FAQs

Storage

What Data is stored?

Copies of all files transferred through OpConMFT are stored in archival folders for purposes of auditing and to enable job restart on failure.

These archival files are automatically removed according to the "Prune Old Data" field per https://localhost:41100/Settings.aspx. The default time is 1 year.

This can optionally be disabled entirely by toggling off the "Archive Files" option for MFT jobs, which was exposed in a recent version of OpCon.

What Logs are stored?

We have general debug logs for each interpeter process run as well as logs for individual job runs.

Logs for job runs rotate out according to the Prune Old Data field in https://localhost:41100/Settings.aspx. The default time is 1 year.

Debug logs do not rotate out. This is not usually a concern, but when the Extra Debug Data checkbox is enabled these files can grow greatly in size and may need to be purged manually as needed. These can be found in C:\Program Files\OpConMFT 3.13\ProgramData\debug as well as C:\Program Files\OpConMFT 3.13\UserData\USER_NAME\debug. For the latter folder, this will only be relevant when running the Scheduler Service under a non-default user (default is SYSTEM).

The server has its own set of logs - one for each internal server (ftp/http and ftps separately). These are rotated out after a default of 4 days.

The size of logs varies greatly depending on protocol and the specifics of individual file transfer job runs.

File capabilities – Internal and External

The following Transfer protocols are supported by the OpConMFT Client:

FTP
FTPS
HTTP
HTTPS
WebDav (automatically enabled for HTTP and HTTPS sites if the server supports these extensions)
SFTP
Azure Blob Storage
Amazon S3

The following Transfer protocols are supported by the OpConMFT Server:

FTP
FTPS
HTTP (+ WebDav)
HTTPS (+ WebDav)
SFTP

Security

Server

FTPS

FIPS mode on:
    |   TLSv1.2: 
    |     ciphers: 
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 
    |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 
    |       TLS_RSA_WITH_AES_256_CBC_SHA256 
    |       TLS_RSA_WITH_AES_256_GCM_SHA384 

FIPS mode off:
    |   TLSv1.2: 
    |     ciphers: 
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA 
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 
    |       TLS_DHE_RSA_WITH_AES_128_CCM 
    |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA 
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 
    |       TLS_DHE_RSA_WITH_AES_256_CCM 
    |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 
    |       TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 
    |       TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 
    |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 
    |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 
    |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 
    |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 
    |       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 
    |       TLS_DHE_RSA_WITH_SEED_CBC_SHA 
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 
    |       TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 
    |       TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 
    |       TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 
    |       TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 
    |       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 
    |       TLS_RSA_WITH_AES_128_CBC_SHA 
    |       TLS_RSA_WITH_AES_128_CBC_SHA256 
    |       TLS_RSA_WITH_AES_128_CCM 
    |       TLS_RSA_WITH_AES_128_GCM_SHA256 
    |       TLS_RSA_WITH_AES_256_CBC_SHA 
    |       TLS_RSA_WITH_AES_256_CBC_SHA256 
    |       TLS_RSA_WITH_AES_256_CCM 
    |       TLS_RSA_WITH_AES_256_GCM_SHA384 
    |       TLS_RSA_WITH_ARIA_128_GCM_SHA256 
    |       TLS_RSA_WITH_ARIA_256_GCM_SHA384 
    |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 
    |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 
    |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 
    |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 
    |       TLS_RSA_WITH_SEED_CBC_SHA 

HTTPS

FIPS mode on:
    |   TLSv1.2: 
    |     ciphers: 
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 
    |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 
    |       TLS_RSA_WITH_AES_256_CBC_SHA256 
    |       TLS_RSA_WITH_AES_256_GCM_SHA384 

