# Transcript: 1038879037
# URL: https://vimeo.com/1038879037
# Duration: 5230s (87.2 min)

[0:02] Mentioned [0:03] this user group is about question answers, so the rules of engagement are very, very easy. If you have a new question, raise your hand so I know to [0:13] call on you. [0:14] If you have something to add to the question we are talking about at the moment, either an additional question or just a comment of how you do that in your environment [0:24] or clarification, [0:25] even you are not the one asking the question, just unmute yourself and join the conversation [0:30] so that we can keep things a little ordered. [0:33] But if we move to another question, if you have something for the older question, just don't hesitate at any point. We can return back to the topic and so on. [0:43] I have a live server I can go to if need be, [0:46] and then we'll start from there. So, and that's about it. And don't hesitate to unmute yourself and talk, or, [0:55] if you cannot or don't want to just type. I'm also monitoring the chat, so we'll be alternating chat and voice [1:02] as much as we can. [1:04] And that's about it from the housekeeping. For the ones that are here for the first time, welcome. For the ones that are, as I call them, my frequent flyers, [1:12] I'm very glad to see you again. I like seeing all of you every month. [1:16] So [1:19] and, yes, Mirza, the meeting will be recorded and you'll get the recording after that. So anything that happens, you'll have the recording of it. [1:28] Yep. [1:29] So [1:30] before [1:31] the meeting started, Mirza had a question, and we had to stop him because we haven't started even the recording. So we'll go there first. [1:38] So, Mirza, do you want to say your question, or do you want me to just read it because you also posted it in chat for us? [1:51] Mirza so Mirza was asking if the MariaDB will ever be converted to a flat file, the database itself. [1:57] And the answer at this point is no.
[1:59] In addition, starting from September this year, we're not using MariaDB anywhere anymore. We converted to Postgres. [2:07] So when you update your servers to Maria [2:09] to, [2:10] the September or later release, you will see, [2:15] the Postgres replacing the Maria, but it's pretty much still a database. [2:21] Mirza, do you need anything else from that? [2:23] Yeah. [2:24] Can you hear me now? Yes. I can. So if you're in October 24, if you look on the OS level, there is no MariaDB anymore. It's Postgres. [2:34] Oh, okay. So if if it's Postgres, [2:38] can you type the name of the file? [2:41] It it is a flat? What what is No. No. No. It's a PostgreSQL. It's a different database. Oh, it's SQL. It's not MariaDB anymore. Okay. [2:51] Just switched the databases. The reasons were multiple. One of them was we were using a very old [2:57] library [2:58] that we had to replace, and there was no new version. But also we needed to reduce the number [3:04] of databases we're supporting. And because we already have Postgres as an external database, [3:09] the evaluation showed that we actually can embed it safely, [3:13] so we just switched to that. So it is still a database, and it will remain a database. There is some HeidiSQL to log into the PostgreSQL, [3:24] and that works fine. [3:26] Can you repeat the question? Sorry. No. It was not a question. It was a remark. I I said we are using HeidiSQL as just a standalone to log in to the PostgreSQL, [3:39] and that works fine. [3:41] Yes. [3:42] Okay. But then we can see all the the tables. [3:46] So that was a [3:47] Yep. A good [3:49] So so yes. You can. But don't forget that if you are with the embedded database, we can change the schema at any time. [3:57] So don't do anything weird with the database. [4:00] The old rules of engagement [4:02] apply. [4:03] It was just to check what's [4:06] what was in the database. [4:07] I I understand. Believe me. I've probably done them more often than you have.
[4:14] I'm just saying it it it still applies. The old rules still apply. It is still an embedded database, [4:20] and I'm happy to hear that someone converted to that. That tells me you're on a new enough release. I'm very happy. [4:26] By the way, I own that on the test environment, [4:30] but we had a lot of issues [4:32] with the upgrades. [4:34] Both to the September and to the October release. [4:38] Okay. [4:39] Awesome. [4:41] Okay. [4:42] Sounds like we oh, we got that covered. Well, we can only own that with [4:47] Axway support. [4:49] But Do [4:51] you have your email address if I need to ask you further question, I can ask? [4:57] So Nicole can, provide that to you. You can also always post in the community forum. We'll talk about it at the end of the meeting where everyone is monitoring. So if I'm on vacation or missing for a few days, someone else can pick it up and other people can help. [5:12] Okay. Sounds good. So [5:14] and, of course, you can always call just call support. You know? Support is still around. No one that pays a sick so [5:22] okay. Good. [5:23] Anything else on this one? [5:26] Nope. Okay. Pierre, [5:28] is it possible to process EBICS protocol in SecureTransport? [5:33] Not natively. [5:37] Do you need SecureTransport [5:38] as a server or as a client [5:41] for EBICS? [5:44] Here? [5:50] I think he is muted. [5:52] As a client. [5:53] So okay. So ST cannot do it. However, actually, we have another [5:59] product called very used to be called EBICS client. Now these days, it's called financial secure client, something like that. I'm sorry. I I forgot what the new name is. That actually can do that. [6:12] So if you need to [6:14] connect to an EBICS server somewhere, [6:18] talk to your account executive [6:20] to get you access to the other client that we have.
[6:24] And there are no plans to implement EBICS in ST natively at this point, which doesn't mean that it will not happen, [6:31] especially when we're working as a client that that basically transfer sites in our world, [6:37] and those are pluggable, so something can be built. But there isn't anything at the moment. [6:48] K? [6:54] Moving to the next one. As a as a server, nope. As a server is not possible at all. [7:03] We just don't support that that protocol. [7:08] If you need it for a specific user use case, please go to the ideas portal and post about that because they are looking into what people actually need, especially with the financial [7:22] world that things are changing very, very hard at the moment. [7:26] So it's possible that we might have something on the portfolio. I I'm just not much into the non MFT [7:33] world. [7:35] I don't think we have something per se on the we don't have anything on the MFT line besides the client that I mentioned, [7:42] but actually has a couple more lines. [7:45] So I would say to [7:47] start there, start talk to your account executive, mention that you need EBICS. [7:50] They will have some materials for you and then open an idea if you need it in ST, especially if you need [7:57] the MFT and EBICS to mash, you know, get the file from somewhere else and send it or but the other way around. [8:06] Okay. [8:09] Okay. [8:10] Kamesh, you're next. [8:14] Hi, Ani. Yeah. My question is related to the disconnection [8:18] utility that we have. [8:20] Right now, we have it only for the SFTP and NTP. So how about S3 or any other protocols? [8:27] Is there a plan that you have [8:29] that to be implemented or [8:33] I'm sorry. I missed the question. So you have what do we have only for SAP and connection activity that we have the transfer site? [8:40] Yes. It is for SFTP right now. So do we have plans for other protocols like S3 and any cloud tools that you wanted to have?
So do you mean the do you mean the reusing of the connection? [8:54] Not reusing. The disconnection. [8:58] When you use the SFTP on the printer side, we have option to do a disconnection. [9:03] Oh, the test connection. Okay. Yeah. I was not getting that. I apologize. So Okay. [9:09] Not [9:10] at the moment. [9:12] Again, [9:13] what is happening is that we're hitting some technological [9:16] gaps there between what libraries we're using. [9:19] The SSH site is not the pluggable site. It was built way back in the days with a different technology, so it gave us a little bit of a [9:27] a ability to do something that we cannot do on most of the modern sites. [9:32] Mhmm. So Astrid had asked me to officially ask everyone if [9:36] you need that in a specific protocol [9:40] to either open an idea or vote on the already existing one if someone did it because they need to see where the need really is. [9:48] What I'm hearing lately a lot is S3 and SMB [9:52] because they are the big ones. But both of them are pluggable sites, [9:58] which means that the only way for us to actually implement it there will be to implement it first into the [10:03] SDK behind them, [10:07] and that will take a while. And they haven't planned for it because there are more urgent needs on top of it. [10:14] But it doesn't mean it will not happen immediately. So, yeah, and I you'll hear that a lot from me occasionally when I keep saying, open an idea [10:24] or, [10:25] go vote to an idea, but this is our route into R&D. I can go and tell them as many times as I want, what I need what I think people need or explain [10:36] to people what [10:38] needs to be done or, you know, try to convince them, but they really need to know the business cases and what it's blocking and things like that. [10:47] So Okay. Yeah. Sure. [10:50] Thanks. Okay. [10:52] Pierre, [10:53] I think it's still the old hand still up. So, [10:58] Pierre, unless you have anything else? [11:04] Think so.
