cscott/ask-annie
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

batch transcripts

Browse Source
This commit is contained in:
Conan Scott
2026-03-24 20:47:49 +11:00
parent 6b3a2e739a
commit 9ec1517274
62 changed files with 3828662 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
out/961596767/audio.mp3 Normal file
View File

Binary file not shown.

140980
out/961596767/transcript.json Normal file
View File

File diff suppressed because one or more lines are too long

810
out/961596767/transcript.txt Normal file
View File

@@ -0,0 +1,810 @@
# Transcript: 961596767
# URL: https://vimeo.com/961596767
# Duration: 4495s (74.9 min)
[0:06] Well, good morning, everybody.
[0:08] Thank you so much for all joining, and and we'll have more join as we go here. I'm gonna turn off that
[0:16] transcription.
[0:19] So welcome to the ask Annie
[0:22] Secure Transport best practices user group session. We're, again, happy to have you join us, and
[0:27] I'm just going to mention a few little housekeeping items before introducing Annie and then allowing her to get started.
[0:35] Just wanna mention that we are recording this webinar,
[0:39] and I will send the recording link along with the presentation
[0:43] following today's session.
[0:45] Of course, if you have any questions throughout the presentation,
[0:49] Annie will be happy to address them. Feel free to just raise your hand in the
[0:54] bar there and
[0:56] speak up, and and we'll be glad to address that. Or you can send a note in the chat, which I will be watching as well Annie,
[1:03] and we will address your questions that way.
[1:06] Why I just quickly mention something?
[1:09] We've
[1:10] hosted
[1:11] customer user group sessions at some of our customer sites,
[1:16] Costco,
[1:17] D and B, Lockheed,
[1:19] our parent company, Sopra.
[1:21] We've had them at the locations there, and it's a great opportunity to allow you to collaborate in person with, your peers.
[1:29] And, it also
[1:31] it's no cost to you because,
[1:34] we do all the work and we come to you. And so, we
[1:38] appreciate as you having a room for us to hold the meeting, and then we'll take it from there. We'll even provide lunch
[1:44] and,
[1:45] refreshments. And so if you are interested in doing that at your facility
[1:50] or you know somebody that in your company that I could talk to, feel free to email us at community@xway.com,
[1:57] and we'd love to talk to you to
[2:00] hold a user group session like this in person.
[2:04] Again, they're they're wonderful opportunity
[2:06] as our
[2:07] customers have attested to that they love doing that. So feel free to let me know if if you would like to do that or point me in the direction of somebody that might make that decision.
[2:19] So without further ado, I will introduce
[2:22] Annie Yotova.
[2:23] She's our MFT architect and will be conducting today's session. Thanks, Annie.
[2:32] Good morning. Good afternoon. Good evening. I'm seeing a lot of some people from over
[2:37] on the other side of the ocean. So if this is your first ask, Annie, this is a question answer session.
[2:44] I have a live server,
[2:46] a variety of them today, actually,
[2:49] where we can go and look at things or,
[2:53] if you have a question about how something looks like or where to look for it.
[2:59] And then
[3:00] any question is welcome. It doesn't matter if you are asking about the server property or
[3:06] architecture question or migration, anything as long as it's about secure transport or somehow related to it, go feel free to. I recognize quite a lot of the names on the session.
[3:17] So I know most of you had been to one of those or more.
[3:21] For the ones that are new, welcome.
[3:24] Hope you enjoy it. And with that, who wants to kick it off today?
[3:31] And this is the most
[3:33] fragile part of this meeting until someone starts talking. Once we start, we usually don't even end on time. It usually run over. So
[3:44] who wants to kick it off?
[3:48] Okay. We do have a question from Mark in the chat session. Yanny, if you wanna look at that.
[3:54] Yep. And I'm seeing
[3:56] erase cancel already. I don't see anything in the chat.
[4:00] Hold on. Any way to configure a send a partner route to rename the file to deliver only if the file name already exists on the target side?
[4:08] Yeah. I saw it. Yep. Thank you. Okay. Thanks, Lucy. I'm I'm on two screens and one of them doesn't show me the correct chat, which is weird.
[4:15] Okay.
[4:16] So, Mark,
[4:18] you are try what protocol are you going to be using?
[4:22] Secure FTP.
[4:24] So FTP or FTPS?
[4:27] SFTP.
[4:28] SFTP.
[4:29] So that's the SSH one. So,
[4:32] unfortunately,
[4:34] no.
[4:35] Because we don't have a control on the other end. So you can always rename,
[4:41] but we cannot go and check proactively and only rename if something is happening on the other end. Sometimes it is because we don't might not even have free access into the folder properly.
[4:52] Because during a push, all we're doing is connect,
[4:56] log in,
[4:58] put a CD into the folder,
[5:00] put the file, and get out immediately.
[5:04] So we don't
[5:07] have a
[5:08] the ability to actually
[5:12] do anything.
[5:14] If you do a previous tab that goes and check stuff and you already know and, for example, use the set flow parameter or something to put it in the environment, then we can use that. But the step itself cannot do it.
[5:28] Yeah. That's why I was wondering. I didn't know if I could do a route that did, like, a pull from partner step,
[5:34] you know, to see if the file was there. And then based on the success or fail of that step, it would do a send to partner either with a normal name or a a rename or something like that with expression language?
[5:47] You might be able to. The problem though
[5:51] is that the pull from partner
[5:54] is not running in the same sandbox or in the same flow where you are at moment.
[6:00] So with the pull from partner,
[6:02] you can check for the file,
[6:05] put
[6:06] it eventually
[6:08] into the folder,
[6:09] then run around
[6:11] that
[6:13] runs a so
[6:16] the challenge here is that the pull from partner doesn't pull them in the same sandbox or in the same place where your current scenario is. So you'll need to exit with the current scenario.
[6:25] Then you can catch the result from pull from partner, which is either file or no file found. Right?
[6:31] And if it is a no file found,
[6:36] and then you can do the renames. So
[6:39] can you do it?
[6:40] Sure. But it will be connected.
[6:44] Because your first route will need to be just the pull from partner, nothing else
[6:49] with leaving the file seeking query test. And now the challenge is how do you get the file that was just originally uploaded to get into a sandbox for sending?
