1 Installation and Upgrades

1.a Installation Instructions: The Quickstart Guide

The FileCatalyst Server QuickStart Guide is available on the main FileCatalyst web site for download (or here if you are viewing this user guide after installing the software). The Quick Start Guide provides overview instructions on how to quickly install the Server application (Windows).

The contents of the Quick Start Guide will not be duplicated here.

For command-line installs on headless Linux, please see the Administration via Command Line section of this document, and the Install as a Service section.

1.b Software upgrades

Upgrading FileCatalyst Server requires a sequence of steps be taken based on the installation platform. Some steps are optional (to safeguard configuration data in case of a rollback), but should be followed to ensure the smoothest upgrade experience.

Windows

  1. Stop the FileCatalyst Server.
    If you are running FileCatalyst Server stand-alone (from "Start" menu), please select the "Exit Administration" option in the file menu.

    IF you are running the server as a service, please open up the Windows Services and stop the process from running (default name is "FileCatalyst Server").
  2. Backup configuration files.
    If upgrading from v3.0.1 or less, you should copy the following configuration files into an "upgrade" folder.
    • fcconf.conf
    • authentication.xml
    • ipfilters.xml
    • users.xml
    If upgrading from v3.1, the following files & directories should be copied into an "upgrade" folder before running the new installer:
    • fcconf.conf
    • ipfilters.xml
    • .fcdb/

    Note: Starting in v3.1, the authentication.xml and users.xml information is now stored in an internal database file in the directory ".fcdb/".

    If upgrading from 3.0.1 or older to 3.1 or later, the Server will automatically import the users. If a user is missing correct authentication, the server will generate a new random password. Until the administrator sets the password to a known value, these users will not be able to log in. The server admin will display a list of reset users on the start up after the import.
  3. Run the installer (install_fc_server.exe).
  4. Restart the FileCatalyst Server application (either as a service or standalone).

Linux/Unix

  1. Stop the FileCatalyst Server.
    If you are running the FileCatalyst Server stand-alone (i.e. running fc_server.sh or fc_server_console.sh script), you need to shut FileCatalyst Server down before executing an upgrade. The following commands can be done to shut the service down and verify that processes are not running.
    • Execute the command "fc_server_shutdown.sh".
    • Verify the service is down by running the command: ps -ef | egrep -i "filecatalystserver"
    If you are running the FileCatalyst Server as a service, you need to shut it down using one of the following commands:
    • Linux: service fcserver stop
    • Solaris: svcadm -v disable fcserver
  2. If you have installed the service you must run the service_wrapper/uninstall.sh script to ensure that the application is completely uninstalled.
  3. Backup configuration files.

    If upgrading from v3.0.1 or less, you should copy the following configuration files into an "upgrade" folder.

    cd /opt/utechsoft/server/
    mkdir ./upgrade
    cp fcconf.conf ./upgrade
    cp authentication.xml ./upgrade
    cp ipfilters.xml ./upgrade
    cp users.xml ./upgrade

    If upgrading from v3.1, the following files & directories should be copied into an "upgrade" folder before running the new installer:

    cd /opt/utechsoft/server/
    mkdir ./upgrade
    cp fcconf.conf ./upgrade
    cp ipfilters.xml ./upgrade
    cp -Rp .fcdb ./upgrade
    cp ./service_wrapper/fc_env ./upgrade

    Note: Starting in v3.1, the authentication.xml and users.xml information is now stored in an internal database file in the directory ".fcdb/".

    If upgrading from 3.0.1 or older to 3.1 or later, the Server will automatically import the users. If a user is missing correct authentication, the server will generate a new random password. Until the administrator sets the password to a known value, these users will not be able to log in. The server admin will display a list of reset users on the start up after the import.
  4. Unpack the software. gunzip ./fc_server.tar.gz
    tar -xvf ./fc_server.tar
  5. Copy back the files settings overwritten by tar bundle cp ./upgrade/fcconf.conf .
    cp ./upgrade/fc_env ./service_wrapper/
    Other files ("ipfilters.xml" and ".fcdb/" directories) should not be overwritten by tar bundle.
  6. If you are running as a service you must rerun the service_wrapper/install.sh script to reinstall the service.
  7. Restart the FileCatalyst Server application (either as a service or standalone).

1.c Silent install on Windows


  1. To generate the settings file,run the installer from the command with the SAVEINF flag and the destination file for the settings. install_fc_server.exe /SAVEINF="settings.inf"
  2. Copy the installer and the generated file to the machine where you would like to perform the silent install.
  3. Run the installer from the command line with LOADIINF flag and specified settings file. install_fc_server.exe /VERYSILENT /LOADINF="settings.inf"

1.d Uninstalling FileCatalyst Server

Windows

  • Shut down all the standalone applications
  • Open ‘Services Manager’ by clicking on ‘Start’, search for services.msc, and then run that application
  • Locate the FileCatalyst Server module and stop the service
  • Open ‘Control Panel’ then navigate to ‘Programs and Features’. 
  • Click on the FileCatalyst Server and hit ‘uninstall’. 
  • Click the 'yes' option when prompted

Silent uninstall on Windows

  • Open a command prompt and navigate to the install directory of the product you wish to uninstall.
  • Run the uninstaller from the command line with the VERYSILENT flag. unins000.exe /VERYSILENT"
  • Note that if you have installed multiple versions in this directory, the number at the end of the exe may have been incremented

MacOSX

  • Quit the application and stop the FileCatalyst service by using ‘System Preferences’ located under the Apple menu
  • Locate FileCatalyst Server and stop the service
  • To uninstall the service, open ‘System Preferences’, find the FileCatalyst Server service module, right-click on it and click ‘remove from pane’
  • From the ‘Finder’ window, click on ‘Applications’, find  FileCatalystServer.app, right-click on it and delete it
  • From the ‘Finder’ window, click on ‘Applications’, find  FileCatalystServerAdmin.app, right-click on it and delete it
  • Use ‘Finder’ to access the Library folder, open ‘Application Support’ and delete the FileCatalyst folder (path e.g. '/Library/Application Support/FileCatalyst' or '/Users/<username>/Library/Application Support/FileCatalyst')

Linux

Note: You may need admin access to perform some of these commands

  • If you are running the FileCatalyst Server stand-alone (e.g. running fc_server.sh or fc_server_console.sh script), you need to shut down the FileCatalyst Server  
  • Open a new Terminal window
  • Navigate to the folder where your server is installed (e.g. /opt/utechsoft/server/) 
  • Execute the command "./fc_server_shutdown.sh"
  • Verify the service is down by running the command ps -ef | egrep -i "filecatalystserver"
  • If you are running the FileCatalyst Server as a service, stop the service by using the appropriate command needed for your version of Linux in the terminal window (Ubuntu e.g. "service fcserver stop")
    • Remove the service by navigating to service_wrapper folder located within the server folder (e.g. /opt/utechsoft/server/service_wrapper)
    • Run ./uninstall.sh
  • You can now remove the folder structure by using rm -rf  <path to the server directory>  (e.g. rm -rf /opt/utechsoft/server)

2 Managing Users, Groups, and Virtual Files/Folders

2.a Overview

Users Overview

FileCatalyst Users live at the application layer, and are managed by our internal database. Unlike standard UNIX FTP servers, you do not need to create a user at the OS level in order to utilize FTP access. If the user also exists on the operating system however, FileCatalyst Server can authenticate the user using external directory services such as Active Directory, LDAP or PAM.

FileCatalyst users by default are jailed to their home directories. This security feature ensures that a user cannot see data which does not belong to them (i.e. cannot see "C:\Windows") .

Example: Bob has a home directory of "D:/data/bob/". They can only see files within this directory structure when logged into the server. Files outside of the home directory are inaccessible (cannot modify files in C:/Program Files/ for example).

User jailed in home directory by default.

If you require more flexibility (i.e. user needs to access more than one mount point, or more than one user needs to collaborate on work together), you need to enable Virtual Files/Folders.

Virtual Files/Folders Overview

Virtual Folders allow an administrator to create multi-pathed home directories, and give flexibility to allow users access to directories they need access to. Virtual Files allow an administrator to give access to specific files outside of the users home directory.

Example: Bob requires access to project files stored in "Y:/DEV" in addition to files in his home directory.

On the server, we can create a Virtual Folder (i.e. "project1" with a path "Y:/DEV//"). Once this is done, the Virtual Folder can be assigned to the user, where it will appear as a mounted subdirectory inside his home directory. Note that these labels will be case insensitive on a Windows machine. (i.e. "project1" is the same as "PROJect1")

Multiple Virtual Files and Folders may be assigned to a user, each with assigned permissions.

User jailed in home directory by default.

In this example, a new subdirectory "/project1/" would be visible from Bob's user home, which can access files stored under "Y:/DEV/".

User Groups Overview

For larger and more complex configurations, user groups are available. These allow administrators to easily map drive access to organizational roles (example: IT staff needs access to backups), and allow users to be assigned to one or more groups.

User jailed in home directory by default.

When assigning Virtual Files or Folders to either Users or Groups, permissions may also be granted. If multiple paths exist to a file or folder (example: John sees folder "project1" both through "IT" and "development" group), permissions are stacked for each access a user has to that file or folder.

Permission Overview

As the user (and groups and virtual files/folders) are contained in the application layer, permissions a user has to their files and directories are handled in the FileCatalyst Application as well.

There are 10 permissions assigned either to the user (used when accessing content in their home directory) or to virtual files/folders (either directly assigned to the user or via group relationships). 5 apply to files, 5 apply to folders.

File Permissions

Download Files

If selected, the user has the ability to download files from the server.

Note: Upload with Incremental Delta's requires download permission as part of the RSYNC algorithm (signature files).

Upload Files

If selected, the user has the ability to upload files to the server. This does not indicate that they can modify or overwrite files if they already exist.

Note: Download with Incremental Delta's requires download permission as part of the RSYNC algorithm (signature files).

Modify/Overwrite Files

If selected, the user is given permission to upload files, as well as modify existing files by overwriting, or performing file operations (chmod, etc).

Note: Some features require modify/overwrite permissions:

  • HTTP upload transfers need this enabled, as HTTP blocks are appended to a file and are considered "modified" rather than an original upload.
  • Transfers using auto-resume as an option require modify to be enabled, as resuming a partially transferred file is considered modification of an existing file.
Delete Files

If selected, the user is able to delete files from the server.

Rename Files

If enabled, the user is able to rename existing files on the server.

Note: Upload transfers with temporary filenames requires rename permissions to be enabled.

Folder Permissions

List Directories

If enabled, the user is given permission to browse the file system, and get directory and file listings. This is required for FileCatalyst HotFolder's download option to work correctly.

Create Directories

If selected, the user will be able to create new directories on the server.

Modify Directories

If selected, the user is given permission to create new directories, and modify existing directories (chmod, etc)

Delete Directories

If selected, the user is permitted to delete existing directories from the server.

Rename Directories

If enabled, the user is able to rename existing directories.

2.b User Manager

Main User Screen

FileCatalyst Server uses a user-based permissions system which allows administrators to create and manage user accounts for all users of the system. The user menu allows administrators to add, edit, or delete existing user accounts. Each user also has a Connect link which provides access to the Quick Connect functionality.

Accounts that are faded indicate they are not active, either because they have been disabled or have expired. The red anonymous account is disabled by default. By enabling this account, it allows users to anonymously access the system, with no password required.

Creating a New User

To create a new user, click the "New" button and follow the steps in the wizard. You will be prompted to specify a username, password, permission settings, and account information before the user is added to the system.

Managing Existing Users

To edit, or delete existing users, right click and select the appropriate option, or click the “Delete” or “Edit” text inside the panel.

Search Existing Users

To bring up the find window in the user list, select the menu item "Actions -- Find User", or press "ctrl-f".

2.c User Authentication

Edit User Screen

Username

The username of this account, used to authenticate with the server.

Change Account Password

To change the account password, click the change account password button and fill out the required fields.

Note: User passwords are stored on the FileCatalyst Server for users created by the administration tool. Changing a password for an existing user will modify the encrypted password entry in the database.

Users created by auto provisioning (LDAP and Database) have passwords stored in the remote authentication service. As FileCatalyst supports LDAP in read only mode, password changes on users will not modify the LDAP repository but place a password entry on the local file only.

2.d User Information

Edit Info Screen

Full Name

The full name of the user to whom this account is assigned (optional)

Email Address

The email address of the user to whom this account is assigned (optional)

2.e Account Settings

Edit Settings Screen

Disabling User Accounts

By deselecting the "Account Enabled" checkbox, the user will be unable to log on to the server or access any files or directories.

User Home Directory

The home directory of the user is the root directory to which they will have access. For example, if the user's home directory is specified as C:\Users\MyUsername\, they can access the MyUsername folder, and anything below it (i.e. C:\Users\MyUsername\MyNewDirectory)

Force File Ownership (Upload Only)

By selecting the "Force File Ownership" checkbox, all files transferred to the user will have their operating system user ownership set to the value specified. If the "Use user login" checkbox is selected, the FileCatalyst user's current username will be used instead of the specified value.

Note 1: On Linux, an additional field allows configuring group ownership.

Note 2: Force File Ownership is currently only supported with internal file systems. All external file system transfers will not have their file ownership changed to the configured value.

Note 3: If the Maintain UID/GID system property is enabled, the user and group data will be updated to accept user and group identifiers. Please note that this functionality is only on Linux operating systems.

Account Expiry

To specify an account expiry (a time and date at which the account will no longer be active), ensure the "Enable Account Expiry" checkbox is selected and enter the time and date in the applicable field.

Disk Write IO Test

Commands the server to perform a sequential write operation to the user's home directory. Using a small file size will likely demonstrate only system/hardware cache availability. Select a larger file size to test and show true disk write speeds.

A maximum timeout value (seconds) can be set to ensure that the I/O test stops after a specified time. If the test was not able to complete when the timeout expires, the last speed before stopping will be returned, and all I/O resources will be released back to the server.

NOTE:The test creates a temporary file on the disk. Ensure that enough space is available for the test.

2.f User Permissions

Edit Permissions Screen

Permissions details can be found here.

Read/Write

Shortcut that selects all permission for the user for both files and folders.

Read Only

Shortcut that selects only File Download and Folder List permissions.

Write Only

Shortcut that selects permissions normally required for a user which only needs to upload files to the server.

Clear

Removes all permissions to the user.


2.g Bandwidth / Quota

Edit Quota Screen

Priority

This setting determines how much bandwidth will be allocated to a connected user in proportion to other connected users. The possible settings are High, Medium, and Low. The weight of each priority is 10, 5, and 1 respectively. The combined weights of all connected users are added together, and divided into the total available bandwidth of the server. The result is then multiplied by the weight of the user to determine the actual allocated bandwidth. For instance, if there is a high priority user and a low priority user connected, and the server is licensed for 100 Mbps, then the total priority is 11. Divided into 100000, this gives 9090.09 Kbps. This means the low priority user will get 9.09 Mbps, and the high priority user will get 90.91 Mbps.

If only one user is connected, they will be allocated all available bandwidth.

Bandwidth

This setting determines the maximum bandwidth for a particular user, regardless of what is allocated to them via the priority settings. (Note that when there are multiple connections to the FileCatalyst Server from the same user account, bandwidth allocation is distributed evenly among all sessions using that account.)

This setting is useful if the available bandwidth of the end user is known to be a particular value. This ensures that all UDP transfers will never exceed that value. Although the end user also has the option to specify the maximum bandwidth on the client side, this might be easier.

If the calculated bandwidth based on priority is higher than the maximum value specified in this setting, the difference will be re-allocated to all other connected users.

This setting helps maintain fairness and still make optimal use of available bandwidth.

Note on slower bandwidth settings (most noticeable below 100Kbps) it may be necessary to lower the packet size of the udp transfers to get a tighter control over the limit due to the granularity effect packet size has on bandwidth throttling.

