Gateway 6.17.3 User Guide

Axway Gateway documentation: What's new in this version

Gateway 6.17.3 SP10

- Option to set the selection order of the key exchange algorithm: client or server preferred order.
  Refer to: Security guide > Managing SSH Security Profiles > Key exchange algorithms (requires login)
- Connection Limiter option in Secure Relay, relating to Gateway.
  Refer to: User guide > Configuring Secure Relay advanced options

Gateway 6.17.3 SP9

- Gateway supports multiple PKI structures, as well as easy certificate renewal across all levels of the certification path.
  Refer to: Security guide > Managing TLS (requires login)
- Local certificates on negotiated cipher: selected only if compatible.
  Refer to: Security guide > Managing TLS > Certification path building mode

Gateway 6.17.3 SP5

- Gateway now offers a mechanism to protect against Cross-Site Request Forgery (CSRF) attacks.
  Refer to: Using HTTP in server mode
- For Virtual File Directories, you can set a limit to the number of concurrent listings for each protocol.
  Refer to: User guide > VFD concurrent listing
- Gateway's response for a non-existent file can be switched from an empty listing to 550 (Requested action not taken). To configure this behavior, set the peluconf [ft_ftp] alter_list_response parameter to 1.

Gateway 6.17.3 SP4

- The SFTPv6 protocol can now be disabled through configuration at remote site level.
  Refer to: New Remote Site: SFTP tab; Site objects: Parameters List
- The HTTP authentication protocols NTLM and NTLMv2 are now supported for Gateway Client.
  Refer to: Using HTTP in client mode

Gateway 6.17.3 SP3

- X-Priority SMIME headers now have alphanumeric values, starting with the 1902 SEPAMAIL standard. Numeric values are encoded as 1 = HIGHEST, 2 = HIGH, 3 = NORMAL, 4 = LOW, 5 = LOWEST.
  Refer to: Managing partners > ... > New Remote Site: SMTP tab; Managing partners > ... > Site objects: Parameters List

Gateway 6.17.3 SP2

- Improved cache for PassPort: Gateway can be configured to cache user authentication and privileges when PassPort AM is configured as access manager.
  Refer to: Configuring connectors
- You can set a policy to archive audit files automatically.
  Refer to: Managing audits > Viewing and managing Audit
- New option to avoid restart on broken statuses caused by vital processes.
  Refer to: Messages and codes > Process Monitoring messages (GC)
- Gateway now chooses a local certificate only if its key is compatible with the key exchange algorithm of the negotiated cipher. You can thus configure a security profile with multiple certificates to serve connections with different requirement levels: old software that only supports RSA ciphers, as well as new software supporting elliptic curve cryptography.
  Refer to: Security guide > Managing TLS > Certification path building mode
- Command line option to disable the use of MD5 hash algorithms.
  Refer to: Security guide > TLS cipher suites; Security guide > Using SSH
- Delete only temporary files when purging, with an option to keep the mailbox record.
  Refer to: Managing transfers > ... > Working with Purge Models (command line); Managing transfers > ... > Viewing and managing Mailbox contents
- To preserve security, the Browse button has been removed from Navigator. All references to the Browse button have been removed from the documentation.
- Gateway supports SFTP versions 0, 1, 2, 3 and 6.
  Refer to: Protocols > SFTP protocol

Gateway 6.17.3 SP1

- Documentation: To protect the security of your data, documentation content previously contained in the User guide under the Managing security chapter has been moved to Security guide > Security administration. Access to the Security guide on the internet is restricted to users with Axway IDs, which excludes malevolent hackers looking for insights into sensitive information.
  Refer to: Security guide > Security administration (requires a login)
- The connection to Integrator/XIB can be secured using TLS.
  Refer to: Configuration > Configuring connectors

Gateway 6.17.3

- TLS extensions: When connecting as a client, Gateway uses the host name of the remote partner as the value of the Server Name Indication extension, as specified by RFC6606 from the IETF. See the restrictions in the Security guide.
  Refer to: Security guide > SSL and TLS protocols > TLS Extensions
- Native support for 64-bit architecture on AIX and Windows.
  Refer to: Installation guide > Installation prerequisites
- SWIFT: Compliance with SWIFT CSP.
- Multiple backup sites for SwiftNet remote sites: Gateway now allows up to 4 backup sites for each SWIFTNet remote site.
  Refer to: Site objects: Parameters List
- Longer keys: The maximum length of RSA keys in certificates imported into Gateway is raised to 8192 bits (formerly 4096). PEM and DER formats are supported. Only RSA-based signature algorithms are supported. Two hash algorithms are available and can be associated with RSA: MD5 and SHA-1.
  Refer to: Security guide > Certificate Restrictions; Security guide > Managing TLS
- Updated OpenSSL: Cryptographic operations now rely on OpenSSL version 1.0.2k.
- JMS logging is now supported by Apache Log4j 2.
- No longer supported in this version: ETEBAC 3 Client & Bank and ETEBAC 5 Client & Bank; Infozip and infounzip tools.

