Server Setting Items

Setting Item List#

The setting items for the hcpd daemon are below.

System Operating Environment Settings, Transmission Method Related

Description	Configuration Name
Protocol version (fixed to 2)	ProtocolVersion
TCP service listen address setting	TCPListenAddress
HpFP service listen address	HPFPListenAddress
HpFP service listen address (bi-port type, deprecated)	UDPListenAddress
WebSocket(SSL/TLS) service listen address	WSSListenAddress
WSS options	WSSOptions
WSS TLS 1.3 Cipher Suites	WSSCipherSuites
WSS TLS 1.2 or earlier Cipher Suites	WSSCipherList
WebSocket(no SSL/TLS) service listen address	WSListenAddress
Listen service bonding	ListenServiceBonding

Communication Data Compression Function

Description	Configuration Name
Header compression (reserved)	HeaderCompress
Content compression (reserved)	ContentCompress

Data Flow Control, Bandwidth Control

Description	Configuration Name
Maximum total receiving rate (entire system)	MaxTotalReceiveRate
Maximum total sending rate (entire system)	MaxTotalSendRate
Maximum receiving rate (per connection)	MaxReceiveRatePerConnection
Maximum sending rate (per connection)	MaxSendRatePerConnection

Data Flow Control, File Lock Function

Description	Configuration Name
Use file lock	FileLock
Number of trials to lock files	FileLockTrials
The trial interval (in seconds)	FileLockTrialInterval

Data Flow Control, Temporary File Save Function (Atomic File Save)

Description	Configuration Name
Atomically file saving	AtomicLikeSaving
Threshold for atomically file saving	AtomicLikeSavingThreshold
Reject requests to overwriting temporary files which already exist when atomically file saving	AtomicLikeSavingRejectOverwriteRequest

Data Flow Control, Data Buffer Setting

Description	Configuration Name
Maximum buffer allocation size (entire system)	MaxTotalBufferSize
Maximum buffer allocation size (per connection)	MaxBufferSizePerConnection
TCP sending buffer	TCPServiceSocketSendBuffer
HpFP service extension buffer size	UDPServiceExtensionBufferSize

Data Flow Control, Transfer File Size Control

Description	Configuration Name
Maximum receiving file size	MaxReceiveFileSize
Maximum sending file size	MaxSendFileSize

Data Flow Control, Message Data Size Control

Description	Configuration Name
Initial header block size	InitHeaderBlockSize
Initial content block size	InitContentBlockSize
Maximum header block size	MaxHeaderBlockSize
Maximum content block size	MaxContentBlockSize
Max file entry request	MaxRequestFileEntryAtOnce

Data Flow Control, Disk I/O Speed Control

Description	Configuration Name
Disk I/O reading rate per session	MaxReadRatePerConnection
Disk I/O writing rate per session	MaxWriteRatePerConnection

Code Transformation, Communication Encoding Negotiation

Description	Configuration Name
Transport character encoding	TransportCharEncoding

Code Transformation, Host Character Encoding

Description	Configuration Name
Host character encoding	HostEncoding

Authentication

Description	Configuration Name
LPA (Local Password Authentication) authentication	LocalPasswordAuthentication
PAM (Pluggable Authenticaton Module) authentication	PAMAuthentication
RSA (Rivest-Shamir-Adleman cryptosystem) authentication	PubkeyAuthentication
Windows authentication	WinLogonUserAuthentication
Control applying system authentication (PAM auth, Windows logon)	PerformSystemAuthenticationRegardlessUsers
Specify directory for searching public keys (RSA auth)	AuthorizedKeysSearchDir
Specify file for finding a public key (RSA auth)	AuthorizedKeysFile
Specify command for finding a public key (RSA auth)	AuthorizedKeysCommand
Specify user to run the command (RSA auth)	AuthorizedKeysCommandUser
Specify file of CA (Certificate Authorities) certificates	CACertificateFile
Specify directory including CA (Certificate Authorities) certificates (Reserved)	CACertificatePath
Specify file of CRL (Certificate Revocation List)	CARevocationFile
Specify directory including CRLs (Reserved)	CARevocationPath
Control performing OCSP (Online Certificate Status Protocol) on client authentication	OCSPRevocationEnabled
Specify file configuring users hcpd recognizes	LocalUserFile
Specify file holding credentials of LPA (Local Password Authentication)	LocalPasswordFile
Specify user name pattern to allow login	AllowUsers
Specify group name pattern to allow login	AllowGroups
Specify user name pattern to deny login	DenyUsers
Specify group name pattern to deny login	DenyGroups

Encryption

Description	Configuration Name
Encryption method for message communication	AcceptableCryptMethod
Digest method for validation of message and file data	AcceptableDigestMethod
Setting requirement of MAC (Message Authentication Code)	RequireDataIntegrityChecking

Security Negotiation by Encryption Communications

Description	Configuration Name
Enable server certificate security or not	UseServerCertificateSecurity
Set requirement of the security to clients	RequireServerCertificateSecurity
Server key path for the server certificate security	ServerKeyFile
Server certificate path for the server certificate security	ServerCertificateFile
Path of intermediate certificates for the server certificate (one or more)	ServerCertificateChainFile

Access Control

Description	Configuration Name
Fallback control from user home (for backward compatibility)	UserDirectoryFallbackAvailable
Access rejection when a directory of user home is not found	RejectOnUserHomeDirectoryNotFound

Access Control, Privilege Separation

Description	Configuration Name
Set privilege separation	UsePrivilegeSeparation
Minimum UID applicable for privilege separated sessions	PrivilegeSeparationMinimumUID
Minimum GID applicable for privilege separated sessions	PrivilegeSeparationMinimumGID
Default user on privilege separation (applied when any user is not determined)	PrivilegeSeparationUser
Umask on privilege separation for authenticated users	PrivilegeSeparationUmask
Umask on privilege separation for anonymous	PrivilegeSeparationUmaskAnonymous
Apply user's access rights to file permissions on destination (not on privilege separation)	ApplyUserPermission
Disable supplemental groups	NoSupplementalGroupInPrivilegeSeparation

Access Control, ACL（Access Control List）Function

Description	Configuration Name
Define ACL (Access Control List)	AccessList
Define Allow rules on ACL	Allow
Define Deny rules on ACL	Deny

Access Control, Admission Control

Description	Configuration Name
Limit of connections (total)	MaxTotalConnection
Limit of TCP connections	MaxTcpConnection
Limit of UDP (HpFP) connections	MaxUdpConnection
Limit of Web Socket connections	MaxWsConnection
Limit of connections each user	MaxConnectionPerUser
Limit of connections to accept each second	MaxConnectionPerSec

Access Control, Document Point

Description	Configuration Name
Define a document point	DocPoint
Specify a path on file system on the document point	DocPath
Set reading access configuration	PermitAccessRead
Set writing access configuration	PermitAccessWrite
Set overwriting access configuration	PermitAccessOverwrite
Set deleting access configuration	PermitAccessDelete
Set reading in random access configuration (Reserved)	PermitAccessRandomRead
Set writing in random access configuration (Reserved)	PermitAccessRandomWrite

Various Monitoring, Timeout Control

Description	Configuration Name
Set transport timeout	TransportTimeout
Set idling timeout	IdleTimeout

Performance Evaluation

Description	Configuration Name
Memory copy parallelism (when disabling local disk I/O)	MemoryTransferConcurrency

Log Management

Description	Configuration Name
Set syslog option	SyslogOption
Set syslog facility	SyslogFacility
System log configuration	SystemLog
System log level	SystemLogLevel
Application statistics configuration	ApplicationStatLog
Transport statistics configuration	TransportStatLog
System statistics configuration	SystemStatLog
File operation logging configuration	FileOperationLog
Save statistics logs to files determined from each user (when privilege separation being enabled)	StatLogPerUserInPrivilegeSeparation
Set to output a security detail on application statistics	ApplicationStatLogSecurityEx

System Operating Environment Settings, CPU Thread Control

Description	Configuration Name
Limit number of threads to use (Linux)	MaxConcurrentThread

System Operating Environment Settings, Application Linked Function

Description	Configuration Name
Specify a script to call when running a command is finished	CallbackScript

Others

Description	Configuration Name
Ensure to transfer files to the destination directory (for backward compatibility)	EnsureDestinationInFileTransfer

System Operating Environment Settings, Transmission Method Related#

TCPListenAddress#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : TCPListenAddress <tcp_service_addr>[:<tcp_service_port>[:<mcd>]][ <acl_name>]-------------------------------------------------------------------------tcp_service_addrDefault : noneRange of Values : IP address-------------------------------------------------------------------------tcp_service_portFormat : <decimal_number>Default : 874Range of Values : decimal_number is 1-65535.-------------------------------------------------------------------------mcdDefault : physical-CPUs + 1, logical-CPUs/2 + 1, 25 or 1Range of Values : 1 - 65535-------------------------------------------------------------------------acl_nameDefault : noneRange of Values : name of access control list=========================================================================

The available TCP services to allow to connect from client computers are defined.

tcp_service_addr is available IP address for TCP service.

tcp_service_port is available port for TCP service.

mcd is optional. This options specifies a number of connections provided for each client session on the service. When 1 is set, sessions will work with a single connection. When 2 or more are set, they will do with the number of connections. When you do not specify it, hcpd will determine a value from the number of physical cores, the number of logical cores and the license configuration.

physical-CPUs + 1 (physical-CPUs \< logical-CPUs and physical-CPUs > 1 under 25 maximum)
logical-CPUs/2 + 1 (physical-CPUs = logical-CPUs and logical-CPUs/2 > 1 under 25 maximum)
1 (Otherwise. For example, the license dose not include this function or physical-CPUs and logical-CPUs do not meet the above conditions)

acl_name is an optional setting. It is a name of an access control list (see AccessList) that you would like to set to the TCP service. When this option is not set or the specified name is not found in access control lists, an unamed access control list will be set to the TCP service.

--Example :TCPListenAddress 0.0.0.0:1874--

HPFPListenAddress#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : HPFPListenAddress <hpfp_service_addr>[:<hpfp_service_port>[:<hpfp_sndbuf>[:<hpfp_rcvbuf>[:<hpfp_mss>[:<mcd>]]]]][ <acl_name>]-------------------------------------------------------------------------hpfp_service_addrDefault : noneRange of Values : IP address-------------------------------------------------------------------------hpfp_service_portFormat : <decimal_number>Default : 65520Range of Values : decimal_number is 1-65535.-------------------------------------------------------------------------hpfp_sndbufFormat : ( DEFAULT | D | <decimal_number>[[(T|G|M|K)]B] )Default : 100MBRange of Values : unsigned double-length integer (byte) D stands for DEFAULT.-------------------------------------------------------------------------hpfp_rcvbufFormat : ( DEFAULT | D | <decimal_number>[[(T|G|M|K)]B] )Default : 200MBRange of Values : unsigned double-length integer (byte) D stands for DEFAULT.-------------------------------------------------------------------------hpfp_mssFormat : ( DEFAULT | D | NONE | N | <decimal_number>[[(T|G|M|K)]B] )Default : NONERange of Values : unsigned integer (byte) D stands for DEFAULT. N stands for NONE.-------------------------------------------------------------------------mcdDefault : physical-CPUs + 1, logical-CPUs/2 + 1, 25 or 1Range of Values : 1 - 65535-------------------------------------------------------------------------acl_nameDefault : noneRange of Values : name of access control list=========================================================================

The available HpFP services to allow to connect from client computers are defined.

hpfp_service_addr specifies the IP address for HpFP service.

hpfp_service_port is the port number of UDP transport for HpFP protocol in the optional setting.

hpfp_sndbuf is the transmission buffer size in the optional setteing. “D” stands for default.

hpfp_rcvbuf is the buffer size for received data by HpFP protocol in the optional setting. “D” stands for default.

hpfp_mss is the MSS for HpFP protocol in the optional setting. “D” stands for default.In “N”, the setting value is determined by the MTU searching using HpFP protocol.

physical-CPUs + 1 (physical-CPUs \< logical-CPUs and physical-CPUs > 1 under 25 maximum)
logical-CPUs/2 + 1 (physical-CPUs = logical-CPUs and logical-CPUs/2 > 1 under 25 maximum)
1 (Otherwise. For example, the license dose not include this function or physical-CPUs and logical-CPUs do not meet the above conditions)

acl_name is an optional setting, as in TCP service. It is a name of an access control list (see AccessList) that you would like to set to the HpFP service. When this option is not set or the specified name is not found in access control lists, an unamed access control list will be set to the HpFP service.