[6:58] Because now you'll need to figure out sometimes of triggering
[7:01] because the pull from partner
[7:03] will not put the found file or the reaction from it in the same
[7:09] scenario.
[7:11] Does this make sense?
[7:13] It does. Yes. Thank you very much.
[7:16] It's just one of those disconnected
[7:18] things. It's useful, but not for your kind of scenario.
[7:22] So in your case,
[7:24] you can play with it and probably manage to get it done,
[7:29] but I don't
[7:32] I I just it it won't be as straightforward as it needs to be, not with SFTP. And the reason I asked why is because, obviously, with some protocols, we have better control than with others.
[7:44] Gotcha. Thank All
[7:46] you're trying is not to override. Right?
[7:49] Exactly. Yeah. They want a standardized file name,
[7:52] but, you know, and they delete it after they process it. But occasionally,
[7:57] if something fails on their end, they're like, well, if it's there, don't override it. Give it a different name.
[8:02] And I'm like, well, okay. That gets difficult. And I was saying with that pull from partner and you have the check boxes to,
[8:10] you know, proceed on route,
[8:12] failure or proceed on, you know, step success. I didn't know if I could branch off a route, you know, with two different send to partners, one with a rename and one without. And before I even started messing with it, I just thought I would ask.
[8:27] Yeah. Unfortunately,
[8:29] the on the on a
[8:31] pull from partner, the success
[8:33] will just tell you I scheduled to just pull to run immediately. It won't tell you if I found any files or not.
[8:39] It's just a different it's just the API call.
[8:42] It just puts it in the database and that's what this step does inside Gotcha. The route. So that won't help you at all. Okay. Thanks.
[8:50] But you can run around somehow with secondary route. But one thing to be careful, of course, is how you're going to manage this long term. I would say if you can talk to your partner, just ask them, can you just add the timestamp at the end of your names always,
[9:06] you know, something like that. Or at the beginning, Chorus, an extension or something, and they can just drop them because there's the cleaner way.
[9:14] Yeah. It's always our preference is to put a a date stamp in the name, but, you know, you get some vendors that just for whatever reason don't seem to handle those kind of requests well. So I was, you know, trying to accommodate them, but I think it's just gonna be more trouble than it's worth.
[9:31] I I just don't yeah. It it's the only way for you will be to do a daisy chain, you know, run-in the and you'll need to figure out how to get this file back into a position to push it out. Because once you get the post from partners,
[9:46] you can run another route now, but the file is not there anymore because it's actually running with the one you just pulled or the one that we didn't find. So it gets progressively complicated.
[9:57] So just talk with your partner.
[10:01] K. Thanks. Mhmm. Okay.
[10:07] Oh, got
[10:08] We are getting an error
[10:10] as the sorry.
[10:15] We're getting a failure to connect to remote host,
[10:19] violates maximum packet
[10:24] Uh-huh. Olga, do you have any idea what
[10:27] software are they running on the other end?
[10:31] Hello, everyone. No idea.
[10:35] Okay.
[10:36] So the best so couple of things you can do. So the problem is that with the buffer sizes
[10:44] so this is the incoming packet.
[10:47] And is this
[10:49] connect is this pull or push?
[10:53] Well, I'm getting the error message when trying to test the connection.
[10:58] Not even I'm not even getting to the point of attempting to push or pull.
[11:03] By just trying to list the sites or
[11:06] testing the collection,
[11:08] it throws that error message.
[11:17] Oh,
[11:18] it's just some
[11:27] You're cutting out. You're cutting out.
[11:31] Kimi. Okay.
[11:34] Okay.
[11:40] It shows.
[11:42] I know you're breaking up.
[11:45] Yep. I heard that. So sorry about that.
[11:51] Can you hear me now properly? Yes. Yes. I can hear you properly.
[11:55] Yes. Okay.
[11:58] Hold on a second. My VPN dropped my connection again. I'm having the usual phone with my VPNs.
[12:03] I think it just does not
[12:06] like
[12:07] TMs.
[12:08] The gateway
[12:12] itself, if you go into the advanced settings, there are a couple of buffers.
[12:17] Whereabouts?
[12:19] Set the software
[12:21] there.
[12:24] You might want to play with them to try to the other on the transfer side.
[12:34] So you said on the transfer side because your line is very bad.
[12:38] I don't know. If you don't mind, you can write the instructions. I can follow them because I don't Yeah. Just I
[12:49] will.
[12:50] Sorry. Thank you. Bye. Thank you.
[13:07] Audio is cutting out, Annie. No.
[13:12] We really don't can't understand at all. No.
[13:24] Annie, does it help to drop off and come back in?
[13:29] Can't
[13:30] hear you.
[13:33] Okay. Is this better?
[13:36] Keep talking.
[13:38] Okay.
[13:39] Let me drop off and down. No. That so now you're good.
[13:44] Oh, okay. I switched lines, and I was hoping it will catch up.
[13:48] Okay.
[13:50] Now we can hear you.
[13:52] Okay. And I think you're seeing the browser as well. Right? Yes.
[13:58] Okay. Let's hope this holds.
[14:02] Okay.
[14:03] So
[14:04] on the transfer side,
[14:21] The other ones,
[14:23] it's the buffer sizes.
[14:25] One of them, usually the connection read or write buffer is the one that gives the problematic
[14:29] one
[14:31] in this
[14:32] case.
[14:34] Unless
[14:36] they are running some kind of software data compliant, play with how much is unclear.
[14:42] Part of the issue is that
[14:45] until
[14:46] unless they tell you what they are doing, sometimes it's impossible.
[14:51] And that's why I asked you if it is
[14:54] pull or push. If it is on the connect itself,
[14:57] it would be it shouldn't be the buffers,
[15:00] but it might be the block size of the SFTP message, the one over here at the bottom.
[15:05] So
[15:06] try to change those, see if the message is changing
[15:10] is the best I can say based on the on the error.
[15:14] Okay. I'm
[15:16] showing that.