Daily Quota (Upload Only)

This setting ensures that a user cannot upload more than the specified value in KB on a given day. A day is determined by the date settings on the server machine. Note that this is not a disk usage quota, but a fair usage quota. A user who has exceeded their quota is not necessarily blocked from transferring; however priority is always given to users with daily quota remaining.

For example, if all currently connected users have exceeded their daily usage quota, all transfers may proceed with no restrictions. The instant a user (lets call them userX) who has not exceeded their daily usage quota connects, all users who have previously exceeded their quota will be prevented from transferring while priority is given to userX. Once userX exceeds their daily usage quota, all users will again be able to transfer without restrictions.

The administrator may reset Daily Usage by clicking the Reset button.

2.h Virtual Files/Folders

Virtual Folders allow an administrator to select a secondary path to which a user may browse into and transfer files outside of their home directory. Virtual Files allow the administrator to give access to specific files outside the users home directory. To the end-user, these files and folders will appear as either a simple subdirectory structure they can CD into, or a file in their home directory root. Virtual Files/Folders can point to anywhere the server can access, including alternate local drives ("D:/") or an accessible UNC paths ("\\10.1.1.3\datadrive\").

Virtual Folder List

Note: It is always recommended to utilize UNC paths rather than mapped drives on a Windows environment if the FileCatalyst Server is going to be run as a service.

New

Launch the Virtual File/Folder Wizard.

Browse

Open up the native browser to explore the virtual file/folder location (only available Remote Admin running on the server).

Edit

Modify the Virtual File/Folder, including assigning it to either Users or Groups.

Delete

Remove the Virtual file/Folder. Will remove all assigned references to Users and Groups.

2.i Creating Virtual File/Folder

Creating a Virtual File/Folder

Label

This represents the sub-directory or file name a user will see in their home directory when logging into the system.

In the example above, if the user performs a "cd roadmap" upon logging into the system, they would be redirected to the contents of "I:/future/".

Description

Description of the file or folder. Useful for administrators to recognize the purpose of the virtual file or folder.

Physical Path

Physical disk location on the server where this virtual file or folder is pointing. This can be a local file or full UNC path (i.e. "\\10.1.1.1\dir\").

2.j Assigning Virtual Files/Folders to Users and Groups

There are three different avenues you can take to assign Virtual Files/Folders:

  • Edit the Virtual File/Folder directly by first navigating to the File/Folder List (shown below).
  • Assign a Virtual File/Folder to a group by editing User Groups.
  • Assign a Virtual File/Folder to a user by editing a User.

Each has advantages -- editing the Virtual File/Folder directly, you can assign it to all Users and Groups in one screen. On the other hand, assigning it by editing a User allows you to see if the Virtual File/Folder is already assigned to the user via a group assignment.

Editing a Virtual File/Folder from the Virtual File/Folder List

Once a Virtual File/Folder has been created, you can then edit it and start assigning it to either Users directly or to User Groups. Permissions the User and Group have to the Virtual File/Folder can be selected as it is assigned, or can be edited afterwards.

Assigning Virtual Folders to Users and Groups

Note: Permissions stated as "ADV" fall outside of basic configuration of READ or ALL (read-write). Details can be viewed by selecting the permission link on the list.

Note: Changes to the User or Group list is modified immediately on the FileCatalyst Server database. The standard Apply and Cancel (where modifications wait for administrator confirmation) does not apply here.

Editing a User to assign Virtual Files/Folders

By editing a User and selecting the "Files/Folders" tab, you can also have a look at what Virtual Files/Folders a User can have access to. This also allows an administrator to quickly see not only what file and folders a user has access to, but what permissions are granted either directly or via groups which a user is assigned to.

Assigning Virtual Files/Folders to a User

Note: A star '*' next to READ/ALL/ADV indicates that multiple permissions are granted to the user either by direct assignment of a folder or through various groups, and that these are the sum total of the permissions granted to the user.

It is possible to assign a Virtual File/Folder to a User even if they already have permission to access the folder via a User Group.

It is not possible from this panel to remove assignment of a Virtual File/Folder from a User if assignment is granted via a User Group. The administrator needs to modify either the group access to a Virtual Folder or this User's access to Groups.

2.k User Groups

User Groups allow easier management of Virtual Files/Folders by joining common access and permissions granted to multiple users on a team to be controlled in a single location.

User Group List

New

Launch the User Group Wizard.

Edit

Modify the User Group, including assigning Users or Virtual Files/Folders to the Group.

Disable/Enable Group (right click option)

Disable the User Group. Allows an administrator to temporarily restrict access that a group provides without permanently removing the group's configuration.

Delete

Remove the User Group.

2.l Creating User Groups

User Groups

Group Name

Unique name on the FileCatalyst system to represent the Group. This is the name which will appear when provisioning a Virtual File/Folder to the Group or assigning a User to a Group.

Group Description

Description of the User Group. Useful for administrators to recognize the purpose of the group.

2.m Editing Groups

Once a User Group has been created, you can start assigning Users to the Group, and configure Virtual Files/Folders to be accessible to the Group.

Assigning Users to a Group

Assigning Users to Groups

Assigning Virtual Folders/Files to Groups

Assigning Virtual Folders to Groups

Note: Permissions stated as "ADV" fall outside of basic configuration of READ or ALL (read-write). Details can be viewed by selecting the permission link on the list.

2.n Authentication Services (LDAP, RDBMS, PAM)

In addition to the internal user definitions, FileCatalyst Server allows the integration of LDAP servers for user management. This allows easy integration into existing corporate infrastructures, and allows users already defined in a corporate environment to be auto-provisioned.

Two different types of LDAP databases are supported by FileCatalyst server: OpenLDAP and Active Directory. Both can support multiple context strings, allowing easy integration on even complex corporate structures. LDAP queries over SSL (ldaps://, default port 636) are supported for secure encrypted communication between the FileCatalyst server and the remote authentication service.

Note: FileCatalyst does not support the ldapi:// protocol, which is also known as StartTLS, where an LDAP connection is established first (ex. on port 389) and then it becomes protected via TLS. Be sure your TLS LDAP server is configured for the ldaps:// protocol.

Authentication Screen

Service Switch

The service switch defines which order FileCatalyst Server will query authentication services to validate a user/password pair. The syntax is similar to the nslookup switch on Unix systems, and is configurable by the Authentication Wizard ("Setup" button).

Acceptable values are combinations of:

"internalDB"
"OpenLDAP"
"ActiveDirectory"
"db"
"PAM"

Enable Auto-provisioning

If OpenLDAP or Active Directory has been selected as an authentication service, the administrator can configure the server to automatically create users which already exist in the remote authentication service the first time they attempt to log in. If this is disabled, users must be explicitly be created by an administrator before being granted access to the server.

User accounts that are auto provisioned will be created using settings listed under the User Defaults tab.

If auto provisioned users should use a home directory found in the LDAP service, the administrator must edit the fcconf.conf file and specify the name of the appropriate parameter (e.g. homeDirectory) using the key FCServer.server.config.LDAP.homedir.attribute

OpenLDAP and Active Directory Configurations

Any changes to LDAP configuration must be sent to the server first ("Apply" button) before they can be tested or used by FileCatalyst server. For step by step LDAP configuration and examples, start the Authentication Setup Wizard ("Setup" button).

Verify Directory Services Online

Tests if remote directory services (OpenLDAP and/or Active Directory) are currently on-line and available to the FileCatalyst server. Used primarily to verify that the port/IP have been properly configured.

Test Authentication

Test complete authentication process on the FileCatalyst server. Administrator must provide a username/password pair. Server logs during the authentication process are output to capture trace and error logs.

2.o Installing an SSL Certificate

To simplify the certificate installation process, steps 2-4 are best executed from within a Windows command line. In the examples, the certificate authority file used is "cacerts", which is part of the JVM/JRE directory as seen in step 2.

  1. Set up the LDAP server or Active Directory server with your certificate according to your organization's particulars.
  2. Copy the certificate authority file into the FileCatalyst Direct Server directory. Using default installation paths, your command will look like this:
    copy "c:\Program Files\FileCatalyst Server\jre\lib\security\cacerts" "c:\Program Files\FileCatalyst Server\"
  3. Copy the certificate file(s) onto the FileCatalyst Direct server directory. This must be an X.509 certificate format.  Note: For Active directory servers, the certificate is normally found on the root (c:\) directory. Example:
    copy "c:\mycertificate.crt" "c:\Program Files\FileCatalyst Server\"
  4. Import the LDAP server certificate key into authority file using Keytool, which is distributed with JAVA. Note: Replace values represented by <> brackets with appropriate values. The "alias" is arbitrary and can be any easy-to-remember value. You will be prompted for a keystore password. By default, cacerts has a password of "changeit". Example import command:
    "c:\Program Files\FileCatalyst Server\jre\bin\keytool.exe" -import -alias <myldapserver> -file <mycertificate.crt> -keystore "c:\Program Files\FileCatalyst Server\cacerts"
  5. Insert the authority file keystore into fcconf.conf. Open fcconf.conf in an editor and modify the appropriate line as follows:
    FCServer.server.config.LDAP.ssl.selfsignkeystore=c:/Program Files/FileCatalyst Server/cacerts

2.p Authentication Setup Wizard

Select Authentication Services

Select Services

One or more authentication services may be selected for FileCatalyst Server. If an OpenLDAP or Active directory server is selected, you have the additional option of enabling users found on these remote authentication services to be auto provisioned.

OpenLDAP

OpenLDAP in Wizard
OpenLDAP URL and Port

Enter the URL and Port Number of the server to connect to. The URL must start with "ldap://" or "ldaps://". By default, LDAP servers use port 389 for regular LDAP connections, and 636 for LDAP over SSL connections.

NOTE: Secure LDAP connections require a signed SSL certificate be installed on the LDAP server to function properly and securely. Though not recommended, the use of self-signed SSL certificates is possible. The SSL certificate file (.pem or .pkcs12) must first be transformed into a Java TrustStore file, and requires having the Java virtual machine on the FileCatalyst Server side accept the certificate as valid and trusted.

Once the certificate is a TrustStore, manually edit the FileCatalyst Server fcconf.conf file and add the following line:
FCServer.server.config.LDAP.ssl.selfsignkeystore=TrustStore.filename

Context Strings

Context strings are required for LDAP queries to uniquely identify a user in the repository. They are templates for the queries. The LDAP driver requires that curly brackets "{userinput}" exist in the context string, as these will be removed and replaced with the username during the login process. The FileCatalyst Server will try each context string, one at a time, until it finds one that works for the user being queried. Context strings are matched against configured LDAP dn values. Therefore, each context string must match the intended dn values exactly.
For example: If the LDAP server is configured with dn values formatted such as
dn: cn=victor,ou=People,dc=utechsoft,dc=com
where victor is a username, then the matching context string must be
cn={userinput},ou=People,dc=utechsoft,dc=com
Alternative dn formats may use a different RDN (relative distinguished name) syntax for the username instead of cn= (for example, uid=victor). Configure your context string(s) appropriately.

Multiple context strings (one per line) can be entered for LDAP queries to satisfy more complex organizations. Configuring specific distinguished names also allows organizations to limit access to the application to only a subset of users where required. To optimize performance it is best to list multiple context strings in order of most preferred or most prevalent matching strings first.

Active Directory

ActiveDirectory in Wizard
Active Directory URL and Port

Enter the URL and Port Number of the server to connect to. The URL must start with "ldap://" or "ldaps://". By default, LDAP servers use port 389 for regular LDAP connections, and 636 for LDAP over SSL connections.

ActiveDirectory Context Strings
Active Directory Context Strings

Context strings are required for Microsoft Active Directory to uniquely identify a user in the repository. The LDAP driver requires that curly brackets "{userinput}" exist in the context string to be replaced with the user name during the login process.

Values normally modified:

  • enter the user domain
  • enter the search base (identifies your organization)
  • fill in the security group (to limit access to subset of users)

Multiple context strings (one per line) can be entered for LDAP queries to satisfy more complex organizations. Security groups in Active Directory can optionally be entered to restrict access to FileCatalyst to a subset of users.

ActiveDirectory Context Strings
Active Directory Authentication Service Switch

This switch determines the order in which the authentication services are called. By default, FileCatalyst Server requires a positive authentication from only one authentication service to accept an incoming user connection.

Active Directory Limitations

The names of security principal objects can contain all Unicode characters except the special LDAP characters defined in RFC 2253. This list of special characters includes: a leading space; a trailing space; and any of the following characters: # , + " \ < > ;

Test LDAP Settings

Test LDAP Authentication

The complete authentication process is validated on the FileCatalyst server. Administrator must provide a username/password pair. Server logs during the authentication process are output to the dialog box to capture any issues with the login procedure. This is the preferred method of validating authentication services.

Multiple Disjointed Directory Services

For organizations with multiple ActiveDirectory or OpenLDAP servers, it is normally best practice to configure the directory services to point to each other, allowing one AD or OpenLDAP server to authenticate any user within the organization.

If this is not possible, FileCatalyst does have the ability to support multiple ActiveDirectory or OpenLDAP servers. This must be done by editing fcconf.conf and manually setting LDAP settings for additional LDAP server.

## Example shows two active directory servers being utilized for user authentication.
## Default "ActiveDirectory" values can be edited via GUI
## "ActiveDirectory01" values must be edited in the configuration file

## authentication switch
FCServer.server.config.user.auth=ActiveDirectory ActiveDirectory01 internalDB

## Default AD server. These values may be edited (as before) in the GUI
FCServer.server.config.LDAP.AD.url=ldaps://192.168.1.99
FCServer.server.config.LDAP.AD.port=636
FCServer.server.config.LDAP.AD.context.00=SECURITY_PRINCIPAL=TEST\\{userinput}SEARCH_FILTER=
(&(sAMAccountName={userinput}))SEARCH_BASE=dc=unlimitechSECURITY_GROUPS=FCUsers

## ActiveDirectory01. Name in authentication switch MUST START WITH either
##"ActiveDirectory" or "OpenLDAP" to be valid, plus an additional label ("01" in this example)
FCServer.server.config.LDAP.AD.01.url=ldap://10.1.1.99
FCServer.server.config.LDAP.AD.01.port=389
FCServer.server.config.LDAP.AD.01.context.00=SECURITY_PRINCIPAL=DOMAIN2\\{userinput}SEARCH_FILTER=
(&(sAMAccountName={userinput}))SEARCH_BASE=dc=unlimitechSECURITY_GROUPS=

RDBMS as Authentication Service

Organizations where user/password information in stored in relational database (i.e. MySQL, Oracle), FileCatalyst can be configured to utilize JDBC drivers and query user tables to validate user/password pair.

This must be done by editing fcconf.conf and manually directory services. Multiple databases may be utilized for authentication.