Okay. Arpit. [11:15] Okay. Here is good. Arpit, you're up. [11:19] Did I mistake your name? Nope. That's what it says. Arpit Oh, sorry. I was on mute. Sorry. You're fine. And by the way, something I forgot to mention. I will apologize ahead of time. I mangle names. [11:31] I try to read them as best as I can, and I always manage to misletter somewhat. [11:37] So I apologize. [11:38] Just correct me, and I'll try to get better. [11:42] So okay. Go ahead. The the right pronunciation. [11:45] I just didn't unmute myself in time. [11:49] So I was I have a question from a licensing point of view for for secure transport. Like, how do we define a file transfer? As I see the definition on the contract mentions that the file [11:59] received and then delivered to a destination is considered a full file transfer. [12:05] So in terms where we get a file, for example, someone uploads a file to MFT and then we publish that file to another account, [12:14] that I think will be considered as as a delivery to the destination. [12:18] However, afterwards, if, [12:20] the user whether [12:22] was using the account where the file is published, [12:25] if they download that file many number of times, will each download also be [12:31] calculated as a separate file transfer? Will will [12:34] that be in line with the same file transfer since the file has been received and delivered? [12:39] So under the current counting, [12:41] the delivery to the account doesn't count as a transfer because the files still haven't left us. So when the file arrives, you deliver into the folder of the user. This is still to on zero because the file never left. [12:54] If the end user downloads the file once, that's one transfer. If they download it 20 times, that's 20 transfers. [13:01] Okay. Understood. So So we, basically, we don't consolidate or do anything else. Now [13:08] there might be changes to that next year, but not in this scenario. 
[13:12] But for the most part and this is one of the things I see a lot when I am talking to [13:20] customers that are still on that are still on licenses, [13:24] where they have a partner that comes every five minutes and that just downloads the same file over and over Mhmm. This will count as additional transfers. So we need to clear those. Plus, it's, I think, load on your server. [13:35] Yeah. Definitely. Yeah. It does But, yes, it's so, essentially, we count when we so when you do send to partner or send to site from basic app or something like that or when you have a user coming and grabbing the file, that's what we count. [13:51] Okay. The file leaving ST will be considered as a single file transfer. Okay. This is this is a transfer for us. So file arrives and leaves. Now how it arrives, we don't care and so on. But the definition, [14:03] the way we count at the moment is essentially the actual outbound [14:07] Mhmm. File leaves and leaving with any of the transfer sites. It doesn't matter which one it is. So if you deliver it to an S3 bucket, that's a download. That's, again, a delivery. Right? Correct. [14:20] So okay. Yeah. Makes sense. And and and how about resubmission? So if we resubmit a failed transfer or a successful transfer, so until someone [14:30] downloads or [14:32] that that will not obviously obviously count count with with the with additional file transfer. But if we resubmit a file and that goes out using send to partner via a transfer site, and will that also be an additional Yes. File transfer? Okay. Yeah. Makes sense. It doesn't matter how we initiate it. If you do a [14:49] on demand push through the API, it counts. If you do a user comes and download, it counts. If you rerun the same file and go goes again to the five places it went originally, it counts. [15:00] Okay. Makes sense. It all counts. [15:03] It's essentially don't overthink it, at least on the current rules. But if if it leaves, it counts.
That's that's what it is all about. That's what I'm trying. So in order to to to track this or to metricize it, if we do the outgoing [15:21] in the extra logs, if we if we just check the outgoing file transfer, would you think that will be the the right [15:27] way to calculate the number of file transfers, or is there a better way to to to track them? Actually, [15:34] if what version of s what release are you on? I think we are still on the May release. We are going to go to the September release. So good. But Yeah. But okay. So but you're at '24 release. Right? This is the release. Yep. Yep. So if you go to [15:50] setup, let me know when you see my browser. [15:54] Oops. Yep. [15:55] Okay. See it now. [15:57] Steven, I saw your question. You're next. [16:02] So [16:05] if you go to to to to where we are. You go to setup [16:10] and you go to server license. [16:12] At the bottom of the screen, you can actually generate your load, and it will actually count everything you needed to count for whatever days it tell you tell it to count. [16:21] So you could say last thirty days. [16:25] You don't need to submit to the Amplify platform if you don't want to, and you can there are a couple of checkboxes here that do to include inbound transfers or not, and this is new. This is just for the newer ones. You might not see the exactly same check boxes because you're in May. [16:40] But [16:41] include account effective users is if you are still on the old license model because this is where it was needed. [16:48] The incoming file volume is needed if you're in our managed cloud or if you need to account for how many bytes come it come in because of how cloud charges for for for data. But [16:59] if you you can disable all of those, so the incoming file volume is slow ish. [17:05] So if you just want a quick check, I usually disable it unless if I really need it so that you don't need to do the calculation. 
[17:12] And then you can do last thirty days or whatever you will need to do here, and it will just do the calculation for you. If you just go to a tracking table or saying, you know, or something can just do the outbounds [17:22] Mhmm. What you need to remove is after that to remove so if you do that, you go to the tracking table. Let's do it with a tracking table. It will be the same in somewhere else. [17:32] And then hold on a second. You have too many. [17:36] Go to advanced. [17:39] And on the protocols over here, you want to there is one [17:45] called routing, [17:48] which is not even here it is, advanced routing. You need to remove that one. So either pick all of them, but if you get other [17:55] part other sites, it will not pick them up. The easiest way is just to count the advanced routing ones only, then count all and remove the advanced routing ones. The advanced routing ones are basically the published to accounts. [18:08] Right. The ones that are outbound, but don't count for this license [18:13] for the subscription. [18:15] Okay. Wonderful. So that that's what you need. And from here, obviously, you do outbound. [18:21] You do [18:22] files only [18:24] because you don't want the messaging if you do PeSIT or something like that or some of the messaging messaging protocols. [18:31] And then [18:33] for you know, you can play with it. Just successes. [18:35] So any more failure failures don't count. Okay. Just successes. [18:40] So all you need is successful [18:42] outbound, which are not routing. That that's the definition, the easiest way. And, again, [18:47] this is valid at the moment. Later next year, [18:51] there might be something changing, [18:53] especially in some use cases. In your case, I don't think so. [18:57] Okay. [18:58] But they had been revising some of the policies and counters and so on. Okay.
So will that be for new subscriptions [19:05] or will that apply for existing subscriptions [19:08] as well, which are valid for, say, another few years? It will be valid for everyone because if you look at how the contracts and it will depend a little bit on when you signed and what contracts you had and so on. [19:21] Essentially, the current counting [19:24] is under counting when you're on prem and when you never use ST to pick up the file, when you just drop it somewhere for someone to pick up on the OS level. [19:34] That's where the blind spot is. Okay. Okay. And we had always known that. [19:39] So [19:40] now the server with is a lot of this in the last year or so, we had done quite a lot of changes on the server [19:49] to allow us [19:51] to [19:54] to keep better track of what files are where and which file is which, you know, between core ID and a couple more things. So now we have a little better control. Because when discounting started a few years ago, we literally had no idea which outbound belongs to which inbound unless you had Sentinel in the picture. [20:11] So Mhmm. Okay. [20:13] Okay? Makes [20:14] sense. And and one additional question. So Sure. What [20:17] is it the core ID that links the inbound to outbound or which ID or [20:23] or the thing that we can use to just Yeah. It's correlate the inbound to the outbound so that we have the full cycle? [20:31] It's not that easy, actually, actually, even with the core ID. So there is a multiple IDs depending on your scenario. [20:39] Sometimes you'll have multiple core IDs, for example, when you do unzip because we need to split one for each file. [20:45] For the most part, core I if you have a straight transfer, it will be core ID. [20:50] However, with publish to account, we need a second base transfer over there, so things get a little weirder. [20:56] In the Sentinel world, we actually have additional ID we're specifically calculating for it. 
