Configuring FTPS Publishing

Configuring FTPS Publishing

* Updated for patch level 732_20191021 *

Registering a Delivery Type for FTPS Publishing

 Delivery Types are added in the 'Delivery Types' section of the 'Publishing Design' user interface in Rhythmyx. 

Steps to Register the Delivery Type

1. Login into Rhythmyx using the browser.
2. Click the tab for 'Publishing Design'.
3. On the left menu, choose 'Delivery Type'.
4. Then on the center of the page, choose Action > Create Delivery Type.
5. Provide a name for this Delivery Type, for eg: ftps
6. For the 'Spring Bean Name' field provide the value - sys_ftpsDeliveryHandler
7. Click Save.
8. Make the required changes in the site registration and content list(s) for publishing using this new delivery type.

Configuring the Delivery Type Definition

Delivery Types are configured by modifying the publisher-beans.xml file in the Rhythmyx configuration.  This file can be found in the following locations:

Jetty

<Rhythmyx>/jetty/base/webapps/Rhythmyx/WEB-INF/config/user/spring/publisher-beans.xml

JBOSS

<Rhythmyx>/AppServer/server/rx/deploy/rxapp.ear/rxapp.war/WEB-INF/config/user/spring/publisher-beans.xml

FTPS Bean Definition

Add the following bean definition to enable the FTPS delivery type.

<bean id="sys_ftpsDeliveryHandler" class="com.percussion.rx.delivery.impl.PSFtpsDeliveryHandler">
<property name="transactional" value="true"/>
<property name="implicitMode" value="false"/>
<property name="usePassiveMode" value="true"/>
<property name="useClientMode" value="true"/>
<property name="useEPSVwithIPv4" value="true"/>
<property name="usePrivateDataChannel" value="true"/>
<property name="controlKeepAliveTimeout" value="300" />

</bean>

Available Properties

<property name="timeout" value="-1"/>

defaults to -1 as not defined. It is the socket timeout in milliseconds for both when opening a socket and a currently open connection.
 

<property name="usePassiveMode" value="true"/>

Defaults to true.  Determines if using passive or active mode for the FTPS client.  Defaults to use passive mode. If using passive mode is on, then it will also disable the remote verification.  In most network environments this setting should typically be set to true. 

<property name="usePrivateDataChannel" value="true"/>

Defaults to true for FTPS.  Determines if the client requires a private / secure channel for ftp data connections.

<property name="connectTimeout" value="true"/>

Defaults to 0 as not defined.  Sets the connection timeout in milliseconds, which will be passed to the Socket object's connect() method.

<property name="activePortRange" value="0-65000"/>

Defaults to 0 as not defined.  If using active FTP mode (the default), then this will configure the port range that the Percussion FTP client will use for active data connections to the remote FTP servers data and connection port.  Must be set in following format: <startport>-<endport> e.g. 60000-60001

<property name="transactional" value="true"/>

Determines if the content will be published in a transaction where all the content items are created and written to temporary files before they are written to the target.  If false each item is written to the target as it is created.

<property name="implicitMode" value="false"/>

Determines if the FTPS connection will connect via implicit mode.  If the FTPS server is running on port 990 this setting should be set to true.

<property name="useClientMode" value="true"/>

Determines if the FTPS client operates in client or server to server mode.  Should generally be set to true.


<property name="useEPSVwithIPv4" value="true"/>

Enables support for extended passive mode. Should be set to true unless the remote FTPS implementation does not support EPS.


<property name="usePrivateDataChannel" value="true"/>

Should be true for secure FTPS connections.


<property name="controlKeepAliveTimeout" value="300" />

In some network environments routers/firewalls may close active control channel connections if they do not see activity on the control channel (for example a large file is being transferred on transmission ports).  This keep alive attempts to prevent this closure by periodically sending a NOOP over the control channel.  Default is 300 seconds (5 minutes).

<property name="maxRetries" value="10" />

Currently not implemented.  When implemented sets the maximum number of times a transfer will be attempted before it is failed.