## Example shows a MySQL and Oracle servers being utilized for user authentication.

## authentication switch
FCServer.server.config.user.auth=db db01 internalDB
#
# FCServer.server.config.auth.db.authenticationquery=SELECT username FROM users WHERE username=
'{username}' AND password='{password}'
# FCServer.server.config.auth.db.jdbcpath=C:/Program Files/FileCatalyst Server/lib/
mysql-connector-java-5.1.8-bin.jar
# FCServer.server.config.auth.db.jdbcdriver=com.mysql.jdbc.Driver
# FCServer.server.config.auth.db.jdbcconnectionstring=jdbc:mysql://10.1.1.50:3306/schemaname
# FCServer.server.config.auth.db.jdbcuser=mydbuser
# FCServer.server.config.auth.db.jdbcpasswd=mydbpassword
# FCServer.server.config.auth.db.jdbcvalidationquery=SELECT * FROM mysql.db
# FCServer.server.config.auth.db.password_encrypt=false
#
# FCServer.server.config.auth.db.01.authenticationquery=SELECT * FROM schemauser.usertable WHERE username=
'{username}' AND password='{password}'
# FCServer.server.config.auth.db.01.jdbcpath=C:/Oracle/XEClient/jdbc/lib/ojdbc14.jar
# FCServer.server.config.auth.db.01.jdbcdriver=oracle.jdbc.OracleDriver
# FCServer.server.config.auth.db.01.jdbcconnectionstring=jdbc:oracle:thin:schemauser/system@10.1.1.46:1521/XE
# FCServer.server.config.auth.db.01.jdbcuser=schemauser
# FCServer.server.config.auth.db.01.jdbcpasswd=system
# FCServer.server.config.auth.db.01.jdbcvalidationquery=SELECT * FROM DUAL
# FCServer.server.config.auth.db.01.password_encrypt=true
authenticationquery

Provides FileCatalyst Server with the SQL used to determine if the supplied credentials are valid. The authentication query MUST contain {username} and {password} to properly function. NOTE: If the function returns a record, authentication is considered successful.

jdbcpath

JAR for the JDBC driver. This is provided by the database vendor.

jdbcdriver

Class name for the JDBC driver. These are provided by the database vendor.

jdbcconnectionstring

Database connection parameters. This includes server IP, Port, driver type, and database identifier.

jdbcuser

Database credentials required to log into the database.

jdbcpasswd

Database credentials required to log into the database.

jdbcvalidationquery

Performed to ensure that the JDBC connection is still up. This should be a quick running query that can be periodically run by the JDBC pool (for Oracle, you can use "select * from dual").

password_encrypt

Used when the user passwords are encrypted as an MD5 hash on the database already. Setting this value to true will enable the MD5 hash value to be sent over the JDBC connection in the query instead of the plain text password (default false).

OpenLDAP with Security Filters

Organizations that use an implementation of LDAP such as OpenLDAP or SunONE directory services can specify a security filter against which users will be authenticated. The authentication involves two steps. The first step is to make sure the user can bind with the username and password provided. The second step is to check if the user meets the security filter defined in the context.

To define a security filter, append SECURITY_FILTER at the end of the context string.

This must be done by editing fcconf.conf or manually entering it through the user interface.

# To enable security filtering searches, append SECURITY_FILTER={filter string}
at the end of the context string.
# {filter string} is to be replaced by the string you wish to filter users. Context 3, 4, and 5 will
show examples of this.
# EXAMPLES:
# FCServer.server.config.LDAP.open.context.00=displayName={userinput},dc=myCompanyName,dc=com
# FCServer.server.config.LDAP.open.context.01=mail={userinput},dc=myCompanyName,dc=com
# FCServer.server.config.LDAP.open.context.02=sn={userinput},dc=myCompanyName,dc=com
# FCServer.server.config.LDAP.open.context.03=displayName={userinput},dc=myCompanyName,dc=comSECURITY_FILTER=
(&(mail={userinput})(uid=100))
# FCServer.server.config.LDAP.open.context.04=mail={userinput},dc=myCompanyName,dc=comSECURITY_FILTER=
(&(mail={userinput})(cn=admin))
# FCServer.server.config.LDAP.open.context.05=sn={userinput},dc=myCompanyName,dc=comSECURITY_FILTER=
(&(mail={userinput})(admin=true))

Unix PAM as Authentication Service

When installing the FileCatalyst Server on a UNIX machine, you can configure the application to authenticate against the operating system using native PAM interface. This allows you to configure users either on the OS (/etc/passwd + /etc/shadow files) or point to another authentication system (i.e. NIS server).

Authentication switch should have the PAM in it to direct calls.

FCServer.server.config.user.auth=PAM internalDB
# - This setup means that user lookup is done using PAM first.
# - If the user is not found or password does not match, an additional search is
# performed on an the Files.
                    

Configuration of PAM on the system requires several steps to prepare the operating system to accept calls from the FileCatalyst Server. Please refer to the JPAM_README.txt and RELEASE_NOTES.txt under the Unix ./jpam/ folder for details.

2.q User Defaults

User Defaults allows the administrator to pre-define what configuration values a new user shall have by default when created. These are a subset of the options presented when editing a user account.

User Defaults Screen

Account Settings

The Default User Home Directory Root specifies where user directories will be stored by default. Sub-directories using the username will be created from this location to separate user files. In the following example, a new user "joe" created would have his user files default to "C:/Program Files/FileCatalyst Server/data/joe/" directory.

Permissions

Select file and folder permissions that an account will have by default.

Bandwidth / Quota

The priority and volume of data (upload only) the user will be entitled to use by default.

Usernames

By default, the FileCatalyst Direct Server allows case sensitive usernames. A user identified as ‘bob’ is different than ‘BOB’ or ‘Bob’.

Microsoft Active Directory, on the other hand, is case insensitive; consequently, when AD authentication is coupled with auto-provisioning, duplicate entries are created. To solve this issue, you may configure FileCatalyst Server to force all user names to be case insensitive.

Note: When choosing to enable this feature, a user list purge is required on the server. This means:

  • All users will have their usernames converted to lowercase.
  • Duplicate users found on the system (‘Bob’, ‘BOB’, ‘bob’) will be removed from the system. When duplicate users are detected, the purge will try to keep the user with only lowercase characters if possible (‘bob’ in this case is preserved).
  • All existing connections must be dropped for the user list to be purged. Clients can connect after the purge is complete.

Note: To roll back changes:

  • Uncheck force username on GUI, and hit Apply
  • Stop FileCatalyst Direct Server
  • Replace the .fcdb\FCSERVER_DB folder with one from backup/database/<date of backup> where the date of backup is from before the conversion.
  • Start FileCatalyst Direct Server

At this point, you will have returned the user list to the state it was before the purge.

2.r Login Security

FileCatalyst Server can be configured to block user accounts and/or IP addresses which have been identified as having multiple consecutive failed login attempts. This includes consecutive failures which may have occurred before the relevant options are enabled by the administrator. When the limit is reached, login failures are recorded in the application log files. If the Monitoring Agent is configured, alarms are also sent out notifying that a User account or IP address has had multiple consecutive login failures.

FileCatalyst Server records the event and may enforce one of two actions:

  • Temporarily block logins for the account/IP (to prevent brute force attacks on user passwords).
  • Permanently block user accounts (or IP addresses using IP Filters).

Once user accounts have been blocked, they are “grayed out” in the Users section of the FileCatalyst Server interface. A link with the label “unblock” also appears, allowing the account to be re-enabled.

If the Monitoring Agent is configured, an additional alarm will be sent to alert the fact that accounts/IPs have been disabled.

Login Security Screen

User accounts

Default failure limit is set to 5 consecutive login failures. Account blocking is enabled by default for a 3 minute interval (180 seconds).

IP Addresses

Default failure limit is set to 50 consecutive login failures. IP blocking is disabled by default. Recommended 600 seconds (10 minute) timeout if set.

Note: It is recommended that the IP address limits be above those for specific user accounts to prevent a single user who forgot their password from blocking an entire remote office.

2.s Quick Connect

Once a user has been added to the File Catalyst Server, it is possible to use the connect option to transfer data between the file system and the user's directory.

Note: Quick connect from the Server uses 2 connections. One is for browsing and the other is used to transfer files.

To open the quick connect, click on the connect text inside the panel.

Main User Screen

In the connect dialog, you may navigate to the files you wish to move and the location you wish to move them using the directory trees, listings and path text fields. In order to transfer files, select the files or folders you wish to move and drag them across to the other side.

Quick Connect Screen

Once the transfer has begun, the progress and status of each file transfer is visible in the panel below the file listings.

Quick Connect Screen with Transfer

3 Advanced Settings

3.a Network

Advanced Settings Main

Bind to Server IP Address

FileCatalyst Server can bind server port to specific IP addresses hosted by the machine. By default, the server will try to bind (port 21) on all IP addressed assigned to the host.

In some situations the server will try and bind to an IP address that has not yet been initialized by the server. If you are experiencing this problem, you can add a bind timeout too allow for more time to establish a bind. To add this value, you must add the following new line to the fcconf.conf:

FCServer.server.config.bind.timeout=TIME

Replace "TIME" with the number of millisecond you wish to wait to establish a bind. The default is 30000.

Server Port

The port on which the server is listening for incoming connections. Clients connecting into this port should be aware that the data (including user/password) are non-encrypted, and can be intercepted on the network. This is maintained mostly for backwards compatibility with standard FTP. Default 21.

Secure Server Port

FTPS port, where connection data is encrypted using SSL. Default port 990. By default, a self-signed SSL certificate will be created at run-time by the application. Configuration of an alternate SSL certificate may be done by navigating to the Security panel.

Data Port Range

The port range which the server can use for data connections.

Masquerade Address

When FileCatalyst server is running on a private IP address, behind a NAT device, you must specify the public IP of the NAT device in order for FileCatalyst to allow connections from outside the NAT.

Bypass Masquerade Address for local connections

By default, the IP masquerade applies to all connections. However, it may be desirable to bypass the masquerade address for local connections. A local connection is considered one whose IP address is within the 192.168.*.*, 172.16-31.*.*, or 10.*.*.* ranges.

Idle Timeout

The amount of time (in seconds) to remain idle before automatically disconnecting a client. This value defaults to 300 seconds or 5 minutes. Note that in some cases the client may be executing long running processes such as an MD5 or delta calculation on very large files and thus it may be necessary to increase this value.

3.b Memory

Advanced Memory

Maximum Block Size

The maximum block size dictates to all clients uploading files what the maximum block size will be. The block size determines how much data will be stored and sent at one time from the transmitter to the receiver. For example, if the block size is 10MB (10240000 bytes) then 10MB of data will be sent before proceeding to the next 10MB of data. Generally the larger the block size the better the throughput due to less acknowledgments. A server with a larger amount of memory may have a larger maximum block size. Consideration should be given to how many concurrent transfers may be occurring at one time as the memory usage of the server may rise to the product of the maximum block size * the maximum sender threads * the number of concurrent connections.

Maximum Packet Size

The maximum UDP packet size that client applications can send to the server. Generally this should be less than the MTU of your network, usually 1500.

Maximum Sender Threads

In order to improve performance, FileCatalyst transmit clients can begin to send another block of data before the previous block has been acknowledged. This setting defines how many blocks can be started before waiting for all previous blocks to be acknowledged. This improves performance as it removes the down time between when the transmitter has sent an entire block and when the receiver has acknowledged the receipt of that block. The memory consumption on the server and the client will necessarily consume more memory the higher this value is set. The amount of memory will be the product of the number of threads and the block size. Since the overlap time can be quite small, sometimes only 0.5 seconds or lower, the memory usage may appear to increase then drop once the previous block has been acknowledged

Concurrent Connection Limit / Configure for High Server Load

When enabled, the server can set a maximum concurrent user limit below the value granted in the license.

As a general rule, very high latency and high bandwidth network conditions often see performance improvements by having higher number of sender threads or allocating larger block size each thread. With limited memory on a system and a large volume of concurrent users connecting, you can encounter situations where the Java Virtual Machine runs out of memory, and cannot accept new connections.

If this scenario is encountered, the solution can either decrease memory allocation each user consumes server-side (the button ‘Configure for High Server Load’ does this), or limit the number of concurrent users while maintaining high throughput links within available memory.

3.c UDP Resources

UDP Resources

When configuring the FileCatalyst server to achieve high speed levels (500Mbps - 10Gbps for a single connection), several optimizations must be done in order to make sure the system is able to utilize multiple cores of a server. These include configuring the number of reader threads per connection, packet processors (used for decoding AES packets on the receiver side), and the number of block writers.

# Reader threads

Number of threads PER CONNECTION spawned to read blocks off the disk and place them into the sender queue ready for transport. On the server, setting this value will only affect downloads. Most systems perform optimally when you configure only 1 thread to perform reading. There are two scenarios where this value should be moved up: when IO tests have shown that adding threads increases throughput for your storage device, or when utilizing high CPU load (more sender threads than CPU cores, or utilizing high CPU options such as AES encryption or LMZA compression), a single thread doing the block reads may be pushed down in priority and be CPU starved, causing a slowdown in transfer speeds. Multiple threads may help both of these scenarios. If your system is configured to accept 50+ concurrent connections, it is recommended to leave this value at the default settings (1) to minimize system resources.

Reader block size

By default, the block size used for each read operation is the same size specified by the client in the network block size. This can be adjusted for improved performance. Please run the advanced IO testing tool to see what works best for your system.

Packet processors

Packet processors are responsible for taking packets off the network socket, decrypting them, and preparing them for the block writers. When using AES at speeds greater than 200Mbps, it may be required to increase the number of packet processors on the receiving end to ensure multiple CPU's are utilized to decrypt the incoming data.

On the server, setting this value will only affect uploads. If downloading data from the server, similar settings should be set on the client applications.

# of Writer threads

Number of threads PER CONNECTION spawned to write blocks off the disk. On the server, setting this value will only affect uploads. Writer threads in FileCatalyst perform the following tasks:

  • Uncompress data block (if using on-the-fly compression)
  • Perform MD5 checksum on block (if using on-the-fly Verification)
  • Write block data to disk

For systems using LMZA compression or possibly high speed transfers (> 1Gbps), setting multiple block writers may allow higher performance for single high speed connections. If your system is configured to accept 50+ concurrent connections, it is recommended to leave this value at the default settings (1) to minimize system resources.

Writer block size

By default, the block size used for each write operation is the same size specified by the client in the network block size. This can be adjusted for improved performance. Please run the advanced IO testing tool to see what works best for your system.

These values should be modified only after running through some performance IO testing. See here for more details.

3.d Miscellaneous

Miscellaneous Advanced

Bandwidth

Unlimited bandwidth for FTP LAN Transfers

By default, LAN FTP connections are granted unlimited bandwidth to the server. This behavior can be disabled, restricting even non-latent FTP traffic to abide by the server license restriction.

Enable Bandwidth Limit

In some cases, it may be beneficial to impose a bandwidth limit on the FileCatalyst Server. To enable a global bandwidth limit, select the Limit maximum bandwidth option, and then specify the limit that you wish to have. Do note, that this limit cannot be negative, and cannot exceed the bandwidth limit on the current FileCatalyst Server license.

System Monitor

Toggles the FileCatalyst Server to allow File System Event Monitoring, a feature provided with the HotFolder to trigger notifications when the file system detects a change event on a user directory. If errors are occurring because the file system is not compatible (some mounted network file systems), you can disable the feature to prevent error messages from appearing in the logs.

Rotation Time

This setting allows you to rotate logs and reset quotas at a time other than midnight. This is useful in situations where your server is located in a different time zone than most of your clients. i.e. you could have the quotas reset at midnight for your clients, rather than midnight on your server.

File Post Processing

The server will attempt to execute the given script after each file upload is complete passing in the following parameters into the said script. <%U%> will be replaced with the user receiving the transfer. <%F%> will be replaced with the absolute path to the uploaded file. If <%F%> is not found, the server will append the absolute path. <%A%> will be replaced with either UPLOAD or DOWNLOAD.

For example: /scripts/postProcess.sh <%F%>

Note: currently this feature is disabled for archiving since it defeats the purpose of batching large groups of small files together only to send a post command to the server for each individual file transferred, incurring the overhead that auto zipping (and Auto Archiving in multi manager) hoped to avoid.

Sample Scripts

Windows sample, to go into a .bat file. This script simply reads the parameters and saves the values to a post_process.log file

echo %1 %2 %3 >> C:\Program Files\FileCatalyst Server\post_process.log

Unix sample, to go into a .sh file. This script simply reads the parameters and saves the values to a post_process.log file

echo $1 $2 $3 >> /home/adminuser/post_process.log

3.e Server Optimizations

Server Optimization Advanced

Disable Force Flush

By default, write operations automatically flush both data and meta data to file system for all IO calls. Disabling force flush allows Java to utilizes the OS file cache (RAM). This option is only visible in advanced mode.

3.f Server License

Server License Screen

Server License

More details about the server license can be viewed and modified in this area. License changes can also be applied from a remote admin to the server.