From the ST perspective, [21:04] my advice is run one of your transfers and then open the tracking table entry. It will have all of the IDs [21:10] and just figuring out which one works for you. [21:13] Okay. [21:14] Especially the inbound, outbound. And we have we keep adding new and new IDs over there as much as we can. Okay. Okay. Thank you for that. [21:24] But one of the things to remember with ST is that we don't keep track of the files in the database per se. So at the moment when we drop the file into the other user's folder, [21:35] it [21:36] essentially, it we try to keep track that it's still the same one. [21:40] Right? [21:42] But it's parked through the STFS folders occasionally. [21:46] And if you delete those, we don't know what that is anymore. So there are cases where we might lose the information. [21:53] When they download the file, we don't go to the database to try to figure out where this file came from. We'll check locally, but that's pretty much it. [22:00] So [22:01] Okay. [22:02] Thank you. Okay. Yep. Okay. [22:06] Steven, [22:07] you're on MSSQL. [22:09] Right? Which doesn't matter, actually. [22:13] Morning. Hey, Steve. [22:14] Good morning. [22:16] So [22:21] I can see the question. Do you want to set to to talk to it, or do you want me to just read the question and we can start from there? [22:29] I can ask the questions. [22:31] Sure. So [22:33] we are on September [22:35] update on for our ST 5.5. [22:39] And [22:40] and as you mentioned, [22:43] that's [22:44] I already convert the internal database to PostgreSQL. [22:49] So [22:51] now with PostgreSQL for the edge, [22:54] the database is set to be auto sync. [22:58] However, [22:58] we're moving towards [23:01] a ZDU implementations. [23:03] And instruction is saying that we need to break [23:08] the [23:09] edge [23:11] or the set [23:13] from the the core and the edge away from the auto sync [23:18] database configurations.
[23:20] Since [23:22] our PostgreSQL is auto sync, how do we go about breaking the edge out from auto sync? Okay. So it is, but it's also configurable. [23:32] So if you look at the configuration of the edges, [23:36] what happens in the new Postgres edges is that instead of having each edge talking to its own local database, [23:45] we have the secondary database just sitting and being updated while both the primary and secondary edge or all of them talk to the same database. [23:54] So what you need to do [23:56] is to reconfigure the edges [23:59] to be non syncing [24:02] so that you basically stop the synchronization [24:04] to force them for each of them to to use its own database. [24:13] And how would we go about [24:15] configuring [24:17] that to be non sync? [24:18] I'm not seeing this instruction [24:21] over on the [24:22] ZDU pages. [24:25] It's not it won't be in the ZDU pages. It will actually be in the edges configuration pages. I don't have an edge up. I just looked very quickly, [24:33] so I cannot show to you that exactly. [24:36] But [24:38] the pay so there is one page [24:41] on the [24:43] so if you go to the database [24:46] set setup page on the edges where [24:49] you configure the cluster itself, where you basically tell it where database is and who to sync to whom and so on, you need to disable everything over there and point each of them to its own and remove the rest of the nodes. You basically need to set up the edges to be independent servers and independent edges [25:07] as opposed to being part of a cluster. [25:18] Did I lose everyone? [25:22] Just me. [25:24] Oh. No. Okay. [25:26] I [25:27] don't I don't have an edge, unfortunately. Let me see if the server will actually [25:32] the servers are working a little differently in that regard. So because you cannot even on the servers hold on a second. Let's go explore some things. Hold on. [25:42] Where [25:44] did my server go now? [25:51] Okay.
So if you go to database and it will look a little different on the edges. I just don't have an edge at the moment. [26:03] So [26:09] you'll need to disable so this is a single server, so I don't have anything. You'll need to disable the replication [26:15] on the edges. [26:17] Okay? [26:19] That will basically stop them from syncing into each other. [26:22] And you need to make sure that [26:25] the connections over here are to the local and not to the primary. So on the cluster, what you know will happen [26:32] is that you have the host to the primary setup. [26:36] So what you'll need to do is to disable all of that. [26:43] Where you want to look is at the installation guide probably, [26:46] what which explains how to install the new edges when they are not clustered. [26:51] So [26:52] when you have the two edges at the bottom somewhere [26:55] so this is different. Again, this is the server, and I don't have that. [26:59] But there are a couple of [27:02] so, you know, where if you have the access policies as well that explain who can see what, [27:07] all of that needs dismantling. [27:10] If you don't [27:11] find that, [27:13] open a support case because I'm pretty sure they already have the procedure for that of how to convert. [27:19] It's pretty straightforward. You disable it temporarily. You go to the ZDU, and then you can enable it back. [27:29] Make sense? A little bit? Yes. Yes. Yes. Yes. So [27:33] so it's not much it's not much different from the old world. So in the old cluster, [27:39] you had to go and change the server's file to to stop the replication between them. Right? Now we don't have a server's file anymore. Now it's everything is on the UI. So you do exactly the same. You basically tell it you are on your own. You don't have a partner. That's all you need to do, really. [28:01] Thank you. [28:02] Thanks, Annie. [28:03] Okay.
And [28:05] if you still are lost, as I said, work with support or drop me a mail so I can see if I can put together an edge quickly. [28:12] I it's just I I [28:14] I used to have a whole cluster. I was looking for it. My lab died, [28:18] so I had to rebuild it, and I haven't gotten around to to the edges yet. [28:23] Okay. Alright. But it's it but they are pretty straightforward. [28:27] You just when you look at the UI, it's pretty straightforward where you want to stop it. Now [28:33] here is where you need to make some decision as well because and this is where we're still working a little bit on that [28:40] because we need them to stop replicating [28:43] so that during the ZDU process, we have one live edge. [28:47] But and this is critical [28:49] because remember that the second edge is working off the database of the first one. So if you update just one of them, the other one becomes dead in the water unless it's using its own database. The good news is that as soon as you update everyone, [29:03] you can I so the edges replication [29:06] is not functional, [29:08] which means that you can keep them disconnected for as long as you want? And when you are ready, you can connect them again and just override the other one of the databases [29:16] from the primary to secondary with the replication. [29:19] So you don't need to plan to set up the replication again immediately after the failover, [29:25] after the ZDU finishes. [29:28] It's a good idea if you if you're using local admins and so on for password and so on, but it will not functionally change anything if you just leave them disconnected for a while. [29:42] Yes. Definitely the same. [29:44] Yeah. [29:45] Okay. [29:46] And I know that we had a couple of people on the phone at the moment, [29:50] which I've talked about that just plan not to get their edges synchronizing at all [29:55] for various reasons.
[29:58] Because it's, yes, it's helpful when they're synchronized for the configuration and so on, but also it's pretty straightforward to break the synchronization. And for ZDU, it needs to be broken [30:08] because of how it works. [30:10] And before anyone else because I got that question last week. Actually, we're not going to have ZDU for edges only, you know, something like double databases inside of the Postgres. That's just an overkill. [30:22] So [30:23] okay? [30:25] Alright. Thank you, Annie. [30:30] Anything else from you? [30:35] Nope. Okay. No. Mirza has not on at this point. Okay. Good. Mirza has another question. How can we transfer syslog to Splunk? [30:45] Well, ST doesn't do syslog to start with, so I'm not sure which logs you are asking about exactly. [30:54] We [30:55] have a team [30:58] which [31:01] it's a security cyber team, and then they want to monitor the [31:05] syslog of the [31:07] go anywhere, [31:10] Axway SecureTransport server's syslog. [31:15] So because most [31:17] of the stuff written in a DB, so they cannot break into the DB. So they [31:23] want to see that [31:25] if if they can have [31:27] a communicate [31:28] with their [31:30] Splunk [31:31] Splunk log [31:33] server so that [31:37] they can they [31:38] can monitor live [31:40] the syslog of the Yeah. [31:43] So are you in our cloud or are you on prem? [31:46] No. [31:48] We are not on cloud. We are using [31:52] internal Okay. [31:54] So Okay. We don't use syslog. What we're using is log for so for most of the logs, like server logs, we use Log4j. [32:02] We also but we also can have a double logging where we log in the database, but also [32:09] we can log onto the flat files. So if you look at the admin guide, [32:14] there is actually a section about forwarding logs [32:18] to flat files. [32:19] Okay. That will explain you how to do it, and you can do both database and flat files at the same time without much of a performance hit. [32:27] Okay. Yeah.
