Enabling authentication in the file transfer service using scripting

The file transfer service provides role-based authentication. You can enable authentication in the file transfer service using scripting and the wsadmin tool.

About this task

There are two versions of the file transfer Web application: a secured version and an unsecured version. The secured version of this file, which is the version that authenticates its caller, is installed by default. The secured version is located in the app_server_root/systemApps/filetransferSecured.ear directory. The unsecured version, which is the version that does not authenticate its caller, is located in the app_server_root/systemApps/filetransfer.ear directory

The file transfer Web application, which handles both authenticated and non-authenticated requests, is located in the app_server_root/systemApps/filetransferSecured.ear directory.

Best practice: The z/OS operating system handles file transfer authentication based on the global administrative security setting. When this setting is enabled, only authenticated file transfers occur. When this setting is disabled, both secured and unsecured file transfers can occur. It is recommended that you enable global administrative security to prevent unauthorized use of the file transfer application.

In WebSphere Application Server a mixed cell environments, file transfer is a system application. You can activate authentication in the file transfer service by redeploying the file transfer Web application at the deployment manager level.

1. Run the redeployFileTransfer.jacl script to help you redeploy the file transfer Web application.
   This wsadmin script is located in the app_server_root/bin directory. Run the script from the app_server_root/bin directory using the following syntax:

   wsadmin -conntype NONE -lang jacl -profile redeployFileTransfer.jacl -c 
   "fileTransferAuthenticationXxx cell_name node_name dmgr"

   In this example, the variables represent the following:

   • Xxx is On or Off.
   • cell_name is the name of your cell.
   • node_name is the name of your node.
   • dmgr is the server type. This script will work only on the deployment manager.

   Use wsadmin.sh.

   Use wsadmin.

   Use wsadmin or wsadmin.bat.

   Review the following examples on how to run the script with the different authentication options:

   • To run the script with authentication, which uses the filetransfer.ear file, use a command similar to the following:

     wsadmin -conntype NONE -lang jacl -profile redeployFileTransfer.jacl -c 
     "fileTransferAuthenticationOn managedCell managedCellNode dmgr"

   • To run the script and file transfer service without authentication, use a command similar to the following:

     wsadmin -conntype NONE -lang jacl -profile redeployFileTransfer.jacl -c 
     "fileTransferAuthenticationOff managedCell managedCellNode dmgr"

   In the previous examples, the following values apply:

   • managedCell the names of the cell.
   • managedCellNode is the names of your node.
   • dmgr is the server type.
2. If you receive an error related to the file transfer service, troubleshoot the problem by reviewing the systemapps.xml file.
   You might receive the following error if you attempt to set authentication to a state in which it is already configured:

   Error: com.ibm.ws.scripting.ScriptingException: WASX7280E: An
   application with name "filetransfer" does not exist.

   This error will be displayed, for example, when you try to set authentication to on when it is already on or off when it is already off.

   To determine the current state of the file transfer authentication, see the systemapps.xml file in the app_server_root/AppServer/profiles/dmgr_profile/config/cells/cell_name/nodes/node_name directory:

   • This entry indicates that authentication is on:

     <deployedApplications>${app_server_root}/
        systemApps/filetransferSecured.ear</deployedApplications>

   • This entry indicates that authentication is off:

     <deployedApplications>${app_server_root}/
        systemApps/filetransfer.ear</deployedApplications>