SecureTransport 5.2.1 Release Notes

New features and enhancements

Axway Installer - Consistent with Axway 5 Suite, the Axway Installer installs and uninstalls SecureTransport 5.2.1. A future release will use the Axway Installer for upgrades.

Audit log - A new audit log records changes made to the SecureTransport configuration. Using the Audit Log page of the Administration Tool, an administrator can view, compare, and export log entries and add or update comments for changes the administrator made. Many Administration Tool pages include a Last Modified link that you can use to display in the audit log the entry that records the last change for that page.

Support tool - The support tool collects information about SecureTransport and its host operating system and saves it in a support information file that you can send to Axway Global Support to help them diagnose an issue.

Transfer log and server log data in separate external databases - When SecureTransport Server uses an external Oracle database, the administrator can direct transfer log (file tracking) data and server log data to different databases from the one used for the rest of the SecureTransport configuration and data.

New web service APIs - Version 1.1 of the SecureTransport web service APIs adds the AuditLogResource, ClusterNodeResource, ConfigurationProfilesResource, and LogsResource to the administrator resources. For more information, see the online resource descriptions.

CTR ciphers - The SSH client and server support CTR ciphers.

PeSIT metadata - SecureTransport includes PI 61 and PI 62 with routed transfers. SecureTransport retains the values of many PeSIT PI codes with a received file as metadata, which can be used in the value of the User Message Send field.

Fixed issues

External ID: Description
4.9.2 SP2 Patch 57: If a PGP-encrypted file has a last-modified date in the future, when SecureTransport decrypts the file, it sets the last-modified date of the decrypted file to that future date. In some cases, this causes the operating system to set the last-modified date of the file to a date in the distant past.
4.9.2 SP2 Patch 59: SecureTransport virtual users can access files outside their home folders by specifying an unresolved path name that uses the ".." path traversal characters to access a parent directory.
4.9.2 SP2 Patch 60: A delegated administrator can elevate the privileges of a child delegated administrator to the Master level administrator by altering HTML and can create a Master level administrator with the same name as its root parent. A delegated administrator with read-only rights cannot export accounts.
4.9.2 SP2 Patch 61: When an account with an expired password tries to log in to SecureTransport using HTTP or FTP, one internal session is not released until the Transaction Manager is restarted.
4.9.2 SP2 Patch 64: Saving an updated delegated administrator takes a very long time if there are many delegated administrators.
5.0 Patch 47:
  • If you create and save a Connect:Direct transfer site using a site template with placeholders in some field values and other values blank, the SecureTransport Administration Tool displays "An Unexpected Error Occurred!" when you try to open the transfer site.
  • The Administration Tool displays passwords in Connect:Direct site templates in plain text. This is a security vulnerability because all administrators can see the passwords.
  • The Administration Tool displays the passwords for Connect:Direct, SSH, FTP, and HTTP transfer sites in plain text in the HTML page source. This is a security vulnerability because all administrators can see the passwords.
  • If the Local server user name field is left blank in a Connect:Direct transfer site without a site template, authentication fails with a NullPointerException.
5.0 Patch 51: Under extremely high server loads in a large enterprise cluster, cluster nodes delay their communication, which leads them to separate and Coherence to lose part of its cache data. When some of the cache data is lost, DefaultTaskProcessor execution throws a NullPointerException at the end of each event processing and accumulates many log records in the Oracle database.
5.0 Patch 52:
  • In rare cases, due to a race condition, transfers fail to complete due to a NullPointerException while SecureTransport reads file-based server configuration. SecureTransport reports "Inprocess agent execution has failed" errors and throws errors when starting services from the command line.
  • In rare cases, a transfer might fail to complete due to a NullPointerException in com.tumbleweed.st.datasource.dom.method.GetSingleElement.process. File tracking reports "In Progress" status.
  • SecureTransport leaves some transfers with an "In Progress" status in File Tracking when they have been terminated before the client has transferred any data.
5.0 Patch 53:
  • When a temporary network problem occurs between the nodes in a large enterprise cluster, the cluster state does not restore correctly and the Administration Tool fails to update certificates, configuration options, and other objects.
  • A node removed from the large enterprise cluster can still be assigned events by other nodes for some time after it is removed. This behavior can cause transfers to stay in progress in the File Tracking page and problems with server-initiated transfers.
  • A SecureTransport process in a large enterprise cluster can stop processing when the database stops accepting log messages and a queue fills up.
5.0 Patch 54: When an account is created without a password and an administrator attempts to modify the account to use a password, the Administration Tool displays the error message "A user with ID userID could not be found" and the changes are not saved.
5.1 SP2 Patch 3:
  • When using the "Axway Box and Stripe in Blue" HTML template, the user can delete only one file during a single login session.
  • When using the SecureTransport Default HTML template, the user cannot change the password if the first attempt fails. The session is terminated on the second attempt and the user has to log in again.
  • When using the Rich Internet Client HTML template without Java installed, the user can upload only one file during a single login session.
5.1 SP2 Patch 5: A server-initiated file transfer from an SSH transfer site fails when a send option specifies a file move or rename on the remote system and the target file exists.
5.1 SP2 Patch 6:
  • An HTTP server-initiated file transfer to a remote SecureTransport Server does not send the file if a file with the same name exists on the remote server, even if the file has a different size or content.
  • An HTTP server-initiated file transfer from a remote SecureTransport Server always downloads files.
5.1 SP2 Patch 7: SecureTransport does not report a server-initiated file transfer that uses a custom protocol to Axway Sentinel. The server log reports "Secure Transport failed to send TO_EXECUTE notification to Synchrony Sentinel server" and "Unable to generate a cycle id with type DEFAULT."
5.1 SP2 Patch 8: When a real user without write permission to the xferlog file is mapped to a virtual user, SecureTransport fails to log server-initiated transfers for this user in the transfer log (xferlog) and reports a null pointer exception in the server log.
5.1 SP2 Patch 9: When an FTP client attempts to download (FTP GET) a file that does not exist, the SecureTransport FTP Server responds incorrectly with a 553 return code (Permission denied).
5.1 SP2 Patch 10: When custom applications use custom values for the "subscription anchor," SecureTransport overwrites the value with the default value of <subscriptionFolder>:<accountId> during creation and update of the subscription.
5.1 SP2 Patch 11: After the configuration changes described in KB 72181 (https://support.axway.com/kb/72181) are applied, the Admin service fails to start.
5.1 SP2 Patch 12: SecureTransport does not replicate objects created using the Java API from the primary server to the secondary servers in a standard cluster.
5.1 SP2 Patch 13: When an FTP client attempts to download (FTP GET) a file that does not exist, the transfer status is reported as in progress in the Administration Tool File Tracking page.
5.1 SP2 Patch 14: SecureTransport executes a scheduled recurring server-initiated pull (upload) when a previous instance of the pull is still running.
5.1 SP2 Patch 15: In an installation that uses an external Oracle database, a call to the SecureTransport Java API to update an Account that specifies the default HTML template path fails with a validation error.
5.1 SP2 Patch 16: When a SecureTransport installation that uses the external Oracle database has very many (for example, thousands of) virtual user accounts, searching for an account can take too long or time out.
5.1 SP2 Patch 20: When SecureTransport sends a file over PeSIT in Binary Fixed mode, SecureTransport adds NULL characters at the ends of some records in the file.
5.1 SP2 Patch 21: In a cluster implementation, the schedule in a subscription to an application is lost when the subscription is opened and saved.
Cases 600328 & 643407 (fixed in 5.1 SP3): When an SSH client uploads a file and supplies a UID and GID in the SSH_FXP_OPEN packet, SecureTransport uses the supplied UID and GID instead of the account's UID and GID.
Case 626523 (fixed in 5.1 SP3): When SecureTransport decrypts an uploaded file before sending it to a subscription to a Standard Router application, the unencrypted file is stored in an accessible directory.
Case 628936 (fixed in 5.1 SP3): The Admin.Port server configuration parameter is global, so different servers in a cluster cannot have different values, and it is not possible to serve the Administrative Tools on different IP addresses from different servers in a large enterprise cluster.
Case 636078 (fixed in 5.1 SP3): The log rotation script on a SecureTransport server that uses an external Oracle database references a MySQL program.
Case 641283 (fixed in 5.1 SP3): Administration Tool pages open slowly and sometimes fail to open.
Case 643123 (fixed in 5.1 SP3): When an asynchronous receipt receiver is configured in the AS2 settings, the status of a transfer might not be displayed correctly in File Tracking when SecureTransport does not receive the AS2 asynchronous receipt correctly.
Case 645196 (fixed in 5.1 SP3): The behavior of a Folder Monitor transfer site does not change when the account is enabled or disabled.
Case 647329 (fixed in 5.1 SP3): The Administration Tool File Tracking page response is very slow.
Case 647655 (fixed in 5.1 SP3): Files in WEB-INF directories that should not be accessible can be displayed in a browser.
Case 648538 (fixed in 5.1 SP3): Uploading a folder using FileZilla and SFTP fails if the folder does not already exist in the SecureTransport destination.
Case 649185 (fixed in 5.1 SP3): The SecureTransport server log displays very many WARN errors about a duplicate non-proxy host entry, even if there is only one host listed under Direct connection to following hosts.
Case 649655 (fixed in 5.1 SP3): When encryption is used with the AS2 protocol, SecureTransport does not set DXAGENT_RAWSOURCE correctly.
Case 649668 (fixed in 5.1 SP3): If a user logs in using a user name with one or more trailing space characters, SecureTransport treats this as a different active user and allocates another account license to that user.
Case 649787 (fixed in 5.1 SP3): Using the browser Back button followed by further navigation in the Administration Tool can produce an "Access Denied! You are not allowed to access requested page" message.
Case 650085 (fixed in 5.1 SP3): It is possible to see passwords in some of the transfer sites and in site templates in plain text by viewing the HTML source of the Administration Tool page in the browser. This is a security vulnerability because all administrators can see the passwords.
Case 653440 (fixed in 5.1 SP3): SecureTransport cannot import an account if it uses a certificate from the Local Certificates store in one of its transfer sites and if the account was previously imported and deleted.
No ID (fixed in 5.1 SP3): Once the SMTP password is set in the SMTP Configuration, it cannot be cleared.
No ID (fixed in 5.1 SP3): SecureTransport 5.1 allows password authentication when Client Certificate Authentication is set to Mandatory for SSH.
No ID (fixed in 5.1 SP3): If a user with an expired password tries to log in to SecureTransport, SecureTransport does not release the session memory.
No ID (fixed in 5.1 SP3): Server-initiated HTTP(S) transfers from SecureTransport to a WebSEAL proxy fail in some cases.
5.1 SP3 Patch 1: After uploading files using the SFTP protocol, the Transfer Log Maintenance application terminates with an error in the server log from the TM reporting a NullPointerException in the TransferLogMaintAgent.
5.1 SP3 Patch 2: When the path name of a user's home folder includes a symbolic link, the user cannot log in to SecureTransport.
5.1 SP3 Patch 3: SecureTransport does not perform a remote post-transmission action (PTA) when a failed transfer that was initiated by the SendToSiteAgent is resubmitted.
5.1 SP3 Patch 4: SecureTransport does not close the connection or delete the related event when a server-initiated SSH pull does not complete.
5.2 Patch 1: When a Web Access Plus user downloads a file from a folder specified in a Shared Folder application, Web Access Plus displays an error and the transfer status remains in progress in the File Tracking page.
5.2 Patch 2: When the client browser is configured to use a proxy, Web Access Plus HTTP transfer operations do not work as expected.
5.2 Patch 3:
  • When SecureTransport receives and sends a file using PeSIT, the record structure might be lost.
  • SecureTransport might skip empty records during a PeSIT server-initiated pull or a client-initiated upload.
  • When a server-initiated PeSIT pull uses checkpoint restart functionality, the size of the received file is less than the size of the sent file.
  • SecureTransport sometimes fails to record changes to file attributes that it maintains.
5.2 Patch 4: The SecureTransport web clients display files and folders with names that start with "." when listing directory content.
5.2 Patch 6: If a subscription is configured to retrieve files from a Folder Monitor transfer site with the Make Scheduled Folder Monitor Subscription option selected and a schedule configured, the transfer fails with the error "Missing configuration setting DXAGENT_SITE_TARGET."
5.2 Patch 7: After a custom application is implemented and deployed in SecureTransport:
  • The Create Application button on the New Application page and the Save Application button on the Application Details page do not return control to the Applications page.
  • The Add and Save buttons on the Subscription panel of the User Account page do not return control to the Subscriptions list.
5.2 Patch 9:
  • If administrator password settings require administrators to change their passwords and an administrator tries to log in with the wrong password, SecureTransport does not allow the administrator to log in subsequently with the correct password.
  • SecureTransport displays "Invalid username or password" for all failed logins to the Administration Tool.
5.2 Patch 10: SecureTransport does not close file descriptors used when files are uploaded or downloaded with repository encryption enabled. If the number of open file descriptors exceeds the operating system limit, the Transaction Manager terminates with an OutOfMemory error.
5.2 Patch 11: PGP decryption is attempted and fails when an unencrypted file is uploaded to a subscription folder and the subscription has Decrypt PGP File As selected and has Require Trusted Signature and Require Encryption deselected.
5.2 Patch 12: When a Web Access Plus session times out and the user tries to perform an action, the web browser prompts the user for credentials, sends them to the server, the session continues, and the action is performed.
5.2 Patch 13: SecureTransport does not save the settings in the Receipts section of an AS2 transfer site.
5.2 Patch 14:
  • SecureTransport does not use the network zone configured in an AS2 transfer site and connects directly to the partner AS2 server.
  • When the Enable FIPS Transfer Mode option in an AS2 transfer site is deselected after being selected, the change is not saved.
5.2 Patch 15: A SecureTransport user associated with a real Windows account and with a home folder on a network share cannot log in to SecureTransport.
5.2 Patch 16:
  • When SecureTransport acts as a hub for store and forward PeSIT transfers, the PI 99 (service message), PI 61 (original sender ID), and PI 62 (final destination ID) values were not routed.
  • When SecureTransport reports a PeSIT transfer to Axway Sentinel, the resulting report is inconsistent with the report from Axway Transfer CFT for the same transfer.
5.2 Patch 17: SecureTransport Edge directs all incoming FTP connections to the primary SecureTransport Server in an active/active cluster.
5.2 Patch 18:
  • When a user logs in and attempts to download a file using Web Access Plus from a SecureTransport Server running on Windows, the file stays in the "Waiting" state in the Web Access Plus Transfer Queue and SecureTransport reports an "Unable to fetch metadata for file" error in the server log.
  • A web service API call to the FilesResource to get file metadata from a SecureTransport Server running on Windows fails.
5.2 Patch 19: When the Internet Explorer security setting Include local directory path when uploading files to a server is enabled, the name of a file uploaded to SecureTransport includes the full local path. This is not the case for SecureTransport 5.1.
5.2 Patch 20: SecureTransport ignores the values of the Users.LoginNames.normalizedCaseInsensitiveUsername and Users.LoginNames.virtualUserCaseSensitive server configuration parameters for virtual users.
5.2 Patch 21: LDAP authentication fails on Windows for a user who does not have an applicable account template but has an applicable home folder prefix.
5.2 Patch 22: If a Web Access Plus user enters "../" one or more times in a file name to rename a file in the home directory to move it to the parent directory or to a directory above the parent directory in the file system hierarchy, the file to be renamed is deleted.
5.2 Patch 23: SecureTransport Server 5.2 on Windows does not operate correctly after applying Patch 1. The execution of external agents fails and SecureTransport reports the following error in the server log: Could not get file path for command c:\Program Files (x86)\Tumbleweed\SecureTransport\STServer/bin/utils/run as: c:\Program Files (x86)\Tumbleweed\SecureTransport\STServer\bin\utils\run as does not exist.
5.2 Patch 24: The HTTP service stops every day at 23:59.
5.2 Patch 25: When one of SecureTransport Server and SecureTransport Edge runs on a UNIX-based operating system and the other runs on Windows, a user cannot log in using HTTP.
5.2 Patch 26: A user running Web Access Plus in Internet Explorer 8 cannot delete the last entry from the transfer queue.

For information about fixed issues, refer to the latest Readme for SecureTransport.

Known issues

Installation, upgrade, and uninstallation

  • After upgrading directly from SecureTransport 4.9.2 SP2 to SecureTransport 5.2, dynamic cluster synchronization fails and reports "A synchronization problem occurred. Please see the Server Log for more information. You must synchronize the cluster manually!" Manual synchronization also fails, but without an error message on the Cluster Management page. In both cases, the warning in the server log states, "Certificates does not conform to algorithm constraints."
    This error occurs when a certificate in the certification path (certificate chain) is signed with the MD2RSA algorithm. To avoid the error, request a new certificate from your CA issuer and specify that no certificate in the certification path should use MD2 as its signature algorithm.
  • Installation or uninstallation on Windows might fail or hang the system if the <FILEDRIVEHOME> directory or any file in it or in any subdirectory is in use. Before uninstalling SecureTransport Server on the Windows platform, make sure that no SecureTransport resources such as files are in use.
  • Before performing Legacy System Import, stop all SecureTransport services except the database and admin services. To do this, perform the following steps:
    1. Stop all SecureTransport services using the <FILEDRIVEHOME>/bin/stop_all command.
    2. For SecureTransport instances running on MySQL, start the database service using the <FILEDRIVEHOME>/bin/start_db command.
    3. Start the admin service using the <FILEDRIVEHOME>/bin/start_admin command.
  • After Legacy System Import, if the Streaming.TrustedAliases server configuration parameter contains the ca alias, some services might fail to start.
    This is because Legacy System Import does not replace the Internal CA (with alias ca) of the SecureTransport instance, but instead imports it as ca-old-<Serial number of the old Internal CA>. After the import, the certificates of the services are signed by the old CA, while the streaming protocol trusts only certificates signed by the CA listed in Streaming.TrustedAliases, so the TransactionManager rejects connections from the daemons.
    To fix the issue, update Streaming.TrustedAliases to contain the alias of the imported Internal CA (ca-old-<Serial number of the old Internal CA>).
  • When upgrading to SecureTransport 5.2.1, the upgrade process deploys the new installer at the same level as the SecureTransport installation folder without notifying you.
  • When upgrading from any version of SecureTransport before 5.2 to 5.2.1, the resulting encrypted SMTP password is invalid, so functions related to sending email fail.
    Workaround: Reenter the SMTP password.
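The MD2 check behind the cluster synchronization item above, as an added example that is not SecureTransport code or Axway documentation: a standard-library Python scanner that reads each certificate's outer signatureAlgorithm OID from a PEM bundle and flags md2WithRSAEncryption before the chain is deployed. All function names are my own, and the sample chain it scans is constructed certificate-shaped DER, not real certificates.

```python
"""Scan a PEM certificate bundle for MD2-signed certificates (standard library only).

Added example, not SecureTransport code: it parses only enough DER to read each
certificate's outer signatureAlgorithm OID and flag md2WithRSAEncryption.
"""
import base64
import re

# Signature-algorithm OIDs this check names; anything else is reported as a raw OID.
SIGNATURE_ALGORITHMS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
MD2_OID = "1.2.840.113549.1.1.2"
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der):
    """Return the OID in a certificate's outer signatureAlgorithm field.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, body_start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, body_start)        # skip tbsCertificate entirely
    tag, alg_start, _ = _read_tlv(der, tbs_end)       # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])


def scan_pem_bundle(pem_text):
    """Return [(index, algorithm name or OID, is_md2)] for every certificate found."""
    results = []
    for index, match in enumerate(_PEM_RE.finditer(pem_text)):
        der = base64.b64decode("".join(match.group(1).split()))
        oid = signature_algorithm_oid(der)
        results.append((index, SIGNATURE_ALGORITHMS.get(oid, oid), oid == MD2_OID))
    return results


def chain_is_free_of_md2(pem_text):
    """True when no certificate in the bundle is signed with MD2."""
    return not any(is_md2 for _, _, is_md2 in scan_pem_bundle(pem_text))


# --- constructed sample input: certificate-shaped DER, not real certificates ---
def _der(tag, body):
    """Encode a DER TLV (short or long form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _fake_certificate(oid_bytes):
    """PEM-wrap SEQUENCE { empty tbs placeholder, AlgorithmIdentifier { oid, NULL }, BIT STRING }."""
    alg = _der(0x30, _der(0x06, oid_bytes) + _der(0x05, b""))
    der = _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00" * 9))
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


MD2_RSA_OID_BYTES = bytes.fromhex("2A864886F70D010102")     # 1.2.840.113549.1.1.2
SHA256_RSA_OID_BYTES = bytes.fromhex("2A864886F70D01010B")  # 1.2.840.113549.1.1.11
# Two-certificate "chain": leaf signed with SHA-256, issuer signed with MD2.
SAMPLE_CHAIN = _fake_certificate(SHA256_RSA_OID_BYTES) + _fake_certificate(MD2_RSA_OID_BYTES)

if __name__ == "__main__":
    for index, name, is_md2 in scan_pem_bundle(SAMPLE_CHAIN):
        print(f"cert {index}: {name}" + ("  <-- MD2, fails algorithm constraints" if is_md2 else ""))
    print("chain OK" if chain_is_free_of_md2(SAMPLE_CHAIN) else "chain contains an MD2-signed certificate")
```

Point scan_pem_bundle at the PEM export of the CA chain before importing it; any entry flagged as MD2 is the certificate that has to be reissued with a different signature algorithm.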

Configuration

  • After navigating in the Administration Tool, including using the browser Back function to go back one page, the Administration Tool displays "Access Denied! You are not allowed to access requested page" and SecureTransport logs an error.
  • (Windows) If you create new Transaction Manager rules on a secondary server in a standard cluster, these rules are not deleted when configuration is synchronized from the primary server. Workaround: Create all new rules on the primary server so that they are synchronized correctly to the secondary servers in the cluster. If you do not, you must manually delete the new rules from the secondary server.
  • When three or more sessions using the SSH Tectia client are transferring files, the SecureTransport Server can stop responding. To improve performance when using the SSH Tectia client, change the values of the Ssh.RandomAccessUploads.enable and Ssh.RandomAccessDownloads.enable configuration parameters to true.
  • The SNMP log entries cannot be viewed using the Administration Tool. SNMP log messages are stored in the <FILEDRIVEHOME>/bin/logs/agent.log file. You can view this log file with your favorite text editor.
  • When attempting to export the server configuration, you cannot add directories to the list of files to be exported in export.conf. You must list each file you want to export in export.conf.
  • Some certificates might not be correctly added to the keystore when importing accounts. To work around this issue, perform the import but do not select the option Cancel Import on Error. SecureTransport generates a file that lists the rejected accounts and reports the file name when the import completes. Download the rejected accounts file and select it to import the accounts.
  • If you import the same CA more than two times, the list of trusted CA certificates in the Administration Tool displays two or more items with an alias of the form ca-old-<serialNumber>. All of these items link to the same certificate.
  • Importing exported accounts fails when the exported accounts include an account template with the same name as an existing account template but a different ID. The setting of the Duplicated Accounts option makes no difference. You can, however, import an account with the same name as an existing account but a different ID.
  • (Oracle database only) It is not possible to delete all dates from the holiday schedule.
  • After data migration, restart all services, including admin. If admin is not restarted, there might be inconsistency problems between the TM and admin caches.
  • When you create or edit an AS2 transfer site, the Request Receipts for all Transfers and related options are not saved.
  • The server configuration parameters include several Rbft.* parameters. You can ignore these parameters because they are not used.
  • If you import server configuration from a SecureTransport 4.9.2 SP2 system, lib/certs/private/secret is added to <FILEDRIVEHOME>/conf/export.conf.
  • If Internet Explorer 9 fails to display the Administration Tool Import or Export Accounts page, in Internet Explorer add the SecureTransport Server to the web sites to display in Internet Explorer 8 mode.
  • (Solaris) If the HTTP Server fails to start and the console or the <FILEDRIVEHOME>/var/logs/tools.log file includes a Cannot send configuration to daemon error, edit <FILEDRIVEHOME>/conf/configuration.xml and replace:
      <HTTP port="9997">
        <Connection maxConnectionRetries="10" retriesInterval="1000"/>
        <Startup maxInitRetries="60" retriesInterval="1000"/>
      </HTTP>
      <FTP port="9996">
        <Connection maxConnectionRetries="10" retriesInterval="1000"/>
        <Startup maxInitRetries="60" retriesInterval="1000"/>
      </FTP>
    with:
      <HTTP port="9997">
        <Connection maxConnectionRetries="20" retriesInterval="5000"/>
        <Startup maxInitRetries="20" retriesInterval="5000"/>
      </HTTP>
      <FTP port="9996">
        <Connection maxConnectionRetries="20" retriesInterval="5000"/>
        <Startup maxInitRetries="60" retriesInterval="1000"/>
      </FTP>
  • If you convert a SecureTransport Server from the internal MySQL database to large enterprise clustering using an external Oracle database and the FTP and HTTP Server do not start, check <FILEDRIVEHOME>/conf/configuration.xml and delete the <Database_FTPDComponent> element and the <Database_HTTPDComponent> element if they are present. Make sure to delete the complete elements, including the opening tags with attributes, the enclosed <Options> element, and the closing tags. The elements to delete appear as follows (with line breaks added here):
      <Database_FTPDComponent
        databaseType="mysql" host="127.0.0.1"
        jdbcDriver="com.mysql.jdbc.Driver"
        jdbcUrl="jdbc:mysql://${host}:${port}/st?user=${user}&amp;
        password=${password}&amp;characterEncoding=UTF-8&amp;
        useTimezone=true&amp;serverTimezone=UTC" password="" port="33061"
        user="root">
        <Options hibernate.c3p0.max_size="100" hibernate.c3p0.min_size="2"
          hibernate.c3p0.timeout="1800"
          hibernate.cache.use_minimal_puts="false"
          hibernate.cache.use_query_cache="false"
          hibernate.cache.use_second_level_cache="false"
          hibernate.dialect="org.hibernate.dialect.MySQLInnoDBDialect"
          hibernate.show_sql="false"/>
      </Database_FTPDComponent>
      <Database_HTTPDComponent
        databaseType="mysql" host="127.0.0.1"
        jdbcDriver="com.mysql.jdbc.Driver"
        jdbcUrl="jdbc:mysql://${host}:${port}/st?user=${user}&amp;
        password=${password}&amp;characterEncoding=UTF-8&amp;
        useTimezone=true&amp;serverTimezone=UTC" password="" port="33061"
        user="root">
        <Options hibernate.c3p0.max_size="100" hibernate.c3p0.min_size="2"
          hibernate.c3p0.timeout="1800"
          hibernate.cache.use_minimal_puts="false"
          hibernate.cache.use_query_cache="false"
          hibernate.cache.use_second_level_cache="false"
          hibernate.dialect="org.hibernate.dialect.MySQLInnoDBDialect"
          hibernate.show_sql="false"/>
      </Database_HTTPDComponent>
  • The configuration information that directs transfer log (file tracking) data and server log data to different databases is not saved when you export server configuration, because it is stored in the configuration.xml file, which is not exported. As a result, that configuration is not transferred or restored when you import server configuration.

Reporting

  • When using SecureTransport large enterprise clustering, log entries are stored in the Oracle database. When runtime and system logs grow to millions of entries, exporting the log data from the Administration Tool might take up to a few hours to complete.
  • When a client-initiated transfer uploads a file as ASCII using SFTP, it is displayed as BINARY on the File Tracking page and in var/log/xferlog.
  • SecureTransport Edge: If you change the SOCKS Proxy server port from the Administration Tool (Operations > Server control) to a port that is currently in use, no error message is displayed and the entries in the relevant logs do not indicate that the port was in use at the time of the change. An error message is only displayed in the server console when you manually execute the <FILEDRIVEHOME>/bin/start_socks script and the port is in use.
  • When the time zone in SecureTransport is defined in a GMT+00:00 format, any daylight savings settings are not correctly applied. This can cause a one hour time difference between the time zone value in SecureTransport and the actual time. Use either GMT format without the time offset or use a local time format.
  • The Size entry field in the <FILEDRIVEHOME>/var/logs/xferlog log file shows the transferred file size (the literal number of sent or received bytes), not the actual file size in the way the file is stored in the file system. When the file is compressed or encrypted during the transfer, the transferred file size is displayed in the Byte Transferred field in the File Tracking page in the Administration Tool and might differ from the actual size of the file.
  • After performing a nightly rotation, SecureTransport does not move the following files:
    • as2d_tomcat*.log in <FILEDRIVEHOME>/var/logs/
    • admin_tomcat*.log in <FILEDRIVEHOME>/var/logs/admin
    The tm_agent_error.log file is also not rotated even when nightly rotation is enabled. However, the administrator can edit the <FILEDRIVEHOME>/bin/rotate script and add the files manually.
  • If you delete or rename a file, a debug-level error message regarding the ARCHIVEFILE_UNIQUE_MODIFIER might appear in the Server Log. You can ignore the message and continue working.
  • With an installation that uses MySQL, you might experience an error when you attempt to view the history of a file that has been downloaded many times, which results in a large file history. To work around this problem, configure MySQL with an increased packet size. In the [mysqld] section of the file <FILEDRIVEHOME>/conf/mysql.conf, add the following line to increase the packet size to 2 MB:
      max_allowed_packet=2M
    If the file history is still too big, you can increase the packet size accordingly.
  • When the Administration Tool server (admind) starts, it logs a severe item in <FILEDRIVEHOME>/tomcat/admin/logs/catalina.out that states "register definition failed." You can safely ignore this log entry.
  • The Server Usage Monitor page lists the PID for each action, but this value is not relevant because it is not the operating system process ID.
  • The audit log is not correctly filtered when using the Last Modified link. If the change associated with the Last Modified link took place more than 24 hours in the past and you click the link in the Search section of the audit log, 24 hours is displayed for the Time Interval, but all audited values are shown.
  • When you create a new user class, the audit log shows Update entries for all existing user classes. This is expected behavior because the order of all classes is changed.
  • If a user reaches the limit of failed authentications specified in the user account and SecureTransport locks the account, the change to the account is not recorded in the audit log and the Last Modified link for the account is not updated.
  • When you update a transfer profile, the audit log reports this action as "Transfer Profile created."
  • When services are shut down, an exception is recorded in the serverlog-fallback.log file stating that the STDBAppender Database Status Checkup Daemon was interrupted. This is expected behavior.

Performance

  • Under load, file upload and download speeds can differ.
  • Generating a new CA on a SecureTransport appliance can take more than 10 minutes when the value of securerandom.source in the file <FILEDRIVEHOME>/jre/lib/security/java.security is set to /dev/random, because /dev/random blocks whenever the kernel's entropy estimate runs low. You can improve performance by changing the value of securerandom.source to an empty string or /dev/urandom. On Linux, /dev/urandom is served by the same kernel CSPRNG and does not block, so it is the appropriate setting for a server; do not substitute a weaker seed source.
  • (Solaris) When SecureTransport runs on an Oracle Solaris system with many virtual cores, the TM Server makes many connections to the protocol servers and the performance of the protocol servers is reduced. To work around this issue, edit the <FILEDRIVEHOME>/bin/start_tm file and make the following change:
  • After the line:
    • JAVA_OPTS="-Dfile.encoding=utf8 $JAVA_OPTS"
  • add the line:
    • JAVA_OPTS="-DStreaming.numberOfConnections=number_of_cores $JAVA_OPTS"
  • where number_of_cores is the number of physical cores for the system.
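The two Performance items above both come down to an edit or a check on a file under <FILEDRIVEHOME>. The following shell helpers are an added example written for this page, not code from the release notes or from Axway: securerandom_kind reports what the securerandom.source setting in a java.security file resolves to (so you can tell a blocking /dev/random from /dev/urandom before generating a CA), and add_streaming_connections applies the start_tm edit exactly once, directly after the file.encoding line, and refuses a missing anchor line or a bad core count. Paths and the core count are arguments; the sample files, the class name com.example.TransactionManager and the core count of 8 in the usage lines are constructed for illustration. Java Properties parsing rules are assumed for java.security (comments start with # or !, '=' or ':' separates key and value, the last definition wins).

```shell
# Added example, not from the release notes or from Axway: helpers for the
# two Performance items. Both operate on whatever file path you pass them,
# so try them on copies first.

# Effective securerandom.source value of a java.security file.
# Assumed Java Properties rules: '#'/'!' comments, '='/':' separator,
# last definition in the file wins.
securerandom_source() {
  awk '
    /^[ \t]*[#!]/ { next }
    {
      line = $0; sub(/^[ \t]+/, "", line)
      if (match(line, /^securerandom\.source[ \t]*[=:]/)) {
        val = substr(line, RLENGTH + 1)
        sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
        last = val
      }
    }
    END { print last }' "$1"
}

# blocking    -> /dev/random: the slow CA-generation case
# nonblocking -> /dev/urandom: what a server should use
# default     -> empty or unset: the JVM seeds itself
securerandom_kind() {
  case "$(securerandom_source "$1")" in
    "")                           echo default ;;
    file:/dev/random|/dev/random) echo blocking ;;
    *urandom*)                    echo nonblocking ;;
    *)                            echo other ;;
  esac
}

# Insert the Streaming.numberOfConnections line once, directly after the
# file.encoding line of a start_tm script. Rejects a bad core count or a
# file without the anchor line, and writes via a temp file plus rename so
# the script is never left half-written.
add_streaming_connections() {
  file=$1; cores=$2
  anchor='JAVA_OPTS="-Dfile.encoding=utf8 $JAVA_OPTS"'
  new="JAVA_OPTS=\"-DStreaming.numberOfConnections=$cores \$JAVA_OPTS\""
  case $cores in
    ''|*[!0-9]*|0*) echo "cores must be a positive integer" >&2; return 2 ;;
  esac
  if grep -q 'Streaming.numberOfConnections=' "$file"; then
    echo "already present in $file, nothing changed" >&2; return 0
  fi
  grep -qF "$anchor" "$file" || { echo "anchor line not found in $file" >&2; return 1; }
  tmp="$file.tmp.$$"
  awk -v a="$anchor" -v n="$new" '{ print } $0 == a { print n }' "$file" > "$tmp" &&
    mv "$tmp" "$file"
}

# Constructed inputs (not real product files) for trying the helpers.
sample_java_security() {
  cat <<'EOF'
# Select the source of seed data for SecureRandom.
#securerandom.source=file:/dev/urandom
securerandom.source=file:/dev/random
EOF
}
sample_start_tm() {
  cat <<'EOF'
#!/bin/sh
JAVA_OPTS="-Xmx1g $JAVA_OPTS"
JAVA_OPTS="-Dfile.encoding=utf8 $JAVA_OPTS"
exec "$JAVA_HOME/bin/java" $JAVA_OPTS com.example.TransactionManager
EOF
}
# Usage, with a hypothetical count of 8 physical cores:
#   sample_java_security > /tmp/java.security; securerandom_kind /tmp/java.security
#   sample_start_tm > /tmp/start_tm; add_streaming_connections /tmp/start_tm 8
```

Running add_streaming_connections a second time on the same file changes nothing, which is what you want from a step that may be repeated during cluster maintenance; pass the physical core count as the release notes state, not the number of virtual cores.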

File and folder names

  • When using wildcard characters with the HTTP/S protocol, be aware that SecureTransport does not support the following:
    • Using two wildcard characters in a single statement, such as:
    • ./fdx -l https://username:password@IP:port/1*1/*
    • Using ? as a wildcard character in the SecureTransport Command Line Client.
  • Note that credentials placed in the URL on the command line, as in the example above, are visible to other users of that machine in the process list and are kept in the shell history.
  • Some special characters are not supported in the file names when transferring files. SecureTransport does not support the use of the following special characters in the names of transferred files: <, >, |, :, ?, ~ (at the beginning of the file name), ", *, /, \, and %.
  • SecureTransport does not support the use of the following special characters in the subscription folder name when a Shared Folder application is created and an account is subscribed to the application: ., *, <, >, ?, ", \, |, :, and /.
  • The same special characters cannot be used in the names of accounts and account home directories, except that \ and / are allowed when they act as separators between directories.
  • SecureTransport does not support the upload of files to a remote server running on a Windows platform if the file name contains any of the following characters: \, /, :, *, ?, <, >, and |.
  • Subscription folder names cannot use any of the following special characters: *, :, ", |, <, >, ?, and \. However, the \ and / characters are allowed when they act as separators between directories.
  • When you browse for files using the Web Client, it will not display contents of directories or files that have the name /scripts, /html or /icons or any other alias listed in the Http.FdxAlias server configuration parameter.

Transfers

  • If there is no default network zone configured, ad hoc file transfers fail. Workaround: Configure a default network zone.
  • If the ad hoc Delivery Method for user is Custom with only one item selected in the Enrollment Types field and the Implicit Enrollment Type is Selected by sender, the ad hoc sender cannot send. Workaround: Select the same value in the Enrollment Types field and the Implicit Enrollment Type field.
  • When sending a large file from one SecureTransport Server to another SecureTransport Server using HTTPS, the transfer completes, but the sending server reports "Error during upload operation: Read timed out" and retries the transfer. Workaround: Set the OutboundConnections.receiveTimeout server configuration parameter on the sending server to a value larger than the time the receiving server takes to compute the checksum of the transferred file.
  • When using the deprecated Axway Transfer CFT interoperation features, the File Tracking page reports the full path of a file transferred to Axway Transfer CFT when it should report only the file name.
  • Some earlier versions of LFTP cannot transfer files to SecureTransport 5.2 using FTP with the SSL option (FTPS). Use LFTP 3.7.14, the supported version.
  • When using cURL to download a zero-size file, the file is not downloaded. This is a known issue with cURL.
  • Server-initiated transfers using the SSH protocol from SecureTransport to a FreeBSD 7.2 server fail because OpenSSH 5.1 is configured by default to support only public key and keyboard-interactive authentication. To enable SSH transfers from SecureTransport to a FreeBSD 7.2 server using OpenSSH 5.1, make one of the following configuration changes:
    • Modify the SecureTransport SSH transfer site to use an SSH key for authentication and import the key on the FreeBSD system (preferred, since it keeps password authentication disabled on the server), or
    • Configure OpenSSH on the FreeBSD system to allow password authentication, if your security requirements permit it. To enable password authentication, edit /etc/ssh/sshd_config and set PasswordAuthentication yes and ChallengeResponseAuthentication no.
  • When you transfer a file over the HTTPS protocol using the SecureTransport Windows Client, the transfer may fail if the session timeout period set for the server is shorter than the time needed to calculate the checksum. This issue is most likely to occur when transferring large files, such as files larger than 1 GB.
  • To avoid file transfer failures, increase the session timeout configuration in the Session Timeout (seconds) field on the Setup > Miscellaneous page of the Administration Tool.
  • When a server-initiated file transfer uses SFTP in ASCII transfer mode and the file does not contain an end-of-line character sequence at the end of the file before the transfer starts, the end-of-line character sequence is automatically added to the end of the file during the transfer.
  • While using SecureTransport through a web browser, there is a limit on the size of files that can be sent (posted). Consult your web browser documentation for the specific limit.
  • Server-initiated transfers assign the user class solely based on the user account UID and GID. When the user class for the account is an EncryptClass based on a user name, the user class for the account may contain different values than those assigned to the account when the user logs in. This can cause files not to decrypt properly during a server-initiated transfer. Try setting the EncryptClass to use the UID and GID to prevent this issue.
  • If you are using SSH and the connection suddenly closes during a server-initiated transfer, you may see a Java IO Exception error message in the TM logs. This can occur when the server is under load and the option under Setup > SSH Settings > Maximum Number of Connections is set too low. Try increasing the number of connections to be higher than the peak number of concurrent SSH connections.
  • When using SFTP or SCP to perform SSH transfers to a directory that does not exist, the transfer fails and the connection closes. The client may not report an error, or may report one only when the connection closes. Make sure the destination directory exists before initiating the transfer.
  • The SmartFTP client uses the MDTM command which may cause an uploaded file in SecureTransport to display a date stamp different than the one sent by the client.
  • When your SecureTransport license is invalid, transfers will fail, but the messages in the tm.log file and in the File Tracking page do not indicate that the reason the transfer failed is because the license is invalid.
  • The SSH transfers that are logged in the xferlog use a different time format than the other protocol transfers. Other protocols use WWW MMM D, such as Mon Aug 6. SSH uses WWW MMM DD, such as Mon Aug 06.
  • When using AS2 to perform a server-initiated download with the Site Mailbox application type, the outbox folder does not get created until the user receiving the file logs into SecureTransport.
  • Windows platform: If you use UNC to create a user home directory, you might be unable to send or receive file transfers sent through the AS2 protocol. The Server Log page shows any error messages that occur in the TM Log. Make sure the appropriate permissions have been given to System, and the user account is mapped to a real system user with the appropriate permissions for the UNC directory.
  • Using the FTP or FTPS protocol to perform server-initiated transfers to mainframes that don't support the SYST command may not proceed properly.
  • When repository encryption is enabled, transfers that start from a non-zero file offset or that are out of sequence fail. Repository encryption only supports sequential transfers, and only supports starting at the beginning of the file.
  • Downloads over SSH fail when both repository encryption and random-access downloads are enabled. When using repository encryption, random-access downloads over SSH should be disabled.
  • Post-transmission actions specified as part of a subscription that fail during a transfer cannot be resubmitted or retried because they are not considered part of the transfer.
  • File Transfers using the Connect:Direct protocol fail if the file name contains non-ASCII characters.
  • When a server-initiated pull transfer succeeds but a post-transmission action that must run on the remote partner site fails, the File Tracking page shows the Resubmit button and the status Failed Subtransmission. If you click Resubmit, the transfer is resubmitted and this time is shown as successful, even though the post-transmission action is not executed and fails again.
  • If a service account is subscribed to Standard Router Application to push encrypted files and SecureTransport terminates during the encryption phase of the transfer, SecureTransport fails to recover the transfer when it restarts because the file has been renamed as part of the encryption process. An error in the Server log reports exit code 64 and a failure to rename the file.
  • If SecureTransport terminates during decryption of an encrypted file or other post-transmission action on file received by a server-initiated transfer, SecureTransport fails to recover the transfer when it restarts because the file has been moved to a different directory. In the decryption case, the encrypted file is in the destination directory, so you can decrypt it manually.
  • A server-initiated transfer from Ipswitch WS_FTP Server 7.5 that uses a * wildcard character to transfer multiple files that match a pattern might include other files. This is due to the way Ipswitch WS_FTP Server 7.5 processes the wildcard.
  • If you issue a cd command to a directory that does not exist when using the PSFTP client, it does not report the failure returned by SecureTransport. Subsequent transfers fail.
  • When a user with repository encryption enabled sends files using ad hoc file transfer, those files are not encrypted when they are stored in a package file in the package manager base folder.
  • Because of errors in third-party software, the following cipher suites do not work for FTPS and HTTPS transfers. (The RC4 and 3DES suites in this list are weak in any case; RFC 7465 prohibits RC4 in TLS, so leaving them out of the configured suites loses nothing.)
    • TLS_ECDH_RSA_WITH_RC4_128_SHA
    • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_RSA_WITH_RC4_128_SHA
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    • TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    • TLS_ECDH_ECDSA_WITH_RC4_128_SHA
    • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • If you attempt to log out of an HTTP session while file transfers are active, the logout fails, but you do not receive an error message.
  • If the value of the Files to Send field or the Receive File As field in a transfer profile is an expression that evaluates to a unique value, PeSIT checkpoint restart does not work for that transfer profile.
  • If a user sends an ad hoc file transfer with an expiration of Never, the resulting ad hoc file transfer package is not removed from the SecureTransport Server file system when there are no more active references to it.
  • When the lock on the processed file is not properly removed, a transfer fails with a transfer log entry that reports that com.tumbleweed.st.server.appframework.TransferLogAgent returned a -64 exit status.
  • Users cannot perform server-initiated AS2 transfers using the Transfers resource of the web service API unless their user account is subscribed to a Site Mailbox application.
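Two of the known issues above concern the xferlog format: the Size field records bytes on the wire rather than the stored file size, and SSH entries zero-pad the day ("Mon Aug 06") while other protocols do not ("Mon Aug 6"), so plain string sorting or grouping by date splits one day's entries across two keys. The following awk-based normalizer is an added example for this page, not code from the release notes or from Axway. It assumes the classic wu-ftpd xferlog field layout (weekday, month, day, time, year, transfer time, remote host, file size, file name, type, special action, direction, access mode, user name, service name, ...); check the field positions against your own xferlog before relying on them. The two sample log lines are constructed, not real log data.

```shell
# Added example, not part of the release notes: rewrite xferlog entries
# with an ISO date so SSH ("Aug 06") and FTP ("Aug 6") entries for the
# same day compare equal. Field layout is the assumed wu-ftpd style:
#  1 weekday 2 month 3 day 4 time 5 year 6 xfer-time 7 remote-host
#  8 file-size (bytes on the wire, not stored size) 9 file-name 10 type
# 11 special-action 12 direction 13 access-mode 14 user 15 service ...
xferlog_to_iso() {
  awk '
    BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i }
    NF >= 15 && ($2 in mon) && $3 ~ /^[0-9]+$/ {
      # $3 is the day with or without a leading zero; %02d normalizes it.
      printf "%s-%02d-%02dT%s size=%s dir=%s user=%s svc=%s file=%s\n",
             $5, mon[$2], $3, $4, $8, $12, $14, $15, $9
      next
    }
    { print "UNPARSED: " $0 > "/dev/stderr" }
  '
}

# Constructed sample lines (not real log data): one FTP transfer and one
# SSH transfer of the same file on the same day.
sample_xferlog() {
  cat <<'EOF'
Mon Aug 6 09:15:02 2012 4 203.0.113.5 1048576 /home/alice/report.pgp b _ i r alice ftp 0 * c
Mon Aug 06 17:40:11 2012 3 203.0.113.7 1048576 /home/alice/report.pgp b _ o r alice ssh 0 * c
EOF
}
# Usage: sample_xferlog | xferlog_to_iso | sort
```

Lines that do not fit the layout are echoed to stderr with an UNPARSED prefix rather than silently dropped, so a field-layout mismatch on your installation shows up immediately instead of as missing transfers in a report.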

Authentication

  • If there are many trusted CA certificates installed in SecureTransport, the login page of the web client does not display. To avoid this issue, delete unused trusted CA certificates.
  • If LDAP authentication is set to mandatory and there is a virtual user account whose login name matches the login name of an LDAP user mapped to an account template, when that user logs in, the settings of the virtual account are used instead of the settings in the account template. For this to work, the Use External Password check box must be selected in the account settings.
  • A SecureTransport user authenticated using LDAP cannot have Cyrillic characters in the user name.
  • If the personal certificates installed in your browser are not trusted by SecureTransport and you try to connect to the SecureTransport administrative interface, the server returns a message that there are no certificate authorities known for verification. The browser does not handle this message and displays an error page that does not explain why you cannot log in. This happens when you select the Enable administrator login using client certificates option, specify that the certificate is required, and choose the Accept certificates issued by any trusted issuer option.
  • SecureTransport does not support certificate authentication with a CuteFTP client. Logging in with a user name and a password when using CuteFTP is recommended.
  • The Ftp.Ssl.StrictRfc2228 server configuration parameter only changes the response code to AUTH TLS:
    • 334 when off, 234 when on; 234 is the code required by RFC 4217.
  • The response to USER is now controlled by the new Ftp.Ssl.StrictRfc2228CertAuth parameter:
    • 230 when off, 232 when on, in response to USER when no PASS is required; 232 is the code required by RFC 2228.
  • After a Transaction Manager restart, users logged in to SecureTransport using a web client can continue without being required to log in again.
  • If a user attempts to log in to SecureTransport over HTTPS with a valid login certificate that is mapped to a different account than the user name supplied, SecureTransport ignores the user name and establishes the session as the account associated with the certificate.
  • If Firefox is not configured to trust the CA that issued the HTTPS certificate or if the SecureTransport host name does not match the certificate DN, when you open a web client in Firefox, SecureTransport logs warnings and errors in the server log. You can ignore these log messages because SecureTransport and the web client work correctly.
  • When client certificate authorization is mandatory for FTPS and an FTP client attempts to log in without the required certificate, the error reported by SecureTransport 5.2 is different from the error reported by SecureTransport 5.1. SecureTransport 5.2 detects and reports an error in response to the FTP AUTH command and does not establish the SSL connection. SecureTransport 5.1 processes the AUTH command and establishes the SSL connection, but it detects and reports an error in response to the USER command.
  • If an FTP client fails to connect using FTPS and the server log reports warnings or errors in com.axway.st.server.ftpd.listener.nio.StFtpHandlerAdapter, set the Ftp.Ssl.StrictRfc2228 server configuration parameter to false and restart the FTP Server.
  • When you open a web client using Internet Explorer, the server log might include a warning of a possible truncation attack. You can ignore this log message because SecureTransport and the web client work correctly.

Access

  • UNIX platforms: SecureTransport does not support native Access Control Lists (ACL).
  • When an existing user account is locked (from the account editing page in Accounts > User Account) and the locked user attempts to log in to SecureTransport, an “empty” user session is incorrectly created.
  • A user can delete a symbolic link (symlink) to a directory even if the directory is not empty.
  • When trying to match the EncryptClass for a SiteMinder user, you need to use a wildcard such as ? or * after the user name, for example user1*.

PGP

  • If you use PGP Desktop for creating and encrypting with PGP keys, use version 9.0.3 or later. Using versions before 9.0.3 might result in failed decryption of BINARY PGP-encrypted files.
  • Some PGP clients allow the encryption of multiple files that results in a single encrypted .tar file. SecureTransport only decrypts the file and does not unpack (untar) it. The transferred file is a .tar file.
  • SecureTransport cannot verify the signatures of files signed with the RIPEMD-160 algorithm when using DSA/ElGamal keys.
  • The folder used to perform PGP data transformations must have the Create Directory or an equivalent permission. Check the NAS settings to verify the permissions.
  • If you specify only a directory in the Decrypt PGP File As or Encrypt File As field of a post-transmission action and that directory is empty, the directory is overwritten. If the directory is not empty and you did not specify a file name, the decrypted or encrypted files are not created in the directory.

Transaction manager

  • When creating a custom rule, make sure the rule name does not contain a space. For example, MyRule is valid, but My Rule is not.

Axway Sentinel integration

  • The Axway Sentinel dashboards supplied with SecureTransport 5.2 are designed to run on an Axway Sentinel installation that uses a MySQL database. They require customization to work with a different database.
  • If you change the file or path name of the Axway Sentinel integration overflow file and there are events in the existing file, SecureTransport does not send those events to Axway Sentinel.
  • If the Axway Sentinel integration is configured to pause all file transfers sent from and received by SecureTransport when the overflow file exceeds its maximum size, and the overflow file does exceed that size, a user who was logged in before transfers were paused can still delete a file, and no event for the deletion is stored in the overflow file or sent to Axway Sentinel.
  • When the Axway Sentinel integration is implemented for a SecureTransport high capacity deployment, events are sent independently to the Axway Sentinel server from the separate SecureTransport Servers. Because of different workloads on the different servers and event buffering in the overflow files, events for a transfer might arrive at the Axway Sentinel server out of order.
  • If you change a setting on the Axway Sentinel Events page of the Administration Tool and click Save, pending events stored in the overflow file might not be sent to Axway Sentinel correctly.
  • When a file transfer involves a post-transmission encryption action, the cycle ID reported to Axway Sentinel might be incorrect, resulting in missing cycle links.
  • SecureTransport reports PeSIT code PI 33 to Axway Sentinel as INDEXED instead of ORG_SEQUENTIAL.

Web Clients

  • When you rename a file to the name of an existing file using the FTP RENAME TO (RNTO) command, the existing file is overwritten without confirmation. Renaming a file to its own current name deletes the file.
  • When you pause a file transfer using the SecureTransport Web Access Plus, two errors are reported to the server log:
    • ERROR HTTPD qtp1873539027-45 Error while uploading file to location: /
    • ERROR HTTPD qtp1873539027-45 Transfer interrupted while uploading file.
  • These messages do not represent real errors in the file transfer and can be ignored.
  • Before Web Access Plus loads, you might see the message The application requires an earlier version of Java. Do you want to continue? This message appears when there is more than one version of Java installed on the system. To prevent this message, open the Java Control Panel, enable the latest version of Java, and disable the previous versions.
  • If the Package Manager Base Folder is not configured correctly on the Ad Hoc Setting page, Web Access Plus displays an error message and the ad hoc file transfer functions do not work correctly.

Other

  • For the first manual synchronization of Standard Cluster, you must reenter the IP addresses of the secondary nodes and clear the browser cache. Subsequent manual synchronizations work without these additional steps.
  • When using Oracle Solaris in a standard cluster, remote bounce to the secondary machines might fail. To correct this problem, increase the values of the OutboundConnections.receiveTimeout and OutboundConnections.connectTimeout server configuration parameters.
  • Occasionally, the Transaction Manager terminates and reports an unhandled exception error (java.lang.ExceptionInInitializerError) when it is restarted in a large enterprise cluster. When this happens, start the Transaction Manager again.
  • If you use the Administration Tool to perform any action on a secondary server of a standard cluster during manual synchronization, the synchronization might fail with an unhandled exception and the warning, Error while transfering manual sync data to remote node in the server log.
  • If SSL encryption is set to mandatory for all user classes, the setting is not enforced for HTTP and PeSIT: logins over those protocols still proceed unencrypted.
  • Note: Patch 33 and Patch 44 from SecureTransport 5.0 are NOT merged into SecureTransport 5.2.1.
  • The SiteTemplate resource of the web service API is deprecated. Do not use it.

Documentation

This section provides additions and corrections to guides from the SecureTransport 5.2 documentation set that were not updated for SecureTransport 5.2.1.

Administrator's Guide and Administration tool online help

HTTP(S) transfer site

The image and text should have the new option button labels under Server Settings:

  • Specify partner using hostname (IP address) and port number
  • Specify partner using URL

There is no functional change.

Developer's Guide

Shell script using cURL

The command to run the shell script should be:

./AccountCreate.sh -name <account-name> -homefolder <account-home-folder> \
   -uid <uid> -gid <gid> -email <account-email> \
   -phone <account-phone-number> -key <filepath-to-ssh-key>

Web Client User's Guide

Client interfaces

If you have Java 1.6 or later, Web Access Plus is fully functional. If you have Java 1.5, you should upgrade to Java 1.6 or later.

Web Access Plus overview

Web Access Plus can create, rename, and delete folders and files on the local computer and files on the SecureTransport Server. It can also create and delete folders on the SecureTransport Server.

Support services

The Axway Global Support team provides worldwide 24x7 support for customers with active support agreements.
Email support@axway.com or visit Axway at support.axway.com.


Copyright © 2016 Axway. All rights reserved