--Example :HPFPListenAddress 0.0.0.0:10000--

UDPListenAddress#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : UDPListenAddress <hpfp_service_addr>[:<hpfp_service_port>[:<hpfp_udp_port>[:<hpfp_sndbuf>[:<hpfp_rcvbuf>[:<hpfp_mss>[:<mcd>]]]]]][ <acl_name>]-------------------------------------------------------------------------hpfp_service_addrDefault : noneRange of Values : IP address-------------------------------------------------------------------------hpfp_service_portFormat : <decimal_number>Default : 884Range of Values : decimal_number is 1-65535.-------------------------------------------------------------------------hpfp_udp_portFormat : ( DEFAULT | D | <decimal_number> )Default : 65520Range of Values : decimal_number is 1-65535. D stands for DEFAULT.-------------------------------------------------------------------------hpfp_sndbufFormat : ( DEFAULT | D | <decimal_number>[[(T|G|M|K)]B] )Default : 100MBRange of Values : unsigned double-length integer (byte) D stands for DEFAULT.-------------------------------------------------------------------------hpfp_rcvbufFormat : ( DEFAULT | D | <decimal_number>[[(T|G|M|K)]B] )Default : 200MBRange of Values : unsigned double-length integer (byte) D stands for DEFAULT.-------------------------------------------------------------------------hpfp_mssFormat : ( DEFAULT | D | NONE | N | <decimal_number>[[(T|G|M|K)]B] )Default : NONERange of Values : unsigned integer (byte)D stands for DEFAULT. N stands for NONE.-------------------------------------------------------------------------mcdDefault : physical-CPUs + 1, logical-CPUs/2 + 1, 25 or 1Range of Values : 1 - 65535-------------------------------------------------------------------------acl_nameDefault : noneRange of Values : name of access control list=========================================================================

This option is deprecated.

The available HpFP (UDP) services to allow to connect from client computers are defined. This provides a manner of using HpFP services where a service’s port number and a UDP transport’s port number are defined respectively, but not a single UDP transport’s number.

hpfp_service_addr specifies the IP address for HpFP service.

hpfp_service_port is a port number of the HpFP service in the optional setting.

hpfp_udp_port is the port number of UDP transport for HpFP protocol in the optional setting. “D” stands for default.

hpfp_sndbuf is the transmission buffer size in the optional setteing. “D” stands for default.

hpfp_rcvbuf is the buffer size for received data by HpFP protocol in the optional setting. “D” stands for default.

hpfp_mss is the MSS for HpFP protocol in the optional setting. “D” stands for default.In “N”, the setting value is determined by the MTU searching using HpFP protocol.

physical-CPUs + 1 (physical-CPUs \< logical-CPUs and physical-CPUs > 1 under 25 maximum)
logical-CPUs/2 + 1 (physical-CPUs = logical-CPUs and logical-CPUs/2 > 1 under 25 maximum)
1 (Otherwise. For example, the license dose not include this function or physical-CPUs and logical-CPUs do not meet the above conditions)

acl_name is an optional setting, as in TCP service. It is a name of an access control list (see AccessList) that you would like to set to the HpFP(UDP) service. When this option is not set or the specified name is not found in access control lists, an unamed access control list will be set to the HpFP(UDP) service.

--Example :UDPListenAddress 0.0.0.0:1884:10000--

WSSListenAddress#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : WSSListenAddress <wss_service_addr>[:<wss_service_port>[:<wss_opt_name>[:<wss_cs_name>[:<wss_clist_name>[:<wss_privkey_name>[:<wss_cert_name>[:<mcd>[:<use_hcpcm>]]]]]]]][ <acl_name>]-------------------------------------------------------------------------wss_service_addrDefault : noneRange of Values : IP address-------------------------------------------------------------------------wss_service_portDefault : 443Range of Values : port number-------------------------------------------------------------------------wss_opt_nameFormat : ( DEFAULT | D | <opt_name> )Default : empty stringRange of Values : name of WSSOptions. D stands for DEFAULT.-------------------------------------------------------------------------wss_cs_nameFormat : ( DEFAULT | D | <cipher_suites_name> )Default : empty stringRange of Values : name of WSSCipherSuites. D stands for DEFAULT.-------------------------------------------------------------------------wss_clist_nameFormat : ( DEFAULT | D | <cipher_list_name> )Default : empty stringRange of Values : name of WSSCipherLlist. D stands for DEFAULT.-------------------------------------------------------------------------wss_privkey_nameFormat : ( DEFAULT | D | <server_key_file_name> )Default : empty stringRange of Values : name of ServerKeyFile-------------------------------------------------------------------------wss_cert_nameFormat : ( DEFAULT | D | <server_cert_file_name> )Default : empty stringRange of Values : name of ServerCertificateFile-------------------------------------------------------------------------mcdDefault : physical-CPUs + 1, logical-CPUs/2 + 1, 25 or 1Range of Values : 1 - 65535-------------------------------------------------------------------------use_hcpcmDefault : noRange of Values : yes, no-------------------------------------------------------------------------acl_nameDefault : noneRange of Values : name of access control list=========================================================================

The available WebSocket services (SSL/TLS) to allow to connect from client computers are defined.

wss_service_addr specifies the IP address for WebSocket service.

wss_service_port is available port for WebSocket service in the optional settings. A port number of 443 will be chosen when you omit this option.

wss_opt_name is optinal. This option specifies a name of WSSOptions. D indicates the default value. When this is the empty string, the WSSOptions that dose not have any name will be chosen.

wss_cs_name is optinal. This option specifies a name of WSSCipherSuites. D indicates the default value. When this is the empty string, the WSSCipherSuites that dose not have any name will be chosen.

wss_clist_name is optinal. This option specifies a name of WSSCipherList. D indicates the default value. When this is the empty string, the WSSCipherList that dose not have any name will be chosen.

wss_privkey_name is optional. This option specifies a name of ServerKeyFile that includes a server key (a private key) for SSL/TLS communication. D indicates the default value. When this is the empty string, the ServerKeyFile that dose not have any names will be chosen.

wss_cert_name is optional. This option specifies a name of ServerCertificateFile that includes a server certificate for SSL/TLS communication. D indicates the default value. When this is the empty string, the ServerCertificateFile that dose not have any names will be chosen.

physical-CPUs + 1 (physical-CPUs \< logical-CPUs and physical-CPUs > 1 under 25 maximum)
logical-CPUs/2 + 1 (physical-CPUs = logical-CPUs and logical-CPUs/2 > 1 under 25 maximum)
1 (Otherwise. For example, the license dose not include this function or physical-CPUs and logical-CPUs do not meet the above conditions)

use_hcpcm is optional. This option enables encryption on application layer by AcceptableCryptMethod in addtion to SSL/TLS communication. D indicates the default value.

acl_name is an optional setting, as in TCP service. It is a name of an access control list (see AccessList) that you would like to set to the WebSocket services (SSL/TLS). When this option is not set or the specified name is not found in access control lists, an unamed access control list will be set to the WebSocket services (SSL/TLS).

--Example :WSSListenAddress 0.0.0.0:8443--

WSSOptions#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : WSSOptions <opt_value>[ <opt_name>]-------------------------------------------------------------------------opt_valueFormat : ( NONE | <openssl_opt_values> )Default : NONERange of Values : list of SSL/TLS option names defined by OpenSSL-------------------------------------------------------------------------opt_nameDefault : noneRange of Values : string=========================================================================

This option specified OpenSSL options that will be used on SSL/TLS communication. Please use names described in the following URL.

https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_options.htmlSSL_CTX_set_options
--Example :WSSOptions SSL_OP_NO_COMPRESSION:SSL_OP_NO_SSLv3--

WSSCipherSuites#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : WSSCipherSuites <cs_value>[ <cs_name>]-------------------------------------------------------------------------cs_valueFormat : ( NONE | <openssl_cipher_suite_values> )Default : NONERange of Values : list of Cipher Suites parameters defined by OpenSSL-------------------------------------------------------------------------cs_nameDefault : noneRange of Values : string=========================================================================

This options specifie Cipher Suites parameters of OpenSSL that will be used on TLS v1.3 communication. Please use names described in the following URL.

https://www.openssl.org/docs/man1.1.1/man1/ciphers.htmlciphers
Ciphte Suite names defined by "TLS v1.3 cipher suites"
--Example :WSSCipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256--

WSSCipherList#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : WSSCipherList <clist_value>[ <clist_name>]-------------------------------------------------------------------------clist_valueFormat : ( NONE | <openssl_cipher_list> )Default : NONERange of Values : Cipher List parameters defined by OpenSSL-------------------------------------------------------------------------clist_nameDefault : noneRange of Values : string=========================================================================

This option specifies Cipher List parameters of OpenSSL that will be used on SSL/TLS communication under TLS 1.2. Please use names described in the following URL.

https://www.openssl.org/docs/man1.1.1/man1/ciphers.htmlciphers
Cipher List in a format defined by "CIPHER LIST FORMAT2 and "CIPHER STRINGS".
--Example :WSSCipherList RC4-MD5:RC4-SHA:AES128-SHA:AES256-SHA:HIGH:!DSS:!aNULL--

WSListenAddress#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : WSListenAddress <ws_service_addr>[:<ws_service_port>[:<mcd>]][ <acl_name>]-------------------------------------------------------------------------ws_service_addrDefault : noneRange of Values : IP address-------------------------------------------------------------------------ws_service_portDefault : 80Range of Values : 1 - 65535-------------------------------------------------------------------------mcdDefault : physical-CPUs + 1, logical-CPUs/2 + 1, 25 or 1Range of Values : 1 - 65535-------------------------------------------------------------------------acl_nameDefault : noneRange of Values : name of access control list=========================================================================

The available WebSocket services (no SSL/TLS) to allow to connect from client computers are defined.

ws_service_addr specifies an IP address for the WebSocket service.

ws_service_port specifies a port number of the WebSocket service.

physical-CPUs + 1 (physical-CPUs \< logical-CPUs and physical-CPUs > 1 under 25 maximum)
logical-CPUs/2 + 1 (physical-CPUs = logical-CPUs and logical-CPUs/2 > 1 under 25 maximum)
1 (Otherwise. For example, the license dose not include this function or physical-CPUs and logical-CPUs do not meet the above conditions)

acl_name is an optional setting, as in TCP service. It is a name of an access control list (see AccessList) that you would like to set to the WebSocket services (no SSL/TLS). When this option is not set or the specified name is not found in access control lists, an unamed access control list will be set to the WebSocket services (no SSL/TLS).