That will be great. [32:29] So [32:31] open the admin guide, look for flat files or logs or something like that. You will find the section you need to change a couple of files on the file system, the Log4j files. [32:41] This is for the server log only. [32:43] The audit log and the file tracking cannot be done that way because they are not Log4j's and they are not logs. They are basically objects. [32:53] So But server log, you can do that. [32:56] Server log, [32:57] I mean, not OS [33:00] log. Application log, I'm looking for [33:04] Axway SecureTransport's. [33:06] So secure transport okay. Let me get my browser back up. So everything that every log we create [33:13] goes to what we call the server log, which is in the database. [33:18] Okay. And this is this tab over here. [33:21] Right. There are multiple files, multiple objects, and so on. This one that is here under server log can be for can be written both on disk [33:30] on the OS level [33:32] and [33:33] on the database at the same time. You just need to do the configuration for that. [33:39] Okay. [33:40] If you go on the OS level under the installation directory of secure transport, there is a folder called var logs. [33:48] Not the var logs [33:49] of the OS level, the var logs under secure transport. [33:53] This is where all of the flat files are. [33:57] It will be everything you already forwarded plus everything that doesn't go to the database. So the database error log, for example, is always there because that means we don't have database. [34:06] We have a database fallback file over there, which is when the database is busy or dead to a place to write whatever we still have in the buffers, things like that. Once you go to those files, they're just flat files, [34:20] and they can be consumed in multiple ways. Just don't remove them in real world. Right? Because we keep writing. [34:28] Okay. [34:30] So [34:31] you said it is it easy to do it? Yes. Absolutely.
And there is step by step in the admin guide. [34:37] In admin guide, the new admin guide, 5.5 [34:41] with [34:42] Yeah. Any of the admin guides. It has been there forever. [34:46] Okay. [34:48] So if you open that so okay. We can go there. Hold on. Okay. Thanks. [34:53] Here is the documentation, [34:56] and then I'll look for flat [34:58] files. [35:01] It's [35:03] not here, but I'll start from here. [35:06] Let's see. Redirect Log4j output from database. [35:10] That's the section. [35:13] And if you look down there, it explains how to change, what to change. So there is appenders, [35:20] different appenders, [35:21] you can change them and change any of them that you want, and they can go [35:26] either. So this is how explains how to do the ones for the admin. [35:30] Each of the services has its own Log4j file, and you can forward as many as you want. [35:37] So [35:38] pretty straightforward, [35:39] really. Okay. So the the you said that these will go to the as a flat file in the in the OS level [35:48] Yes. Directory? [35:51] They will go into the var logs directory usually. [35:55] This directory under the home folder of the user. [35:58] But but when you create so this is the by default, which doesn't mean that you cannot put it somewhere else. It just need to be local. Don't put it on a shared storage because this will kill your performance. You want it locally on the similar. Well, we want to keep by default where they are, [36:13] but [36:14] you also said that they [36:16] can be there, plus we can have it as a flat file too. So Yes. Where where the flat files will go when I will you keep both of them? [36:26] So the flat files will go in the var logs folder. That's where the flat files go. The database file on your database. [36:34] Okay. So [36:36] one log will be the for flat files and database will stay in the database directory Yes. By default. Yes. And they can be written at the same time.
So it's basically every log message is getting written in both places. [36:48] It is Log4j. Log4j has the ability to do double loggers in the same append double appenders in the same logger. [36:54] So that's what really is happening. [36:57] Yeah. That that that we want because we don't want to touch a default log file, plus we want to to return in a flat file so our Yes. Other team can see whatever they need to see it. Yes. [37:11] And, again, [37:12] if you and if you get stuck and cannot do the changes or you're not sure how to, just ping open a ticket with support. They'll be very happy to help you and give you the even more details step by step, but it's pretty straightforward. [37:24] Sure. They know the because previously, [37:27] I have done it. [37:29] Mhmm. It wasn't very helpful. So if they are up to date notes, so I will open [37:34] the case again with them. Yeah. I so part of the challenge with this kind of documentation is that most of the people that do the documentation and do the thing have been doing it for so many years [37:45] Right. That I [37:47] I'm blind to the problems in some of those things occasionally. [37:51] You know, I I read it. It makes sense to me, but that's because I know how to do it already. So and this is, by the way, a a note for everyone. If something in our documentation is not clear, like this one, if you find that it's not good enough or Steven about [38:05] how to set up the how to stop the edges replication, [38:09] Set open a ticket with support. We all also have if you go to the live documentation, [38:15] there is, let me just minimize things. There is a feedback button over here. It goes directly to the to the documentation team. [38:24] So [38:24] I would urge everyone [38:27] whenever you read our documentation, if you see something unclear, incorrect, or something that just can use more clarification, use the feedback button. It will not get you help. [38:37] It's not for that.
If you need help, open a support ticket, [38:41] but or or posting community. [38:44] But if you just want to send some feedback back to the documentation team, what needs fixing, [38:48] they are pretty good at reacting on the feedback button. [38:52] That's why we invented it. So we would love some feedback. [38:56] And if it is this is useless, just tell them so. Well, explain why. [39:01] You know? We can do some That's good [39:04] that you explained me. I didn't know that. Plus, [39:07] find previously [39:10] that many [39:11] steps are not clear, and I'm [39:14] not putting your support team down. But, [39:17] unfortunately, [39:18] sometime they just [39:20] give you the same link, which you already have gone through and make no sense. So it's good that you [39:27] have improved your support [39:29] team that Yeah. Bring them up to date. So when that happens, usually, that is because they don't realize you saw documentation. [39:37] You will not believe the number of people that open ticket without even looking at the documentation. [39:42] So what I find useful when I had already looked at the documentation, [39:47] but something is not clear is to when you open the case is to explain to them which part is unclear. [39:53] You know? Right. [39:55] Instead of just asking them how to do that, you explain this is what I follow. This is the steps I am in. This is where I am. I'm stuck. [40:02] I know it's gonna work, and I know that it it sounds like we should be better at that. But the reality is with the number of cases and numb you know how it is. [40:12] And [40:13] ninety percent of the people that ask how to usually just need the link to the documentation [40:18] in my experience. [40:20] Yeah. As long as the documents are step by step, [40:24] the the people who support the software, they can do it. 
But sometime [40:29] things are not, as as you said, is not as clear as we thought we think, but it's it's good that things are getting [40:39] more [40:40] clear. [40:42] Yep. [40:43] And, [40:44] again, [40:45] we [40:46] there is a huge amount of documentation. [40:48] So the more you can link us to what's wrong, the better and easier for us to find it. Right? [40:56] Okay. [40:57] Good. [40:58] I have a few questions in the chat, and then Varun Kumar will be next. So in the chat, [41:05] Gayat [41:06] okay. I cannot pronounce your name. Gayatri? [41:09] I'm man Mangolith. I apologize. [41:12] How is the life cycle [41:13] managed for internal users and external partners? [41:16] What do you mean under life cycle? [41:23] Hi, Annie. [41:25] Life cycle in the sense, like, [41:27] from the time [41:28] they part they join as a partners to transfer files [41:32] Mhmm. Till, [41:34] till they leave the [41:36] customer, [41:37] or the the vendor leaves. So how that is maintained, like, through [41:41] active directory group, access access authentication, [41:44] or how these are maintained. [41:46] So we are newly building up this, [41:49] actually, a multi platform. That that's what I needed to hear. Okay. So if you are newly aged. So we can do it in multiple ways. [41:57] You can have local accounts, [41:59] which is basically give them direct access into ST, create them onto the ST. When you create an account, [42:05] we keep the account creation date. We keep the last modified date. We keep the last login date for the users that ever logged in. I haven't yet, obviously, [42:15] but other accounts might have, [42:17] and so on. And we have a account maintenance application under the applications, [42:23] and maybe [42:24] it's even set up, [42:26] where you can specify what to happen to those. So for example, you might want after ninety days of inactivity to disable the accounts. [42:33] Activity is considered a login. 
So if they don't show up in ninety days, you can either disable them, delete them, and so on, [42:40] and you can set it up differently with different actions. [42:43] So this is for local accounts, or you can just leave it there forever, you know, up to you. [42:48] We do support SSO and LDAP as well, both for local accounts and and for what we call the template, which is non which is where we don't even need to create the local account. So when you have a local account, you can either have the authentication locally, [43:03] password or key that is saved inside of ST, [43:06] or you can have a password through or some other mechanism through SSO or LDAP [43:12] or SAML [43:13] or OAuth out OAuth two, in which case the life cycle is actually handled outside of ST. And [43:20] when they disappear from the SSO, even though they have a local account, they cannot log in because their login details won't work. [43:27] For those accounts, you might want to do some other cleanup because [43:32] even though the login [43:35] so you for [43:37] them, you might want to set up the account maintenance [43:40] to be cleaning them if they don't log in because [43:43] for whatever days. You know? Or you can have additional service to remove them from SQL, something like that. So it's really up to you and based on where your account or your users are and how you want to handle them. And the the the best part, you can mix and match. You don't need to just pick one pattern. [44:01] You can have one pattern for internal people, different for major partners, different from one u one off users and things like that. [44:11] Does this help? [44:14] Yes. Like, for both the for both the local account creation and eval, even through SSO authentication, [44:21] we need to manually come and delete if they are [44:25] gone. Right? [44:26] Like, even [44:28] If you delete them manually, they are gone. Yes. 
