Managing Virtual Folders

IBM webMethods Managed File Transfer enables you to create a Virtual File System (VFS) to provide an abstract view of resources in your remote FTP and SFTP servers. This capability enables users and client applications to access a variety of file structures in a uniform way.

Default Virtual Folders

IBM webMethods Managed File Transfer offers a default virtual folder backed by cloud storage. The location information for this folder is inaccessible, but you can create subfolders within it and configure new virtual folders pointing to these subfolders. Grant users access to these virtual folders.

Adding subfolders under the default virtual folder location

To add virtual folders under the default virtual folder location

  1. Go to Virtual folders, and choose the virtual folder named default on the Virtual folders page.

  2. On the right panel, select Create folder and click   .

  3. In the Add folder dialog box, type a unique name for the subfolder and click Add.

Note
You cannot delete subfolders on IBM webMethods Managed File Transfer. Only users with the Delete folder permission can delete the subfolders, if they are connected through listeners.

Configuring folders with a default virtual folder location

To configure folders with a default virtual folder location

  1. Go to Virtual folders and click   .

  2. In the Add virtual folder dialog box, type a unique name for the virtual folder and click Add.

  3. On the right panel, expand Location and select Configure with default virtual folder location.

  4. Click Browse. Select the path to a subfolder under the default virtual folder created previously and click Save.

Note
You cannot reconfigure folders that are set with a default virtual folder location to use a remote location.

Adding a Virtual Folder

Create a Virtual File System (VFS) by creating one or more virtual folders, in a manner in which you typically arrange in a file system hierarchy. Although the information might be stored across remote file systems, a virual folder makes it appear as a cohesive data collection in the VFS.

To create a virtual folder

  1. Go to Virtual folders and click  

  2. In the Add virtual folder dialog box, type a unique name for the virtual folder and click Add.
    The new virtual folder appears in the folders list.

Modifying a Virtual Folder

To modify a virtual folder

  1. Go to Virtual folders, and click on a virtual folder that you want to edit and modify the required configuration settings for the virtual folder.

  2. Click Save.

Searching for Virtual Folders

To search for a virtual folder

  1. Go to Virtual folders and specify all or one of the following search criteria:

    Field Description
    Partner Select one of the following:
    • All partners. Search for the virtual folders associated with all the partners in IBM webMethods Managed File Transfer.
    • Specific partner. Search for the virtual folders associated with a specific partner in IBM webMethods Managed File Transfer. Select this option, type the name of the partner, and click Ok.
    User Select one of the following:
    • All users. Search for the virtual folders associated with all the users in IBM webMethods Managed File Transfer.
    • Specific user. Search for the virtual folders associated with a specific user in IBM webMethods Managed File Transfer. Select this option, type the name of the user, and click Ok.
    Folder name Type the name of the specific virtual folder you want to view.
  2. Click Apply for the changes to take effect and click Reset to clear the values. The virtual folders list is populated with the virtual folders matching the search criteria.

Configuring Additional Settings for a Virtual Folder

To configure additional settings

  1. Go to Virtual folders, and on the Folders tile, click on a virtual folder.

  2. Type a different virtual folder name and select one of the partner options:

    Option Description
    No Partner Select this option if you do not want to associate the virtual folder with a partner or the enterprise.
    Enterprise Select this option if you want to associate the virtual folder with the enterprise. Type a new enterprise name and click Create.
    Partner Select this option if you want to associate the virtual folder with a partner. Either select a partner from the list or type a new partner name. Click Create to associate the virtual folder with a partner.
  3. Configure the location in one of the following ways:

    Option Description
    Configure a remote location Select this option to specify a file path in a remote server along with a protocol (transport mechanism) from the list, and type the file path location. For example, FTP://host:port/DestinationFolder/. Type a username and password for the remote server.
    See Supported protocols and Supported storage types for more information.
    Configure a default virtual folder location Select this and click Browse to configure the path of the folder that you created under the default virtual folder.
    See Adding subfolders under the default virtual folder location for more information.
  4. Add a user to the virtual folder and configure the permissions with the username.
    The user can now view, download, upload, delete, create a folder, delete folder, or rename the folder.

    • When you grant user permissions to a parent folder, the user inherits the same permissions for all subfolders.
    • When you grant user permissions to a subfolder, the user inherits the permission to traverse through the parent folders.
    • For a user, when you override the inherited permissions and specify a different set of permissions to a folder, those new permissions are inherited by the subfolders within the parent folder.
    • Support for these permissions is dependent on the specific VFS that you are configuring.

