Connect to the deprecated Transfer CFT UI (Copilot UI)

You can use this interface to track and manage transfers, consult the log, and configure Transfer CFT. This section describes how to connect to the Transfer CFT user interface (UI) from a URL. The UI is based on Java technology and requires a Java run-time on the client side.

You require Java version 7 or 8 to use the former Transfer CFT UI (Copilot UI).

  1. Open an Internet browser.
  2. Enter the URL in the following format:

http://<copilot_server_hostaddr>:<uconf:copilot.general.serverport>/index.html

Where:

  • <copilot_server_hostaddr>: the host name or IP address of the Copilot server
  • <uconf:copilot.general.serverport>: the Copilot server port, as set in the UCONF parameter copilot.general.serverport

  The browser displays the login screen. After accessing the Transfer CFT UI, you can add the URL to your bookmarks.

  3. Enter your user name and password. The connection method depends on the selected type of user authentication (system, PassPort, etc.).
    Note: On Windows systems, you can use the format user@domain, but the domain cannot contain a dot extension; user@domain.com, for example, is not accepted.

You can alternatively connect to the Transfer CFT UI in HTTPS using the format:

https://<copilot_server_hostaddr>:<uconf:copilot.general.serverport>/index.html

To use HTTPS you must perform the certificate operations described below in Install a certificate on the client side.

Additionally, see Manage the Copilot server for the server-side prerequisites.

Copilot server authentication method

The Copilot server authentication method differs slightly when working in an IBM i environment. Please refer to the Transfer CFT IBM i Installation Guide for details.

Limit the number of failed login attempts

Transfer CFT provides brute force protection for logging on to the Transfer CFT UI, REST API, Copilot, or Web Services when using either system mode or xfbadm mode (UNIX) authentication. That is, it limits the number of failed login attempts; both the user name and the password are checked, in order to defeat brute force attacks.

For other authentication methods, such as PassPort and LDAP, no check is made; you must manage this in the password policy of those external tools.

You can use the following UCONF parameters to manage this option:

  • copilot.general.login_failures_fname: the file that stores the login-failure data shared between Transfer CFT and Copilot.
  • copilot.general.max_login_failures: an integer that sets the maximum number of login failures for a user (default 3; 0 disables the check).
Note: In a multi-host environment, if this file is not in a directory shared by all hosts, each host keeps its own counter, so an attacker may have up to copilot.general.max_login_failures * <number of hosts> tries before the user is locked.

When the maximum number of login failures is reached, the user account is locked for 30 seconds.
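To make the lockout arithmetic above concrete, here is a small model of the policy, written for this page as an added example: it is not Transfer CFT code and does not read or write the product's login_failures_fname file, whose format the page does not describe. It assumes that the failure counter resets when the lock is applied or when a login succeeds (the page does not say), keeps one state file per simulated host or one shared file, and shows how many wrong passwords an attacker can actually have checked in each configuration.

```sh
#!/bin/sh
# Model of the Transfer CFT login-failure lockout (added example, not product code).
# State file format used by this model only: "<user> <failures> <locked_until_epoch>"
MAX_LOGIN_FAILURES=${MAX_LOGIN_FAILURES:-3}   # mirrors copilot.general.max_login_failures
LOCK_SECONDS=30                               # documented lock duration

# login_attempt <state_file> <user> <password_ok:0|1> <now_epoch>
# Prints "locked" (attempt refused without checking the password),
# "denied" (password checked and wrong, counted) or "ok".
login_attempt() {
    la_file=$1; la_user=$2; la_pw_ok=$3; la_now=$4
    [ -f "$la_file" ] || : > "$la_file"
    la_rec=$(awk -v u="$la_user" '$1 == u { print $2, $3 }' "$la_file")
    la_fail=${la_rec%% *}; la_until=${la_rec##* }
    la_fail=${la_fail:-0}; la_until=${la_until:-0}
    if [ "$la_now" -lt "$la_until" ]; then
        echo locked; return 0
    fi
    if [ "$la_pw_ok" -eq 1 ]; then
        la_fail=0; la_until=0; la_res=ok          # assumption: success resets the counter
    else
        la_fail=$((la_fail + 1)); la_res=denied
        if [ "$MAX_LOGIN_FAILURES" -gt 0 ] && [ "$la_fail" -ge "$MAX_LOGIN_FAILURES" ]; then
            la_until=$((la_now + LOCK_SECONDS)); la_fail=0   # assumption: lock resets the counter
        fi
    fi
    { awk -v u="$la_user" '$1 != u' "$la_file"; echo "$la_user $la_fail $la_until"; } > "$la_file.tmp"
    mv "$la_file.tmp" "$la_file"
    echo "$la_res"
}

# guesses_checked <n_hosts> <shared:0|1> <state_dir>
# Round-robin wrong-password attempts against n_hosts Copilot servers, counting
# how many guesses were really evaluated before every host refused the user.
# shared=1: one state file for all hosts; shared=0: one file per host.
guesses_checked() {
    gc_hosts=$1; gc_shared=$2; gc_dir=$3
    mkdir -p "$gc_dir"
    gc_count=0; gc_i=0
    gc_rounds=$((gc_hosts * (MAX_LOGIN_FAILURES + 1)))
    while [ "$gc_i" -lt "$gc_rounds" ]; do
        gc_host=$((gc_i % gc_hosts))
        if [ "$gc_shared" -eq 1 ]; then gc_file="$gc_dir/shared.state"
        else gc_file="$gc_dir/host$gc_host.state"; fi
        gc_res=$(login_attempt "$gc_file" alice 0 "$((1000 + gc_i))")
        if [ "$gc_res" = denied ]; then gc_count=$((gc_count + 1)); fi
        gc_i=$((gc_i + 1))
    done
    echo "$gc_count"
}

# DEMO=1 ./lockout_model.sh prints the two figures for a two-host setup.
if [ "${DEMO:-0}" = 1 ]; then
    demo_dir=$(mktemp -d)
    echo "shared file, 2 hosts:    $(guesses_checked 2 1 "$demo_dir/shared") guesses checked"
    echo "per-host files, 2 hosts: $(guesses_checked 2 0 "$demo_dir/perhost") guesses checked"
    rm -rf "$demo_dir"
fi
```

With the default of 3, the shared file allows 3 checked guesses before the user is locked everywhere, while separate per-host files allow 3 per host, which is the multiplication the note above warns about.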

Platform specifics

  • On IBM i systems, there is no action if the password is incorrect as the system offers methods that you can rely on to avoid brute force attacks (the system value is QMAXSIGN).
  • On z/OS systems, only the inherent system protection is available (refer to the RACF suboperand REVOKE for the PASSWORD option).
  • On OpenVMS systems, only existing system protection is available.

Install a certificate on the client side

Windows

On Windows, there are two ways to install a certificate on the client side: using the Windows certificate store, or using the Java keystore.

UNIX

On Linux, using the Java keystore is the only option.

Install a certificate in the Windows keystore

  1. In Windows Explorer, navigate to your certificate and right-click.
  2. Select the Install certificate option.
  3. Follow the screen instructions. Windows automatically imports the certificate to its keystore in the Intermediate certificate authorities folder.

Alternative method

  1. In Internet Explorer, select Tools > Internet Options.
  2. In the Content tab select the Certificate button.
  3. Select Import, which starts the Certificate Import Wizard.
  4. Click Next, and Browse to your certificate.
  5. Follow the screen instructions. Windows imports the certificate to its keystore.

Install a certificate in the Java keystore

The Java keystore is the cacerts file under the Java installation, at ~/jre/lib/security/cacerts. The default password for this keystore is "changeit"; it is the same on every Java installation, so do not rely on it to protect the truststore.

Use the keytool command as follows to import your certificate into the Java keystore (the options must be hyphenated and separated by spaces):

keytool -importcert \
   -trustcacerts \
   -alias AXWMFTCA \
   -file YourCertificate \
   -storepass changeit \
   -keystore <keystore>
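The import step as a checked script, added here as an example for this page (it is not Axway's tooling). It locates cacerts from JAVA_HOME, handling both a JDK's jre/lib/security and a plain JRE's lib/security layout, imports with -noprompt, skips the import when the alias is already present, and verifies the entry afterwards with keytool -list. The alias AXWMFTCA and the password changeit are the page's defaults; the CERT_FILE variable and the function names are this example's own.

```sh
#!/bin/sh
# Import the Copilot server certificate into the Java truststore used by the
# Copilot UI applet and verify it. Added example, not Axway tooling.
ALIAS=${ALIAS:-AXWMFTCA}            # alias used on the page above
STOREPASS=${STOREPASS:-changeit}    # Java's default cacerts password

# java_cacerts [java_home] -> prints the path of the cacerts truststore.
# A JDK 7/8 keeps it under jre/lib/security, a plain JRE under lib/security.
java_cacerts() {
    jc_home=${1:-${JAVA_HOME:?set JAVA_HOME}}
    for jc_p in "$jc_home/jre/lib/security/cacerts" "$jc_home/lib/security/cacerts"; do
        if [ -f "$jc_p" ]; then echo "$jc_p"; return 0; fi
    done
    echo "no cacerts found under $jc_home" >&2
    return 1
}

# cert_trusted <keystore> <alias> -> 0 if the alias is already in the keystore.
cert_trusted() {
    keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" >/dev/null 2>&1
}

# import_copilot_cert <cert_file> [keystore]
# Idempotent: skips the import if the alias exists, verifies the entry afterwards.
import_copilot_cert() {
    ic_cert=$1; ic_store=${2:-$(java_cacerts)} || return 1
    if cert_trusted "$ic_store" "$ALIAS"; then
        echo "alias $ALIAS already present in $ic_store"; return 0
    fi
    keytool -importcert -trustcacerts -noprompt \
        -alias "$ALIAS" -file "$ic_cert" \
        -keystore "$ic_store" -storepass "$STOREPASS" || return 1
    cert_trusted "$ic_store" "$ALIAS" && echo "imported $ic_cert as $ALIAS into $ic_store"
}

# Runs only when a certificate is given, e.g.
#   CERT_FILE=copilot-server.cer JAVA_HOME=/usr/lib/jvm/java-8 sh import_copilot_cert.sh
if [ -n "${CERT_FILE:-}" ]; then
    import_copilot_cert "$CERT_FILE"
fi
```

Passing -storepass on the command line exposes it in the process list; keytool also accepts -storepass:env VARIABLE and -storepass:file PATH if that matters on a shared client.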

Specify the keystore to use on the client side by customizing HTML files

The HTML files used by the Copilot server to be accessed by a browser are:

  • runtime/wwwroot/admin.html
  • runtime/wwwroot/index.html

These files contain a parameter SSL_KEYSTORE that you can modify. The default value of this parameter is "Windows"; the only other possible value is "" (empty string).

The following table shows the keystore used, depending on the SSL_KEYSTORE value and the client operating system.

  SSL_KEYSTORE value     Windows client      Linux client
  "Windows" (default)    Windows keystore    Java keystore
  "" (empty string)      Java keystore       Java keystore

Troubleshooting

Cannot connect to Copilot through an SSL connection when FIPS is enabled

This issue occurs if you set the UCONF copilot.ssl.sslcertfile parameter to a PKCS12 bundle that does not comply with the FIPS standard. OpenSSL 1.x encrypts the certificates in a PKCS12 bundle with 40-bit RC2 by default, which is not FIPS compliant (OpenSSL 3.0 and later default to AES-256-CBC and only produce RC2 with the -legacy option). To remedy:

In OpenSSL, use the pkcs12 -descert option so that the certificates are encrypted with triple DES instead of RC2-40. For example:

openssl pkcs12 -export -in <your server cert>.pem -inkey <your server key>.pem -out mycert.p12 -descert
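The remedy as a script that also checks a bundle for RC2 before you point copilot.ssl.sslcertfile at it, added as an example for this page (it is not part of Transfer CFT). It assumes the openssl command-line tool; the function names, file names and password are placeholders, and make_test_cert generates a throwaway self-signed certificate so the script can be tried without a real server key.

```sh
#!/bin/sh
# Build a FIPS-friendly PKCS#12 bundle and check existing bundles for RC2.
# Added example, not Transfer CFT tooling. Requires the openssl CLI.

# p12_ciphers <bundle.p12> <password>
# Prints the PBE algorithms used for the certificate bags and the key bag
# (openssl writes the -info lines to stderr, hence 2>&1).
p12_ciphers() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -info -noout 2>&1 \
        | grep -E 'Encrypted data|Shrouded Keybag'
}

# p12_fips_ok <bundle.p12> <password>
# 0 if the bundle parses and uses no RC2 anywhere; 1 if RC2 is present;
# 2 if it cannot be read (wrong password, or RC2 without the legacy provider).
p12_fips_ok() {
    pf_out=$(openssl pkcs12 -in "$1" -passin "pass:$2" -info -noout 2>&1) || {
        echo "$1: cannot read bundle: $pf_out" >&2; return 2; }
    if printf '%s\n' "$pf_out" | grep -qi rc2; then
        echo "$1: uses RC2, not FIPS compliant" >&2; return 1
    fi
    return 0
}

# make_fips_p12 <cert.pem> <key.pem> <out.p12> <password>
# -descert replaces RC2-40 certificate encryption with 3DES, then the result
# is re-checked. OpenSSL 1.x protects the key with 3DES, 3.x with AES-256.
make_fips_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
        -passout "pass:$4" -descert && p12_fips_ok "$3" "$4"
}

# make_test_cert <dir>: throwaway self-signed server certificate (constructed
# test input, not a real Copilot certificate).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=copilot.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Check an existing bundle, e.g.  P12_FILE=mycert.p12 P12_PASS=secret sh p12check.sh
if [ -n "${P12_FILE:-}" ]; then
    p12_fips_ok "$P12_FILE" "${P12_PASS:-}" && p12_ciphers "$P12_FILE" "${P12_PASS:-}"
fi
```

Run p12_fips_ok against the bundle currently named in copilot.ssl.sslcertfile before enabling FIPS; a bundle made with an old OpenSSL default shows pbeWithSHA1And40BitRC2-CBC in the cipher lines, a bundle made with -descert shows pbeWithSHA1And3-KeyTripleDES-CBC.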