--Example :WSListenAddress 0.0.0.0:8080--

ListenServiceBonding#

=========================================================================Supported OS : Linux / WindowsFormat : ListenServiceBonding <service_name>[ ... <service_name>]-------------------------------------------------------------------------service_nameDefault : noneRange of Values : names of TCPListenAddress, HpFPListenAddress, etc.=========================================================================

This specifies how hcpd makes bonding of services under multiple connection mode on sessions. Please specifies a name of service or names of services over which you want to make bonding of connections for sessions. You can see the names by -t option.

You can also use this option to make hybrid connections using TCP and HpFP for sessions.

Only one option can be described.

Clients connect to a server in oridinary way specifying the server host name and its port number of TCP or HpFP, etc. After the connection established, clients automatically make a nubmer of new connections with the server up to the limit defined at services counting the first connection.

--Example :ListenServiceBonding tcp1 udp1--

Communication Data Compression Function#

HeaderCompress (reserved)#

ContentCompress (reserved)#

Data Flow Control, Bandwidth Control#

MaxTotalReceiveRate#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : MaxTotalReceiveRate <bandwidth>-------------------------------------------------------------------------bandwidthDefault : 10GbitRange of Values : unsigned double-length integer=========================================================================

The traffic shaping control on the receiving bandwidth for the transport is configured (entire system). This function realizes the bandwidth control between the TCP/HpFP (UDP) layer and the application layer.

--Example :MaxTotalReceiveRate 1Gbit--

This function realizes the bandwidth control between the TCP/HpFP (UDP) layer and the application layer.When the value is over 5Gbps, it is processed as unlimited (without shaping). Other bandwidth shaping options are as well.

MaxTotalSendRate#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : MaxTotalSendRate <bandwidth>-------------------------------------------------------------------------bandwidthDefault : 10GbitRange of Values : unsigned double-length integer=========================================================================

The traffic shaping control on the sending bandwidth for the transport is configured (entire system). This function realizes the bandwidth control between the TCP/HpFP (UDP) layer and the application layer.

--Example :MaxTotalSendRate 1Gbit--

MaxReceiveRatePerConnection#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : MaxReceiveRatePerConnection <bandwidth>-------------------------------------------------------------------------bandwidthDefault : 10GbitRange of Values : unsigned double-length integer=========================================================================

The traffic shaping control on the receiving bandwidth for the transport by each client session is configured (per connection). This function realizes the bandwidth control between the TCP/HpFP (UDP) layer and the application layer.

--Example :MaxReceiveRatePerConnection 100Mbit--

MaxSendRatePerConnection#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : MaxSendRatePerConnection <bandwidth>-------------------------------------------------------------------------bandwidthDefault : 10GbitRange of Values : unsigned double-length integer=========================================================================

The traffic shaping control on the sending bandwidth for the transport by each client session is configured (per connection). This function realizes the bandwidth control between the TCP/HpFP (UDP) layer and the application layer.

--Example :MaxSendRatePerConnection 100Mbit--

Data Flow Control, File Lock Function#

FileLock#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : FileLock <flag-available>-------------------------------------------------------------------------flag-availableDefault : noRange of Values : yes, no=========================================================================

In writing /reading files, whether to use the file lock is configured.

When yes is set, hcp acquires a file lock to write to files and read from them. On the Linux platform, this locking mechanism works well among softwares which use the same one since it is advisory lock.

When it is “no”, hcp dose not acuqire the lock to do. This option is usable when some hang-ups occurs on network filesystems like NFS or some errors occurs on acquiring file locks. Please be careful of conflicts on destinations when multiple hcp commands run at one time.

When the lock request is processed properly and in waiting just to acquire the lock,the following log will be recorded (FileLockRetries is 0) or the processing will be stopped by detecting the maximum number of trials (FileLockRetries is more than 0).

2018/07/05 16:34:10 00007f638bd97740:INFO :Acquiring a lock to the file was rejected at the first trial.2018/07/05 16:34:13 00007f638bd97740:INFO :Acquiring a lock to the file continues to be rejected about few seconds.

The operation is stopped by detecting the attempts have reached to the maximum number (FileLockRetries is over 0).

--Example :FileLock yes--

FileLockTrials#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : FileLockTrials <num-trials>-------------------------------------------------------------------------num-trialsDefault : 0Range of Values : unsigned integer=========================================================================

The number of the maximum trials of acquiring the file lock is set. When 0, it is locked until the file lock acquired.

--Example :FileLockTrials 5--

The old name of FileLockRetries is available.

FileLockTrialInterval#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : FileLockTrialInterval <trial-interval>-------------------------------------------------------------------------trial-intervalDefault : 3Range of Values : unsigned integer=========================================================================

The interval time to request the file lock is set (sec).

--Example :FileLockTrialInterval 10--

The old name of FileLockRetryInterval is available.

Data Flow Control, Temporary File Save Function (Atomic File Save)#

AtomicLikeSaving#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : AtomicLikeSaving <flag-available> <temp-file-suffix>[ <temp-file-prefix>]-------------------------------------------------------------------------flag-availableDefault : noRange of Values : yes, no-------------------------------------------------------------------------temp-file-suffixDefault : .tmpRange of Values : up to 16 characters, NONE, RANDn-------------------------------------------------------------------------temp-file-prefixDefault : NONERange of Values : up to 16 characters, NONE, RANDn=========================================================================

It configures the settings for atomically file saving (two-step file saving by creating a temporary file) when transferring files.

flag-available specifies enabled/disenabled for atomically file saving.

temp-file-suffix specifies the suffix of temporary files created when enabled. When “NONE”, the suffix is not added.

temp-file-prefix specifies the prefix of temporary files created when enabled. When “NONE”, the prefix is not added.

On the Linux versions, the write access right in the final destination is checked before creating temporary files.

With the resume function (-r option), files transferred part of the way are transferred from the beginning.

When RANDn is set, a file name which dose not conflict to existing files will be produced using a random string. The default length of the random string is 6.

AtomicLikeSavingThreshold#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : AtomicLikeSavingThreshold <threshold>-------------------------------------------------------------------------thresholdDefault : 100KBRange of Values : signed double-length integer=========================================================================

The file size threshold is set to enable file saving atomically.

This setting does not cover files under the threshold. “0 bytes” means all files are covered.

AtomicLikeSavingRejectOverwriteRequest#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : AtomicLikeSavingRejectOverwriteRequest <flag-available>-------------------------------------------------------------------------flag-availableDefault : yesRange of Values : yes, no=========================================================================

It configures whether to reject a request (specified by client’s setting) to overwrite temporary files created in atomically saving.

It should be set to “no” to accept overwriting requests when there is no risk of collision of the temporary file name, by checking the application rules on file name, and the prefix/suffix string.

Data Flow Control, Data Buffer Setting#

MaxTotalBufferSize#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : MaxTotalBufferSize <max-total-buf-size>-------------------------------------------------------------------------max-total-buf-sizeDefault : 4GBRange of Values : signed double-length integer=========================================================================

The maximum memory buffer size for file data processing on the hcpd daemon is configured.

--Example :MaxTotalBufferSize 8GB--

MaxBufferSizePerConnection#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : MaxBufferSizePerConnection <max-buf-size-per-con>-------------------------------------------------------------------------max-buf-size-per-conDefault : 100MBRange of Values : unsigned double-length integer=========================================================================

The maximum memory buffer size for file data processing by each client session is configured.

--Example :MaxBufferSizePerConnection 512MB--

TCPServiceSocketSendBuffer#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : TCPServiceSocketSendBuffer <snd-buf-size>-------------------------------------------------------------------------snd-buf-sizeFormat : <decimal_number>[[(T|G|M|K)]B]Default : 0Range of Values : unsigned double-length integer (byte)=========================================================================

Specifies a TCP sending buffer size in bytes. 0 indicates no specification of this option.

You need this option to make a performance tuning of TCP on 100G environment. No need to use in ordinary cases.

--Example :TCPServiceSocketSendBuffer 128MB--

UDPServiceExtensionBufferSize#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : UDPServiceExtensionBufferSize <ext-buf-size>-------------------------------------------------------------------------ext-buf-sizeDefault : 2GBRange of Values : unsigned double-length integer (byte)=========================================================================

The extension buffer size for HpFP (UDP) service is specified.

The size of the buffer for the traffic in the HpFP session is extended up to the specified size (hpfp_sndbuf or hpfp_rcvbuf in UDPListenAddress) by adjusting to coincide with the increase of the latency, packet loss, and the volume of the traffic. The maximum total buffer size to extend is specified by this value.

When “0”, this extension doesn’t work.

The initial buffer size (the buffer size before extended) is 1MB.

--Example :UDPServiceExtensionBufferSize 4GB--

Data Flow Control, Transfer File Size Control#

MaxReceiveFileSize#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : MaxReceiveFileSize <file-size>-------------------------------------------------------------------------file-sizeDefault : 8EB - 1B (Unlimited. The maximum value of signed double-length integer)Range of Values : signed double-length integer=========================================================================

The maximum file size to allow to receive is configured.

--Example :MaxReceiveFileSize 1GB--

MaxSendFileSize#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : MaxSendFileSize <file-size>-------------------------------------------------------------------------file-sizeDefault : 8EB - 1B (Unlimited. The maximum value of signed double-length integer)Range of Values : signed double-length integer=========================================================================

The maximum file size to allow to send is configured.

--Example :MaxSendFileSize 1GB--

Data Flow Control, Message Data Size Control#

InitHeaderBlockSize#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : InitHeaderBlockSize <block-size>-------------------------------------------------------------------------block-sizeDefault : 50KBRange of Values : unsigned double-length integer=========================================================================

The initial header block size is configured.

--Example :InitHeaderBlockSize　10KB--

The maximum size of the header block including plural massages such as file request is given. This option is applied as soon as the transmission starts.

InitContentBlockSize#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : InitContentBlockSize <block-size>-------------------------------------------------------------------------block-sizeDefault : 1MBRange of Values : unsigned double-length integer=========================================================================

The initial content block size is configured.

In environments over 10Gbps, when the communication performance hits a peak by making the most of it, changing InitContentBlockSize along with MaxContentBlockSize may reach an even better performance.

--Example :InitContentBlockSize　2MB--

The maximum size of the header block including file data is given. This option is applied as soon as the transmission starts.

MaxHeaderBlockSize#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : MaxHeaderBlockSize <block-size>-------------------------------------------------------------------------block-sizeDefault : 50KBRange of Values : unsigned double-length integer=========================================================================

The maximum size of the header block to expand is configured.

--Example :MaxHeaderBlockSize 100KB--

Once the transmission starts, the occupied bandwidth is measured and the header block size is changed into the available size.

MaxContentBlockSize#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : MaxContentBlockSize <block-size>-------------------------------------------------------------------------block-sizeDefault : 1MBRange of Values : unsigned double-length integer=========================================================================

The maximum size of the content block to expand is configured.

In environments over 10Gbps, when the communication performance hits a peak by making the most of it, changing MaxContentBlockSize along with InitContentBlockSize may reach an even better performance.

--Example :MaxContentBlockSize 4MB--

Once the transmission starts, the occupied bandwidth is measured and the content block size is changed into the available size.

MaxRequestFileEntryAtOnce#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : MaxRequestFileEntryAtOnce <max-file-req-at-once>-------------------------------------------------------------------------max-file-req-at-onceDefault : 50Range of Values : signed integer=========================================================================

The maximum number of requested files to allow to send simultaneously is configured.

--Example :MaxRequestFileEntryAtOnce 1000--

Data Flow Control, Disk I/O Speed Control#

MaxReadRatePerConnection#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : MaxReadRatePerConnection <read-rate>-------------------------------------------------------------------------read-rateDefault : 10Ebit (Unlimited)Range of Values : unsigned double-length integer (up to 10Ebit)=========================================================================

This option specifies limitation of reading data from files on file transfer. This will be applied to each session which performs the file transfer. It is recognized as unlimited when the value is the maximum value in bps or over it.

