Common Configuration Parameters

The following table lists parameters (in alphabetical order) that are used to configure all transfer requests.

Parameter Description
AccessControlConfig Defines the path to the AccessControl.cfg in the $CFROOT/config directory.

You can change the default directory for a file based on the USERID, NODE, or IPADDR parameters on responder transfer requests only.

For more information, see Access Control.
AdminGroup Defines the group name that holds users who can configure nodes, profiles, and responder profiles, as well as view audit records from all users.
AliasConfig Defines the path to the CfAlias.cfg file in the $CFROOT/config directory.

You can use an alias file name based on the USERID, NODE or IPADDR parameters for responder transfer requests only.

For more information, see CfAlias.

AuditTempErrors Defines whether all transfer attempts or only the final attempt is logged.
BrowseGroup Defines the group name that holds users who can view audit records from all users.
Note: If this group exists, then users who are not in the specified browse group can only view transactions that they conducted.
CfgPostProc Defines the name of the file that holds the postprocessing configuration.

For more information, see Configured Post Processing.

ConfigDirectory

Defines the path to a directory with all configuration files (with the exception of the config.txt file). By default, this is the $CFROOT/config folder. This might be different in HA mode or in a Docker container environment.

Note: Config.txt is always located in $CFROOT/config, regardless of ConfigDirectory value.
CRC Defines whether to perform a CRC check.

The valid values are N or Y.

CyberMgrPortLocal Defines the local port of CyberMgr. The default port number is 46678.
CyberMgrTraceLevel

Defines the trace level of CyberMgr. Valid values are Y, N or Detailed. The default value is N.

CyberMgrTraceLevel: Y {N, Yes|Y, Detailed|D}

CyberMgrTracePath

Defines the path of the trace file of CyberMgr. The default path is /mftps/trace/Responder.

Encode Defines how file names are translated when sent to or received from the remote Platform Server or Internet Server. Valid values are:
  • N: File names contain standard Latin characters and will not be converted to UTF-8.
  • A valid coded character set: tells Platform Server to convert the file names from this character set to UTF-8.

When this parameter is set to a value other than N, the data is converted from this character set to UTF-8. TIBCO MFT Platform Server then sends the UTF-8 file name to the target system, where it is converted back to the character set defined on that Platform Server or Internet Server.

For example, if you have file names with Korean characters, then you should set this parameter to the character set of the local UNIX machine.

Encode : EUCKR

Note: Encode works the same way as the UNIX iconv command. Encode applies only to file names. It is not applicable to the file data.
FailureSubject

Defines the email subject for a failed transfer.

The valid values are N or any string value. The default value is N.

FromAddress Defines the value of the From field in the email notification.
HADirectory

HADirectory: /mnt/HADir { N, DirName }

This parameter defines the directory where the HA files are located. All systems that want to be in the same HA Cluster must have access to this directory.

HACyberMgrPrimary

IpName/Address:Port

This parameter will appear in config.txt only if you have converted to HA mode. It defines the Primary CyberMgr Rpc Server host:port.

Note: It is very important that the values are identical on all machines participating in an HA cluster.
HACyberMgrSecondary

IpName/Address:Port

This parameter will appear in config.txt only if you have converted to HA mode. It defines the Secondary CyberMgr Rpc Server host:port.

Note: It is very important that the values are identical on all machines participating in an HA cluster.
LogAdminFileName

Defines the name of the log admin message file. Valid values are N and file name. The default path and name is /mftps/log/admin/Admin.txt.

One file is created per day, in the format of Admin.txt.YYYYMMDD.

LogDirectoryTransfers Defines whether to log cfdir requests when doing directory transfers.

The valid values are Y, N or Errors. The default value is Y. Errors means the cfdir request is logged only when an error occurs.

LogEventFileName Defines the name of the file that holds the transaction history log. When running in a container, this parameter should point to a file in persistent storage.

By default, the log file is $CFROOT/log/Log.txt.

One file is created per day in the format of Log.txt.YYYYMMDD.

LogMessageFileName

Defines the name of the log message file. Valid values are N and file name. The default path and name is: /mftps/log/message/Message.txt

One file is created per day, in the format of Message.txt.YYYYMMDD.

PQFDirectory

Defines the directory where the PQF files are stored. PQF files store transfer restart information when a transfer fails and can be restarted. When running in HAMode, this parameter must define persistent storage that is accessible to all Platform Server instances in the HA cluster. Otherwise, transfer restart may fail.

SecurityPolicy Defines whether TIBCO MFT Platform Server complies with any security policy on send and receive transfers.

  • HIPAA: this setting requires TIBCO MFT Platform Server to comply with HIPAA (Health Insurance Portability and Accountability Act) standards. The standards require all file transfers to use an encryption key length that is 128 bits or greater.
  • FIPS140: this setting requires TIBCO MFT Platform Server to comply with FIPS (Federal Information Processing Standard). This requires all file transfers to use SSL with an encryption type of Rijndael (AES), which uses a key length of 256 bits. This is a Government standard that certifies cryptographic modules used for the protection of sensitive but unclassified information and communications in electronic commerce within a security system.
  • None: no security policy is enforced.

Note: If you initiate a transfer using DES encryption, which is not allowed for either HIPAA or FIPS-140, the encryption is overridden with a certified encryption method. If you are using HIPAA, a prompted message is displayed informing you the encryption is changed to Blowfish Long. If you are using FIPS-140, you receive a prompted message informing you the encryption is changed to Rijndael (AES).

Note: If the SecurityPolicy is set to FIPS140, all CyberResp daemons must be restarted.

SemaphoreKey Defines the key used to create a semaphore.

If there are several transfers going on simultaneously, the output statements from different transactions can overwrite each other. This situation can be prevented by using a semaphore that synchronizes access to the Log.txt file.

The valid values are decimal numbers between 1 and 2147483647 or hexadecimal numbers between 0x00000001 and 0x7fffffff. Hexadecimal numbers must be prefixed with 0x.

SemaphoreMaxWaitTime

Defines how long to wait if the lock is taken by another thread. Each thread checks the semaphore (also known as the "lock") at 0.25 second intervals, up to the configured SemaphoreMaxWaitTime. If you have a high-volume transfer environment and consider that some logging requests might be lost (not logged) because the maximum wait time has passed and the Log.txt file is still taken by other threads, you should gradually increase the value. Valid values are from 10 - 120 seconds (2 minutes). The default value is 20 seconds.

To reset SemaphoreMaxWaitTime value without recycling CyberMgr:

  1. Open the config.txt file and change the value.

  2. Enter cfinq mgr=u to tell CyberMgr daemon to reset the SemaphoreMaxWaitTime value.

SMTPServer Defines the name of the email server and the port that is used to send out email notifications.

The format to define the port is:

your.smtp.server:port

If the port is not defined, it defaults to port 25.

Example:

your.smtp.server:25

StrictGroupChecking

Defines whether strict group checking is required. If you want to deny certain requests when the ‘cftransfer’ and ‘cfbrowse’ groups were not created, turn on this parameter. The default value is N.

Subject Defines the subject line of the email notification.

The maximum length of the defined value is 256 characters.

SuccessSubject

Defines the email subject for a successful transfer.

The valid values are N or any string value. The default value is N.

TraceGroupMember

Defines whether to trace all system calls that check whether a user is a member of a certain group. Set this parameter only when directed to by TIBCO Support.

The valid values are:

  • N: tracing is not turned on. This is the default value. There might be a lot of system calls so tracing should be done only 'on demand'.

  • Y: tracing is turned on and all system calls issued to determine a user's membership group are traced in log/admin or log/message PCI files.

TransferGroup Defines the group name that holds users who can conduct platform to platform file transfers initiated from Command Center.

Note: If this group does not exist and a transfer request comes in from Command Center, the transfer can succeed. If the group does exist and the end user account being used for a file transfer initiated from Command Center is not a member, the transfer fails.

TransnumFileName

Defines the file name where the current transaction number is stored. Platform Server uses this file to generate the transaction ID when a transfer is started. This parameter must be set when running in a container because this file must be saved in persistent storage. Otherwise, you should use the default value.

VRefreshInterval

Defines the visibility refresh interval for CyberMgr. The default value is 10 seconds. 0 seconds turns off the visibility.

By default, this is turned off. To turn it on, set it to 10 seconds or higher.

RpcSynchIntervalHA

Defines the time range that is out of sync between RpcServer (aka CyberMgr) and any other client app (like CyberResp cfinq, cfsend/cfrecv, and so on) on another HA cluster machine. The rpc call fails with an error "rpc security time failure" when the time is out of sync between the RPC client and the CyberMgr machines.

The supported range is 30 seconds to 86400 seconds. The default value is 60 seconds.

RpcSynchInterval: 60 { # of sec, 0 turn off time synch }

RpcMaxWaitConnectTimeHA

RpcMaxWaitConnectTimeHA: 1 { # of sec, 0 unlimited wait connect }

This parameter controls for how long any RPC client waits to connect to CyberMgr.

Note: Each RPC call consists of two parts: connect to server; if successful, then issue the actual call.
RpcMaxWaitConnectTimeHA controls only the first part, connect to CyberMgr.
The actual calls have their own Timeout value, which we have set based on the importance of the call.
RPC calls to get TransactionNumber and log transfer record have a timeout of 60 seconds.
All other RPC calls have a timeout of 10 seconds.

Password Rules for Responder Profile

# Password Rules for Responder Profile
PasswordRuleChecking:          N                         { Y, N }
PasswordRequireUpperAndLower:  N                         { Y, N }
PasswordMinLength:             8                       { 3 - 64 }
PasswordMinUnique:             3        { 0 - PasswordMinLength }
PasswordMinLetters:            3        { 0 - PasswordMinLength }
PasswordMinNumber:             0        { 0 - PasswordMinLength }
PasswordMinSpecial:            0        { 0 - PasswordMinLength }
Parameter Description
PasswordRuleChecking

Defines whether to enable password rule checking for the remote password of the responder profile.

The valid values are:

Y: password rule checking is enabled.

N: password rule checking is disabled. N is the default value.

PasswordRequireUpperAndLower

Defines whether the remote password of the responder profile must include uppercase and lowercase characters.

The valid values are:

Y: requires uppercase and lowercase characters in the remote password.

N: does not require uppercase and lowercase characters in the remote password. N is the default value.

PasswordMinLength Defines the length of the remote password of the responder profile. The password length can be between 3 - 64 characters. The default value is 8 characters.
PasswordMinUnique Defines the minimum number of unique characters in the remote password of the responder profile. Valid values are from 0 - PasswordMinLength. The default value is 3 characters.
PasswordMinNumber Defines the minimum number of numeric characters in the remote password of the responder profile. Valid values are from 0 - PasswordMinLength. The default value is 0.
PasswordMinLetters Defines the minimum number of letters (A-Z and a-z) in the remote password of the responder profile. Valid values are from 0 - PasswordMinLength. The default value is 3.
PasswordMinSpecial

Defines the minimum number of special characters in the remote password of the responder profile. Valid values are from 0 - PasswordMinLength. The default value is 0.

Note: If you are upgrading from a version prior to version 8.0.0 into the same $CFROOT directory, the password validation parameters are added automatically.
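The rules above can be exercised against candidate passwords before they are set on a responder profile. The following Python sketch is an added example, not TIBCO code: it range-checks a rule set against the documented valid values and reports which rules a password fails. It assumes that a special character is anything other than A-Z, a-z or 0-9; STRICT_RULES and the sample passwords are constructed.

```python
import string

# Documented defaults from the "Password Rules for Responder Profile" block.
DEFAULT_RULES = {
    "PasswordRuleChecking": "N",
    "PasswordRequireUpperAndLower": "N",
    "PasswordMinLength": 8,
    "PasswordMinUnique": 3,
    "PasswordMinLetters": 3,
    "PasswordMinNumber": 0,
    "PasswordMinSpecial": 0,
}
COUNT_KEYS = ("PasswordMinUnique", "PasswordMinLetters",
              "PasswordMinNumber", "PasswordMinSpecial")


def validate_rules(rules):
    """Return range problems in the rule set itself (documented valid values)."""
    problems = []
    min_len = rules["PasswordMinLength"]
    if not 3 <= min_len <= 64:
        problems.append("PasswordMinLength must be 3 - 64")
    for key in COUNT_KEYS:
        if not 0 <= rules[key] <= min_len:
            problems.append(f"{key} must be 0 - PasswordMinLength")
    return problems


def check_password(password, rules):
    """Return the names of the rules the password fails; empty list = accepted."""
    if rules["PasswordRuleChecking"] != "Y":
        return []  # rule checking disabled (the default): nothing is enforced
    letters = sum(c in string.ascii_letters for c in password)  # A-Z and a-z
    digits = sum(c in string.digits for c in password)
    # Assumption: any character that is not A-Z, a-z or 0-9 counts as special.
    special = len(password) - letters - digits
    measured = {
        "PasswordMinLength": len(password),
        "PasswordMinUnique": len(set(password)),
        "PasswordMinLetters": letters,
        "PasswordMinNumber": digits,
        "PasswordMinSpecial": special,
    }
    failed = [key for key, value in measured.items() if value < rules[key]]
    if rules["PasswordRequireUpperAndLower"] == "Y":
        has_upper = any(c in string.ascii_uppercase for c in password)
        has_lower = any(c in string.ascii_lowercase for c in password)
        if not (has_upper and has_lower):
            failed.append("PasswordRequireUpperAndLower")
    return failed


# Constructed policy, tighter than the defaults, for illustration only.
STRICT_RULES = dict(DEFAULT_RULES, PasswordRuleChecking="Y",
                    PasswordRequireUpperAndLower="Y", PasswordMinLength=12,
                    PasswordMinUnique=6, PasswordMinLetters=4,
                    PasswordMinNumber=2, PasswordMinSpecial=1)

if __name__ == "__main__":
    for candidate in ("Tr4nsfer-Node-07", "aaaaaaaaaaaa"):  # constructed samples
        print(candidate, check_password(candidate, STRICT_RULES) or "accepted")
```

With the shipped defaults (PasswordRuleChecking: N) every password is accepted, so the other six parameters have no effect until checking is switched to Y.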

Parse Commands

# Parse Commands
protect_cctransfer:            exec                { none|reject|exec }
protect_cfdir:                 reject              { none|reject|exec }
protect_fusutil:               reject              { none|reject|exec }
protect_receivedir:            exec                { none|reject|exec }
protect_rcmd:                  reject              { none|reject|exec }
protect_ppa:                   token               { none|token|exec  }
protect_cfgpostproc:           token               { none|token|exec  }
rejectcmdcharacters:           ;&|              { up to 10 characters }
Parameter Description
protect_cctransfer

Defines the processing performed when MFT Command Center initiates a Platform Server Transfer to Platform Server for UNIX.

The valid values are:

Parameter Value Description
none No additional parsing is performed when Platform Server executes a system command.
reject

If a command to be executed includes any of the characters defined by the rejectcmdcharacters parameter, the command terminates with an error.

exec

The command to be executed calls the exec function. This call does not allow multiple commands to be executed in a single command string.

The exec option supports up to 100 command line parameters.

The default value is exec.

protect_cfdir

Defines the processing performed when a cfdir request is received. A cfdir request prompts Platform Server to return a directory list or the status of a file or directory.

The valid values are:

Parameter Value Description
none No additional parsing is performed when Platform Server executes a system command.
reject

If a command to be executed includes any of the characters defined by the rejectcmdcharacters parameter, the command terminates with an error.

exec

The command to be executed calls the exec function. This call does not allow multiple commands to be executed in a single command string.

The exec option supports up to 100 command line parameters.

The default value is reject.

protect_cfgpostproc

Defines the processing performed when a configured Postprocessing command is executed.

The valid values are:

Parameter Value Description
none No additional parsing is performed when Platform Server executes a system command. You can add the ampersand sign (&) as the last character to prompt Platform Server to execute the command in the background. You can add the pound sign (#) as the last character to prompt Platform Server to wait for the system call to complete.
token

If a PPA or substitutable postprocessing token includes any of the characters defined by the rejectcmdcharacters parameter, the command terminates with an error.

The following are some of the PPA or configured postprocessing tokens:

  • File Name related (i.e. any token computed from a file name)

  • User Data

  • Process Name

exec The command to be executed calls the exec function. This call does not allow multiple commands to be executed in a single command string. You can add the ampersand sign (&) as the last character to prompt Platform Server to execute the command in the background. You can add the pound sign (#) as the last character to prompt Platform Server to wait for the exec call to complete. The exec option supports up to 100 command line parameters.

The default value is token.

protect_fusutil

Defines the processing performed when a fusutil request is received. A fusutil request prompts Platform Server to perform one of the following functions:

  • Deletes a file or directory

  • Renames file or directory

  • Returns whether a file exists

  • Creates a directory

The valid values are:

Parameter Value Description
none No additional parsing is performed when Platform Server executes a system command.
reject

If a command to be executed includes any of the characters defined by the rejectcmdcharacters parameter, the command terminates with an error.

exec The command to be executed calls the exec function. This call does not allow multiple commands to be executed in a single command string. The exec option supports up to 100 command line parameters.

The default value is reject.

protect_ppa

Defines the processing performed when a PPA command is executed.

The valid values are:

Parameter Value Description
none No additional parsing is performed when Platform Server executes a system command. You can add the ampersand sign (&) as the last character to prompt Platform Server to execute the command in the background. You can add the pound sign (#) as the last character to prompt Platform Server to wait for the system call to complete.
token

If a PPA or configured postprocessing token includes any of the characters defined by the rejectcmdcharacters parameter, the command terminates with an error. The following are some of the PPA or configured postprocessing tokens:

  • File Name related (i.e. any token computed from a file name)

  • User Data

  • Process Name

exec

The command to be executed calls the exec function. This call does not allow multiple commands to be executed in a single command string. You can add the ampersand sign (&) as the last character to prompt Platform Server to execute the command in the background. You can add the pound sign (#) as the last character to prompt Platform Server to wait for the exec call to complete. The exec option supports up to 100 command line parameters.

The default value is token.

protect_rcmd

Defines the processing performed when receiving a command other than cfdir or fusutil.

The valid values are:

Parameter Value Description
none No additional parsing is performed when Platform Server executes a system command. You can add the ampersand sign (&) as the last character to prompt Platform Server to execute the command in the background. You can add the pound sign (#) as the last character to prompt Platform Server to wait for the system call to complete.
reject

If a command to be executed includes any of the characters defined by the rejectcmdcharacters parameter, the command terminates with an error.

Note: You can use the ampersand sign (&) to tell Platform Server to execute the command in background.
exec The command to be executed calls the exec function. This call does not allow multiple commands to be executed in a single command string. You can add the ampersand sign (&) as the last character to prompt Platform Server to execute the command in the background. You can add the pound sign (#) as the last character to prompt Platform Server to wait for the exec call to complete. The exec option supports up to 100 command line parameters.

The default value is reject.

protect_receivedir

Defines the processing performed when executing a receive directory and Platform Server issues a "cfsend trytpe:c…" command to request a directory list.

The valid values are:

Parameter Value Description
none No additional parsing is performed when Platform Server executes a system command.
reject

If a command to be executed includes any of the characters defined by the rejectcmdcharacters parameter, the command terminates with an error.

exec

The command to be executed calls the exec function. This call does not allow multiple commands to be executed in a single command string.

The default value is exec.

rejectcmdcharacters

Defines the characters that are validated when reject or token is defined for a parameter. When one of these characters is in a command or token, the command terminates with an error.

The valid values are up to 10 characters.

The default value is ;&|
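The four protect_* values differ in what is inspected and in how the command is handed off. The following Python model is an added example, not Platform Server code, and executes nothing. It assumes that a command which is not run through exec goes to the system command interpreter as one string, and that POSIX-style word splitting stands in for the product's own parser; the script path, the {FILE} placeholder and the file name are hypothetical, and trailing & or # markers are not modelled.

```python
import shlex

REJECT_CHARS_DEFAULT = ";&|"  # documented default of rejectcmdcharacters
MAX_EXEC_PARAMS = 100         # documented limit for the exec option


def found_chars(text, reject_chars):
    """Return the reject characters present in text, sorted for stable output."""
    return "".join(sorted(set(text) & set(reject_chars)))


def plan_command(mode, template, tokens=None, reject_chars=REJECT_CHARS_DEFAULT):
    """Model what each protect_* value does with a command before it runs.

    Returns ("rejected", reason), ("shell", command_string) or ("exec", argv).
    Nothing is executed; the return value only describes the hand-off.
    """
    tokens = tokens or {}
    if mode not in ("none", "reject", "token", "exec"):
        raise ValueError(f"unknown protect mode: {mode}")
    if mode == "token":
        # token: only substituted values are inspected, not the configured text.
        for name, value in tokens.items():
            bad = found_chars(value, reject_chars)
            if bad:
                return ("rejected", f"token {name} contains {bad}")
    command = template
    for name, value in tokens.items():
        command = command.replace(name, value)
    if mode == "reject":
        # reject: the whole command string is inspected.
        bad = found_chars(command, reject_chars)
        if bad:
            return ("rejected", f"command contains {bad}")
    if mode == "exec":
        # exec: one program plus arguments, no shell to interpret ; & |.
        # Assumption: POSIX-style word splitting stands in for the product's parser.
        argv = shlex.split(command)
        if len(argv) - 1 > MAX_EXEC_PARAMS:
            return ("rejected", "more than 100 command line parameters")
        return ("exec", argv)
    return ("shell", command)  # none, or reject/token with nothing found


# Constructed inputs: hypothetical script path, placeholder and file name.
TEMPLATE = "/opt/example/scan.sh {FILE}"
TOKENS = {"{FILE}": "q3;report.csv"}

if __name__ == "__main__":
    for mode in ("none", "reject", "token", "exec"):
        print(f"{mode:7}", plan_command(mode, TEMPLATE, TOKENS))
```

With none, the semicolon in the file name reaches the command string untouched; reject and token stop the command; exec keeps the whole file name as a single argument to one program.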