[15:19] Yeah. Because it's
[15:22] there is
[15:24] the the problem is the package size, and what is happening when we connect is that they are supposed to respond with a specific length after the two servers negotiate between them. And that's what there is the error is telling you that the packages don't match. We expect one length, something else is receiving is getting received. Which means that the other server is either not receiving our
[15:45] our our request properly or they don't know how to handle it. That's why much meeting them in the middle might be the way to go. So I would increase the block size of the SFTP over here a little bit and see if that changes anything.
[16:00] Start from there. And if that doesn't help get our support to look with you, but you'll probably need networking access
[16:07] because someone will need to inspect the package and see where exactly the communication falls to.
[16:14] Mhmm. Okay.
[16:16] I'll try that. It doesn't seem to work.
[16:19] It's that's why I said that's
[16:22] the best you can do without actually working with them. The other thing is if you have a communication line with your partner, ask them what kind of server are they using.
[16:31] Mhmm.
[16:32] Mhmm. What version? Because
[16:34] we are RFC compliant and we're a Maverick server. If they're an open SSH server,
[16:40] which is building on top of some of the newer features
[16:44] that are not RFC compliant, but that you work with other open SSH servers. I've seen this kind of problems in this case.
[16:51] Simply because we're very strict on the RFC,
[16:54] and the library we're using, Maverick, is much stricter than open SSH ever had been.
[17:00] Okay.
[17:01] And if
[17:03] and if they most of their other partners are OpenSSH,
[17:06] maybe they have some checkbox somewhere to make it more strict.
[17:11] Okay.
[17:12] So that's that's all you can do from the SD side of the house, unfortunately.
[17:18] And we and there is no checkbox on our side that says be less RSC compliant.
[17:25] We're always trying to be as secure, as compliant, you know, the whole
[17:30] nine yards, which is annoying sometimes. I would admit that. Mhmm.
[17:36] But
[17:38] yeah. My good feeling is it will turn out to be an open s s a derivative on the other end because that that's where I've seen this kind of issues before.
[17:47] Which also means if you just go on the OS level and try to open the connection from there, it will work beautifully perfectly fine because OS level servers are open SSHs.
[17:58] Mhmm. So makes it even harder to troubleshoot. But if you haven't tried yet, is this is this site going through the edges or is it going directly out?
[18:09] SSH.
[18:10] No. I I know it's SSH, but in the zone down here
[18:15] DMZ.
[18:15] It's going by DMZ. DMZ. Okay. So if it's going through the DMZ,
[18:20] log in on the edge, one of the edges, and try to just connect to the SSH through the from the edge directly.
[18:29] This is really an open SSH versus mother h tank, the open SSH will connect.
[18:35] Alright. We'll do that. Thank you Yep. So
[18:38] If that doesn't work either, you might be looking into a firewall discrepancy
[18:43] somewhere. Something somewhere is getting your packages either cut or expecting bigger ones, but that's where I would start. It if it works from the edge directly,
[18:53] but doesn't work from ST, get our support to try to help you because we're talking Maverick versus OpenSH most likely. But if the edge cannot connect either,
[19:02] then go to your partner and it's it's not managed. Now open as a edge. If both of them cannot connect, something somewhere is not responding as it's supposed to.
[19:11] Mhmm.
[19:13] That's Thank you. Yeah. I I know that's not the answer answer, but unfortunately,
[19:18] until you chase down exactly what's going on, there is no real solution for something like that.
[19:23] Sure.
[19:24] Thank you. Mhmm.
[19:26] Of course.
[19:30] Okay.
[19:31] Raquel, is there a way to verify that our local certificates are attached to them? Permanent certificates
[19:37] for us to operate.
[19:38] Oh, my favorite question.
[19:40] So Good.
[19:43] There is no easy way to find out
[19:47] what is attached to what unless you want to go dig through configuration.
[19:52] One thing is because those usually have a very specific names.
[19:57] If you go to
[19:59] server configuration
[20:02] and type the name of your certificate in the value,
[20:07] admin d for example
[20:09] Uh-huh.
[20:10] It will pop up all of them and you just look to see which are they'll say alias and so on.
[20:15] Okay.
[20:16] So another thing to look for, if you look for the work alias as a parameter, this is always referring to a certificate.
[20:24] So if you go that way, you'll see what is referenced. There are some that obviously are not certificates,
[20:29] but you can ignore them.
[20:31] But most of them will be like that. So cert alias for the rep encrypt and so on, trusted aliases,
[20:37] you know, that's the way to look at easiest. You can look with API, of course, but, you know, I know Yeah. It's the same.
[20:46] Okay. This will also
[20:48] show you see how even the listeners, if they're attached to a listener, they will also show up here even if you cannot edit from here. So I personally prefer that way. Look for Aliyah,
[20:59] but also once you find all of them and once you look at the list of them over here Mhmm. Of the certificate,
[21:06] just get the names one by one and do them as a value for server configuration. You see where they pop up. Okay.
[21:13] What you will not see if some of them are used inside of transfer sites or inside of steps.
[21:19] For that,
[21:21] the cleanest way, do an XML export.
[21:24] Yep. I was wondering. Okay. Is it in there? Okay. Yeah. It it will be referenced
[21:30] by the name of it. So if you do XML export and look for RMD, you'll see it and so on. The minimum ST requires to run is a single certificate.
[21:40] Technically speaking, you can use a single admin d certificate for absolutely everything,
[21:44] and ST will function.
[21:46] Really? Yes.
[21:48] It it's not recommended because you're basically putting every single egg you have and then some more into the same basket. And
[21:56] if you have edges,
[21:57] you need a special certificate to run the edges to server communication.
[22:02] It's not allowed to use the admin tier one. Okay. So if you have servers and edges, you have at least two of them. Admin d sorry. Admin the admin d is the only one that's always called that way. Everything else can be called any way you want.
[22:16] Okay. It is the other one that always needs to be called specifically is MDN.
[22:22] This is for the message disposition notifications for those, you know, on the tracking table,
[22:27] this small envelope at the beginning, that's where it needs to be called MDN.
[22:32] The
[22:33] rep reposted encryption one is usually called rep encrypt, but you can change that these days.
[22:38] I I still always call it that way because it's easier to note. You'll usually have at least one or more for the different protocols.
[22:45] So a normal server server will have between,
[22:48] I don't know, two and six at least.