In some environment, long time running of reading and writing might make overheat on SSDs (especially the writing side). So this option is useful for avoiding it.

--Example :MaxReadRatePerConnection 10Gbit--

MaxWriteRatePerConnection#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : MaxWriteRatePerConnection <write-rate>-------------------------------------------------------------------------write-rateDefault : 10Ebit (Unlimited)Range of Values : unsigned double-length integer (up to 10Ebit)=========================================================================

This option specifies limitation of writing data to files on file transfer. This will be applied to each session which performs the file transfer. It is recognized as unlimited when the value is the maximum value in bps or over it.

In some environment, long time running of reading and writing might make overheat on SSDs (especially the writing side). So this option is useful for avoiding it.

--Example :MaxWriteRatePerConnection 10Gbit--

Code Transformation, Communication Encoding Negotiation#

TransportCharEncoding#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : TransportCharEncoding <encodings>-------------------------------------------------------------------------encodingsFormat : <encoding>[ ...]Default : UTF8-------------------------------------------------------------------------encodingRange of Values : US-ASCII, UTF8, UTF16, UTF32=========================================================================

The string encoding method used in the transport is configured.

--Example :TransportCharEncoding UTF8 UTF16 US-ASCII--

It is applied to strings, such as file paths exchanged between clients. The encoding which is consistent with the one in the client configuration is chosen.

Code Transformation, Host Character Encoding#

HostEncoding#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : HostEncoding <encoding>-------------------------------------------------------------------------encodingDefault : UTF-8 (Linux) CP932 (Windows)Range of Values : encoding name supported by system and encoding conversion library (platform-dependent)=========================================================================

The string encoding method for the host computer is configured.

--Example :HostEncoding EUC-JP--

It is used to translate file paths into inner strings descriptions for the software.

Authentication#

LocalPasswordAuthentication#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : LocalPasswordAuthentication <flag-available>-------------------------------------------------------------------------flag-availableDefault : noRange of Values : yes, no=========================================================================

LPA(Local Password Authentication) authentication is specified. LPA authentication is enabled by inputting “yes”. If even one authentication is enabled including this authentication method of inputting “yes”, the authentication is always required to access from clients.(Anonymous access prohibited)

--Example :LocalPasswordAuthentication yes--

PAMAuthentication#

=========================================================================Supported OS : Linux.x86Format : PAMAuthentication <flag-available>-------------------------------------------------------------------------flag-availableDefault : yesRange of Values : yes, no=========================================================================

PAM(Pluggable Authenticaton Module) authentication is specified. PAM authentication is enabled by inputting “yes”.

--Example :PAMAuthentication no--

PAM authentication is valid for software distributed in RPM packages for Linux platforms.

PAM authentication depends on the system configuration. The PAM configuration files as below are appropriately configured according to the operating system environment where the service runs.

/etc/pam.d/hcpd

PubkeyAuthentication#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : PubkeyAuthentication <flag-available>-------------------------------------------------------------------------flag-availableDefault : yes (Linux.x86), no (Windows)Range of Values : yes, no=========================================================================

RSA(Rivest-Shamir-Adleman cryptosystem) authentication is specified. RSA authentication is enabled by inputting “yes”.

--Example :PubkeyAuthentication no--

WinLogonUserAuthentication#

=========================================================================Supported OS : WindowsFormat : WinLogonUserAuthentication <flag-available>-------------------------------------------------------------------------flag-availableDefault : yesRange of Values : yes, no=========================================================================

Windows authentication is specified. Windows authentication is enabled by inputting “yes”.

--Example :WinLogonUserAuthentication no--

Windows authentication is valid for software distributed in RPM packages for Windows platforms.

In the Windows authentication, the user ID and the password (including the domain name) will be just passed to the system standard API authentication function.

PerformSystemAuthenticationRegardlessUsers#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : PerformSystemAuthenticationRegardlessUsers <flag-available>-------------------------------------------------------------------------flag-availableDefault : noRange of Values : yes, no=========================================================================

This option specifies wheter hcpd executes the system authentication (PAM or Windows Logon) regardless of the user definitions at /etc/hcp/users.

--Example :PerformSystemAuthenticationRegardlessUsers yes--

AuthorizedKeysSearchDir#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : AuthorizedKeysSearchDir <search-dir>-------------------------------------------------------------------------search-dirDefault : /etc/hcp/authkeys (Linux.x86) C:/ProgramData/Clealink/HCP Tools/authkeys (Windows)Range of Values : path string of file system or NONE=========================================================================

This option specifies a search directory to find out a user’s public key for RSA authentication. Please set NONE if you do not want to perform the search.

--Example :AuthorizedKeysSearchDir /etc/hcp/authkeys--

The file name as below in the specified directory is searched as the file which the public key is stored in.

<user name>.pub

The old name of ‘AuthorizedKeySearchDir’ is available.

AuthorizedKeysFile#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : AuthorizedKeysFile <file-path>-------------------------------------------------------------------------file-pathDefault : ~/.hcp/authorized_keys (Linux.x86) ~/_hcp/authorized_keys (Windows)Range of Values : file path with a tilde which shows the user directory or NONE=========================================================================

Specifies the key store file in the user home directory to find the user’s public key for the RSA authentication. Please set NONE if you do not want to perform the search.

TOKENS of %h, %U and %u is available defined under the following sshd_config.

https://man7.org/linux/man-pages/man5/sshd_config.5.htmlTOKENS - AuthorizedKeysFile

The old name of ‘AuthorizedKeyFile’ is available.

AuthorizedKeysCommand#

=========================================================================Supported OS : Linux.x86Format : AuthorizedKeysCommand <cmd-path>-------------------------------------------------------------------------cmd-pathDefault : noneRange of Values : command (or script) path to search for user's public keys=========================================================================

Specifies the path of command (or script) to find the user’s public key for the RSA authentication. A username will be given to the command as the first argument. If you enable this configuration, hcpd requires AuthorizedKeysCommandUser.

--Example :AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys--

TOKENS of %h, %U and %u is available defined under the following sshd_config.

https://man7.org/linux/man-pages/man5/sshd_config.5.htmlTOKENS - AuthorizedKeysCommand

AuthorizedKeysCommandUser#

=========================================================================Supported OS : Linux.x86Format : AuthorizedKeysCommandUser <username>-------------------------------------------------------------------------usernameDefault : noneRange of Values : user name that runs the command to search for user's public keys=========================================================================

Specifies the user name that runs the command, specified by AuthorizedKeysCommand, to find the user’s public key.

--Example：AuthorizedKeysCommandUser nobody--

In general, it is recommended to use a user that works only for finding the public key and dose not have any other role on the system.

https://man7.org/linux/man-pages/man5/sshd_config.5.htmlAuthorizedKeysCommandUser

CACertificateFile#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : CACertificateFile <file-path>-------------------------------------------------------------------------file-pathDefault : /etc/hcp/cacert.pem (Linux.x86) C:/ProgramData/Clealink/HCP Tools/cacert.pem (Windows)Range of Values : path string of file system=========================================================================

The file path of the CA certificate for the client authentication is specified.

--Example :CACertificateFile /etc/hcp/cacert.pem--

The certificate in the PEM format is supported.

CACertificatePath (reserved)#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : CACertificatePath <dir-path>-------------------------------------------------------------------------dir-pathDefault : /etc/ssl (Linux.x86) C:/ProgramData/Clealink/HCP Tools/ssl (Windows)Range of Values : path string of file system=========================================================================

p. The directory path of the CA certificate for the server certificate is specified.

--Example :CACertificatePath /etc/ssl--

The certificate in the PEM format is supported.

CARevocationFile#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : CARevocationFile <file-path>-------------------------------------------------------------------------file-pathDefault : /etc/hcp/crl.pem (Linux.x86) C:/ProgramData/Clealink/HCP Tools/crl.pem (Windows)Range of Values : path string of file system =========================================================================

The file where CRL for client authentication is stored is configured.

--Example :CARevocationFile /etc/hcp/crl.pem--

The certification revocation list (CRL) in the PEM format is supported.

CARevocationPath (reserved)#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : CARevocationPath <dir-path>-------------------------------------------------------------------------dir-pathDefault : /etc/ssl (Linux.x86) C:/ProgramData/Clealink/HCP Tools/ssl (Windows)Range of Values : path string of file system=========================================================================

the directory where CRL for client authentication is stored is configured.

--Example :CARevocationPath /etc/ssl--

The certification revocation list (CRL) in the PEM format is supported.

OCSPRevocationEnabled#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : OCSPRevocationEnabled <flag-available>-------------------------------------------------------------------------flag-availableDefault : yesRange of Values : yes, no=========================================================================

OCSP (Online Certificate Status Protocol) for client authentication is configured. It is enabled by inputting “yes”.

--Example :OCSPRevocationEnabled no--

LocalUserFile#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : LocalUserFile <file-path>[ <usage>]-------------------------------------------------------------------------file-pathDefault : /etc/hcp/users (Linux.x86) C:/ProgramData/Clealink/HCP Tools/users (Windows)Range of Values : path string of file system-------------------------------------------------------------------------usageDefault : overwriteRange of Values : overwrite, define=========================================================================

The file which defines the user information is configured.

file-path specifies a path of the file.

usage specifies how to use the file from the following options.

overwrite
define

When overwrite is set, the file will be used to overwrite how to authenticate users.

When define is set, hcpd recognizes users described in the file are available to login. So it rejects users who are not described in the file.

--Example :LocalUserFile /etc/hcp/users define--

LocalPasswordFile#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : LocalPasswordFile <file-path>-------------------------------------------------------------------------file-pathDefault : /etc/hcp/passwd (Linux.x86) C:/ProgramData/Clealink/HCP Tools/passwd (Windows)Range of Values : path string of file system=========================================================================

The file which defines the user credentials (password hash) used in LPA authentication is configured.

--Example :LocalPasswordFile /etc/hcp/passwd--

AllowUsers#

=========================================================================Supported OS : Linux.x86Format : AllowUsers [<username-pattern>...]-------------------------------------------------------------------------username-patternFormat : <name-pattern>[@<host-pattern>]-------------------------------------------------------------------------name-patternDefault : noneRange of Values : string including wildcards ('*' or '?')-------------------------------------------------------------------------host-patternDefault : noneRange of Values : CIDR form network address string=========================================================================

This option specifies a name pattern of system users who are accepted to login (multiple specification is available).

username-pattern specifies a user name pattern and a CIDR form network address as option.

name-pattern specifies a pattern string representing user names. You can use a wildcard ‘*’ representing any strings and another wildcard ‘?’ representing any one character. When a user name input by a user matches with this pattern, hcpd accepts the login trial and performs authentication.

host-pattern specifies a CIDR form network address string. When the option is set, hcpd accepts the login trial if the name-pattern matches with the input user name and the network address includes the peer address of clients.

If hcpd confirms a pattern meets the above conditions, it terminates evaluation of patters and accepts the login trial. When DenyUsers is also configured, the evaluation will be performed in the order from DenyUsers to AllowUsers. If no patterns meet the conditions when AllowUsers or AllowGroups are set, hcpd rejects the login trial.

The following configurations will be disabled whem this option is set.

PrivilegeSeparationMinimumUID
PrivilegeSeparationMinimumGID

--Example :AllowUsers seg1-*@192.168.0.0/24--

AllowGroups#

=========================================================================Supported OS : Linux.x86Format : AllowGroups [<groupname-pattern>...]-------------------------------------------------------------------------groupname-patternDefault : noneRange of Values : string including wildcards ('*' or '?')=========================================================================

This option specifies a name pattern of system groups who are accepted to login (multiple specification is available).

groupname-pattern specifies a pattern string representing group names. You can use a wildcard ‘*’ representing any strings and another wildcard ‘?’ representing any one character. When a primary group or supplemental groups the user belongs to matches with this pattern, hcpd accepts the login trial and performs authentication.