If you if you run with local accounts, [44:35] if you use the account so because we'll have the last mod the the last login date [44:40] Mhmm. [44:41] If you use last login date in the account maintenance application and tell it to delete if no if the user doesn't log in in thirty days, we SDK can self clean as well. [44:52] It depends on what you want to do. So and and that's why I'm saying you you don't need to pick one pattern, but you can also pick. And if you're using SSO, you might not even need accounts because we have the account templates [45:05] which allow you to specify [45:09] some some certain parameters [45:12] and how to [45:14] get the user in based on [45:17] what the SSO based based on SSO parameters, for example, [45:21] so that you can allow them in and to do things, for example, to drop files or to receive files [45:27] without even having local accounts, in which case there is nothing to clean. Because as soon as they are disabled in the SSO, they will not be able to get to us anymore. [45:36] But, also, a user account, if you do a local user account with external authentication, SSO, whatever, [45:44] As soon as the external authentication stops working, this account is dead in the water anyway. [45:50] Okay. But, yes, you need to clean them up somehow. Usually, the account maintenance is good for that, but you can also just go delete them, or we have APIs. [45:59] So if you can set up a process somewhere where whoever is disabling in the SSO can call the API to also disable or remove in ST, [46:07] or you can have them disable at this stage and then delete it later down the road. Or any way you want to handle it, we can support it for the most part. [46:17] And between the APIs and everything else, it it kinda sorta gives you all the options. [46:23] Okay. Generally, what what is the recommended approach that, actually customers have for these, life cycle management of these users? [46:33] That's the million dollar question, isn't it? 
The answer is, [46:38] so because you are new, one thing you learn about SD is that in a lot of cases, there is really no best case scenario [46:46] Mhmm. Because it depends on your organization. [46:48] If you're [46:49] it it's there isn't best, [46:52] and that's why I pointed out multiple ways because each of them is best for a certain place. [46:57] I have a customer that doesn't have any local account and only operates through templates. [47:02] That means that each user that, basically, you cannot have specific [47:07] app, specific things for each user. They are basically following the same pattern, different folders and so on, but all of them are doing the same things, essentially. [47:15] And we have some that have every each each other. [47:19] My recommendation [47:20] is to use the maintenance application if you have local accounts [47:25] just to clear up case. [47:27] But, also, [47:29] it really, really depends on if you want the passwords, the credentials [47:34] stored locally or not. [47:36] Because when the [47:39] the credentials are stored elsewhere, [47:42] SSO, [47:43] OUT, s you know, will end up and so on. [47:47] Now you have actually a double object, so you need to do some planning on how to make sure that you don't have too many dead objects in ST [47:56] that cannot connect. [47:57] It's safe. It just can get cluttered. [48:00] So there isn't a best practice per se because we are not prescriptive on that. That's why we have so many options. And [48:08] what you learn about ST is that this will be happening everywhere. Every every time you try to do something, [48:14] you'll have at least four options depending on how exactly you want to do it. [48:20] Just because it's think of ST more of a platform [48:24] and more of a [48:26] big tool set [48:28] more than a single product that just do two things. [48:32] Right? Which gives you a lot of flexibility, [48:34] but also is very, very challenging when you're starting with it sometimes. 
[48:40] Okay. [48:42] So for the for the SFTP services and, I mean, secure transport, will maintain the accounts even for the SFTP service that is exposed to by X-ray cloud. [48:54] How does accounts are maintained for the external partners? [49:00] They are created as local accounts in ST? [49:04] The same name? Yeah. Yeah. Okay. Yeah. [49:07] ST perspective so okay. So [49:10] if someone needs to connect to ST, they either need an account or they need to be mapping into a template. That's basically how it works to another service. So there is no other option. [49:21] If ST is going to connect to someone else's server, [49:25] those are called transfer sites, and they're configured inside of the accounts that need to talk to them. So if you need to push or pull a file, then the connection details for that is inside of the account in what we call transfer sites. [49:39] That's pretty much it. [49:41] Okay. [49:42] And there is also an SFTP service. Right? And maybe this is all regarding the secure transport, I think. Yeah. But for the SFTP services also, it's the same, like, access SFTP, [49:54] sir. [49:57] Now we renew, like, we have the secure transport back end and the admin edge services, [50:03] admin admin UI and edge services. And there is a internal SAP [50:08] service and external [50:10] SFTP service. [50:12] Okay. So okay. So the so the SFTP, [50:15] is for file transfers, is part of secure transport. So when we case say secure transport, it means all of our protocols plus the admin, plus the databases, and everything else. [50:26] So the admin accounts are separate from the user accounts. So everything you have with the server side just and so on to connect to this UI [50:33] are just administrations work. It's just for your use for your admins or our admins or whoever is managing. [50:40] When a user comes to you, a partner, internal, external, or something like that, they'll be connecting to one of our protocol services. 
[50:47] The HTTP [50:48] or the SSH or PeSIT or AS2 or FTP, whatever you enable, [50:53] and the same credentials will work across all of them. [50:56] So the account I was just showing you, when you have a username password over there, it will work for any of the enabled services. [51:05] Okay. Even for the public, [51:08] publicly exposed, [51:10] HTTP, [51:11] service, like web client, publicly exposed web client. This is this service over there. Yes. [51:17] So ST is a gateway. When you create a user, unless you do a login policy that specify that this user will only use one protocol, which is unusual, but happens. [51:28] By default, an existing user will have access. Regardless [51:33] if it is on the external or internal because the edges don't carry accounts, it just streams to the server, [51:40] they can log in. You can do password policies. [51:43] The sorry. You can do login policies [51:46] to assist who can go from where and so on if you want to. [51:51] Okay. But the moment when you have a username and let let let's keep it easy. If you have a username password [51:58] and you enable HTTP, for example, [52:01] and SFTP, [52:02] it can be used on both. [52:06] Okay. [52:07] And, of course, we have security. So you can say, for example, SSH cannot use passwords. It requires keys, which means that even if you have a password, we will not let you in because we require a key. [52:17] But that's just configuration. [52:19] But for the most part, from an ST perspective, [52:22] an account exists for all protocols at the same time. [52:25] And external and internal doesn't make a difference unless either you have a separate set of servers, [52:31] which in cloud you don't, [52:33] or you have a separate set of login policies that specifically specify that this specific user can or cannot do something. [52:41] Okay. [52:43] Okay? [52:44] Okay. Thank you, [52:45] Annie. Absolutely. [52:47] Okay. [52:50] Back to the chat. Alana, [52:53] Splunk it fatflies.
[52:54] You're implementing [52:55] you have extra log looks different on the admin UI and in the files? [52:59] Open a ticket, please. [53:02] Okay. Yeah. Thank you. And I [53:05] I it it's it's fine because it's aborted, [53:08] and that's by the user, but I I do want to have that kind I want that matching from what we see in file tracking on the admin UI. [53:16] So, yeah, it should be matching. So it might be there might be some differences in how you would present things when we're writing them. [53:24] But if you have differences in the numbers or statuses or [53:28] something like that, get support to look into it. [53:31] Okay. We'll kinda take it for that. Yeah. Yeah. If it is the formatting only, [53:36] you actually have control of that. So it might be just a configuration tweak. [53:40] But if especially if the numbers don't match, get support to look into it. They should really, really match. [53:46] Okay. Perfect. Thank you. And then just circling back, on the previous question because that was really cool. I had no idea that account maintenance was a thing. [53:57] Is that available for admin accounts as well, or is it just [54:02] No. It's accounts only. It's the local only. So we don't want to do a lot of things on admin accounts because there we don't have that many customers like you that have a lot of them. [54:13] And when you have just a 100, you know, you can manually fix them. [54:17] Yeah. Okay. [54:18] And I know you I know your use case is a little different because I've seen your server, but, [54:24] you know, what I'll tell you. Right? Open an idea. Maybe we'll explore it. [54:28] Yeah. Perfect. Yeah. Because we have a lot of account or admins that are read only, [54:34] so they can look at file tracking. Obviously, we're trying to implement Splunk so they don't even have to [54:40] Yeah. Have an admin account, but, [54:42] that's a little ways off. So and we have to verify our admin accounts yearly. So [54:48] anything to be easier. 
