Web.xml Parameters

The following are recommendations to secure TIBCO MFT Internet Server using the web.xml parameters.

admincc-service-enabled

This parameter enables Command Center Admin API REST calls. The default value is True. Only Command Center supports "admincc" calls. The Command Center Admin (admincc) API REST calls can be used only if this parameter is set to True.

admin-service-enabled

This parameter enables Admin API REST calls. The default value is True. Both Command Center and Internet Server (if the Admin server is enabled) support "admin" calls. The Admin (admin) API REST calls can be used only if this parameter is set to True.

ft-service-enabled

This parameter enables file transfer API REST calls. The default value is True. Only Internet Server supports "ft" calls. The file transfer (ft) API REST calls can be used only if this parameter is set to True.

TLSCipherSuite

This parameter defines the ciphers used by MFT in any SSL/TLS connection. If you select Use Secure Ciphers Only during the installation, this parameter is filled in with secure ciphers.

When the FTP service is started, it will display all secure ciphers allowed. You can select any ciphers from this list to be added to this parameter. Multiple ciphers should be delimited with a comma. This parameter applies to FTPS (FTP over SSL) and Platform Server SSL connections only. HTTPS connections use the parameters in the server.xml ciphers parameter.

TLSProtocols

This parameter allows you to define the TLS protocols that will be supported by FTPS and Platform Server SSL. The valid values are: TLSv1, TLSv1.1, and TLSv1.2.

By default, any TLS protocol is allowed. Before changing this parameter, make sure that all FTPS and Platform Server clients and servers support the defined TLS protocol. This parameter applies to FTPS (FTP over SSL) and Platform Server SSL connections only. HTTPS connections use the parameters in the server.xml SSLEnabledProtocols parameter.

SSHCipherSuite

Allows you to define the ciphers supported by MFT SFTP client and servers. When the MFT SFTP service is started, it will display all SSH ciphers allowed. You can select the ciphers that you want to support. Multiple ciphers should be delimited with a comma.

SSHKeyExchange

Allows you to define the SSH key exchange algorithms supported by MFT SFTP client and servers. When the MFT SFTP service is started, it will display all SSH key exchange algorithms allowed. You can select the key exchange algorithms that you want to support. Multiple key exchange algorithms should be delimited with a comma.

Note: By default the diffie-hellman-group1-sha1 protocol has been removed by MFT, since it was vulnerable to the Logjam attack. Some old SFTP clients and servers require this parameter, so there are times when you need to update this parameter to include this key exchange algorithm. You must include all key exchange algorithms that should be supported.

SSHDigestSuite

This parameter allows you to define the digest (hash) suites supported by the MFT SFTP client and servers. When the MFT SFTP service is started, it displays all SSH digests allowed. You can select the digests that you want to support. Multiple digests should be delimited with a comma.

PasswordHashNew

This parameter allows you to define the password digest used by MFT. You should use the defined value SHA=256.

UnsecuredHTTPSupport

The default value No will not allow HTTP support. Only HTTPS will be accepted. Set this value to Yes only if you require HTTP support.

Note: When using HTTP, there will be no encryption of credentials or data.

AllowedReferersForXferNavigation

This parameter adds HTTP referrer checking to the JSP pages that are used to navigate the directory tree structure. In addition to the URL, you should also add the loopback address. This parameter is defined in the web.xml file. This parameter only needs to be set in TIBCO MFT Internet Server instances. It is ignored in Command Center.

AllowedReferersAdminJSP

This parameter adds HTTP referrer checking to the admin JSP pages. In addition to the URL, you should also add the loopback address. This parameter only needs to be set in Command Center instances and in TIBCO MFT Internet Server instances where the admin service is installed.

DisplayFTPBanner

This parameter defines whether MFT displays FTP and SFTP banners. If this parameter is set to Yes, the admin Configure SSH Server and Configure FTP Server pages allow you to define the banners or welcome message displayed.

Anonymous

This parameter allows you to define whether the user anonymous can be used without authenticating the password. If you enter the value anonymous in this parameter, you must also create a user called anonymous. Since the password is not validated, you should not give the user anonymous access to any secure files or folders.

Redirect HTTP to HTTPS

Uncomment the following element in the web.xml file. This will automatically redirect HTTP requests to the HTTPS port.

<!--user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint-->

SecurityFilter

This parameter helps to prevent framing and clickjacking attacks. It indicates whether a browser should be allowed to render a page in a frame, iframe or object.

The value SAMEORIGIN will allow the browser to use the page in a frame as long as the server including it in a frame is the same as the one serving the page. By setting SecurityFilter to DENY, all attempts to load the page in a frame will fail. The default is SAMEORIGIN.

ChangedPasswordEmailEnabled

This parameter defines whether an email is sent to a user when the user changes the password. We suggest setting this parameter to Yes to notify the user that the password has been changed.
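The following is an added example, not TIBCO's own code: an audit script that checks a web.xml against the recommendations above for TLSProtocols, SSHKeyExchange, UnsecuredHTTPSupport, SecurityFilter and the HTTP-to-HTTPS redirect. It assumes MFT stores these parameters as <context-param> name/value pairs; the sample file is constructed with deliberately weak settings.

```python
# Added example (not TIBCO's own code): audits a web.xml against the
# recommendations on this page. Assumes MFT stores these parameters as
# <context-param> name/value pairs (an assumption about the file layout).
import xml.etree.ElementTree as ET

# Constructed sample with deliberately weak settings; the HTTPS redirect
# constraint is still commented out, as it ships.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <context-param><param-name>TLSProtocols</param-name><param-value>TLSv1,TLSv1.1,TLSv1.2</param-value></context-param>
  <context-param><param-name>SSHKeyExchange</param-name><param-value>diffie-hellman-group1-sha1,diffie-hellman-group14-sha1</param-value></context-param>
  <context-param><param-name>UnsecuredHTTPSupport</param-name><param-value>Yes</param-value></context-param>
  <context-param><param-name>SecurityFilter</param-name><param-value>SAMEORIGIN</param-value></context-param>
  <security-constraint>
    <!--user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint-->
  </security-constraint>
</web-app>
"""

def context_params(root):
    """Map every <context-param> name to its (whitespace-trimmed) value."""
    return {cp.findtext("param-name", "").strip(): cp.findtext("param-value", "").strip()
            for cp in root.iter("context-param")}

def split_list(value):
    """Split a comma-delimited parameter value into its items."""
    return [v.strip() for v in value.split(",") if v.strip()]

def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)  # the default parser drops XML comments
    p = context_params(root)
    findings = []
    protos = split_list(p.get("TLSProtocols", ""))
    if not protos:  # unset means any TLS version is accepted
        findings.append("TLSProtocols unset: TLSv1 and TLSv1.1 accepted by default")
    weak = [v for v in protos if v in ("TLSv1", "TLSv1.1")]
    if weak:
        findings.append("TLSProtocols allows " + ",".join(weak))
    if "diffie-hellman-group1-sha1" in split_list(p.get("SSHKeyExchange", "")):
        findings.append("SSHKeyExchange re-enables diffie-hellman-group1-sha1 (Logjam)")
    if p.get("UnsecuredHTTPSupport", "No").lower() == "yes":
        findings.append("UnsecuredHTTPSupport=Yes: unencrypted HTTP accepted")
    if p.get("SecurityFilter", "SAMEORIGIN").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("SecurityFilter is neither DENY nor SAMEORIGIN")
    guarantee = root.findtext(".//user-data-constraint/transport-guarantee")
    if (guarantee or "").strip() != "CONFIDENTIAL":
        findings.append("HTTP-to-HTTPS redirect not active: uncomment user-data-constraint")
    return findings

if __name__ == "__main__":
    for f in audit_web_xml(SAMPLE_WEB_XML):
        print("FINDING:", f)
```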