  5. Define specific file-based encryption and decryption PGP keys for a virtual folder.

    When encryption and decryption keys are configured at multiple levels such as user, listener, and virtual folder, IBM webMethods Managed File Transfer enforces the following order of listener preference:

    • Users
    • Virtual folders
    • Listeners

    For example, if user A accesses port 10 and uploads a file in VFS TestFolder123, then IBM webMethods Managed File Transfer checks if the encryption or decryption key is available for user A. If no key is available at the virtual folder level, then IBM webMethods Managed File Transfer checks for the user settings for the key. If no key is present at the user settings level, then IBM webMethods Managed File Transfer checks the server level settings for the key. If no key is present at the server level settings, then files are not encrypted or decrypted during upload or download.

    Note
    IBM webMethods Managed File Transfer does not use these keys when a virtual folder is configured in a post-processing or scheduled action. If you want to configure the encryption and decryption keys in an action, create an encryption or decryption task.
  6. Click Save.

Supported Protocols

Protocol Configurations

FTP, FTPES, and FTPS

Field Description
Keystore Alias (Applicable only for FTPES and FTPS) Type the certificate alias. This key is used for certificate based login.
Connection Pool Size Limit the number of connections created using a particular VFS. The default value is unlimited, which does not restrict the number of connections created using a particular VFS.
High availability download recovery Select the option to allow IBM webMethods Managed File Transfer to resume a download that was not completed previously.
High availability upload recovery Select the option to allow IBM webMethods Managed File Transfer to resume an upload that was not completed previously.
Passive Select the option to enable IBM webMethods Managed File Transfer to connect to a remote server using the passive mode.
IBM webMethods Managed File Transfer uses the active mode by default.
Force CWD to exact directory Select the option if you are connected to a FTP server that allows file operations only on the current directory. Enabling this option forces a change to the target directory before executing the file operations.

HTTP and HTTPS

Field Description
Keystore Alias (Applicable only for HTTPS) Type the certificate alias. This key is used for certificate based login.
High availability download recovery Select the option to allow IBM webMethods Managed File Transfer to resume a download that was not completed previously.
High availability upload recovery Select the option to allow IBM webMethods Managed File Transfer to resume an upload that was not completed previously.

SFTP

Field Description
Key Alias Type the certificate alias. This key is used for certificate based login.
Preferred cipher Configure the preferred cipher from the list of supported ciphers.
Excluded cipher If you want to remove a cipher from the supported cipher list, then configure it in the Excluded cipher field.
SSH Fingerprint Click the button to retrieve the host key fingerprint from the remote SFTP server. Remove the SSH fingerprint, if you do not want host key fingerprint verification for the virtual folder.
Two-factor authentication Select this option to use both password and public key authentication to connect to the remote SFTP server configured for this VFS.
Connection Pool Size Limit the number of connections created using a particular VFS. The default value is unlimited, which does not restrict the number of connections created using a particular VFS.
High availability download recovery Select the option to allow IBM webMethods Managed File Transfer to resume a download that was not completed previously.
High availability upload recovery Select the option to allow IBM webMethods Managed File Transfer to resume an upload that was not completed previously.

SMB

Field Description
SMB Version Select the SMB version from the list.
  • SMB v1. Select this for legacy SMB servers.
  • SMB v2. Select this to support SMB Server 2 and SMB Server 3.
Dfs enabled This is applicable only for SMB v2 option. Select Dfs enabled, if the remote SMB server is configured with a Distributed File System (DFS).
High availability download recovery Select the option to allow IBM webMethods Managed File Transfer to resume a download that was not completed previously.
High availability upload recovery Select the option to allow IBM webMethods Managed File Transfer to resume an upload that was not completed previously.

WEBDAV and WEBDAVS

Field Description
Key Alias Type the certificate alias. This key is used for certificate based login.
High availability download recovery Select the option to allow IBM webMethods Managed File Transfer to resume a download that was not completed previously.
High availability upload recovery Select the option to allow IBM webMethods Managed File Transfer to resume an upload that was not completed previously.

