server.xml Parameters

The MFT installation creates an entry for the HTTP and HTTPS connectors in the following file:

<MFT-Install>/server/conf/server.xml

Here are some parameters in the server.xml that you can update to enhance security.
Parameter Description
allowHostHeaderMismatch This parameter defines whether the MFT server must reject requests that specify one host in the request line and a different host in the Host header. Such a mismatch can occur when a customer is using the MFT File Transfer CLI (Command Line Interface) or has created an internal application using the file NonGUIApplet_0.0.0.1.jar or JavaApplet_0.0.0.1.jar.
The problem occurs when an older version of NonGUIApplet_0.0.0.1.jar or JavaApplet_0.0.0.1.jar is used. MFT releases prior to 8.2.1 do not set the header value correctly, and transfers fail if the value is set to false. You can set this value to false if both of the following are true:
  • You do not use the MFT FT File Transfer CLI, or you use the FT Command Line distributed with MFT V8.2.1 or above.
  • You have not created any file transfer applications using the files NonGUIApplet_0.0.0.1.jar or JavaApplet_0.0.0.1.jar, or the applications you created use versions of these files from MFT 8.2.1 or above.
Valid values are:
  • false: MFT will reject requests where the header host name does not match the host in the request line. This will cause problems if older versions of the file transfer jar files (NonGUIApplet_0.0.0.1.jar or JavaApplet_0.0.0.1.jar) are used.
  • true: MFT will accept requests where the header host name does not match the host in the request line. This will allow older versions of the file transfer jar files (NonGUIApplet_0.0.0.1.jar or JavaApplet_0.0.0.1.jar) to be used.

    This is the default value for MFT 8.2.1, but may be changed to false in a future release.

clientAuth This parameter defines whether the MFT Server supports HTTPS certificate authentication. Valid values are:
  • false: Certificate authentication is not supported. This is the default value.
  • want: Certificates are requested from the HTTPS client, but are not required. This is the value that we suggest when you want to perform HTTPS Certificate Authentication.
  • true: Certificates are required for HTTPS requests. However, MFT can still use certificate or password authentication, based on the System Configuration HTTPS Client Authentication Method parameter definition.
ciphers This parameter defines the TLS ciphers that are supported. The MFT installation fills in this field with secure ciphers, but you may want to limit the supported ciphers even more. For example, some customers remove CBC ciphers from the supported ciphers.
sslEnabledProtocols This parameter defines whether TLSv1.0, TLSv1.1, or TLSv1.2 is supported. By default, the MFT Server sets this parameter to TLSv1.2.
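
The four parameters above can be reviewed with a short script. The following Python code is an added example, not part of the MFT product or its documentation; it assumes the connectors appear as Connector elements in server.xml, and the sample content (ports, cipher list) is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample for illustration, not a real MFT server.xml.
# Ports and the cipher list are chosen for the example; the <Connector>
# element name is an assumption about how the connectors are written.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" allowHostHeaderMismatch="true"/>
  <Connector port="8443" allowHostHeaderMismatch="false" clientAuth="want"
             sslEnabledProtocols="TLSv1.1,TLSv1.2"
             ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"/>
</Service></Server>"""

OLD_PROTOCOLS = {"tlsv1", "tlsv1.0", "tlsv1.1"}  # older than the TLSv1.2 default
CLIENT_AUTH_VALUES = {"false", "want", "true"}   # the three values listed above


def split_list(value):
    """Split a comma-separated attribute value, dropping blanks and whitespace."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def audit_connectors(xml_text):
    """Return (port, parameter, detail) findings for every connector in xml_text.

    Only attributes that are explicitly set are checked; defaults are not inferred.
    """
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        if (conn.get("allowHostHeaderMismatch") or "").lower() == "true":
            findings.append((port, "allowHostHeaderMismatch",
                             "mismatched Host headers are accepted"))
        auth = conn.get("clientAuth")
        if auth is not None and auth.lower() not in CLIENT_AUTH_VALUES:
            findings.append((port, "clientAuth", f"unrecognized value {auth!r}"))
        for proto in split_list(conn.get("sslEnabledProtocols")):
            if proto.lower() in OLD_PROTOCOLS:
                findings.append((port, "sslEnabledProtocols", f"{proto} is enabled"))
        for cipher in split_list(conn.get("ciphers")):
            if "_CBC_" in cipher.upper():
                findings.append((port, "ciphers", f"CBC cipher {cipher}"))
    return findings


if __name__ == "__main__":
    for port, param, detail in audit_connectors(SAMPLE):
        print(f"connector {port}: {param}: {detail}")
```

To review a real installation, pass the contents of <MFT-Install>/server/conf/server.xml to audit_connectors() instead of SAMPLE.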