[22:51] Okay. But technically
[22:53] speaking, it's lost if you don't have edges, you require a single one.
[22:57] And if you have edges, we need two of them. At least two. Yeah. At least two. And I've seen people try and quit one. Actually, SQL will not stop them. It just doesn't work very well or can backfire on you.
[23:10] Okay. I I think that's our our struggle is if we have to replace one of these, where all do we have to update?
[23:17] Nowhere.
[23:18] If you replace it in place, it will update automatically. If you're changing the name yeah. If you just do replace
[23:25] in place, you know, when when you go into, for example, into generate or import, if the name already exist, it will ask you if you want to override. If you say yes at this point,
[23:36] you override and it will this certificate will start getting used everywhere where the old one was assigned
[23:42] as long as you keep the name. If you change the name and with admin d, you cannot even do that, obviously, because the administration UI only works with admin d. But if you're changing the name, then you do that. You go to server configurations
[23:55] to see there is server configuration
[23:58] and you can use either the API or the XML export. I personally
[24:02] do XML export for that kind of stuff because it's faster.
[24:05] Yeah. It's cleaner to just grab everything, find it, and then just follow through. K. Thank you. But yeah. If you are replacing in place, unlike a route that are referenced by ID, certificates are still referenced by name.
[24:20] So as long as you keep the name, we really, really, really don't care that the certificate is different now.
[24:26] Okay. Thank you. Mhmm.
[24:29] And don't forget that if you have edges and you replace the certificate, you might need to go and play on the edges as well. Yes.
[24:38] As a reminder,
[24:39] I'm I'm not going to tell how many times I get called because everything broke and they just replaced the certificate on the server and forgot the edges.
[24:47] Yep.
[24:50] So that's it.
[24:51] It's the same with the trusted
[24:54] CAs as well, locals, and so on. It's it's straightforward. We always reference by alias. So
[25:01] okay?
[25:03] Yes. Thank you.
[25:06] Michael,
[25:07] transfer
[25:08] is not hanging up even though the transfer was successful in the second try. The first attempts, we cancel.
[25:16] Uh-huh.
[25:19] Let me see if I can see that on a little bigger screen. Michael, you still with us? Yeah. Yeah. I'm I'm still here. Yeah. It it actually started happening
[25:28] very soon after we had upgraded to February patch
[25:32] thirty two zero four.
[25:35] And it stays canceled forever? It doesn't stays canceled forever. It it does not yeah. It it it doesn't go. And and in some cases, it it
[25:45] isn't very often, but in some cases, like,
[25:48] it'll show in a failed sub transmission state for the inbound,
[25:53] and then every subsequent one for outbound will show in this cancel state.
[26:01] Yeah. It's it's it's really strange. I I haven't I haven't seen this before.
[26:06] Me neither. But I've seen something very similar happening
[26:11] when
[26:12] there was a corrupted
[26:14] record.
[26:16] So one thing to do, go
[26:19] to the new menu that we have about the events,
[26:22] the the event queue
[26:24] Yeah.
[26:25] And see if those that are the cancels will show up on the list here. They should if this is what's going on. So there are there are two options here. One of them is that the event is still in the event table for some reason, it is not getting cleared. The other option is this is just a tracking table issue.
[26:42] So start with the event q and c if the ones that are still showing cancel, if they actually are here in the event queue as well.
[26:50] Okay.
[26:52] And if they are you know that I'll send you to support with that, obviously, because I cannot help with that. But before you go, just check to see if the event is still in play. I've seen a similar problem. So when you update it last time,
[27:08] did it fail did it did the update work from the first time?
[27:12] I'm sorry. Repeat the question. Sorry. When you updated ST the last time Mhmm. Did the update work from the first time or did you have to redo it twice?
[27:26] I believe
[27:28] in prod, it was fine.
[27:31] I think in our test environment, I had to do it twice, but, it. I'm not seeing this in the test environment. I I think prod was fine. I I'll have to go back and look at my notes. The
[27:42] reason I'm asking is because I had a very weird experience
[27:46] with the server where the update failed,
[27:49] but the but no one did the rollback. Instead, they did the update the second time immediately after that.
[27:57] And it
[27:59] was
[28:01] Oh, you're cutting out again.
[28:03] Showing
[28:07] okay.
[28:09] Is this better? Yeah. It's a little better, but
[28:13] I'm sorry. I don't know what's going on today with all of my Internets.
[28:19] I I so I was having a problem where an update failed.
[28:23] It didn't throw back
[28:25] and instead turn on the second update on top of the first, and that left some files in a weird shape.
[28:31] And the tracking table was influenced that way.
[28:34] Oh, okay. So that's why I asked.
[28:36] Yeah. I'll go back and review my notes. I don't think that was the case in prod, but it I I I don't remember because it it was a couple months back. Actually, a few months back.
[28:47] And this just started happening?
[28:49] It happened when we went to the February patch.
[28:54] Okay.
[28:55] Prior to that,
[28:57] I forgot what level we were on, but it was only about eight months. I mean, it wasn't like after a full year.
[29:02] How often does it happen?
[29:05] This is daily.
[29:07] And it's not it's not particular to this one. It could be any any of our transfers.
[29:14] You know, it almost feels like there might be an old file somewhere on the system from the from before the update. From like a completely failed Yeah. Cannot reconcile.
[29:26] Okay. Okay.
[29:34] Okay. Yeah. So I'll I'll look through that through the event queue and then yeah. And then go through support. Awesome. Thank you. Yep.
[29:43] Yep.
[29:45] I
[29:46] have another question on the chat. Is it better security wise to request partner to authenticate their password or key? Always a key.
[29:55] Security wise, keys are always more secure than passwords. And in ST, you can even do double key plus password to even make it more secure.
[30:03] But passwords
[30:05] rely on a user not using their birth date as part of their password or things like that. So it's a lot easier to steal someone's password
[30:13] than a key. And I don't have a name for the person that asked that question.
[30:18] Actually, it's yeah.
[30:19] My name is Mark. So I guess the final question to that is yeah. Thank you for answering.
[30:25] How do you set it up so that a partner can authenticate via password or SSH key?
[30:31] Oh, that's you know, we're on the correct page to show you. So when you go to the login settings,
[30:39] you can do oops. For the end users, see where it says optional for passwords?