Supported Storage Types

Configuring a virtual folder with Amazon-S3 bucket

To configure the VFS with Amazon-S3

  1. Specify the following information and click Save.

    Field Description
    Bucket name Specify the Amazon-S3 bucket name.
    Folder path Specify the folder path for the bucket. If you do not specify the folder path, then the root of the bucket is considered by default.
    Region name Choose the AWS (Amazon Web Services) region from the list. This is the location where your Amazon-S3 bucket resides.
    Access key ID Specify the Access key ID to access the Amazon-S3 bucket.
    Secret access key Specify the secret key which corresponds to the Access Key ID that has the access to Amazon-S3 bucket.
Note
  • For more information about Amazon-S3 service, refer Amazon documentation.
  • When you provide a non-existent folder path in a VFS pointing to S3, the folder automatically gets created during file operations.

Configuring a virtual folder with Hosted-S3 bucket

To configure the VFS with Hosted-S3

  1. Specify the following information and click Save.

    Field Description
    Bucket name Specify the Hosted-S3 bucket name.
    Folder path Specify the folder path for the bucket. If you do not specify the folder path, then the root of the bucket is considered by default.
    Access key ID Specify the Access key ID to access the Hosted-S3 bucket.
    Secret access key Specify the Secret access key which corresponds to the Access key ID that has the access to Hosted-S3 bucket.
    Endpoint Specify the Endpoint to access the Hosted-S3 bucket.
    URL Style Choose one of the following addressing models:
  2. Path. In this URL model, the hostname is s3-hosted.example.com and the bucket name is specified in the path as /bucket-name/.
    For example, https://s3-hosted.example.com/bucket-name/
  3. Virtual host. This URL model involves including the bucket name as a subdomain of the hostname.
    For example, https://bucket-name.s3-hosted.example.com/

Azure storage

If you want to configure the VFS with Azure storage type, then select the AZURE-FILE or AZURE-BLOB from the list.

Note
IBM webMethods Managed File Transfer currently supports only AZURE-FILE shares and AZURE-BLOB containers.

Configuring a virtual folder with AZURE-FILE

To configure the VFS with AZURE-FILE

  1. Specify the authentication information that must be sent to Azure storage type for authorizing access to specific resources. AZURE-FILE share supports Shared Key and Shared Access Signature (SAS) authentication types.

    Choose one of the following ways to provide the authentication information:

    Option Description
    Shared Key The shared key type passes a header with each request that is signed using the respective storage account access key.
    Specify the values for the following fields:
    • Account name. The account name that corresponds to the Azure account for the AZURE-FILE location.
    • Access key. The key that you create at the Azure portal for the corresponding account name.
    Shared access signature (SAS) The Shared Access Signature (SAS) type provides secure delegated access to resources in the storage account without compromising the security of the data. Additionally, control what resources the client may access, what permissions they have on those resources, and how long the SAS is valid, among other parameters.
    • Account name. Specify the account name that corresponds to the Azure account for the AZURE-FILE location.
    • SAS token. The SAS token is a string that you generate in the Azure portal for an account.
    High availability download recovery Select the option to allow IBM webMethods Managed File Transfer to resume a download that was not completed previously.
  2. Specify the location where the folder for the AZURE-FILE share resides.

Note
AZURE-FILE share supports headers for customization, security, caching, modification checks, and efficient transfers.

Configuring a virtual folder with AZURE-BLOB

To configure the VFS with AZURE-BLOB

  1. Specify the authentication information that must be sent to the Azure storage for authorizing the access to resources. The AZURE-BLOB supports Shared Key, Shared Access Signature (SAS), and Anonymous public access authentication types.

    Choose one of the following ways to provide the authentication information:

    Option Description
    Shared Key The shared key type passes a header with each request that is signed using the respective Storage Account Access Key.
    Specify the values for the following fields:
    • Account name. The account name that corresponds to the Azure account for the blob location.
    • Account key. The key that you create at the Azure portal for the corresponding account name.
    Shared Access Signature (SAS) The Shared Access Signature (SAS) type provides secure delegated access to resources in your storage account without compromising the security of the data. Additionally, control what resources the client may access, what permissions they have on those resources, and how long the SAS is valid, among other parameters.
    • Account name. The account name that corresponds to the Azure account for the blob location.
    • SAS token. The SAS token is a string that you generate in the Azure portal for an account.
    Anonymous public read access The anonymous public read access type provides you with read access within a publicly accessible container without authorizing the request.
    Specify the values for the following fields:
    • Account name. The account name that corresponds to the Azure account for the blob location.
    High availability download recovery Select the option to allow IBM webMethods Managed File Transfer to resume a download that was not completed previously.
  2. Select a storage sub-type. The below mentioned are the two types of storage sub-types:

    • Block Blob. It stores the unstructured data such as files, media, images, and documents in blocks.
    • Append Blob. It appends the unstructured data such as files, media, images, documents and so on.