[54:50] Yeah. Open open, you know, open an idea because that's literally [54:55] know, I've been doing ST for, what, nineteen and a half years now. That's the very first time in my life someone asks me if we can put them in accounts under maintenance application. [55:03] So know that they are now working [55:06] to [55:08] be able to add [55:11] Active Directory groups [55:13] as an administrator. [55:15] And then if you have that, you can just [55:19] put them all in the same member of the same [55:22] Active Directory group, [55:24] and then you only need one group [55:27] for everyone to have the same rights. [55:31] Yes. And we have asked for that, and I heard recently [55:35] that they are going to implement that. But I don't know when, but they wanted to do that. [55:41] I I actually have something better for you. The new OAuth plugin [55:46] allows you to have the admins only in OAuth, [55:50] not to exist in ST at all. [55:53] You just create the roles for them, you assign them through OAuth. [55:57] This is the new that. Can you put the name of the plugin in the chat? [56:02] Of course. Oh, I would [56:04] do. [56:07] We just released it about two months ago, three months ago, maybe. August, September, somewhere there, and [56:14] it's our favorite baby. And that's my favorite feature for 2024 [56:19] even though ZGU also came out. That's the one I love because this is for the first time ever [56:25] where accounts, [56:26] admin accounts, don't need to physically reside in ST. Because as you know, with LDAP and, [56:32] admins, you still need to create all of the accounts in ST. You just offer the authentication. [56:38] This is a full blown authorization plugin as well. So as long as add you [56:44] groups in that instead of accounts [56:47] in the OAuth. [56:49] You can well, we don't care what you do in OAuth [56:52] because all we care is how your assertion comes in as long as you have a assertion. Check the OAuth because that can be interesting.
[57:00] Yes. Yeah. OAuth can have AD behind it and get groups there. So look at OAuth. Yes. [57:07] And the same plugin also was updated for users, by the way. So [57:12] yes. [57:13] So, Alana, by the way, for your use use case, I would strongly recommend as well for you to look at externalizing [57:20] the authentication for those, [57:22] admins and look at the OAuth. And I know it's complicated sometimes in your environment, [57:27] but that might be the path forward if you need to do it more often. [57:31] Yeah. A 100%. [57:33] And, [57:34] we'll definitely take a look at it. I know that we looked at OAuth the first version. [57:38] I don't think we looked at OAuth two. No. Of course. Yeah. The fur no. It was still OAuth two, but it was the old version, and it was just authentication. [57:46] So we just messed up the first time around. [57:49] This time, it's actually a proper one with real authorization. [57:53] And, again, it it's not just because it's OAuth, but it's literally the very first time in the history of ST where we allow admin accounts not to exist locally in ST. [58:03] So [58:04] it it's a huge improvement of how you can do things, and especially for your case where you need so many admins, [58:11] that will if you and it doesn't need to be all or nothing. You can still leave some of the accounts locally, [58:17] you know, admin account of your basic admins and so on. But this will make it a lot easier for you to [58:23] manage all of the ones that you actually need. [58:26] K. Fantastic. Thanks, Annie. [58:28] Okay. [58:29] Yeah. Annie, one quick question in addition to the same topic. Yeah. So when the when when you use OAuth two and there are no admins residing locally, so from an audit point of view, how do we know who did what, or does it still get tracked in the in the audit logs? [58:44] So when the user comes in, they are carrying a lot a name of the admin account as part of the session.
[58:51] Even though it's not an account an admin account per se, it's still with a name of some way. Okay. So this is what gets recorded in the audit. We're not doing anything with security [59:02] wise. That's stupid. Right? It's actually but what it but it just doesn't physically exist. It's it's not different from what will happen if you have an admin. They do something. Can't you delete their account? We don't delete the audit log that is assigned to them. Right? Right. So we still have a identification [59:19] that will tell you who that is. It just doesn't exist on ST. [59:23] Okay. [59:24] Wonderful. Thank you for that. So, [59:27] Rahul, what is the default location for, to have syslogs? It's not syslogs. It's just the, [59:33] so we don't have syslog. If you mean server log, the default is in the database, [59:39] but you can send it to the file system as well. And Steven actually gave you some ideas under there [59:45] where they are. So the Log4j files are in the conf folder, and you usually put them in the var/logs. If you are putting if you're sending the logs [59:54] to the file system again, I'll keep repeating that, [59:57] Please please please make sure you put it to a local folder and not on a shared one. [60:02] It might sound easier to do shared, but if you are writing to shared, the speed is [60:08] bad, [60:08] and you end up with performance issues. [60:13] Okay. [60:14] Maria, [60:16] you have an expiring CA. [60:18] That's easy. [60:20] So it doesn't matter if it is on the server or on the edge. If you ex if you have an expired CA, [60:26] you go to setup [60:28] Uh-huh. [60:29] Certificates, [60:31] trusted CAs, [60:34] and just import it over here. You can find the old one and remove it if you want to. [60:39] I usually Because now till now, I have in local certificate. [60:45] Okay. So if it is a local I found in local certificate. Okay. The only thing is how can I update [60:51] what I have inside here?
[60:55] This is the the thing that I don't know. If I import, [60:58] okay Mhmm. It's going to [61:01] be in the same or it's going to create a new one. [61:05] So when you import, [61:08] if you import so you specify the alias. [61:11] Mhmm. If the alias already exists, it will ask you if you want to override or [61:17] not. So if you use the same alias, it will override the existing one. If you use the new alias, [61:24] it will just add it. It's up to you. That's how we can you you decide where to put it. Okay. Thank you very much. K. [61:32] Of course, as you know, because it was [61:36] things don't close for me then. So just make sure after you import it [61:42] Yes, to check to check that it is valid and chained. Can you see, [61:47] actually, my whole browser and what I don't know if you see the small screen at the moment. [61:52] I see the screen. [61:54] Okay. [61:54] So after you you import it, open the certificate. On the top of it, it should say valid and chained to a If [62:02] it doesn't, then you need to find us the root and intermediate [62:06] and import it over here under trusted. [62:09] Okay. [62:11] Because in any case, if I put in trusted CAs [62:16] Mhmm. And then I put also in local certificates, [62:19] it's going to be [62:21] no difference? [62:23] So, no, the local certificate is the certificate itself. [62:27] The trusted contains intermediate [62:29] and root certificates that had signed [62:32] the local certificates. [62:34] Okay. [62:35] So so usually when you need to replace a certificate, [62:40] if if it's just because a certificate expired, then you usually just need the local. [62:44] But all the trusted ones that are usually for ten years or something expire [62:49] sooner or later. So when when when [62:52] your local need to be replaced because its parent expired, [62:57] you also need to import the parent. [62:59] The parents or root intermediate certificates go under trusted. [63:03] Mhmm.
[63:04] Your own certificate come under local. [63:07] It's internal? What's the internal? [63:11] Oh, the internal is our own CA, the one you generate when you install SDK. [63:15] It's the one that you remember [63:17] that you we can generate certificates. [63:20] That's what ours is. [63:22] You can generate, you can import, you know, you can can do a lot of things, but that's basically our CA, [63:28] the single one. You can import, but you're never importing new internal CA? [63:33] No. You can just generate. I see the yep. I see the button. But [63:38] Yeah. It it's comp well, you can, but there is a couple more steps you can do over there. Basically, the problem the problem with local [63:47] certificate import so you can, but there is an additional set of steps that need to be done on the OS level to get the private key where it belongs. [63:57] So [63:58] But, normally, you don't have to do that. Yeah. And you It is linked with the license, I think. [64:05] No. It's not. It's just the local CA. This is what is used when Yes. But when you are installing, [64:12] okay, I remember [64:13] that it was [64:15] generated [64:17] after you put the [64:19] the license. [64:20] Oh, well. [64:25] Technically, [64:26] yes, because that's how they order the steps, but it's not tied to it. It's independent. [64:32] So, basically, [64:34] when you install ST New, we don't have any certificate. So we create a new CA for you, and we create the admin DIS certificate so that you can go to the admin DIS to start configuring. [64:44] This is how it starts. Then as part of the initial configuration, [64:48] we ask people to generate their own CA, which they'll be used to signing things. [64:52] We don't so there is a process that will allow you to import an external CA into ST. [64:58] We [64:58] I don't like that because, [65:01] part of the because there is no tracking. 