If hcpd confirms a pattern meets the above conditions, it terminates evaluation of patters and accepts the login trial. When DenyGroups is also configured, the evaluation will be performed in the order from DenyGroups to AllowGroups. If no patterns meet the conditions when AllowUsers or AllowGroups are set, hcpd rejects the login trial.

The following configurations will be disabled whem this option is set.

PrivilegeSeparationMinimumUID
PrivilegeSeparationMinimumGID

--Example :AllowGroups seg1-users--

DenyUsers#

=========================================================================Supported OS : Linux.x86Format : DenyUsers [<username-pattern>...]-------------------------------------------------------------------------username-patternFormat : <name-pattern>[@<host-pattern>]-------------------------------------------------------------------------name-patternDefault : noneRange of Values : string including wildcards ('*' or '?')-------------------------------------------------------------------------host-patternDefault : noneRange of Values : CIDR form network address string=========================================================================

This option specifies a name pattern of system users who are rejected to login (multiple specification is available).

username-pattern specifies a user name pattern and a CIDR form network address as option.

name-pattern specifies a pattern string representing user names. You can use a wildcard ‘*’ representing any strings and another wildcard ‘?’ representing any one character. When a user name input by a user matches with this pattern, hcpd rejects the login trial and performs authentication.

host-pattern specifies a CIDR form network address string. When the option is set, hcpd rejects the login trial if the name-pattern matches with the input user name and the network address includes the peer address of clients.

When AllowUsers is also configured, the evaluation will be performed in the order from DenyUsers to AllowUsers. If a pattern meets the conditions, hcpd rejects the login trial without evaluating the remaining patterns.

The following configurations will be disabled whem this option is set.

PrivilegeSeparationMinimumUID
PrivilegeSeparationMinimumGID

--Example :DenyUsers seg1-*@192.168.0.0/24--

DenyGroups#

=========================================================================Supported OS : Linux.x86Format : DenyGroups [<groupname-pattern>...]-------------------------------------------------------------------------groupname-patternDefault : noneRange of Values : string including wildcards ('*' or '?')=========================================================================

This option specifies a name pattern of system groups who are rejected to login (multiple specification is available).

groupname-pattern specifies a pattern string representing group names. You can use a wildcard ‘*’ representing any strings and another wildcard ‘?’ representing any one character. When a primary group or supplemental groups the user belongs to matches with this pattern, hcpd rejects the login trial and performs authentication.

When AllowGroups is also configured, the evaluation will be performed in the order from DenyGroups to AllowGroups. If a pattern meets the conditions, hcpd rejects the login trial without evaluating the remaining patterns.

The following configurations will be disabled whem this option is set.

PrivilegeSeparationMinimumUID
PrivilegeSeparationMinimumGID

--Example :DenyGroups guest-users--

Encryption#

AcceptableCryptMethod#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : AcceptableCryptMethod <method-names>-------------------------------------------------------------------------method-namesFormat : <method-name>[ ...]Default : AES256/GCM AES256/CTR/VMAC AES256/CBC AES128/CBC-------------------------------------------------------------------------method-nameRange of Values : PLAIN, AES128/CBC, AES192/CBC, AES256/CBC, AES128/CBC/HMAC,AES192/CBC/HMAC, AES256/CBC/HMAC, AES128/CBC/VMAC, AES192/CBC/VMAC,AES256/CBC/VMAC, AES128/CBC/VMAC64, AES192/CBC/VMAC64, AES256/CBC/VMAC64,AES128/CTR/HMAC, AES192/CTR/HMAC, AES256/CTR/HMAC, AES128/CTR/VMAC,AES192/CTR/VMAC, AES256/CTR/VMAC, AES128/CTR/VMAC64, AES192/CTR/VMAC64,AES256/CTR/VMAC64, AES128/GCM, AES192/GCM, AES256/GCM=========================================================================

The cryptographic algorithm is configured.

When specified AES128/CBC, it is interpreted as AES128/CBC/HMAC.(They are the same algorithm. AES192/CBC and AES256/CBC are as well.)

When communicating with a host with versions that do not support the new algorithms, such as CTR/GCM mode and VMAC mode, these new algorithms that don’t match the other host are ignored in the connection negotiation. However, still, the communications don’t go to errors.

CTR/VMAC or GCM are recommended on network over 1Gbps, e.g. AES256/GCM, AES256/CTR/VMAC. Encrypted communication using CBC or HMAC, e.g. AES256/CTR/HMAC, AES256/CBC/HMAC, might make a bottle neck in performance on network over 1Gbps generally. VMAC64 checks data integrity with 64 bit, less than 128 bit in VMAC mode, which leads to better performance but less secured data integrity.

--Example :AcceptableCryptMethod AES256/CBC PLAIN--

It is used to encrypt the messages communicated with a client. The algorithm is chosen to match the client configuration.

AcceptableDigestMethod#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : AcceptableDigestMethod <method-names>-------------------------------------------------------------------------method-namesFormat : <method-name>[ ...]Default : XXH3 SHA256 SHA160-------------------------------------------------------------------------method-nameRange of Values : NONE, SHA160, SHA224, SHA256, SHA384, SHA512, MD5, MM32, MM128,XXH3, XXH128, XXH64, XXH32=========================================================================

The digest algorithm for data communication and verification of transferred files is configured.

--Example :AcceptableDigestMethod SHA256 SHA160 NONE--

It is used to verify the messages, files, and data blocks communicated between clients. The algorithm which is consistent with the one in the client configuration is chosen.

In the case of encryption communications using HMAC like AES256/CBC/HMAC, the algorithms (MD5, MM32, MM128, XXH3, XXH128, XXH64, XXH32) other than the security digest algorithms are regarded as nothing configured.

MM32 and MM128 are deprecated. Please use XXH3 instaed.

RequireDataIntegrityChecking#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : RequireDataIntegrityChecking <flag-available>-------------------------------------------------------------------------flag-availableDefault : yesRange of Values : yes, no=========================================================================

When encrypted communication between server and clients, whether the server requests to check the integrity of communicating data (Data integrity test) by MAC (Message Authentication Code) is set.

When “no”, in the case that clients request not to check the data, accept the request and keep communicating.

When “yes”, reject the request.

“yes” (default) is recommended. This commnad is used to improve the performance in encrypted communication. Please be aware of the risk that the communicating data is not supposed to be check when elected “no.”

--Example :RequireDataIntegrityChecking no--

Security Negotiation by Encryption Communications#

UseServerCertificateSecurity#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : UseServerCertificateSecurity <flag-available>-------------------------------------------------------------------------flag-availableDefault : yesRange of Values : yes, no=========================================================================

The server certificate security function is available. When “yes” is set, secured communications based on the PKI technology between clients are provided by the server certification specified in ServerCertificateFile or the public key resolved by the ServerKeyFile path.

--Example :UseServerCertificateSecurity no--

RequireServerCertificateSecurity#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : RequireServerCertificateSecurity <flag-available>-------------------------------------------------------------------------flag-availableDefault : yesRange of Values : yes, no=========================================================================

Security communications for clients by server certification security function is available. When “yes” is set and the client requests the communication without this function (plain communicaion), the connection is denied.

--Example :RequireServerCertificateSecurity no--

ServerKeyFile#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : ServerKeyFile <file-path>[ <serv-key-name>]-------------------------------------------------------------------------file-pathDefault :  /etc/hcp/key/server.key (Linux.x86)  C:/ProgramData/Clealink/HCP Tools/key/server.key (Windows)Range of Values : path string of file system-------------------------------------------------------------------------serv-key-nameDefault : noneRange of Values : string=========================================================================

The server private key path used in server certification security function is specified. When the public key exists in the private key path with the suffix “pub”, secured communications are provided by using this pair of keys, not by the setting of ServerCertificateFile.

server-key-name is optional. This option sets a name to the key. WSSListenAddress services use the name to refer to the key.

--Example :ServerKeyFile /etc/hcp/key/server.keyServerKeyFile /etc/hcp/key/server.wss.key wss-key--

When client users accesse to the server for the first time, the following question is asked to make sure that the public key is registered as known_hosts.

A secure connection for host 127.0.0.1 can't be established.RSA key fingerprint is SHA256: 0fzb9DY4qxXWPm/L/4cBKKK+FQ9577NIRYxRquZ6eWA=.Are you sure you want to continue connecting [yes/no] ?

By inputting “yes”, the key is supposed to be registered as a registered host in the path. In the case of the same public key of the same host, this procedure is skipped from next time.

<userhomedirectory>/.hcp/known_hosts (Linux)<userhomedirectory>/_hcp/known_hosts (Windows)

ServerCertificateFile#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : ServerCertificateFile <file-path>[ <serv-cert-name>]-------------------------------------------------------------------------file-pathDefault : /etc/hcp/cert/server.crt (Linux.x86) C:/ProgramData/Clealink/HCP Tools/cert/server.crt (Windows)Range of Values : path string of file system-------------------------------------------------------------------------serv-cert-nameDefault : noneRange of Values : string=========================================================================

the server certificate path is specified.

serv-cert-name is optional. This option sets a name to the certificate. WSSListenAddress use the name to refer to the certificate.

If you need intermedate certificates, please place certificates into the file in the order from the server certificate to the intermediate one.

--Example :ServerCertificateFile /etc/hcp/cert/server.crtServerCertificateFile /etc/hcp/cert/server.wss.crt wss-cert--

ServerCertificateChainFile#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : ServerCertificateChainFile <file-path>-------------------------------------------------------------------------file-pathDefault : /etc/hcp/cert/chain.crt (Linux.x86) C:/ProgramData/Clealink/HCP Tools/cert/chain.crt (Windows)Range of Values : path string of file system=========================================================================

Multiple intermediate certificates in the server certificate path are specified.Intermediate certificates are sent to clients in the order they are stored in the fil after sending the server certificate.

--Example :ServerCertificateChainFile /etc/hcp/cert/chain.crt--

Access Control#

UserDirectoryFallbackAvailable#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : UserDirectoryFallbackAvailable <flag-available>-------------------------------------------------------------------------flag-availableDefault : noRange of Values : yes, no=========================================================================

Whether to allow the fallbacks of the user home directory and the working directory is configured. When the home directory recognized as the registered authentication doesn’t exist, whether to move backward to the directory described in the root document is specified. This option is invalid (no) in software version 1.1.0 and later on the client.

--Example :UserDirectoryFallbackAvailable yes--

RejectOnUserHomeDirectoryNotFound#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : RejectOnUserHomeDirectoryNotFound <flag-available>-------------------------------------------------------------------------flag-availableDefault : noRange of Values : yes, no=========================================================================

When the user home directory can’t be found, whether to reject is set. This option is set to enable (yes) on the software before Ver.1.2.0.

--Example :RejectOnUserHomeDirectoryNotFound yes--

Access Control, Privilege Separation#

UsePrivilegeSeparation#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : UsePrivilegeSeparation <flag-available>-------------------------------------------------------------------------flag-availableDefault : yesRange of Values : yes, no=========================================================================

The privilege separation for the client sessions is configured. In “yes”, processing in the sessions is executed in a process different from the server standby process. In the divided processes, the user identification information (UID/GID and supplemental groups) based on the authentication result is set as user’s access rights. If you want to change the specification of UID/GID from the default, please add an entry to /etc/hcp/users to overwrite it.

