Seon oftp2 offlinehandling

From Seon
Revision as of 09:28, 4 December 2007 by Admin (talk | contribs) (security considerations)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

What is it?

"seon_oftp2_offlinehandling" is a daemon which runs on a seperate machine, without needing an Seon license. It needs an Seon configuration file (default: "/etc/seon.conf") in order to access the database, containing the Seon configuration and parameters.

When the configuration flag " Enable offline handling of OFTP2 transfered files?" is enabled, all received files via OFTP2 will be added to a special table. This table, filled with all file parameters, will be traversed by the daemon. The main task is to handle (decrypt, decompress and/or check signature) the incoming files asynchronously on another machine, achieving the highest security.

requirements

If the daemon is used on a remote machine, it depends on the same paths and filenames as the entries were on the receiving machine. You should therefor assure that the file paths and names during transfer don't change.

parameters

There are several ways to customize the behaviour of this daemon. Please have a look at the configuration settings with all subsections here.

scripts

There are two script, which get executed when accessible. These scripts have the following parameters:

pre-script

  1. real filename
  2. server ID

post-script

  1. real filename
  2. server ID
  3. returncode of OFTP2 handling process (0=no error)

The configuration switch remove successfully handled offline OFTP2 file entries influences the daemon how to handle the lines of the database table when the file is handled successfully.

Behaviour

The main behaviour is as follows:

  1. check database table for new entry ('status=0' and its own server ID, configured in the main configuration file)
  2. if entry exists:
    1. run pre-script
      1. if pre-scripts return with error abort
      2. if not, continue
    2. handle file
    3. run post-script with returncode of handling
  3. check for next entry
  4. if no entry exists, sleep for defined timeslice

So, the following return code states are:

pre-script returncode handling

If the returncode of the pre-script is not 0, further handling will not occur. The error (command call, returncode & output) will be logged in the receive log. The status of the entry will be set to "2".

If the returncode is zero, handling continues.

post-script returncode handling

If the returncode of the post-script is not 0, the error (command call, returncode & output) will be logged in the receive log. The status of the entry will be set to "6". The entry will not be removed from the table.

If the returncode is zero, the configuration flag Seon Core configuration#remove successfully handled offline OFTP2 file entries influences the next behaviour. If enabled (non-zero), the entry will be removed, otherwise it will be set to "7".

security considerations

  • You should not use a mounted filesystem exported from the DMZ machine, because the successfully handled files will be stored on this volume.
  • The configured temporary directory is the same as configured in the Seon basic configuration (temporary directory). On the machine running this daemon, it should be a seperate local filesystem, because the files handled by the OFTP2 file handler will be located for a specific time here.
  • The database should be the same as the DMZ machine uses. In any case, the same information are used, especially partner configuration, cipher suite definitions etc.