Secure File Transfer FAQ
Part 1: For prospective customers
Part 2: For customers
Part 3: For end users
Part 1: For prospective customers
What is the Secure File Transfer (SFT) service?
SFT is a secure way to move files between almost any two computers across open
networks. It is a turnkey, field-tested solution based on the Tumbleweed Secure
Transport product. The service is being used by several agencies to comply with
the Health Insurance Portability and Accountability Act (HIPAA).
How does it work?
Users can connect to the service using a standard Web browser, SFTP client,
RFC2228 compatible FTP client, or the Tumbleweed Secure Transport Client. Once
connected, they upload the file that will be picked up later by the intended
recipient. A transfer requires both an upload and a download. Depending
on the client and the OS, the transfers can be fully automatic.
Why is it secure?
There are several features in the service that make file transfers secure:
- Encryption – Data is encrypted when it travels over open networks.
- When the data is stored in the Secure File Transfer service, it is also
  encrypted.
- Userid/Password – Ensure all passwords are strong by using special characters
  and numbers.
- Secure Data Repository – Users can only see the file structures they are
  allowed to access. They cannot see directories that are higher in the
  hierarchical directory structure. Users cannot move into directories for other
  users.
- Server Hardening – The Secure File Transfer service is hosted on computer
  platforms that are hardened to known risks.
- Firewall Protection – The service is protected by a dedicated network firewall.
- Change Control – Tripwire change control software used in this service detects
  and logs unauthorized software and changes to configuration files.
- Customization – DIS can customize processes to enhance security and
  functionality of the service depending on the business requirements.
- Test Environment – DIS can use a test environment to test file transfer
  processes.
- Center – DIS monitors the service 24X7.
- State Auditor Review – The State Auditor reviewed the Secure File Transfer
  service and DIS has implemented the auditor's recommendations.
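The directory confinement described under Secure Data Repository can be illustrated with a short sketch that compares a plain path join with a check on the fully resolved path. This is an added example, not code from the SFT service or the SecureTransport product; the function names and the agency_a/agency_b layout are constructed for illustration.

```python
import os
import tempfile

class AccessDenied(Exception):
    """Requested path resolves outside the user's own directory tree."""

def naive_resolve(user_root, requested):
    # Weak form: a plain join keeps "../" segments, so a request can
    # climb above user_root or into a sibling user's directory.
    return os.path.join(user_root, requested)

def confined_resolve(user_root, requested):
    root = os.path.realpath(user_root)
    # Leading separators are stripped so "/x" means "x under my root".
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    # realpath collapses ".." and follows symlinks, so the check is made
    # on the location that would actually be opened.
    if os.path.commonpath([root, candidate]) != root:
        raise AccessDenied(requested)
    return candidate

def is_blocked(user_root, requested):
    try:
        confined_resolve(user_root, requested)
        return False
    except AccessDenied:
        return True

def demo():
    # Constructed layout: two agencies side by side in one repository.
    with tempfile.TemporaryDirectory() as repo:
        repo = os.path.realpath(repo)
        a, b = os.path.join(repo, "agency_a"), os.path.join(repo, "agency_b")
        os.makedirs(os.path.join(a, "inbound"))
        os.makedirs(b)
        os.symlink(b, os.path.join(a, "shortcut"))  # link pointing out of a
        return {
            "own_dir_ok": confined_resolve(a, "/inbound") == os.path.join(a, "inbound"),
            "naive_reaches_sibling": os.path.realpath(naive_resolve(a, "../agency_b")) == b,
            "parent_blocked": is_blocked(a, ".."),
            "sibling_blocked": is_blocked(a, "inbound/../../agency_b"),
            "symlink_blocked": is_blocked(a, "shortcut"),
        }

if __name__ == "__main__":
    print(demo())
```

A server enforcing this property applies the same check to every operation that takes a path (list, get, put, rename), not only to directory changes.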
What products are used and what features does it have?
DIS uses the SecureTransport product from Tumbleweed Communications for the SFT
service. For more information on the SecureTransport product, visit:
http://www.tumbleweed.com/products/securetransport/securetransport_server.html
What does it cost?
There is no additional usage cost for state agencies, as the cost is
distributed among all of the agencies. Setup costs may be charged if
additional customization is needed, such as complex agents or automation. For
more information, contact the DIS Service Desk (servicedesk@dis.wa.gov).
How can I get started?
To sign up for the SFT service, go to http://techmall.dis.wa.gov/services/secfiletxap.doc
and e-mail the completed form to the DIS Service Desk (servicedesk@dis.wa.gov).
Who should I contact to get more information about this service?
For general service related questions, contact the DIS Service Desk (servicedesk@dis.wa.gov).
Part 2: For customers
Where should I start once I submit the SFT application?
The DIS team will contact you. The team will meet with your project management
team, security contacts, business experts, and IT development team members to
give you a detailed technical overview and collect your requirements. After all
requirements are collected and understood, the DIS team will set up an appropriate
data structure and give you the necessary authorization to access the server.
How do I get support from DIS?
To get support on any SFT related issues, contact the DIS Service Desk at
360-753-2454, toll-free (888) 241-7597, or by e-mail at
servicedesk@dis.wa.gov.
How can I get support from Tumbleweed?
Tumbleweed requires customers to purchase software maintenance agreements
and technical support packages when they purchase its client software. DIS has
a maintenance and support agreement with the vendor on the server software only.
What is the response time for service requests from DIS?
Your agency security administrator can complete most of the day-to-day
administration such as password resets and unlocking users without DIS
assistance. Depending on the type of service request, DIS can take up to 3-5
days to respond.
| Initial setup of a directory structure and user IDs without agent | 5 working days |
| Modify existing directory structure | 3 working days |
| Additional user ID in existing directory structure | 3 working days |
| New or modified agent | Negotiated |
What should I consider when I design data structures for my business?
Contact servicedesk@dis.wa.gov to request a copy of the File Structure Design
Guideline document.
How can I get an account set up?
Ask your agency security contact staff to send DIS a new account setup request
using this form: http://techmall.dis.wa.gov/services/sftnewacctfm.doc
How can I get a password changed, or a locked account unlocked?
Accounts can only be unlocked or reset by your agency security administrator.
DIS cannot perform unlocks and resets on normal user accounts. If you are an
agency security administrator, you can submit an account update form to request
changes to your administrator account:
http://techmall.dis.wa.gov/services/sftacctupdtfm.doc
How long is the expiration period for a user’s password?
The default is 90 days, but this can be set to a maximum of 120 days for
accounts that use non-interactive logins (i.e. automatic transfers).
What is an SFT agent?
An SFT agent is a script, written in one of the scripting languages on the
server, that automates tasks related to user authentication, encryption,
post-processing, and other parts of the data transfer activity on the server.
It simplifies user tasks and adds flexibility for certain types of business
processes. The Tumbleweed Secure Transport product has many pre-built and
enabled agents in the default installation.
How can I get a custom agent?
An agent is generally developed for the customer by DIS staff. Please think
through your business requirements including security requirements, data
structure, and data flows. Please contact servicedesk@dis.wa.gov
to request a copy of the Sample Template for Agent Requirements document.
How do I use the test server?
DIS provides a test server for customers to test business processes, user
authentication, data flow, agents, and more. DIS also uses it to test new
products, bug fixes, new agents, etc.
You will first need a user ID on the production server to use the test
server (DIS will synchronize the IDs over to the test server; see below). The
access methods are the same as you would use to access the production server,
except for the test server’s URL: https://sftserver-test.wa.gov
(for IGN customers) or https://sft_test.wa.gov
What are the policies regarding the test server?
Please remember that the test server is shared by all SFT customers. If you
need exclusive access to guarantee the accuracy of your testing, make sure you
notify DIS and we will plan for a date and communicate it to all customers. The
test server environment is nearly identical to the production server. However,
due to the daily synchronization schedule (see next question), you will have to
wait until the next business day for exactly the same settings, especially if
you changed your password on the production server.
How does synchronization between production and test server work?
Synchronization currently occurs at the end of each business day: any change
made to the production server is brought over to the test server, except
data.
Please note that if you change your password on the test server during the day,
this synchronization will revert the test server password to the one on the
production server. If you want the change to be permanent, we recommend
changing the password on both servers.
Are log files available to me?
Yes, DIS will extract the log for your agency on the 15th of each
month and place it in your agency’s home directory.
Part 3: For end users
Where can I get help?
To ask for technical assistance, please send an e-mail to the DIS Service Desk
(servicedesk@dis.wa.gov) or call them at 360-753-2454 or toll-free 888-241-7597.
How can I connect to the SFT server?
*Note: The https:// prefix is only needed when using a web browser to connect.
The difference between the Internet and the SGN is that you cannot use the FTP
protocol when connecting to SFT if you are on the Internet. The State
Governmental Network firewall will block the FTP connection.
This may change in the future as technology evolves.
What clients can I use?
You have many choices depending on the type of computer platform your agency
uses:
Windows:
- Any modern Web browser capable of using a 40-bit encryption key
- An RFC-2228 compliant FTP client that can understand an SSL connection
- The Tumbleweed Secure Transport Client software
- Any SFTP or SCP client that supports SSH
On OS/390:
- IBM offers a built-in z/OS ftp client
UNIX:
- Tumbleweed Secure Transport Client
- Any SFTP or SCP client that supports SSH
What features are supported by different clients?
All clients are capable of communicating with SFT securely using either SSL or
SSH. A Web browser client is free and works best for interactive applications.
Other clients allow scripting and batch job processing. The Tumbleweed clients
also support guaranteed file delivery and can restart interrupted transfers at
the point of failure.
How do I use the mainframe client?
Use the FTP “open” command for the IBM S/390 Native FTP Client:
-r TLS sftserver.wa.gov (exit
user id
password
locsite fwfriendly
The sample JCL below initiates a transfer using the get command to receive a
file from the SFT server. The FTPOPEN member in the JCL sample contains the FTP
open lines listed above.
//your jobcard statements here
//*
//*********************************************************
//*GETTING A FILE FROM THE SFT SERVER
//*********************************************************
//STEP1 EXEC FTP
//SYSPRINT DD SYSOUT=(,)
//INPUT DD DSN=XX99999.your.datafile(FTPOPEN),DISP=SHR
// DD *
ascii
cd folder name
ls
locsite primary=200
locsite secondary=10
locsite blk=0
locsite lrecl=354
locsite recfm=vb
get yourfile.D*.T* 'your.mainframe.dataset'
quit
/*
Where do I find the documentation about the clients?
Contact Tumbleweed for client documentation at:
http://www.tumbleweed.com
Which protocol should I use: HTTPS, FTPS, or SSH?
SFT offers three main protocols: HTTPS, FTPS, and SSH. HTTPS is a stateless
protocol and is limited in functionality. FTPS offers more functionality for
manipulating directories, but may be blocked by some firewalls.
SSH is widely used in Linux/Unix environments to securely transfer
data and encrypt communications. It offers roughly the same advantages and
disadvantages as FTPS.
Where can I get a Tumbleweed client? What does it cost?
You should contact Tumbleweed directly for a client license and support. If you
represent a state government agency or political subdivision, you can take
advantage of the DIS Technology Brokering Services contract for pricing.
How can I change my password?
If you are asked to reset your password, you can visit the SFT Web site and
click on “change password.”
Where do I go if I forget my password or my password expires?
If you forget your password, contact your agency security administrator.
Where did my uploaded file go?
SFT has a feature called “agent.” The agent is software that is developed to
facilitate special application needs. Sometimes an agent will move your
uploaded file immediately after a completed upload to an area that is not
visible to you. Contact your agency security administrators for details.