Configuring JFileServer
Revision as of 14:46, 23 December 2018
The JFileServer file server is configured using a simple XML file; the same configuration format is used by the Enterprise version of the file server.
The configuration is contained within the <fileserver> main section with various sub-sections to configure which file server protocols are enabled, configuration for each protocol, security and debug logging. Here's an overview of the XML configuration file :-
    <fileserver>
        <server>...</server>
        <SMB>...</SMB>
        <FTP>...</FTP>
        <NFS>...</NFS>
        <shares>...</shares>
        <debug>...</debug>
        <security>...</security>
        <licence>...</licence>
    </fileserver>
Environment variables may be used in attributes and values within the XML configuration using the syntax '${env-var-name}'.
Some configuration settings allow an optional platforms="..." attribute, which allows one configuration file to be used on multiple platforms. If the platform that JFileServer is currently running on is not listed in the platforms="..." list then the setting will be ignored.
The available platform values are Windows, Linux, MacOSX and Solaris. The platforms value is a comma delimited list of valid platforms for the current setting.
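As an added example that is not part of the JFileServer project, the following Python script shows how a configuration loader would apply the two rules just described: ${env-var-name} substitution in attributes and values, and dropping any setting whose platforms="..." list does not name the current platform. The sample configuration is constructed for illustration (it uses the <servers> element name from the syntax block later on this page), and leaving an unset environment variable unexpanded is an assumption, since the page does not say how that case is handled.

```python
import os
import platform
import re
import xml.etree.ElementTree as ET

# Constructed sample configuration (not from the JFileServer project). It uses
# the ${env-var-name} syntax and the platforms="..." attribute described above.
SAMPLE_CONFIG = """<fileserver>
  <servers>
    <SMB enable="${JFS_SMB_ENABLE}"/>
    <FTP enable="true"/>
  </servers>
  <SMB>
    <host>
      <tcpipSMB platforms="Windows"/>
      <tcpipSMB port="1445" platforms="Linux,MacOSX"/>
      <netBIOSSMB sessionPort="1139" namingPort="1137" datagramPort="1138" platforms="Linux"/>
    </host>
  </SMB>
  <FTP>
    <port>${JFS_FTP_PORT}</port>
  </FTP>
</fileserver>
"""

# Matches the ${env-var-name} references described on this page.
ENV_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def expand_env(text, env):
    """Replace each ${name} with env[name]. An unset variable is left as-is;
    that is an assumption, the page does not say how an unset name is treated."""
    return ENV_REF.sub(lambda m: env.get(m.group(1), m.group(0)), text)


def current_platform():
    """Map Python's platform.system() onto the platform names the page lists."""
    names = {"Windows": "Windows", "Linux": "Linux", "Darwin": "MacOSX", "SunOS": "Solaris"}
    return names.get(platform.system(), platform.system())


def applies_to(elem, plat):
    """A setting without platforms="..." applies everywhere; otherwise the
    comma-delimited list must name the current platform."""
    plats = elem.get("platforms")
    if plats is None:
        return True
    return plat in {p.strip() for p in plats.split(",")}


def load_config(xml_text, env, plat):
    """Parse the XML, drop settings not meant for `plat`, then expand
    environment references in every attribute value and element text."""
    root = ET.fromstring(xml_text)
    # Snapshot the element list first: children are removed while walking.
    for parent in list(root.iter()):
        for child in list(parent):
            if not applies_to(child, plat):
                parent.remove(child)
    for elem in root.iter():
        for name, value in list(elem.attrib.items()):
            elem.set(name, expand_env(value, env))
        if elem.text:
            elem.text = expand_env(elem.text, env)
    return root


if __name__ == "__main__":
    # Show the effective configuration for this host and environment.
    cfg = load_config(SAMPLE_CONFIG, dict(os.environ), current_platform())
    print(ET.tostring(cfg, encoding="unicode"))
```

Running the script prints the configuration as the server would see it on this host: on Linux the <tcpipSMB port="1445"/> and <netBIOSSMB .../> settings survive and the Windows-only <tcpipSMB/> is dropped, and any ${...} reference whose variable is set in the environment is replaced by its value.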
The <server> configuration section is used to enable or disable which file server protocols are available. The syntax has changed from the JLAN configuration: each protocol now has an enable="true|false" attribute, which makes it easier to use an environment variable to control whether a particular file server protocol is enabled.
The <servers> configuration section has the following syntax :-
    <servers>
        <SMB enable="true|false"/>
        <FTP enable="true|false"/>
        <NFS enable="true|false"/>
    </servers>
SMB Server Configuration
The <SMB> configuration section is used to configure the SMB protocol server that allows a drive or mount to be mapped to the JFileServer file server which can then be accessed as if it were a local drive on the client system.
The <SMB> configuration section has the following syntax :-
    <SMB>
        <host>
            <broadcast>...</broadcast>
            <smbdialects>...</smbdialects>
            <comment>...</comment>
            <netBIOSSMB .../>
            <tcpipSMB .../>
            <hostAnnounce .../>
        </host>
        <authenticator ...>
            ...
        </authenticator>
        <sessionDebug .../>
    </SMB>
Note: The JLAN XML configuration has <Win32NetBIOS/> and <Win32Announce/> configuration options; these are currently ignored by JFileServer as the Win32 NetBIOS legacy code has been moved out into a separate add-on project. With most clients using native SMB connections on port 445, and SMB2/SMB3 connections requiring native SMB connections, there are only a small number of special cases where the Win32 NetBIOS interface is of use.
The <host> Configuration Section
The <host> sub-section contains the main networking and protocol configuration settings.
The <broadcast> setting specifies the network broadcast mask that is required to send broadcast datagrams, used by the NetBIOS protocol and host announcement. JFileServer now accepts the setting of 'AUTO', where the broadcast mask will be determined automatically. In some cases this may not work, and you will then need to specify the broadcast mask. For example, if your network addresses are in the 192.168.1.x/8 range the broadcast mask would be 192.168.1.255.
The <smbdialects> setting configures which SMB dialects the file server will negotiate with a client. The value should be a comma delimited list of dialect names. The high level dialect names available are SMB1 for the standard server, plus SMB2 and SMB3 for the Enterprise server.
The <comment> setting provides a comment that is visible to clients when displaying the server properties.
The <netBIOSSMB .../> setting configures the SMB file server to use the TCPIP socket based NetBIOS protocol. The default setting of <netBIOSSMB/> will enable the TCPIP NetBIOS interface using TCP port 139 and UDP ports 137 and 138. These settings can be overridden using the sessionPort="...", namingPort="..." and datagramPort="..." attributes. For example, if running the JFileServer on a linux or Mac system as a normal user the server will not be able to bind the privileged ports 137/138/139, so we may use the following configuration and use firewall rules to forward the network traffic to the unprivileged ports :-
<netBIOSSMB sessionPort="1139" namingPort="1137" datagramPort="1138"/>
An optional platforms="..." attribute may be used for the NetBIOS SMB setting.
The <tcpipSMB> setting configures the SMB file server to use the native SMB socket based protocol. The default setting of <tcpipSMB/> will enable the native SMB interface using TCP port 445. This setting can be overridden using the port="..." attribute. For example, if running the JFileServer on a linux or Mac system as a normal user the server will not be able to bind the privileged port 445, so we may use the following configuration and use firewall rules to forward the network traffic to the unprivileged port :-
<tcpipSMB port="1445"/>
An optional platforms="..." attribute may be used for the TCPIP SMB setting.
The <hostAnnounce .../> setting is used to enable the TCPIP NetBIOS host announcer that periodically broadcasts the server details to the local network. This allows the server to show up in the local network list or workgroup.
The default host announcement is broadcast every minute; the announcement interval can be set using the optional interval="..." attribute.
The <authenticator> Configuration Section
The <authenticator type="..."> section configures how the SMB server handles user authentication. The optional type="..." attribute can have the values "enterprise" or "local", or it is possible to specify your own authenticator class. The enterprise authenticator setting provides the latest authentication methods such as NTLMv2 and Kerberos via the NTLMSSP and SPNEGO mechanisms. The local authenticator setting provides support for older LanMan and NTLMv1 authentication, these are considered to be insecure these days so it is recommended to use the "enterprise" setting.
For the "enterprise" setting the authenticator configuration has the following syntax :-
    <authenticator type="enterprise">
        <disableNTLM/>
        <useSPNEGO/>
        <disallowNTLMv1/>

        <!-- Kerberos related settings -->
        <Realm>...</Realm>
        <Password>...</Password>
        <LoginEntry>...</LoginEntry>
        <kerberosDebug/>
    </authenticator>
By default the Enterprise authenticator enables NTLM logons, either NTLMv1 or NTLMv2. To only allow the more secure NTLMv2 logons use the <disallowNTLMv1/> configuration setting.
To enable Kerberos logons to the SMB file server the <Realm>, <Password> and <LoginEntry> values are required. The <Realm> setting should contain the Kerberos realm, usually the domain name in uppercase. The <Password> setting is used to access the server Kerberos setup. The <LoginEntry> setting specifies the Java JAAS login entry name to use for the SMB server service logon, the default value is FileServerSMB.
The <kerberosDebug/> setting is a convenience setting that enables various Java debug output levels by setting the required properties.
The <useSPNEGO/> setting enables the use of SPNEGO (Simple Protected NEGOtiation) as well as the default NTLMSSP. If you have enabled Kerberos logons then SPNEGO will be enabled automatically.
The <sessionDebug> Configuration Setting
The <sessionDebug flags="..."/> setting is used to enable SMB server debug output. The flags="..." value is a comma delimited list of debug output level names from the following list :-
| Flag | Description |
|---|---|
| PKTTYPE | Received packet type |
| STATE | Session state changes |
| RXDATA | Dump received data packet |
| TXDATA | Dump sent packet data |
| DUMPDATA | Dump data packets |
| NEGOTIATE | Protocol negotiate phase |
| TREE | Tree connection/disconnection |
| SEARCH | File/directory searches |
| INFO | File/directory information requests |
| FILE | File open/close/information requests |
| FILEIO | File read/write |
| TRAN | SMB transactions |
| ECHO | Echo requests |
| ERROR | Errors returned to the client |
| IPC | IPC$ named pipe requests |
| LOCK | Lock/unlock requests |
| DCERPC | DCE/RPC request processing |
| STATECACHE | File state cache |
| TIMING | Time packet processing |
| NOTIFY | Asynchronous change notifications |
| STREAMS | NTFS streams handling |
| SOCKET | Socket connections |
| PKTPOOL | Memory pool allocate/release |
| PKTSTATS | Memory pool statistics |
| THREADPOOL | Thread pool handling |
| BENCHMARK | Benchmarking requests |
| OPLOCK | Opportunistic lock handling |
| PKTALLOC | Memory pool handling |
| COMPOUND | Compound request handling (Enterprise only) |
| CANCEL | Cancel request handling (Enterprise only) |
| SIGNING | Packet signing (Enterprise only) |
| ENCRYPTION | Encryption handling (Enterprise only) |
For example, to enable SMB server debug output to help with logon and connection issues you could use the following setting :-
<sessionDebug flags="Negotiate,Socket,State,Error"/>
FTP Server Configuration
The <FTP> configuration section is used to configure the FTP protocol server that allows a client to connect using any FTP client application. A standard FTP connection sends plaintext commands, and details including username and password, so it is recommended to use FTPS so that the commands are sent over an encrypted SSL connection.
The <FTP> configuration section has the following syntax :-
    <FTP>
        <port>...</port>
        <allowAnonymous/>
        <debug .../>

        <!-- FTPS support -->
        <keyStore>...</keyStore>
        <keyStoreType>...</keyStoreType>
        <keyStorePassphrase>...</keyStorePassphrase>

        <trustStore>...</trustStore>
        <trustStoreType>...</trustStoreType>
        <trustStorePassphrase>...</trustStorePassphrase>

        <requireSecureSession/>
        <sslEngineDebug/>
    </FTP>
The <port> setting defines the port that the FTP server will listen for connections on; if not specified, the default FTP port of 21 will be used. If running the JFileServer file server as a normal user on a Linux or Mac system you will need to use a non-privileged port, 1024 or above.
The <allowAnonymous/> setting specifies that anonymous guest logons are allowed to the FTP server.
The <debug flags="..."/> setting is used to enable FTP server debug output. The flags="..." value is a comma delimited list of debug output level names from the following list :-
| Flag | Description |
|---|---|
| STATE | Session state changes |
| RXDATA | Dump received data packet |
| TXDATA | Dump sent packet data |
| DUMPDATA | Dump data packets |
| SEARCH | File/directory searches |
| INFO | Information requests |
| FILE | File open/close/information requests |
| FILEIO | File read/write requests |
| ERROR | Errors sent back to the client |
| PKTTYPE | Received packet type |
| TIMING | Time packet processing |
| DATAPORT | Data port handling |
| DIRECTORY | Directory commands |
| SSL | Secure sessions |
FTPS Server Configuration
The FTP server allows connections to switch into secure SSL mode after connecting to the configured FTP server port.
To enable FTPS we need to create a keystore and truststore for the SSL connections. To create a keystore using the JKS format keystore type use the following commands, filling in the required details when prompted :-
    $ keytool -genkeypair -alias jfsftp -keyalg RSA -keystore FTPSKeyStore

    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  Your Name
    What is the name of your organizational unit?
      [Unknown]:  OrgUnit
    What is the name of your organization?
      [Unknown]:  Company
    What is the name of your City or Locality?
      [Unknown]:  City
    What is the name of your State or Province?
      [Unknown]:  Province
    What is the two-letter country code for this unit?
      [Unknown]:  CC
    Is CN=Your Name, OU=OrgUnit, O=Company, L=City, ST=Province, C=CC correct?
      [no]:  yes

    Enter key password for <client>
        (RETURN if same as keystore password):
    Re-enter new password:
To generate the truststore use the following commands :-
    $ keytool -export -alias jfsftp -keystore FTPSKeyStore -rfc -file FTPS.cer
    $ keytool -import -alias FTPSCert -file FTPS.cer -keystore FTPSTrustStore
You can now fill in the JFileServer configuration to enable FTPS :-
    <!-- FTPS support -->
    <keyStore>/path/to/FTPSKeyStore</keyStore>
    <keyStoreType>JKS</keyStoreType>
    <keyStorePassphrase>keystore-password</keyStorePassphrase>

    <trustStore>/path/to/FTPSTrustStore</trustStore>
    <trustStoreType>JKS</trustStoreType>
    <trustStorePassphrase>truststore-password</trustStorePassphrase>
The <requireSecureSession/> configuration setting will only allow connections that use the FTP SSL mode to logon.
The <sslEngineDebug/> setting is used to enable additional debug output from the Java JSSE SSL session processing.
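As an added example that is not part of JFileServer, the following Python script audits a configuration file for the settings this page calls out as weak: in the SMB <authenticator> section the "local" authenticator (LanMan/NTLMv1) and an enterprise authenticator without <disallowNTLMv1/>, and in the <FTP> section anonymous logons, an FTP server with no keystore (so FTPS is unavailable and credentials cross the network in plaintext), FTPS configured without <requireSecureSession/>, and keystore passphrases written as literals where the ${env-var-name} syntax could keep them out of the file. Both configurations are constructed for illustration, the severity labels are the example's own, and treating an <authenticator> with no type="..." attribute as unknown (neither flagged nor cleared) is an assumption, since the page does not state the default type.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample showing several weak choices described on this page;
# not a configuration shipped with JFileServer.
WEAK_CONFIG = """<fileserver>
  <servers>
    <SMB enable="true"/>
    <FTP enable="true"/>
    <NFS enable="false"/>
  </servers>
  <SMB>
    <authenticator type="enterprise">
      <useSPNEGO/>
    </authenticator>
  </SMB>
  <FTP>
    <port>2121</port>
    <allowAnonymous/>
    <keyStore>/path/to/FTPSKeyStore</keyStore>
    <keyStoreType>JKS</keyStoreType>
    <keyStorePassphrase>keystore-password</keyStorePassphrase>
  </FTP>
</fileserver>
"""

# Constructed hardened counterpart: NTLMv1 refused, FTPS required for logon,
# passphrases supplied through environment variables (names are assumptions).
HARDENED_CONFIG = """<fileserver>
  <servers>
    <SMB enable="true"/>
    <FTP enable="true"/>
  </servers>
  <SMB>
    <authenticator type="enterprise">
      <disallowNTLMv1/>
      <useSPNEGO/>
    </authenticator>
  </SMB>
  <FTP>
    <port>2121</port>
    <keyStore>/path/to/FTPSKeyStore</keyStore>
    <keyStoreType>JKS</keyStoreType>
    <keyStorePassphrase>${JFS_FTPS_KEYSTORE_PASS}</keyStorePassphrase>
    <trustStore>/path/to/FTPSTrustStore</trustStore>
    <trustStoreType>JKS</trustStoreType>
    <trustStorePassphrase>${JFS_FTPS_TRUSTSTORE_PASS}</trustStorePassphrase>
    <requireSecureSession/>
  </FTP>
</fileserver>
"""

# A passphrase value consisting solely of one ${env-var-name} reference.
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")


def _enabled(root, proto):
    """True when <servers> turns the protocol on with enable="true"."""
    e = root.find(f"servers/{proto}")
    return e is not None and e.get("enable", "false").lower() == "true"


def audit_config(xml_text):
    """Return a list of (severity, finding) tuples for the security-relevant
    settings this page describes. An empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []

    if _enabled(root, "SMB"):
        auth = root.find("SMB/authenticator")
        atype = auth.get("type", "") if auth is not None else ""
        if atype == "local":
            findings.append(("HIGH", 'SMB authenticator type="local" permits LanMan/NTLMv1 logons; use type="enterprise"'))
        elif atype == "enterprise" and auth.find("disallowNTLMv1") is None:
            findings.append(("MEDIUM", "SMB enterprise authenticator still accepts NTLMv1; add <disallowNTLMv1/>"))

    if _enabled(root, "FTP"):
        ftp = root.find("FTP")
        if ftp is None:
            findings.append(("MEDIUM", "FTP enabled but no <FTP> section: defaults apply (port 21, no FTPS)"))
        else:
            if ftp.find("allowAnonymous") is not None:
                findings.append(("HIGH", "<allowAnonymous/> permits unauthenticated FTP guest logons"))
            if ftp.find("keyStore") is None:
                findings.append(("HIGH", "no <keyStore>: FTPS unavailable, credentials cross the network in plaintext"))
            elif ftp.find("requireSecureSession") is None:
                findings.append(("HIGH", "FTPS configured but <requireSecureSession/> missing: plaintext logons still accepted"))
            for tag in ("keyStorePassphrase", "trustStorePassphrase"):
                el = ftp.find(tag)
                if el is not None and el.text and not ENV_REF.match(el.text.strip()):
                    findings.append(("LOW", f"<{tag}> is a literal in the config file; consider the ${{ENV_VAR}} syntax"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(WEAK_CONFIG):
        print(f"{severity:6} {message}")
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Run against the weak sample the audit reports four findings (NTLMv1 still accepted, anonymous logons, FTPS not required, a literal passphrase); the hardened sample produces none. To audit a real deployment, replace the embedded string with the contents of the server's configuration file.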
NFS Server Configuration
The <NFS> configuration section is used to configure the NFS protocol server that allows a client to mount a JFileServer filesystem which can then be accessed as if it were on a local drive on the client system.
The <NFS> configuration section has the following syntax :-
    <NFS>
        <enablePortMapper/>
        <disablePortMapperRegistration/>
        <PortMapperPort>...</PortMapperPort>
        <MountServerPort>...</MountServerPort>
        <NFSServerPort>...</NFSServerPort>
        <RPCRegisterPort>...</RPCRegisterPort>
        <rpcAuthenticator>
            ...
        </rpcAuthenticator>
        <debug .../>
        <mountServerDebug/>
        <portMapperDebug/>
        <FileCache>...</FileCache>
        <fileCacheDebug/>
    </NFS>
TODO: NFS configuration settings