|
|
|
|
|
The MOVEit Transfer Configuration program is used to configure the MOVEit Transfer SSH server. (Users, groups, folder settings and the like are generally maintained through the Web Interface or MOVEit Transfer API.) Run the configuration program by choosing the Start menu shortcut MOVEit Transfer Config. This program uses a tabbed dialog to group the settings by function.
MOVEit Transfer SSH will immediately apply configuration changes the next time a new connection is received.
Exception: If a change is made to the SSH port, the MOVEit Transfer SSH service must be restarted for this change to take effect.
SSH Configuration
To export the MOVEit Transfer SSH public key, click the View button on the SSH tab of the MOVEit Transfer Config utility. The dialog will show you the key in two different formats. Select all the text in the window displaying the format you wish to export, press CTRL+C to copy the text, then save it into a text file of your choice.
HINT: The MOVEit DMZ SSH server key never changes, so it's probably worth the extra time to export both formats of the same SSH server key while you're in the dialog. If you save these off (perhaps on an internal server) you may never need to come back to the SSH tab again.
Server Keys
The Server Keys window shows the MD5 hash of the internally generated RSA 2048-bit server key. You cannot edit or remove this default key.
If your MOVEit Transfer configuration has multiple organizations, you may want to add a different server key for each organization. Doing so will make it easier to change only one organization’s server key without affecting other organizations.
The DSS key type provides digital signatures but not key exchange or encryption. With DSS, signature generation is faster than signature verification.
The RSA key types provide digital signatures, key exchange, and encryption. With RSS, signature verification is faster than signature generation.
After you select a key type and size, the Add SSH Server Key window displays:
This window shows the key details, including:
The new key adds to the Server Keys window.
To edit a key's name, select the key and click Edit.
To remove a key, select the key and click Remove.
To make a key the default SSH server key, select the key and click Default. The current default key will be renamed to "OldDefault-year-month-day_xxxxxx" and the name of the key you have selected will be renamed "default."
Alternate Bindings
If your MOVEit Transfer system has multiple organizations and it allows duplicate usernames across organizations, you can direct users to the IP address of their specific organization during signon by adding an alternate binding. You can also assign a unique server key to an organization so that any changes you make to that server key will affect only that organization.
Alternate Bindings lets you associate a Server IP, Server Key, and Organization.
The Add SSH Alternative Binding dialog displays.
The new binding adds to the Alternate Bindings window.
To edit the Server IP, Server Key, and Organization of a binding, select the binding and click Edit.
To remove a binding, select the binding and click Remove.
The MOVEit Transfer SSH server diagnostic log settings can be changed on the Status tab of the configuration utility. See the Configuration Utility document for more information about this tab.
The MOVEit Transfer SSH server communicates with MOVEit Transfer using the Machine URL configured on this tab. See the Configuration Utility document for more information about this tab.
The encryption and hashing algorithms that the MOVEit Transfer SSH server uses can be configured on the SSH Ciphers Tab. (The encryption and hashing algorithms used by the MOVEit Transfer SSL servers - both HTTPS and FTPS - are also configurable.)
This tab lets you select the ciphers and hash functions used to secure the SSH connection.
For FIPS and PCI compliance, you may need to prevent the use of weak ciphers. For example, a PCI audit may flag the use of ciphers, such as MD5 and MD5-96. FIPS-approved cryptographic methods for SSH include (as of September 2015) 3des-cbc, aes128-cbc, aes192-cbc, and aes-256 ciphers with hmac-sha2-512, hmac-sha2-256, hmac-sha1, hmac-md5, hmac-sha1-96, and hmac-md5-96 as the approved hash functions.
Note: Both the client's and the server's preferences are taken into consideration when choosing the actual cipher and hash function for a given session. There must be a common cipher and hash function on both sides or there will be an error.
The SSH Ciphers section allows you to choose which ciphers are permissible, and their order of preference. By default, all ciphers are enabled.
Select the Enabled check box to disable a selected entry or to enable an unselected entry.
Entries closer to the top of the list are given preference over entries lower down. Use the arrow buttons to move entries up or down in the list. Even if you must permit weak ciphers or hashes, you should always put the stronger ones at the top of the list.
The SSH Hash Functions section allows you to choose which hash functions are permissible, and their order of preference. By default, all hash functions are enabled.
Select the Enabled check box to disable a selected entry or to enable an unselected entry.
Entries closer to the top of the list are given preference over entries lower down. Use the arrow buttons to move entries up or down in the list.
Certain clients may want to know which algorithms the MOVEit Transfer server supports, so this section provides a complete list.
Many SSH clients can also obtain this information from MOVEit Transfer just by connecting because the SSH protocol requires the server to list which modes it supports. There is no security reason to keep this information private.
MOVEit Transfer SSH server supports the following encryption algorithms.
MOVEit Transfer SSH server supports the following (keyed) hash algorithms.
MOVEit Transfer SSH server supports the following on-the-fly compression algorithms.