Note: For FileCatalyst Server installs located on cloud-based environments (eg: Amazon EC2), you may encounter an issue where the request string changes between machine restarts. If you encounter this issue, you should be able to resolve it by performing the following operations:

  1. Shutdown the FileCatalyst Server instance
  2. Open the configuration file and locate the "FCServer.server.config.cloud" parameter
  3. Set the value to true and restart the application
  4. Your application will start with a new request string that will persist through machine restarts.
    • With this new request string, you must relicense your FileCatalyst Server with a new license. Please contact your license provider and have them generate a new license for your instance.

3.g System Properties

Debug Screen

System Properties

This advanced feature is a tool for tech support to change Java VM System Settings on the fly, do not change any settings here without help from tech support. System properties are case sensitive. Please contact support before attempting to use these features.

Server may require a restart for these values to take effect.

`
System Property Product Default value Known values Description
filecatalyst.embedded.webserver.enable.cache All clients true true,false System property that determines whether or not browsers should be caching files that are supplied by the internal web server.

In networks with high amounts of latency, enabling this property will reduce the amount of time that it takes for web browsers to load the web-based resources after they have been successfully loaded for the first time.
java.io.tmpdir All blank File system path to a temp directory. The java.io.tmpdir system property indicates the temporary directory used by the Java Virtual Machine (JVM) to create and store temporary files. The default value is typically "/tmp", or "/var/tmp" on Unix-like platforms. On Microsoft Windows systems the java.io.tmpdir property is typically "C:\WINNT\TEMP". When creating zip archives, the FileCatalyst Server creates the archives in the java.io.tmpdir. If this is not desirable, the java.io.tmpdir can be set to a more suitable location.
lmza_dict HotFolder, Server 16 0-28 2n value for dictionary size (16 represents 64K dictionary)
7-ZIP library specifies the following in their documentation:
-d{N}: set dictionary - [0,28], default: 23 (8MB)
Default value was lowered to allow faster throughput per core and keep RAM requirements reasonable.
lmza_fb HotFolder, Server 8 Integer, 5-273 Change the value of LMZA fast bytes.
7-ZIP library specifies the following in their documentation:
-fb{N}: set number of fast bytes - [5, 273], default: 128
Default value was lowered to allow faster throughput per core and keep RAM requirements reasonable.
lmza_mf HotFolder, Server 1 0 (EMatchFinderTypeBT2), 1 (EMatchFinderTypeBT4) Set Match Finder. Default: bt4
7-ZIP library specifies the following in their documentation:
-mf{MF_ID}: set Match Finder. Default: bt4.
Default value was lowered to allow faster throughput per core and keep RAM requirements reasonable.
tc_masquerade_local_ssl.address Server false true, false Server switch to enable masquerade only if local, and only if SSL.
unlimited.core.filesystem.msab.readAheadBlocks Server 10 positive integer value When using the Azure Blob EFS provider, this value controls the maximum amount of data that will be pre-cached during sequential reads.
unlimited.core.filesystem.jclouds.readAheadBlocks Server 10 positive integer value When using the Dropbox, Google Cloud Storage, or Backblaze B2 EFS provider, this value controls maximum amount of data that will be pre-cached during sequential reads.
unlimited.core.filesystem.s3.maxReadAheadSize Server 20480000 positive integer value (bytes) When using the Amazon S3 EFS provider, this value controls the maximum amount of data that will be pre-cached during sequential reads.
unlimited.core.filesystem.s3.readAheadBlocks Server 10 positive integer value When using the Amazon S3 EFS provider, this value controls the number of blocks that will be pre-cached during sequential reads.
unlimited.core.filesystem.s3.usehttp Server false true, false When using the Amazon S3 EFS provider, setting this property to true will force the use of HTTP instead of the default HTTPS.
unlimited.core.filesystem.swift3.maxReadAheadSize Server 20480000 positive integer value (bytes) When using the Openstack Swift3 or Wasabi EFS providers, this value controls the maximum amount of data that will be pre-cached during sequential reads.
unlimited.core.filesystem.swift3.readAheadBlocks Server 10 positive integer value When using the Openstack Swift3 or Wasabi EFS providers, this value controls the number of blocks that will be pre-cached during sequential reads.
unlimited.core.filesystem.swift3.usehttp Server false true, false When using the OpenStack Swift3 EFS provider, setting this property to true will force the use of HTTP instead of the default HTTPS.
unlimited.core.io.ftptransfer.receive.bufsize HotFolder, Server 40960 Any positive integer value Use this value to control the size if the receive buffer (in bytes) for FTP transfers. This value also controls the size of storage write operations. Increasing this value may increase write performance, particularly when writing against object storage. This value should be kept in sync with the "unlimited.core.io.ftptransfer.transmit.bufsize" value on the transmit side of the FTP transfer.
unlimited.core.io.ftptransfer.transmit.bufsize HotFolder, Server 40960 Any positive integer value Use this value to control the size if the transmit buffer (in bytes) for FTP transfers. This value also controls the size of storage read operations. Increasing this value may increase read performance, particularly when reading object storage. This value should be kept in sync with the "unlimited.core.io.ftptransfer.receive.bufsize" value on the receive side of the FTP transfer.
unlimited.core.util.MD5.MAX_BUFFER_SIZE Server 4096000 Any positive integer value Use this value to control the size if the MD5 read buffer. A larger buffer may increase the speed of MD5 calculations, in particular when the file is located on a cloud storage backed EFS.
unlimited.fc.allowRestrictedCharacters All clients false true,false System property that allows filenames/paths to use characters restricted on windows.

Due to the fact you can never really know what OS is managing mounted network storage, we skip (and log the skip) file paths that would fail in windows.
unlimited.fc.blockBufferMultiplier Server 2 Any positive integer value Used in combination with unlimited.fc.blocksWrittenOutOfOrder. It controls the amount of block buffering. The amount of blocks buffered will be number of sender threads X this multiplier.
unlimited.fc.blocksWrittenOutOfOrder Server true true, false

Use this value to control how blocks are written to disk. If set to False, blocks will only be written in sequential order.

Warning: blocksWrittenOutOfOrder is considered a Labs feature as changing this value may have unexpected impact on other features. For example, setting this value to False will break congestion control.

unlimited.fc.database.maxActiveConnections Server, Central 8 Any non-zero integer value (negative or positive) Numerical value used to set the max number of active connections the internal SQL database can have. If no value is supplied then the default active connection amount of eight connections will be used. If a negative value is provided, the database will have no limit for active connections.
unlimited.fc.database.maxConnectionWaitTimeMillis Server, Central -1 Any non-zero long value (negative or positive) Numerical value used to set the amount of time that an idle database connection will wait for until it is exhausted. If no value is supplied then the default timeout value of -1 will be used. If a negative value is provided, then the database will never timeout an idle connection.
unlimited.fc.database.maxIdleConnections Server, Central 8 Any non-zero integer value (negative or positive) Numerical value used to set the max number of idle connections the internal SQL database can have. If no value is supplied then the default idle connection amount of eight connections will be used. If a negative value is provided, the database will have no limit for active connections.
unlimited.fc.delete_filesonly_after_transfer HotFolder false true, false When the HotFolder task uses the feature delete source files after transfer, it also normally removes the directory structure as well. This flag tells the HotFolder to maintain the source directory tree.
unlimited.fc.deployment.security.enforcement.strict All clients false true, false Strict SSL. This feature blocks SSL connections to the FileCatalyst server from being established if the server certificate is not trusted by your client. This feature is only applicable when SSL is enabled. When this is set to true on your client, the SSL certificate configured on the server must be trusted by your client. Your client must be stopped and restarted for this property to take effect.
unlimited.fc.deployment.security.enforcement.truststore All clients <not set> Path to truststore file Strict SSL - additional option. This setting is optional and only applicable when strict SSL is enabled. If you choose to provide a custom truststore file to assert the trust of the certificate you have configured in the server, you can specify the path to your truststore file with this property. If not set, the default truststore file provided by the your Java Runtime Environment is used. Your client must be stopped and restarted for this property to take effect.
unlimited.fc.diagnostics.captureHeapOnShutdown All false true, false This is an optional value that will generate a diagnostic when the application is shut down..
unlimited.fc.diagnostics.logSystemStats Server false true, false This will turn on system stats logging, logging cpu and memory useage on a one minute schedule, useful for troubleshooting.
unlimited.fc.diagnostics.maxOptionalFileSize All clients 200 Max size of logs pulled into diagnostics file in MB This is an optional value that can change the default maximum size of files pulled into the diagnostics zip file.
unlimited.fc.diagnostics.maxOptionalFileAge All clients 86400000 Max age of the last modified stamp on the file This is an optional value that can change the default maximum age of files pulled into the diagnostics zip file.
unlimited.fc.direct.disk_backed HotFolder, Server false true, false When performing transfers of very large file sets, the data must be loaded into memory. A 4GB heap can handle roughly 3 million files. In cases where increasing memory is not an option, setting this option to true will move the data structures to disk to save memory. In this case even a small heap is able to handled very large numbers of files. This will incur a performance hit because values must be retrieved from disk instead of memory.
unlimited.fc.direct.forceClientSideFilter HotFolder false true, false Isolated case where server-side filtering (downloads) was not working for customer. This switch brings back older behaviour of Server returning entire remote file list and forces client to then filter through the files it needs.
unlimited.fc.direct.httpUsePortsOutsideRange Server false true, false FileCatalyst HTTP transfers may use up TCP ports in the server port range quickly, leaving the server starved for ports, and preventing new transfers from taking place until the ports are released by the OS (up to 240 seconds on Windows). By setting this property to true, when connections to the server are via the HTTP servlet running inside the server, it will use ports outside the port range.
unlimited.fc.direct.udp_receive_timeout HotFolder, Server 60 integer value 60 or larger in seconds By default, the application will wait 60 seconds waiting for packets to be received before declaring that packets are being blocked by a firewall or network has dropped. This values allows someone to increase it beyond 60 seconds. Values below the default 60 seconds are discarded.
unlimited.fc.direct.useCreateTimeForFilter HotFolder, Server false true, false This feature works with the "Transfer files older/newer than" feature on the HotFolder task "File Set" tab. When this feature is enabled, the filter will use the creation time rather than the modified time when comparing and deciding if a file should be transferred.

If you are doing downloads, this property needs to be added to the Server (since filtering happens server side when it is getting the list of files to download). For uploads it needs to be added to the HotFolder.
unlimited.fc.direct_mem.disabled All false true, false Forces application to create regular byte buffers instead of direct memory byte buffers. Performance may degrade when this is used, but is helpful when constrained by platform or memory limitations.
Java8 API description:
A byte buffer is either direct or non-direct. Given a direct byte buffer, the Java virtual machine will make a best effort to perform native I/O operations directly upon it. That is, it will attempt to avoid copying the buffer's content to (or from) an intermediate buffer before (or after) each invocation of one of the underlying operating system's native I/O operations.
unlimited.fc.direct_tcp_keepalive HotFolder Varies on JVM true, false Triggers the Java Socket SO_KEEPALIVE value for the client control channel.
Java8 API description:
When the keepalive option is set for a TCP socket and no data has been exchanged across the socket in either direction for 2 hours (NOTE: the actual value is implementation dependent), TCP automatically sends a keepalive probe to the peer. This probe is a TCP segment to which the peer must respond. One of three responses is expected: 1. The peer responds with the expected ACK. The application is not notified (since everything is OK). TCP will send another probe following another 2 hours of inactivity. 2. The peer responds with an RST, which tells the local TCP that the peer host has crashed and rebooted. The socket is closed. 3. There is no response from the peer. The socket is closed. The purpose of this option is to detect if the peer host crashes. Valid only for TCP socket: SocketImpl
unlimited.fc.disableGlobalByteBufferPool Server, HotFolder false true, false Disables use of a global byte buffer pool in the application.
unlimited.fc.disableMD5OnTheFly HotFolder, Server false true, false By default, during UDP transfers, FileCatalyst will verify each block using MD5. Value needs to be set in the product doing the transmitting (ie: Server for downloads, HotFolder for uploads). To disable this option set this property to true and restart the product.
unlimited.fc.doFullMD5WhenReconnected HotFolder false true, false If set to true, when doing a progressive transfer, if the connection is lost, upon reconnection the entire destination file will be verified using MD5 before attempting to append.
unlimited.fc.doMD5onProgressiveAppend HotFolder false true, false If set to true, when doing a progressive transfer, for each append the previous block will be verified using MD5 to ensure integrity. If set to false, this check is only performed if the connection was lost.
unlimited.fc.enable_delete_temp_file_thread Server true true, false FileCatalyst Server will periodically scan user home directories for temporary files and clean up any that are no longer needed. Setting this property to false will disable this feature. This includes files with the following extensions: .fctmp, .fczip, .fcsigs, and .fcdeltas.

Note: User home directories that are backed by EFS storage are not scanned for performance reasons.

