+The file sftpserver.conf contains many SFTP settings.  It can be found in:
 /var/www/smestorage/ftpserver/sftpserver/ /var/www/smestorage/ftpserver/sftpserver/
  
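Review bot: the new SFTP Log File subsection is inserted before the introductory sentence of Advanced SFTP Setup, so the section opens with a log path and only then says "Systems publicly exposing SFTP ... Common changes are detailed below"; move Log File after the intro paragraph (the FTP section places its Log File after the settings table). Also "security administrations" should be "security administrators", matching the FTP section.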
Line 247: Line 288:
 |ftp\_server\_ip=0.0.0.0|Interface addresses listening for sftp| |ftp\_server\_ip=0.0.0.0|Interface addresses listening for sftp|
 |port=2200 |Default port for SFTP| |port=2200 |Default port for SFTP|
-|serversme=perf.smestorage.com|FQDN of File Fabric|+|serversme=perf.smestorage.com|FQDN of Access Anywhere|
 |pathToKey=/etc/pki/tls/private/localhost.key|RSA Private Key| |pathToKey=/etc/pki/tls/private/localhost.key|RSA Private Key|
 |pathToCert=/etc/pki/tls/certs/localhost.crt|RSA Public Cert| |pathToCert=/etc/pki/tls/certs/localhost.crt|RSA Public Cert|
Line 264: Line 305:
 ### SFTP custom FQDN ### SFTP custom FQDN
  
-To access the SFTP server via a custom FQDN instead of the system FQDN nothing needs to be done other than registering A or CNAME DNS records to point to the IP address of the File Fabric.  The File Fabric SFTP service does not check the FQDN and thus any FQDN can be used.+To access the SFTP server via a custom FQDN instead of the system FQDN nothing needs to be done other than registering A or CNAME DNS records to point to the IP address of Access Anywhere.  The Access Anywhere SFTP service does not check the FQDN and thus any FQDN can be used.
  
 ### Regenerate SFTP RSA Keys ### Regenerate SFTP RSA Keys
 +
 +<WRAP center round info 100%>
 +If you are upgrading from a pre v2006 Access Anywhere that exposes  CloudSFTP, please read this section carefully.
 +
 +Starting with version 2006, CloudSFTP requires the type of certificates (keys) that are created when you follow the instructions in this section. The default certificate that was provided with earlier versions of Access Anywhere will not work with v2006 and above. We recommend that you create the new RSA key on one of your nodes and copy/apply the same key to your secondary nodes as well.
 +
 +Depending on their SFTP client software, when you replace the key your SFTP users may see a notification that the key has changed. You should replace the key well in advance of upgrading Access Anywhere to simplify issue analysis should there be a problem with the new key.
 +</WRAP>
 +
 +
  
 It is recommended to generate new secure keys for the SFTP server. It is recommended to generate new secure keys for the SFTP server.
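Review bot: the notice calls the SFTP host key "certificates (keys)"; CloudSFTP uses an SSH host key pair (the commands below run ssh-keygen, and the config keys are pathToKey/pathToCert), so "SSH host key pair" is clearer and avoids confusion with the TLS certificate used by FTPS. Since the text warns that users "may see a notification that the key has changed", recommend publishing the new key's fingerprint (`ssh-keygen -lf ssh_host_rsa_key.pub`) to users before the switch, so they can verify the change instead of accepting an unknown host key.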
Line 273: Line 324:
  
 ``` ```
-cd /var/www/smestorage/ftpserver/sftpserver/+cd /var/www/smestorage/
 ssh-keygen -t rsa -f "./ssh_host_rsa_key"    #(don't enter any passphrase) ssh-keygen -t rsa -f "./ssh_host_rsa_key"    #(don't enter any passphrase)
 chown smestorage:smestorage ssh_host_* chown smestorage:smestorage ssh_host_*
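Review bot: the key generation directory changes from /var/www/smestorage/ftpserver/sftpserver/ to /var/www/smestorage/ without explanation; readers who followed the earlier instructions will have an older ssh_host_rsa_key in the sftpserver subdirectory that is no longer referenced, so say why the location moved and whether the old files should be removed. The chown line sets ownership but nothing states the expected permissions; ssh-keygen creates the private key with mode 0600, so add a note that it must stay that way and confirm that the new location under /var/www is not reachable through the web server.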
Line 281: Line 332:
 Edit sftpserver.conf file and change the 2 lines as below: Edit sftpserver.conf file and change the 2 lines as below:
 ``` ```
-pathToKey=ssh_host_rsa_key +pathToKey=/var/www/smestorage/ssh_host_rsa_key 
-pathToCert=ssh_host_rsa_key.pub+pathToCert=/var/www/smestorage/ssh_host_rsa_key.pub
 ``` ```
  
Line 336: Line 387:
 ``` ```
  
-Before moving on, open a new ssh connection to the file fabric using the new port number.  Ensure connectivity is functioning on the new port before closing the existing session or moving on.+Before moving on, open a new ssh connection to Access Anywhere using the new port number.  Ensure connectivity is functioning on the new port before closing the existing session or moving on.
  
 ### Change SFTP port ### Change SFTP port
Line 352: Line 403:
 max_download_speed=3145728   max_download_speed=3145728  
 max_upload_speed=3145728 max_upload_speed=3145728
 +limitConnectionsForOneUser=5
 ``` ```
 +
 +See list at the top of this page above for additional configuration settings.
  
 ### SFTP Scratch Space ### SFTP Scratch Space
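Review bot: `limitConnectionsForOneUser=5` is added to the example block but not described in the SFTP settings table earlier in this section, so add a row explaining what it limits (connections per user) and what happens when the limit is reached. Also "See list at the top of this page above" is redundant; "See the settings table above" is enough.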