Installation and Configuration

After you have installed TIBCO MFT Platform Server for UNIX, configure the security-related parameters described in the following sections, based on your requirements.

config.txt Parameters

Several config.txt parameters affect security; they are described in the following sections. For a detailed description of these parameters, see "Configuration Parameters" in the TIBCO® Managed File Transfer Platform Server for UNIX Installation and Operation Guide.

config.txt Security Parameters

Parameter Description
SecurityPolicy

Defines the security policy for the Platform Server started task. You can configure the following values:

NONE: No security policy is defined.

FIPS140: STC is FIPS140 compliant.

HIPAA: HIPAA rules requiring encryption are followed.

ClientVerification

For TLS/SSL transfer, client certificates are required.

AllowRoot

Defines whether responder transfers can run under root. You can configure the following values:

All: Allow transfers to run under root.

N: Do not allow transfers to run under root.

Password: Allow transfers to run under root if the root password is defined.

The default value of N is recommended.

PamAuth

Defines whether PAM authentication is used. Supported for root installations only.

SemaphoreMaxWaitTime

Defines how long CyberMgr waits to complete. You may need to raise this value on high-volume systems if you find that audit records (log.txt) are not being written.

RpcSynchIntervalHA

Defines the time range between the RPC client and RPC server that is honored. HA requires that the time is synchronized on RPC clients and RPC servers. If the times are not synchronized, you may need to increase the sync interval. This parameter is only needed when running in HA.

SSLEnabledProtocols

Defines the SSL/TLS protocols that are used. This parameter is defined in both the SERVER and CLIENT sections of the config.txt file.

Ciphers

Defines the SSL/TLS ciphers that are used. This parameter is defined in both the SERVER and CLIENT sections of the config.txt file.

Umask_Default

Defines the UNIX umask applied to newly created files on the server. This is used for responder transfers only.

Uperm_Default

Defines the UNIX permissions set for newly created files on the server. This is used for responder transfers only.

CheckCRL

Defines whether the CRL is checked for SSL/TLS transfers.

CAPath

Defines the path where CRL checking looks for the hashed file names.

AccessControlConfig

Defines the fully qualified path of the Access Control Config files.

AliasConfig

Defines the fully qualified path of the Alias Config files.

RunCyberRespAsNonRoot

Defines whether you can run the CyberResp daemon as a non-root user.

Responder Profile Password Rule Parameters

These parameters define the rules used when responder profiles are created. These rules apply to responder passwords created by the cfrprofile utility or through Command Center.

Parse Commands

These parameters define how an argument should be parsed. For a detailed description of these parameters, see "Common Configuration Parameters" in the TIBCO® Managed File Transfer Platform Server for UNIX User's Guide.

Communication Parameters

These parameters allow you to set the Adapter IP address that Platform Server uses when establishing TCP connections. You can set different Adapter IP address parameters for IPv4 and IPv6 and for Listen (Responder) and Connect (Initiator).

Group Class Checking Parameters

Parameter Description
AdminGroup

Defines users that can create node definitions, user profiles, and responder profiles. Users can also inquire on completed transfers executed by any user.

BrowseGroup

Defines users that can inquire on completed transfers executed by any user.

TransferGroup

Defines users that can execute transfers initiated by Command Center.

StrictGroupChecking

Defines whether users are granted the rights assigned by membership in a group when that group is not defined; that is, whether requests should be denied if the group is not defined.

Miscellaneous Parameters

Parameter Description
RequiredNodeDefinition

Allows you to require pre-defined nodes for initiator and responder requests. This parameter is defined in two places:

SERVER: for Responder Transfers

CLIENT: for Initiator Transfers

ResponderProfile

Sets the default that defines whether responder profiles are required. This parameter can be overridden by node definitions.

AcceptVerifiedUser

We suggest using the default value of No.
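
An added example, not part of the TIBCO documentation: a small Python check that flags config.txt settings that differ from the values this page recommends or describes. The `[ SECTION ]` header and `Name: value` line layout, the sample file, and the function names are assumptions made for illustration; adjust the parser to the layout of your own config.txt.

```python
import re

# Constructed sample. The "[ SECTION ]" / "Name: value" layout is an assumption,
# and the protocol and cipher values are placeholders, not real settings.
SAMPLE = """\
[ SERVER ]
SecurityPolicy: NONE
AllowRoot: Password
AcceptVerifiedUser: No
SSLEnabledProtocols: placeholder
Ciphers: placeholder

[ CLIENT ]
Ciphers: placeholder
"""

# The page says these two are defined in both the SERVER and CLIENT sections.
BOTH_SECTIONS = ("SSLEnabledProtocols", "Ciphers")

def parse(text):
    """Return {section: {parameter: value}} for the assumed layout."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1).upper(), {})
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            current[name.strip()] = value.strip()
    return sections

def audit(text):
    """List settings that differ from what this page recommends."""
    cfg, findings = parse(text), []
    for section, params in cfg.items():
        if params.get("SecurityPolicy", "").upper() == "NONE":
            findings.append(f"{section}: SecurityPolicy is NONE, no policy is defined")
        if params.get("AllowRoot", "N").upper() != "N":
            findings.append(f"{section}: AllowRoot is {params['AllowRoot']}, N is recommended")
        if params.get("AcceptVerifiedUser", "No").upper() != "NO":
            findings.append(f"{section}: AcceptVerifiedUser is not the default No")
    for name in BOTH_SECTIONS:
        for section in ("SERVER", "CLIENT"):
            if name not in cfg.get(section, {}):
                findings.append(f"{section}: {name} is not set")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```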

Node Parameters

Several node parameters affect security. For a more detailed description of these parameters, see the "Transfer Using Nodes" section in the TIBCO® Managed File Transfer Platform Server for UNIX Installation and Operation Guide.

Security Parameters

Parameter Description
SecurityPolicy

Allows you to override the config.txt setting for transfers to this node.

ResponderProfile

Overrides the config.txt Responder Profile setting when running in root mode. For non-root mode, responder requests always validate against responder profiles.

AcceptVerifiedUser

We suggest using the default value of No.

Encrypt

Defines the default encryption for initiator transfers with this node.

CommandSupport

Defines whether requests from this IP address support Command Center functions.

TLS

Defines whether communication to this node should be through TLS or Tunnel communication.