unlimited.fc.fastio.disable_attribute_cache HotFolder, Server false true, false FileCatalyst caches recently accessed file attributes (size, modification time, etc) to speed up file system performance. Disabling this value may slow down directory listings on larger structures, but will ensure that we hit the native file system directly rather then rely on cached metadata.
This setting may be toggled if the HotFolder is not picking up file changes fast enough for frequently executed tasks (less than 30 minutes).
unlimited.fc.fastio.max_cache_age HotFolder, Server 120000 integer, age of cache in ms FileCatalyst caches recently accessed file attributes (size, modification time, etc) to speed up file system performance. This value determines the length of time the cached value is stored before expiring it.
The default value of 2 minutes (120000 ms).
unlimited.fc.follow_symlinks Server false true, false If this value is set to true, the server will follow symbolic links instead of ignoring them. This does not prevent access to files outside of the users home directory and files may end up being pulled from outside of the user's sandbox. This was previously called unlimited.fc.allow_symlink_download and this label is backwards compatible.
unlimited.fc.force.ownership_throw_on_error Server, HotFolder, TransferAgent, Command Line true true, false If this value is set to true, the force file ownership feature will cause all failed force file ownership operations to mark the transfer as a failure. If the value is set to false, then failed force file ownership operations will be logged, but the file will continue to transfer as normal. When the transfer completes, the destination file will have the same user ownership of the FileCatalyst application.
unlimited.fc.globalMD5RateLimit 0 Integer value for rate in Kbps, i.e. 10000 When set, all MD5 checks will be limited in speed to the specified rate. Default is 0 (no limit).
unlimited.fc.hideWelcomeMessageVersionString Server false true, false If set to true, FileCatalyst Server will not return a version string in its welcome message. Instead the version string is returned as part of the reply to the SYST command. Note that if this option is enabled, only FileCatalyst clients v3.6 and higher will be able to connect.
unlimited.fc.idleBandwidthShareRatio HotFolder 4 1-99 Value indicates 1/n bandwidth that idle clients will be given compared to active clients. Setting to a lower value (i.e. 1/20) may slow down transfers which toggle between states (moving from idle to active will not receive any new bandwidth until the next bandwidth reallocation broadcast every second). Should only be used to fine tune for optimal performance.
unlimited.fc.iptos_tcp HotFolder, Server 0 An integer value between 0 and 255 inclusive Sets the DSCP traffic class or type-of-service octet in the IP header for packets sent using TCP sockets in FileCatalyst. As the underlying network implementation may ignore this value, it should only be considered a hint to the OS.
unlimited.fc.iptos_udp HotFolder, Server 0 An integer value between 0 and 255 inclusive Sets the DSCP traffic class or type-of-service octet in the IP header for packets sent using UDP sockets in FileCatalyst. As the underlying network implementation may ignore this value, it should only be considered a hint to the OS.
unlimited.fc.log_file_listing_growth All 20000 Integer value Used by application for logging progress of large sorts of data items. By default, the application will output logs every 20000 items during filtering or sorting of larger directory structure. This value may be tuned up or down as needed.
unlimited.fc.maintain_uid_gid Server, HotFolder, CommandLine and Transfer Agent false true, false When set, use UID/GID rather than user name/group name. This will require the property to be set on the client side for uploads, and the server side for downloads. It is recommended to set the property on both sides to make it work for both upload and download.
unlimited.fc.no_so_linger HotFolder, Server false true, false Force to not use SO_LINGER property on the socket. Setting to true will remove the SO_LINGER.
Java8 API description
unlimited.fc.output_timestamp All clients false true, false Run-time flag for logging statistic measurements in CLI. Timestamp will reflect transfer time and remove setup time, and will spit out to System.out string value containing transfer time in seconds.
unlimited.fc.packetlossThreshold HotFolder, Server 2 Integer, 2-10000 Advanced setting for congestion control. Indicates how many packets may be skipped (gotten out of sequence) before the congestion control considers it a packet loss event.
unlimited.fc.postURL.encodeAllPathsParameter HotFolder, TransferAgent, Server false true, false A system property that allows the FileCatalyst application to URL encode the "allFiles" parameter that is sent to web applications when performing HTTP based Post URL operations. If the value is set to false, the "allFiles" parameter will be non-encoded and will contain the raw text of all files that were transferred. If the value is set to true, each file in the "allFiles" parameter will be URL encoded in the same manner as the remote paths and local paths parameters.
unlimited.fc.preallocation HotFolder, Server false true, false FileCatalyst does not pre-allocate files to their full size when transferring. It relies on the underlying file system to optimize file write operations. If you wish to pre-allocation the entire file, set this value to true.
unlimited.fc.progressiveDelayBeforeAppending HotFolder 0 Delay value, in seconds When performing a progressive transfer, if this value is set, after each progressive append the transfer will delay X seconds to allow more growth before continuing with another append.
unlimited.fc.showHiddenFiles HotFolder, Server, Transfer Agent,Express false true, false FileCatalyst has the ability to toggle hidden files as a system property so that customers can modify behaviour based on their needs. By default, value is set to false (we hide hidden files).
unlimited.fc.udpbuffersize HotFolder, Server 32768000 (default 8388608 if AIX detected) Integer value, in bytes Sets the UDP socket buffer for sender/receiver, in bytes.
Java8 API description ReceiveBufferSize
Java8 API description SendBufferSize
Value is normally overridden by operating system settings to be smaller. IBM JVM on AIX only allows buffer sizes of 1MB, 4MB, and 8MB. It is important to match these up with values on the OS level.
See support knowledge base article for details.
unlimited.fc.use.fast.md5 Server, HotFolder, Central, TransferAgent true true,false When attempting to verify the integrity of a given transfer, an MD5 checksum is calculated for both the source and destination files. If this property is enabled when the MD5 is generated, the application will use an MD5 implementation that is usually much faster than standard Java-based implementations. If this property is disabled when the MD5 is created, then a slower MD5 generation algorithm will be used to generate the MD5 checksums.
unlimited.fc.verifySizeAfterTransfer HotFolder false true, false If set to true, upon completion of a transfer, the size of the source and destination file will be compared. The transfer will fail if the size does not match.
unlimited.fc.waitForSourceFileToBeStatic HotFolder 0 Integer, time value in seconds This value if set, will not transfer a file unless it has been static for up to X seconds. Must also set "unlimited.fc.waitForSourceFileToBeStaticFilter" for this feature to work.
unlimited.fc.waitForSourceFileToBeStaticFilter HotFolder blank String value of file filter, i.e. *.mxf When set, will apply the "unlimited.fc.waitForSourceFileToBeStatic" only to files that match the specified include filter. This is GLOBAL, meaning it affects all tasks. Default is blank. If the Hotfolders "Wait for file growth to cease" feature is being used in a task, using the same file filters in this feature would cause the matched files to wait the sum of both configured delays.

4 Security Settings

Main Security Page

4.a Enable Implicit SSL

By default, FileCatalyst server establishes a clear text channel to communicate commands with connected client programs. If you are using a password for authentication, or if policy dictates that this type of communication must be secure, you must enable SSL on the Control Connection. When enabled, FileCatalyst will use the specified certificate (see SSL Certificate Settings) to encrypt all commands and replies that are sent through the Control Connection.

Enabling Security will also ensure all admin sessions are created using SSL.

To enable a secure channel, go to the "Advanced" tab and check "Secure Server Port". If security has not previously been set up on the system, click the "Configure Security" text and step through enabling security for the application.

In order to connect from a 3rd party FTP client, you must set the connection mode to FTPS/Implicit.

4.b Enable AES

If procedure dictates that all data be encrypted, you must enable the AES option for the Data connection. When enabled, FileCatalyst will use AES encryption to ensure that, in the unlikely event that data was intercepted, it is useless to everyone except the intended recipient.

The strength of the encryption can be adjusted in the config file (fcconf.conf) to 128, 192, or 256 bit. The higher the encryption strength, the higher the overhead, and subsequently the lower the attainable transfer speed will be. It is recommended that unless policy dictates a higher strength, that users keep the default value of 128 to achieve the best balance of security and performance.

4.c SSL Certificate Settings

When "Enable SSL" is selected, you must specify a certificate to be used to encrypt the control connection:

Certificate File

This is the path to the SSL certificate stored in PEM format (*.pem).

Private Key File

This is the path to the private key file for the selected certificate stored in PVK format (*.pvk).

Password

This is the password for the selected private key.

New Certificate

New Cert Wizard

FileCatalyst provides a convenient SSL Certificate Generation wizard that, in the event you do not already have a certificate issued from a 3rd party such as Verisign or Thawte, allows you to create your own "self-signed" certificate. Please see help section for "SSL Certificate Generation Wizard" for more details.

Online instructions for converting .crt files into PEM files are available: http://conshell.net/wiki/index.php/Keytool_to_OpenSSL_Conversion_tips.

Mode details on installing SSL certificates are available: https://support.filecatalyst.com/index.php?/Knowledgebase/Article/View/293/0/how-to-install-a-ssl-certificate-into-a-filecatalyst-server.

View Certificate

New Cert Wizard

This option allows you to view the details of the currently selected SSL certificate.

4.d SSL Cipher Restrictions

FileCatalyst Server allows the selection of specific SSL ciphers which are considered appropriate for encrypted communication. By default, the entire Java SSL/TLS set is utilized. To modify the default values (example: enforce a minimum 128-bit encryption cipher), manual configurations may applied to fcconf.conf.

The following steps illustrate how to configure so that only strong ciphers are utilized:

  1. Enable SSL on the FileCatalyst Server: Follow the example provided in section 4.0. The option "Enable Implicit SSL" must be selected, and SSL must be properly functioning before restricting enabled ciphers.
  2. Shutdown FileCatalyst Server: As this is a manual fcconf.conf file modification, the server must be shutdown before changes can be made to the server.
  3. Restrict the Cipher List: The following lines should be added onto the fcconf.conf file to restrict ciphers:
    ## SSL Cipher restriction
    # By default, accepted SSL ciphers are specified as part of the standard Java JRE.
    # These can be modified to exclude less secure ciphers.
    FCServer.server.config.ssl.restrict.ciphers=true 
  4. Restart the Server & Verify Logs for Supported Ciphers: Because there is no specific cipher list defined yet in fcconf.conf, the server will recognize the lack of allowed encryption algorithm and immediately shut down. By examining the server logs, the complete list of supported ciphers for the platform is listed. The following is an example captured using Amazon Corretto OpenJDK version 1.8.0_242 on Windows Server 2019 Standard.
    Thu Mar 26 14:34:03 EDT 2020 - System: Windows Server 2019 10.0 amd64 - Java(tm) OpenJDK 64-Bit Server VM 1.8.0_242
    Thu Mar 26 14:34:04 EDT 2020 - Waiting for SSL Context to initialize...
    Thu Mar 26 14:34:04 EDT 2020 - SSL Context initialized.
    Thu Mar 26 14:34:04 EDT 2020 - No ciphers listed are currently supported by the JVM.  Please revise the allowable ciphers in the configuration.
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (0) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (1) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (2) TLS_RSA_WITH_AES_256_CBC_SHA256
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (3) TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (4) TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (5) TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (6) TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (7) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (8) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (9) TLS_RSA_WITH_AES_256_CBC_SHA
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (10) TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (11) TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (12) TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (13) TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (14) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (15) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (16) TLS_RSA_WITH_AES_128_CBC_SHA256
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (17) TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (18) TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (19) TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (20) TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (21) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (22) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (23) TLS_RSA_WITH_AES_128_CBC_SHA
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (24) TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (25) TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (26) TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (27) TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (28) TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (29) TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (30) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (31) TLS_RSA_WITH_AES_256_GCM_SHA384
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (32) TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (33) TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (34) TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (35) TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (36) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (37) TLS_RSA_WITH_AES_128_GCM_SHA256
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (38) TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (39) TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (40) TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (41) TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (42) TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (43) TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (44) SSL_RSA_WITH_3DES_EDE_CBC_SHA
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (45) TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (46) TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (47) SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (48) SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (49) TLS_EMPTY_RENEGOTIATION_INFO_SCSV
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (50) TLS_KRB5_WITH_3DES_EDE_CBC_SHA
    Thu Mar 26 14:34:04 EDT 2020 - Available SSL cipher supported by JVM: (51) TLS_KRB5_WITH_3DES_EDE_CBC_MD5
    Thu Mar 26 14:34:04 EDT 2020 - null
    Thu Mar 26 14:34:04 EDT 2020 - Server can not start Admin server on port 12400 cannot create SSL server socket. Shutting down.
    Thu Mar 26 14:34:04 EDT 2020 - Server shutting down
    
  5. Enable Cipher List on the Server: There are multiple on-line forums describing the exact makeup of each cipher. In the case where only strong ciphers are required (encryption levels >= 128 bit), the following lines are entered into fcconf.conf. Only these specific ciphers will be used by the application server socket. If clients connecting does not have a match, the connection will be logged and dropped.
    # If the restrict.cipher == true, you must supply a list of acceptable ciphers
    # the application can utilize when opening up SSL server sockets.
    # Each cipher listed should have a unique number assigned (start with ".00"), with the preferred
    # cipher set to the lowest numerical value.
    FCServer.server.config.ssl.allowed.ciphers.00=SSL_RSA_WITH_RC4_128_MD5
    FCServer.server.config.ssl.allowed.ciphers.01=SSL_RSA_WITH_RC4_128_SHA
    FCServer.server.config.ssl.allowed.ciphers.02=TLS_RSA_WITH_AES_128_CBC_SHA
    FCServer.server.config.ssl.allowed.ciphers.03=TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    FCServer.server.config.ssl.allowed.ciphers.04=TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    FCServer.server.config.ssl.allowed.ciphers.05=SSL_RSA_WITH_3DES_EDE_CBC_SHA
    FCServer.server.config.ssl.allowed.ciphers.06=SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    FCServer.server.config.ssl.allowed.ciphers.07=SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  6. Restart the Server and Verify Server Logs If SSL ciphers are restricted, server logs provide a list of ciphers enabled.
    Mon Sep 21 15:23:44 EDT 2009 - Initializing SSL Administrative Socket on port 12400
    Mon Sep 21 15:23:45 EDT 2009 - SSL ciphers restricted by configuration.
    Mon Sep 21 15:23:45 EDT 2009 - SSL cipher enabled: (0) SSL_RSA_WITH_RC4_128_MD5
    Mon Sep 21 15:23:45 EDT 2009 - SSL cipher enabled: (1) SSL_RSA_WITH_RC4_128_SHA
    Mon Sep 21 15:23:45 EDT 2009 - SSL cipher enabled: (2) TLS_RSA_WITH_AES_128_CBC_SHA
    Mon Sep 21 15:23:45 EDT 2009 - SSL cipher enabled: (3) TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    Mon Sep 21 15:23:45 EDT 2009 - SSL cipher enabled: (4) TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    Mon Sep 21 15:23:45 EDT 2009 - SSL cipher enabled: (5) SSL_RSA_WITH_3DES_EDE_CBC_SHA
    Mon Sep 21 15:23:45 EDT 2009 - SSL cipher enabled: (6) SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    Mon Sep 21 15:23:45 EDT 2009 - SSL cipher enabled: (7) SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

4.e Setting Encryption Method

In order to help keep sensitive configuration information secure, the application encodes data in the settings files. The default setting may be overridden to use either a salted AES or a salted DES encryption. To set the value, you must edit your fcconf.conf file. Find the line:

FCServer.server.config.encoding.format=DEFAULT

Changing the value of this setting to AES, DES, or DEFAULT will cause all encoded values to be re-encoded and saved with the new algorithm. If you are upgrading from a version where encoding did not take place, these values will be encoded and saved.

The default settings are:

FCServer.server.config.deployment.security.defaultTransport=TLSv1.3
FCServer.server.config.deployment.security.SSLv2Hello=false
FCServer.server.config.deployment.security.SSLv3=false
FCServer.server.config.deployment.security.TLSv1=false
FCServer.server.config.deployment.security.TLSv1.1=false
FCServer.server.config.deployment.security.TLSv1.2=true
FCServer.server.config.deployment.security.TLSv1.3=true

Supported protocols include:

  • SSLv2Hello
  • SSLv3
  • TLSv1
  • TLSv1.1
  • TLSv1.2
  • TLSv1.3

4.f Remote Access via Encrypted Protocols

If you are accessing the server using a remote admin, that application must have access to an FCConf.conf file that contains the protocol information. On Windows and Linux, this is the install directory and if you are running the admin that was installed with the server no file creation is necessary. If you are running the server as a service on OS X, you will need to copy the fcconf.conf file from

/Library/Application Support/FileCatalyst/Server

to

/Users/User/Library/Application Support/FileCatalyst/Server

Note that these settings must also be provided for other clients, such as the HotFolder, so that they can access the server.

4.g FileCatalyst Reverse Proxy

FileCatalyst Reverse Proxy allows a FileCatalyst Server to be completely isolated behind a firewall, with no incoming ports open and still be accessible to FileCatalyst Client applications. Documentation for the FileCatalyst Reverse Proxy is available for download.

Note that the link to the FileCatalyst Reverse Proxy documentation will require login credentials. Please log into the Support Portal (http://support.filecatalyst.com/) and click the Get Download Password Button. If you do not see the Get Download Password Button please submit a ticket to the Support Team.

5 SSL Certificate Generation Wizard

5.a Certificate Information

Security Wizard Step 1

This step allows you to enter information about your organization and will be stored in the generated certificate.

Note: The Common name is generally the domain name on which FileCatalyst server will be running. For example, if the server is located at filecatalyst.mycompany.com then set common name to ‘filecatalyst.mycompany.com’.

5.b Key Length

Security Wizard Step 1

The key length allows you to specify the encryption strength that will be used to generate the SSL certificate. The higher the strength the more secure your data will be. However keep in mind that higher strength encryption will also lower performance.

5.c Certificate Name and Save Location

Security Wizard Step 1

The certificate name specifies the filename under which the certificate will be stored. For example if you specify ‘mycert’ as the certificate name, the files will be stored as ‘mycert.pem’ (certificate file) and ‘mycert.key’ (the private key file).

When specifying a password for your certificate, please record the password and store it in a safe place. Without the password your certificate is useless and must be re-created. Passwords may not be the same as the certificate name.

You must select a location to store your certificate files. Please make note of this location as you will need it to select the newly created certificate on the Security Settings panel of FileCatalyst.

6 IP Filters

IP Filters provide a method of protecting your server from attacks or malicious users. Servers can be pre configured to allow or deny all IPs by default, and then provide exceptions to the default rules. If Allow is enabled, any IP's on the allow list will take precedence over the Denied list. If Deny is enabled, items in the deny list take precedence over the allow list.

IP Filters Main Screen

6.a Enable IP Filters

To enable IP filters, this box must be checked. If left unchecked, any filters applied (including the default apply/deny rule) will be ignored and all requests will be allowed.

6.b Allowed IP List

The allowed IP list indicates the IP's that should always be allowed access to the server, regardless of the default mode. In the case that an IP is found in both the Allowed AND Deny Lists, the rules of precedence described above will take place.