[30:45] So you leave it on optional for password.
[30:47] For the keys, it's per protocol.
[30:50] So when you go on the let's do
[30:53] because that's what you are asking for originally.
[30:57] Sorry.
[30:59] When you go to the demo settings
[31:03] nope. Wrong. It's the listener settings.
[31:06] Always mess them up.
[31:08] Over here,
[31:11] see where it says client certificate?
[31:13] Mhmm. If you do that optional,
[31:16] that means that we'll first try to do a key, and if they don't provide the key or
[31:22] or something, they can go for password. So if you keep both passwords and certificate on optional,
[31:28] what will happen with the server is that the server will say, tell the customer that we want the key, but if they don't have a key, we'll allow them a password instead.
[31:37] So they can use IDA.
[31:40] Okay. Great. Thank you so much. Mhmm. It's and don't forget if you have edges, this setting is on the edge edges, not on the servers. The one for the passwords need to be set on the servers, but for the certificates, you go where the daemon is.
[31:55] Okay. Got it. Thank you so Access? Yep. Okay.
[31:59] And obviously, you also have required here, which will mean everyone needs to have key. And because it's on the listener, by the way, and because I know you are new, you can have two different listeners on separate ports.
[32:11] And you can make one of them mandatory
[32:14] certificate while the other one allows both or either. Any way you want to do it, if you want to do that.
[32:21] Okay. Alright.
[32:23] So and then you can make it a lot more secure that way. But also don't forget that you have dual authentication as well.
[32:31] So if you want to
[32:32] to to force your customers,
[32:35] you can
[32:39] to require you can my bad. You can actually have dual authentication for them,
[32:46] which will require both password and certificate.
[32:49] And in this case, it's certificate or key first. We cannot change the order. We always ask for the key first.
[32:57] Okay.
[32:59] Got it. Alright. Thank you. Mhmm.
[33:09] Yeah. Olga, I can see the error. Get our support to look into that. I think it's Maverick and the open s s not liking each other.
[33:17] Alright. Thank you.
[33:19] Yeah. It's it's basically
[33:21] the good news is that something is changing, which means that at least they are reading what you have. So it might be just a question of adjustments of what needs to be over there, and you might need to talk to your partner as much as when none of us like doing that occasionally.
[33:36] Alright. But it's I I as I said, I've seen this kind of errors when one of the servers is trying to be too clever for its own good.
[33:45] Mhmm.
[33:48] Let me know how that goes. I'm Will do. Interested. Will But
[33:53] yeah. And if
[33:55] you talk to them first question that our support will ask you to know what they are running on the other end anyway. So
[34:01] okay.
[34:02] Okay.
[34:05] I don't see anything else in the chat.
[34:08] So
[34:10] what else do we have?
[34:17] I have a raised hand or is it older?
[34:20] Nope. Oh, yeah. Hey. Hey, Ani. Hi, Kamish here from DNB.
[34:25] We
[34:26] had an issue recently
[34:27] for a m in proc file wherein,
[34:30] actually, support has suggested us to increase the partitions
[34:34] to 10.
[34:36] So just wanted to understand more on what the partition is doing and how that it handles the file processing there
[34:43] When that is that is they have mentioned that there wouldn't be any deadlock situations happening.
[34:48] On what protocol is that? It's for SSH.
[34:53] Okay. And what was the which partition did they tell you to change? Because we have this a couple of cases. Partitions days to prebuild.
[35:02] Oh, in the in for the database?
[35:05] Yep.
[35:08] So the
[35:11] way
[35:14] It is just a suggestion that we had received and we had The
[35:18] what so with enterprise clusters.
[35:22] It's yeah.
[35:24] Yeah. An enterprise cluster.
[35:26] Yep. So with the enterprise cluster, in order for us to be keeping more of the tracking table and the server lock, we need partitions in the database and they are based on days. So for every day, we'll need to build a new partition.
[35:41] When
[35:43] we switch to the next day and we need the next partition, if it is prebuilt,
[35:48] then we can start immediately writing as opposed to taking resources to create the partition. And at this time, our TM gets a little hanged up because it cannot write anywhere.
[35:59] So that that's the whole logic into it. It's a database thing. Okay. So in general, is it like this partition happens by default
[36:09] by self or any certain time time frame in the morning or something like that? So that's where we have been seeing some letters in the file processing. Is it like, say, for example, it happens between 12AM to 1AM or something?
[36:23] Is there a periodic Yeah.
[36:25] It happens the moment we need to write into a new partition, which is at midnight, basically.
[36:30] The moment when the clock switches,
[36:32] we need the partition to be there to start writing. If it's not there, it's if it is not prebuilt,
[36:38] we need to build it on the spot.
[36:40] That's why having building multiples
[36:43] at the same time helps because when the when we need to build when we need to write into the next day, it's already there.
[36:50] Okay. Having the earlier partition being defined,
[36:54] does that not consume any memory
[36:57] for
[36:58] ST?
[37:01] No. It's in the database.
[37:03] It's in the database. So will that that that
[37:07] so just wanted to ensure that we do not have any DB logs that's happening on the partition, which is currently being written and others are
[37:14] being free to write write it upon.
[37:18] Yes. It it basically
[37:21] so so the way it works is that in order so with the big databases, it doesn't apply for standard cluster because our baby database
[37:30] doesn't need that. When you have the partitions,
[37:33] this is for searching indexes purposes.
[37:36] But because our partitioning is based on the date, the moment when you switch the date at midnight, we start building partitions. That's why I usually recommend not to have any maintenance jobs running at midnight on the application either because there is a lot of faster stuff happening at midnight. We rotate other files and so on. But when exactly the partitioning happens depends on your load. Literally,
[37:58] the first record that needs to be written after midnight needs to have the partition already built. And if it's not there, it will start building on the spot which will slow down everything because everyone
[38:09] is hanging and waiting for the partition to be built.
[38:13] Okay. Now that yeah. You thanks for the details, Annie. And now one further clarification on the same point. When you say the partition numbers to be five or 10 or 14, whatever, what is those parameters
[38:24] means?