Anyone that has the password for the GCA now can generate as many certificates as you want, and we don't have any validation of who created what and where. [65:12] And your security team doesn't like that. [65:16] So Okay. [65:17] But, I mean, we have customers that have their company CAs over here, [65:22] and we have a process for that. I I much rather prefer working with the local and then just have certificates how you have them, Maria, you know, signed from whatever needs to sign them. [65:33] And then everything that ST creates is with the local. [65:36] And if you you need to give them a proper certificate, you know, not from local, then you generate it somewhere else and import into ST. [65:45] Okay. [65:47] Okay. [65:50] Arpit, I can see your hand up. Let me just see, [65:53] if I have something in the chat. [65:57] Raul, yep. You meant server logs. [65:59] They're in the database by default when you install. [66:02] There are a couple that always go on the OS level, like the fallback file, you know, Gibi fallback log file, because that means the that database is not responsive. [66:11] But they are by default in the [66:14] database only. [66:16] You can send them to flat files or both ways. My recommendation is never remove them from the database because that makes your troubleshooting a lot easier. [66:27] Okay. [66:29] Kent, I can see your question, [66:32] and I'll get that, and then RPQ are next. [66:35] In subscription, there is a retrieve button [66:38] for file pull transfers, but no button for file push transfers. If the push transfer fail, what is the best way to activate the push? [66:46] Can't [66:46] you go to the tracking table? [66:49] So [66:50] so here is what's what you do. Sorry. [66:53] The best way for pushes, you go to the tracking table. [67:01] Do let me see if do I if I have any. [67:05] See, I do have any. [67:07] And you just click resubmit over there on the outbound. 
[67:10] If it is just on the outbound, it will just do the final delivery as long as you have an archive copy, [67:17] or the file is still in the subscription folder. [67:20] So it really depends. [67:21] The reason why we don't have a push button inside of the directories [67:26] is because [67:29] pushes are one by one, file by file. And [67:34] if there are 20 files in the so when you do a there are three files. We just connect to someone else's server, and we just pull whatever we find there. [67:44] But if you if we have a button for push and you have thousands of files in the directory, do you really want to send all of them out? [67:52] Or just the failing one is how we'll fill it out. So it's logistically on because [67:57] it's an OS level folder, someone might have just put 20 files from somewhere else that or not even ours. [68:04] So as long as pushes are [68:06] concerned, [68:07] if you need to resubmit [68:10] or resend them after failure, you work with the resubmit buttons. [68:15] Or [68:16] and so on the resubmit outbound [68:19] will [68:20] sorry. Will require [68:22] an archive copy to be enabled so that we know what to send out. [68:26] Inbound or you can resubmit the whole inbound again, which is reprocess the file [68:32] depending on your use case. Makes [68:34] sense? [68:35] Yes. [68:37] Okay. Yes. Okay. Thank you. Absolutely. [68:40] Okay. Arpit? [68:42] Yeah. So I have two questions. One, with regards to the flat file writing of the logs. [68:49] So when we enable the tm.log, [68:52] writing of the logs with a flat file, [68:54] will it include everything [68:57] with regards to whatever happens in the server server logs, [69:01] what we see in on on the admin GUI? [69:04] Or the [69:06] separate log that we have for SSHD and FTP, the the separate daemon? [69:10] There's so each, yeah, each daemon [69:13] so if you just enable the TM Log4j to do double logging, all you'll see is the one that is coming from the TM itself.
[69:20] But you can [69:21] enable it on each of the demos as well. Okay. So each of the demos, when we enable that, will it, have a subset of the logs which are already available in the tm. Log? Or will there be, additional logs that will start getting a little [69:34] No. It's it's so it is exactly the same logs that you're seeing on the UI. However, you see here where it says component? [69:42] Mhmm. So if it says HTPD here, this is controlled by the HTPD [69:46] Log four j, so it will go into the HTPD Log four j log file. Okay. If you say TM, [69:53] it goes to the TM and so on. Okay. The audit log is in the audit. So the components of each of the components [69:59] have its own Log four j file, and you can forward [70:04] or you can set to write both to database and to file or whatever [70:09] on each of the components separately. [70:12] Okay. Okay. Understood. So if you so if you sent TM only, [70:17] then all you'll be seeing is as if you click this one over here. [70:22] So you only see that in the TMWalk project. [70:27] Okay. [70:28] Understood. That clarifies my doubt. [70:30] Yeah. So then the next question is with regards to the certificates that we have, especially the private certificates, the private SSH keys authentication via transfer site and the private PGP keys that we use for for encryption. [70:45] The [70:46] from a performance point of view, if you do, for example, 100,000 transfers [70:51] a day, even more than that, to have a system level private key, like one key that is utilized by all the transfer sites and [70:59] all the decryption happens using the the private PGP at the system level? [71:04] Or will it be better if we have that at the account level private certificates? [71:09] Doesn't make a difference. So my rule yeah. My rule is if you can stick it in one place so everyone can reuse it, you'll do that. So you don't need to replace. So when it needs changing, you don't need to replace it in 7,000 places. 
[71:22] If it cannot, [71:23] then, you know, you do whatever you need to. But performance wise, [71:28] it does not make any difference whatsoever [71:31] because it's a database line. So we don't we're not using [71:35] oh, even though it looks like we're using key stores, we don't. We basically have them in the database. [71:41] So for us, it doesn't matter if we read the same database. If anything, [71:45] less object in the database is actually better from us from load and caching perspective. [71:51] So [71:53] but perform but, again, that doesn't during the transfer itself, it doesn't make much of a difference. The biggest challenge with using the same key [72:02] is that, of course, if [72:05] someone steals it or someone manages to do something weird, you need to tell all the partners, but that's the business and security risk and usability [72:14] versus security and who wins the game. Security seems to always win these days. That's right. So we have to run the security risk. So if you have a [72:24] key that you are using from everywhere, I will just put it on the server a lot on the server level. [72:31] Understood. I got You know? Or [72:34] it's just [72:36] between the usability key area, the usability, and so on, it makes sense. [72:40] Okay. Yeah. Because otherwise, we'll have, like, thousands of fees that we'll have to to continue to to renew every every few months. Okay. Yeah. Thank you for that. And don't forget so one one thing to remind you. So the account account maintenance application I was showing earlier actually have a section that will send you notifications if you have expiring keys, [73:02] which is very, very nice, [73:04] except it doesn't work for server level keys. [73:07] So if it is a server level key [73:11] Mhmm. It will still show up, [73:14] you know, on our first page, on the landing page. If you have any expiring or expired certificates, [73:20] they will show over here. 
So this will show you all the expired certificates in the system. You can use the account maintenance application to send you a mail when you or something under the account is expiring. [73:33] But for the ones that are in the setup menu [73:37] Mhmm. The only place you'll see a warning will be here. [73:40] Okay. I will see the expired [73:43] certificates. [73:45] If you want expired [73:47] in two weeks instead of already expired, [73:53] Or is that [73:55] I don't want to see the ones that are already expired. I want to see them before they expire. [74:01] I don't have ex I don't have expiring ones over here, but we have a file for that. Yes. [74:10] Okay. So you you so look at your server. If you have any, you should be seeing a tile. [74:16] If we don't have one that matches what you need, please open an idea because Remi was looking for more tiles to not. [74:27] K. [74:30] Okay. [74:32] I [74:33] know that I have more questions. Let me see. [74:37] Shashikanth. [74:38] Okay. That name I cannot pronounce. I apologize. I mangled it. [74:42] Suppose if there is a student application is down or unable to open the UI page, so before starting the servers to make the application up, what are the details we need to gather, commands to execute? [74:52] Oh, how to figure out? So, [74:55] if it is production environment, [74:57] the first thing that support will ask you will be to do stop all, clean all the processes, and start all anyway. So there is pretty much nothing that you really need to do before that. [75:10] If it so if it is a enterprise cluster, [75:13] so the database is out of ST, I would do a full ball bonus talk. So [75:19] it really depends on what really is not connecting. If it is just the admin UI, just stop and start on the admin UI. It might clear clear it. If it's all the services, [75:29] then a full blown stop all that start start just the admin. 