6.c Denied IP List

The denied IP list indicates the IP's that should always be denied access to the server, regardless of the default mode. In the case that an IP is found in both the Allowed AND Deny Lists, the rules of precedence described above will take place.

6.d IP Ranges and Wildcards

IP rules support both wildcards and ranges. For example:

  • 192.168.1.1 (only this specific IP should be affected by the rule)
  • 192.168.1-100.1 (all IPs starting with 192.168, followed by any value within the range of 1-100, followed by a 1 should be affected by this rule)
  • 192.168.*.* (any IP starting with 192.168 should be affected by this rule)

6.e IP Filters XML Schema

The IP Filters XML file (ipfilters.xml) describes the status (enabled/disabled) of the IP Filters mechanism, as well as the default rule (allow/deny) and any other rules defined.

<?xml version="1.0" encoding="UTF-8"?>

<!-- Root Element in the XML Representing The Access Restrictions
and their current status (enabled=true/false) -->
<AccessRestrictions Enabled="true">

<!-- Denotes the value of the default rule (Allow/Deny) -->
<DefaultRule AllowDeny="Allow"/>

<!-- Denotes the start of the rules for this server -->
<Rules>

<!-- Rules describing specific IPs or ranges that are always permitted to access the server -->
<Allow IP="127.0.0.1" />
<Allow IP="192.168.*.*" />

<!-- Rules describing specific IPs or ranges that are always denied from access the server -->
<Deny IP="147.1-100.*.*" />

</Rules>

</AccessRestrictions>

7 Email Settings

7.a SMTP Settings

Administrator Email

Enter the administrator's email address, or the email address in which you wish to send transfer notifications to.

Server Type Selection

FileCatalyst Direct now supports the ability to configure OAUTH2-based authentication for customers who use email servers that do not support basic SMTP connections has been added. To support authentication that does not require user interaction (also known as 2-leg authentication), we use a client credential flow within our applications.

You can select standard SMTP, Google's Gmail or Microsoft's Azure/Office 365.

Prerequisite: FileCatalyst Direct version 3.8.7 or later

SMTP Server

The hostname of your outgoing mail (SMTP) server.

Port

The port which the SMTP server is running on. Typically port 25.

Enable Authentication

If your SMTP server requires authentication, check this box and complete the username and password fields.

Username

If your server requires authentication to send mail, then enter the username provided by your system administrator.

Password

If your server requires authentication to send mail, then enter the password provided by your system administrator.

Use SSL

If your server requires SSL to send mail, then check this box

  • Note: If you enable this option and are not properly connecting to an SSL port on the SMTP Server then you will an encounter error stating "Unknown SSL message, plaintext connection?". If you see this message, de-select the use SSL option and then retest your SMTP settings.

7.b GMAIL OAUTH Settings

Gmail Account

The Gmail address associated with the account that will be responsible for sending the emails.

Certificate File

This file was generated by Google and is used to help google identify that this user has permission to send email.

To configure for Gmail and generate this file, you will need to enable access to Google's APIs for Service Accounts. You can find instructions for setting this up here:

https://developers.google.com/identity/protocols/oauth2/service-account

As noted in this instructions document, you will create and download a certificate file which will contain your service account key. This is the Certificate File that is referenced in the Gmail settings. This information cannot be recovered and must be regenerated if lost.

7.c Microsoft OAUTH Settings

Office 365 Account

This is the account for the user that will be sending the emails.

Client ID

This is the Client ID for the application on the Microsoft Exchange Service that has permission to send emails.

Client Secret

This is the Client Secret that was created to identify this application to the client.

Tenant ID

This is the tennant where the Microsoft Exchange Service is hosted.

To configure for the Microsoft Exchange Service, the administrator of the service must create a Service/Daemon app.

Instructions for registering an app suitable for a ClientCredentials flow can be found here:

https://learn.microsoft.com/en-us/graph/auth-register-app-v2

This will allow you to retrieve the values needed. You will also need to make sure that you generate a client secret. This value must be saved when generated as it cannot be retrieved later, and new value would need to be generated.

Once the application has been registered, then it needs to have Microsoft Graph Mail.Send API Permission added. It is important to add this permission as the Application Type.

7.d Enable Email Alerts

If this is enabled and the user specifies on their side (i.e. from the client application) to send alerts, then email will be sent to the address provided. Note that some SMTP servers have rules in place that may limit the recipient email address to a certain domain name. If you encounter issues configuring these settings please contact the administrator of your SMTP server.

Alert E-mail Subject

Enter the subject that you would like all email alerts to have. The default subject for alert emails is "FileCatalyst Transfer Notification"

Send emails 'From' Admin email

This option determines who will receive email alerts once a transfer has finished. If this option is unchecked, all email alerts will sent to the email address specified within the Admin email text area. If the option is checked, all email alerts will be sent from the specifed admin email to the client's email address

Additionally, email notifications will be sent daily if the license is going to expire or if more than 5% of incoming connections are being rejected due to exceeding the licensed limit.

8 Administration Settings

8.a Configuration

Connection Port

Specifies the port which the remote administration tool will use to connect to the FileCatalyst Server (default: 12400).

Enable Remote Connections

Specifies whether or not to allow computers other than “localhost” to connect to the FileCatalyst Server. This value cannot be set until a username has been specified and password has been set for the Remote Admin. Enabling Remote Connections will set the passwords their default values: "system" for the Admin and "rsystem" for the Read Only Admin. Disabling Remote Connections will clear any set passwords.

Enable HTTP Remote Administration

Specifies whether or not to allow computers other than “localhost” to connect to the FileCatalyst Server through HTTP connections. If disabled, all non-local HTTP connections and REST services to the FileCatalyst Server will be rejected.

Force authentication for localhost

Specifies whether or not to force localhost administration connections to authenticate (adminuser/password), or to allow connections through as they already have physical access to the machine.

Expected behavior on a Windows machine is to set this value to false. It implies that when you start the server, the administration console will come up as expected and you can immediately configure and monitor the FileCatalyst Server.

On a Linux/UNIX environment however, client-side remote access is often granted onto a server via SSH or VNC. In order to lock down configuration from regular users, it is desirable to select this feature and limit access.

Read-Only Administrator Account

Provides an optional administrator account that is used only to monitor the server but not apply any settings. When this user connects, all configuration options are hidden, while all activity and monitoring tools are available.

8.b Using FileCatalyst Server Admin

FileCatalyst Server is managed through a remote protocol and server interface. This allows the flexibility of being able to manage your server, from anywhere, at anytime. You will use the FileCatalyst Server Admin tool (included in the FileCatalyst Server installer for Windows, and available as a separate download) for either of these scenarios:

  1. Accessing FileCatalyst Server from a remote computer; for example, over the Internet or over a LAN.
  2. From the local machine, while FileCatalyst Server is running as a service or is otherwise 'headless' (no GUI)

Once connected, the administrator is presented with the standard server administration GUI.

Logging In

With no sites defined, the tool is used to log into an instance of FileCatalyst Server running on “localhost” (ex. FileCatalyst Server running as a service on the same physical machine). However, to create a remote connection you must first define a site with the Connection Manager (see below). Once defined, select the server from the drop down, enter a username and password, and click “Login”

Using Active Directory

The remote administrator may authenticate using an Active Directory; however, this option must be enabled and configured through the fcconf.conf configuration file, located in the FileCatalyst Server install path. To enable, first locate the configuration parameter FCServer.server.config.admin.auth= and add the value "ActiveDirectory".

Next, the configuration values must be set by uncommenting the selection of FCServer.server.config.LDAP.AD parameters (found next in the conf file) and setting appropriate values. Once both steps are done, a resulting configuration section might look like the following example:

FCServer.server.config.admin.auth=ActiveDirectory files
FCServer.server.config.LDAP.AD.url=ldaps://127.0.0.1
FCServer.server.config.LDAP.AD.port=636
FCServer.server.config.LDAP.AD.context.00=SECURITY_PRINCIPAL=MYDOMAIN\\{userinput}SEARCH_FILTER=(&(sAMAccountName={userinput}))SEARCH_BASE=dc=myCompanyName,dc=comSECURITY_GROUPS=FCUSERS

Connection Manager

After clicking ‘Manage’, the connection manager allows you to define connection information for various FileCatalyst servers. The “localhost” account is created by default, and is for connecting to a server running on the same machine. To define a new site, simply click add new site, then fill out the required information (site name, host, and port (default 12400)).

Click “Close” to save the site.

8.c Connections

The “Connections” tab allows you to see the connections into the FileCatalyst Server from remote administration tools such as the Remote Server Admin, Remote Server Applet, or Server API.

The ‘Connection Type’ column shows that each connection is one of:

  1. ‘CONTROL’ connections sent commands to the server
  2. ‘STATUS’ connections retrieve user and admin status updates from the server
  3. ‘LOG’ connections retrieve administrative log output from the server

Right-clicking the table permits closing remote admin connections. Remote admin connections (such as the Server GUI) may reconnect.

8.d Administration Filters

FileCatalyst Server has the ability filter IPs for remote administration connections. This works similar to the User IP Filters, which allow you to designate a default behavior (i.e. DENY all connections) and then apply a filter to allow specific IP addresses or ranges that are allowed access.

Administrators trying to connect from a blocked IP address will be notified they have been blocked by IP Filters.

9 HTTP Settings

HTTP Access

FileCatalyst Server allows the application to administered through Internet access. To fully enable this access, visit the Administration panel and check “Enable Remote Connections”. The specified Connection Port and Web Port must be opened on the firewall if one is in place.

Enable HTTP Transfers

Allows FileCatalyst Clients to transfer data to the server via the embedded HTTP Servlet.

Allows FileCatalyst Clients access to the Link functionality if this option is selected

Use SSL

Enabling SSL will force all browser requests to the configured web port to go through an SSL socket.

HTTP Config

  • The IP format can be chosen from the drop-down depending on whether the administration URL will be used internally or externally.
    • Note: If the bind all interface option is selected, FileCatalyst Server will listen to all IP formats that are present within the drop-down window. If the option is disabled, the FileCatalyst Server will only listen to requests to the currently selected IP format.

  • Web Port may be changed to any valid and available port.
  • Webroot: This URL serves as the entry point for web applications hosted by the server.

    Webroot

    The 'Manage Application' button leads to FileCatalyst Server's Web Administration tool. A detailed explanation on how to use the Web Administration tool can be found here

    The 'Transfer Files' button opens additional options for browser- and TransferAgent-based transfers to and from the FileCatalyst Server

  • Servlet: This URL is used by FileCatalyst client software in order to establish HTTP-based transfers. Directly accessing it will show a status page.

  • Link: This URL is the entry point to the FileCatalyst Link application described in this section: Link Settings.

  • Note: When IP Masquerade is enabled, all access links will be updated to use the masquerade address. There will be also be a new notification that informs you of the changes that have been made the access links. Here is an example of what the access links may look like when IP Masquerade is enabled.

    accessLinksMasquerade

9.b Enabling AJP Connector

To enable the AJP Connector, check the appropriate box.

On their own, IIS or Apache cannot serve Java based applications. AJP (Apache JServ Protocol) allows the FileCatalyst Embedded Web server to be integrated with a 3rd party web server like IIS or Apache. The 3rd party web server may then proxy requests to the FileCatalyst server without the need to open additional ports on the firewall. It also allows the HTTP server in FileCatalyst to take advantage of any pre-existing SSL encryption that might exist on the web server.

The following documents explain how to integrate IIS and Apache with the Tomcat web server; the process is identical to integration with FileCatalyst.

Note that enabling AJP access will block direct access to HTTP on the server. All access must go through the AJP provider. This includes but is not limited to the HTML UI, the applets, the servlet, REST services, Link, the Server Upload Form and the help documentation. Links in the UI will not work.

9.c HTTP Uploads with HTTP Servlet

In order to use HTTP Servlet to upload files, HTTP transfers should be enabled first (see section Enabling HTTP Access).

The user can find the HTTP Upload tool via the splash page found at the web root (see image below). The user must click "Transfer Files", followed by "Upload (HTTP)".

Clicking on the "Upload (HTTP)" button will take the user to a login page where user must provide valid credentials associated with a user that exists on FileCatalyst Server. Once the user is authenticated, they can either browse files from local file system or drop files into the upload area and upload files into their home directory:

If the transfer is successful, has errors, or is cancelled, the user will be redirected to new page. Pictured below is the redirect from a successful file transfer:

The redirect pages are configurable. The file config.js can be edited to provide redirect URLs for transfer error, success, and cancelation events using "errorurl", "succesurl", and "cancelurl" respectively. To customize, simply replace the defaults with your own valid paths to custom files.

The config.js file provides several other configuration options. A detailed explanation of each field is provided here.

9.d Enabling Cross-Origin Resource Sharing (CORS) for HTTP Servlet

By default, the HTTP Servlet is not set up to respond to requests that come from web pages served from a origin different from its own. The HTTP upload tool does not need the HTTP Servlet to respond to Cross-Origin requests because the HTTP Servlet and the HTTP upload tool are both hosted on the same WebServer (ie. they share the same origin). However, If the HTTP upload tool is being integrated into another web application as described here, the HTTP Servlet would need to be able to respond to Cross-Origin requests.

The configuration file trustedorigins.xml is used to define the origins that are trusted by HTTP Servlet and allowed to make requests to the HTTP Servlet to transfer files. More specifically, the URL entered for an origin tag (<origin>) is a trusted origin. Add as many trusted origins as required, where each origin contains one unique entry. Alternatively, to allow the HTTP Servlet to trust any origin, enter an origin tag with the value set to '*'.

Restart the server after modifying the trustedorigins.xml file for the changes to take effect.

For instance, if the HTTP upload tool is deployed on a web application at  http://filecatalyst.com/httpupload/  then http://filecatalyst.com  must be added to the trusted origin list.

9.e A Note About Licensing And The HTTP Servlet

Un-Licensed, The following restrictions apply:
  • Personal, or developmental use only. All others must buy a license.
  • Maximum 20 KB/s upload transfer rate
  • Maximum 20 KB/s download transfer rate
  • Maximum 2048 KB file size
  • Maximum 1 concurrent service request

To confirm if you are licensed for the HTTP Servlet, click on the Servlet link in the HTTP Settings tab as shown above.

10 Link Settings

10.a Overview

In an attempt to allow FileCatalyst clients a simple and easy method to send files to others, FileCatalyst provides clients with the ability create an email "link" that is sent out to a recipient list specified when the link is created. Upon receiving the link, the recipient will be able to open the email and activate the link by clicking on the URL specified within the email's content. Once a link is activated, a temporary user with no assigned home directory will be created on the server, and the recipient of the weblink will use this temporary user to access the files that are contained within the link. Temporary users created this way will automatically delete after the period of inactivity set by you in link settings

Note: If IP Masquerade is enabled, all Links that are sent out by FileCatalyst Server will have their access IP replaced with the current masquerade address. If both the IP Masquerade and Use Host Name For Links options are enabled, the hostname will be used over the IP Masquerade address

Additional documentation can be found at the following locations:

  • Link User Guide contains basic overview on how to use the software to create and download a link.

10.b Link Management

The link management tab allows you see all of the links that are currently stored within the server application. In addition, the table provided will allow you to view important information such as the link ID, which user created the link, how many times the link has been accessed by a client, the creation date of the link and the date the link expires on.

Note: When using FileCatalyst TransferAgent to download a Link, the "Link State" will be set to "COMPLETED" upon both full and partial downloads of the Link. When using HTTP Download, the state will only be set to "COMPLETED" when all files have been downloaded.

In addition to the details for each link, the table that is presented supports a collection of options that you might find useful. Right clicking on an entry within the table will present a pop up window where you will be able to chose if you would like to delete, resend, or view the link that you have selected. The link table also supports the ability to search for links matching a particular link ID or user name specified within a search window. To bring up this search window, simply select the menu item "Actions -- Find", or press "ctrl-f".