[38:27] How many days ahead of time are built so that you
[38:32] need to take a break
[38:35] to build it on the
[38:38] spot?
[38:40] Okay. Yeah. For us, the suggestion was for ten or fourteen. So when you say ten days, we will have a partition for ten days in advance. Is it?
[38:52] There
[38:54] and keep the partitions still waiting in the database or when midnight here, pause.
[39:02] Sorry, Annie.
[39:03] You're cutting. Your wife is cutting.
[39:06] Yeah.
[39:07] Kamesh, yes. That's exactly what it is. We just build them at the CRM. Hold on.
[39:17] Okay. Is that better?
[39:19] Yeah.
[39:20] Yeah. Sorry
[39:24] about that. Yes. So it they will be just built and stay in the database. That's all that is happening.
[39:30] Having them there doesn't change anything for ASCII itself.
[39:34] Okay. Got you. Thanks But what it helps is when you switch over when we need to switch over,
[39:41] we don't need to do it on the spot exactly where everything else is happening.
[39:47] Okay. Yeah. Thank you. Thanks.
[39:52] Okay.
[39:55] Okay.
[39:59] I don't see raised hands. I don't see anything in chat. So anything else? And I have a live server. Oh, we have a question.
[40:08] Mark Lee, when upgrading secure transport to the latest version, what are some common issues that you customers are encountering?
[40:16] The
[40:19] issue will be so it depends on how old your previous update was,
[40:23] Mark.
[40:24] If you are just
[40:26] update or two behind, usually almost none.
[40:29] When you have a huge leap, it's the security.
[40:32] Cypher's max,
[40:34] everything we had retired, but your customer base haven't
[40:37] because of security concerns.
[40:39] So you will have people that cannot connect to you and servers you cannot connect to anymore every time you switch.
[40:45] We'll try to keep your configuration
[40:47] the same as it was before the update.
[40:51] But if it but sometimes we need to retire or completely
[40:55] disappear a cipher, and that's where things are happening.
[40:59] The other issues are usually coming from updated libraries.
[41:03] If the customer had been using
[41:05] something
[41:06] which was either a side effect or
[41:10] something usually on the weaker security set.
[41:14] But other from that, it should be pretty small saving. As part of the update, we keep
[41:20] all of the server configurations
[41:22] as they were as much as possible.
[41:28] And you're but and
[41:30] and now show that you are coming from 2022.
[41:33] First of all, you'll need to do a middle upgrade. You cannot jump directly into the 2024, so you know that I suspect.
[41:39] So you'll need to go through
[41:42] twenty twenty three January probably is the cleanest way. And then from there well, actually, you'll need to do two jumps because you cannot do more than 12 at the same time if you're more than twenty four months behind.
[41:55] Or just alter for you is,
[41:59] you expect
[42:03] that 10%
[42:05] of your customer base will have Cypher's or access that anymore.
[42:10] Just from
[42:12] general principle. And it depends on how how close they were monitored. The older the customer, the more likely there's the warning on old stuff.
[42:21] Other from that,
[42:23] not nothing clearly. I mean, it should be pretty straightforward unless you go straight into a bug somewhere, which happens.
[42:31] But
[42:36] other from that, are you are you just updating in place or are you doing a migration out?
[42:41] Mark?
[42:43] Just updating in place. Okay. That's good. Because with the update in place, all of your configurations will survive. So you are because the new servers, when you install them, their security is a lot tighter than it used to be. So if you're doing a migration,
[42:58] you'll need to watch for that because you're in place. The only things to look at, first of all, read through all the readmiss
[43:05] of all the releases between yours and the newest one because there are places where we specify what we retire
[43:11] and so on. So anything on the list of retired ciphers,
[43:15] retired kinds of max and so on, all of that will stop working with update.
[43:21] But other from that, there haven't been that many major changes, and I don't want to say that there had been a lot of major
[43:29] changes, but they had been new functionalities being called it as opposed to changing existing stuff for the most part.
[43:36] Are you using any plugins,
[43:39] especially transfer site plugins? No. We're not. No? Good.
[43:43] Because some of them has changed
[43:46] a lot since 2022.
[43:48] The s three is brand new.
[43:50] The SharePoint got a couple of updates. So if you're using just the standard set of protocol that comes with the product, it should be on the clear.
[43:58] But,
[43:59] for example, s three, we added quite a lot of new tanks into it.
[44:04] Everything called should still be working unless it turns out that their configuration was actually set in a weird way.
[44:11] So that's what I would watch out for. But it will be mostly ciphers and things like that.
[44:17] But you still would recommend
[44:19] not doing a complete jump to the latest version.
[44:23] We should do a hop to twenty twenty three and then You need yeah. You you need two hops actually looking at your version. You cannot do more than twelve months hop because we don't test that.
[44:35] So what you need to do is going from where you are, you are
[44:39] February 22
[44:40] to January 23,
[44:42] then December 23, and then come into '24.
[44:46] Okay.
[44:48] Okay. Got it. Yep. So the official line is we support you for three years.
[44:53] That's what the support is. However, the direct update is twelve months only.
[44:58] Okay.
[45:00] So
[45:01] and, of course, you can always try, but it's a production environment and, you know,
[45:06] if something fails, they'll tell you to do it anyway. So we never test more than those twelve months, and I try to keep it down to eleven. Just, you know, twelve is really talkative.
[45:16] So that's why I'm saying with you in in February, I would just do January
[45:21] and December 23, and then jump into whatever
[45:25] you want in '24.
[45:26] If you cannot find the older builds because we don't have them anymore,
[45:31] ask support for that and explain to them where you are and what you are trying to achieve. Because they might give you a later '22 build instead of the January.
[45:39] Just
[45:40] you just need to jump through.
[45:43] Okay. But it will be two jumps in this case for you.
[45:46] Okay. Got it. Which is also why I keep telling people,
[45:50] keep more updated, please.
[45:53] Because there is such a huge amount of security changes between
[45:58] for the last two and a half years that, as I said, you'll have customers that won't be able to connect.
[46:05] Got it. One
[46:07] other thing, by the way, and it is on the transfer sites and we got Kamesh, I can see you and someone else as well. But
[46:16] one thing and then it's Christopher Duncan after that. So one thing to be careful, transfer site when you're pushing and pulling
[46:23] and default settings.