<property name="bufferSize" value="0" />

Defaults to 8096 (8k) when set to a non positive value.  The size of the buffer used when transferring data.  Increasing the buffer size may improve FTPS performance during file transfers.

 Setting FTPS Connection Settings

FTP, FTPS, and SFTP server details are configured by editing the 'Site' in 'Publishing Design' area of the Rhythmyx user interface. 

 Implicit vs Explicit Mode

Microsoft IIS FTPS supports two modes of operation.  The default is explicit mode and can be configured on the typical port 21, in explicit mode, a plain socket connection is made to the FTPS server, after which the server responds with what features will use TLS security.  Implicit mode is configured by configuring the FTPS server to listen on port 990.  In implicit mode the connection is always TLS.  

Troubleshooting Firewall & Network Configuration

Troubleshooting FTPS implementations can involve several layers of firewalls and network issues. 

Troubleshooting example:

FTPS with FTPS configured on port 990, passive port range of 5020-5021

Windows IIS FTPS Server Configuration

1.) In the ROOT of IIS Configuration set the FTPS Firewall Settings to match the IP address that percussion will use to contact the FTPS server.  

2.) Set the port range to be 5020-5021

3.) Save the ROOT IIS FTPS Firewall Settings.

4.) In the FTPS site of the IIS configuration, set the FTPS Firewall settings IP address to match the IP address that percussion will use to contact the FTPS server.

5.) In Windows Firewall. Add the following INBOUND rules:

TCP 990 In Allowed - FTPS In

TCP 5020-5021 Allowed FTPS Passive In

6.) In Windows Firewall.  Add the following OUTBOUND rules:

TCP 990 Out Allowed - FTPS Out

TCP 5020-5021 Out Allowed  - FTPS Passive Out.

7.)  Save the windows firewall settings.

 On the Percussion Server:

1.) In Windows Firewall. Add the following INBOUND rules:

TCP 990 In Allowed - FTPS In

TCP 5020-5021 Allowed FTPS Passive In

2.) In Windows Firewall.  Add the following OUTBOUND rules:

TCP 990 Out Allowed - FTPS Out

TCP 5020-5021 Out Allowed  - FTPS Passive Out.

3.)  Save the windows firewall settings.

4.) Edit the jetty/base/webapps/Rhythmyx/WEB-INF/config/user/spring/publisher-beans.xml file.

There should be one bean defined for the FTPS delivery type.  Replace it with the following:

<bean id="sys_ftpsDeliveryHandler" class="com.percussion.rx.delivery.impl.PSFtpsDeliveryHandler">
<property name="transactional" value="true"/>
<property name="implicitMode" value="true"/>
<property name="usePassiveMode" value="true"/>
<property name="useClientMode" value="true"/>
<property name="useEPSVwithIPv4" value="true"/>
<property name="usePrivateDataChannel" value="true"/>
<property name="controlKeepAliveTimeout" value="300" />

</bean>

Note:  Make sure that there are no backup files under the spring folder.  If you prefer to keep the backup of the publisher-beans.xml file, it must be kept outside of Rhythmyx folder.

5. Save the file and restart the Percussion service.

6. Log into to Percussion and in publishing design for the specified site confirm that the additional site details have the correct IP address of the remote FTPS server and correct port. 

7. Confirm that the content lists that are to  be used are configured for the FTPS delivery type.

8. Run publishing.  Review results in the publishing log.  

If FTPS publishing is not working, debug logging logging can be enabled.  See the logging page for more information.

NOTE:

As a System Administrator it is a common practice to backup a configuration file when making changes to it.  Normally this is a good practice.  When working with files in the WEB-INF/config/folder structure like the config/user/beans/publisher-beans.xml file, it is important to make sure that you do not save a backup of the file in this folder tree.  We recommend either using XML comments <!-- commented stuff --> in the files, or to save the backup to a different location.  The product processes all files that exist in this special config folder tree as active configuration files to support 3rd party or customer created Java extensions.  If a backup file is located in these directories, it will be processed as a valid and active configuration, and may overwrite your intended production config.  To avoid troubleshooting headaches, either use XML comments, or backup to a different location.