10.c Link Creation Settings

Allow Clients To Set Link Expiration Options

Enable this option to give client applications the ability to set an expiration time on links. When a client specifies an expiry, the time must be smaller than the value found within the "Number of days that links will be stored" configuration option.

Delete Links After First Successful Download

Enable this option to cause the Server to delete Links after they are successfully downloaded.

Note 1: This setting applies to all current Links for as long this option is enabled

Note 2: A Link is considered to be downloaded when all files in the Link have been downloaded. If one or more of the files in a Link aren't downloaded, and the "Delete Links After First Successful Download" option is selected, the Link will delete/expire as normal.

Note 3: This setting takes precedence over "Allow Clients To Set Link Expiration Options". If both settings are enabled, a client application may only create single-use Links, but is still allowed to set a custom expiry date as per the description for "Allow Clients To Set Link Expiration Options" above.

Number Of Days That Links Will Be Stored

The number of days that a created link will stored. By default the amount of days that links are stored within the server is 7. However you may change this value to any value that is between 1 day and 31 days.

Number Of Days For Failed Emails Will Be Stored

The number of days a failed email will be stored for retry. The default failed email retention value is 2 days; however, you may change this value to any value between 1 and 5 days.

Number Of Minutes That Pass Before Inactive Temporary Users Are Removed

The number of minutes an inactive temporary user will be stored within the server. The default value is 20 minutes; however, you may change this value to any value between 1 and 60 minutes.

Use Host Name For Links

Hostname may be used instead of IP to give links a friendlier appearance, as well as to allow both internal and external users to access the application. If you wish to use a hostname instead of IP, check this box and specify a hostname in the provided field (ie. somemachine.yourdomain.com instead of default IP value).

Note: To function properly, the hostname must be able to be resolved by the recipients of the links. This is typically done through appropriate DNS entries, but may also be accomplished by the user editing their system (ie. a "hosts" file).

Enable Service Image

Enable this option and provide a valid image file (JPG, PNG, or GIF) in order to show the image in Link emails, as well as on the Link Creation and Link Download pages. In Link emails, the image is shown at the top of the email content; on the Link pages it appears at the top-left corner of the page.

Note: Updating these settings will not affect emails that have already been sent.

Note 2: On the Link Creation and Link Download pages the logo is vertically limited by the height of the navigation bar and horizontally by 125px.

11 Reporting

11.a Overview

FileCatalyst provides defined reports that contain important information that is gathered during transfers. These reports are stored within a database located within the report location directory, and inside of that database, there are two kinds of reports.

The first of these reports are the file transfer data reports that contain a record for every individual file transfer that takes place. The reports are written at the end of each file transfer and contain important information such as file size, transfer time, mode, status, average rates, and destination addresses.

The second type of reports are the bandwidth reports which contain records that include the transmit and receive rate of a session at a given time. These reports also contain the username of the user transferring as well as a timestamp of when the report was created. The frequency of these records is determined by adjusting the report snapshot interval. If there are no active transfers at the time of the snapshot, there will be no record written. If there is data in the snapshot, a record will be written for each user that is currently transferring, as well as a record that is the sum of all transmit and receive rates for all users.

It is also important to note that both report types can be exported into a CSV file that may be consumed by third-party applications. To download these reports as a CSV, navigate to the HTML administration web application, and click on the reporting tab. Within the reporting panel, you will see a section called "Run Report" which contains options that can be used to filter out reports from the CSV export . Once all the information for your export has been set, click on the "Export CSV" button and then the CSV file will automatically download to your system.

11.b Settings

Click the checkbox to enable reporting and press Apply. Define the location for reports in the first field, followed by the Retention Period and the Snapshot interval. The Retention Period is used to define how long logs are kept for before they are purged. Report Snapshot Interval refers to the granularity of the bandwidth data information being captured. Shorter intervals provide the most information, but at the cost of system performance and report file size.

11.c Run Report

FileCatalyst Server provides 2 basic graphical reports; one for the amount of data a user has transferred over a time period, and another that displays snapshots of the transmit and receive rates at defined intervals for individual users or the server as a whole.

Select a type of report, a range of users, and a range of time. Click "Run Report" to generate a graph of the statistics requested. Here are a few sample reports:

Zooming

FileCatalyst allows you to zoom in on the reports as well. If for example you run a report such as the one below, you can click in the top left of the area on which you want to zoom and drag the mouse cursor to the bottom right of the area on which you want to zoom. Here is an example of the full report, and the section to be zoomed on has been highlighted.

And once you release the mouse button, the highlighted section will fill the entire graph area as illustrated below:

In order to zoom out, hold the mouse cursor anywhere on the graph, click and drag it to the left, and the release.

11.d Report File Format

Exported FileCatalyst report files are currently written using a CSV (Comma-separated values) file format. The first line of the file will always contain the headers for each field. The format for both the Data report and the Bandwidth report are as follows.

Data Report Information

Fields Values
Report Create Time A positive 64-bit integer value representing milliseconds since 1970
Username The username for account that initiated the transfer
Transfer Type ‘UDP’, ‘FTP’ representing the protocol used for the transfer
Direction ‘UPLOAD’, ‘UPLOAD_RESUME’, ‘DOWNLOAD’, ‘DOWNLOAD_RESUME’ representing direction of transfer
ID 32-bit integer, can be negative but will always be unique across all records.
Status ‘SUCCESS’, ‘CANCEL’, ‘ERROR’ representing the state of the transfer upon completion
File Size A positive 64-bit integer value representing the total size of the source file to be transferred
Data Transferred A positive 64-bit integer value representing the amount of data actually transferred (less than total if cancelled or error)
Transfer Start time Date/Time of transfer start in format yyyy/MM/dd HH:mm:ss.SSS (i.e. 2008/07/30 16:09:10.037)
Transfer stop time Date/Time of transfer stop in format yyyy/MM/dd HH:mm:ss.SSS (i.e. 2008/07/30 16:09:10.037)
Average Rate A positive 32-bit floating point value representing the average data transmit/receive rate (Kbps)for the duration of the transfer
Peak Rate A positive 32-bit floating point value representing the peak data transmit/receive rate (Kbps) over the duration of the transfer
Effective Rate A positive 32-bit floating point value representing the effective data transmit/receive rate (Kbps) over the duration of the transfer
Packet Loss % A positive 32-bit floating point value representing the packet loss percentage over the duration of the transfer
Remote Host The IP address of the remote client which initiated this transfer
File Path The local path which the file was transmitted or received
Session ID A value created in a transfer with a FileCatalyst HotFolder which identifies which transfer task a particular file transfer is associated with
Agent ID The identification value assigned to the server by File Catalyst Central
Location The FileCatalyst Server's IP Address
Remote Location The IP Address of the remote client
Report Archive Time A positive 64-bit integer value representing milliseconds since 1970

Sample CSV file contents:

"1217536998271","user","UDP","DOWNLOAD","1162920586","SUCCESS","221184000","217088000","2008/07/31 16:43:18.271","2008/07/31 16:43:55.990","47532.0","49916.0","46584.0","0.0","127.0.0.1","C:\data\user\bigfiles\sub\500MB", ,"1331613959626-11-NULL","1323899227284","192.168.1.107","192.168.1.147","1506630436501"

Bandwidth Report Information

Fields Values
TimeStamp A positive 64-bit integer value representing milliseconds since 1970
Username The username for account that initiated the transfer. The global sum user is ‘_SUM_’
Remote Host The IP address of the remote client which initiated this transfer. Value will be blank for the global sum user.
Report Time Date/Time of this bandwidth snap shop in format yyyy/MM/dd HH:mm:ss.SSS (i.e. 2008/07/30 16:09:10.037)
Transmit Rate A positive 32-bit floating point value representing the transmit rate (Kbps) at time of snapshot
Receive Rate A positive 32-bit floating point value representing the receive rate (Kbps) at time of snapshot

Sample CSV file contents:

"1217350587500","user","127.0.0.1","2008/07/29 12:56:27.500","0","85000"

12 FileCatalyst Central—Enterprise Monitoring and Management

12.a Connecting to FileCatalyst Central

Allows a FileCatalyst Server to connect to FileCatalyst Central (formerly known as MonitoringAgent or MonitoringConsole).

Connections to FileCatalyst Central must be initiated by the service (HotFolder or Server). Fill in the information to connect to Central (address/port/monitor username/password), as well as indicate what IP this server is known as and an alias that can be used to recognize this specific service.

Enabling connection to FileCatalyst Central will also initiate report generation, so that Central can download transfer activities to it's database.

13 External File Systems

FileCatalyst Server has the ability to leverage external file systems (such as cloud storage instances) for file storage. Supported file systems include:

  1. Amazon S3
  2. Azure Blob
  3. OpenStack Swift
  4. Google Cloud Storage
  5. Backblaze B2
  6. Wasabi
  7. Dropbox (Labs)
  8. SMB / CIFS
  9. Encrypted

Note: File Systems marked with the "Labs" tag are still under development, and while generally functional, issues may be encountered in their use. Labs features and products are made available for prototyping and public feedback, but are not recommended for production use, and may be subject to changes in both content and function before general release.

This feature is described in a separate document: FileCatalyst Server: External File Systems.

14 System Monitor

14.a System Activity Monitor

This graph indicates the transfer rates of your server, including both FileCatalyst and FTP traffic. The blue line indicates the total receive rate of the server (that is files being uploaded to the server). The red line indicates the total transmit rate (that is files being downloaded from the server). The green line is the total rate (that is combination of the transmit and receive).

14.b Monitor By Session

The system monitor allows you to view and manage current sessions on the server. It lists all active sessions, their IP address, username, status, and connection time. You can kill an individual session by right clicking on an item in the list and selecting “Kill Session”. You may also block the IP or disable the User account logged in for the session, which will also terminate it and prevent it from reconnecting.

14.c Monitor By User

This monitor allows you to view and manage current sessions, grouped by logged on users, on the server. It lists all active users, and how many active sessions they have. You can kill all sessions from a user by right clicking on an item in the list and clicking the Kill Session(s) button. You can also block all of the IP's used by that user, or disable the user account from this menu.

14.d Guaranteed Delivery

FileCatalyst Server provides the capability to perform on-the-fly modification to bandwidth allocation, priority, and file delivery time. This allows administrators to temporarily override the bandwidth values assigned to user sessions. There are a variety of ways to re-allocate bandwidth depending on the needs of the administrator.

In order to access these functions, navigate to the ‘System Monitor’ section on the left of the GUI, and select the ‘By Session’ tab. Assuming there are active sessions, right-click the session to be modified and select ‘Override Bandwidth /Priority’ followed by the desired option. Modified sessions are highlighted in yellow until defaults are restored automatically or manually.

The available options can be set by ‘Current File‘ or by ‘Current Session’. Modifications classed as ‘Current File’ will only take place for the duration of the one file already in progress. Modifications classed as ‘Current Session’ will span multiple files, and will end once the session in-progress has finished.

Current File Options

Deliver ASAP

This will allocate 99% of the available server bandwidth to the transfer of the current file, in the selected session. A note will appear to present the ETA (Estimated Time of Arrival) of the file. All other sessions will be reduced to very low bandwidth values until the selected file is completely transferred.

Specify Delivery Time

This will allow the administrator to choose an exact delivery time for the current file, in the selected session. The administrator will be warned if the selected time is not possible due to license or bandwidth constraints. If the selected time is possible, the exact bandwidth required to meet that delivery time is calculated and applied to the session. Upon completion of the file delivery, the bandwidth is returned to the default values for that user.

Note: this feature has known limitations. The bandwidth calculated to complete the transfer at the specified time is not re-adjusted as the transfer progresses. Over time, external factors such as congestion and/or other users connecting/disconnecting, may render the initial bandwidth calculation inadequate to complete the transfer by the specified time. For this reason, this feature may only be relied upon if the congestion is minimal, and there are a minimal number of connects/disconnects during the transfer. These limitations will be addressed in a future version.

Current Session Options

Override Priority

This will decrease or increase the priority of the selected session based on the value (1 - 10) selected by the administrator, permitting the selected session to use less or more of the available bandwidth relative to the other active sessions. The amount of bandwidth permitted as a result depends on how many sessions are active. User accounts, by default, have a priority of medium, so the impact of setting a session priority may be less if several users are connected. Please see the note below for more information.

Specify Exact Rate

This allows the administrator to specify the exact bandwidth for a session. For example, setting the bandwidth for a session to 500 Kbps guarantees that session will transfer at exactly that rate for the duration of the session. If the value is higher than the default bandwidth that user was assigned, additional bandwidth will be taken from other sessions to accommodate. If the specified value is lower than the default bandwidth the session was assigned, the difference will be divided among the remaining sessions. If the specified value is not possible due to other bandwidth already being allocated, a warning message will be presented to the administrator notifying them of the maximum available bandwidth they can assign.

The bandwidth override functions may be reset at any time by right clicking the desired session, selecting ‘Override Bandwidth /Priority’ followed by ‘Reset Default Bandwidth’. In addition, the bandwidth for all sessions may be reset by right clicking any session and selecting ‘Reset All Bandwidths’.

NOTE: These override settings cannot allocate more bandwidth to the user than they have assigned in their client application. For example, if a client application is set to use 10 Mbps, and the server attempts to allocate 50 Mbps, the rate of the client will not increase. The assumption is that the client application is set for their individual link speed, and as such an attempt by the server to override this value may accidentally oversaturate the client's network.
If all active sessions have the same priority, then the server permits each session to use an equal percentage of the licensed maximum bandwidth. The permitted bandwidth for each session depends on how many sessions are active, such that the sum of the maximum bandwidths permitted by all sessions equals the absolute maximum bandwidth allowed by the server licence. Sessions with different priorities are permitted to use different percentages of the licensed maximum bandwidth based on differences between the assigned priorities. If the network does not support as much bandwidth as the server licence permits, priority differences can have little to no effect on the balance of the realized session bandwidths.

15 Running at Startup

15.a Windows Service

FileCatalyst Server can be configured to run as a service. Clicking the File menu option Run at Startup will install the FileCatalyst Server as a service. On next startup, FileCatalyst Server will start automatically. When run as a service, the administration will not be available through a Graphical User Interface (GUI). In order to use a GUI, the administrator must connect using the FileCatalyst Server Admin application or via an HTTP connection to the applet URL.

15.b Linux, Solaris, AIX Service

Installation on Unix-derived operating systems follow the same commands. For more information, read the files included in the tar bundle: ./README and ./service_wrapper/SERVICE_WRAPPER_README

NOTE:Ubuntu servers require additional packages installed. Please refer to the packaged SERVICE_WRAPPER_README files for details.

  1. FIRST STEPS: Install application, install license, enable remote administration
    • Create application folder: /opt/utechsoft/server/
    • Download FileCatalyst Server(Unix GZip/TAR bundle)
    • Unzip/Untar bundle
      cd /opt/utechsoft/server
      gunzip ./fc_server.tar.gz
      tar -xvf ./fc_server.tar
    • Run server to extract License request string
      ./jre/bin/java -jar FileCatalystServer.jar
      Your license key is not valid. Contact Unlimi-Tech Software for a valid license key
      Request String: R2D2C3P0W3333333
    • Contact FileCatalyst for your license string.
    • Edit fcconf.conf, enter in licensing information, enable remote administration.
    • Set the administrative password on the server.
      ./jre/bin/java -jar FileCatalystServer.jar -passwdadmin
  2. CONFIGURE application to run as a run-time daemon
    • Run the following commands as the root user to install the service:
      sudo su -
      cd /opt/utechsoft/server/service_wrapper
      chmod +x *.sh
    • Edit the fc_env file if necessary (installation directory, java path, etc)
    • Install the service
      ./install.sh
  3. At this point, you should be able to start the service. You can now login using the FileCatalyst Server Admin to configure the application.
  4. Logs can be examined in /opt/utechsoft/server/wrapper.log

Uninstall by running the /opt/utechsoft/server/service_wrapper/uninstall.sh script as the root user.