Gateway 6.17.2 SP2

- Cipher suites configuration: It is now possible to configure, both in the GUI and the CLI, up to 32 TLS ciphers in TLS security profiles (server and client).
  Refer to: Security guide > Managing TLS Security Profiles
- Audit support: Gateway stores the actions performed by users on the Gateway configuration (global and object configuration) in a dedicated file, providing visibility of the changes made to the product. This functionality cannot be disabled.
  Refer to: Managing Audit files
- Payload integrity: You can enable the payload integrity check to ensure that the payload has not changed between the moment it was received by Gateway and further actions: routing to Integrator or routing to a third party. The protocols for which the signature is computed in Gateway for incoming transfers are SWIFTNet, PeSIT and JMS.
  Refer to: Security guide > Payload Security

Gateway 6.17.2

- Encryption of password information in export files.
  Refer to: Security guide > Managing SSH Security Profiles (command line); Security guide > Managing TLS Security Profiles (command line); User guide > Importing and exporting objects
- ECDSA support with PassPort and XSR Termination: ECDSA keys and certificates can now be used with PassPort and XSR Termination. Make sure you use PassPort 4.6 SP12 P2 and SecureRelayRA 2.7.0.
  Refer to: Security guide > TLS cipher suites
- Improved cache for TLS sessions: An improvement in the TLS cache now allows the cache to be shared between control and data sessions on FTP.
- Certificate chain size on TLS: The limit on the size of the certificate chain sent on TLS was increased from 16k to 64k.
- Native support for AIX 64-bit operating systems: With this release, Gateway includes native 64-bit support for the AIX operating system. Besides the new installation package, a cross-platform migration tool is available to handle the Gateway 6.17.2 AIX 32-bit to Gateway 6.17.2 AIX 64-bit migration.
  Refer to: Upgrade guide > Upgrading to 6.17
- New signature for transfer user exits ExitXfer* (Perl and C): To support passing custom user data in subsequent SSH exit calls, and to be able to differentiate between the SSH and TLS contexts, the transfer exits ExitXfer* (Perl and C) have a new signature.
  Refer to: Signatures: User guide > Customizing Gateway processes > User exits > External user exits; Upgrade: Upgrade guide > Upgrading to 6.17
- Length of the PeSIT file label transfer parameter: The limit for the file label transfer parameter has increased from 80 to 256 characters.
  Refer to: User guide > Managing transfers > Submitting transfers > Transfer requests > New Transfer Request: PeSIT tab

Gateway 6.17.1

- Upgrade to Perl 5.24: Perl version 5.24.0 is required to compile the Perl exits or to run the Perl scripts.
  Refer to: User guide > User interfaces > Online commands > Online commands in Perl
- The password authorizing operations on Gateway is secured: The password used for authorizing operations on Gateway through commands (command line utility, exits, scripts) when access management is enabled is now stored in encrypted form.
  Refer to: Security guide > Password management

Gateway 6.16.1

- ECDSA key support for SSH: The supported ECDSA keys are those required by RFC5656 (nistp256, nistp384 and nistp521). The key exchange algorithm list has been updated with new entries specific to this key format.
  Refer to: Security guide > SSH user exits
- ECDSA certificate support for TLS: You can now import ECDSA certificates into Gateway. The supported curve formats for ECDSA certificates are those specified in RFC4492.
  Refer to: Security guide > Managing Keys and Certificates in SSH
- New TLS cipher support: The following cipher suites are now available: DHE, ECDHE-RSA, ECDHE-ECDSA, AES-GCM.
  Refer to: Security guide > TLS cipher suites
- Weak ciphers disabled: On new Gateway installations the weak ciphers are not present in TLS profiles. Users can still enable them with the configuration option [tls] enable_weak_ciphers set to 'yes', but this is strongly discouraged.
  Refer to: Security guide > TLS cipher suites
- Secured the connection between Gateway and Sentinel using TLS: Gateway can now use TLS when connecting to Sentinel. The TLS connection is activated by default on new installations. You must make sure that Sentinel exposes a TLS-secured port for the connection between the two products to succeed.
  Refer to: Configuring connectors
- Upgrade to OpenSSL version 1.0.2: OpenSSL version 1.0.2 is now used for cryptographic operations.
- Manually force Gateway to re-read PassPort PM Communication Protocol Profiles (DEA): pelctl was extended with a new subcommand to invalidate all caches used for communication with PassPort PM, or to invalidate the cache per DEA (pelctl invalidate_tpm_cache). Changes should be reflected immediately on incoming/outgoing exchanges.
  Refer to: PassPort PM cache

Gateway 6.16.0

- Managing TLS Security Profiles: New commands to create and modify security profiles using the command line UI.
  Refer to: Security guide > Managing TLS Security Profiles; Security guide > Managing TLS Security Profiles (command line)
- Support for TLS 1.1 and 1.2: Configure and use TLS 1.1 and TLS 1.2 with Gateway.
  Refer to: Security guide > TLS cipher suites
- Discontinued support for CSR sample certificates.
  Refer to: Configuration: connectivity parameters
- Secure Relay IP filtering: Configuring IP filtering on the Secure Relay Master Agent, from Gateway, using black lists and white lists.
  Refer to: Configuring Secure Relay advanced options
- Configuring protocols: SAP parameters.
- PassPort configuration: Configuring Gateway's connector to PassPort for the PKI, access management and partner management services.
  Refer to: Axway PassPort PM connector; Axway PassPort AM connector; Axway PassPort PS connector; Security guide > Working with PassPort AM
- Support for FIPS: Configuring Gateway correctly to establish FIPS-compliant secure connections.
  Refer to: Security guide > About FIPS

Links to the documentation set for Axway Gateway 6.17.3: Installation -- User -- Unix Configuration -- Upgrade -- Interoperability -- Security (requires login) -- Release Notes