[46:25] So the default ciphers
[46:27] that are on the server menu
[46:30] will only kick in if the site doesn't carry its own.
[46:34] So for any site and this is where you'll see a difference
[46:38] between different sites that look the same,
[46:41] but work differently. The ones that had been saved with the custom track with the custom ciphers
[46:48] will keep working with whatever the list was over there. The ones that are saved empty will use the default ones and the default ones will change for you. So you might have some transfer sites not working out of the blue. Usually, all you need is to go and save them,
[47:03] but just keeps an eye keep an eye on that. So I'll
[47:07] I'll I'd say to just keep an eye for pushes and pulls that cannot connect anymore.
[47:14] Makes sense. Yep. That makes sense. Okay.
[47:18] Okay. Kamesh.
[47:20] Yeah. Hey, Annie.
[47:22] The question related to RHEL version.
[47:25] So currently, we are on lawyer version of RHEL, which I think we will be getting
[47:29] out of support. So wanted to know if we wanted to move on to the latest RHEL version,
[47:35] is that we have to rebuild a server or we can upgrade the real alone? Will that be helpful?
[47:44] It will depend on what your OS admins tell you. Don't forget that you cannot have the cluster with one server on nine and the other on seven.
[47:52] I would not try in place upgrades between seven and nine just because if something goes horribly wrong, you don't have nowhere to go back to.
[48:01] So Okay. My recommendation is built a new environment on the site and migrate everything.
[48:06] Okay. So what would be in case of any custom practices that we have, so custom built things, so can that be carried forward?
[48:15] Define custom.
[48:17] Okay.
[48:19] Say, as you know, for D and B, we have various custom components that we have built in. So just wanted to know if there is any custom components that is built
[48:28] that can be just simply packed and taken to the new
[48:32] Rails
[48:33] server So
[48:34] if we're talking about plugins, yes. It doesn't matter what the OS is. If it's something on the OS level and can be built on their own, you will need to talk to whoever build it to make sure you don't have dependencies.
[48:46] Okay. Gotcha. Okay. But plugins don't care the OS.
[48:51] Okay. Gotcha. Okay? Okay. Christopher, what can you come? Thank you.
[48:56] Hey. Sorry about that. I guess I hit a key combo when I was in another window and it raised my hand. I don't have a question.
[49:03] Oh, okay. Well, you sure you don't have to ask a question?
[49:07] I'm sure.
[49:09] Okay.
[49:11] It's okay. Okay.
[49:13] Anyone else?
[49:19] Okay. I'm not even going to try to pronounce
[49:22] Vitas, I think, name. Yes. Yes. Yeah. Yes. I'm Vitas from from Origins. So I have a question regarding
[49:30] passive
[49:30] Doctor environment installation.
[49:32] So once you have, like, a shared database,
[49:35] which is not writable, of course, in the Doctor,
[49:38] is it possible to install the nodes simply by
[49:41] copying
[49:42] production
[49:43] of, you know, like, installation folder into
[49:47] corresponding
[49:47] Doctor server and kind of, like, bootstrapping those servers that way, or it needs to go through kind of, like, a normal installation?
[49:59] The
[50:00] official answer is you need to go to an official installation,
[50:03] and the reason for that is because we're doing a couple of weird things. We don't know how they'll break in the future.
[50:09] So my recommendation
[50:11] is
[50:12] build it as a separate cluster somewhere against its own database,
[50:17] follow the
[50:18] instructions
[50:19] to the letter.
[50:21] I know it's annoying.
[50:23] And then just point it to the correct database at the very end. You need to do that then.
[50:29] Okay. So basically You cannot just
[50:33] I see. So basically, install as a a totally independent cluster and then
[50:38] later,
[50:38] at the very end, switch to the shared database. Right?
[50:42] Shared database and shared Yes. And and replicated file system. Okay.
[50:49] Yes.
[50:50] If you look at the mhmm. Go ahead. Sorry. Yeah. I was reading that documentation.
[50:55] So, yeah, it seems to me kinda weird though. They're saying you need to install it, but how I can install it if if if I don't have, like, functional debt database. I only have, like, read only replica.
[51:07] Yeah. So Yeah. Okay. Yeah.
[51:09] It's the other way around. You basically install the Doctor as a totally separate cluster.
[51:14] Then, you know, that step where you you replace the configuration IDs in the configuration file. This is the step where you tell it you are actually a Doctor of another environment.
[51:24] Yeah.
[51:25] And then after all of that is done, then you you either start the which is not realistic, or at this point, you just repoint this server to the actual replica.
[51:36] Okay. So what to do then was, like, a clustered file system we we we use in our cluster of s so we can replicate. Can we use can I use it, like, from first
[51:47] step when I install you know, can I sit on that replicated
[51:51] file system while installing
[51:55] Doctor environment?
[51:56] Or, again, should I kind of
[51:59] have, like, a separate file system?
[52:02] So okay. So we support Gluster only for home folders, and it can be anywhere you want.
[52:08] Yes. That's the yes. Okay. You can point to the same one. I I reply I would point to a replica just to be on the safe side, but it doesn't matter. The installation itself doesn't care where the home folder is Yeah. At all. But yeah. Understood. Okay.
[52:24] Okay. Thank you.
[52:26] Thank you.
[52:27] And
[52:28] when you need to update it, we actually have two parameters.
[52:33] One of them to to tell the server
[52:36] tell the update that you don't want to start the services and that the database is already updated.
[52:42] So when it comes the time to update your Doctor,
[52:45] that's
[52:46] street pretty straightforward
[52:48] without breaking the replication.
[52:57] Okay?
[52:59] Okay.
[53:01] Okay. So for that purpose, you only run, like, admin services
[53:05] to update? Or Not even that.
[53:08] Oh, okay. You don't even need to run that because From the command line, do the update. Okay. Yes.
[53:14] Yes.
[53:15] Are are you using MSS? Which database are you using?
[53:19] PostgresQL.
[53:21] Okay. So when it gets to updates,
[53:24] they are not in the documentation. We're working to putting them there. One one of them is called DST
[53:29] DB update.
[53:31] The other one is called start services.