And I see that Kamish had pretty much mentioned the same thing as well just to see if we can bring it up. [75:38] But there is nothing that [75:41] depending [75:42] it it the logs will be there. They're either in the database or on the file level, [75:46] and restart is your clearest way. [75:49] So [75:55] makes sense? [75:59] Yes. Thanks, Annie. [76:01] Absolutely. [76:02] Rahul, [76:03] the admin oh, the admin UI. I love this question. So in the bin folder, [76:08] there is a rotate DB script. [76:13] On top of it, there is a parameter that tells you how many days of logs [76:18] we wrote or you would keep in the edges database. [76:21] Change that value, that's it. It will keep more. [76:29] As far as how many days you can keep, it really depends on the number of transfers [76:34] and [76:35] how busy the logs are. Remember that it's a local database. [76:40] And if you have multiple edges that are syncing, each of the edges will have its own. So [76:45] I don't like keeping a lot of logs on the edges, but about a week of them is usually safe enough on low low [76:53] low volume environments. [76:56] How many days of server logs do you keep on the servers, Rahul? [77:06] Sorry. [77:06] You mean [77:08] on edges? [77:10] No. On the servers. [77:12] SD? [77:13] Mhmm. [77:14] Yes. [77:15] In the database, [77:17] we keep about sixty days. [77:19] Of server logs? [77:21] Yep. [77:22] Oh, boy. You shouldn't be doing that. Okay. So [77:27] I don't like seeing more than about a week of logs anywhere [77:32] just because that that [77:34] overwhelms a little bit the server even though they're in their own space and so on. It's a lot of data because of the way we are writing the server logs. Unfortunately, we [77:45] get requests that [77:48] that the files are transferred more than a month also sometimes. [77:52] Not I mean, [77:54] so that doesn't usually keep. But Okay.
[77:57] So what are you doing in your case would be to keep the tracking table for sixty days, [78:03] put the server log down to about seven, [78:06] but also do the double logging to flat files so that if something gets older, someone can go to the flat files. The flat files are rotating overnight, [78:15] so you'll have the flat file from that day and you can still troubleshoot. It's a little harder. [78:20] But especially on high volume, I don't know how many files you have, but sixty days of server logs can be a huge amount of data, and it can destabilize the server, especially if you have an attack from somewhere that increases. [78:33] Remember that we'll write everything in there. So if you have a [78:38] attack, you know, someone is trying to get into your server, all of that logs will be now there and will kept stay there for a long time. [78:47] So [78:48] but there is no limit per se from best practices perspective. I wouldn't keep too many. [78:55] I up to a week on low low volume environment, [78:58] two to three days [79:00] to on high volumes. [79:02] That's why the default is so, by the way, on the edges, the default is one day. You see two days because we rotate overnight, [79:09] and we rotate based on the date. So you basically have anywhere between twenty four hours and forty eight hours depending on what time of the day it is. [79:17] But if you go to the rotate DB script, which is lit in the bin folder of the edge, [79:23] you can change that value a little bit. So put it to seven or something that should give you a good idea and see how it behaves. [79:31] Okay. [79:33] And one more thing, how easy it is to [79:36] access that flat [79:37] files? [79:39] Oh, it is just a file on the file system. It's basically a text file. It's not a database export. [79:45] It's literally a text file. [79:47] It's it's a Log4j text file, so you can even control the formatting, but it has the date, the IDs, and everything else.
[79:54] So it as long as your admins have access to the OS level, it's pretty straightforward. [79:59] Just go and overnight, the Log4j files rotate overnight. [80:04] So admit the first message for the next day [80:07] will rotate the yesterday's log into what we call the it's a history directory, historical directory. [80:16] Okay. And then [80:17] and then you can find and they each file so for each of the log files [80:23] has a [80:25] date [80:26] file. So if you're looking for the logs from a specific date, all you need is to basically filter on the date itself, [80:33] and the date is in the file name. [80:35] So it's very easy to find it, and it's literally [80:38] just a text file. [80:40] I think they get compressed when they move to history folder. Right? Nope. Nope. Not these ones. [80:47] We so we compress the data database exports, [80:51] but not these files. These files stay flat views. [80:54] And, [80:57] of course, that means that you if you do that, please please please set up a process that cleans those every six months or something [81:04] because [81:05] or [81:06] otherwise, you can run out of space or just monitor your space on the edges, especially on the edges. [81:12] So And and and one more thing, if you are exporting the database [81:16] into the DBF files. [81:19] Right? Those, yeah, those are unreadable. [81:23] I cannot read read them. So they're there, technically. [81:27] What did they use? [81:29] Well, they are used for archiving, [81:31] but they're very hard to work with because we're not exporting them the way they are shown on the admin UI or in any stretch of format. So our server log contains multiple different tables. [81:43] And when you do a database export, [81:45] we export each table individually. [81:48] So in order to read through that, [81:51] you need to find all of the pieces for a specific line.
[81:56] So for example, if there is an error message with a, [82:00] tracks stack trace, the stack trace will be in a separate file altogether. [82:04] So you need to find both of them and connect them. I never find them useful too for troubleshooting. [82:10] This is useful for, usually, if you need to keep logs for six years because of regulations, [82:16] because technically they contain everything you need, but they are very hard to be used for troubleshooting. [82:22] So if you need to troubleshoot all the transfers, I much prefer to do flat file logging in in addition to the database logging and then use those files as opposed to database exports. [82:36] Thank you. [82:37] Okay. [82:39] I don't think we have any more questions, and we are almost at the end of time. [82:44] So and, by the way, Nicole posted the link to the user groups for q one that we already scheduled. [82:52] We're trying to do first Thursday of the month except when it's very early, like, in January. I'm not showing up on the January 2. [82:59] Sorry. I'm off. [83:01] But, [83:03] Nicole posted the link. And unless someone has anything else, [83:08] I want to wish everyone happy holidays and give it back to Nicole, and thanks everyone for joining us this year. [83:15] And we'll do the same next year, [83:19] every month, and I'll be very, very happy to see all of you again. And I hope this whole sec session, [83:25] this one and the earlier ones in the year were useful for everyone. [83:29] And, Nicole, back to you. [83:32] Thank you very much, Annie. [83:35] Great job again. And thank you all for joining. [83:39] Thank you for your time. Just a few slides to finish up this one and and the year. It is the very last [83:49] for all [83:50] portfolio, [83:52] the the the last of the of the year. [83:54] So if you're new, if you've been joining several times, [83:59] you know what I'm going to talk about. But if you're new, please stay one or two [84:05] or three more minutes. 
[84:07] I just want to remind everyone that we have this online [84:11] collaboration [84:12] portal called Axway Community. [84:16] Annie did refer to it a few times about posting an idea [84:21] or raise your questions. So this is where you can do all that. [84:26] So post an idea, [84:29] have the [84:30] road maps, [84:33] about the a a view of the future road maps. [84:37] You can raise questions [84:40] and get answers from our experts [84:43] or from your peers. [84:45] So use and abuse from it, [84:48] community. There's the link there, [84:51] community.axway.com. [84:54] And the presentation [84:56] will be shared also with the recording of the session, so you'll have access to that. [85:04] We [85:05] you will also have access to some videos posted on YouTube. [85:11] So the what's new and [85:14] interesting [85:14] things like this. [85:16] You'll have also the link. It's a YouTube [85:20] at Sway NFT [85:21] videos. [85:26] Also, [85:27] I wanted to talk a little bit about the G2 platform. [85:31] This is a platform [85:33] where [85:34] in people that are [85:37] looking for a product [85:39] similar [85:41] than the one that we [85:43] have, [85:44] They go and look for the the the the notation. [85:50] And so it is an anonymous [85:53] when you leave a [85:55] review, but it helps your [85:58] peers [85:59] that have not acquired [86:01] this product yet. So if you want to leave a review [86:06] about our [86:07] product, you can go there. It's g2.com [86:12] and you look for fun. You click on this link. And and if you do so, you'll be rewarded [86:19] with a little gift card of €25. [86:23] So with the holidays coming up, maybe this is something that [86:28] will be helpful for you. [86:31] And that's [86:32] all I wanted to share, [86:34] and, really, [86:35] I want to thank you all for being here. [86:38] I [86:39] wish you all happy holidays [86:42] and [86:43] wishing to [86:45] see you again next year. Thank you very much. Bye bye.
[86:50] Bye. [86:53] Everyone, happy holidays. [86:57] Thank you. Bye. You do have a happy holiday. [87:00] Thank you. [87:07] See you after New Year. Thank you. Bye.