16 HTTP Servlet

16.a Connection Illustration

16.b HTTP Tunneling

The HTTP Servlet allows FileCatalyst Direct Clients to fall back to HTTP-based transfer when ‘auto’ mode is used, or to always use HTTP in certain client scenarios.

Typically, FileCatalyst Direct Clients will fall back from Accelerated UDP to multi-stream TCP to single-stream TCP; the servlet adds one more layer: fallback to HTTP.

The benefit of HTTP-based transfer is that it is almost never blocked by corporate firewalls. As long as a user's computer is able to connect to the Internet, they should be able to transfer files over HTTP. Although HTTP-based transfers cannot be accelerated with the FileCatalyst Protocol, two key benefits remain:

  • virtually guaranteed connectivity between client and server ends. End users will not need to have special configuration performed by their IT department in order to make a transfer
  • The reliability and scheduling benefits of the FileCatalyst product are still intact

The servlet will also translate HTTP requests to FTP for non-FileCatalyst FTP servers. If you have a legacy FTP server still in production, you may use the Servlet in conjunction with our client software (with a special Client Connect Key) in order to allow them to communicate with the legacy FTP server through the HTTP tunnel.

The Servlet needs to be licensed in order to operate within the Server architecture.

17 Performance Tuning

The FileCatalyst Performance Tuning documentation can be found here

18 Administration Via Command Line

18.a Installing the Software

Download the desired version of FileCatalyst Server and save it to a location such as our recommended directory: /opt/utechsoft/server

Extract the files:

gzip -d fc_server.tar.gz
tar xvf fc_server.tar

Run the following command to make the shell scripts executable

chmod a+x *.sh

18.b Licensing the Server

Run the server for the first time:

./fc_server_console.sh

You will be prompted with a License Request String. If you have not already been sent a license key, send this request string to Unlimi-Tech and someone will reply with a license key.

Once you obtain a license key, edit the file ‘fcconf.conf’, and enter your license as follows:

## License key
FCServer.server.config.license=3D9456711670A38C040ABC66CA13297B23

18.c Changing Default Ports

Edit the file ‘fcconf.conf’, and look for the lines similar to this:

## FC server port number.
## Default FC port is 21.

FCServer.server.config.port=21

## FC data port numbers
## Default data port is 0 (means any available ports will be used).

FCServer.server.config.data.port.pool=8000-8999

In some cases port 21 may already be in use by an FTP server running on the same machine. If this is the case, you can change the server port number to any open port. Make sure to note the port for client configuration.

The data port range can also be configured by changing 8000-8999 to the values you desire.

18.c Creating SSL Certificate and Enabling Security

A script is included to help you generate an SSL certificate. Run the following command and follow the on screen instructions:

./fc_server_genssl.sh

Once you have generated an SSL certificate, you must configure the server to use it. Edit the file fcconf.conf, and use the following settings:

## SSL settings
FCServer.server.config.private.key.pass=
FCServer.server.config.enable.security=true
FCServer.server.config.private.key=yourcert.pvk
FCServer.server.config.certificate.file=yourcert.pem

The password cannot be set directly in the fcconf.conf file, as it is not stored in plain text. To set the SSL certificate password, run the following command:

./jre/bin/java -jar FileCatalystServer.jar -passwdssl

When the password is set, restart FileCatalyst Server and SSL will be enabled.

Mode details on installing SSL certificates are available: https://support.filecatalyst.com/index.php?/Knowledgebase/Article/View/293/0/how-to-install-a-ssl-certificate-into-a-filecatalyst-server.

18.d Managing Users

Users cannot be created or edited from the command line as this information is now stored in a database. However, it is possible to change a password for a user by running the following command:

./jre/bin/java -jar FileCatalystServer.jar -passwd <username>

18.e Enabling Remote Admin

Remote Admin is stand alone application that can run on a machine that has GUI or XWindows and can connect to either a FileCatalyst Server running on a headless Linux machine or to manage a FileCatalyst server service. To enable remote admin, you must edit fcconf.conf, and enable the following settings:

FCServer.server.config.remote.admin.enabled=true
FCServer.server.config.remote.admin.username=admin
FCServer.server.config.remote.admin.password=
FCServer.server.config.remote.admin.port=12400

To change the remote administration password run the following command:

./jre/bin/java -jar FileCatalystServer.jar -passwdadmin

18.e Specifying Configuration Directory

FileCatalyst Server normally stores configuration files in the working directory where the application is installed. If it is desired to have a separate directory to store configuration files, this can be done by modifying the command-line arguments used when starting the server.

On Linux installs, modify the starting script files to add the "-fconfig [dir]" as additional arguments. Example: fc_server_console.sh script would become:

./jre/bin/java -XX:+IgnoreUnrecognizedVMOptions --add-modules=java.xml.bind -Xms64M -Xmx1024M -jar FileCatalystServer.jar -fconfig /my/directory/ &

If launching the application as a service, the /conf/wapper.conf file must be modified to include these new run-time arguments:

# Application parameters. Add parameters as needed starting from 1
wrapper.app.parameter.1=unlimited.fc.server.FileCatalystServer
wrapper.app.parameter.2=-fconfig
wrapper.app.parameter.3=/my/directory/

On Windows machines, the executables (.exe) files cannot be used to start the application with separate configuration directories. However, you may start the FileCatalyst Server using a command-line JAVA call much like on Linux. In addition, if the server is run as a service, you may make similar modifications to the service wrapper portion of the fcconf.conf file in the installed directory. When the service is started, the Java service wrapper will load up FileCatalyst using a separate directory indicated by the application run-time arguments.

# Application parameters. Add parameters as needed starting from 1
wrapper.app.parameter.1=unlimited.fc.server.FileCatalystServer
wrapper.app.parameter.2=-fconfig
wrapper.app.parameter.3=c:/my/directory/

Note that two configuration files (fcconf.conf & ipfilters.xml) as well as database files (.fcdb/) will utilize this as the new configuration root directory.

18.f Command Line Usage


Command-line usage for FileCatalyst Server
Usage:
./jre/bin/java -jar FileCatalystServer.jar [COMMANDS] [options]

HELP COMMANDS:
-help --> prints this help to console
-version --> prints out the Version number

OPTIONS:
-fconfig <path> --> Specify alternate configuration (fcconf.conf, etc) path)
-path <path> --> Specify alternate server working directory
-license <license string> --> Specify alternate licenses string to use at run-time
-webroot <root www folder> --> Specify alternate webroot path to use at run-time
-port <port num> --> Specify what socket plain server listens on (non-SSL)
-writebuffer <buffer in KB> --> Specify value of the write buffer in KB
-maxblocksize <bytes> --> Specify maximum block size (bytes)
-controlpanel or -systray --> Launches the Server Remote Admin GUI in addition to the Server.
-quiet --> Do not create console output logger

ADDITIONAL COMMANDS:
-shutdown --> Asks a running FileCatalyst Server to shut down
-diagnostic --> Asks a running FileCatalyst Server to generate a diagnostics archive for debugging
-requestString --> Prints out the request string that the FileCatalyst Server will use for licensing

INTERACTIVE COMMANDS:
The following commands prompts user for more input to perform actions.
FileCatalyst Server should be shut down first before running.

-passwd <username> --> Modify user password in database
-passwdadmin --> Modify the administrative password
-passwdssl --> Encrypt and insert the SSL password
-testIO --> Execute a write IO test for the server
-testReadIO --> Execute a read IO test for the server

19 Firewall Setup

19.a Control Connection

The firewall on the server side of the network must be configured to allow incoming TCP connections on port 21, or whatever has been set as the incoming server port.

19.b Data Connections

The firewall on the server side of the network must be configured to allow incoming UDP/TCP packets on ports 8000 - 8999, or whatever range has been specified in the server configuration. If you only plan to allow uploads to the server, and do not plan to use standard FTP clients to connect to the server, you can limit this to UDP only. TCP is only required to establish data connection to retrieve directory listings for FTP downloads and directory listings.

19.c HTTP Transfers

If you wish to enable HTTP Transfers (including Link transfers) you must add a control connnection rule for port 12480.

20 REST Services

20.a Enabling REST services

FileCatalyst Server is capable of accepting REST service calls in order to configure and control the service. REST services are required and automatically enabled when you connect the Server to be managed by FileCatalyst Central, but may also be used to build a remote control application external to the FileCatalyst Server.

To manually enable REST services, you need to allow HTTP access (see HTTP Settings tab). This will open up the web server port (default 12480), and allow access to REST services.

20.b REST services security

All REST services require user authentication to run them. User credentials are passed in using HTTP headers. There are two ways to pass in user credentials.

  • Using the RESTAuthorization header.

    This HTTP header can be used to pass in user credentials. The user credentials are Base 64 encoded and follow the following format: username:password

    JSON Example assuming the administration username and password is admin:system
    URL: http://localhost:12480/rs/users
    Method: GET
    Accept: application/json
    RESTAuthorization: YWRtaW46c3lzdGVt

    Returned JSON:
    {{"totalRecords":3,"totalFilteredRecords":3,"isListFiltered":false,"user":[...]}

  • Using the RESTSessionSecret header

    This is the more secured (and recommended) version for using the REST services. At least one call needs to be called using the above mentioned HTTP Header (RESTAuthorization). A POST call to the /rs/AuthorizationSession REST service with the above header and the user credentials in the data content is required to get back a session secret. Once the session secret is known, it can then be used for all subsequent calls using the RESTSessionSecret header. The session secret will be valid for as long as the session stays alive on the server.

    JSON Example assuming username/password is admin/system:
    URL: http://localhost:12480/rs/AuthorizationSession
    Method: POST
    Accept: application/json
    Content-Type: application/json
    RESTAuthorization: YWRtaW46c3lzdGVt

    Content:
    {"authorization":"YWRtaW46c3lzdGVt"}

    Returned JSON:
    {"sessionSecret":"644783159662526094"}

    JSON Example using RESTSessionSecret:
    URL: http://localhost:12480/rs/users
    Method: GET
    Accept: application/json
    RESTSessionSecret: 644783159662526094

    Returned JSON:
    {{"totalRecords":3,"totalFilteredRecords":3,"isListFiltered":false,"user":[...]}

20.c REST services documentation

Documentation on the REST services provided by the FileCatalyst Server application can be viewed here

Alternatively, the documentation may be downloaded from here

20.d REST example using Swagger

In addition to the REST documentation, a web application built on the Swagger UI framework has been provided.

By using this application, you will be able to view all of the available REST services within the application, as well as examples of responses and requests that a particular call may produce or consume. In addition to these examples, the Swagger application supports the ability to configure REST call and make them directly against the application. Upon executing a REST call, the application will present you with the response for the call, as well as a small CURL example of the request that was made.


How to view the Swagger UI application

If you are viewing this document from a web-based connection, this application may be viewed by clicking here.

If you are viewing this document from a local connection, this application may be viewed at the following URL: http://{fc.server.web.ip}:{fc.server.web.port}/help/Server/restDocs/ui/index.html

21 Frequently Asked Questions and Troubleshooting

1) Users are unable to connect to the server, what is going on?

Your firewall may be blocking incoming TCP requests on port 21 (or whatever port you set for the control connection).

2) No files can be uploaded to the server, what is going on?

Make sure the user under which FileCatalyst server is running has sufficient permissions to write files to the data directory specified.

3) I am seeing 0 byte files in the data directory, why aren't transfers working properly?

Your firewall or router must allow incoming UDP traffic so data can be received from the client applications. Further, if the server is behind a NAT, the packets must be forwarded to the proper IP address. Another possible issue is that the client side is behind a firewall and doesn't allow outgoing UDP data.

4) It looks like even with no firewall, no UDP packets are being received by the server, why not?

It is possible that you have set the encoding unit size greater than 1472, which results in fragmented UDP packets. Some routers and firewall's will automatically drop fragmented packets. If this is the case try lowering the packet size to 1472 or less. Windows operating systems tend to perform better with a value of 1024.

5) Transfers are slower when there are a large number of incoming file transfers, why?

The answer is likely that your disk is not able to keep up with the transfers. The only option is to upgrade your disk to something faster. To receive at hundreds of Mbps, you will need to have a very efficient storage device to keep up. You could start with a fast SATA drive at 10K or 15K RPM, a fast RAID, or a fast SAN or NAS connected over GigE.

6) Will a hub affect my performance?

Hubs are more susceptible to collisions at high speeds which will result in an additional packet loss. As you increase the packet size, the UDP packets FileCatalyst sends will no longer fit in an ether frame. The OS will fragment the Jumbo packets into many smaller fragmented packets that match the MTU of your network (usually 1500 bytes). The larger the packet, the more pieces it is broken into.

7) Are there additional bottlenecks that I should be aware of?

If your concurrent connection speed is 100 Mbps and FileCatalyst server is storing data to network storage (NAS or SAN) on a 100Mbps or lower switch; this will cause FC to compete with itself for bandwidth when receiving and writing. The transfer rate using this network topology would be approximately 50Mbps or lower.

Performance may be further affected if you are connected to a 100 Mbps or lower hub as this is a potential source of packet loss due to congestion. If replacing the hub with a fast switch is not an option, do not attempt to send at the full capacity of the hub with a packet size greater than 1472 (or whatever setting does not cause fragmentation) or significant performance degradation could occur.

8) How can I see my networked mapped drives under Windows 8 or higher?

Windows machines which have mapped network drives may not being visible to the Server due to Microsoft's implementation of User Access Control (UAC) starting with Windows Vista.

There are examples online on how to disable this or set the system to allow drives to be visible to services.

To implement a workaround:

  1. Unzip the file enablelinkedconnections.zip in the application directory (C:\Program Files\FileCatalyst Server\)
  2. Run the registry entry enablelinkedconnections.reg to enable the Server to see mapped network drives.
  3. A reboot will be required for this to take effect
  4. To uninstall, run the undo.reg the same way as enablelinkedconnections.reg, a restart is also required on uninstall

9) Where are my logs?

On Window or Linux, the logs can be found in the logs directory in the application's install directory. On OS X, the logs will be found in logs folder of the appropriate application folder in "Library/Application Support/FileCatalyst" for the user running the application, or in the root library if the application is being run as a service. The path to the logs can also be found in the configuration file as log.location.

10) Why are transfers to/from my External File System slow or failing?

Due to their nature, External File Systems are subject to a number of limitations. Please consult the limitations section of your particular EFS in the FileCatalyst Server: External File Systems document.

22 About FileCatalyst

22.a Save Info to Log Location

This will gather some basic info about your application version, Java version and OS

22.b Diagnostic Report

The Diagnostic Report button collects state, logs, and configuration information about your application that will be useful to FileCatalyst engineers for analysis and troubleshooting. The information is assembled into a zip archive under the diagnostics subfolder of your application installation directory, from where it can be forwarded to the FileCatalyst support team if desired.

Generating diagnostics is a background activity, there will be limited visual feedback to the user when the Diagnostic Report button is pressed, and regular product usage can be resumed immediately. The diagnostics archive can take a few minutes to generate, depending on how busy the product is with other operations. In order to keep times short and the resulting zip file small, the logs are filtered based on time and size. Some temporary files may appear in the diagnostics folder during this time. When the archive is complete and ready to send, it will appear in the diagnostics folder with a name similar to "FileCatalyst<product>_<date&timestamp>_diagnostics.zip".

Please login to the Support Portal (https://support.filecatalyst.com/) to submit a ticket and upload diagnostics and other relevant ticket files. If you already have a Ticket ID, you can also use Support2U (https://support2u.filecatalyst.com/) to send this diagnostics file directly.

23 Support

23.a Support System

Visit our support website at https://support.filecatalyst.com to view the knowledge base and to submit a ticket (Available 24/7).

If you have already submitted a Ticket and would like to send us your case files please go to https://support2u.filecatalyst.com to upload them. A valid Ticket ID will be required.

23.b Support Information

For support contact information, support hours and live chat: Visit our website at https://support.filecatalyst.com