[53:34] They will show up in the documentation.
[53:36] If they don't, before you try updating your gear, open a support ticket for them to give you the instructions.
[53:43] Or I need to ask them that. Or or if they don't make it to the documentation next month or so, I'll just put them on an article in community. But there are two parameters on the installer. One of them is saying, don't update the database
[53:55] because in a Doctor situation, you are running with a replica of the production. The moment your production is updated, the database that is also replicated is also updated.
[54:04] All you need is to update the binary.
[54:06] Yes. And then start services is a property that tells the servers don't start after the update, which happens automatically
[54:14] because your database is read only, so it cannot even start.
[54:18] Mhmm.
[54:19] So we have we have the properties for that. The Okay. Yeah.
[54:24] The official rule is that you need to break the replication before you start updating.
[54:28] But we also know that some of the products that we use don't allow that. So
[54:35] Okay. Thanks. Yeah. Yeah. Just follow the as weird as it sounds, just follow the admin guide on how to build the Doctor step by step. Forget about the replicated database. Just run against the plain database.
[54:48] Build the secondary cluster on the site, and then just switch them to point to the replicated database. That's the cleanest way. Okay.
[54:56] Understood. Thank you. Mhmm.
[54:58] Okay.
[55:01] Okay.
[55:02] Do we have anything else?
[55:11] Hey, Annie. I actually do have something else.
[55:14] Sure. So we are actually moving away from Oracle,
[55:18] but we do have the option to migrate to Oracle RAC or
[55:23] SQL Server.
[55:24] Mhmm.
[55:27] I know if we move to SQL server, we'd literally have to blow away our entire environment and start fresh. However, if we move to rack,
[55:34] is that a better option to what we have existing?
[55:39] And have you ever
[55:41] gone through that process before? Because it it sounds painful.
[55:46] It is painful,
[55:47] and it will really depend on your DBA and what they're comfortable doing. From ST perspective,
[55:53] if they can replicate the database behind the rack and they give you the scan address and you shut down ST endpoint to the nearest scan address, we really don't care
[56:04] that database
[56:05] moved on us, literally.
[56:07] Because Oracle and Oracle Rack is the same database. Yeah. Yeah. It just it sounds like it'd be easier to move to Rack versus
[56:14] move to SQL.
[56:16] It's all
[56:18] more like
[56:21] Oh, you're cutting out again.
[56:24] Okay.
[56:31] Yep. There you are. Is
[56:35] this better? Yeah. It's a little better. So what were you saying now?
[56:39] Apparently, I just need to refer sorry.
[56:43] Moving to Rack will be cleaner. Yes. Because for ST,
[56:48] Oracle and Oracle Rack is still Oracle for us. So we don't care. With with Rack, we go against the scan address.
[56:54] So for all intents and purposes, it's just a JWCR code connection is just moving to a different database.
[57:00] What you just make sure you shut down as you completely before
[57:04] you move,
[57:05] because it cannot switch the database otherwise, but that's about it.
[57:10] Okay. But
[57:11] if your company's policies to go to a different type of server, MSS, SQL, and so on, it's not that hard. Yes. You need to blow everything and you'll lose the tracking table and so on. But the XML import will work. So all of your routes and accounts and certificates will come with you. So you might as well.
[57:31] Yeah. I'm just trying to think of the the least painful way to do this. But yeah.
[57:37] Okay. I would say
[57:41] Uh-oh. You cut out again.
[57:50] Because
[57:52] the answer will count them. Yeah.
[57:55] Okay.
[57:57] Okay.
[57:58] Awesome. Thank you. Back, I think. Is that better? Yeah. It's better now. I I I I you were cutting out with with your answer, but I I think I know where you're going with that. I mean, essentially, talk to the DBAs.
[58:09] I was saying the PA.
[58:11] Yeah. Mhmm. Okay. Yep.
[58:14] Thank you.
[58:17] Okay.
[58:19] Do we have anything else?
[58:39] Okay. Do we have any more questions or
[58:43] comments?
[58:49] Nope.
[58:52] Well, it's been It's like we don't just an hour.
[58:55] You wanna go back
[58:56] unshare,
[58:58] Annie?
[58:59] Go back to sharing it anymore. Okay.
[59:04] Let's see here.
[59:11] Where the
[59:12] why the screen is doing that?
[59:19] Well, it's all of sudden, the
[59:21] why the presentation went away. It was there before.
[59:26] See here.
[59:28] There. Do you see it now?
[59:32] No. Not yet.
[59:33] Let me go back to presenting.
[59:36] I think it just kicked me out, so I'll go back in. It's coming back in. There
[59:41] we go.
[59:43] Okay. So
[59:46] alright.
[59:48] Well, sounds like I don't see any more comments or questions in the chat.
[59:54] So
[59:58] I'll just move
[59:59] through, and then we'll give you guys a few minutes back to your day here.
[60:02] Just a reminder
[60:04] for online collaboration,
[60:06] and you'll again get this presentation
[60:09] by the end of today
[60:11] when we end this call. But you can click on any of the links and get questions,
[60:16] q and a forums, and different information with the different links. So in our Actsway community portal. So feel free to go there and
[60:26] get more information
[60:27] from what you need there.
[60:29] And,
[60:31] obviously, we have MFT videos on YouTube.
[60:34] You're welcome to look at those.
[60:37] And then we also do peer reviews
[60:41] through our g two, and you can go to the website
[60:44] listed here that, again, will be in the presentation. And as a thank you for your time, we will send you a $25 gift card. So just a little incentive there.
[60:55] So if there's no more questions, thank you again on behalf of Annie and myself. Thank you so much again for joining this
[61:02] secure transfer user group session,
[61:05] and hope you have a great rest of your day and end of your and rest of your week. And we'll see you soon.
[61:12] Thanks, everyone.
[61:14] Bye, everyone. Thank you. Thank you so much. In
[61:17] case you haven't seen, by the way, before everyone disappears,
[61:21] Astrid and Jerome are doing zero downtime updates. Okay. Everyone is going. So but there will be more user groups this week. So if someone haven't seen them.
[61:31] Yes. In the meantime, thanks everyone for joining.
[61:34] Talk to you next time.
[61:37] Bye bye.