--Example :UsePrivilegeSeparation no--

Supplemental groups can be applied up to 1000 groups. When they are over the number of groups, supplemental groups will be ignored (only UID and primary group GID applied). When the privilege separation is disabled, the processes on client sessions are operated following execution rights of each service.

On the Windows services, when authentication is performed by LPA or RSA authentication rather than Windows logon authentication, client sessions works in the service’s access rights (privilege separation will not applied to them).

PrivilegeSeparationMinimumUID#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : PrivilegeSeparationMinimumUID <min-uid>-------------------------------------------------------------------------min-uidDefault : 0Range of Values : unsigned integer=========================================================================

The minimum value of UID in which sessions can be executed in privilege separation enabled is configured, which is useful to control executions by users who has special rights.

This option will be disabled when the following options are configured.

AllowUsers
AllowGroups
DenyUsers
DenyGroups

--Example :PrivilegeSeparationMinimumUID 1000--

PrivilegeSeparationMinimumGID#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : PrivilegeSeparationMinimumGID <min-gid>-------------------------------------------------------------------------min-gidDefault : 0Range of Values : unsigned integer=========================================================================

The minimum value of GID in which sessions can be executed in privilege separation enabled is configured, which is useful to control executions by users who has special rights.

This option will be disabled when the following options are configured.

AllowUsers
AllowGroups
DenyUsers
DenyGroups

--Example :PrivilegeSeparationMinimumGID 1000--

PrivilegeSeparationUser#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : PrivilegeSeparationUser <username>-------------------------------------------------------------------------usernameDefault : noneRange of Values : user names in the system=========================================================================

In privilege separation working, the specified user’s identification information will be applied when hcpd cannot determine any user’s access rights to apply.

When user name isn’t specified, a user name (nobody or everyone) depend on the platform is used.

--Example :PrivilegeSeparationUser nobody--

PrivilegeSeparationUmask#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : PrivilegeSeparationUmask <umask_val>[ <dir_umask_val>]-------------------------------------------------------------------------umask_valDefault : 0022Range of Values : from 0000 to 0777 in octal values-------------------------------------------------------------------------dir_umask_valDefault : noneRange of Values : from 0000 to 0777 in octal values- dir_umask_val is experimantal.=========================================================================

This option specifies a umask value applied to processes executing different from the server stanby process on privilege separation.

umask_val specifies a umask value to apply. When dir_umask_val is not set, this value will be applied to both files and directories in the process.

dir_umask_val specifies a umask value to apply for directories. When this option is set, umask_val will be applied to files and dir_umask_val will be applied to directories. A common value of umask (umask_val & dir_umask_val) will be applied to the process and differenct from the common value will be applied respectively by HCP on creating files and directories. Please be careful of application of unexpected umask to files and directories which are not handled by HCP (so, this option is experimental).

If you want to set umask each user, please edit /etc/hcp/users.

--Example :PrivilegeSeparationUmask 0002--

PrivilegeSeparationUmaskAnonymous#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : PrivilegeSeparationUmaskAnonymous <umask_val>[ <dir_umask_val>]-------------------------------------------------------------------------umask_valDefault : 0002Range of Values : from 0000 to 0777 in octal values-------------------------------------------------------------------------dir_umask_valDefault : noneRange of Values : from 0000 to 0777 in octal values- dir_umask_val is experimental.=========================================================================

This option specifies a umask value applied to processes executing in anonymous different from the server stanby process on privilege separation.

umask_val specifies a umask value to apply. When dir_umask_val is not set, this value will be applied to both files and directories in the process.

--Example :PrivilegeSeparationUmaskAnonymous 0022--

ApplyUserPermission#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : ApplyUserPermission <flag-available>-------------------------------------------------------------------------flag-availableDefault : yesRange of Values : yes, no=========================================================================

When privilege separation isn’t used, whether to use the authenticated user identification information (UID/GID) is applied for the file permission to the destination is configured.

--Example :ApplyUserPermission yes--

NoSupplementalGroupInPrivilegeSeparation#

=========================================================================Supported OS : Linux.x86Format : NoSupplementalGroupInPrivilegeSeparation <flag-available>-------------------------------------------------------------------------flag-availableDefault : noRange of Values : yes, no=========================================================================

This option disables supplemental groups on the privilege separation.

--Example :NoSupplementalGroupInPrivilegeSeparation yes--

Access Control, ACL（Access Control List）Function#

AccessList#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : AccessList <acl_name>-------------------------------------------------------------------------acl_nameDefault : noneRange of Values : characters=========================================================================

The access control list is defined.

acl_name is an optional setting. The access control list is specified.

--Example :AccessList acl1--

When acl_name is not used, it is treated as the unnamed access control list. Only one unnamed access control list can be defined.

Allow#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : Allow (<ip_addr> <net_mask>|any)[ <hpfp_cong_mode_modifier>]-------------------------------------------------------------------------ip_addrDefault : noneRange of Values : IP address-------------------------------------------------------------------------net_maskDefault : noneRange of Values : subnet mask-------------------------------------------------------------------------hpfp_cong_mode_modifierFormat : <modifier>[...] modifier := (+|-)(M|S|A)[...]Default : none=========================================================================

The access permission on the access control list is defined.

ip_addr is IP address.

net_mask is net mask.

“any” means all network.

hpfp_cong_mode_modifier specifys the overwriting of the HpFP congestion control mode.

In the HpFP congestion control mode, M, S, and A stands for MODEST, FAIR_FAST_START, and AGGRESSIVE respectively.

“+” means enabling the HpFP congestion control mode which is described after “+”, when the connection which matches with one of this allowed access list is received.

“-” means canceling the HpFP congestion control mode which is described after “-”.

--Example :    Allow 192.168.1.0 255.255.255.0 -A+M--

When the input network includes the client IP address, it is allowed to be accessed.

Deny#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : Deny (<ip_addr> <net_mask>|any)-------------------------------------------------------------------------ip_addrDefault : noneRange of Values : IP address-------------------------------------------------------------------------net_maskDefault : noneRange of Values : subnet mask=========================================================================

Denying to access is defined in the access control list.

--Example :    Deny 192.168.1.0 255.255.255.0--

When the input network includes the client IP address, it is denied to be accessed.

Access Control, Admission Control#

MaxTotalConnection#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : MaxTotalConnection <max-total-con>-------------------------------------------------------------------------max-total-conDefault : 150Range of Values : signed integer=========================================================================

The maximum number of connections is configured.

--Example :MaxTotalConnection 5--

MaxTcpConnection#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : MaxTcpConnection <max-tcp-con>-------------------------------------------------------------------------max-tcp-conDefault : 50Range of Values : signed integer=========================================================================

The maximum number of TCP connections is configured.

--Example :MaxTcpConnection 5--

MaxUdpConnection#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : MaxUdpConnection <max-udp-con>-------------------------------------------------------------------------max-udp-conDefault : 50Range of Values : signed integer=========================================================================

The maximum number of HpFP (UDP) connections is configured.

--Example :MaxUdpConnection 5--

MaxWsConnection#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : MaxWsConnection <max-ws-con>-------------------------------------------------------------------------max-ws-conDefault : 50Range of Values : signed integer=========================================================================

The maximum number of WebSocket connections is configured.

--Example :MaxWsConnection 5--

MaxConnectionPerUser#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : MaxConnectionPerUser <max-con-per-user>-------------------------------------------------------------------------max-con-per-userDefault : 50Range of Values : signed integer=========================================================================

The maximum number of connections by each user is configured.

--Example :MaxConnectionPerUser 1--

MaxConnectionPerSec#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : MaxConnectionPerSec <max-con-per-sec>-------------------------------------------------------------------------max-con-per-secDefault : 25Range of Values : signed integer=========================================================================

The maximum number of connections per second is configured.

--Example :MaxConnectionPerSec 10--

Access Control, Document Point#

DocPoint#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : DocPoint <doc_point_name>-------------------------------------------------------------------------doc_point_nameDefault : noneRange of Values : characters=========================================================================

This option specifies an area on the file system of the server to provide available accesses to clients under a directory and its children. It includes some configurations to set write and read permission.

doc_point_name shows the name of this document point.

When the user home directory can’t be found, this document point is used as the home directory.

--Example :DocPoint /home    DocPath /home    PermitAccessRead yes    PermitAccessWrite yes    PermitAccessOverwrite yes    PermitAccessDelete yesDocPointEnd--

DocPath, PermitAccessRead, PermitAccessWrite, PermitAccessOverwrite, PermitAccessDelete

When you configure two or more DocPoints, list the descriptions like the following example.

--Example :DocPoint /home    ......DocPointEnd
DocPoint /dev    ......DocPointEnd--

DocPath#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : DocPath <doc_path>-------------------------------------------------------------------------doc_pathDefault : noneRange of Values : path string of file system=========================================================================

The directory path for the document point is specified.

--Example :    DocPath /home--

The access to the files and directories is permitted by this directory path.

PermitAccessRead#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : PermitAccessRead <flag-available>-------------------------------------------------------------------------flag-availableDefault : noRange of Values : yes, no=========================================================================

The permission to read the files in the document point is set.

--Example :    PermitAccessRead yes--

When “no” is set, the files in the document point are prohibited to read. For example, it makes reading errors of files on file transfer.

PermitAccessWrite#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : PermitAccessWrite <flag-available>-------------------------------------------------------------------------flag-availableDefault : noRange of Values : yes, no=========================================================================

The permission to write the files in the document point is set.

--Example :    PermitAccessWrite yes--

When “no” is set, the files in the document point are prohibited to write. For example, it makes writing errors of files on file transfer.

PermitAccessOverwrite#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : PermitAccessOverwrite <flag-available>-------------------------------------------------------------------------flag-availableDefault : noRange of Values : yes, no=========================================================================

The permission to overwrite the files in the document point is set.

--Example :    PermitAccessOverwrite yes--

When “no” is set, the files in the document point are prohibited to overwrite. For example, it makes errors on overwriting to files which already exist.

PermitAccessDelete#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : PermitAccessDelete <flag-available>-------------------------------------------------------------------------flag-availableDefault : noRange of Values : yes, no=========================================================================

The permission to delete the files in the document point is set.

--Example :    PermitAccessDelete yes--

When “no” is set, the files in the document point are prohibited to delete.

PermitAccessRandomRead (reserved)#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : PermitAccessRandomRead <flag-available>-------------------------------------------------------------------------flag-availableDefault : noRange of Values : yes, no=========================================================================

The permission for the random read access in the document point is set.

--Example :    PermitAccessRandomRead yes--

PermitAccessRandomWrite (reserved)#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : PermitAccessRandomWrite <flag-available>-------------------------------------------------------------------------flag-availableDefault : noRange of Values : yes, no=========================================================================

The permission for the random write access in the document point is set.

--Example :    PermitAccessRandomRead yes--

Various Monitoring, Timeout Control#

TransportTimeout#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : TransportTimeout <timeout>-------------------------------------------------------------------------timeoutDefault : 180Range of Values : unsigned integer=========================================================================

The timeout in seconds of the transport is set. When communication data including Keep-Alive data is unreached in the specified time on a session, it will end closing its connections as it is supposed to be unavailable to continue communication.

0 indicates disabling the timeout.

--Example :TransportTimeout 60--

IdleTimeout#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : IdleTimeout <timeout>-------------------------------------------------------------------------timeoutDefault : 0 (no timeout)Range of Values : unsigned integer=========================================================================

The timeout in seconds of the idle time for a session is set. When operations (command basis execution) in connection to the server is not taken place for the specified time, the connection from the server is closed. It is applied when users operate simultaneously from remote by the terminal function (provided by API library), where user can input plural commands.

0 indicates disabling the timeout.

