Using the web browser user interface

As of Transfer CFT 3.6, Transfer CFT features a web browser user interface. You can use this interface to configure, track and manage transfers, and consult the log. The following sections describe the steps you must perform before you can start using this user interface.

The Transfer CFT user interface requires secure SSL/TLS communication between the browser and the REST server, and for the REST API option to be enabled. If you performed a custom installation without these options, you must perform the following steps before connecting to the user interface.

  1. Configure the REST API server.
  2. Set the Certificate Authority on the client side.

Supported browsers

The user interface requires a web browser such as:

  • Google Chrome
  • Microsoft Edge version 41
  • Firefox (without keyboard shortcuts)

If there is a specified version, it is the minimum version for that browser.

Connect to the user interface

Start the Copilot server before connecting, as the REST API server is a Copilot service.

The user that starts the Copilot server must have write permission for the Transfer CFT CFTCOM, CFTPART, CFTPARM, and CFTPKI data files.

  1. Start the Copilot server: copstart
  2. In your web browser, enter the URL using the following format: https://<copilot_server_host>:<RestApi_port>/cft/ui/
     Example: https://10.128.14.139:1768/cft/ui/
  3. Enter your user name and password (depends on the authentication method set on the server).
  4. The Transfer CFT interface displays. To use shortcuts, see Keyboard shortcuts. You are now ready to configure and create flows.

Limitations

The following functions are presently not supported:

  • Running the UCONF reconfig command
  • When in a UNIX environment, you cannot use an LDAP user to connect to the web-based user interface.
  • The log has a maximum display of 10,000 records. If your log exceeds this value, only the most recent 10,000 display.

Configure the REST API server

  1. Enable the Copilot REST API if you did not do so during installation:
     CFTUTIL uconfset id=copilot.restapi.enable, value=yes
  2. Optionally, you can change the REST API server port as follows (default 1768):
     CFTUTIL uconfset id=copilot.restapi.serverport, value=<new port>
  3. You require a secure SSL/TLS communication between the client (REST or browser) and the REST server. When using Central Governance, the REST API server automatically uses the SSL business certificate generated during the registration; there is no need to perform this step. This certificate is stored in the internal PKI base and is identified by the Transfer CFT instance ID (uconf:cft.instance_id).
     Otherwise, use UCONF to set the following Copilot parameters to configure the SSL certificate:
     CFTUTIL uconfset id=copilot.ssl.SslCertFile, value=<ssl pkcs12 certificate for copilot>
     CFTUTIL uconfset id=copilot.ssl.SslCertPassword, value=<ssl pkcs12 certificate password>
     These parameter settings are described in Install a certificate on the server side.
  4. Specify the authentication method, as the client must provide credentials (user/password) to the REST server. Set the UCONF copilot.restapi.authentication_method parameter.
     Example: CFTUTIL uconfset id=copilot.restapi.authentication_method, value=system

Authentication methods

The supported authentication methods are:

Each method below is selected by the value of copilot.restapi.authentication_method.

Operating system (copilot.restapi.authentication_method=system)

  The user/password is checked against the operating system.

  Note: We strongly recommend that you set copilot.misc.createprocessasuser=yes when using the system option.

  On Unix, you must use cftsu to create users. Refer to Using system users UNIX for detailed instructions.

Access Management (copilot.restapi.authentication_method=am)

  This method uses an indirection towards the Access Management system. The user/password is checked by the configured access management system: Flow Manager, PassPort AM, or internal AM.

  On Transfer CFT z/OS systems: if you are additionally using am.type=cft, you must define the CFTTOKEN resource to connect to the Transfer CFT user interface. To do this, use the updated JCL templates delivered with Transfer CFT 3.6 SP4 and higher:

    1. Modify the H84SAFDF, H85SAFPR, and H87SECEN JCLs to include the CFTTOKEN resource.
    2. Execute these JCLs before connecting to the user interface.

xfbadm database (copilot.restapi.authentication_method=xfbadm; UNIX and HP NonStop only)

  The user/password is checked using the xfbadm base (see the xfbadmusr and xfbadmgrp utilities).

REST API server authentication method

Note 1. If copilot.restapi.authentication_method = system, then your access management type must be set to either am.type=none, or both am.type=internal and am.internal.group_database=system.
Note 2. If copilot.restapi.authentication_method = xfbadm, then your access management type must be set to either am.type=none, or both am.type=internal and am.internal.group_database=xfbadm.
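The following is an added pre-flight check (not Axway's code) that applies the REST API configuration steps and the two consistency notes above to a UCONF listing. The "id=value" input format and the sample values are constructed for the example; they are not real CFTUTIL output.

```python
# Added example (not Axway's code): consistency check of the Copilot REST API
# UCONF settings documented on this page. The input is a constructed
# "id=value" listing; only the parameter names come from the page.
from typing import Dict, List

# Constructed sample: REST API on, cert set, system auth, but AM settings that
# contradict Note 1 and createprocessasuser left at no.
SAMPLE_UCONF = """
copilot.restapi.enable=yes
copilot.restapi.serverport=1768
copilot.ssl.SslCertFile=/opt/cft/conf/copilot.p12
copilot.ssl.SslCertPassword=********
copilot.restapi.authentication_method=system
copilot.misc.createprocessasuser=no
am.type=internal
am.internal.group_database=xfbadm
"""


def parse_uconf(text: str) -> Dict[str, str]:
    """Parse 'id=value' lines into a dict, skipping blank and comment lines."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def check_restapi_config(conf: Dict[str, str], central_governance: bool = False) -> List[str]:
    """Return the problems found; an empty list means the settings are consistent."""
    problems: List[str] = []
    if conf.get("copilot.restapi.enable", "").lower() != "yes":
        problems.append("REST API disabled: set copilot.restapi.enable=yes")
    # With Central Governance the business certificate is used automatically.
    if not central_governance and not conf.get("copilot.ssl.SslCertFile"):
        problems.append("no PKCS#12 certificate: set copilot.ssl.SslCertFile and SslCertPassword")
    method = conf.get("copilot.restapi.authentication_method", "")
    if method not in ("system", "am", "xfbadm"):
        problems.append(f"unknown authentication method {method!r}")
    # Notes 1 and 2: system/xfbadm need am.type=none, or internal AM whose
    # group database matches the method. The page gives no am.type default,
    # so a missing am.type is reported rather than assumed.
    am_type = conf.get("am.type", "")
    group_db = conf.get("am.internal.group_database", "")
    if method in ("system", "xfbadm") and not (
        am_type == "none" or (am_type == "internal" and group_db == method)
    ):
        problems.append(f"authentication_method={method} needs am.type=none, or am.type=internal with am.internal.group_database={method}")
    if method == "system" and conf.get("copilot.misc.createprocessasuser", "").lower() != "yes":
        problems.append("recommended: copilot.misc.createprocessasuser=yes with the system method")
    return problems
```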

Set the Certificate Authority on the client side

For security purposes, you must import the CA that corresponds with the server side certificate.

When using Central Governance

The REST API server automatically uses the SSL business certificate generated during the registration. This certificate is stored in the internal PKI base and is identified by the Transfer CFT instance ID (UCONF cft.instance_id parameter). You must import the matching Certificate Authority to your web browser certificate store.

When you are not using Central Governance

You must import the Certificate Authority that corresponds with the certificate that you defined previously (Step 3) to your web browser certificate store.

You are now ready to connect to the user interface. If you encounter errors, please see the Troubleshooting section.

Limit the number of failed login attempts

Transfer CFT provides brute force protection for logging on to the Transfer CFT UI, REST API, Copilot, or Web Services when using either the system mode or xfbadm mode (UNIX) authentication. That is, it limits the number of failed login attempts, where both the user and the password are checked, to avoid brute force attacks.

For other authentication methods, such as PassPort and LDAP, no check is made. You must manage that in the Password Policy of those external tools.

You can use the following UCONF parameters to manage this option:

  • copilot.general.login_failures_fname: A file that stores data shared between Transfer CFT and Copilot.
  • copilot.general.max_login_failures: An integer that sets the maximum number of login failures for a user (default is 3, and 0 disables this option).

Note: In a multi-host environment, if the file is not in a directory shared by all hosts, an attacker may have up to copilot.general.max_login_failures * <number of hosts> tries before the user is locked.

When the maximum number of login failures is reached, the user account is locked for 30 seconds.
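The model below is an added example (not Axway's code) of the lockout mechanism just described, written to show why the login-failures file must sit in a directory shared by all hosts. The 30 second lock and the default of 3 come from the page; that the counter restarts after a lock, and the round-robin attempt order, are assumptions of the model.

```python
# Added example (not Axway's code): a model of the login-failure lockout this
# page describes, to show how a per-host failure file multiplies the number of
# guesses an attacker gets. Counter reset and timing are assumptions.
from typing import Dict, List

LOCK_SECONDS = 30  # lock duration stated on the page


class FailureFile:
    """Stands in for the file named by copilot.general.login_failures_fname."""

    def __init__(self, max_failures: int = 3):
        self.max_failures = max_failures          # page default 3; 0 disables the check
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one login attempt at time `now`; returns 'locked', 'ok' or 'failed'."""
        if self.max_failures and self.locked_until.get(user, 0.0) > now:
            return "locked"                       # locked: the password is not checked
        if password_ok:
            self.failures[user] = 0
            return "ok"
        if self.max_failures:
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] >= self.max_failures:
                self.locked_until[user] = now + LOCK_SECONDS
                self.failures[user] = 0           # assumed: counter restarts after a lock
        return "failed"


def guesses_before_lock(hosts: int, shared_file: bool, max_failures: int = 3) -> int:
    """Wrong passwords that get checked when an attacker rotates over `hosts`
    Copilot hosts, until every host answers 'locked'. -1 means no limit."""
    if max_failures <= 0:
        return -1
    files: List[FailureFile] = [FailureFile(max_failures) for _ in range(1 if shared_file else hosts)]
    checked, now = 0, 0.0
    while True:
        results = []
        for h in range(hosts):
            r = files[0 if shared_file else h].attempt("alice", False, now)
            results.append(r)
            if r == "failed":
                checked += 1
        if all(r == "locked" for r in results):
            return checked
        now += 0.001                              # all attempts fall inside one 30 s window
```

With a shared file, three hosts still allow only 3 guesses; with one file per host, the same three hosts allow 9.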

Platform specifics

  • On IBM i systems, there is no action if the password is incorrect as the system offers methods that you can rely on to avoid brute force attacks (the system value is QMAXSIGN).
  • On z/OS systems, only the inherent system protection is available (refer to the RACF suboperand REVOKE for the PASSWORD option).
  • On OpenVMS systems, only existing system protection is available.

If you encounter issues when trying to connect to the user interface, please refer to Troubleshooting the user interface.

Keyboard shortcuts

Keyboard shortcuts provide a way to navigate the user interface from the keyboard. Begin by using ALT + H to display the shortcuts. You can then move through the UI using ALT + the object abbreviation key (e.g. ALT + T for transfers) as displayed in the UI.

  • ALT + H: Displays available shortcuts
  • From the New [Transfer] page, for example, press Enter to begin a new request.
  • To navigate across the page using keyboard shortcuts, use Tab to move to the next field, or Shift + Tab to go back.

Note: Keyboard shortcuts on Firefox are largely nonfunctional.

User interface prerequisite when using "cft" access management

On z/OS systems only

If your Transfer CFT z/OS uses “cft” access management (am.type=cft), you must define the CFTTOKEN resource in order to connect to the Transfer CFT user interface. To define the token resource, modify the H84SAFDF, H85SAFPR, and H87SECEN JCLs using templates provided in the Transfer CFT 3.6 SP4 delivery. Be certain to execute these JCLs before connecting to the user interface.
