Central Governance registration concepts

This topic describes the Transfer CFT to Central Governance registration process.

There are several types of exchanges that occur between Central Governance and Transfer CFT. The first exchange is registration, which begins when Copilot, the Transfer CFT UI, initiates a request to connect with Central Governance.

Registration is performed over an SSL connection using simple authentication. Further exchanges, the heartbeat and certificate renewal, are performed over an SSL connection using mutual authentication, as described in Central Governance exchanges.

Refer to the Central Governance 1.1.3 User Guide for more information on registration processes, such as registration approval.

Registration exchange overview

Copilot submits registration and Central Governance sends certificates by way of response.

Step overview

Starting Copilot after installation begins the connection and registration process with Central Governance. This section describes the general steps that occur during the registration process, and the impact on the configuration.

Note: Transfer CFT requires the Central Governance shared secret to register. See the Central Governance documentation for details.

1. Copilot connects to Central Governance and submits its registration.

  • Copilot sends a registration request over an SSL connection with simple authentication. Copilot authenticates the Central Governance server using the CA certificate referenced by the uconf:cg.ca_cert_id parameter. The registration request contains:
    • Information about the Transfer CFT instance, including its instance name, host, port and version.
    • Two Certificate Signing Requests (CSRs) for Central Governance to process.
    Note: If you use an intermediate certificate as the governance CA certificate, you must also add the root CA certificate that signs this intermediate certificate to the Transfer CFT PKI database.

2. Central Governance sends the SSL certificates to Transfer CFT.

Central Governance processes the CSRs and returns two SSL certificates: one dedicated to governance exchanges, and the other dedicated to business exchanges (that is, used for securing file transfers between the registering Transfer CFT and all other Managed File Transfer products).

Both certificates are stored in the internal PKI base using the following identifiers:

  • <uconf:cft.instance_id>_GOV for the governance certificate;
  • <uconf:cft.instance_id> for the business certificate.

3. Copilot sends the first heartbeat over a mutually authenticated SSL connection.

4. The Transfer CFT configuration is updated and returned to Transfer CFT.

During the registration process Central Governance receives the current configuration of Transfer CFT and changes it according to Central Governance rules.

Registration completes with Transfer CFT appearing in the Central Governance product list with the status of "Started" or "Stopped".

Configuration updates

During the registration process Central Governance receives the original Transfer CFT configuration and updates it so that Transfer CFT is configured to:

  • Connect to Central Governance using the Central Governance mutual authentication port
  • Use Central Governance for access management
  • Use Central Governance for transfer monitoring
  • Use its own internal PKI

These changes create two security profiles (CFTSSL) for Transfer CFT, one client and one server, both named SSL_DEFAULT.

Re-register with Central Governance

In the above registration scenario, when Central Governance sends the SSL certificates to Transfer CFT (step 2), the uconf:cg.registration_id parameter is set to a positive integer. If an error occurs during step 3 or 4, the registration process ends in error. To repeat the registration, perform the following steps:

  1. Stop Transfer CFT.
  2. Stop Copilot.
  3. Set the uconf:cg.registration_id to its default value (-1) using the command:
    • CFTUTIL uconfunset id=cg.registration_id
  4. Start the Transfer CFT Copilot. Copilot starts the registration process.

Customize the SSL certificate Distinguished Name (DN)

To override the business certificate's Distinguished Name (DN), which is generated during the Central Governance registration or certificate renewal, set the UCONF parameter cg.certificate.business.csr_dn to the custom value. The default is O=Axway,OU=MFT,CN=%uconf:cft.full_hostname%. Remember to separate tokens by a comma.

uconfset id=cg.certificate.business.csr_dn, value='O=MyCompany,OU=MFT,CN=%uconf:cft.full_hostname%'

A best practice is to customize the certificate DN prior to registration. However, if you are customizing the certificate DN after the Transfer CFT registration, you can force an immediate renewal or wait for the automatic renewal as described in SSL certificate renewal.
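The following Python script is an added example, not part of the Transfer CFT documentation or product. It ties together three points above: the certificate identifiers that should exist in the internal PKI base after step 2 (<instance_id>_GOV and <instance_id>), the meaning of cg.registration_id for deciding whether re-registration is needed, and the comma-separated DN template with %uconf:...% tokens used for cg.certificate.business.csr_dn. The UCONF values and PKI identifier list are constructed sample data (an operator would read the real ones back with CFTUTIL uconfget and the PKI tools); the list of accepted RDN attribute types is an assumption of this example, not a Transfer CFT rule.

```python
import re

# Constructed sample of UCONF values as an operator might read them back with
# "CFTUTIL uconfget". Parameter names are from the documentation; values are made up.
SAMPLE_UCONF = {
    "cft.instance_id": "CFT_PARIS01",
    "cft.full_hostname": "cft-paris01.example.com",
    "cg.registration_id": "42",
    "cg.certificate.business.csr_dn": "O=MyCompany,OU=MFT,CN=%uconf:cft.full_hostname%",
}

# Constructed list of certificate identifiers present in the internal PKI base.
SAMPLE_PKI_IDS = ["CFT_PARIS01_GOV", "CFT_PARIS01"]

# Default business CSR DN stated in the documentation.
DEFAULT_CSR_DN = "O=Axway,OU=MFT,CN=%uconf:cft.full_hostname%"
UCONF_TOKEN = re.compile(r"%uconf:([A-Za-z0-9_.]+)%")
# Assumption of this example: RDN attribute types a CSR subject is allowed to use.
KNOWN_RDN_KEYS = {"C", "ST", "L", "O", "OU", "CN", "DC", "EMAILADDRESS"}


def render_csr_dn(template, uconf):
    """Expand %uconf:<param>% tokens and split the DN into (KEY, value) pairs.

    Rejects unresolvable tokens and tokens that are not separated by a comma,
    the mistake that would otherwise produce a CSR with a malformed subject.
    """
    def expand(match):
        param = match.group(1)
        if param not in uconf:
            raise KeyError(f"DN template references unknown UCONF parameter {param!r}")
        return uconf[param]

    dn = UCONF_TOKEN.sub(expand, template)
    rdns = []
    for token in dn.split(","):
        if "=" not in token:
            raise ValueError(f"DN token {token!r} is not KEY=VALUE; separate tokens with a comma")
        key, value = (part.strip() for part in token.split("=", 1))
        if "=" in value:
            raise ValueError(f"DN token {token!r} contains two attributes; separate tokens with a comma")
        if key.upper() not in KNOWN_RDN_KEYS:
            raise ValueError(f"unexpected RDN attribute {key!r} in DN")
        if not value:
            raise ValueError(f"empty value for RDN attribute {key!r}")
        rdns.append((key.upper(), value))
    return rdns


def expected_certificate_ids(uconf):
    """Identifiers Central Governance stores in the internal PKI base after step 2."""
    instance = uconf["cft.instance_id"]
    return {"governance": f"{instance}_GOV", "business": instance}


def check_registration(uconf, pki_ids):
    """Summarise the registration state and name the action an operator should take."""
    registration_id = int(uconf.get("cg.registration_id", "-1"))
    expected = expected_certificate_ids(uconf)
    present = set(pki_ids)
    missing = sorted(name for name, cert_id in expected.items() if cert_id not in present)
    template = uconf.get("cg.certificate.business.csr_dn", DEFAULT_CSR_DN)
    findings = {
        "registration_id": registration_id,
        "certificates_issued": registration_id > 0,   # set to a positive value at step 2
        "missing_certificates": missing,
        "csr_dn": render_csr_dn(template, uconf),
    }
    if registration_id < 0:
        # Default value -1: starting Copilot begins the registration process.
        findings["action"] = "not_registered"
    elif missing:
        # Certificates were issued but are not all in the PKI base: repeat registration
        # by resetting cg.registration_id (command from the documentation).
        findings["action"] = "re-register"
        findings["commands"] = ["CFTUTIL uconfunset id=cg.registration_id"]
    else:
        findings["action"] = "registered"
    return findings


if __name__ == "__main__":
    for key, value in check_registration(SAMPLE_UCONF, SAMPLE_PKI_IDS).items():
        print(f"{key}: {value}")
```

Stopping and starting Transfer CFT and Copilot around the uconfunset command are left to the site's normal procedure; the check only reports what to do. Run the script against real values by replacing the constructed SAMPLE_UCONF and SAMPLE_PKI_IDS.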

Override the default policy

You must set the UCONF parameter cg.configuration_policy if you want to override the default policy applied by Central Governance when you register a Transfer CFT in Central Governance.