--Example :IdleTimeout 180 --

Performance Evaluation#

MemoryTransferConcurrency#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : MemoryTransferConcurrency <num-concur> <wait-type> <busy-sleep-nsec>-------------------------------------------------------------------------num-concurDefault : auto (smaller value of physical-CPUs/2 or 16) Range of Values : unsigned integer-------------------------------------------------------------------------wait-typeDefault : condRange of Values : cond, busy-------------------------------------------------------------------------busy-sleep-nsecDefault : 1Range of Values : unsigned integer=========================================================================

When you use -n option on the hcp command which starts the command on memory-to-memory transfer mode, this option configures how to copy memory data of file payloads in concurrent way at the sender side.

num-concur specifies a number of concurrent copies. 1 indicates the standar memory copy by memcpy without concurrency.

wait-type specifies a waiting method on memory copy threads in its idling state. cond is to perform a conditinal wait on that idling state and busy is to perform a busy wait on it. When busy is set, CPU usage might be up to a multiplication of the number of CPUs and 100%.

busy-sleep-nsec specifies a waiting time in nano seconds on the busy wait.

This options is defined for a performance tuning to remove performance limitation by a single threaded memory copy on 100Gbps network environment.

--Example :MemoryTransferConcurrency 1 cond 1 # To disableMemoryTransferConcurrency 12 busy 1 # Busy wait, 4 concurrent and wait in 1 nano seconds--

Log Management#

SyslogOption#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : SyslogOption <syslog-options>-------------------------------------------------------------------------syslog-optionsFormat : syslog-option[ ...]Default : CONS PID-------------------------------------------------------------------------syslog-optionRange of Values : CONS, NDELAY, NOWAIT, ODELAY, PERROR, PID=========================================================================

Syslog option (or options) are configured.

Each option is available for syslog option with prefix “LOG_”.

--Example :SyslogOption PID--

SyslogFacility#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : SyslogFacility <syslog-facility>-------------------------------------------------------------------------syslog-facilityDefault : DAEMONRange of Values : AUTH, CRON, DAEMON, FTP, LOCAL0 - LOCAL7, LPR, MAIL, NEWS, USER, UUCP=========================================================================

Syslog facility is set.

Each facility is available for syslog facility with prefix “LOG_”.

--Example :SyslogFacility FTP--

SystemLog#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : SystemLog <log-level>[ <flag-available>][ <log-rotation-conf>][ <log-path>]-------------------------------------------------------------------------log-levelDefault : INFORange of Values : EMERG, ALERT, CRIT, ERR, WARNING, INFO, DEBUG-------------------------------------------------------------------------flag-availableDefault : yesRange of Values : yes, no-------------------------------------------------------------------------log-rotation-confFormat : ( FileSize <file-size> <backups> | DatePattern <date-pattern> )-------------------------------------------------------------------------file-sizeDefault : noneRange of Values : signed double-length integer-------------------------------------------------------------------------backupsDefault : noneRange of Values : unsigned integer-------------------------------------------------------------------------date-patternDefault : noneRange of Values : yyyy-MM, yyyy-MM-dd, yyyy-MM-dd-HH, yyyy-MM-dd-HH-mm-------------------------------------------------------------------------log-pathDefault : /var/log/hcpd.logRange of Values : path string of file system=========================================================================

System log settings

log-level is set.

When “yes” in flag-available, logs are output.

log-rotation-conf specifies on log rotation. When this option is not specified, log rotations don’t take place. When FileSize is set, log rotations take place setting the file-size to the threshold. When DatePattern is set, log rotations take place based on the date.

file-size specifies the threshold of the file size in bytes.

backups specifies the maximum number of generations for log rotation to store when FileSize is set.

date-pattern specifies the pattern of the log rotation based on the date.

When FileSize is set, the number of the generations is supposed to be added as the suffix to the pathname of the log files as follows during log rotation.

<specified path> // the path of the log currently being written<specified path>.1<specified path>.2...<specified path>.n // "n" is the number set in backups

When the number of the log rotations exceeds the number specified in “backups”, the exceeded generation’s files are deleted.

When DatePattern is specified, the time and date are supposed to be added as the suffix to the pathname of the log files, following the specified pattern during log rotation.

// in the case of yyyy-MM-dd<specified path> // the path of the log currently being written<specified path>.2019-12-10 // the log for 2019/12/10<specified path>.2019-12-09...<specified path>.2019-11-30...

Log rotation takes place based on the unit of the specified pattern. In the month unit case, a log file records throughout that month, starting at 0:00 on the first day of that month and ending at right before 0:00 on the first day of the following month.

Example :from 2019/11/01 00:00:00 to 2019/12/01 00:00:00(It doesn't include 2019/12/01 00:00:00)

In the minute unit, a log file records throughout the minute, from 0 seconds in that minute to right before 0 seconds in the following minute.

Example :from 2019/11/01 10:30:00 to 2019/11/01 10:31:00(It doesn't include 2019/11/01 10:31:00)

After the specified duration, the log writing request triggers the log to rotate before the log writing. The log file is renamed by adding a suffix of that duration.

// yyyy-MM-dd-HH-mm rotation case2019/12/10 00:00 the server starts2019/12/10 00:05 the server stops2019/12/10 00:07 the server restarts...--<specified path><specified path>.2019-12-10-00-11<specified path>.2019-12-10-00-10 // No record from 00:09 to 00:10<specified path>.2019-12-10-00-08<specified path>.2019-12-10-00-07 // recorded from the server-restart<specified path>.2019-12-10-00-05 // recorded until the server-stop in 00:05 (In restarting, the log rotation is judged based on the update time of the log file.)...<specified path>.2019-12-10-00-00

The server using the privilege separation rotates logs periodically (about each 128 ms). Therefore the log content which should be in the following file may be output in the current file, because rotations may be delayed due to this 128 ms delay.

log-path specifies the log path. When specified together with the command parameter “-l”, the command parameter is effective.

--Example1 :SystemLog WARNING FileSize 10MB 10Example2 :SystemLog WARNING DatePattern yyyy-MM-ddExample3 :SystemLog WARNING // the same as SystemLogLevel--

SystemLogLevel#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : SystemLogLevel <log-level>-------------------------------------------------------------------------log-levelDefault : INFORange of Values : EMERG, ALERT, CRIT, ERR, WARNING, INFO, DEBUG=========================================================================

The system log level is set, which does not affect any syslog functions.

When you describe SystemLog, this option override the log level.

--Example :SystemLogLevel WARNING--

ApplicationStatLog#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : ApplicationStatLog <flag-available>[ <log-rotation-conf>]-------------------------------------------------------------------------flag-availableDefault : yesRange of Values : yes, no-------------------------------------------------------------------------log-rotation-confFormat : ( FileSize <file-size> <backups> | DatePattern <date-pattern> )-------------------------------------------------------------------------file-sizeDefault : noneRange of Values : signed double-length integer-------------------------------------------------------------------------backupsDefault : noneRange of Values : unsigned integer-------------------------------------------------------------------------date-patternDefault : noneRange of Values : yyyy-MM, yyyy-MM-dd, yyyy-MM-dd-HH, yyyy-MM-dd-HH-mm=========================================================================

The configuration on the application statistics is set.

When “yes” in “flag-available”, the application statistics information is output.

log-rotation-conf specifies the rotation rule. It works in the same way as the rotation behavior set in “SystemLog”. However, unlike the “SystemLog” logs don’t rotate periodically when using the privilege separation.

Based on the paths specified in “FileSize” and “DatePatternas” as each criterion, the rotations are carried out as below.

// FileSize cases<specified path>.application<specified path>.application.1<specified path>.application.2...<specified path>.application.n// DatePattern cases<specified path>.application<specified path>.application.2019-12-10<specified path>.application.2019-12-09...

The header of the statistics information is not included in rotated files.

--Example1 :ApplicationStatLog noExample2 :ApplicationStatLog yes FileSize 10MB 10Example3 :ApplicationStatLog yes DatePattern yyyy-MM-dd--

TransportStatLog#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : TransportStatLog <flag-available>[ <log-rotation-conf>]-------------------------------------------------------------------------flag-availableDefault : noRange of Values : yes, no-------------------------------------------------------------------------log-rotation-confFormat : ( FileSize <file-size> <backups> | DatePattern <date-pattern> )-------------------------------------------------------------------------file-sizeDefault : noneRange of Values : signed double-length integer-------------------------------------------------------------------------backupsDefault : noneRange of Values : unsigned integer-------------------------------------------------------------------------date-patternDefault : noneRange of Values : yyyy-MM, yyyy-MM-dd, yyyy-MM-dd-HH, yyyy-MM-dd-HH-mm=========================================================================

The configuration on the transport statistics is set.

When “yes” in flag-available, the transport statistics data is output.

log-rotation-conf specifies the rotation rule. It works in the same way as the rotation behavior set in “SystemLog”. When using the privilege separation, logs rotate periodically.

Based on the paths specified in “FileSize” and “DatePatternas” as each criterion, the rotations are carried out as below.

// FileSize cases<specified path>.transport.tcp.service_<service number>.<service port number>.thread_<thread number><specified path>.transport.tcp.service_<service number>.<service port number>.thread_<thread number>.1<specified path>.transport.tcp.service_<service number>.<service port number>.thread_<thread number>.2...<specified path>.transport.tcp.service_<service number>.<service port number>.thread_<thread number>.n// DatePattern cases<specified path>.transport.tcp.service_<service number>.<service port number>.thread_<thread number><specified path>.transport.tcp.service_<service number>.<service port number>.thread_<thread number>.2019-12-10<specified path>.transport.tcp.service_<service number>.<service port number>.thread_<thread number>.2019-12-09...

The header of the statistics information is not included in rotated files.

--Example1 :TransportStatLog yesExample2 :TransportStatLog yes FileSize 10MB 10Example3 :TransportStatLog yes DatePattern yyyy-MM-dd--

SystemStatLog#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : SystemStatLog <flag-available>[ <log-rotation-conf>]-------------------------------------------------------------------------flag-availableDefault : yesRange of Values : yes, no-------------------------------------------------------------------------log-rotation-confFormat : ( FileSize <file-size> <backups> | DatePattern <date-pattern> )-------------------------------------------------------------------------file-sizeDefault : noneRange of Values : signed double-length integer-------------------------------------------------------------------------backupsDefault : noneRange of Values : unsigned integer-------------------------------------------------------------------------date-patternDefault : noneRange of Values : yyyy-MM, yyyy-MM-dd, yyyy-MM-dd-HH, yyyy-MM-dd-HH-mm=========================================================================

The configuration on the system statistics is set.

When “yes” in flag-available, the system statistics data is output.

Based on the paths specified in “FileSize” and “DatePatternas” as each criterion, the rotations are carried out as below.

// FileSize cases<specified path>.system<specified path>.system.1<specified path>.system.2...<specified path>.system.n// DatePattern cases<specified path>.system<specified path>.system.2019-12-10<specified path>.system.2019-12-09...

The header of the statistics information is not included in rotated files.

--Example1 :SystemStatLog yesExample2 :SystemStatLog yes FileSize 10MB 10Example3 :SystemStatLog yes DatePattern yyyy-MM-dd--

FileOperationLog#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : FileOperationLog <flag-available>[ <log-rotation-conf>][ <log-path>]-------------------------------------------------------------------------flag-availableDefault : noRange of Values : yes, no-------------------------------------------------------------------------log-rotation-confFormat : ( FileSize <file-size> <backups> | DatePattern <date-pattern> )-------------------------------------------------------------------------file-sizeDefault : noneRange of Values : signed double-length integer-------------------------------------------------------------------------backupsDefault : noneRange of Values : unsigned integer-------------------------------------------------------------------------date-patternDefault : noneRange of Values : yyyy-MM, yyyy-MM-dd, yyyy-MM-dd-HH, yyyy-MM-dd-HH-mm-------------------------------------------------------------------------log-pathDefault : noneRange of Values : path string of file system=========================================================================

The configuration on the file operation logging is set.

