Network fields

This section describes how to manage network and network protocol resources.

Fields

A network definition comprises the following fields. Each has a default value, which you can change.

Interface

Indicates the entity type through which connections can be established.

  • Any: Receive incoming calls on all available addresses.
  • Any IPv4 | Any IPv6: Use one of these options to define interfaces that can accept requests directed exclusively to all existing IPv4 addresses or IPv6 addresses, respectively.
  • Address: The address value allows you to define a specific address for Transfer CFT communication. For example, if your host has several IP addresses, you may want to reserve a specific address for Transfer CFT. To do this, select Address, and then enter the address to use for communication. You can enter an IP address or a host name, which is mapped to the designated IP address. Once set, Transfer CFT only accepts requests intended for the defined address.
Only one interface can be managed in Central Governance.

You can link an interface to up to three network protocol definitions, one for each of the following types: TCP, pTCP and UDT. Two of these, pTCP and UDT, are used specifically for file transfer acceleration (see About transfer acceleration).

Network protocols

Protocols are the access points to Transfer CFTs from the network. There is at least one network protocol per Transfer CFT.

Note If you remove, disable, or modify certain Transfer CFT network protocols and protocol configurations when they are used in a flow, a warning message indicates that the modification has an impact on one or more flows. If you confirm the configuration change, the affected flows are recalculated to reflect the new status.
Note Acceleration is supported on all Transfer CFT platforms except z/OS and IBM i.

Use TCP < Yes | No >

To use TCP as a network protocol, select Yes. Setting this option to No triggers a confirmation message indicating the impact of removing the protocols and communication profiles linked to this particular network.

You must define at least one network protocol to establish basic network communication.

Status

Indicates whether the displayed network protocol is active. To activate a network protocol, set Status to Active.

To deactivate a network protocol without losing the defined protocols and communication profiles, set the status to Inactive. This option sets all protocols and communication profiles linked to this network to an inactive state.

You must set at least one network protocol to Active to establish basic network communication.

Interface out

Interface on which outgoing calls occur.

Ports out

Define up to 16 comma-separated port ranges that can be used by Transfer CFT for outgoing calls, for example "5000-6000, 7251-8000". If you leave the field blank, the default value is used.
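The example below is added here to show how the "Ports out" value described above can be checked before it is deployed; it is not Axway code. It applies the rules the page states (at most 16 comma-separated ranges, a blank field meaning the default) together with the usual port bounds; rejecting overlapping ranges and accepting a single port such as "7000" are assumptions of this example, not documented behaviour. Knowing the exact outbound pool is also what lets the matching firewall egress rules be kept tight.

```python
"""Validator for the Central Governance "Ports out" field (added example)."""
from __future__ import annotations

MAX_RANGES = 16              # limit stated on the page
PORT_MIN, PORT_MAX = 1, 65535


class PortsOutError(ValueError):
    """Raised when the field value cannot be deployed as written."""


def parse_ports_out(value: str) -> list[tuple[int, int]]:
    """Parse "5000-6000, 7251-8000" into sorted (low, high) tuples.

    A blank field returns an empty list (the default value applies).
    A bare port "7000" is accepted as (7000, 7000); that shorthand is an
    assumption of this example, not something the page documents.
    """
    text = value.strip()
    if not text:
        return []
    ranges: list[tuple[int, int]] = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            raise PortsOutError("empty entry in port range list")
        low_s, sep, high_s = item.partition("-")
        try:
            low = int(low_s)
            high = int(high_s) if sep else low
        except ValueError:
            raise PortsOutError(f"not a port range: {item!r}") from None
        if not (PORT_MIN <= low <= PORT_MAX and PORT_MIN <= high <= PORT_MAX):
            raise PortsOutError(f"port out of bounds in {item!r}")
        if low > high:
            raise PortsOutError(f"low port above high port in {item!r}")
        ranges.append((low, high))
    if len(ranges) > MAX_RANGES:
        raise PortsOutError(f"{len(ranges)} ranges given, at most {MAX_RANGES} allowed")
    ranges.sort()
    # Overlapping ranges are rejected so the outbound pool is unambiguous
    # (assumption of this example).
    for (_, prev_high), (cur_low, _) in zip(ranges, ranges[1:]):
        if cur_low <= prev_high:
            raise PortsOutError("overlapping port ranges")
    return ranges


def outbound_port_count(value: str) -> int:
    """Number of distinct source ports the field makes available."""
    return sum(high - low + 1 for low, high in parse_ports_out(value))


def is_valid_ports_out(value: str) -> bool:
    """True when the field value passes every check above."""
    try:
        parse_ports_out(value)
    except PortsOutError:
        return False
    return True


if __name__ == "__main__":
    print(parse_ports_out("5000-6000, 7251-8000"))   # [(5000, 6000), (7251, 8000)]
    print(outbound_port_count("5000-6000, 7251-8000"))  # 1751
```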

Number of connections

Indicates the maximum number of simultaneous connections that Transfer CFT can establish on a given network resource.

Use < pTCP | UDT >

To create a network protocol, select Yes for Use <network type>. Setting this option to No triggers a confirmation message indicating the impact of removing the protocols and communication profiles linked to this particular network.

You must set at least one network protocol to Yes to establish basic network communication.

Protocols

The protocols table lists the defined protocols for the Transfer CFT along with the Status, Type, Network protocol, Port, and Enable SSL/TLS. You can use the Protocols buttons to add, remove, or copy a protocol. When copying an existing protocol, select only one protocol at a time. The pin/lock icon indicates that the protocol came from a policy.

Note   Modifying a Protocols definition triggers changes in the related communication profile. A message displays when you save a modification, warning of the impact.

To add a protocol, click Add PeSIT or Add SFTP, and complete the fields listed below. Once you complete the definition, you can save the definition; the floppy disk icon indicates it is saved, but not deployed.

Name

Enter a unique Name for the protocol. You cannot modify this field after saving. To rename, copy the protocol and rename prior to saving and deploying.

Status

Indicates whether the displayed protocol is active. To activate the protocol, set Status to Active (this attaches it to the CFTPARM).

Note   You cannot activate a protocol that is linked to an inactive network protocol (you must first activate the related network protocol).

Mode

  • Both - A bi-directional protocol definition, meaning you can use it as a client or server.
  • Server - A passive server
  • Client - A requester (with no defined port)

Type

The protocol type is applied to the selected option. You cannot modify the type once set.

Note   Select the type Both if you plan to use acknowledgments.

Port

The listening port (SAP) when you set Type to either Server or Both.

This setting defines the ports where Transfer CFT is listening for connections, and is a mandatory parameter in Central Governance.

Note   If you modify the Transfer CFT protocol port setting when it is used in a flow, a warning message indicates that the modification has an impact on one or more flows. See Configuration change management.

Network protocol

Indicates the network protocol to use. Only TCP is available with SFTP.

  • TCP - The Transmission Control Protocol (TCP), one of the core protocols of the Internet protocol suite (IP), is often called TCP/IP. TCP provides reliable, ordered and error-checked delivery of a stream of octets between programs running on computers connected to a local area network, intranet or the public Internet. It resides at the transport layer.
  • pTCP - The parallel Transmission Control Protocol (pTCP) is an end-to-end transport layer protocol that supports striped connections.
  • UDT - The UDP-based Data Transfer Protocol (UDT) is a high performance data transfer protocol designed for transferring large volumetric data sets over high-speed wide-area networks.

PeSIT security options

Enable security (PeSIT)

List of available security profiles or no security. If the protocol uses a secured connection (SSL), specify the security profile to use. Authentication is mandatory when using SFTP.

  • No - No security.
  • Yes - Displays drop-down list:
    • Client/Server authentication - You can opt to use an existing private certificate, or upload a new private certificate.
    • Select private certificate - Select from the drop-down list. You are prompted to enter a password. Note that the password is not stored on the server; its only purpose is to decrypt the certificate.
      • Use an existing private certificate - Select the certificate alias from a list of known certificates usable for the server. The security profile is then displayed and cannot be modified.
      • Upload a new private certificate - Click Browse and navigate to the certificate on your system. The certificate must be a private PKCS #12 certificate.
      • File password - Enter the certificate password in the field. This is the password that must be used to decrypt the certificate. After saving the protocol definition, the decrypted certificate is encrypted again with the Central Governance "key for encryption" before storing.
      • Certificate alias - By default the field uses the PKCS #12 file name. To customize, enter a unique Name to identify the certificate.
      • Security profile - Enter a unique Name for the security profile (CFTSSL).

SFTP security options

Authentication is mandatory when using SFTP.

  • Server authentication - You can opt to use an existing private certificate, or upload a new private certificate.
  • Select private certificate - Select from the drop-down list. You are prompted to enter a password. Note that the password is not stored on the server; its only purpose is to decrypt the certificate.
    • Use existing private key - Select the certificate alias from a list of known certificates usable for the server. The security profile is then displayed and cannot be modified.
    • Upload new private key - Click Browse and navigate to the key file on your system. The file must be in PKCS #8 format.
    • Security profile - Enter a unique Name for the security profile (CFTSSL).
Note After uploading a certificate, you should save the entire configuration before editing the protocol or communication profile.

Communication profiles

A communication profile contains the details for making connections between clients and servers for data transfers. The profile types are based on the role of file transfer sender or receiver. For more information, see Communication profiles. You can use the Communication profiles buttons to add, remove, or copy a profile. When copying an existing profile, select only one communication profile at a time.

Note   Each communication profile is linked to a protocol definition. Modifying and saving a Protocols definition impacts the related communication profile. When this occurs, a message displays warning of the impact.
Note   Communication profiles are not deployed to Transfer CFT until they are deployed in a flow.

Server communication profiles

Provides the details for a client to transfer data via a protocol to the sender or receiver that acts as a server. To create a new profile, select Add server communication profile, enter a unique Name, and complete the following fields:

Status: A read-only field displaying the availability of the profile for use in flows. This value is derived from the status of the protocol on which it is based.

Protocol name: A list of available protocols.

Protocol type: The protocol type used for this communication profile. It is inherited from the selected protocol and cannot be edited.

Public host: Fully qualified domain name or IP address of the Transfer CFT, as reached from the internal or external network.

Public port: Server communication profile port.

Network protocol: A read-only display of the network protocol value.

Incoming connections: Defines the maximum number of sessions for incoming connections.

Outgoing connections: Defines the maximum number of sessions for outgoing connections.

Total connections: Defines the maximum number of communication sessions.

Note The values set in the Central Governance UI take precedence over the partner values. If the three connection fields are left empty, however, the partner template values are used (not the default value). If there is no partner template, the default is used for each parameter.

Maximum number of retries: Defines the maximum number of retry attempts.

Number of retries: Defines the number of times a retry is attempted before increasing the time between retries.

Time between two retries: Defines the time in minutes between two retries. This value increases by one after the Number of retries is reached up to the Maximum number of retries value.

Limitation: If you are using a loop flow where both partners use the same communication profile, there is no conflict for connections. However, if the source uses, for example, comm_profile1 and the target uses comm_profile2, and the connection parameters have differing values, then the last deployed value for a connection setting is taken into account.

PeSIT specific fields

Login: Enter the value used to log in to the protocol defined in the Protocol type field. Central Governance uses the product name, in upper case, by default.

Password: Represents the password used in all flows using this communication profile and where the exchange protocol is PeSIT.

Enable security: A read-only field derived from the value set in the protocol. Click Display details for certificate information.

SFTP specific fields

Client authentication: Password or public key | Public key | Password.

Caution   See the upgrade section of the Central Governance Migration Guide for upgrade impact details.
Note After uploading a certificate, you should save the entire configuration before editing the protocol or communication profile.

Client communication profiles

Provides the details for the sender or receiver to connect via a protocol to the server. To create a client communication profile, select Add client communication profile, enter a unique Name, and complete the fields described below.

Note   You cannot use a PeSIT log-in for an acknowledgment that differs from the one used in the source server communication profile definition. The same is true for a certificate for an acknowledgment, meaning that the certificate you use must be the same as in the source server communication profile.

Status: A read-only field displaying the availability of the profile for use in flows. This value is derived from the status of the protocol on which it is based.

Protocol name: A list of available protocols. However, you should not select a non-deployed protocol for a deployed flow. Doing so sets the flow to "Saved" instead of "Saved, not deployed".

Protocol type: The protocol type used for this communication profile. It is inherited from the selected protocol and cannot be edited.

Network protocol: A read-only display of the network protocol value.

Incoming connections: Defines the maximum number of sessions for incoming connections.

Outgoing connections: Defines the maximum number of sessions for outgoing connections.

Total connections: Defines the maximum number of communication sessions.

Note The values set in the Central Governance UI take precedence over the partner values. If the three connection fields are left empty, however, the partner template values are used (not the default value). If there is no partner template, the default, 64, is used for each parameter. Lastly, if these values are defined for both the client and the server, the client values take precedence.

Limitation: If you are using a loop flow where both partners use the same communication profile, there is no conflict for connections. However, if the source uses, for example, comm_profile1 and the target uses comm_profile2, and the connection parameters have differing values, then the last deployed value for a connection setting is taken into account.

PeSIT specific fields

Login: Enter the value used to log in to the protocol defined in the Protocol type field. Central Governance uses the product name, in upper case, by default.

Password: Represents the password used in all flows using this communication profile and where the exchange protocol is PeSIT.

Enable security: A read-only field, unless SSL/TLS is enabled for the protocol. If you select a protocol with SSL/TLS enabled, additional authentication and certificate fields display. Complete them as described in Enable security (PeSIT). Click Display details for certificate information.

SFTP specific fields

Client authentication: Public key | Password. Depending on this choice, the following options differ.

  • Password

Login: Enter the value used to log in to the protocol defined in the Protocol type field.

  • Public key

Login: Enter the value used to log in to the protocol defined in the Protocol type field.

Client authentication: Select from the drop-down list:

  • Use existing private key - Select the certificate alias from a list of known certificates usable for the server. The security profile is then displayed and cannot be modified.
  • Upload new private key - Click Browse and navigate to the file on your system. The file must be a private key in PKCS #8 format.
  • File password - Enter the certificate password in the field. This is the password that must be used to decrypt the certificate. After saving the protocol definition, the decrypted certificate is encrypted again with the Central Governance "key for encryption" before storing.
  • Key alias - By default the field uses the PKCS #8 file name. To customize, enter a unique Name to identify the certificate.

Note After uploading a certificate, you should save the entire configuration before editing the protocol or communication profile.

General

Maximum file access tasks

Number of file access tasks that handle simultaneous transfers. The value must be less than or equal to the Maximum simultaneous transfers value. Default values are OS specific.

Maximum transfers for a task

Number of transfers handled per task before creating a new task. If you set this value in the policy to a value greater than the maximum value supported by the operating system, the deployed value is the OS maximum value.

Inactivity timeout

Available only on z/OS and when the option User for file access is set to Transfer CFT system account.

Interval in minutes before an inactive task is closed.

Maximum simultaneous transfers

Indicates the maximum number of simultaneous connections Transfer CFT can have for a network resource.

You can use this parameter to optimize Transfer CFT bandwidth usage. For example, if Transfer CFT is being used as a relay or central connecting point, then you may want to set this parameter to a high value. Raising this value increases the CPU processing, disk I/O, and bandwidth consumption on the host machine, so check that the host machine has the necessary hardware capability.

Using a low value when Transfer CFT is acting as a relay can cause bottlenecks in the flow's execution. If Transfer CFT receives more transfer requests than authorized by this parameter value, the transfers are listed as described in Transfer list. These transfers are then acted on according to their priority, or when resources become available.

Additional conditions:

  • The license for Transfer CFT might impose restrictions that lower the configurable value.
  • The number of incoming and outgoing transfers is also defined at the transfer point level.

Disconnect timeout

Indicates the wait timeout for either a response to the protocol connection request, or to the transfer point connection, before disconnecting.

This parameter represents the timeout when waiting for a protocol request, which can be a connection or an interruption request.

At the protocol level, a connection request refers to the physical connection with the transfer point host. Once established, the transfer point Transfer CFT may not be responding. This could be due to the fact that the transfer point application is busy or has encountered an error.

An interruption request occurs if one of the Transfer CFT transfer points, for example CFT1, needs to interrupt the communication in response to a user action. The transfer point CFT1 can then use the time defined in the Disconnect timeout parameter for the network connection break. After this period of time, the originator of the abort request, CFT2, will initiate a network disconnect request.

If your Transfer CFT frequently communicates with transfer points that are slow to respond, for example due to heavy usage, you may want to increase the disconnect timeout value. Or, you may want to use a higher disconnect timeout value to allow abort requests from Transfer CFT to have enough time to be correctly processed at the transfer point. Alternately, if you interact with highly responsive transfer points, you can use a lower value. In most cases, the default value of 60 seconds is sufficient.

Attempts to restart transfer

Indicates the maximum number of times Transfer CFT attempts to restart a transfer.

This requester mode parameter indicates the maximum number of attempts for a transfer. An attempt begins at the moment the physical connection is established with the remote site.

You can tune this value in combination with the Disconnect timeout parameter. For example, you can set a low disconnect timeout, but define a certain number of retries if the transfer cannot be performed. See PeSIT Tuning.

IPv6 mode

Indicates the IPv6 resolution for hostnames when Transfer CFT is acting as a client, server, both, or none.

This setting defines how Transfer CFT manages Internet addresses and hostname resolution, and is operating system dependent.

  • Client: The host name used by Transfer CFT to connect to a host may refer to an IPv4 or an IPv6 address or a list of addresses of either type. If a name simultaneously refers to two different addresses, Transfer CFT will connect to the one available on the remote end.
  • Server: The host name used by Transfer CFT to listen for incoming connections can refer to both types of addresses or to a list of addresses of either type. If the name resolution request returns a list of addresses, Transfer CFT listens on the first entry in the list. The order of the returned addresses is not guaranteed and is operating system dependent.
  • None: Because enabling IPv6 use for applications may have adverse effects if improperly configured, support for IPv6 is disabled by default. In this case, hostnames that are defined in the Transfer CFT configuration files are resolved only for IPv4 addresses. That said, you can directly enter IPv6 addresses in Transfer CFT configuration files, as the IPv6 mode parameter applies exclusively to hostname resolution.

We recommend None when unsure whether your operating system is set up for IPv6.

The operating system must support IPv4 and IPv6 (if used) addressing as defined in the POSIX Protocol Independent API specifications.

Max number of SSL tasks

The maximum number of SSL tasks that can execute simultaneously.

Max number of transfers per SSL task

The maximum number of simultaneous network sessions guaranteed by an SSL task (default = 3). Above this number, a new task is created, if necessary.

SSL task inactivity timeout

Set the inactivity time, in minutes, of the SSL task. Beyond this value, the task is shut down. An SSL task is considered to be idle if it no longer manages any sessions.

Keep alive between transfers

The client and server timeout settings represent separate idle connection parameters when Transfer CFT is acting as a client or a server.

Client

Interval in seconds to maintain an active session between transfer activity on the client.

Server

Interval in seconds to maintain an active session between transfer activity on the server.

pTCP

See About transfer acceleration for information about using pTCP.

Number of parallel connections

Indicates the number of simultaneous connections that can occur in parallel.

Packet size

Indicates the pTCP packet size in bytes.

Buffer size

Indicates the internal acceleration buffer size in megabytes. This value should be greater than the number of connections multiplied by packet size. The stored buffer size value should be rounded to at most 3 decimal places, with no trailing zeros.

For example, for 16 connections and 4000 bytes the value would be 0.062 MB, if you round up to the nearest 0.001 MB.
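The following is an added example, not Axway code, that carries the Buffer size rule above through in code: it computes the smallest storable buffer (at most three decimals, no trailing zeros) that is strictly greater than connections multiplied by packet size, and checks a configured value against that same bound. Reproducing the page's own figure (16 connections, 4000 bytes, 0.062 MB) requires treating 1 MB as 1,048,576 bytes, so that base is assumed here; it also goes one step past the page by handling the case where the product is an exact multiple of 0.001 MB, which a plain round-up would leave equal rather than greater.

```python
"""Minimum pTCP acceleration buffer size (added example, not Axway code)."""
from decimal import Decimal, ROUND_UP

BYTES_PER_MB = 1_048_576      # assumption: the page's 0.062 MB figure implies a binary MB
MB_STEP = Decimal("0.001")    # the field stores at most three decimal places


def min_buffer_mb(connections: int, packet_size: int) -> Decimal:
    """Smallest storable buffer size (MB) strictly greater than
    connections x packet size bytes."""
    if connections <= 0 or packet_size <= 0:
        raise ValueError("connections and packet size must be positive")
    needed = connections * packet_size
    value = (Decimal(needed) / Decimal(BYTES_PER_MB)).quantize(MB_STEP, rounding=ROUND_UP)
    # Rounding up an exact multiple leaves the buffer equal to the product,
    # but the page requires it to be greater, so step up once more.
    if value * BYTES_PER_MB <= needed:
        value += MB_STEP
    return value


def format_buffer_mb(value: Decimal) -> str:
    """Render as the field expects: up to 3 decimals, no trailing zeros."""
    text = f"{value.quantize(MB_STEP, rounding=ROUND_UP):f}"
    return text.rstrip("0").rstrip(".")


def buffer_is_sufficient(buffer_mb: str, connections: int, packet_size: int) -> bool:
    """True when a configured buffer exceeds connections x packet size."""
    return Decimal(buffer_mb) * BYTES_PER_MB > connections * packet_size


if __name__ == "__main__":
    # The page's own example: 16 connections, 4000-byte packets.
    print(format_buffer_mb(min_buffer_mb(16, 4000)))   # 0.062
    print(buffer_is_sufficient("0.061", 16, 4000))     # False
```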

UDT

There is one UDT instance per Transfer CFT.

Note that Transfer CFT 3.2.4 SP2 and higher supports the use of UDT with IPv6. See About transfer acceleration for information about using UDT.

Buffer size

Indicates the internal acceleration buffer size.

PeSIT Tuning

There is one PeSIT tuning instance per Transfer CFT.

Compression

Defines the use of file compression for Transfer CFT. Files can be compressed to reduce the size of the data that is transferred.

  • Yes: Authorizes use of compression for sending or receiving a file, which is then negotiated between the source and target. This implies the source and target use the same type of compression. Selecting compression indicates one or multiple types of PeSIT compression are used, which might include horizontal or vertical compression or both.
    • With horizontal compression, runs of identical consecutive characters within the same row are compressed.
    • With vertical compression, runs of identical consecutive characters in the same column are compressed.
    • With both, data are compressed horizontally and vertically.
  • No: Do not use PeSIT file compression.

Consider using compression when the files are highly compressible, or if the network has an especially low bandwidth. Note that using compression leads to high CPU consumption.

Inactivity timeout

The network monitoring timeout, in seconds, excluding the protocol connection/disconnection break phase. The value 0 indicates an infinite amount of time.

For example, transfer points CFT1 and CFT2 are connected and multiple parallel transfers are occurring. If one transfer point, the local transfer point CFT1, does not receive an acknowledgement by the time indicated in the Inactivity timeout, it interrupts the connection with a diagnostic code indicating that the timeout was exceeded. This could be caused, for example, by high activity on the remote CFT2 transfer point.

You may want to adjust this parameter if you have a session that is open for an extended period of time.

The Inactivity timeout refers to the file protocol data connection that occurs after a PeSIT connection. This is not to be confused with the Disconnect timeout, which is a request during the actual PeSIT session.

Acknowledgment window size

Maximum number of synchronization points, without waiting for a response, that are authorized by the source/target. This value may be negotiated between Transfer CFTs or applications during the connection phase.

The value 0 indicates that the synchronization point option is not used. The value 1 defines half-duplex transfers.

Data transferred between sync points

Indicates the internal size of data to transfer, in kilobytes, between two synchronization points. This value is negotiated with the transfer point. The value 0 indicates that there are no synchronization points.

 