FIPS mode off:
    |   TLSv1.2: 
    |     ciphers: 
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA 
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 
    |       TLS_DHE_RSA_WITH_AES_128_CCM 
    |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA 
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 
    |       TLS_DHE_RSA_WITH_AES_256_CCM 
    |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 
    |       TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 
    |       TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 
    |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 
    |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 
    |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 
    |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 
    |       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 
    |       TLS_DHE_RSA_WITH_SEED_CBC_SHA 
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 
    |       TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 
    |       TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 
    |       TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 
    |       TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 
    |       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 
    |       TLS_RSA_WITH_AES_128_CBC_SHA 
    |       TLS_RSA_WITH_AES_128_CBC_SHA256 
    |       TLS_RSA_WITH_AES_128_CCM 
    |       TLS_RSA_WITH_AES_128_GCM_SHA256 
    |       TLS_RSA_WITH_AES_256_CBC_SHA 
    |       TLS_RSA_WITH_AES_256_CBC_SHA256 
    |       TLS_RSA_WITH_AES_256_CCM 
    |       TLS_RSA_WITH_AES_256_GCM_SHA384 
    |       TLS_RSA_WITH_ARIA_128_GCM_SHA256 
    |       TLS_RSA_WITH_ARIA_256_GCM_SHA384 
    |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 
    |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 
    |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 
    |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 
    |       TLS_RSA_WITH_SEED_CBC_SHA 

SFTP

    | ssh2-enum-algos: 
    |   kex_algorithms: (8)
    |       ecdh-sha2-nistp256
    |       ecdh-sha2-nistp384
    |       ecdh-sha2-nistp521
    |       diffie-hellman-group18-sha512
    |       diffie-hellman-group16-sha512
    |       diffie-hellman-group-exchange-sha256
    |       diffie-hellman-group14-sha1
    |       diffie-hellman-group1-sha1
    |   server_host_key_algorithms: (4)
    |       ecdsa-sha2-nistp384
    |       rsa-sha2-512
    |       rsa-sha2-256
    |       ssh-rsa
    |   encryption_algorithms: (11)
    |       chacha20-poly1305@openssh.com
    |       aes128-gcm@openssh.com
    |       aes256-gcm@openssh.com
    |       aes128-ctr
    |       aes192-ctr
    |       aes256-ctr
    |       aes128-cbc
    |       aes192-cbc
    |       aes256-cbc
    |       blowfish-cbc
    |       3des-cbc
    |   mac_algorithms: (4)
    |       hmac-sha2-256
    |       hmac-sha2-512
    |       hmac-sha1
    |       hmac-md5

The defaults are listed above. As of 3.13.5 we have added fine-grained control over all of the above ciphers and algorithms for SFTP.

The following options are not enabled by default but can be selectively enabled as desired:

kex_algorithms:
    diffie-hellman-group-exchange-sha1
    diffie-hellman-group14-sha1
    diffie-hellman-group1-sha1
                    
server_host_key_algorithms:
    sk-ssh-ed25519-cert-v01@openssh.com
    ssh-rsa-cert-v01@openssh.com
    ssh-dss-cert-v01@openssh.com
    ssh-rsa
    ssh-dss
                    
encryption_algorithms:
    aes256-cbc
    aes192-cbc
    aes128-cbc
    blowfish-cbc
    3des-cbc

mac_algorithms:
    hmac_sha1-etm@openssh.com
    hmac-sha1
    hmac-md5

Client

PGP (data-at-rest encryption)
- RSA (1024-bit, 2048-bit, 4096-bit)
- DSA/DSS (1024-bit, 2048-bit, 4096-bit)
CMS
- We provide support for CMS internally but this has not been exposed at the OpCon level. This is data-at-rest encryption, similar to PGP, that uses SSL/TLS certificates instead of PGP keys.
FTPS
- See Non-FIPS ciphers for Server, above.
HTTPS
- See Non-FIPS ciphers for Server, above.
SFTP
- See SFTP cipers/algorithms for Server, above.
- Like server, we offer fine-grained control of these options for each managed site.
SSH Keys (available for use for client authentication and also server authentication over SFTP)
- RSA (1024-bit, 2048-bit, 3072-bit, 4096-bit)
- DSA (1024-bit, 2048-bit, 3072-bit, 4096-bit)
- ECSDA (256-bit, 384-bit, 412-bit)

Best Practice for build out of Servers in an Environment

While the customer should choose a setup that works best for their environment, the following recommendations are considered Best Practice:

Because OpConMFT merges both Client and Server products we recommend separate Production and Test servers
- One installation of OpConMFT for Production
- One installation of OpConMFT for Test
We do not support load-balancing of jobs across multiple OpConMFT installations.

FAQs

Storage​

What Data is stored?​

What Logs are stored?​

File capabilities – Internal and External​

The following Transfer protocols are supported by the OpConMFT Client:​

The following Transfer protocols are supported by the OpConMFT Server:​

Security​

Server​

FTPS​

HTTPS​

SFTP​

Client​

Best Practice for build out of Servers in an Environment​