When “yes” in flag-available, the file operation logs are output.

log-rotation-conf specifies the rotation rule. It works in the same way as the rotation behavior set in “SystemLog”. When using the privilege separation, logs rotate periodically.

Based on the paths specified in “FileSize” and “DatePatternas” as each criterion, the rotations are carried out as below.

// FileSize cases<log path><log path>.1<log path>.2...<log path>.n// DatePattern cases<log path><log path>.2019-12-10<log path>.2019-12-09...

The header of the statistics information is not included in rotated files.

log-path specifies a path of a file to which you want to output file operation logs. When it is not set, the following value will be used.

/var/log/hcpd.file.operation.log (Linux.x86)C:/ProgramData/Clealink/HCP Tools/hcpd.file.operation.log (Windows)

The file operation logs include the following I/O processing records.

Finish of reading a file
Finish of writing a file
Remove a file (including removing by synchronization)
Creation of a directory
Rename a file
Creation of a hard link
Creation of a symbolic link
List files

And the following records will be produced as records including acknowledgements by the application (HCP).

Completion of a file upload
Completion of a file download
Completion of synchronization of files
Completion of removing a file
Completion of creating a directory
Completion of renaming a file
Completion of creating a hard link
Completion of creating a symbolic link

The records include the following fields in common.

Date and time
Peer IP address and port number
User name

Paths of files are recorded in the specification of each operation.

The format of the logs is in the following specification.

=========================================================================Format:yyyy/mm/dd HH:MM:SS.<usec> <remote-ip> <username> <hcp-operation-name>[ <sub-operation-label>] <path>...yyyy/mm/dd HH:MM:SS.<usec> <remote-ip> <username> <file-io-operation-name>\[<hcp-operation-name>\] <path>...-------------------------------------------------------------------------usecRange of Values : micro seconds (000000 - 999999)-------------------------------------------------------------------------remote-ipRange of Values : peer IP address and port number-------------------------------------------------------------------------usernameRange of Values : User name and authentication method-------------------------------------------------------------------------hcp-operation-nameRange of Values : FT, FS, FR, LR, DC, FM, FL-------------------------------------------------------------------------sub-operation-labelRange of Values : U, D, H, S-------------------------------------------------------------------------file-io-operation-nameRange of Values : FileRead, FileWritten, FileDeleted, DirectoryCreated, FileRenamed, LinkCreated, SymbolicLinkCreated, ListFilesRawFormat=========================================================================

hcp-operation-name indicates a type of the following applications.

FT (File transfer)
FS (Delete file on file synchronization)
FR (File remove)
LR (List files. Output of ls or dir)
DC (Directory creation)
FM (File move)
FL (Link creation)

sub-operation-label indicates a sub type of some applications.

U (Upload. Used in FT)
D (Download. Used in FT)
H (Hard link creation. Used in FL)
S (Symbolic link creation. Used in FL)

file-io-operation-name indicates a type of the following file I/O operations.

FileRead (Finish of reading a file)
FileWritten (Finish of wrting a file)
FileDeleted (Finish of removing a file)
DirectoryCreated (Finish of creating a directory)
FileRenamed (Finish of renaming a file)
LinkCreated (Finish of creating a hard link)
SymbolicLinkCreated (Finish of creating a symbolic link)
ListFilesRawFormat (To run ls or dir)

--Output example:2020/01/31 10:34:52.277120 127.0.0.1:51660 user[PAM] FileWritten[FT] /home/user/file_nodiskio_02020/01/31 10:34:52.277175 127.0.0.1:51660 user[PAM] FT U /home/user/file_nodiskio_02020/01/31 10:35:14.946750 127.0.0.1:51662 user[PAM] FileRead[FT] /home/user/file_nodiskio_02020/01/31 10:35:15.002770 127.0.0.1:51662 user[PAM] FT D /home/user/file_nodiskio_02020/01/31 10:35:30.002700 127.0.0.1:51662 user[PAM] FS /home/user/dir_sync/stat.log2020/01/31 10:35:30.013558 127.0.0.1:51664 user[PAM] FileDeleted[FS] /home/user/dir_sync/stat.log2020/01/31 10:35:47.713558 127.0.0.1:51664 user[PAM] FileDeleted[FR] /home/user/stat.3.log2020/01/31 10:35:47.765413 127.0.0.1:51664 user[PAM] FR /home/user/stat.3.log2020/01/31 10:38:45.686206 127.0.0.1:51670 user[PAM] DirectoryCreated[DC] /home/user/hmkdir132020/01/31 10:38:45.789370 127.0.0.1:51670 user[PAM] DC /home/user/hmkdir132020/01/31 10:39:22.411968 127.0.0.1:51674 user[PAM] FileRenamed[FM] /home/user/stat.log /home/user/stat2.log2020/01/31 10:39:22.463710 127.0.0.1:51674 user[PAM] FM /home/user/stat.log /home/user/stat2.log2020/01/31 10:40:00.087660 127.0.0.1:51678 user[PAM] SymbolicLinkCreated[FL] /home/user/stat2.log /home/user/stat.log2020/01/31 10:40:00.165831 127.0.0.1:51678 user[PAM] FL S /home/user/stat2.log /home/user/stat.log2020/01/31 10:40:13.693415 127.0.0.1:51680 user[PAM] LinkCreated[FL] /home/user/stat2.log /home/user/stat.h.log2020/01/31 10:40:13.746160 127.0.0.1:51680 user[PAM] FL H /home/user/stat2.log /home/user/stat.h.log2020/02/06 13:54:21.282066 127.0.0.1:50186 user[PAM] ListFilesRawFormat[LR] /home/user/hmkdir42020/02/06 13:54:21.282104 127.0.0.1:50186 user[PAM] ListFilesRawFormat[LR] /home/user/hmkdir5--
--Example1 :FileOperationLog yesExample2 :FileOperationLog yes FileSize 10MB 10Example3 :FileOperationLog yes DatePattern yyyy-MM-ddExample4 :FileOperationLog yes FileSize 10MB 10 /var/tmp/hcpd.file.operation.log--

StatLogPerUserInPrivilegeSeparation#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : StatLogPerUserInPrivilegeSeparation <flag-available>-------------------------------------------------------------------------flag-availableDefault : noRange of Values : yes, no=========================================================================

In the case of the privilege separation, whether to record the statistics log for each user, is chosen.

--Example :StatLogPerUserInPrivilegeSeparation yes--

ApplicationStatLogSecurityEx#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : ApplicationStatLogSecurityEx <flag-available>-------------------------------------------------------------------------flag-availableDefault : yesRange of Values : yes, no=========================================================================

Whether to output the detailed information on the security in the application statistics log is set.

--Example :ApplicationStatLogSecurityEx no--

System Operating Environment Settings, CPU Thread Control#

MaxConcurrentThread#

=========================================================================Supported OS : Linux.x86Format : MaxConcurrentThread <max-threads>-------------------------------------------------------------------------max-threadsDefault : 0Range of Values : signed integer=========================================================================

The maximum number of threads is configured.

System Operating Environment Settings, Application Linked Function#

CallbackScript#

=========================================================================Supported OS : Linux.x86Format : CallbackScript <flag-available>[ <script-path>[ <data-store-path>]]-------------------------------------------------------------------------flag-availableDefault : noRange of Values : yes, no-------------------------------------------------------------------------script-pathDefault : noneRange of Values : path string of file system-------------------------------------------------------------------------data-store-pathDefault : noneRange of Values : path string of file system=========================================================================

This option specifies a script (or a binary program) to run after application runs.

flag-available enables this option. ‘yes’ means calling the script.

script-path specifies a path of the script. When a tilde(~) is described at the head, it will be expanded to the home directory of a user who runs the application.

data-store-path specifies a path of saving data given at the run-time of the script which is information of parameters or a result of application running. When a tilde(~) is described at the head, it will be expanded to the home directory of a user who runs the application.

After all of processing on each application running is finished, hcpd runs the following command line.

=========================================================================Command format : <script-path> <exit-code> <start-date-and-time> <end-date-and-time> <remote-ip> <username> <hcp-operation-name> <param-saved-path> <output-saved-path>-------------------------------------------------------------------------script-pathRange of Values : path string of file system (already expanded of tilde)-------------------------------------------------------------------------exit-codeRange of Values : exit code-------------------------------------------------------------------------start-date-and-timeRange of Values : date and time in the format of YYYY/MM/DD hh:mm:ss-------------------------------------------------------------------------end-date-and-timeRange of Values : date and time in the format of YYYY/MM/DD hh:mm:ss-------------------------------------------------------------------------remote-ipRange of Values : peer IP address and port number-------------------------------------------------------------------------usernameRange of Values : user name and authentication method-------------------------------------------------------------------------hcp-operation-nameRange of Values : hcp, hrm, hcp-ls, hmkdir, hpwd, hmv, hln, transfer, remove, listraw, mkd, pwd, move, link, cwd-------------------------------------------------------------------------param-saved-pathRange of Values : path string of file system-------------------------------------------------------------------------output-saved-pathRange of Values : path string of file system=========================================================================

script-path is a script path on hcpd.conf with expanding tilde(~).

exit-code is a reason code representing a result that application runs. The reason code is identical to a reason code recorded in the application statistics.

start-date-and-time is a date and time that application starts.

end-date-and-time is a date and time that application finishes.

hcp-operation-name indicates a type of the following applications (or operations of API).

hcp (File transfer command)
hrm (File removing command)
hcp-ls (File listing command)
hmkdir (Directory creation command)
hpwd (Working directory printing command)
hmv (File moving command)
hln (Link creation command)
transfer (API file transfer operation)
remove (API file removing operation)
listraw (API file listing operation)
mkd (API directory creation operation)
pwd (API working directory printing operation)
move (API file moving operation)
link (API link creation operation)

param-saved-path is a path of a file where information of input parameters is saved. The file includes options of the operation and path information from running result records (.hcp.out) the server recognizes.

--Output example:[user@localhost ~]$ cat .hcp/callback/hcp.cb.20200206_152252_468.13521.paramOPT copy_mode ALLCOPYOPT overwrite_mode FORCEOPT fail_action_mode HALTOPT preserve_permission noOPT recursive yesOPT any_dirs noOPT regex noOPT verify_payload noOPT copy_symlink noOPT follow_symlink noOPT no_copy_empty_file noOPT no_copy_empty_dir noOPT no_copy_dot_file noOPT no_copy_dot_dir noOPT copy_hidden noOPT check_archive noOPT resuming noOPT no_app_io yes num_files 1 file_size 1024OPT no_sess_io noSRC /home/user--

output-saved-path is a path of a file where a running result is saved. The file includes records representing a running result of each file.

--Output example:[user@localhost ~]$ cat .hcp/callback/hcp.cb.20200206_152252_468.13521.out OK 0000 FT 00000001 /home/user/file_nodiskio_0--
--Example :CallbackScript yes /var/tmp/hcp_callback.sh /var/tmp/hcp_callback--

Others#

EnsureDestinationInFileTransfer#

=========================================================================Supported OS : Linux.x86 / WindowsFormat : EnsureDestinationInFileTransfer <flag-available>-------------------------------------------------------------------------flag-availableDefault : yesRange of Values : yes, no=========================================================================

When the destination directory doesn’t exist during file transfers, how to control the file transfer, whether a new directory is created is set. This option is fixed to “no” from the software version 1.1.0.

 --Example :EnsureDestinationInFileTransfer no--