Activate Central Governance connectivity

Central Governance simplifies the management of Transfer CFT and provides identity and access management, certificate security services, monitoring, alerting, and web dashboard services. Central Governance replaces the services that, in earlier Transfer CFT installations, required implementing and configuring multiple products, such as Transfer CFT Navigator, PassPort, Composer, and Sentinel.

You can perform this activation procedure only after completing an upgrade or migration to Transfer CFT 3.2.

Overview

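There are two ways to activate Transfer CFT to Central Governance connectivity following an upgrade procedure:

  • Automatically activate connectivity
  • Manually activate connectivity

Additional information and tasks:

  • Connect to a different Central Governance system
  • Use former configuration objects
  • View managed features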

Automatically activate connectivity

UNIX/Windows

Automatic activation is only available on UNIX/Windows. For z/OS or IBM i instructions, refer to Manually activate connectivity below.

This section describes how to run the installer in configure mode to enable Central Governance connectivity.

Note: If running on Windows, the same user who performed the initial installation (or same type of user) must start the installer.

Prerequisite

You must set the UCONF parameter cg.configuration_policy if you want to override the default policy applied by Central Governance when you register a Transfer CFT in Central Governance.

Procedure

  1. Stop Transfer CFT and Copilot.
  2. Start the installer's configure mode.

    GUI

      • UNIX: configure.sh -m gui
      • Windows: In the Windows Start menu, select Axway Software > Axway [installation name] > Configure

    Console

      • UNIX: configure.sh -m console
      • Windows:
        • configure32.exe -m console
        • configure64.exe -m console
  3. In the installer screen, select Configure your existing installation.
  4. Enter the license key if required.
  5. Accept or modify the UI server and service mode screen values.
  6. In the Governance Mode screen, select Central Governance.
  7. In the CG connectivity screen, enter the Central Governance values. For Transfer CFT z/OS installations, see Use compliant characters for the shared secret. See Governance options for details.
  8. Click Next and complete the configure procedure.
  9. Once completed, start Copilot, which automatically completes the registration process.

You can check in Central Governance that Transfer CFT is displayed in the Product List.

Manually activate connectivity

All OS

This section describes how to manually modify the Transfer CFT configuration from the command line to enable Central Governance connectivity.

Prerequisites

  1. Stop Transfer CFT and Copilot if running.
  2. Enabling Central Governance connectivity after an upgrade implies replacing any standalone connectors. Therefore, prior to connecting to Central Governance, deactivate all previously activated connectors, for example PassPort AM, PassPort PS, and Sentinel.

    CFTUTIL uconfunset id=am.type
    CFTUTIL uconfunset id=sentinel.xfb.enable
    CFTUTIL uconfset id=pki.type, value=cft

    Note: When running in a z/OS environment you must additionally set the am.passport.superuser with the user that will start the Copilot server.
  3. Ensure that all UCONF values used to identify a Transfer CFT instance are defined. These parameters include:
    • cft.full_hostname
    • cft.instance_id
    • cft.instance_group

    Use the format:

    CFTUTIL uconfset id=cft.instance_id, value=<cft_id>

You must set the UCONF parameter cg.configuration_policy if you want to override the default policy applied by Central Governance when you register a Transfer CFT in Central Governance.

Procedure

The manual procedure consists of the following steps, which are detailed below:

  1. Include certificates in the PKI database.
  2. Set the UCONF parameter values for Central Governance.
  3. Enable Central Governance.
  4. Start Copilot.

Include certificates

You must include the certificate authority that is used to validate communication with Central Governance in the PKI database. You can personalize this certificate on the Central Governance side, so be sure to use the correct iname in the pkicer command.

You can use any ID for this certificate. Transfer CFT uses the certificate ID defined in UCONF to communicate with Central Governance.

Note: Modify the filename syntax to accommodate your specific platform.

PKIUTIL pkicer  id = 'CG_CA',
        iform    = 'PEM',
        iname    = '$CFTPKIDIR/passportCA.pem',
        itype    = 'ROOT',
        pkifname = '$CFTPKU',
        pkipassw = 'CFT',
        state    = 'ACT',
        mode     = 'CREATE'

After inserting the correct certificate in the PKI database, define the UCONF variable cg.ca_cert_id. This value is required so that Transfer CFT knows which certificate to use when communicating with Central Governance.

CFTUTIL uconfset id=cg.ca_cert_id, value='CG_CA'

Set UCONF values

Use the Central Governance installation values for the following UCONF settings. Transfer CFT uses these values to identify Central Governance.

  • cg.host
  • cg.port
  • cg.mutual_auth_port
  • cg.shared_secret

Use the format:

CFTUTIL uconfset id=cg.host, value=<host_value>

Use compliant characters for the shared secret

When setting the Central Governance "shared secret" during a Transfer CFT z/OS installation, translation issues may occur if you use certain characters. For example, if you enter !SECRET (using code page IBM1147) the shared secret is translated to §SECRET during the Central Governance registration. Therefore, you must use compliant characters in the shared secret value when working in a z/OS environment.
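The following pre-flight check is an added example, not part of the Axway documentation: it flags characters in a candidate shared secret whose EBCDIC byte value differs between code pages, which is the class of character behind the !SECRET translation described above. Python ships no IBM1147 codec, so the code pages listed in EBCDIC_PAGES are stand-ins chosen for illustration, and the function names are hypothetical.

```python
from itertools import permutations

# Assumption: Python ships no IBM1147 codec, so these EBCDIC code pages stand
# in for the code pages on either side of a registration.
EBCDIC_PAGES = ("cp037", "cp273", "cp500", "cp1140")


def variant_chars(secret, pages=EBCDIC_PAGES):
    """Characters of `secret` whose EBCDIC byte differs between code pages."""
    flagged = []
    for ch in secret:
        encodings = set()
        for page in pages:
            try:
                encodings.add(ch.encode(page))
            except UnicodeEncodeError:
                encodings.add(None)  # not representable in this page at all
        if len(encodings) > 1 and ch not in flagged:
            flagged.append(ch)
    return flagged


def cross_page_results(secret, pages=EBCDIC_PAGES):
    """Every string a peer could see if it decodes with a different page."""
    results = set()
    for src, dst in permutations(pages, 2):
        try:
            results.add(secret.encode(src).decode(dst))
        except UnicodeError:
            continue  # secret cannot be encoded under `src`
    return results


if __name__ == "__main__":
    for candidate in ("!SECRET", "SECRET2024"):  # constructed sample values
        bad = variant_chars(candidate)
        verdict = "variant characters %r" % bad if bad else "compliant"
        print(candidate, "->", verdict, sorted(cross_page_results(candidate)))
```

A secret for which variant_chars returns an empty list encodes to the same bytes under every listed code page, so it reaches Central Governance unchanged regardless of which of those pages is in effect.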

Enable Central Governance

CFTUTIL uconfset id=cg.enable, value=yes

Register

Start the Transfer CFT Copilot to trigger an automatic registration with Central Governance.

You can check in the Central Governance Product List to confirm that the registration was successful.

Connect to a different Central Governance system

If Transfer CFT was previously registered on a Central Governance system but you now want to register it on a different one, perform the steps in Manually activate connectivity and, as a final step prior to starting Copilot, reset the Central Governance registration id.

CFTUTIL uconfunset id=cg.registration_id

For troubleshooting issues, refer to Troubleshooting: Installation and registration.

Use former configuration objects

In Central Governance you can use the Legacy Flows feature to view and use an imported configuration. For more information, please refer to the Central Governance documentation.

View managed features

After successfully upgrading and activating Central Governance connectivity, you can manage the following Transfer CFT features from Central Governance. The "Supported but not configurable" column lists features that you can retain, though you cannot manage them from the Central Governance interface.

Feature | Manage using Central Governance | Supported but not configurable using Central Unified Flow Management
Folder monitoring | yes (1) | yes
Multi-node architecture | no | yes
CRONJOB | no | yes
Exits | no | yes

Network features
IPv6 | yes | yes
pTCP (UNIX/Windows only) | yes | yes
UDT (UNIX/Windows only) | yes | yes
SOCKS | no | yes
Heartbeat | embedded | yes

Interoperability
Secure Relay | no | yes
TrustedFile | no | yes (Not available on IBM i)
PassPort AM | embedded | no (2)
PassPort PS | no | yes
Sentinel | embedded | yes
Composer | no | no

Protocols
PeSIT | yes | yes
ODETTE | no | yes
EBICS | no | yes

  1. IBM i and z/OS only support folder monitoring on UNIX file systems.
  2. If you perform a migration or upgrade from a previous version, you must migrate your PassPort AM.
