Security Parameters

Security parameters affect the security of the MFT instance.

The following list describes the security parameters. Each entry gives the parameter name, its default value, and a description:

AllowedReferersAdminJSP
Default: none (referrer URL checking is not performed)
Defines the referrer URLs that MFT accepts for requests to the administrator JSP pages. Defining referrer URLs provides an additional layer of security to MFT.
You can define multiple URLs separated by commas.
Note: Enter the URL of this MFT Server.

AllowedReferersForXferNavigation
Default: none (referrer URL checking is not performed)
Defines the referrer URLs that MFT accepts for requests from the file transfer client. Defining referrer URLs provides an additional layer of security to MFT.
You can define multiple URLs separated by commas.
Note: Enter the URL of this MFT Server.

Anonymous
Default: none
Defines the users that can log in without password validation.
Make sure that these users have limited file transfer authorization. More importantly, make sure that they do not have any administrator rights.

BCFipsMode
Default: False
Defines whether MFT uses BouncyCastle in FIPS mode. False indicates that MFT is not running in FIPS mode; True indicates that it is.
Warning: Never change this value manually. The fips.bat and fips.sh scripts set it.

BCProvider
Default: none
Defines the BouncyCastle security provider.
Leave this value unchanged unless TIBCO Technical Support instructs you to change it.

ChangedPasswordEmailEnabled
Default: No
Defines whether an email is sent to a user when that user changes their password.
Valid values:
  • Yes: Sends an email to the user when the user changes their password.
  • No: Does not send an email when the user changes their password.

HTTPOnlyCookies
Default: True
If set to True, all cookies created by MFT have the HttpOnly attribute set. A few cookies do not have HttpOnly set because MFT's JavaScript needs to read them; these cookies do not contain any privileged or sensitive information.

HTTPSCertAuthField
Default: None
Overrides the certificate field that contains the user ID. By default, MFT matches the client certificate against the HTTPS public keys defined for users. The web.xml file contains a commented-out value that shows how to use "SAN:OtherName:PrincipalName" as the user ID.

InstallAdminService
Default: set during installation
Defines whether the Administrator service is installed on an Internet Server instance.
If the Administrator service is installed, this parameter is set to YES. If you set it to NO, Administrator service requests for this Internet Server fail.
Note: If the installer did not install the Administrator service for the Internet Server instance and set this parameter to NO, setting it to YES is ignored.

LoadBalancerIPAddressList
Default: none
For HTTP requests that arrive through a load balancer, MFT uses the IP address in the X-Forwarded-For HTTP header as the IP address of the incoming request, but only when the actual (connecting) IP address matches one of the addresses defined by this parameter.
You can define multiple load balancer IP addresses by separating them with semicolons.

PasswordHashNew
Default: SHA-256
Defines the hashing algorithm used when a user password is changed or a new user is created.
Because the stored password is a hash, it cannot be decrypted.

PrivacyPolicyURL
Default: none
Defines the URL of the privacy policy link that is added to the footer of each browser page.
When no value is defined, the footer does not contain a privacy policy link. When a value is defined, the View Privacy Policy link is displayed in the footer of each page; clicking it opens the privacy policy page.
Note: MFT does not provide a privacy policy page. You must supply the privacy policy page that the View Privacy Policy link opens.

SessionTimeOut
Default: 30
Defines the session timeout in minutes for active SFTP connections and FTP control connections.
If a connection is inactive for longer than the defined timeout, the next request fails.
The HTTP session timeout is set separately, by the SessionTimeOut parameter in the web.xml file located in the <MFT_Install>\server\conf directory.

SmtpTLSEnabled
Default: false
Defines whether SSL/TLS is used when communicating with an SMTP server.
The value false indicates that SSL/TLS is not used. The value true indicates that SMTP communication is performed over SSL/TLS.

SSHSecurityLevel
Default: none
Controls the SSH security level. Based on this setting, the cipher, hash, and key exchange algorithms are chosen automatically.
The valid values are Weak, Strong, and Paranoid. Any other value is treated as though the parameter were not set.
If this value is specified, the original settings for SSHCipherSuite, SSHKeyExchange, and SSHDigestSuite are ignored. If it is not specified, those settings remain in effect.
Note: This setting is quite strict, and many clients might stop working at the Strong or Paranoid level.

UnsecuredHTTPSupport
Default: NO
Defines whether HTTP requests are accepted.
The default value of NO indicates that HTTP requests are not accepted. When set to YES, HTTP requests are accepted if an HTTP connector is defined.
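The referrer check that AllowedReferersAdminJSP and AllowedReferersForXferNavigation describe, as an added example (not TIBCO MFT code): the comma-separated value is parsed into origins and the Referer header is matched on its full origin (scheme, host, port), so a look-alike host such as mft.example.com.evil.test is rejected. Treating a missing Referer as a rejection once the list is configured is an assumption of this example, not a documented MFT behaviour.

```python
"""Added example (not TIBCO MFT code): origin-based Referer check of the kind
AllowedReferersAdminJSP / AllowedReferersForXferNavigation describe."""
from __future__ import annotations
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple[str, str, int] | None:
    """Return (scheme, host, port) for a URL, or None if it is unusable."""
    parts = urlsplit(url.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    except ValueError:          # non-numeric or out-of-range port
        return None
    return (parts.scheme, parts.hostname.lower(), port)


def parse_allowed_referers(value: str) -> set[tuple[str, str, int]]:
    """Parse the comma-separated parameter value into a set of origins."""
    origins = set()
    for item in value.split(","):
        if item.strip():
            origin = origin_of(item)
            if origin is not None:
                origins.add(origin)
    return origins


def referer_allowed(allowed: set, referer_header: str | None) -> bool:
    """Decide whether a request may proceed.

    An empty allowed set reproduces the documented default: no checking.
    Once configured, a missing or foreign-origin Referer is rejected
    (assumed policy for this example, not stated in the MFT documentation).
    Comparing whole origins, rather than string prefixes, is what stops
    https://mft.example.com.evil.test from passing as mft.example.com.
    """
    if not allowed:
        return True
    if not referer_header:
        return False
    return origin_of(referer_header) in allowed


if __name__ == "__main__":
    # Constructed sample configuration value and Referer headers.
    allowed = parse_allowed_referers("https://mft.example.com, https://mft.example.com:8443")
    print(referer_allowed(allowed, "https://mft.example.com/cfcc/admin/index.jsp"))   # True
    print(referer_allowed(allowed, "https://mft.example.com.evil.test/index.jsp"))    # False
```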
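The LoadBalancerIPAddressList rule described above, as an added example (not TIBCO MFT code): X-Forwarded-For is honoured only when the connecting peer is one of the configured load balancer addresses, because any directly connected client can set that header itself. The example goes slightly beyond the page by walking a multi-hop header from the right and skipping further trusted load balancer hops; the real product's handling of multi-hop headers is not documented here.

```python
"""Added example (not TIBCO MFT code): client IP resolution in the spirit of
the LoadBalancerIPAddressList parameter."""
from __future__ import annotations
import ipaddress

IPAddr = ipaddress.IPv4Address | ipaddress.IPv6Address


def parse_lb_list(value: str) -> set[IPAddr]:
    """Parse the semicolon-separated parameter value into IP addresses."""
    addrs = set()
    for item in value.split(";"):
        item = item.strip()
        if item:
            addrs.add(ipaddress.ip_address(item))
    return addrs


def client_ip(peer_ip: str, xff_header: str | None, trusted_lbs: set) -> str:
    """Return the address that logging and authorization should use.

    The header is trusted only if the socket peer is a configured load
    balancer. The multi-hop handling ('client, proxy1, proxy2', scanned
    from the right, skipping our own LBs) is this example's assumption.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted_lbs or not xff_header:
        return str(peer)            # header untrusted or absent: use the socket peer
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)        # malformed entry: fall back to the socket peer
        if addr not in trusted_lbs:
            return str(addr)        # first hop that is not one of our LBs
    return str(peer)                # every hop was one of our own LBs


if __name__ == "__main__":
    # Constructed sample configuration value and requests.
    lbs = parse_lb_list("10.0.0.5; 10.0.0.6")
    print(client_ip("10.0.0.5", "203.0.113.7", lbs))       # via LB: 203.0.113.7
    print(client_ip("198.51.100.9", "203.0.113.7", lbs))   # direct, header ignored: 198.51.100.9
```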