
An Axway Brand

SecureTransport Suite
Version 4.9
Installation Guide

October 2009
DIN0001ST49
Proprietary Rights Notice
Copyright © 1997-2009 Axway, Inc. All rights reserved. This manual is the Confidential Information of Axway, Inc.
The contents of this manual, and the Tumbleweed Valicert Validation Authority Server™ program, Tumbleweed Server Validator™
program, Tumbleweed Desktop Validator™ program, Tumbleweed Validator Toolkit™ program, Tumbleweed SecureTransport Server™
program, Tumbleweed SecureTransport Edge™ program, Tumbleweed SecureTransport Client™ program, MailGate® Appliance™
program, MailGate Edge™ program, MailGate Email Firewall™ program, Tumbleweed Desktop Messenger™ program, MailGate Secure
Messenger™ program and other computer programs together with their associated documentation (hereinafter collectively called
“Tumbleweed Software”), offered by Axway, Inc. (“Axway”) are copyrighted and are the property of Axway and its licensors. The use and
copying of this manual and the Tumbleweed Software are restricted by copyright law and are governed by the license agreement
accompanying the Tumbleweed Software (“License Agreement”). You may only use and copy this manual and the Tumbleweed Software
in accordance with the terms and conditions of the License Agreement, unless otherwise authorized in writing by Axway.
The contents of this manual are furnished for informational use only, are subject to change without notice, and should not be construed as a
commitment by Axway. Axway assumes no responsibility or liability for any errors or inaccuracies that may appear in the informational
content contained in this manual.
Some of the processes, arrangements, user interfaces, transaction sequences, site and system architectures, data arrangements, and data
processing algorithms, described or embodied in this manual or the Tumbleweed Software, are covered by one or more of the following
patents: U.S. Patent Nos. D399,836; 5,790,790; 5,903,651; 6,061,448; 6,119,137; 6,151,675; 6,192,407; 6,385,655; 6,393,568; 6,442,689;
6,470,086; 6,487,599; 6,502,191; 6,516,411; 6,529,956; 6,532,540; 6,609,196; 6,651,166; 6,725,381; 6,748,529; 6,826,609; 6,901,509;
6,912,285; 7,073,056; 7,117,358; 7,127,741; and 7,162,738; Singapore Patent No. 60,542; and Taiwan Patent Nos. 117,795; 118,892; and
146,895.
Tumbleweed, the Arrows logo, Tumbleweed Validation Authority, Tumbleweed Valicert Validation Authority, Validation Authority Server,
Validation Authority Repeater, Validation Authority Responder Server, Validation Authority Repeater Appliance, Server Validator, Desktop
Validator, Validator Toolkit, MailGate, MailGate Appliance, MailGate Edge, Edge Defense, Tumbleweed Email Firewall, MailGate Email
Firewall, MailGate Secure Messenger, Desktop Messenger, SecureTransport, SecureTransport Server, SecureTransport Edge,
SecureTransport Client, Secure Inbox, Secure Envelope, Tumbleweed Secure Mail, Tumbleweed Secure Messenger, Tumbleweed Secure
Statements, Tumbleweed IME Integrated Message Exchange, Spam Analysis Engine, Intent Based Filtering (IBF), Dark Traffic,
Tumbleweed Dynamic Anti-spam Service (DAS), Tumbleweed Message Protection Lab, Tumbleweed FTP Analyzer ™, Tumbleweed
Secure Guardian ™, Tumbleweed Secure Policy Gateway ™, Tumbleweed Secure Staging Server ™, Tumbleweed Secure Archive ™,
Tumbleweed Secure Web ™, Tumbleweed Secure CRM ™, Tumbleweed Secure Messenger ™, Tumbleweed Secure Statements ™,
Tumbleweed My Copy ™, Tumbleweed L2i ™, Tumbleweed IME Developer ™, Tumbleweed ™ Personalize ™, Tumbleweed IME Alert
™, WorldSecure ™, World/Secure/Mail ™ and Tumbleweed Active Agents are either registered trademarks, trademarks or service marks
of Axway, Inc. in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners.

Restricted Rights Legend for Government Users


As defined in Federal Acquisition Regulations (“FAR”) Section 2.101, Department of Defense Federal Acquisition Regulations (“DFARs”)
Section 252.227-7014(a)(1) and DFAR Section 252.227-7014(a)(5), this manual and the Tumbleweed Software are “commercial items,”
“commercial computer software” and “commercial computer software documentation,” as applicable. Consistent with FAR Section 12.212
and DFAR Section 227.7202, any use, modification, reproduction, release, performance, display or disclosure of this manual or the
Tumbleweed Software by the U.S. Government shall be governed solely by the terms of the License Agreement and shall be prohibited
except to the extent expressly permitted by the License Agreement. Licensor is Axway, Inc., 6811 E. Mayo Blvd., Suite 400, Phoenix,
Arizona 85054.

Axway, Inc.
6811 E. Mayo Blvd., Suite 400
Phoenix, AZ 85054
(480) 627-1800
http://www.axway.com

ii SecureTransport Installation Guide


Contents

Chapter 1 – Introduction

About SecureTransport
About This Guide
Audience
Contents
SecureTransport Documentation Set
Axway Global Support
Tumbleweed—an Axway Brand

Chapter 2 – Before You Install

Preinstallation Information
Temporary Hardware Requirements during Installation
Supported Browsers
Installation Prerequisites for Unix-based Servers
Minimum Hardware Requirements
Supported Operating Systems
Installation Prerequisites for Appliances
Setting Appliance Network Configuration Parameters
Configuring the DNS Server Address and Hostname
Installation Prerequisites for Windows
Minimum Hardware Requirements
Supported Operating Systems

Chapter 3 – Installing SecureTransport

Installing on Unix-based Platforms
Canceling the Unix-based Installation
Installing on an Appliance
Installing SecureTransport
Canceling the Installation
Installing on Windows
Canceling the Windows Installation

Chapter 4 – Upgrading SecureTransport

Upgrading a Unix-based Platform
Before You Upgrade
Upgrading SecureTransport
Upgrading an Appliance
64-bit Appliances
Upgrading on Windows
Before You Upgrade
Upgrade Installation Procedure

Chapter 5 – Configuring SecureTransport

Starting Setup
SecureTransport Server Checklist
SecureTransport Edge Checklist
Logging onto the server
Setup Steps
Viewing Server Log Messages
Step 1 Install Licenses
Installing Server Licenses
About Rich Internet Client Licenses
Step 2 Keystore Password
Changing the Keystore Password
Step 3 Generate Certificate Authority
Generating a Permanent Internal Certificate Authority
Using an External Certificate Authority
Step 4 Generate Certificates
SecureTransport Certificates
Step 5 Set Up Servers
FIPS Transfer Mode
Step 6 Exchange CA Certificates
Exporting the SecureTransport Server CA Certificate
Importing the SecureTransport Server CA Certificate
Exporting the SecureTransport Edge CA Certificate
Importing the SecureTransport Edge CA Certificate
Clean Up the Setup Account
Additional Configuration Tasks
Setting Up Proxy Configurations

Appendix A – File System Changes When Upgrading

Files Added During the Upgrade
Files Added to SecureTransport Server
Files Added to SecureTransport Edge
Files Deleted During the Upgrade
Files Deleted from SecureTransport Edge and Server
Files Modified During the Upgrade
Files Modified on SecureTransport Server
Files Modified on SecureTransport Edge

Appendix B – Uninstalling SecureTransport

Uninstalling SecureTransport on Unix-based Servers
Uninstalling SecureTransport on an Appliance
Uninstalling SecureTransport on Windows

Appendix C – Migrating SecureTransport 4.5.x to 4.9.x

Migration Requirements
Migration Tasks
Migration Sequence

Appendix D – Tumbleweed Appliance SAN Card

Configuring the SAN Card
Configuring the SAN Card for OCFS2
Configuring OCFS2 Services
Creating an OCFS2 Volume
Mounting an OCFS2 Volume
SAN Fibre Card Specifications

Appendix E – Maintaining Your Tumbleweed Appliance

Powering Up, Shutting Down, or Rebooting
Powering Up the Appliance
Powering Down the Appliance
Rebooting the Appliance
Reconfiguring the Appliance
Reconfiguring Network Settings

Glossary

Index

Chapter 1
Introduction

This chapter provides an overview of SecureTransport and explains how to use this installation guide.
Sections include:
• About SecureTransport
• About This Guide
• Axway Global Support
• Tumbleweed—an Axway Brand

About SecureTransport
SecureTransport™ is a family of products that offers a robust solution for file transfer meeting the
needs of enterprises for security, automation, and application integration, as well as flexible
deployment configurations that can lower total cost of ownership (TCO) and provide superior return
on investment (ROI) over other solutions.
Enterprise file transfer products help companies secure and manage all aspects of the movement of
data between any two entities. File transfer can range from the transmission of large bulk data
between an organization and its customers or partners, to the exchange of high value or sensitive data
such as financial instruments or purchase orders. The data contained in files can be either structured
or unstructured, and the business processes supported by file transfer products are usually mission-
critical to the enterprise. Additionally, file transfer products must be able to support government
regulations (such as HIPAA, GLBA, FIPS, and Sarbanes-Oxley), which call for every business
process to be documented, auditable, and accountable.
Organizations require robust solutions that address the numerous challenges they are facing today.
SecureTransport supports numerous enterprise-class features including comprehensive
authentication and access control, interactive and automated transfers, guaranteed delivery, data
integrity, comprehensive logging and auditing, event-driven agents, data transformation, scheduling,
and application integration.
SecureTransport offers both client and server software products as well as turn-key appliances,
providing organizations numerous options for deploying high-performance, high-availability,
distributed solutions. Since SecureTransport works over the Internet as well as private IP networks,
it is an ideal alternative to secure file transfer solutions based on burdensome legacy networks or
costly Virtual Private Network (VPN) deployments.
The cryptographic libraries used by SecureTransport for the AS2 (SSL), FTPS, HTTPS, and SSH
(SFTP/SCP) protocols have been certified Federal Information Protection Standard (FIPS) 140-2
Level 1 compliant by the US National Institute of Standards and Technology (NIST), Computer
Security Division, and the Communications Security Establishment of the Government of Canada
Information Protection Group.
SecureTransport products provide high performance file transfer capabilities as well as state of the art
security, reliability, and automation. They are designed for the distribution and collection of
commercially valuable files over the Internet. SecureTransport products are compatible with FTP,
FTPS, HTTP, HTTPS, SSH, FIPS 140-2 Level 1, and AS2 standards.



About This Guide
This guide is intended to provide information on the following topics:
• Preinstallation tasks and installation prerequisites
• Installing SecureTransport or upgrading from previous versions of SecureTransport
• Performing post-installation tasks
• Uninstalling SecureTransport
These tasks are covered for all supported platforms: IBM AIX, Red Hat Enterprise Linux (RHEL),
Sun Solaris, SUSE Linux Enterprise Server (SLES), Microsoft Windows, and Tumbleweed
Appliances. For information about upgrading, see Chapter 4, Upgrading SecureTransport.

Audience
This guide is intended for use by system administrators who run the installer and have administrative
privileges on the respective machines. They are responsible for the efficient use of networks by
organizations, ensuring that all components including the network, computers, and software fit
together and work properly. System administrators troubleshoot problems reported by users and
automated network monitoring systems, making appropriate recommendations for future servers and
networks.

Contents
The guide discusses procedures for both Unix-based and Windows operating systems. Each chapter,
where appropriate, is divided into sections that address the different platforms. The contents of the
SecureTransport Installation Guide are outlined below:
• Chapter 1 introduces SecureTransport, identifies the target audience, outlines the guide content,
provides information about additional SecureTransport documentation, and explains how you
can get technical support.
• Chapter 2 lists the preinstallation tasks and prerequisites that are necessary before you install
SecureTransport.
• Chapter 3 explains how to install SecureTransport on all supported platforms.
• Chapter 4 provides information about upgrading SecureTransport, including Tumbleweed
Appliances.
• Chapter 5 discusses configuration tasks that must be performed after installing SecureTransport.
• Appendix A lists files and directories that are added, deleted, and modified during an upgrade
from SecureTransport 4.8.1 to 4.9.
• Appendix B explains how to uninstall SecureTransport.
• Appendix C provides information about migrating from SecureTransport 4.5.x to
SecureTransport 4.9.x.
• Appendix D describes how to configure the optional SAN card for the Tumbleweed Appliance
and gives its specifications.
• Appendix E describes typical operation and maintenance procedures for your Tumbleweed
Appliance.
• The Glossary defines terms used in the SecureTransport documentation.

SecureTransport Documentation Set
SecureTransport provides the following documentation:
• SecureTransport Installation Guide – (This document) This guide explains how to install,
upgrade, and uninstall SecureTransport server on Unix-based platforms, Microsoft Windows,
and Tumbleweed Appliances.
• SecureTransport Release Notes – This document contains information about new features and
enhancements, late-breaking information that could not be included in one of the other
documents, and a list of known and fixed issues.
• SecureTransport Administrators Guide – This guide describes how to use the SecureTransport
Administration Tool to configure and administer your SecureTransport server. The content of
this guide is also available in the online help.
• SecureTransport Developers Guide – This guide explains how to use rules, rule packages, and
agents to customize SecureTransport. Additional information includes an explanation of how to
use the application framework.
• SecureTransport Rich Internet Client User Guide – This guide describes how to use the
SecureTransport Rich Internet Client to transfer files between your local machine and your
SecureTransport server. The content of this guide is also available in the online help.
• SecureTransport Browser Client User Guide – This guide describes how to use a web browser to
upload files to, download files from, and delete files on SecureTransport.
• SecureTransport Best Practices Guide – This guide describes components and tasks associated
with configuring and troubleshooting SecureTransport. This document is a supplement to the
SecureTransport Administrators Guide.
• SecureTransport Capacity Planning Guide – This guide provides information useful when
planning your production environment for SecureTransport.
• SecureTransport Software Developer Kit (SDK) online help – The SDK includes an HTML-
based API reference developers can use while customizing SecureTransport.



Axway Global Support
Axway Global Support offers technical support for Axway products.
Axway also offers product customization and special services through the Axway Professional
Services Organization. Contact Axway Global Support for more information.
When contacting Axway Global Support, please have the following information:
• Product version and operating system version.
• The text of the error or warning message.
• A description of the problem and attempts made to fix the problem.
You can contact Axway Global Support using one of the following methods:
Online
http://www.support.axway.com
Email
support@axway.com
Phone
Go to http://www.support.axway.com. Click the Contact Us link to display our list of
regional support contact phone numbers, and then locate the phone number appropriate for your
location.

Tumbleweed—an Axway Brand


Axway recently merged with Tumbleweed Communications to become the leading
global provider of multi-enterprise solutions and infrastructure, serving over 11,000
organizations in more than 100 countries.

NOTE:
If you purchase an appliance after June 30, 2009, it is branded as an Axway Appliance. All
information in the guide about Tumbleweed Appliances applies to Axway Appliances.

Chapter 2
Before You Install

This chapter describes the prerequisites and procedures required for installing SecureTransport.
Sections include:
• Preinstallation Information
• Installation Prerequisites for Unix-based Servers
• Installation Prerequisites for Appliances
• Installation Prerequisites for Windows

Preinstallation Information
Review and understand the following information before starting the installer:
• Before you proceed, review the SecureTransport Release Notes for the current release for any
updates to this preinstallation information or the installation and setup procedures.
• SecureTransport cannot be installed in a directory whose name contains the "~" character (for
example, /opt/TMWD/~/).
• Services – After all components have been installed, the Admin and Database services are
started. These services are configured according to your responses to the questions the installer
asks during the installation procedure. These services are started so an administrator can
configure SecureTransport before starting any additional services.
• Server Certificates – During installation, a temporary self-signed CA is generated, and then a
temporary Admin certificate, signed by this CA, is generated.
• Administration Accounts – The installer creates the following default accounts with a default
user name and password:
    • Master Administrator account “admin/admin”.
    • Setup Administrator “setup/setup” for initial, one-time configuration of the system.
    • Account Manager “account/account” who can create and manage user access and import
      and export accounts.
    • Application Manager “application/application” who can create service accounts and
      create and configure applications.

NOTE:
For best security, change the default passwords.

• The installer suggests the port numbers listed below for the SecureTransport Server ports:
    • Admin port number - 444
      This is the port that the web server for the Administration Tool listens on. You must specify
      the Admin port number in the URL when accessing the Administration Tool, using the form
      https://<hostname>:<Admin port>/. If you are installing SecureTransport on a Unix-based
      server to run as a non-root user, the default port number is 8444.

NOTE:
When you install SecureTransport on a Unix-based server to run as a non-root user, 8000 is
added to port numbers that are below 1024. For example, port number 444 becomes 8444.

    • Tomcat JK port number - 8009
      This is the port that the Coyote JK Connector, the internal module of the admin server that
      handles the execution of servlets and JSP pages, listens on. It must be greater than 1024.
    • Tomcat shutdown port number - 8005
      This is the port on which the admin server waits for a shutdown command.
    • Database port number - 33060
      This is the port used by the MySQL database. You can change this port after installation
      using the Administration Tool.



TIP:
If you install more than one SecureTransport 4.9.x server on a computer, you must also change
the Hibernate second-level cache start port number for the second and subsequent installations.
When the installation is complete, stop the database, change the default start port number of
7800 in two places in each of the files ehcache-admin.xml, ehcache-tm.xml, and
ehcache-tools.xml in <FILEDRIVEHOME>/conf/, and restart the database. Hibernate uses two ports
starting at the start port number.

WARNING:
The directory name that you install into cannot contain multiple spaces or tab characters in a row.
Acceptable characters include the letters A-Z, the numbers 0-9, and a single space between two
words. For example, /opt/TMWD/ST Server is acceptable, but /opt/TMWD/ST  Server (two spaces
in a row) or /opt/TMWD/STServer\t are not acceptable.

TIP:
SUSE Linux Enterprise Server (SLES) on a Tumbleweed Appliance uses 10022 as the default
port number for SSH. You can change this port number after installation by editing
/etc/ssh/sshd_config.

Temporary Hardware Requirements during Installation


Approximately 1.5 GB of free hard disk space is temporarily required during the installation of
SecureTransport Server. This space is used by the installer files and as temporary swap space during
installation. After installing SecureTransport Server, you can reclaim the hard disk space by removing
the temporary installer directory. Make sure you have at least 2 GB of RAM available during
installation. See Minimum Hardware Requirements for more information on memory requirements.

NOTE:
For more information on hardware requirements, see the SecureTransport Capacity Planning
Guide.

Supported Browsers
Use one of the following web browsers to access the SecureTransport Administration Tool, Browser
Client, and Rich Internet Client:
• Apple Safari 3 and 4 for the Rich Internet Client only.
• Microsoft Internet Explorer versions 6 SP2, 7, and 8.
• Mozilla Firefox versions 2.x and 3.x.

Installation Prerequisites for Unix-based Servers
You can install SecureTransport on the supported Unix-based servers: IBM AIX, Red Hat Enterprise
Linux (RHEL), Sun Solaris, and SUSE Linux Enterprise Server (SLES).
Review and understand the following information before starting the installer:
• Make sure you have root privileges on the server where you are installing or upgrading
SecureTransport. You must have root privileges even if you are installing as non-root.
• Make sure that no file is named fd in the /etc directory. Installation is aborted when the file
/etc/fd already exists.
• To install SecureTransport for a non-root setup, you must be logged in as root. After installation,
running the services while logged in as the root user is not supported.
• If you have a copy of MySQL installed on the computer where you intend to install
SecureTransport, the installation might fail if you install as non-root. This can happen because
the /var/tmp/mysql.sock file already exists and mysql cannot be started by a non-root user.
Make sure you either uninstall the other version of MySQL or install SecureTransport on a
different computer.
• When you perform a non-root install, the files STInstallLog.txt and STUser.txt are still
owned by root.
• When you perform a non-root install, the non-root user must have a valid shell that allows login
and command execution. For example, /sbin/nologin is not a valid shell, but /bin/bash is
a valid shell.
• When you perform a non-root install, the non-root user must be configured to have permission
to create and update a crontab entry to allow log file rotation. Usually, this is accomplished by
placing an entry for the user in the cron.allow file. If the cron.allow file does not exist,
make sure the non-root user is not listed in the cron.deny file.
• When installing SecureTransport in a high availability or high capacity clustered deployment,
the primary and secondary servers in the cluster must use the same installation path, such as
/opt/TMWD/SecureTransport. If all the servers in the cluster don’t use the same installation
path, synchronization between the servers doesn’t work. Synchronization also requires that all
servers in the cluster be set to the same time.
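
The script below is an added example, not part of the Axway guide or the SecureTransport installer. It checks the rules this guide states for a non-root install (install path characters, the 8000 port offset, login shell, crontab permission, and /etc/fd) against sample files constructed inline. Every function name is hypothetical, the cron.allow and cron.deny locations are passed in because they differ by platform, and rejecting */false as a login shell is an added assumption.

```shell
#!/bin/sh
# Added example: preflight checks for a non-root SecureTransport install.
# Function names are hypothetical; the rules they encode come from the guide.

TAB=$(printf '\t')

# Install path rules: no "~", no tab character, no two spaces in a row.
valid_install_path() {
    case "$1" in
        *"~"* | *"$TAB"* | *"  "*) return 1 ;;
    esac
    return 0
}

# Port used by a non-root install: 8000 is added to ports below 1024.
nonroot_port() {
    if [ "$1" -lt 1024 ]; then
        echo $(( $1 + 8000 ))
    else
        echo "$1"
    fi
}

# login_shell PASSWD_FILE USER: print field 7 of the user's passwd entry.
login_shell() {
    awk -F: -v u="$2" '$1 == u { print $7; exit }' "$1"
}

# The non-root user needs a shell that allows login and command execution.
# /sbin/nologin is the guide's example; */false is an added assumption.
shell_allows_login() {
    case "$1" in
        "" | */nologin | */false) return 1 ;;
    esac
    return 0
}

# cron_permitted USER ALLOW_FILE DENY_FILE
# If cron.allow exists the user must be listed in it; otherwise the user
# must not be listed in cron.deny. With neither file the platform default
# applies and should be confirmed by hand.
cron_permitted() {
    if [ -f "$2" ]; then
        grep -qxF -- "$1" "$2"
    elif [ -f "$3" ]; then
        ! grep -qxF -- "$1" "$3"
    else
        return 0
    fi
}

# etc_fd_conflict [ROOT]: the installer aborts if /etc/fd already exists.
# ROOT is empty for the real system and a scratch directory for testing.
etc_fd_conflict() {
    [ -e "${1:-}/etc/fd" ]
}

# preflight PATH USER PASSWD_FILE ALLOW_FILE DENY_FILE [ROOT]
# Prints one line per failed check and returns the number of failures.
preflight() {
    pf_fail=0
    valid_install_path "$1" ||
        { echo "FAIL install path: $1"; pf_fail=$((pf_fail + 1)); }
    shell_allows_login "$(login_shell "$3" "$2")" ||
        { echo "FAIL login shell for $2"; pf_fail=$((pf_fail + 1)); }
    cron_permitted "$2" "$4" "$5" ||
        { echo "FAIL crontab permission for $2"; pf_fail=$((pf_fail + 1)); }
    if etc_fd_conflict "${6:-}"; then
        echo "FAIL /etc/fd exists"; pf_fail=$((pf_fail + 1))
    fi
    echo "Admin port for non-root install: $(nonroot_port 444)"
    return "$pf_fail"
}

# Constructed sample data so the script runs without touching the system.
demo() {
    d=$(mktemp -d) || return 1
    printf 'stuser:x:501:501::/home/stuser:/bin/bash\n' > "$d/passwd"
    printf 'svc:x:502:502::/home/svc:/sbin/nologin\n' >> "$d/passwd"
    printf 'stuser\n' > "$d/cron.allow"
    mkdir "$d/etc"
    preflight "/opt/TMWD/ST Server" stuser "$d/passwd" \
        "$d/cron.allow" "$d/cron.deny" "$d"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "preflight reported failures"
```

On a real host, pass the system passwd file and that platform's cron.allow and cron.deny paths to preflight, and leave the last argument empty so /etc/fd itself is checked.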

Minimum Hardware Requirements


The following table provides the minimum hardware requirements needed to install SecureTransport:

Platform                      CPU                                RAM for 32-Bit OS   RAM for 64-Bit OS
IBM AIX                       POWER5 1-way 1.50 GHz              2 GB                2 GB
Red Hat Enterprise Linux      Pentium 4 Model 540 (3.2 GHz) or   1 GB                2 GB
                              AMD Opteron Model 144 (1.8 GHz)
Sun Solaris                   SunFire V240 with one 1.34 GHz     N/A                 2 GB
                              UltraSPARC® IIIi processor
SUSE Linux Enterprise Server  Pentium 4 Model 540 (3.2 GHz) or   1 GB                2 GB
                              AMD Opteron Model 144 (1.8 GHz)



To install and run SecureTransport, the OS must be able to allocate at least 2 GB of memory to
SecureTransport. On Unix-based platforms, you can limit the system resources available using
ulimit or similar commands. Make sure the resources allowed include at least 2 GB of memory.
Additionally, Solaris platforms must have 512MB free in the /tmp directory.
Consider that these are the minimum requirements. To make sure SecureTransport runs properly,
double the RAM and available disk space requirements.
You can view the limitations using the command ulimit -a. These limitations need to be adjusted
for the root user for the installation to run correctly and for the user running SecureTransport if a
non-root install is done. After installation, only the user running SecureTransport should be able to
allocate that much memory.
To change these limits, different commands are used for each Unix-based platform.

To set system resource limits on AIX:


1 Type smitty users.
2 From the menu, select Change / Show Characteristics of a User.
Make sure that Soft DATA segment and Hard DATA segment allow more than 1 GB of memory.
For best results, set these options to unlimited (-1).

To set system resource limits on RHEL:


1 Modify the file /etc/security/limits.conf. Use the following setting to allow more than
1 GB of memory:
<username> hard memlock 1048576
2 Reboot the computer.

To set system resource limits on Solaris:


• To permanently change the memory, use the projmod command to set the rcap.max-rss
attribute in the /etc/project file:
projmod -s -K rcap.max-rss=<MemoryInGB> db
where <MemoryInGB> is the amount of memory such as 10GB.

Supported Operating Systems


SecureTransport supports the following Unix-based operating systems:
• AIX 5L Version 5.3 Technology Level 9
SecureTransport runs as a 32-bit application on this 64-bit platform. SecureTransport only runs
on AIX 5.3. Previous versions of AIX are not supported. Later versions are not verified.
• RHEL 4 and 5 Update 2 32-bit
• RHEL 4 and 5 Update 2 64-bit
SecureTransport runs as a 32-bit application on this 64-bit platform.
• Solaris 10 10/08
SecureTransport runs as a 32-bit application on this 64-bit platform.
• SLES 10 SP2

NOTE:
Unless otherwise specified, SecureTransport runs as a 32-bit application on a 64-bit version of
the supported operating systems.

SecureTransport is also supported when installed in the following virtualized environments:
• AIX 5L Version 5.3 Technology Level 9 running in an LPAR
• A Solaris Zone in Solaris 10 10/08

NOTE:
While SecureTransport is supported on the virtualization environments listed, no version of
SecureTransport supports VMware ESX 3.x or 4.x. While you might be able to run
SecureTransport 4.9.1 in a development environment as an unverified “platform,” no version of
SecureTransport is certified to run with VMware in testing and production environments.

AIX Requirements
There is a default 1 GB limit on the size of files on AIX. The 1GB file size limit must be removed by
editing the /etc/security/limits file. Change the default to:
fsize = -1

You can also use AIX System Management Interface Tool (SMIT) to change the file size limit.

To change the file size limit using SMIT:


1 Type smitty users.
2 From the menu, select Change / Show Characteristics of a User.
Make sure that Soft FILE size is set to unlimited (-1).
By default, a JFS filesystem created on AIX has a limit of 2 GB. For best results, create a JFS
filesystem with large file support.
If you are setting up a cluster using AIX, use the following commands to change the maximum bundle
size:
/usr/sbin/no -p -o udp_sendspace=131072
/usr/sbin/no -p -o udp_recvspace=131072

Run these commands on all the computers in the cluster.


Before installing SecureTransport on the AIX platform, you must make sure the ARG_MAX setting is
correct.

To change the ARG_MAX setting:


1 Check the ARG_MAX setting by typing the following:
getconf ARG_MAX
2 If the value is less than 1048576, run the following command as the root user:
chdev -l sys0 -a ncargs=256

NOTE:
If the ncargs setting has a value less than 9, the SecureTransport Transaction Manager does
not start. Make sure you set ncargs to a value equal to or higher than 9. For best results, use
256 or higher, up to 1024.
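The limits described in this section (the memory limits shown by ulimit -a, the AIX file size limit and ARG_MAX setting, and the free space in /tmp on Solaris) can be checked in one pass before running the installer. The following script is an added example, not part of the Axway documentation; its function names are hypothetical and its thresholds are the values stated in this guide.

```shell
#!/bin/sh
# Added example (not from the SecureTransport guide): check the resource
# limits this guide lists before running the installer. Function names are
# hypothetical; the thresholds are the values stated in the guide.
# Run under a POSIX shell with POSIX utilities (on Solaris 10, put
# /usr/xpg4/bin ahead of /usr/bin in PATH).
# Usage: sh st_preflight.sh --check

MIN_MEM_KB=1048576     # 1 GB in KB, the value used in the RHEL limits.conf line
MIN_ARG_MAX=1048576    # getconf ARG_MAX below this means ncargs must be raised
MIN_TMP_MB=512         # free space required in /tmp on Solaris

# limit_at_least VALUE MIN
# Succeeds when a ulimit value is "unlimited" (or -1) or a number >= MIN.
# Returns 2 when VALUE is not something ulimit would print.
limit_at_least() {
    case "$1" in
        unlimited|-1) return 0 ;;
        ''|*[!0-9]*)  return 2 ;;
    esac
    [ "$1" -ge "$2" ]
}

# is_unlimited VALUE: the AIX file size limit must be removed entirely.
is_unlimited() {
    [ "$1" = "unlimited" ] || [ "$1" = "-1" ]
}

# arg_max_ok VALUE: true when ARG_MAX is not less than 1048576.
arg_max_ok() {
    case "$1" in ''|*[!0-9]*) return 2 ;; esac
    [ "$1" -ge "$MIN_ARG_MAX" ]
}

# free_mb DIR: free space, in MB, on the filesystem that holds DIR.
free_mb() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

FAILED=0
# check LABEL COMMAND [ARGS...]: run one test and print its result.
check() {
    label=$1; shift
    if "$@"; then
        echo "ok    $label"
    else
        echo "FAIL  $label"
        FAILED=$((FAILED + 1))
    fi
}

# preflight: run the checks that apply to the current platform and user.
preflight() {
    FAILED=0
    more_than_1gb=$((MIN_MEM_KB + 1))   # AIX text asks for "more than 1 GB"
    case "$(uname -s)" in
        AIX)
            check "soft DATA segment > 1 GB" limit_at_least "$(ulimit -S -d)" "$more_than_1gb"
            check "hard DATA segment > 1 GB" limit_at_least "$(ulimit -H -d)" "$more_than_1gb"
            check "soft FILE size unlimited" is_unlimited "$(ulimit -S -f)"
            check "ARG_MAX >= $MIN_ARG_MAX"  arg_max_ok "$(getconf ARG_MAX)"
            ;;
        Linux)
            check "hard memlock >= $MIN_MEM_KB KB" limit_at_least "$(ulimit -H -l)" "$MIN_MEM_KB"
            ;;
        SunOS)
            check "/tmp has $MIN_TMP_MB MB free" [ "$(free_mb /tmp)" -ge "$MIN_TMP_MB" ]
            ;;
        *)
            echo "unsupported platform: $(uname -s)"
            return 2
            ;;
    esac
    echo "$FAILED check(s) failed"
    [ "$FAILED" -eq 0 ]
}

if [ "${1:-}" = "--check" ]; then
    preflight
fi
```

Run it once as root and once as the user that will run SecureTransport, because the limits are set per user.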



RHEL Requirements
The following tasks must be completed before installing SecureTransport on Red Hat Enterprise
Linux.
Compatibility Packages
If you are using Red Hat Enterprise Edition Linux version 5 or later, make sure you have the
compatibility packages compat-libstdc++-33 and compat-db-4.2.52-5.1 installed. The
compat-libstdc++-33-3.2.3-47.3.rpm and compat-db-4.2.52-5.1 packages are
available on the installation media or from the Red Hat Network website.
Search the installation media for the files or download the packages from the Red Hat Network
website at https://rhn.redhat.com. You must register your product at http://redhat.com/now to locate and
download the package. For more information on downloading the package, see
https://www.redhat.com/apps/support/, select Knowledgebase, and search for the keywords
compat-libstdc++ or compat-db.

To install a package:
1 Log into your system as root.
2 Navigate to the directory where you downloaded the package.
3 Type rpm -Uvh <name_of_package>.arch.rpm.
SELINUX
Red Hat Enterprise Linux enables SELINUX by default. Before installing SecureTransport, disable
SELINUX in /etc/sysconfig/selinux. You must restart the server after making this change.

To disable SELINUX:
1 Log into your system as root.
2 Modify /etc/sysconfig/selinux using a text editor. Set SELINUX= to disabled.
SELINUX=disabled
3 Save and close the file.
4 Restart the server.

SLES Requirements
SLES 10 enables SELINUX by default. Before installing SecureTransport, disable SELINUX in
/etc/sysconfig/selinux. You must restart the server after making this change.

To disable SELINUX:
1 Log into your system as root.
2 Modify /etc/sysconfig/selinux using a text editor. Set SELINUX= to disabled.
SELINUX=disabled
3 Save and close the file.
4 Restart the server.

Installation Prerequisites for Appliances
Tumbleweed Appliances are preconfigured to meet the hardware and operating system prerequisites.
Make sure you follow the instructions for setting up the appliance in the Axway Appliance Quick Start
card before installing the software. See Preinstallation Information on page 8 for
additional information.
Review and understand the following information before starting the installer:
• SecureTransport 4.7 and later runs on Dell-based appliances only. These releases do not run on
the Flash appliances.
• Upgrading your appliance from SecureTransport 4.8.1 or a previous release to SecureTransport
4.9.1 upgrades the operating system to SLES 10 SP2. If you made any changes to the appliance
operating system not specified in SecureTransport documentation or installed any software not
bundled with the appliance, it might be lost in the operating system upgrade.
• You cannot perform the operating system upgrade in an SSH session. You must connect
physically to the appliance console or connect remotely using a network KVM switch or the
Dell Remote Access Controller (DRAC) administration console.

TIP:
SUSE Linux Enterprise Server (SLES) on a SecureTransport appliance uses 10022 as the
default port number for SSH. You can change this port number after installation by editing
/etc/ssh/sshd_config.

Setting Appliance Network Configuration Parameters


Before you make your appliance available to your network, check to see that you have set network
configuration parameters for your appliance, including the IP address, subnet mask, and default
gateway.
To connect a keyboard and monitor to your appliance, see the Axway Appliance Quick Start card.
Use the YaST configuration utility to change the IP address. For information about YaST, visit:
http://www.novell.com/documentation/oes/sles_admin/data/cha-yast-text.html

To change the IP Address:


1 Log on to the appliance as the root user. The default root password is:
axway
2 On the command line, type yast to open the YaST configuration utility.



3 In the YaST utility, select Network Devices from the menu on the left and select Network Card
from the menu on the right. Use the Tab and Shift+Tab keys or the arrow keys to navigate.

Figure 2.1: Using the YaST Control Center

4 Select Change to modify an existing card, then select the network card you want to change.
Press Enter or select Edit to modify the card information.

TIP:
You can configure both the Gb1 (eth0) and Gb2 (eth1) IP addresses using this method.

5 Type the correct values for your network in the fields.


Press F10 or select Finish to save your changes.
To connect the appliance to your network, see the Axway Appliance Quick Start card.

Configuring the DNS Server Address and Hostname


After you connect the appliance to the network, configure the DNS server address and hostname. Use
the YaST configuration utility to perform these tasks.

To configure the DNS server address and hostname:


1 Log on to the appliance as the root user. The default root password is:
axway
2 On the command line, type yast to open the YaST configuration utility.
3 In the YaST utility, select Network Services from the menu on the left. Use the Tab and
Shift+Tab keys or the arrow keys to navigate.

4 Type the correct values for your network in the fields.
5 Press F10 to save your changes.
If you have purchased an optional SAN card for your appliance, see Appendix D, Tumbleweed
Appliance SAN Card before installing the software.



Installation Prerequisites for Windows
Make sure you have administrative privileges on the machine where you want to install
SecureTransport Server.
Make sure any antivirus software running on the computer is disabled during the installation. Leaving
the antivirus software running can cause the install to fail.

Minimum Hardware Requirements


SecureTransport requires a Pentium 4 Model 540 (3.2 GHz) or AMD Opteron Model 144 (1.8 GHz)
or better with 2GB RAM.

Supported Operating Systems


SecureTransport supports only the 32-bit version of Windows 2003 Server Enterprise Edition SP2
with all critical updates applied.

TIP:
Make sure your Windows Server is using the NTFS file system. SecureTransport runs only on
partitions using NTFS.

Chapter 3
Installing SecureTransport

This chapter describes the installation procedures for SecureTransport. Sections include:
• Installing on Unix-based Platforms
• Installing on an Appliance
• Installing on Windows

Installing on Unix-based Platforms
This section explains how to install SecureTransport on Unix-based platforms. During this process,
the installer asks a series of questions and supplies default responses. The default response appears
in square brackets at the end of the question, for example:
Enter your choice [1]:

where the number between the brackets is the default response. You can answer a question in one of
the following ways, depending on the type of the question and on your choice:
• Type the number corresponding to a provided option.
• Type the requested information, for example:
Installation folder [/opt/TMWD/SecureTransport]: /opt/TMWD/ST
• Press Enter without typing any information to accept the default response.

NOTE:
You can change most settings configured during installation using the Administration Tool. See
Chapter 5, Configuring SecureTransport and the SecureTransport Administrators Guide for more
information.

To start the SecureTransport installer:


1 Copy the SecureTransport installer into a temporary directory and navigate to that temporary
directory.
2 Expand and extract the file using the following commands:
gunzip STEE-4_9_1-<OS>-<processor>-<BuildNumber>.tar.gz
tar -xf STEE-4_9_1-<OS>-<processor>-<BuildNumber>.tar
where the variables represent the following:
<OS> is the operating system: AIX (for IBM AIX), RHEL (for Red Hat Enterprise Linux), SunOS
(for Sun Solaris), or SUSE (for SUSE Linux Enterprise Server).
<processor> is the type of processor running the operating system: i386, ppc, x86_64, or
sparc.
<BuildNumber> is the actual build number listed in the installer executable file, for example,
Build472.

NOTE:
Although you can start more than one instance of the SecureTransport installer, the installation
fails when more than one instance is running. Make sure you are only running one instance of
the installer to complete the installation successfully.

3 In the temporary directory where you extracted the installer, type the following at the command
prompt to run the SecureTransport installer:
./Install.sh
The SecureTransport installer displays a welcome message:
Loading [English] resources.
You are installing: SecureTransport



***********************************************************
*** Tumbleweed SecureTransport ***
*** ***
*** Welcome to Tumbleweed SecureTransport Installation ***
*** This application will install Tumbleweed ***
*** SecureTransport Server and its components. ***
*** ***
** Copyright (c)1993-2009 Tumbleweed Communications Corp **
***********************************************************

and begins asking questions to which you must respond.

To install SecureTransport:
1 The installer checks to see if SecureTransport is already installed on the computer:
Checking if SecureTransport is already installed...
Please pick an installation instance or choose new.
(1) <old installation name> [<old installation directory>]
(2) NEW INSTALLATION
(3) Quit
Enter your choice [3]:
Type the number representing the task you want to accomplish:
• Type 1 to upgrade from the installation listed.
• Type 2 to start a new installation.
• Type 3 to quit the installation procedure (default).

NOTE:
All existing installations are listed at the beginning of the list. Options 2 (NEW INSTALLATION) and
3 (Quit) might be represented by different values.

2 If you select NEW INSTALLATION, the following question appears:


Proceed with installation?
(1) Yes
(2) No
(3) Version Information
Enter your choice [2]:
Type the number representing the task you want to accomplish:
• Type 1 to proceed with the installation.
• Type 2 to quit the installation procedure (default).
• Type 3 to display the version numbers of the SecureTransport features being installed.
3 Review the license agreement for SecureTransport carefully. Press Enter to display the next page
until you have read the entire agreement.
Accept the license agreement?
(1) Yes
(2) No
Enter your choice [2]:
Type 1 to accept the license.
Type 2 to reject the license and cancel the installation (default).
4 If more than one installation of SecureTransport exists on the machine, the following prompt
appears:
ST Install location & name
Installation name []:
Type a name to uniquely identify this installation. You will use this name later when installing
patch releases to this installation, or when you upgrade to a new version.

5 Type the path and directory where you want to install SecureTransport. Make sure this is not the
same directory where you copied the installer files.
Installation folder [/opt/TMWD/SecureTransport]:

NOTE:
The installation path of SecureTransport Server entered here is referred to as
<FILEDRIVEHOME> throughout this document.

If you want to keep the default setting of /opt/TMWD/SecureTransport, press Enter to continue.

WARNING:
The directory name that you install into cannot contain multiple spaces in a row or tab characters
in a row. Characters that are acceptable include the letters A-Z, the numbers 0-9, and a single
space between two words. For example, /opt/TMWD/ST Server is acceptable, but
/opt/TMWD/ST  Server or /opt/TMWD/STServer\t are not acceptable. In addition, the
directory name cannot contain the “~” character (for example, /opt/TMWD/~/).

6 Select the installation type:


(1) Server
(2) Edge
Enter your choice [1]:
Type 1 to install the SecureTransport Server (default). The Server installation type installs the
full feature set of SecureTransport.
Type 2 to install the Edge (proxy) installation of SecureTransport. The Edge server provides a
proxy setup of SecureTransport and contains a subset of SecureTransport Server features.

NOTE:
The remaining steps in this section describe a server installation.

7 To install SecureTransport to run as a non-root user, type y for the following question:
SecureTransport Server Configuration
Perform a "non-root" install [y/n] [n]
If you type y, the question User name to run ST [root]: displays. Type the non-root user
name you are using for SecureTransport.
Type n or accept the default if you are installing SecureTransport to run as the root user.

TIP:
During a non-root installation, you might see an error such as
<bash: /root/.bashrc: Permission denied>. Ignore the error since it doesn't interfere
with system operations.

8 Modify or accept the port settings for the Server Configuration:


a Type the appropriate port number for the Administration Tool or accept the default of 444.
Admin port number [444]:

TIP:
When you install SecureTransport under a non-root user, the default value for Admin port is
8444.

b Type the appropriate port number for Tomcat JK or accept the default of 8009:
Tomcat JK port number [8009]:



c Type the appropriate port number for Tomcat shutdown or accept the default of 8005:
Tomcat shutdown port number [8005]:
d Select a new port number for the database installed by SecureTransport or accept the default
setting of 33060:
Database port number [33060]:
e Type y (default) to back up the log files generated each day and create new ones for the
subsequent day. The server makes a backup and creates a new log file at 23:59 or 00:00 hours,
depending on the log file type. Type n if you do not want to rotate the log files:
Enable nightly log rotation [y/n] [y]:
f A secret file contains a random phrase that is used to encrypt the SecureTransport system
cookies. By default, the installer does not import a secret file and generates one randomly.
The secret file size must be at least 1024 bytes.
Import a secret file [y/n] [n]:
Type n to have SecureTransport randomly generate a secret file (default). Select this option
when you are installing a stand-alone or primary server. A primary server is used in a high
availability or high capacity clustered deployment as the server the secondary servers
synchronize with.

NOTE:
You cannot change the secret file after you have configured SecureTransport. The
install_secret command can only be run on a secondary server immediately after
installation, before you configure the server.

Type y to import the secret file from another SecureTransport Server installation. Select this
option when you are installing secondary servers in a high availability or high capacity
clustered deployment. This imports the secret file created for the primary server. See the
SecureTransport Administrators Guide for more information on configuring your software
for high availability.
When this option is selected, the following question also displays:
Secret file name or "cancel" []:
Type the name of the imported secret file or type cancel to let SecureTransport randomly
generate a new secret file.
The installer creates the secret file in the following directory:
<FILEDRIVEHOME>/lib/certs/private
When installing a secondary server, copy the secret file from the primary server to the
secondary server before running the installer and specify the primary server secret file
location during installation.
Run the install_secret command line utility to install the secret file if you are using a
Tumbleweed Appliance. See the SecureTransport Administrators Guide for more
information on command line utilities.

9 Once you have selected all the options, the installer provides a summary of your choices. For
example:
SecureTransport Installation Summary

*******Section 1*******
Install mode : New

*******Section 2*******
Accept the license agreement : Yes

*******Section 3*******
Install type : Server
Installation folder : /opt/TMWD/SecureTransport
Installation name : ST-001
SecureTransport Server Configuration
Admin port number : 444
Tomcat JK port number : 8009
Tomcat shutdown port number : 8005
Database port number : 33060
Enable nightly log rotation : Yes
Import a secret file : No
10 Review the information and select one of the options that follow the summary.
[Menu options]
(1) Accept values and continue
(2) Display values
(3) Edit fields
(4) Start Over
(5) Quit
Enter your choice [1]:
• Type 1 to accept your entries and continue (default). The installer creates a configuration file
and a message is displayed: configuration file generated
• Type 2 to re-display the entries you made.
• Type 3 to edit the entries you made.
• Type 4 to start the installation procedure from the beginning. This response cancels all
responses you gave to this point.
• Type 5 to quit the installation.
Once you type 1, you see the following message.
Configuration file generated

*** Secure Transport installer is running. Please wait... ***


SecureTransport can take several minutes to install.
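The answers for steps 5 and 8f (the installation folder and an imported secret file) can be checked before starting the installer. The following script is an added example, not part of the Axway documentation; its function names are hypothetical, and the check that the secret file is inaccessible to group and others is an assumption added here, not a documented SecureTransport requirement.

```shell
#!/bin/sh
# Added example (not from the SecureTransport guide): validate the answers
# for the "Installation folder" and "Secret file name" prompts before
# starting Install.sh. Function names are hypothetical.
# Usage: sh st_answers.sh INSTALL_DIR INSTALLER_DIR [SECRET_FILE]

MIN_SECRET_BYTES=1024          # minimum secret file size stated in the guide
TAB=$(printf '\t')

# valid_install_dir DIR: apply the naming rules from the WARNING in step 5.
# Prints the reason and returns 1 when the name breaks a rule.
valid_install_dir() {
    case "$1" in
        '')       echo "empty name";               return 1 ;;
        *"$TAB"*) echo "contains a tab character"; return 1 ;;
        *"  "*)   echo "contains spaces in a row"; return 1 ;;
        *"~"*)    echo "contains the ~ character"; return 1 ;;
    esac
    return 0
}

# same_dir A B: true when both exist and resolve to the same directory
# (step 5: do not install into the directory that holds the installer files).
same_dir() {
    a=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    b=$(cd "$2" 2>/dev/null && pwd -P) || return 1
    [ "$a" = "$b" ]
}

# secret_file_ok FILE: checks for a secret file copied from the primary
# server. The size rule is from the guide; the permission rule (no access
# for group or others) is an assumption added in this example.
secret_file_ok() {
    if [ ! -f "$1" ] || [ ! -r "$1" ]; then
        echo "not a readable regular file"; return 1
    fi
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -lt "$MIN_SECRET_BYTES" ]; then
        echo "only $size bytes, need at least $MIN_SECRET_BYTES"; return 1
    fi
    perms=$(ls -ld -- "$1" | cut -c5-10)   # group and other permission bits
    if [ "$perms" != "------" ]; then
        echo "group/other permissions are '$perms', expected none"; return 1
    fi
    return 0
}

# check_answers INSTALL_DIR INSTALLER_DIR [SECRET_FILE]
# Prints every problem found and returns 1 if there was at least one.
check_answers() {
    rc=0
    if ! msg=$(valid_install_dir "$1"); then
        echo "installation folder [$1]: $msg"; rc=1
    fi
    if same_dir "$1" "$2"; then
        echo "installation folder is the installer directory [$2]"; rc=1
    fi
    if [ -n "${3:-}" ] && ! msg=$(secret_file_ok "$3"); then
        echo "secret file [$3]: $msg"; rc=1
    fi
    return "$rc"
}

if [ $# -ge 2 ]; then
    check_answers "$@" && echo "answers look acceptable"
else
    # No arguments: apply the naming rule to the names from the WARNING
    # (constructed inputs; the double space and the tab are deliberate).
    for d in "/opt/TMWD/ST Server" "/opt/TMWD/ST  Server" \
             "/opt/TMWD/STServer$TAB" "/opt/TMWD/~/"; do
        if msg=$(valid_install_dir "$d"); then
            echo "accept [$d]"
        else
            echo "reject [$d]: $msg"
        fi
    done
fi
```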



Completing the Installation:
When the installation procedure is complete, the installer displays the PROCESS COMPLETE message,
followed by several lines of SecureTransport startup information:
*** Secure Transport installer is running. Please wait ... ***
***************************************************************************
** PROCESS COMPLETE **
** **
** To enable features such as AS2 or SSH you might need to update your **
** license, refer to the Administrator's Guide for further details. **
** **
** **
***************************************************************************
Log file: <FILEDRIVEHOME>t/STInstallLog.txt

Starting admin interface


Using CATALINA_BASE: <FILEDRIVEHOME>/tomcat/admin
Using CATALINA_HOME: <FILEDRIVEHOME>/tomcat
Using CATALINA_TMPDIR: <FILEDRIVEHOME>/tomcat/admin/temp
Using JAVA_HOME: <FILEDRIVEHOME>/jre

The installer also creates a log file, <FILEDRIVEHOME>/STInstallLog.txt.

NOTE:
A silent installation method for SecureTransport is supported. This method of installation allows
you to carry out an installation without any questions being asked by the installer. Visit the Axway
Global Support web site for more information. See Axway Global Support on page 5 for the URL.

After successfully installing SecureTransport, you must perform a number of post-installation steps,
such as updating your SecureTransport license, enabling, configuring, and starting the
SecureTransport services. See Chapter 5, Configuring SecureTransport for more information.

Canceling the Unix-based Installation


The SecureTransport installer gives you opportunities to cancel the installation.

To stop the installation:


1 When displaying a question with an option to quit or stop the installation, you can exit the
installer.
Or, you can provide responses to the installer questions until the installer displays the Menu
Options section and select option 5 to exit the installer.
2 The following message displays when you choose to exit the installer:
Are you sure you want to quit the ST installation? [y/n] [n]:
Type y and press Enter. The following message appears:
ST Installer Exiting...
Good bye

Installing on an Appliance
This section explains how to install and uninstall SecureTransport on a Tumbleweed Appliance.

Installing SecureTransport
This section explains how to install SecureTransport on a Tumbleweed Appliance. During this
process, the installer asks a series of questions and supplies default responses. The default response
appears in square brackets at the end of the question, for example:
Enter your choice [1]:

where the number between the brackets is the default response. You can answer a question in one of
the following ways, depending on the type of the question and on your choice:
• Type the number corresponding to a provided option.
• Press Enter without typing any information to accept the default response.

NOTE:
You can change most settings configured during installation using the Administration Tool. See
Chapter 5, Configuring SecureTransport and the SecureTransport Administrators Guide for more
information.

To upgrade the operating system and load the SecureTransport installer:


1 Copy the SecureTransport appliance installer into a temporary directory and navigate to that
temporary directory.
2 Expand and extract the file using the following command:
tar -xzf STEE-4_9_1-App-x86_64-Upgrade-<BuildNumber>.tgz
where <BuildNumber> is the actual build number listed in the installer executable file, for
example, Build472.
3 In the temporary directory where you extracted the file, run the following command:
./upgrade.sh
The script completes the operating system upgrade and prepares the SecureTransport installer.

To install SecureTransport:

NOTE:
Although you can start more than one instance of the SecureTransport installer, the installation
fails when more than one instance is running. Make sure you are only running one instance of
the installer to complete the installation successfully.

1 In the /opt/TMWD/installer directory, run the following command:


./Install.sh
The SecureTransport installer displays a welcome message and prompts you for setup
information.
Loading [English] resources.
You are installing: SecureTransport



***********************************************************
*** Tumbleweed SecureTransport ***
*** ***
*** Welcome to Tumbleweed SecureTransport Installation ***
*** This application will install Tumbleweed ***
*** SecureTransport Server and its components. ***
*** ***
** Copyright (c)1993-2009 Tumbleweed Communications Corp **
***********************************************************
Checking if SecureTransport is already installed...
Proceed with SecureTransport installation?
(1) Yes
(2) No
(3) Version Information
Enter your choice [2]:
2 Type your selection.
• Type 1 to start the installation.
• Type 2 to quit the installation procedure (default).
• Type 3 to display current version information.
If you type 1 to continue the installation, the following prompt appears:
ST Install location & name
SecureTransport Installation Type
(1) Server
(2) Edge
Enter your choice [1]:
3 Type your selection.
• Type 1 to install the SecureTransport Server (default). The Server installation type installs
the full administrative feature set of SecureTransport.
• Type 2 to install the Edge (proxy) installation of SecureTransport. The Edge Installation type
provides a proxy setup of SecureTransport. It does not install a number of administrative
features available with the Server installation. For more information, see the
SecureTransport Administrators Guide.
4 If you type 1 to install the SecureTransport Server, a report like the following appears:
Install type : Server
Installation folder : /opt/TMWD/SecureTransport
Installation name :
SecureTransport Server Configuration
Admin port number : 444
Tomcat JK port number : 8009
Tomcat shutdown port number : 8005
Database port number : 33060
Enable nightly log rotation : Yes
Import a secret file : No
Then the following prompt appears:
[Menu Options]
(1) Accept values and continue
(2) Display values
(3) Edit values
(4) Start over
(5) Quit
Enter your choice [1]:
If you select option (1) to accept the default values, the installation continues and processing
information appears.

*** Secure Transport installer is running. Please wait ... ***
***************************************************************************
** PROCESS COMPLETE **
** **
** To enable features such as AS2 or SSH you might need to update your **
** license, refer to the Administrator's Guide for further details. **
** **
** **
***************************************************************************
Log file: <FILEDRIVEHOME>t/STInstallLog.txt

Starting admin interface


Using CATALINA_BASE: <FILEDRIVEHOME>/tomcat/admin
Using CATALINA_HOME: <FILEDRIVEHOME>/tomcat
Using CATALINA_TMPDIR: <FILEDRIVEHOME>/tomcat/admin/temp
Using JAVA_HOME: <FILEDRIVEHOME>/jre

Appliance1:/opt/TMWD/installer #

The installer also creates a log file, <FILEDRIVEHOME>/STInstallLog.txt.

NOTE:
A silent installation method for SecureTransport is supported. This method of installation allows
you to carry out an installation without any questions being asked by the installer. Visit the Axway
Global Support web site for more information. See Axway Global Support on page 5 for the URL.

After successfully installing SecureTransport, you must configure the setup by updating your
SecureTransport license, enabling and configuring the software, and starting the SecureTransport
services. For these next steps, see Chapter 5, Configuring SecureTransport.

Canceling the Installation


The SecureTransport installer gives you opportunities to cancel the installation.

To stop the installation:


1 When displaying a question with an option to quit or stop the installation, you can exit the
installer.
Or, you can provide responses to the installer questions until the installer displays the Menu
Options section and select option 5 to exit the installer.
2 The following message displays when you choose to exit the installer:
Are you sure you want to quit the ST installation? [y/n] [n]:
Type y and press Enter.



Installing on Windows
This section provides detailed instructions for installing SecureTransport on a Windows Server.
You cannot install more than one instance of SecureTransport on a Windows server. You can install
one instance of either SecureTransport Server or SecureTransport Edge.

During the installation, do not close any console windows that are opened.

To install SecureTransport, complete the following steps:


1 Uncompress and extract the SecureTransport 4.9.1 installer into a temporary directory. Run the
SecureTransport installer file STEE-4_9_1-Windows-x86-<BuildNumber>.exe where
<BuildNumber> is the actual build number listed in the installer executable file such as
Build472.
The Welcome dialog box displays.
2 Click Next to start the installation process. The installer displays the License Agreement dialog
box.

Review the License Agreement for Secure Transport carefully. Use the scrollbar on the
right-hand side of the dialog box to scroll throughout the entire text.
(Optional) Click Print to print out a copy of the License Agreement if you prefer to read it on
paper or want to save a copy of it.
Select I accept the terms of the license agreement to indicate that you accept the License
Agreement and click Next to proceed with the installation procedure.
The installer displays the Setup Type and Destination Folder dialog box.

3 Select the installation Type - Server or Edge.

The SecureTransport Server Installation installs the full feature set of SecureTransport,
including the Transaction Manager.
The Edge server provides a proxy setup of SecureTransport and contains a subset of
SecureTransport Server features.
During the installation, which takes several minutes, a command window displays some of the
processing. Disregard the installer message stating Unable to locate tools.jar. The
installation continues properly.

NOTE:
The remaining steps in this section apply to a server installation. Refer to the SecureTransport
Server Administrators Guide for more information about the SecureTransport Edge installation.

(Optional) Click Browse to define a destination folder for the SecureTransport installation that
is different from the default one:
C:\Program Files\Tumbleweed\SecureTransport
Click Next to proceed with the installation procedure. The installer displays the SecureTransport
Options dialog box.

WARNING:
The directory name that you install into cannot contain multiple spaces in a row or tab characters.
Characters that are acceptable include the letters A-Z, the numbers 0-9, and a single space
between two words. For example, C:\Program Files\Tumbleweed\ST Server\ is acceptable,
but C:\Program Files\Tumbleweed\ST  Server\ is not acceptable. In addition, you cannot
install SecureTransport into a directory whose name contains the “~” character (for example,
C:\Program Files\Tumbleweed\ST~\).



4 When the SecureTransport Options dialog box appears, you can accept the default values or
change any of the settings.

a Type a port number for the SSL Administration Tool port. The default port number is 444.
b Type a port number for the Tomcat JK port. The default port number is 8009.
c Type a port number for the Tomcat Shutdown port. The default port number is 8005.
d Type a port number for the database. The default port number is 33060.
e Select Enable Nightly Log Rotation if you want the system to perform automatic backup and
purging of log files on a nightly basis. When this feature is enabled, SecureTransport Server
backs up the log files generated on the respective day and creates new ones for the subsequent
day. The server takes a backup and creates a new log file at 23:59 or 00:00 hours, depending
on the log file type.
Enable Nightly Log Rotation is enabled by default. You can enable or disable the nightly log
rotation after installation - see the SecureTransport Administrators Guide for more
information.
f Set the Secret File Path.
A secret file contains a random phrase that encrypts the SecureTransport system cookies.
The secret file size must be at least 1024 bytes. If you are setting up a high availability or
high capacity clustered deployment, and this server is a secondary server in the cluster,
import the secret file from the primary server. Specify the location by typing the path or
clicking Browse to locate the file.
When installing a secondary server, copy the secret file from the primary server to the
secondary server before running the installer so you can specify the primary server secret file
location during installation.

NOTE:
You cannot change the secret file after you have configured SecureTransport. The
install_secret command can only be run on a secondary server immediately after
installation, before you configure the server. See the SecureTransport Administrators Guide for
more information on command line utilities.

If you are not setting up a high availability or high capacity clustered deployment or this
server is the primary server, leave this field blank. The installer creates a secret file.
The installer creates the secret file in the following directory:
<FILEDRIVEHOME>/lib/certs/private

TIP:
See the SecureTransport Administrators Guide for more information on configuring your software
for high availability or high capacity.

Click Next to continue. The installer displays the Ready to Install the Program dialog box.
5 Click Install to start the installation. The installer displays the Setup Status dialog box and a
command prompt window.
The installation process can take several minutes to complete.
If the installation fails, click OK at the prompt and refer to the installer log for details.
6 When the installation procedure is complete, the installer displays the InstallShield Wizard
Complete dialog box.
7 Click Finish to complete the installation and close the installer.
After successfully installing SecureTransport, you must configure the installation. See Chapter 5,
Configuring SecureTransport for more information.

Canceling the Windows Installation


You can cancel the installation at any stage by clicking Cancel. The installer opens a confirmation
dialog box and proceeds according to your response.

Click Yes to exit the installation or No to continue the installation process.



Chapter 4
Upgrading SecureTransport

This chapter describes the upgrade procedures for SecureTransport 4.9.1. You can upgrade from
SecureTransport 4.7.1, 4.8.1, or 4.9. To upgrade from SecureTransport 4.6.1 or any SecureTransport
4.9 Limited Availability release, first upgrade to SecureTransport 4.7.1, 4.8.1, or 4.9 General
Availability and then to SecureTransport 4.9.1. If you have more than a few customizations, contact
the Axway Professional Services Organization. For contact information, see Axway Global Support
on page 5.
If you have a version other than those listed and want to migrate to 4.9.1, contact Axway Global
Support. For information about migrating from SecureTransport 4.5.x to SecureTransport 4.9.x, see
Appendix C, Migrating SecureTransport 4.5.x to 4.9.x.
Contact Axway Global Support or the Axway Professional Services Organization if you are
upgrading from an earlier version of SecureTransport with any ESP component. For contact
information, see Axway Global Support on page 5.
Sections include:
• Upgrading a Unix-based Platform
• Upgrading an Appliance
• Upgrading on Windows

NOTE:
If you upgrade a high availability cluster to SecureTransport 4.9.x and you do not plan to send
SecureTransport event data to Synchrony Sentinel, on every server edit the
<FILEDRIVEHOME>/conf/configuration.xml file and change mode="passive" to
mode="passive_legacy". For more information, see the section on changing the cluster
configuration in the SecureTransport Administrators Guide.

Upgrading a Unix-based Platform
Make sure your previous version of SecureTransport is not running (refer to the SecureTransport
Administrators Guide for more information).

Before You Upgrade


• Duplicate your existing SecureTransport installation so you can run it in parallel with your
upgraded system.
• Make sure that the SecureTransport server is not in use and all the connections are closed (refer
to the SecureTransport Server Administrators Guide for more information on shutting down
SecureTransport services).
• Back up the operating system.
• Back up your existing SecureTransport installation. To back up your preceding SecureTransport
installation, follow the backup procedure steps. In the rare case of an upgrade procedure failure
resulting in system instability of any kind, please follow the upgrade recovery procedure.
• Make sure the port number for Tomcat JK2 is greater than 1024. (The default value is 8009.)
Check the following locations for the port number:
• In <FILEDRIVEHOME>/tomcat/admin/conf/jk2.properties find
Connector port=.
• In <FILEDRIVEHOME>/tomcat/admin/conf/server.xml find Connector port= and
jvmRoute=.
• In any <FILEDRIVEHOME>/tomcat/admin/conf/workers2.properties file find
port=.
If the Tomcat JK2 port number shown is less than or equal to 1024, change all occurrences to a
number greater than 1024.
• During a non-root upgrade, you might see an error such as
<bash: /root/.bashrc: Permission denied>.
You can ignore this error since it doesn't interfere with system operations.
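One way to run the Tomcat JK2 port check from the list above on a Unix host, as an added example that is not part of the vendor's guide or tooling. The function name is an assumption, and because server.xml may define other connectors as well, match any hit reported there to the JK2 connector by hand before changing it.

```shell
#!/bin/sh
# Added example (not vendor code): list every port= value of 1024 or lower in
# the three Tomcat admin files named in the pre-upgrade checklist.
# Usage:  jk2_low_ports <FILEDRIVEHOME>
# Output: one "file:line:port" record per hit; returns 1 if there is any hit.
jk2_low_ports() {
    jk2_conf="$1/tomcat/admin/conf"
    jk2_hits=$(
        for jk2_file in jk2.properties server.xml workers2.properties; do
            [ -f "$jk2_conf/$jk2_file" ] || continue
            awk -v name="$jk2_file" '
                # Skip comment lines in the .properties files.
                name ~ /\.properties$/ && /^[ \t]*#/ { next }
                {
                    rest = $0
                    # Case-sensitive on purpose: matches port=8009 and
                    # port="8009" but not redirectPort= or proxyPort=.
                    while (match(rest, /port="?[0-9]+/)) {
                        value = substr(rest, RSTART, RLENGTH)
                        sub(/^port="?/, "", value)
                        if (value + 0 <= 1024)
                            printf "%s:%d:%d\n", name, NR, value
                        rest = substr(rest, RSTART + RLENGTH)
                    }
                }
            ' "$jk2_conf/$jk2_file"
        done
    )
    [ -z "$jk2_hits" ] && return 0
    printf '%s\n' "$jk2_hits"
    return 1
}

# Run directly as: sh check_jk2_ports.sh <FILEDRIVEHOME>  (script name is hypothetical)
if [ "$#" -ge 1 ]; then
    jk2_low_ports "$1"
fi
```

An empty result with exit status 0 means no port= setting in those files is at or below 1024.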

Backup Procedure Before Upgrading


Back up your previous installation before upgrading.

To back up your installation:


1 Stop all the SecureTransport services. Refer to the SecureTransport Administrators Guide for
details.
2 Back up the SecureTransport directory by tarring the files or using another backup method.
Your backup must include the following files:
• All files in <FILEDRIVEHOME>
• All files in the /etc directory and its subdirectories whose names end with the installation
name
Use the following command to find the files:
find /etc -name "*<installation name>" -print
where <installation name> is the name you specified when you installed the current
installation.

• The root crontab file
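The backup items listed above, collected by one script, as an added example that is not part of the vendor's guide or tooling. The function name, the output file names and the optional fourth argument (an alternative to /etc, useful for a dry run) are assumptions, as are a tar that supports -T and running as root so that crontab -l returns the root crontab.

```shell
#!/bin/sh
# Added example (not vendor code): pre-upgrade backup of a Unix SecureTransport
# installation, covering the three items the guide lists.
# Usage: st_backup <FILEDRIVEHOME> <installation name> <backup dir> [etc dir]
# Assumptions: all SecureTransport services are already stopped; the backup
# directory exists; tar supports -T; the caller is root.
st_backup() {
    st_home=$1; st_name=$2; st_dest=$3; st_etc=${4:-/etc}

    [ -d "$st_home" ] || { echo "st_backup: no such directory: $st_home" >&2; return 1; }
    [ -d "$st_dest" ] || { echo "st_backup: backup directory missing: $st_dest" >&2; return 1; }
    [ -n "$st_name" ] || { echo "st_backup: installation name is empty" >&2; return 1; }

    # Refuse a backup directory inside FILEDRIVEHOME: the archive would
    # include itself and be overwritten when the installation is restored.
    st_home_abs=$(cd "$st_home" && pwd -P) || return 1
    st_dest_abs=$(cd "$st_dest" && pwd -P) || return 1
    case "$st_dest_abs/" in
        "$st_home_abs"/*)
            echo "st_backup: $st_dest is inside $st_home" >&2; return 1 ;;
    esac

    st_list="$st_dest_abs/st-backup.files"
    st_tar="$st_dest_abs/st-backup.tar"

    # Item 1: all files in FILEDRIVEHOME.
    # Item 2: entries under /etc whose names end with the installation name
    #         (the same find expression the guide gives). A find error, such
    #         as an unreadable subdirectory, fails the backup.
    {
        printf '%s\n' "$st_home_abs"
        find "$st_etc" -name "*$st_name" -print
    } > "$st_list" || return 1

    # Item 3: the root crontab, saved next to the archive (empty file if
    # root has no crontab).
    crontab -l > "$st_dest_abs/root-crontab.txt" 2>/dev/null \
        || : > "$st_dest_abs/root-crontab.txt"

    tar -cf "$st_tar" -T "$st_list" || return 1

    # Read the archive back to confirm it is listable, then record a checksum
    # so the copy can be verified before a restore.
    tar -tf "$st_tar" > "$st_dest_abs/st-backup.contents" || return 1
    ( cd "$st_dest_abs" && cksum st-backup.tar > st-backup.tar.cksum ) || return 1

    echo "$st_tar"
}

# Run directly as: sh st_backup.sh <FILEDRIVEHOME> <installation name> <backup dir>
# (script name is hypothetical)
if [ "$#" -ge 3 ]; then
    st_backup "$@"
fi
```

The secret file and private keys under <FILEDRIVEHOME>/lib/certs/private end up in the archive, so store it with the same access restrictions as the installation itself.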

NOTE:
If you create a custom role after upgrading to SecureTransport 4.9.1, all newly created
administrators with this role are assigned a Delegated Administrator role. During the upgrade
process, a message displays informing you of this change.

Upgrading SecureTransport
Upgrading SecureTransport uses the same installer as a new installation, but the interaction is
different.

To upgrade SecureTransport:
1 Expand and extract the SecureTransport installer into a temporary directory and navigate to this
temporary directory. The commands are:
gunzip STEE-4_9_1-<OS>-<processor>-<BuildNumber>.tar.gz
tar -xf STEE-4_9_1-<OS>-<processor>-<BuildNumber>.tar
where the variables represent the following:
<OS> is the operating system: AIX (for IBM AIX), RHEL (for Red Hat Enterprise Linux), SunOS
(for Sun Solaris), or SUSE (for SUSE Linux Enterprise Server).
<processor> is the type of processor running the operating system: i386, ppc, x86_64, or
sparc.
<BuildNumber> is the actual build number listed in the installer executable file, for example,
Build472.

NOTE:
Although you can start more than one instance of the SecureTransport installer, the installation
fails when more than one instance is running. Make sure you are only running one instance of
the installer to complete the installation successfully.

2 In the temporary directory where you extracted the installer, type the following at the command
prompt to run the SecureTransport installer:
./Install.sh
The installer displays a welcome message:
Loading [English] resources.
You are installing: SecureTransport

***********************************************************
*** Tumbleweed SecureTransport ***
*** ***
*** Welcome to Tumbleweed SecureTransport Installation ***
*** This application will install Tumbleweed ***
*** SecureTransport Server and its components. ***
*** ***
** Copyright (c)1993-2009 Tumbleweed Communications Corp **
***********************************************************

3 The installer searches for previous installations of SecureTransport on your machine and lists
any that it finds in the first installer question for your response:
Checking if SecureTransport is already installed...
Please pick an installation instance or choose new.
(1) <old installation name and [directory]>
(2) NEW INSTALLATION
(3) Quit
Enter your choice [3]:
Type the number representing the installation instance you want to upgrade to SecureTransport
4.9.1 and press Enter.
4 The installer asks if you have backed up the existing installation:
Have you made a full backup of your existing SecureTransport installation?
[y/n] [n]:
If you have made the backup, type y and press Enter. Otherwise, cancel the installation and
make the backup before resuming the installation.
To cancel the installation, type n and press Enter. The upgrade installation is canceled after an
additional confirmation prompt is displayed.
5 The installer displays a confirmation menu:
(1) Upgrade ST
(2) Quit
(3) Version Information
Enter your choice [1]:
Type 1 to continue the upgrade (default), 2 to cancel the installation, or 3 to display the
information about currently installed versions of SecureTransport and the SecureTransport
components being installed, and then press Enter.

NOTE:
There might be more than one instance of SecureTransport listed for upgrade.

6 The installer displays the multipage license agreement. Press Enter to move from one page to the
next. Review the license agreement for SecureTransport 4.9.1 carefully.
Accept the license agreement?
(1) Yes
(2) No
Enter your choice [2]:
To accept the license agreement, type 1 and then press Enter.
7 The installer displays the installation summary and a menu options confirmation prompt:
[Menu Options]
(1) Accept values and continue
(2) Display values
(3) Start over
(4) Quit
Enter your choice [1]:
Type 1 to accept your entries and continue (default), 2 to redisplay the entries you made, 3 to
edit the entries you made, 4 to start the installation procedure from the beginning (this response
cancels all responses you gave to this point), or 5 to quit the installation. Press Enter.
The installer creates a configuration file and displays several lines of information about the
upgrade process. When upgrading SecureTransport Edge or SecureTransport Server, the
following displays:



Configuration file generated
** Stopping SecureTransport **
Stopping admin services
Stopping ftpd services
Stopping httpd services
Stopping sshd services
Stopping as2d services
Stopping db services
Stopping tm services
8 When the upgrade is complete, the installer displays the following text:
***************************************************************************
** PROCESS COMPLETE **
** **
** **
** **
***************************************************************************
Log file: <FILEDRIVEHOME>/STInstallLog.txt
** Starting SecureTransport **
Starting admin interface
Using CATALINA_BASE: <FILEDRIVEHOME>/tomcat/admin
Using CATALINA_HOME: <FILEDRIVEHOME>/tomcat
Using CATALINA_TMPDIR: <FILEDRIVEHOME>/tomcat/admin/temp
Using JAVA_HOME: <FILEDRIVEHOME>/jre

Starting ftpd services


Starting httpd services
Starting sshd services
Starting as2d services
Using CATALINA_BASE: <FILEDRIVEHOME>/tomcat/as2
Using CATALINA_HOME: <FILEDRIVEHOME>/tomcat
Using CATALINA_TMPDIR: <FILEDRIVEHOME>/var/tmp
Using JAVA_HOME: <FILEDRIVEHOME>/jre
Starting tm services

The upgrade procedure is now complete. At the end of each installation the installer creates a log and
saves it in the following location:
<FILEDRIVEHOME>/STInstallLog.txt

After successfully upgrading to SecureTransport 4.9.1, you must configure SecureTransport
following the steps described in Chapter 5, Configuring SecureTransport.

Upgrading an Appliance
The installation file provided upgrades 64-bit appliances. Before upgrading your appliance, back up
the operating system and SecureTransport. See Before You Upgrade on page 34 for more
information on backing up SecureTransport.

64-bit Appliances
• Supported Models: ST4620, ST5620, ST6620, ST4720, ST5720, and ST6720
• Installer file: STEE-4_9_1-App-x86_64-Upgrade-<BuildNumber>.tgz
• Upgradable from SecureTransport 4.7.1, 4.8.1 and 4.9

NOTE:
<BuildNumber> is the actual build number listed in the file such as Build472.

Upgrading SecureTransport
The appliance upgrade is similar to the Unix upgrade.

To upgrade to the new version of the operating system and SecureTransport:


1 Follow the instructions in To upgrade the operating system and load the SecureTransport
installer: on page 26 substituting the upgrade file for the installer file.
2 In the /opt/TMWD/installer directory, run the following command:
./Install.sh
The SecureTransport installer displays a welcome message.
3 Follow the instructions starting at step 3 of To upgrade SecureTransport: on page 35.



Upgrading on Windows
This section provides detailed instructions for upgrading to SecureTransport 4.9.1 on Windows.

Before You Upgrade


The following provides information useful to know before starting the installer.
• Duplicate your existing SecureTransport installation so you can run it in parallel with your
upgraded system.
• Before upgrading, make sure you are running Windows Server 2003, Service Pack 2. If you do
not already have Service Pack 2 installed, upgrade to Service Pack 2 before running the
SecureTransport installer.
• Back up the operating system.
• Before upgrading, make sure the Cygwin console and all Cygwin tools installed with your
previous SecureTransport installation, including the Cygwin cron service, are closed. Check the
Users tab in the Windows Task Manager to make sure no one else is using Cygwin. If necessary,
close the Cygwin console and tools manually. See the SecureTransport Administrators Guide for
more information.
• Make sure there are no MySQL processes running. Stop any MySQL processes that are running
before starting the upgrade.
• Make sure any antivirus software running on the computer is disabled during the installation.
Leaving the antivirus software running can cause the upgrade to fail.
• Make sure you back up the old installation. To back up your preceding SecureTransport
installation, follow the backup procedure steps. In the rare case of an upgrade procedure failure
resulting in system instability of any kind, please follow the upgrade recovery procedure.

Backup Procedure Before Upgrading


Back up your previous installation before upgrading.

To back up your installation:


1 Stop all the SecureTransport services. Refer to the SecureTransport Administrators Guide for
details.
2 Back up Windows registry entries. Run regedit.exe.
a Select each of the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus
HKEY_LOCAL_MACHINE\SOFTWARE\Tumbleweed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Uninstall\{74039923-B563-4816-AE9C-BA1B47847D93}
b At each entry, right click and select Export > Export Registry File and save the registry entry
to a safe location. For example, save:
C:\Program Files\Tumbleweed\SecureTransport
c When you are finished backing up the registry entries, exit regedit.

3 Back up files of the earlier SecureTransport installation.
a Create a zip file called SecureTransport.zip containing all the files in the
C:\Program Files\Tumbleweed\SecureTransport directory of your existing
SecureTransport installation, preserving the folder structure.
b Back up the following folder:
C:\Program Files\InstallShield Installation Information\
{74039923-B563-4816-AE9C-BA1B47847D93}

Recovery Procedure
Make sure you uninstall SecureTransport 4.9.1 before attempting to recover your backup. If the
upgrade fails, you can recover your previous version of SecureTransport Server using the following
steps.

To recover the Windows backup:


1 Expand the SecureTransport.zip file created during the backup procedure and extract the
files into the original installation directory of your previous SecureTransport installation.
2 Run regedit.exe to start the Windows registry, and delete the following registry entries:
• HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus
• HKEY_LOCAL_MACHINE\SOFTWARE\Tumbleweed
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Uninstall\{74039923-B563-4816-AE9C-BA1B47847D93}
3 Restore the registry entries that you backed up. To import a registry entry into the Windows
registry, double-click the name of the respective .reg file, located in the SecureTransport
installation directory where you extracted the backup files.
4 Make sure the directory containing the file cygwin1.dll is included in your path, for example:
C:\Program Files\Tumbleweed\SecureTransport\cygwin\bin
5 Make sure the folder STServer\bin is included in your path, for example:
C:\Program Files\Tumbleweed\SecureTransport\STServer\bin
6 Install the SecureTransport services.
a To install the services on a SecureTransport Server installation, navigate to the folder
STServer\bin, located under the SecureTransport installation folder, and double-click the
following files: install_ftpd_service.com, install_httpd_service.com,
install_sshd_service.com, install_tm_service.com,
install_admin_service.com, and install_as2d_service.com.
b To install SecureTransport services on a SecureTransport Edge installation, navigate to the
folder STServer\brules\bin, located under the SecureTransport installation folder, and
double-click the following files: install_ftpd_service.com,
install_httpd_service.com, install_sshd_service.com,
install_admin_service.com, and install_as2d_service.com.
7 Install Cygwin cron:
a Navigate to the SecureTransport installation directory and double-click the
cygwin\bin\cygwin.bat file to start the Cygwin shell.
b In the Cygwin shell, execute the following command on a single line:
cygrunsrv -I cygwin_cron -d "Cygwin cron" -p /usr/sbin/cron -a -D -f "Cygwin Cron"



8 Restore the following directory:
C:\Program Files\InstallShield Installation Information\
{74039923-B563-4816-AE9C-BA1B47847D93}
9 Reboot your system and start all SecureTransport services. See the SecureTransport
Administrators Guide for more information.

Upgrade Installation Procedure


After you have backed up your previous installation, you can upgrade to a new version of
SecureTransport.

To upgrade SecureTransport:
1 Make sure that the SecureTransport server is not in use and all the connections are closed.
2 Copy the installer file to a temporary directory. Run the SecureTransport installer file
STEE-4_9_1-Windows-x86-<BuildNumber>.exe where <BuildNumber> is the actual build
number listed in the installer executable file such as Build472.
3 The installer detects the existing installation and asks if you have backed up your existing
SecureTransport Server installation. If you have made the backup, click Yes and proceed with
the upgrade installation. Otherwise, cancel the upgrade installation and perform the backup
described in Backup Procedure Before Upgrading on page 39 before resuming the upgrade
installation.
4 When the Installer dialog box opens, click Next to start the process.
During the installation, which takes several minutes, a command window displays the
processing steps. Disregard a line indicating that the installer is “Unable to locate tools.jar.”
When the installation is complete, a success message appears.
After upgrading to SecureTransport 4.9.1, configure the installation. See Chapter 5, Configuring
SecureTransport for more information on the post-installation steps you must perform.

Chapter 5
Configuring SecureTransport

This chapter describes how to set up and configure SecureTransport for basic operation. This chapter
assumes SecureTransport has already been installed. If SecureTransport has not been installed or
there are questions relating to the installation, refer to the information in Before You Install and
Installing SecureTransport. The Setup Administrator account is used only for the initial
post-installation configuration.
Use the Setup Administrator account to configure key items needed for SecureTransport to function.
These items are listed in the Starting Setup section of this chapter. After the initial setup is complete,
use the administrator login for future maintenance and changes. Refer to the SecureTransport
Administrators Guide for more information.
Sections include:
• Starting Setup
• Step 1 Install Licenses
• Step 2 Keystore Password
• Step 3 Generate Certificate Authority
• Step 4 Generate Certificates
• Step 5 Set Up Servers
• Step 6 Exchange CA Certificates
• Clean Up the Setup Account
• Additional Configuration Tasks

Starting Setup
For the initial configuration, SecureTransport provides a setup account with a default password. Make
sure that the default password is changed. Use this account to help with the initial system
configuration. Read through the following checklist to make sure these items are available before
setting up the system for first-time use.

SecureTransport Server Checklist


These are items needed for the SecureTransport Server configuration:

Items                                                Your Installation

SecureTransport Server IP Address
Core Server License for SecureTransport Server
Server Feature License for SecureTransport Server
CA and certificate attributes
Initial password for the root CA

Port Setting                              Default    Your Installation

HTTP Port                                 80
HTTPS Port                                443
HTTPS Admin Port                          444
HTTPS Admin Shutdown Port                 8005
FTP/S Port                                21
SSH Port                                  22
AS2 Port for HTTP                         10080
AS2 Port for HTTPS                        10443
AS2 Shutdown Port                         8006
Database Port                             33060
Transaction Manager Port for SSL          4455
Transaction Manager Port for non-SSL      81

NOTE:
Default port numbers might be different than those listed in the tables if you installed on an
appliance (SSH Port is 10022) or if you installed as a non-root user (add 8000 to the default listed
for port numbers that are below 1024).



SecureTransport Edge Checklist
These are items needed for the SecureTransport Edge server configuration:

Items                                                Your Installation

SecureTransport Edge IP Address
SecureTransport Server IP Address or hostname
Core Server License for SecureTransport Edge
Server Feature License for SecureTransport Edge
CA and certificate attributes
Initial password for the root CA

Port Settings                             Default    Your Installation

HTTP Port                                 80
HTTPS Port                                443
FTP/S Port                                21
SSH Port                                  22
AS2 Port for HTTP                         10080
AS2 Port for HTTPS                        10443
Database Port                             33060
Proxy Server Port                         1080
IP Port for SecureTransport Server        4455

NOTE:
Default port numbers might be different than those listed in the tables if you installed on an
appliance (SSH Port is 10022) or if you installed as a non-root user (add 8000 to the default listed
for port numbers that are below 1024).

Logging onto the server
Log onto your server with all checklist items readily available.

To log onto the system:


1 Open a browser.
2 Type https://<servername>:<portnumber> where <servername> is the name or IP
address of the server you want to configure and <portnumber> is the SSL port number you
assigned to the Administration Tool during installation. The default port number is 444, or 8444
if you are running as a non-root user.
3 Type the setup username and password. The default setup username is setup and the default
password is setup.

Setup Steps
There are six steps involved in configuring SecureTransport for initial use:
1 Install Licenses – Install the core and feature licenses.
2 Keystore Password – Replace the blank keystore password with one you create.
3 Generate CA – Regenerate the Internal CA used to sign other certificates.
Alternatively, you can import a CA certificate.
4 Generate Certificates – Generate certificates for each protocol server you are using (FTP, HTTP,
and so on).
You can import server certificates. They must be signed by the imported CA.
5 Set Up Servers – Set up the HTTP, FTP, SSH, and AS2 protocol servers, the Transaction
Manager (TM) server, and the Database server.
The SecureTransport Edge server also supports a proxy (SOCKS) server setup.
6 Exchange Certificates – Import and export CAs from SecureTransport Servers and
SecureTransport Edge servers.
Complete the steps in the order listed to prevent conflicts.



Viewing Server Log Messages
At any time during the setup process, you can view the log messages SecureTransport has generated
by selecting the Server Log page.

For more information about the Server Logs, see the SecureTransport Administrators Guide.

Step 1 Install Licenses
Two licenses must be installed. The first, the Core Server License, includes the number of accounts,
Rich Internet Client, and Web Client users allowed. The second, the Features License, identifies
additional features that are licensed. These can include the AS2, SSH, SiteMinder, and
Connect:Direct protocols.
The FTP and HTTP protocols are included in the core license. For AS2, SSH, SiteMinder, or
Connect:Direct features, please contact your local account executive or supplier.

Installing Server Licenses


The Server License page allows the Administrator to install SecureTransport licenses. Contact
Axway Global Support to obtain text files containing the core server license and the features license.
See Axway Global Support on page 5 for contact information.

To install the license files:


1 Select 1-Install Licenses.

2 Open the text file containing the core server license information and copy the entire contents of
the file to the clipboard.
3 Paste the entire contents of the file into the Update License text area and click Update License.
The core server license information displays.
4 Open the text file containing the features license information and copy the entire contents of the
file to the clipboard.
5 Paste the entire contents of the file into the Update License text area.
6 Click Update License.
The features license information displays.



TIP:
When you log in to SecureTransport Server as an administrator, you can access this page by
selecting Setup > Server License.

About Rich Internet Client Licenses


You must install a core license with Rich Internet Client user licenses included to run the Rich Internet
Client. There are four categories for the Rich Internet Client license:
• Unlimited Rich Internet Client licenses: If your company has purchased an unlimited number
of Rich Internet Client user licenses, then the display shows “unlimited” for the number of Rich
Internet Client Users.
• One Rich Internet Client license for each account license: If your company has purchased
one Rich Internet Client license for each account license, then the display shows the same
number of Accounts and number of Rich Internet Client licenses.
• Fewer Rich Internet Client licenses than account licenses: If your company has
purchased fewer Rich Internet Client licenses than account licenses, then the display shows the
maximum number of users that can use the Rich Internet Client.
• No Rich Internet Client licenses: If your company did not purchase any Rich Internet Client
licenses, then end users cannot use the Rich Internet Client. The display does not include the line
with Rich Internet Client Users.

Step 2 Keystore Password
In this step you reset the keystore password. This task is required before you can generate an internal
certificate in Step 3, Generate CA.

Changing the Keystore Password


SecureTransport contains a keystore for all the certificates created and used within the software. A
default blank keystore password is set during installation. Change the password from this default.

To change the default Keystore Password:


1 Select 2-Keystore Password.
2 Select Keystore Password if it is not already visible.
3 Type the old keystore password in the Old Password field. Leave this field empty if this is the
first time you are changing the keystore password.
4 Type a new password in the New Password field and repeat the password in the Confirm New
Password field.
5 Click Update to change the password.

TIP:
When you log in to SecureTransport Server as an administrator, you can access this page by
selecting Setup > Certificates > Keystore Password.



Step 3 Generate Certificate Authority
In this step you create a new internal Certificate Authority (CA). This task is required before you can
generate certificates for the services in Step 4, Generate Certs.

Generating a Permanent Internal Certificate Authority


SecureTransport uses digital certificates for many security functions. These certificates can either be
self-signed, meaning they are issued by the SecureTransport Server, or signed by a third party, such
as an external company like Verisign or a corporate CA. During the installation process,
SecureTransport installs a default self-signed CA.
This step regenerates the self-signed Internal CA with a new password and with Distinguished Name
(DN) attributes specific to an organization. You can use the Internal CA to sign local certificates when
you generate them in Step 4.

To create a new internal certificate:
1 Select 3-Generate CA.
2 Click Generate New CA.

3 Type the required information for the internal certificate.


Internal certificates require the Certificate Subject information. For internal certificates, type the
following information:
• Validity in days — the number of days the certificate is valid. The default is 365 days.
• CA key password — the private key password used to unlock the certificate.
• Confirm CA key password — the private key password must be entered again for
confirmation.
• Common Name — a description of the certificate. Do not use the host name or the
fully-qualified host name (FQDN) of the server without additional identifying text.
• Department — the name of the department to which the certificate is issued.
• Company — the name of the company to which the certificate is issued.
• City — the name of the city where the certificate is located.
• State — the name of the state where the certificate is located.
• Country — the name of the country where the certificate is located.
4 Click Generate.

TIP:
When you log in to SecureTransport Server as an administrator, you can access this page by
selecting Setup > Certificates > Internal CA.



Using an External Certificate Authority
Optionally, you can also import an external certificate. Follow the steps listed below.

To import an external certificate:


1 Replace lib/certs/ca-crt.pem.
2 Replace lib/certs/private/ca-key.pem.
3 Import ca-crt.pem in the trusted keystore with a “ca” alias.
Now, you can sign certificates using the external CA.

Step 4 Generate Certificates
The next step allows you to generate the server certificates that SecureTransport uses. Select
4-Generate Certs to generate local, self-issued server certificates. Generated certificates are
assigned RSA keys.

SecureTransport can use certificates for multiple purposes. For example, the ftpd certificate is
commonly used for securing FTPS and SSH connections. Separate certificates and aliases can be used
for each protocol. The httpd certificate is commonly signed by a public CA so that external users,
especially those using a web browser to access the system, will trust the certificate. The other
certificates are either internal to the product or only used by the Administrators; they can be signed
by the internal CA. The admind certificate is generated as part of the installation process.
To use a certificate signed by an external CA, see the SecureTransport Best Practices Guide or the
Axway Global Support Knowledge Base for more information.

SecureTransport Certificates
For a SecureTransport Server installation, generate the following certificates:

Alias     Certificate Use

ftpd      An SSL server certificate for users connecting to transfer files
httpd     An SSL server certificate for users connecting to transfer files
admind    An SSL server certificate for users connecting to the web
          administration system
mdn       A certificate used to sign the MDN receipts. The MDN alias must be
          named mdn. This certificate is not required to run SecureTransport
          Server. Generate it only if you are using MDN receipts.
tm        A certificate for the Transaction Manager. This certificate is not
          required to run SecureTransport Server. You can use this certificate as
          the key alias for the TM Server Port specified in Step 5 Set Up Servers
          on page 57.



For a SecureTransport Edge installation, generate the following certificates:

Alias     Certificate Use

ftpd      An SSL server certificate for users connecting to transfer files
httpd     An SSL server certificate for users connecting to transfer files
admind    An SSL server certificate for users connecting to the web
          administration system

These certificates can be signed by the internal SecureTransport CA. See Step 3 Generate Certificate
Authority on page 51.

NOTE:
The following procedure is used to generate a self-issued certificate. Refer to the
SecureTransport Administration Guide for information about generating a Certificate Signing
Request (CSR).

To generate a self-issued certificate:


1 Select 4-Generate Certs.
2 Click Generate to create a new certificate.

3 Select the certificate type: X509 Certificate / SSH key.


• Type the CA key password — the password of the Internal CA private key.
4 Select Self-issued Certificate. Self-issued certificates require the Certificate Subject
information. Type the following information:
• Alias — the name that identifies the certificate.
If an alias that is already assigned to another certificate is used, a dialog box displays asking
if you want to overwrite the original certificate. Be sure the appropriate alias has been
entered for the new certificate. If you are sure you want to replace the original certificate
with the new one, click Overwrite. Click Cancel to discard the new certificate and keep the
original one. You are returned to the Generate Certificate dialog box to make changes.
• Validity in days — the number of days the certificate is valid.
• Key Size — a number representing the size or length of the key, expressed in bits. Possible
values are 1024, 2048 (default), 3072, or 4096 bits.
• Common Name — a description of the certificate. Do not use the host name or the fully-
qualified host name (FQDN) of the server without additional identifying text. Do not use the
same Common Name as is used in the Certificate Authority.
• Department — the name of the department to which the certificate is issued.
• Company — the name of the company to which the certificate is issued.
• City — the name of the city where the certificate subject is located.
• State — the name of the state where the certificate subject is located.
• Country — the name of the country where the certificate subject is located.
If you want to create a Certificate Signing Request (CSR), see the SecureTransport
Administrators Guide for more information.
5 Click Generate.
a (Optional) Select Save backup of private key to file if you want to save a copy of the private
key.

b Type a password in the Password field, type it again in the Confirm Password field, and
click Continue.
c When asked to open or save the file, click Save and select a location on the local file system.
A message displays indicating that the certificate was successfully saved.
6 Click Close.

NOTE:
Third-party certificates do not work for the SSH daemon.

TIP:
When you log in to SecureTransport Server as an administrator, you can access this page by
selecting Setup > Certificates > Local Certificates.



Step 5 Set Up Servers
The next two steps cover setting up the initial configuration settings for the various protocol services.
This step describes the settings for HTTP, FTP, AS2, SSH, and TM Server.
The 5-Set Up Servers page displays the database, FTP, HTTP, AS2, SSH, and TM Server settings.
When you are setting up an Edge server, you can also configure the Proxy server settings. This page
also allows the Administrator to change the protocol, shutdown ports, specify the protocol SSL key
aliases, enable and disable services, and start or stop the services. When logged in as the Setup
Administrator on SecureTransport Server, the following features display:

TIP:
When you log in to SecureTransport Server as an administrator, you can access this page by
selecting Operations > Server Control.

When running as the Setup Administrator on SecureTransport Edge, the following features display:

TIP:
When you log in to SecureTransport Edge as an administrator, you can access this page by
selecting Operations > Server Control.

FIPS Transfer Mode


For client-initiated transfers using the AS2, FTPS, HTTPS, or SSH (SFTP/SCP) protocols, you can
select Enable FIPS Transfer Mode to restrict the SecureTransport server to use only FIPS 140-2
Level 1 certified cryptographic libraries. This requires the sender and the recipient (clients and partner
servers) to use only the approved algorithms, ciphers, and cipher suites listed in the SecureTransport
Administration Guide and assures that the entire transfer is secure at FIPS 140-2 Level 1.

NOTE:
If FIPS transfer mode is enabled for a protocol server and the client that uses that server does
not provide the required FIPS cipher or cipher suite, SecureTransport will not complete the
transfer.



To set up the servers:
1 Select 5-Set Up Servers.
2 Use the following procedures to set up the appropriate servers. On the SecureTransport Edge,
you can also configure the proxy port.

Configuring FTP Servers


To use HTTP and FTP, specify the FTP and the HTTP settings for both the SecureTransport Edge and
SecureTransport Server.

To configure the FTP Server:


1 Select Enable FTP and/or Enable FTPS.
2 Change the FTP Port to use a port number other than the default setting of 21.

TIP:
FTP might already be running on port 21. To avoid a port conflict, you can disable FTP at the OS
level or assign it a different port number instead of changing the port number in SecureTransport.

3 If you enabled FTPS, select a key alias from the drop-down list, for example, ftpd.
Key Alias — A key alias is the name used to identify a certificate and/or key present in the
keystore. This is the alias name used when generating a certificate using the Certificate
Manager.
4 If you enabled FTPS, to restrict FTPS connections to FIPS 140-2 Level 1 certified cryptographic
libraries, select the Enable FIPS Transfer Mode check box.
The sender and the recipient must use the ciphers and cipher suites listed in the
SecureTransport Administration Guide. If the sender and the recipient do not provide the
required ciphers and cipher suites, SecureTransport will not complete the transfer.
5 Click Start.
NOTE: If the server is already running, you cannot click Start. This note applies to each “Click
Start” step in this procedure.
6 Click Update.
NOTE: If you are configuring multiple servers (for example, FTP, AS2, and SSH) at once, you
can wait and click Update once, at the end of your server selections.

Configuring HTTP Servers

To configure the HTTP Server:


1 Select Enable HTTP and/or Enable HTTPS.
2 If you enabled HTTP, change the Port to use a port number other than the default setting of 80. If
you enabled HTTPS, change the Port to use a port number other than the default setting of 443.
3 If you enabled HTTPS, select a key alias from the drop-down list, for example, httpd.
Key Alias — A key alias is the name used to identify a certificate and/or key present in the
keystore. This is the alias name used when generating a certificate using the Certificate
Manager.

4 If you enabled HTTPS, to restrict HTTPS connections to FIPS 140-2 Level 1 certified
cryptographic libraries, select the Enable FIPS Transfer Mode check box.
The sender and the recipient must use the ciphers and cipher suites listed in the
SecureTransport Administration Guide. If the sender and the recipient do not provide the
required ciphers and cipher suites, SecureTransport will not complete the transfer.
5 Click Start.
6 Click Update.

Configuring AS2
If an AS2 license is available, enable the AS2 service. Specify the AS2 settings on both
SecureTransport Server and SecureTransport Edge.

To assign an AS2 Port Number:


1 Select Enable AS2 (non-SSL) and/or Enable AS2 (SSL).
2 Type a port for each protocol you enabled.
3 If you enabled AS2 (SSL), select an SSL Key Alias from the drop-down list.
Key Alias — A key alias is the name used to identify a certificate and/or key present in the
keystore. This is the alias name used when generating a certificate using the Certificate
Manager.
4 If you enabled AS2 (SSL), to restrict AS2 (SSL) connections to FIPS 140-2 Level 1 certified
cryptographic libraries, select the Enable FIPS Transfer Mode check box.
The sender and the recipient must use the ciphers and cipher suites listed in the
SecureTransport Administration Guide. If the sender and the recipient do not provide the
required ciphers and cipher suites, SecureTransport will not complete the transfer.
5 In the AS2 Shutdown Port field, type a shutdown port for the AS2 server.
6 Click Start.
7 Click Update.

Configuring SSH
If you are using SSH, specify the SSH settings for both the SecureTransport Edge and
SecureTransport Server.

To assign an SSH Port Number:


1 Select Enable Secure File Transfer Protocol (SFTP) and/or Enable Secure Copy (SCP).
2 Type a port to assign.
3 If the system SSH server is using port 22, assign a different port number. To avoid a port
conflict, you can disable SSH at the OS level or assign it a different port number instead of
changing the port number in SecureTransport.
4 Select an SSH Key Alias from the drop-down list.
Key Alias — A key alias is the name used to identify a certificate and/or key present in the
keystore. This is the alias name used when generating a certificate using the Certificate
Manager.



5 To restrict SSH (SFTP/SCP) connections to FIPS 140-2 Level 1 certified cryptographic
libraries, select the Enable FIPS Transfer Mode check box.
The sender and the recipient must use the ciphers and cipher suites listed in the
SecureTransport Administration Guide. If the sender and the recipient do not provide the
required ciphers and cipher suites, SecureTransport will not complete the transfer.
6 Click Start.
7 Click Update.
To view the SSH Server Public Key Fingerprint, click View Fingerprint.

NOTE:
View Fingerprint does not work until a key alias has been assigned and the page is updated.

Configuring the Transaction Manager Server on SecureTransport Server


For a SecureTransport Server installation, specify the ports that the Transaction Manager (TM)
listens on. These ports are used both by SecureTransport Server (internally) and by
SecureTransport Edge for communication.

To assign a TM Port number:


1 Type a port number to assign for a TM SSL Port and/or a TM Non-SSL Port.
2 Select an SSL Key Alias from the drop-down list.
Key Alias — A key alias is the name used to identify a certificate and/or key present in the
keystore. This is the alias name used when generating a certificate using the Certificate
Manager.
3 Click Start.
4 Click Update.

Configuring the Backend TM Server on SecureTransport Edge


On the SecureTransport Edge, specify the address and port number of a SecureTransport Server. This
specification allows the two-tier streaming architecture to function.

To assign a Server Host IP Address:


1 Type the IP address for the Server Host.
2 Type a TM Secure Port number or accept the default. The default setting is 4455.
3 Select an SSL Key Alias from the drop-down list.
4 Click Update.

Configuring the Proxy Server on SecureTransport Edge


On the SecureTransport Edge, specify the port for the SecureTransport proxy server. The proxy port
is used by SecureTransport Server to handle outgoing connections passed through a SecureTransport
Edge.

To assign a Proxy Port number:


1 Type a port number to assign for a Proxy Port.
2 Click Start.
3 Click Update.

Step 6 Exchange CA Certificates
This step pertains only to a two-tier architecture, where both a SecureTransport Edge and a
SecureTransport Server are being configured.
In a two-tier deployment, the SecureTransport Edge and SecureTransport Server authenticate each
other through the use of certificates. These certificates have already been created and specified in
previous steps. In this step, a trust relationship between the two servers must be set up. This setup
involves exchanging certificates between SecureTransport Edge and SecureTransport Server.
To complete this step, access to both the SecureTransport Server and SecureTransport Edge
Administration Tool must be readily available. Use a separate browser window to open each
Administration Tool.

Exporting the SecureTransport Server CA Certificate


Use the following steps to export the CA certificate from the SecureTransport Server.

To Export the SecureTransport Server CA Certificate:


1 Select 6-Exchange Certs.



2 Click the name of the certificate to export. The View Certificate dialog box displays.

3 Click Export and save the file to a location in the local system.
4 Click Close.
5 Copy the CA certificate file to the SecureTransport Edge server, if necessary.

Importing the SecureTransport Server CA Certificate


Use the following steps to import the CA certificate from the SecureTransport Server to the
SecureTransport Edge.
To Import the SecureTransport Server CA Certificate:
1 Select 6-Exchange Certs.
2 Click Import. The Import Certificate dialog box displays.

3 Type an Alias for the imported certificate. Make sure the alias is unique and different from any
other trusted CA aliases.
4 To import the certificate file:
a Select Import certificate from file and click Browse to locate the file on your local system.
Or select Paste certificate in space below to copy and paste the certificate contents.
b Click Import to import the certificate to the Edge server.
5 Click Close in the Import Certificate dialog box.
The newly imported certificate appears in the Trusted CA Certificates list.

Exporting the SecureTransport Edge CA Certificate


Use the following steps to export the CA certificate from the SecureTransport Edge.

To Export the SecureTransport Edge CA Certificate:


1 Select 6-Exchange Certs.
2 From the list of trusted CAs, click the alias that matches the CA certificate set up for the
SecureTransport Edge server in 2-Generate CA.
The View Certificate dialog box displays.

3 Click Export in the View Certificate dialog box.


4 Click Export and save the file to a location in the local system.
5 Click Close.
6 Copy the CA certificate file to the SecureTransport Server, if necessary.



Importing the SecureTransport Edge CA Certificate
Use the following steps to import the CA certificate from the SecureTransport Edge to the
SecureTransport Server.

To Import the SecureTransport Edge CA Certificate:


1 Select 6-Exchange Certs.
2 Click Import. The Import Certificate dialog box displays.

3 Type an Alias for the imported certificate. Make sure the alias is unique and different from any
other trusted CA aliases.
4 To import the certificate file:
a Select Import certificate from file and click Browse to locate the file on your local system.
Or select Paste certificate in space below to copy and paste the certificate contents.
b Click Import to import the certificate to the Edge server.
5 Click Close in the Import Certificate dialog box.
The newly imported certificate appears in the Trusted CA Certificates list.

TIP:
When you log in to SecureTransport Server as an administrator, you can access this page by
selecting Setup > Certificates > Trusted CAs.
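
The exported CA certificate is copied between machines, or pasted as text, before it becomes a trust anchor on the other tier, so it is worth confirming that what was imported is the same certificate that was exported. The following Python check is an added example, not part of this guide or of SecureTransport; the function names are hypothetical and the sample data is constructed stand-in bytes, not a real certificate.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem_text):
    """Return the DER bytes of the single certificate contained in pem_text."""
    bodies = PEM_CERT.findall(pem_text)
    if len(bodies) != 1:
        raise ValueError("expected exactly one certificate, found %d" % len(bodies))
    # Remove every whitespace character so that CRLF line endings, re-wrapped
    # lines and stray spaces from copy and paste do not change the result.
    return base64.b64decode("".join(bodies[0].split()), validate=True)


def fingerprint(pem_text):
    """SHA-256 fingerprint of the certificate's DER encoding, colon separated."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(exported_pem, received_pem):
    """True if both PEM texts encode the same certificate bytes."""
    return fingerprint(exported_pem) == fingerprint(received_pem)


def to_pem(der, width=64, newline="\n"):
    """Helper for the constructed samples below: wrap DER bytes as PEM text."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(
        ["-----BEGIN CERTIFICATE-----"] + lines + ["-----END CERTIFICATE-----", ""]
    )


# Constructed stand-in for a DER certificate (not a real certificate).
STAND_IN_DER = bytes(range(256)) * 3
# The file as exported on one tier.
EXPORTED = to_pem(STAND_IN_DER)
# The same bytes after re-wrapping, CRLF conversion and a pasted header line.
PASTED = "Subject: copied from server\r\n" + to_pem(STAND_IN_DER, 76, "\r\n") + "  \r\n"
# One byte differs: a different certificate, however similar the text looks.
ALTERED = to_pem(STAND_IN_DER[:-1] + b"\x00")

if __name__ == "__main__":
    print("exported fingerprint:", fingerprint(EXPORTED))
    print("pasted copy matches: ", same_certificate(EXPORTED, PASTED))
    print("altered copy matches:", same_certificate(EXPORTED, ALTERED))
```

Run it against the file saved in the export step and the file or pasted text used in the import step; only a matching fingerprint shows that the trusted CA entry is the intended one.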

Clean Up the Setup Account
The initial configuration of SecureTransport is now complete. As a final step, clean up the Setup
account either by removing it or by changing the password. You can use the default administrator
account for additional configuration tasks.

To clean up the Setup account:


1 Log out of the administration system.
2 Log in using the default username, admin, and the default password, admin.
3 Select Accounts > Administrators.
4 Take one of the following actions:
• Remove the Setup Administrator by clicking Delete under the Action column at the Setup
Administrator entry.
• Change the password for the Setup Administrator by clicking Edit under the Action column
at the Setup Administrator entry. Type a new password.
For best security, change the default password of the account, admin, and application
administrator accounts.
For more information on the Accounts > Administrators settings, see the SecureTransport
Administrators Guide.

NOTE:
Once you have made the configuration changes using the Administration Tool, run stop_all to
stop all SecureTransport services, then run start_all to restart them.



Additional Configuration Tasks
Depending on how you want to set up SecureTransport, there are some additional tasks you must do
after performing the initial configuration.

Setting Up Proxy Configurations


ProxyHosts can be either HTTP or SOCKS proxies. Outgoing HTTP connections use the first enabled
HTTP ProxyHost. All outgoing connections for all protocols proxy through one of the SOCKS
ProxyHosts. In SecureTransport Server you can avoid using the SOCKS proxy by editing the
configuration.xml file as shown in the following example.
<OutboundConnections connectTimeout="25" maxConnectionsPerHost="100">
    <Proxy serverHost="" serverPort="">
        <ProxyHost host="<hostname>" port="8080" enable="true" type="HTTP"/>
        <ProxyHost host="" port="" enable="false" type="SOCKS"/>
        <NonProxyHost host="<hostname>"/>
    </Proxy>
    . . .
</OutboundConnections>

To avoid using the SOCKS proxy on SecureTransport Edge:


1 Edit the file <FILEDRIVEHOME>/conf/socks.properties.
2 Locate the direct hosts section:
# directHosts should contain ;-separated list of inetaddress and ranges.
# These machines will be addressed directly rather than through
# the proxy. See range for more details, what sort of entries
# permitted and understood.

#proxy = www-proxy:1080
#directHosts = 130.220.;.unisa.edu.au;localhost
3 Add a line with the hostname of the HTTP proxy as shown in the following example:
directHosts = <hostname>;localhost
4 Save your changes.

NOTE:
Modifying the SecureTransport Edge using this method might prevent the SecureTransport
Server from using the HTTP proxy server through a firewall.
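
After editing either file, it helps to confirm which proxies are actually enabled and which destinations will be addressed directly instead of through the SOCKS proxy. The following Python audit is an added example, not part of this guide or of SecureTransport; the host names are constructed, the function names are hypothetical, and the directHosts matching rules are an assumption inferred from the commented sample line in socks.properties.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the configuration.xml fragment from the guide with the
# <hostname> placeholders replaced by example values.
CONFIG_XML = """
<OutboundConnections connectTimeout="25" maxConnectionsPerHost="100">
  <Proxy serverHost="" serverPort="">
    <ProxyHost host="webproxy.example.internal" port="8080" enable="true" type="HTTP"/>
    <ProxyHost host="" port="" enable="false" type="SOCKS"/>
    <NonProxyHost host="webproxy.example.internal"/>
  </Proxy>
</OutboundConnections>
"""

# Constructed sample of <FILEDRIVEHOME>/conf/socks.properties after step 3.
SOCKS_PROPERTIES = """\
# directHosts should contain ;-separated list of inetaddress and ranges.
#proxy = www-proxy:1080
#directHosts = 130.220.;.unisa.edu.au;localhost
directHosts = webproxy.example.internal;localhost
"""


def enabled_proxies(xml_text):
    """Return (type, host, port) for every ProxyHost with enable="true"."""
    root = ET.fromstring(xml_text)
    return [
        (p.get("type"), p.get("host"), p.get("port"))
        for p in root.iter("ProxyHost")
        if (p.get("enable") or "").strip().lower() == "true"
    ]


def direct_hosts(properties_text):
    """Return the entries of the active (uncommented) directHosts line."""
    entries = []
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "directHosts":
            # A later assignment replaces an earlier one.
            entries = [e.strip().lower() for e in value.split(";") if e.strip()]
    return entries


def bypasses_socks(host, entries):
    """Assumed matching rules: "130.220." is an address prefix,
    ".unisa.edu.au" is a domain suffix, anything else is an exact host name."""
    host = host.strip().lower()
    is_ipv4 = host.replace(".", "").isdigit()
    for entry in entries:
        if entry.endswith("."):
            if is_ipv4 and host.startswith(entry):
                return True
        elif entry.startswith("."):
            if not is_ipv4 and host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def audit(xml_text, properties_text, destinations):
    """Summarise which proxies are active and which destinations go direct."""
    entries = direct_hosts(properties_text)
    proxies = enabled_proxies(xml_text)
    return {
        "socks_enabled": any(t == "SOCKS" for t, _, _ in proxies),
        "http_proxies": [(h, p) for t, h, p in proxies if t == "HTTP"],
        "direct": [d for d in destinations if bypasses_socks(d, entries)],
        "via_socks": [d for d in destinations if not bypasses_socks(d, entries)],
    }


if __name__ == "__main__":
    hosts = ["webproxy.example.internal", "localhost", "partner.example.com"]
    for key, value in audit(CONFIG_XML, SOCKS_PROPERTIES, hosts).items():
        print(key, "=", value)
```

Because configuration.xml lives on the Server and socks.properties on the Edge, the functions take file contents as text so each file can be checked on its own tier.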

Appendix A
File System Changes When Upgrading

This appendix lists the files that are added, deleted, and modified during an upgrade from
SecureTransport 4.9 to 4.9.1. All other files are replaced.
The changes are the same on all platforms but different for SecureTransport Server and
SecureTransport Edge.
Always back up the currently running version of SecureTransport before upgrading the software to
preserve any customized files. See Upgrading SecureTransport on page 33 for more information.
Sections include:
Files Added During the Upgrade
Files Deleted During the Upgrade
Files Modified During the Upgrade

Files Added During the Upgrade
These tables list for each server type the files and directories in release 4.9.1 that did not exist in
release 4.9.

Files Added to SecureTransport Server

Directory                                     File or directory name

<FILEDRIVEHOME>/brules/local/wptdocuments/    SynchronyTransfer.xml

<FILEDRIVEHOME>/lib/jars/external/            axway-common-circularbuffer-1.1.61.jar
                                              axway-common-core-1.1.61.jar
                                              axway-sentinel-ua-1.1.61.jar
                                              cglib-2.2.jar
                                              commons-cli-1.2.jar
                                              commons-collections-3.1.jar
                                              ehcache-1.6.1.jar
                                              ehcache-jgroupsreplication-1.3.jar
                                              jta-1.1.jar
                                              jul-to-slf4j-1.5.8.jar
                                              slf4j-api-1.5.8.jar
                                              slf4j-log4j12-1.5.8.jar
                                              xercesImpl-2.9.0.jar

Files Added to SecureTransport Edge

Directory                                     File or directory name

<FILEDRIVEHOME>/lib/jars/external/            axway-common-circularbuffer-1.1.61.jar
                                              axway-common-core-1.1.61.jar
                                              axway-sentinel-ua-1.1.61.jar
                                              cglib-2.2.jar
                                              commons-cli-1.2.jar
                                              commons-collections-3.1.jar
                                              ehcache-1.6.1.jar
                                              ehcache-jgroupsreplication-1.3.jar
                                              jta-1.1.jar
                                              jul-to-slf4j-1.5.8.jar
                                              slf4j-api-1.5.8.jar
                                              slf4j-log4j12-1.5.8.jar
                                              socks_apps.jar
                                              xercesImpl-2.9.0.jar



Files Deleted During the Upgrade
This table lists the files from release 4.9 that are deleted during the upgrade to release 4.9.1.

Files Deleted from SecureTransport Edge and Server

Directory                                     File or directory name

<FILEDRIVEHOME>/lib/jars/external/            TrkApiUA.jar
                                              xerces.jar

Files Modified During the Upgrade
These tables list for each server type the files that are modified by adding release 4.9.1 information
or replacing release 4.9 information with release 4.9.1 information during the upgrade from release
4.9.

Files Modified on SecureTransport Server

Directory                                     File or directory name

<FILEDRIVEHOME>/brules/local/                 agentlist

<FILEDRIVEHOME>/brules/local/wptdocuments/    wptdocument.conf

<FILEDRIVEHOME>/conf/                         access-control.xml
                                              configuration.xml
                                              export.conf
                                              tm-log4j.xml
                                              transforms.xml

<FILEDRIVEHOME>/tomcat/admin/webapps/         plugin.xml
coreadmin/WEB-INF/plugin/applicationtypes/

Files Modified on SecureTransport Edge

Directory                                     File or directory name

<FILEDRIVEHOME>/conf/                         access-control.xml
                                              configuration.xml

<FILEDRIVEHOME>/tomcat/admin/webapps/         plugin.xml
coreadmin/WEB-INF/plugin/applicationtypes/
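
Because the upgrade rewrites files that administrators commonly customize, recording a hash of each listed file before the upgrade and comparing afterwards shows exactly which customizations need review, and whether the superseded jars were really removed. The following Python script is an added example, not part of this guide or of SecureTransport; the function names are hypothetical, the file lists are copied from the Server tables in this appendix, and the demonstration runs on a constructed temporary directory rather than a real installation.

```python
import hashlib
import os
import tempfile

# Paths relative to <FILEDRIVEHOME>, from "Files Modified on SecureTransport
# Server" and "Files Deleted from SecureTransport Edge and Server".
MODIFIED_ON_SERVER = [
    "brules/local/agentlist",
    "brules/local/wptdocuments/wptdocument.conf",
    "conf/access-control.xml",
    "conf/configuration.xml",
    "conf/export.conf",
    "conf/tm-log4j.xml",
    "conf/transforms.xml",
    "tomcat/admin/webapps/coreadmin/WEB-INF/plugin/applicationtypes/plugin.xml",
]
DELETED_BY_UPGRADE = [
    "lib/jars/external/TrkApiUA.jar",
    "lib/jars/external/xerces.jar",
]


def full_path(home, rel):
    """Join a '/'-separated relative path onto the installation directory."""
    return os.path.join(home, *rel.split("/"))


def sha256_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(home, rel_paths=MODIFIED_ON_SERVER):
    """Map each listed file to its SHA-256, or None if it does not exist."""
    result = {}
    for rel in rel_paths:
        path = full_path(home, rel)
        result[rel] = sha256_of(path) if os.path.isfile(path) else None
    return result


def changed_files(before, after):
    """Files whose content differs between two snapshots, sorted by path."""
    return sorted(rel for rel in before if before[rel] != after.get(rel))


def leftover_files(home, rel_paths=DELETED_BY_UPGRADE):
    """Files the upgrade should have deleted but that are still present."""
    return [rel for rel in rel_paths if os.path.exists(full_path(home, rel))]


def demo():
    """Run the check against a constructed directory tree, not a real install."""
    with tempfile.TemporaryDirectory() as home:
        for rel in MODIFIED_ON_SERVER + DELETED_BY_UPGRADE:
            path = full_path(home, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write("4.9 content of " + rel + "\n")
        before = snapshot(home)
        # Simulate the upgrade: two files rewritten, one old jar removed.
        for rel in ("conf/configuration.xml", "conf/access-control.xml"):
            with open(full_path(home, rel), "a") as f:
                f.write("4.9.1 addition\n")
        os.remove(full_path(home, "lib/jars/external/xerces.jar"))
        after = snapshot(home)
        return changed_files(before, after), leftover_files(home)


if __name__ == "__main__":
    changed, leftover = demo()
    print("changed by upgrade:", changed)
    print("still present:     ", leftover)
```

On a real system, save the result of snapshot() alongside the backup taken before upgrading and call changed_files() with a fresh snapshot once the upgrade finishes.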



Appendix B
Uninstalling SecureTransport

This chapter describes how to uninstall SecureTransport on all platforms.


Sections include:
Uninstalling SecureTransport on Unix-based Servers
Uninstalling SecureTransport on an Appliance
Uninstalling SecureTransport on Windows

Uninstalling SecureTransport on Unix-based Servers
This section explains how to uninstall SecureTransport from any of the supported Unix-based
platforms.

To uninstall a SecureTransport installation:


1 Run the uninstaller script by typing the following on the command line:
<FILEDRIVEHOME>/bin/utils/Uninstall

WARNING:
Do not run the SecureTransport uninstall command from within the <FILEDRIVEHOME> directory
or any subdirectories. All directories, including the <FILEDRIVEHOME> directory are deleted
during the uninstall process.

The uninstaller displays the following prompt:


Warning: You are about to remove directory [<FILEDRIVEHOME>] and its
contents!
Are you sure you want to do this? (y/n)
2 Type y and press Enter.
3 The uninstaller displays several lines of information about the process. The last line indicates
that the uninstall is complete:
Uninstall: START: <current date and time>
Stop the SecureTransport admin, ftpd, httpd, sshd, as2d, tm, db.
Stopping SecureTransport services
<FILEDRIVEHOME>/bin/stop_all -A <installation name>
Stopping admin services
Stopping ftpd services
Stopping httpd services
Stopping sshd services
Stopping as2d services
Stopping tm services
Stopping socks services
Stopping db services
Remove the SecureTransport entry from crontab.
Remove entries for [<installation name>] from the /etc/fd directory.
Remove SecureTransport start-up from the boot path.
Removing [<startup script>] and correspondent symbolic link
Remove the [<FILEDRIVEHOME>] directory.
Uninstall: DONE: <current date and time>



Uninstalling SecureTransport on an Appliance
This section explains how to uninstall SecureTransport from the supported appliances.

To uninstall a SecureTransport installation:


1 If you are not already logged in, log in to the appliance.
2 Run the uninstaller script by typing the following on the command line:
<FILEDRIVEHOME>/bin/utils/Uninstall

WARNING:
Do not run the SecureTransport uninstall command from within the <FILEDRIVEHOME> directory
or any subdirectories. All directories, including the <FILEDRIVEHOME> directory are deleted
during the uninstall process.

The uninstaller displays the following prompt:


Warning: You are about to remove directory [<FILEDRIVEHOME>] and its
contents!
Are you sure you want to do this? (y/n)
3 Type y and press Enter.
4 The uninstaller displays several lines of information about the process. The last line indicates
that the uninstall is complete:
Uninstall: START: <current date and time>
Stop the SecureTransport admin, ftpd, httpd, sshd, as2d, tm, db.
Stopping SecureTransport services
<FILEDRIVEHOME>/bin/stop_all -A <installation name>
Stopping admin services
Stopping ftpd services
Stopping httpd services
Stopping sshd services
Stopping as2d services
Stopping tm services
Stopping socks services
Stopping db services
Remove the SecureTransport entry from crontab.
Remove entries for [<installation name>] from the /etc/fd directory.
Remove SecureTransport start-up from the boot path.
Removing [<startup script>] and correspondent symbolic link
Remove the [<FILEDRIVEHOME>] directory.
Uninstall: DONE: <current date and time>

Uninstalling SecureTransport on Windows
This section explains how to uninstall SecureTransport from Windows.

NOTE:
You can also use the Add/Remove Programs option in the Control Panel to uninstall
SecureTransport Server.

To uninstall SecureTransport:
1 Prior to uninstallation, make sure the Cygwin console and all Cygwin tools, installed with your
previous SecureTransport installation, are closed - if necessary, close the Cygwin console and
tools manually.

NOTE:
Before uninstalling the SecureTransport Server on Windows, make sure that no SecureTransport
resources (such as files) are being used. Also, make sure that the Cygwin cron service is
stopped, and that no Cygwin processes (aside from the one being used by the uninstaller) are
active. In addition, if you try to uninstall SecureTransport in Windows and the <FILEDRIVEHOME>
directory or a file stored in it is in use, the uninstallation process fails.

2 Run the installer (see the section Installing on Windows on page 29). The installer displays the
following uninstallation confirmation prompt:

3 Click Yes when prompted to confirm. The installer opens a command prompt window to display
several messages before displaying the Setup Status dialog box.
4 When uninstallation is complete, the installer displays the Uninstall Complete dialog box. Click
Finish to complete the uninstallation procedure and close the wizard.

You can find logs containing details of uninstallation at C:\Documents and Settings\<User
Name>\Local Settings\Temp\{74039923-B563-4816-AE9C-BA1B47847D93}. Log files
stored here are erased when the computer is rebooted. If you want to keep the log file, copy it to a
different location.



Appendix C
Migrating SecureTransport 4.5.x to 4.9.x

This appendix describes a proposed migration plan from SecureTransport v4.5.x to SecureTransport
4.9.x. This information is provided “as-is” as guidelines and an aid to your migration planning.
Sections include:
Migration Requirements
Migration Tasks
Migration Sequence

Migration Requirements
Review the following points before you plan your migration:
• The following utilities are no longer available: gencerts, class, config, and pass.
• AS2 partnerships no longer have outbox/send, outbox/failed, and other subdirectories. In
SecureTransport 4.9.x, all items are located in the outbox folder of the SiteMailbox application
associated with the user account for the AS2 partnership.
• All SecureTransport 4.5.x agents have been replaced by new built-in agents which work for
SecureTransport 4.7 and later.
• Inventory all agents, applications, configuration, and other items that your IT and business
groups, Tumbleweed Professional Services, the Axway Professional Services Organization, or
any third parties must migrate. Plan and schedule the required tasks.
• Make sure the planned completion date of the migration is consistent with your rollout plans for
your current configuration and your future configuration and deployment.
• Run SecureTransport 4.9.x in parallel with your current SecureTransport 4.5.x production
system for at least two months. Use this time to gain an understanding of SecureTransport 4.9.x,
learn how to use the new features, and gain confidence in its performance, scalability, stability,
and reliability while you implement your required functionality on SecureTransport 4.9.x.
• Minimize the down time of your production SecureTransport system when switching from
SecureTransport 4.5.x to 4.9.x.
• Include a back-out plan to make sure that you can quickly switch from your new
SecureTransport 4.9.x system to your previous SecureTransport 4.5.x production system.



Migration Tasks
The following table describes tasks for migrating from SecureTransport 4.5.1 to 4.9.x.
Table C.1: Migration Tasks

Task Description

Task: Reassess and coordinate overall requirements and objectives
Description: Since the release of SecureTransport 4.5.x, there has been one major release (4.6.0)
and several feature or maintenance releases culminating in SecureTransport 4.9.1. In light of these
releases, reassess your overall requirements and objectives.
Do not port your 4.5.1 work to SecureTransport 4.9.x without considering how you can meet your
requirements and objectives by effectively using the features added to SecureTransport since 4.5.x
and coordinating your requirements and implementation plans with SecureTransport 4.9.x
functionality. This appendix uses “coordinate” for this process.

Task: Rewrite Perl agents as Java in-process agents
Description: Because the performance of external agents written in Perl is a very significant cause
of performance issues with SecureTransport, to gain the benefits of the performance improvements
that SecureTransport 4.9.x provides, reimplement all Perl agents in Java either using your
development staff or by partnering with the Professional Services Organization.

Task: Reassess and coordinate security requirements
Description: Engage with the Professional Services Organization and other technical resources to
revisit the requirements of your IT Security Audit team and to determine how SecureTransport 4.9.x
meets those requirements or must be customized to meet them.

Task: Coordinate and implement user interface (UI) changes
Description: Considering the extensive UI changes in SecureTransport 4.6 and additional changes
made in the other releases, engage with the Professional Services Organization and other technical
resources to reassess any changes you or the Professional Services Organization has made to 4.5.x
and coordinate that work with SecureTransport 4.9.x.

Task: Reassess and coordinate PGP additions
Description: SecureTransport 4.6.x added PGP encryption. Determine if this encryption feature
meets your requirements. Plan any custom work necessary to meet your requirements.

Task: Migrate system, account, and user configuration
Description: Using SecureTransport 4.5.x commands, extract system, account, and user
configuration and create XML files that SecureTransport 4.9.x can import. SecureTransport 4.9.x
can import some or all of this configuration.

Task: Migrate certificates
Description: Move the certificates from SecureTransport 4.5.1 to 4.9.x.

Task: Migrate rules packages
Description: If your SecureTransport 4.5.x implementation includes any custom rules packages you
created, make sure the precedence level for each rule follows the new precedence level settings.
For more information about precedence levels and creating custom rules, see the SecureTransport
Developers Guide. Also, modify the custom rules that use built-in agents and remove these agents.
Note:
• Do not copy 4.5.x agents to your 4.9.x system.
• Do not modify a 4.9.x agent. If necessary, copy the agent and modify the copy.

Task: Migrate work from the Professional Services Organization
Description: Make sure that the Professional Services Organization migrates all custom code and
related work built by the Professional Services Organization for your implementation of
SecureTransport 4.5.x.

Task: Check the high availability or high capacity clustered deployment
Description: Log in to your Primary node using the Administration Tool. If you do not see the
Synchronize button, follow the steps for high availability clustered deployment in the
SecureTransport Administrators Guide.

Migration Sequence
The following procedure outlines an example sequence for migrating from SecureTransport 4.5.1 to
4.9.x.

To migrate from SecureTransport 4.5.1 to 4.9.x:


1 Deploy a parallel system running SecureTransport 4.9.x. Gain experience using the new release.
Start testing and certification.
2 Complete the tasks listed in Table C.1 on page 77.
3 For a high availability or high performance clustered deployment, migrate the secondary
servers. Then, log in to your Primary node using the Administration Tool. If you do not see the
Synchronize button, follow the steps for high availability clustered deployment in the
SecureTransport Administrators Guide.
4 Collect performance, scalability, and reliability information.
5 Conclude testing, certification, and running of the parallel system.

Appendix D
Tumbleweed Appliance SAN Card

This chapter describes how to configure the optional SAN card for the Tumbleweed Appliance and
gives its specifications.
Sections include:
• Configuring the SAN Card
• SAN Fibre Card Specifications
Configuring the SAN Card
The ST5620, ST5720, ST6620, and ST6720 appliances can be configured with an optional SAN card.
This section explains how to configure the card to use OCFS2 and how to set up OCFS2. Use OCFS2
when you want to set up a cluster with the SAN card.
To learn more about OCFS2, go to www.novell.com/documentation and search on the word OCFS2.
For best results when using OCFS2 and the SAN Device:
• Do not install SecureTransport on an OCFS2 volume.
• Place all the user home directories on an OCFS2 volume.
• Make sure that the port number specified in the cluster.conf file for OCFS2 is accessible
between all the nodes in the cluster.
For SAN card specification information, see SAN Fibre Card Specifications on page 80.

Configuring the SAN Card for OCFS2


Before you can use OCFS2 with the SAN card, you must configure the device.

To configure the SAN device:


1 Initialize, carve, or configure RAIDs on the SAN disks as needed to prepare the devices you
plan to use for your OCFS2 volumes. Leave the devices as free space.
2 Use a SAN-supported utility to register the SecureTransport appliance with your SAN device. If
you do not already have a utility, contact your SAN vendor for more information.
3 On the SAN device, assign virtual disk space to the registered appliance.
For best results, use a utility to provide multiple path I/O capabilities and automatic load balancing.
If you do not already have a utility that does this for your SAN card, contact your SAN vendor for
more information.

TIP:
When configuring SecureTransport user home directories, make sure to store them on an
OCFS2 volume that all nodes in the cluster have access to. See the SecureTransport
Administrators Guide for user home configuration.

Configuring the Disk Heartbeat


The O2CB cluster service (o2cb) uses the disk heartbeat to communicate node status. The heartbeat
system file is stored on the SAN to make it available to all nodes in a cluster. The file has block
assignments that correspond sequentially to the slot assignment for each node. Every node reads and
writes to the appropriate block at a two-second interval. A node is considered offline if it does not
write to the file after a specific number of sequential intervals, known as the heartbeat threshold. The
default O2CB heartbeat threshold value is set to 9, which translates into 16 seconds. To determine the
total maximum wait time, use the heartbeat threshold value, subtract 1, then multiply the remainder
by 2 as shown in the following formula:
(O2CB_HEARTBEAT_THRESHOLD value - 1) * 2 = threshold in seconds

Using the formula, you can determine the wait time using the heartbeat threshold setting of 9:
(9 - 1) * 2 = 16 seconds

You can change this setting by modifying the file /etc/sysconfig/o2cb.
While OCFS2 does not use much bandwidth, it does require the nodes to be alive on the network and
sends regular keepalive packets to ensure that they are. To avoid a network delay being interpreted as
a node disappearing from the network, which could lead to the node fencing itself, a private
interconnect is recommended.
In a two-node configuration, a crossover cable can be connected to the second NIC in the appliance
to establish a direct link. If your cluster has more than two nodes, it is recommended that you
connect the second NIC of the appliance to a network switch. Use the YaST configuration utility to
change the IP address of the second NIC.

Configuring an Automatic Reboot in Case of a Kernel-panic


In case of a kernel-panic the system can be configured to automatically reboot. To automatically
reboot the system 60 seconds after a panic, add the following line to the end of the
/etc/sysctl.conf file:
kernel.panic = 60

Configuring OCFS2 Services


Before you can create OCFS2 volumes, you must configure OCFS2 services. This section describes
how to edit the /etc/ocfs2/cluster.conf file, copy the cluster.conf file to all nodes, and
create and start the O2CB cluster service (o2cb).

To configure cluster services:


1 Log in as the root user or equivalent on the appliance.
2 If you have not yet enabled the O2CB cluster service, type chkconfig --add o2cb.
When you add a new service, chkconfig ensures that the service has either a start or a kill entry
in every run level.
If you have not yet enabled the OCFS2 service, type chkconfig --add ocfs2.
3 Configure the O2CB cluster service driver to load when you start the appliance.
a Type /etc/init.d/o2cb configure.
The message Load O2CB driver on boot (y/n) [y]: displays.
b Press Enter to accept the request.
The message Cluster to start on boot (Enter “none” to clear) [ocfs2]: displays.
c Press Enter to accept the request. If you do not want to name the cluster ocfs2, type a new
cluster name and then press Enter to save the cluster name. The cluster name is also specified
in the /etc/ocfs2/cluster.conf file.
4 Edit the /etc/ocfs2/cluster.conf file to specify your nodes.
Make this file the same on all the nodes in the cluster. Use the following steps to set up the first
node. Later, you can copy the cluster configuration file to all other nodes.
Every time you change settings, such as the cluster name and IP address, all nodes must have the
same cluster configuration file and the cluster must be restarted for the changes to take effect.
a Edit the cluster configuration file using a text editor such as vi.

b Edit the IP address, host name, and IP port number (the default port number is 7777), if
required for each node. If you changed the cluster name from the default of ocfs2, make
sure it is the same for all nodes. If you did not configure the o2cb driver using the correct
cluster name, you need to reconfigure the cluster driver using the new cluster name.
c Add additional nodes by copying and pasting the node section and modifying it for each new
node. The name setting for each node must match the hostname. The node_count setting
for the cluster needs to contain the total number of nodes in the cluster.
node:
	ip_port = 7777
	ip_address = 192.168.1.1
	number = 0
	name = localhost1
	cluster = ocfs2
node:
	ip_port = 7777
	ip_address = 192.168.1.2
	number = 1
	name = localhost2
	cluster = ocfs2
cluster:
	node_count = 2
	name = ocfs2
d Save the file and copy it to all the nodes in the cluster.
5 Restart the O2CB cluster service for the changes to take effect.
Type /etc/init.d/o2cb stop to stop the cluster service.
Type /etc/init.d/o2cb start to restart the cluster service.
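
The consistency rules from steps 4b and 4c above, together with the disk heartbeat formula given earlier in this appendix, as an added example that is not part of the guide or of the product's own tooling. It checks a cluster.conf for required settings, unique node number, name and address, a matching node_count and cluster name, and a node entry for the local hostname, and converts O2CB_HEARTBEAT_THRESHOLD to seconds and back; the function names are assumptions and the sample file is constructed from the listing above.

```shell
#!/bin/sh
# Added example, not from the guide. Function names are illustrative.

# Constructed sample: the two-node cluster.conf listing from the guide.
sample_cluster_conf() {
cat <<'EOF'
node:
	ip_port = 7777
	ip_address = 192.168.1.1
	number = 0
	name = localhost1
	cluster = ocfs2
node:
	ip_port = 7777
	ip_address = 192.168.1.2
	number = 1
	name = localhost2
	cluster = ocfs2
cluster:
	node_count = 2
	name = ocfs2
EOF
}

# check_cluster_conf FILE [HOSTNAME]
# Prints one ERROR line per problem; returns 0 if consistent, 1 otherwise.
check_cluster_conf() {
    awk -v host="${2:-$(hostname)}" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function err(msg) { print "ERROR: " msg; bad = 1 }
    # Close the stanza collected so far and record what the END checks need.
    function end_stanza(   i, k) {
        if (kind == "node") {
            n++
            for (i = 1; i <= nreq; i++)
                if (!(req[i] in cur)) err("node stanza " n ": missing " req[i])
            # number, name and ip_address must each be unique across nodes
            for (i = 1; i <= nuniq; i++) {
                k = uniq[i]
                if (!(k in cur)) continue
                if ((k, cur[k]) in seen) err("duplicate " k " " cur[k])
                seen[k, cur[k]] = 1
            }
            if ("cluster" in cur) node_cluster[n] = cur["cluster"]
        } else if (kind == "cluster") {
            have_cluster = 1; cname = cur["name"]; count = cur["node_count"]
        }
        split("", cur); kind = ""
    }
    BEGIN {
        nreq  = split("ip_port ip_address number name cluster", req, " ")
        nuniq = split("number name ip_address", uniq, " ")
    }
    /^[ \t]*$/ { next }
    /^[ \t]*(node|cluster):[ \t]*$/ {
        end_stanza(); kind = trim($0); sub(/:$/, "", kind); next
    }
    {
        eq = index($0, "=")
        if (eq == 0 || kind == "") { err("line " NR ": unexpected text"); next }
        cur[trim(substr($0, 1, eq - 1))] = trim(substr($0, eq + 1))
    }
    END {
        end_stanza()
        if (!have_cluster) err("no cluster stanza")
        else {
            if (count + 0 != n)
                err("node_count is " count " but " n " node stanzas are present")
            for (i = 1; i <= n; i++)
                if ((i in node_cluster) && node_cluster[i] != cname)
                    err("node stanza " i ": cluster " node_cluster[i] " is not " cname)
        }
        if (!(("name", host) in seen))
            err("hostname " host " does not match any node name")
        exit bad + 0
    }' "$1"
}

# heartbeat_timeout_seconds FILE
# Reads O2CB_HEARTBEAT_THRESHOLD from an o2cb sysconfig file (9 when unset,
# the default the guide gives) and prints (threshold - 1) * 2.
heartbeat_timeout_seconds() {
    t=$(awk -F= '$1 == "O2CB_HEARTBEAT_THRESHOLD" { v = $2; gsub(/[^0-9]/, "", v) }
                 END { print v }' "$1")
    echo $(( (${t:-9} - 1) * 2 ))
}

# threshold_for_seconds N: the same formula inverted, rounded up so that the
# resulting wait time is at least N seconds.
threshold_for_seconds() {
    echo $(( ($1 + 1) / 2 + 1 ))
}

# Demo on the constructed sample.
tmp=$(mktemp) && sample_cluster_conf > "$tmp"
check_cluster_conf "$tmp" localhost1 && echo "cluster.conf is consistent"
echo "default heartbeat wait: $(heartbeat_timeout_seconds /dev/null) seconds"
rm -f "$tmp"
```

Run check_cluster_conf /etc/ocfs2/cluster.conf on each node after copying the file; with no second argument it compares against the output of hostname on that node.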

Creating an OCFS2 Volume


Create an OCFS2 file system on only one of the nodes in the cluster. Also, add new nodes to the
clusters on only one node in the cluster.
1 Bring the OCFS2 cluster online by typing the following command:
/etc/init.d/o2cb online <ocfs2>
where <ocfs2> is the name of your OCFS2 cluster.
The OCFS2 cluster must be online since the format operation must verify that the volume is not
mounted on any of the nodes in the cluster.
2 Create a partition on the virtual disk using fdisk. For information about the syntax for this
command, see the fdisk man page.
3 Create and format the volume using mkfs.ocfs2. For information about the syntax for this
command, see the mkfs.ocfs2 man page.
For example, type mkfs.ocfs2 -b 4K -C 128K -L mylabel /dev/foo

See the following table for a description of the options available with mkfs.ocfs2.

OCFS2 parameter: Volume label (-L)
Description and recommendation: A descriptive name for the volume to make it uniquely identifiable
when it is mounted on different nodes.
Use the tunefs.ocfs2 utility to modify the label as needed.

OCFS2 parameter: Cluster size (-C)
Description and recommendation: Cluster size is the smallest unit of space allocated to a file to
hold the data. You can choose between 4, 8, 16, 32, 64, 128, 256, 512, and 1024 KB.
The cluster size cannot be modified after the volume is formatted.
If you plan to use the volume to store large files such as database files, a cluster size of 128 KB
or more is recommended. For smaller files, you can use anything from 16 to 64 KB.

OCFS2 parameter: Number of node slots (-N)
Description and recommendation: The maximum number of nodes that can concurrently mount a volume.
On mounting, OCFS2 creates separate system files, such as journals, for each node. Nodes that
access the volume can be a combination of architectures such as x86, x86-64, ia64, ppc64 and s390x.
Node-specific files are called local files. A node slot number is appended to the local file. For
example: journal:0000 is the local file for the node assigned to slot number 0.
Set the maximum number of node slots for each volume when you create it, based on the number of
nodes that will concurrently mount the volume. Use the tunefs.ocfs2 utility to increase the number
of node slots as needed. However, you cannot decrease the number of node slots.

OCFS2 parameter: Block size (-b)
Description and recommendation: The smallest unit of space addressable by the file system. Specify
the block size when you create the volume.
Options include 512 bytes (not recommended), 1 KB, 2 KB, or 4 KB. 4 KB is the recommended size for
most volumes. The block size cannot be modified after the volume is formatted.

Mounting an OCFS2 Volume


The following steps show you how to mount an OCFS2 volume.

To mount an OCFS2 volume:


1 Bring the OCFS2 cluster online by typing the following command:
/etc/init.d/o2cb online <ocfs2>
where <ocfs2> is the name of your OCFS2 cluster.
The OCFS2 cluster must be online since the format operation must verify that the volume is not
mounted on any of the nodes in the cluster.
2 From the command line, use the mount command to mount the volume.

3 To auto-mount the SAN virtual disk space, do the following:
a Edit the file /etc/init.d/SANmount and modify the virtual device name and mount point
appropriately. The placeholders in angle brackets show where to modify the file:
#! /bin/sh
. /etc/rc.status
# First reset status of this service
rc_reset
echo -n "Accessing SAN mount point ..."
mount /dev/<SAN LUN> /<mount point>
# Remember status and be verbose
rc_status -v
rc_exit
b To activate auto-mounting of the SAN volume when booting the system, type the following
command:
chkconfig SANmount on

SAN Fibre Card Specifications


This section describes the optional SAN card that can be used with the ST5720 and ST6720
appliances.

NOTE:
This card is only offered when you purchase the appliance; it is not available separately.

The following information is provided to help you use the SAN card properly.
• The optional SAN card is a QLogic SANblade QLE2462. Make sure you only connect
compatible SAN devices to this card. For a list of compatible devices, contact QLogic at
http://www.QLogic.com.

TIP:
To see the full datasheet for the SANblade QLE2462, go to the QLogic web site at
http://www.QLogic.com/EducationAndResources/DataSheetsResourcelibrarySan.aspx.

• The card is dual-channel (Dual Port 4-Gbps Fibre Channel (FC) to PCI Express Host Bus
Adapter [HBA])
• Bus Interface: PCI Express x4
• Data Rate: 4/2/1 Gbps auto-negotiation (4.2480/2.1240/1.0625 Gbps)

Appendix E
Maintaining Your Tumbleweed Appliance

This section describes typical operation and maintenance procedures for your Tumbleweed
Appliance.
Sections include:
• Powering Up, Shutting Down, or Rebooting
• Reconfiguring the Appliance
Powering Up, Shutting Down, or Rebooting
Use the following procedures to power up your Tumbleweed Appliance, shut it down, or reboot it.

Powering Up the Appliance


See the Axway Appliance Quick Start card.

Powering Down the Appliance

To shut down the appliance gracefully:


• Press the Power button and then release it. This starts a graceful, safe operating system
shutdown.

To force a shutdown:
• If the appliance is “hung” for a long period or does not respond to pressing the Power button
momentarily, press and hold down the Power button. This forces the appliance to shut down
immediately.

WARNING:
Forcing a shutdown (pressing and holding the Power button, pulling the AC power cord, or an
unexpected power loss) can cause data loss and render the appliance inoperable. In installations
where there can be occasional power dropouts, an uninterruptible power supply (UPS) is
recommended.

Rebooting the Appliance

NOTE:
Do not pull the AC power cord or force a shutdown and turn the appliance back on to reboot. This
could cause damage to the appliance hard drives and render the appliance inoperable.

To reboot your appliance:


• Shut down the appliance gracefully by pressing the Power button momentarily. Turn it back on
after it has shut down completely by pressing the Power button momentarily.

Reconfiguring the Appliance
Use the following information to reconfigure the network settings for your Tumbleweed Appliance.

Reconfiguring Network Settings


Before proceeding, you must have the following information:
• New IP address to be assigned to the appliance
• Subnet mask of your network
• Gateway/router IP address
You can change the IP address for your SecureTransport appliance using YaST from the following
places:
• From the appliance after connecting a VGA monitor and USB keyboard
• From the Dell Remote Access Controller (DRAC)
Use the YaST configuration utility to perform system configuration functions, such as network
settings and routes. For information about YaST, visit:
http://www.novell.com/documentation/oes/sles_admin/data/cha-yast-text.html

Glossary

Account – Contains information about a user or an internal system that processes SecureTransport
file transfers. SecureTransport supports two kinds of accounts: user and service.
Action – An action is a set of agents that are triggered when certain conditions are met. Actions can
be either agents written in Java which allow in-process sharing of information between agent
invocations or an external mechanism used to integrate with agents written in scripting languages
such as Perl or Python. Such actions can be performed through a shell mechanism.
Agent – Code that implements all or part of the business logic associated with an event.
Agent interface – The set of inputs and outputs used during agent execution.
Apache – The Apache HTTP Server.
Application framework – SecureTransport provides an application framework in which you can
create runtime and post-process workflow to automate file processing. The SecureTransport
application framework includes user and service accounts, applications, subscriptions, and transfer sites.
Availability – The degree to which a system suffers degradation or interruption in its service to the
customer as a consequence of failures of one or more of its parts.
Certificate – SecureTransport supports three types of certificates: login, partner, and private. Login
certificates are used to log in to SecureTransport servers. Partner certificates are used for encrypting
PGP and AS2 data to an account and verifying the signature of data. Private certificates are used for
decrypting and signing PGP and AS2 data.
Certificate Authority – CA. Also called a Trusted Third Party. An entity (typically a company)
that issues digital certificates to other entities (organizations or individuals) to allow them to prove
their identity to others.
Certificate Signing Request (CSR) – An unsigned certificate for submission to a Certification
Authority, which signs it with the Private Key of the CA Certificate. Once the CSR is signed, it
becomes a real certificate.
Cluster Model – A group of associated SecureTransport servers is known as a cluster. A cluster
contains one primary server (machine) and one or more secondary servers. The primary server
retrieves items from the internal SecureTransport Event Queue and distributes them among the
secondary servers. When the primary server goes down, a secondary one takes over assuring the high
availability of SecureTransport services.
Condition – A boolean expression that contains a comparison condition or a condition function. A
condition can examine events and event attributes.
Condition function – A Java class that evaluates input parameters and returns a true or false value
depending on the result such as a class that parses an Electronic Data Interchange (EDI) file and
compares the value of a data element with a string.

Cygwin – Cygwin provides a Linux-like environment for Windows. SecureTransport uses the
Cygwin monitor and tools.
DMZ – Demilitarized Zone. A network area that sits between an organization's internal network and
an external network, usually the Internet.
DN – Distinguished Name. A name that uniquely defines a directory entry within an LDAP database
and locates it within the directory tree. A DN is similar to a fully-qualified file name in a file system.
DNS – Domain Name Server. A general-purpose distributed, replicated, data query service chiefly
used on the Internet for translating hostnames into Internet addresses.
Event – An occurrence or happening that is significant to a task or program, such as the completion
of an input/output operation.
External Agent – An agent executed by the Transaction Manager through a separate process.
Those agents can be written in any programming language.
FIPS – Federal Information Processing Standards. Published by the National Institute of Standards
and Technology (NIST), these standards are used by all non-military government agencies and
contractors. All computer-related products purchased by the US Government must conform to FIPS
requirements.
Firewall – A piece of hardware or software functioning in a networked environment to prevent
communications forbidden by the security policy. A firewall has the basic task of controlling traffic
between different zones of trust. Typical zones of trust include the Internet (a zone with no trust) and
an internal network (a zone with high trust).
FQDN – Fully qualified domain name. The unique name of a network entity, consisting of a
hostname and a domain name that can resolve to an IP address.
In-process Agent – An agent written in Java directly executed by the Transaction Manager Java
Virtual Machine.
When the SecureTransport Server is first set up, you must select a keystore password.
LDAP – Lightweight Directory Access Protocol. A networking protocol for querying and modifying
directory services running over TCP/IP.
Load Balancing – A technique used to spread work between many processes, computers, disks or
other resources.
OpenSSL – Open Source toolkit for SSL/TLS.
Package – A group of related rules.
PEM – Privacy Enhanced Mail (PEM) is an early form of message security and authentication that
uses public key encryption. PEM requires a public key infrastructure (PKI). SecureTransport
provides the PKI environment for PEM security.
PGP Key Encryption – A hybrid of conventional and public key cryptography, PGP key
encryption provides a high level of transaction security. PGP takes a plaintext message,
compresses it, and generates a random number session key. Then, a fast, secure encryption algorithm
is used to encrypt the plaintext into ciphertext. After the encryption, the session key is additionally
encrypted to the receiver’s public key. The resulting key-encrypted session key is sent with the
ciphertext to the receiver. At the receiving end, the process is reversed. The receiver’s PGP copy
uses the associated private key to decrypt the ciphertext.
Precedence – A number higher than 0 used to determine which rules are executed when the
conditions match more than one rule. The lower the number, the higher the precedence. Rules with
the highest precedence are executed. If you need to have multiple actions fire in a certain order under
the same set of conditions, you should use one rule with multiple actions in sequence.

Private Key – Secret key in a Public Key Cryptography system, used to decrypt incoming
messages and sign outgoing ones.
Protocol server – A server that implements one of the protocols supported by SecureTransport.
Proxy – An intermediate server that sits between the client and the origin server. It accepts requests
from clients, transmits those requests on to the origin server, and then returns the response from the
origin server to the client.
Public Key – The publicly available key in a Public Key Cryptography system, used to encrypt
messages bound for its owner and to decrypt signatures made by its owner.
RPM – Formerly known as the Red Hat Package Manager, RPM is a package management system
with a proprietary package file format that is used for installs, updates, and uninstalls.
Root Certificate – An unsigned public key certificate, or a self-signed certificate, that is part of a
public key infrastructure scheme based on the ISO X.509 standard. The certificate includes a digital
signature from a certificate authority (CA) which vouches for correctness of the data contained in a
certificate.
Rule – An association between a condition and a set of agents to be executed.
Rule Package – See Package.
Scalability – Indicates the capability of a system to increase total throughput under an increased
load when resources are added.
Secure Sockets Layer (SSL) – A protocol created by Netscape Communications Corporation
for general communication authentication and encryption over TCP/IP networks. The most popular
usage is HTTPS, i.e. the Hypertext Transfer Protocol (HTTP) over SSL.
SecureTransport Administration Tool – The administrative application accessed through a
web browser for SecureTransport Edge servers and SecureTransport Servers.
SecureTransport Edge – A multi-protocol file transfer gateway used for multi-tier security
architecture deployments of SecureTransport. It enables secure demilitarized zone (DMZ) streaming
of file transfer data to prevent storing sensitive information in the DMZ.
SecureTransport Server – A centrally managed system for monitoring and managing secure file
transfer activity across multiple file transfer sites or applications.
Subscription – Determines how files are submitted to and received from applications.
State Variable – A variable used by agents to coordinate processing within a user session.
Transport Layer Security (TLS) – Successor protocol to SSL for general communication
authentication and encryption over TCP/IP networks.
Transaction Manager (TM) – An agent execution framework used for application integration in
SecureTransport.
Transfer Site – Location such as a local folder or protocol server used by SecureTransport to pull
data from or send data to during a transfer.
Uniform Resource Locator (URL) – Name and/or address of a resource on the Internet. This is
the common informal term for what is formally called a Uniform Resource Identifier. URLs are
usually made up of a scheme, like http or https, a hostname, and a path.
Uniform Resource Identifier (URI) – A compact string of characters for identifying an abstract
or physical resource. URIs are commonly referred to as URLs.
X.509 – An authentication certificate scheme used for SSL/TLS authentication.
