How to set HTTP fallback on TCP 443 with Aspera On Demand

Overview

This article shows customers how to set up direct HTTPS fallback on TCP 443 with Aspera On Demand to S3. HTTP fallback is an Aspera file transfer service that uses HTTP(S) as the file transfer protocol. This service is available if you happen to be one of the unfortunate few whose network administrators do not allow FASP transfers. It comes as part of the Aspera Enterprise Server installation package. The following diagram shows how HTTP fallback works.

httpfallback443.jpg

 

Prerequisites

This article assumes the following:

  • You have purchased and booted up Aspera On Demand v.3.2.2 
  • You have created an S3 bucket
  • You know your S3 Access ID and Secret Key, or you use an S3-enabled IAM policy to boot up your AMI.  To learn how to use an IAM policy to boot your AMI, please see this article.
  • You can SSH as root to your Aspera On Demand Instance
  • Your Web Application and Transfer Server are on two separate machines
NOTE: We use Aspera Shares as the example web application.  If you have your own custom web application, and need support, please contact the SDK support team.

 

Procedure

 1) Connect to your AMI host from a Terminal/Command Prompt via SSH and sudo to root

# ssh -i [customer's pem] -p 33001 [ec2-user]@[ec2 host IP]
# sudo su -

 

 2) Upgrade Enterprise Server to a version newer than 3.1.3, e.g. 3.4

Please contact Aspera Support at support@asperasoft.com to obtain the installer.

# /etc/init.d/asperanoded stop
# /etc/init.d/asperatrapd stop
# /etc/init.d/asperalee stop
# rpm -Uvh aspera-entsrv-3.4.xxxx-linux-64.rpm

 

3) Set up API user and Transfer user  (Optional)

If you use the pre-created API user accounts and transfer user accounts that come with your AMI (xfer and xfer2; their password is the Instance ID), you can skip this step and go to Step 4).

To view a list of pre-created API accounts and their mapping to transfer users, you can run

 # /opt/aspera/bin/asnodeadmin -l

 If you need to create a new API and transfer user, please follow the instructions below.

a) Create a new Transfer user

  1. Create a local user on the OS that will have the S3 docroot. In this example, we create a new Transfer user called xfer3.

    # useradd xfer3
    # mkdir /home/xfer3/.ssh
    # cp /opt/aspera/var/aspera_id_dsa.pub /home/xfer3/.ssh/authorized_keys
    # chown -R xfer3:xfer3  /home/xfer3/.ssh
    # chmod 700 /home/xfer3/.ssh
    
  2. Create an S3 docroot for xfer3, and set the authentication method to token:

    # asconfigurator -F "set_user_data;user_name,xfer3;absolute,S3://AWSAPIUSER:AWSAPIKEY@s3.amazonaws.com/BUCKETNAME;authorization_transfer_in_value,token;authorization_transfer_out_value,token"

b) Create a new API user and set up mapping

# /opt/aspera/bin/asnodeadmin -a -u NewAPIuser -p a_secret_node_api_password -x xfer3

Now an API user is created and mapped to xfer3, which has an S3 docroot, and a password is set for the API user.

c) Restart asperanoded

# service asperanoded restart

 

4) Ensure the Transfer user has a docroot set to a S3 bucket on the Transfer Server.   

To check the docroot of the Transfer user, you can run

# /opt/aspera/bin/asuserdata -u TransferUserName

Look for "docroot option set:" in the output. Both "canonical_absolute" and "absolute" should be set to your S3 bucket.

docroot option set:      
canonical_absolute=s://AWSAccessID:AWSSecretKey@s3.amazonaws.com/S3_bucket_name/    
canonical_show_as=/     
absolute: "s3://AWSAccessKeyID:AWSSecretAccessKey@s3.amazonaws.com/S3_bucket_name/"

If you need to create an S3 docroot for the Transfer user and don't know how, please see this article.
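The output in step 4 contains the AWS secret key in clear text, so it should not be pasted into tickets or logs as-is. The following added example (not Aspera code, and not part of the original article) checks that the "absolute" docroot is an S3 URL and prints it with the credentials masked; the sample output and its keys are constructed, and the user name in the usage comment is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not Aspera code): confirm a transfer user's docroot is S3
# without copying the AWS secret key into terminals, logs or tickets.

# Constructed sample in the output format shown in step 4; keys are fake.
sample_asuserdata_output() {
  cat <<'EOF'
docroot option set:
canonical_absolute=s3://AKIDEXAMPLE:FakeSecret/Key+1@s3.amazonaws.com/my-bucket/
canonical_show_as=/
absolute: "s3://AKIDEXAMPLE:FakeSecret/Key+1@s3.amazonaws.com/my-bucket/"
EOF
}

# Reads asuserdata output on stdin. Prints the "absolute" docroot with the
# credential part masked; returns 1 if it is missing or not an S3 URL.
check_s3_docroot() {
  local line url
  line=$(grep -m1 '^[[:space:]]*absolute:') || {
    echo "no absolute docroot found" >&2
    return 1
  }
  url=${line#*\"}   # drop everything up to the opening quote
  url=${url%\"*}    # drop the closing quote
  case "$url" in
    [sS]3://*) ;;
    *) echo "docroot is not an S3 URL" >&2; return 1 ;;
  esac
  # Mask "AccessID:SecretKey@"; a URL without embedded keys passes unchanged.
  printf '%s\n' "$url" | sed -E 's#^([sS]3://)[^@]*@#\1***:***@#'
}

# Usage on the transfer server (assumed user name "xfer"):
#   /opt/aspera/bin/asuserdata -u xfer | check_s3_docroot
```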

5) Set http_server in aspera.conf

# vi /opt/aspera/etc/aspera.conf

and add the following highlighted section in the configuration file.

asp_conf.jpg

6) Set encryption to aes-128

# vi /opt/aspera/etc/aspera.conf

and insert the following in between <transfer> and </transfer>

<transfer>
...
<encryption>
<allowed_cipher>aes-128</allowed_cipher>
</encryption>
</transfer>

 For example

aes-128.jpg

7) Restart asperanoded

# service asperanoded restart

 

8) Start asperahttpd

Since asperahttpd listens on TCP 443, make sure no other process is listening on this port before you start asperahttpd.

# /etc/init.d/asperahttpd start
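One way to check that TCP 443 is free before starting asperahttpd, as an added example that is not part of the original article or Aspera's tooling. It assumes the `ss` utility is available on the instance; the sample listener table is constructed.

```shell
#!/usr/bin/env bash
# Added example (not Aspera code): pre-flight check for step 8.

# Constructed sample of `ss -ltnp` output; processes and PIDs are made up.
sample_ss_output() {
  cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:33001       0.0.0.0:*      users:(("sshd",pid=901,fd=3))
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*      users:(("httpd",pid=1422,fd=4))
LISTEN  0       128     [::]:443            [::]:*         users:(("httpd",pid=1422,fd=6))
LISTEN  0       128     127.0.0.1:4430      0.0.0.0:*      users:(("node",pid=2001,fd=9))
EOF
}

# Reads `ss -ltn[p]` output on stdin and prints every LISTEN row whose local
# port equals $1 exactly (443 must not match 4430; IPv6 rows are handled).
listeners_on_port() {
  awk -v p="$1" '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) print }'
}

# Starts asperahttpd only when nothing else holds TCP 443.
start_asperahttpd_if_free() {
  local busy
  busy=$(ss -ltnp | listeners_on_port 443)
  if [ -n "$busy" ]; then
    printf 'TCP 443 is already in use:\n%s\n' "$busy" >&2
    return 1
  fi
  /etc/init.d/asperahttpd start
}
```

Run `start_asperahttpd_if_free` as root so that `ss -p` can show the owning process of each listener.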

 

9) Adding Transfer Node to your Web Application

9a) If your Web Application is Aspera Shares on Demand (SHOD), log on to the SHOD Web UI as admin, go to Home and click the "+" next to NODES to add your Transfer Server.

add_new_node.jpg

Set the port to 9092, enter the name and IP address of your Transfer server, the API user and the API password, and click "Create Node".

new_node_detail.jpg

After you add the Transfer server, test the connection by clicking on "Test".  In this example, we use the pre-created API user account, xfer.

test_node.jpg

 

If the connection is successful, you should see "Test Complete" in green and no error message in red.

test_complete.jpg

 

9b) If you have your own Web Application, make sure you connect to the Transfer server with the appropriate API user via port 9092. 

 

10) Test your HTTP Fallback

Upload a file using Aspera Connect (web browser plug-in) to your Web Application.  If the setup is successful, you will see the transfer fall back to HTTPS in the Transfers window of Aspera Connect.

httpfallback_connectplugin.jpg