  3. Specify the Azure container folder path for the Location field.

  4. Specify the advance configuration options as follows:

    • Storage size. Specifies the size of each part of the file which gets uploaded to the blob container.
    • Azure headers - Add additional header parameters to set the extra metadata for the blob container. Click    to add the Header key and Header value information, respectively.
      The following are the list if supported headers:
      • cacheControl
      • contentType
      • contentEncoding
      • contentLanguage
      • contentDisposition

Note
AZURE-BLOB now supports creating and renaming of folders and files upto 256 MB.

Configuring a virtual folder with Google Cloud Platform (GCP) bucket

IBM webMethods Managed File Transfer supports GCP storage buckets using Google Cloud Service Account.

To configure the VFS with Google Cloud Platform

  1. Specify the following information and click Save.

    Field Description
    Service account private key Specify the encoded private key (a JSON file) for a service account. This key is used to authenticate the service account and authorize it to access GCP resources.

    • Open your Google Cloud console settings.

    • Go to IAM & Admin > Service Accounts.

    • Click Create service account.

    • Provide the configured email address.

    • Click keys tab and add the JSON key.

    • Refer Google Cloud documentation for more details.

    Bucket name Specify the GCP bucket name.
    Folder path Specify the folder path for the bucket. If you do not specify the folder path, then the root of the bucket is considered by default.
    High availability download recovery Select the option to allow IBM webMethods Managed File Transfer to resume a download that was not completed previously.
Note
  • Hosted-S3 and Google Cloud Platform configurations are available only on the Virtual folders tab. This cannot be configured while creating actions.
  • When you provide a non-existent folder path in a VFS pointing to GCP, the folder automatically gets created during file operations.

Antivirus Scanning

IBM webMethods Managed File Transfer supports antivirus scanning of inbound files by using an open source antivirus scanner ClamAV, which supports Internet Content Adaptation Protocol (ICAP). Antivirus scanning is limited to the scanning of inbound files, and does not support scanning of the internal IBM webMethods Managed File Transfer Server environment, outbound files or incoming files from default or child of default directory.

ClamAV virus signatures are updated every day by IBM. ClamAV is exposed to the ActiveTransfer Server using an ICAP Server.

Antivirus scanning is enabled by default. You can disable the antivirus scanning if you absolutely trust the entity that is sending the files to the VFS. However, IBM does not recommend disabling the antivirus scanning.

Note
  • Virus scanning may have some impact on IBM webMethods Managed File Transfer performance, since all files being transferred are scanned.

To disable IBM webMethods Managed File Transfer antivirus scanning of inbound files:

  1. Log in to your tenant.

  2. Go to Virtual folders > Folders section.

  3. Click on the folder that does not require antivirus scanning.

  4. Click Disabled under Antivirus Scanning. Click Save.

Important
  • IBM webMethods Managed File Transfer maintains a scan buffer size of 2 MB for antivirus scanning.
    • Files less than 2 MB in size are maintained in the Java Virtual Machine (JVM) and forwarded to the destination after scanning.
    • Files larger than 2 MB in size are scanned in 2 MB sections and forwarded to the destination, section by section. The file is completely written to the destination only when the entire file is scanned. You may experience a slow upload or session might go on hold in these scenarios, until the file is completely scanned and uploaded. It is recommended that you use a larger client timeout for such scenarios.
    • IBM webMethods Managed File Transfer stops taking virus scanning requests if the collective sum of all 2 MB buffers exceeds 1 GB per instance.

Actions taken when a virus is found

No files are uploaded without an antivirus scan if the VFS is configured with scanning. If the ICAP server detects any virus in the file data sent for scanning, the ICAP server reports it to ActiveTransfer Server. You receive a reply that a virus is found and the connection is terminated. The ActiveTransfer Server then stops the file upload, deletes the file data from the JVM, and triggers deletion of the partial file data in ActiveTransfer Server.