Server Setting Items

Setting Item List

The setting items for the hcpd daemon are below.

System Operating Environment Settings, Transmission Method Related

Description	Configuration Name
Protocol version (fixed to 2)	ProtocolVersion
TCP service listen address setting	TCPListenAddress
HpFP service listen address	HPFPListenAddress
HpFP service listen address (bi-port type, deprecated)	UDPListenAddress
WebSocket(SSL/TLS) service listen address	WSSListenAddress
WSS options	WSSOptions
WSS TLS 1.3 Cipher Suites	WSSCipherSuites
WSS TLS 1.2 or earlier Cipher Suites	WSSCipherList
WebSocket(no SSL/TLS) service listen address	WSListenAddress
Listen service bonding	ListenServiceBonding

Communication Data Compression Function

Description	Configuration Name
Header compression (reserved)	HeaderCompress
Content compression (reserved)	ContentCompress

Data Flow Control, Bandwidth Control

Description	Configuration Name
Maximum total receiving rate (entire system)	MaxTotalReceiveRate
Maximum total sending rate (entire system)	MaxTotalSendRate
Maximum receiving rate (per session)	MaxReceiveRate
Maximum sending rate (per session)	MaxSendRate
Maximum receiving rate (per connection)	MaxConnectionReceiveRate
Maximum sending rate (per connection)	MaxConnectionSendRate

Data Flow Control, File Lock Function

Description	Configuration Name
Use file lock	FileLock
Number of trials to lock files	FileLockTrials
The trial interval (in seconds)	FileLockTrialInterval

Data Flow Control, Temporary File Save Function (Atomic File Save)

Description	Configuration Name
Atomically file saving	AtomicLikeSaving
Threshold for atomically file saving	AtomicLikeSavingThreshold
Reject requests to overwriting temporary files which already exist when atomically file saving	AtomicLikeSavingRejectOverwriteRequest

Data Flow Control, Data Buffer Setting

Description	Configuration Name
Maximum buffer allocation size (entire system)	MaxTotalBufferSize
Maximum buffer allocation size (per connection)	MaxBufferSizePerConnection
TCP sending buffer	TCPServiceSocketSendBuffer
HpFP service extension buffer size	UDPServiceExtensionBufferSize

Data Flow Control, Transfer File Size Control

Description	Configuration Name
Maximum receiving file size	MaxReceiveFileSize
Maximum sending file size	MaxSendFileSize

Data Flow Control, Message Data Size Control

Description	Configuration Name
Initial header block size	InitHeaderBlockSize
Initial content block size	InitContentBlockSize
Maximum header block size	MaxHeaderBlockSize
Maximum content block size	MaxContentBlockSize
Max file entry request	MaxRequestFileEntryAtOnce

Data Flow Control, Disk I/O Speed Control

Description	Configuration Name
Disk I/O reading rate per session	MaxReadRate
Disk I/O writing rate per session	MaxWriteRate

Code Transformation, Communication Encoding Negotiation

Description	Configuration Name
Transport character encoding	TransportCharEncoding

Code Transformation, Host Character Encoding

Description	Configuration Name
Host character encoding	HostEncoding

Authentication

Description	Configuration Name
LPA (Local Password Authentication) authentication	LocalPasswordAuthentication
PAM (Pluggable Authenticaton Module) authentication	PAMAuthentication
Public key authentication	PubkeyAuthentication
Windows authentication	WinLogonUserAuthentication
Maximum number of authentication tries	MaxAuthTries
Control applying system authentication (PAM auth, Windows logon)	PerformSystemAuthenticationRegardlessUsers
Specify directory for searching public keys (RSA auth)	AuthorizedKeysSearchDir
Specify file for finding a public key (RSA auth)	AuthorizedKeysFile
Specify command for finding a public key (RSA auth)	AuthorizedKeysCommand
Specify user to run the command (RSA auth)	AuthorizedKeysCommandUser
Specify file of CA (Certificate Authorities) certificates	CACertificateFile
Specify directory including CA (Certificate Authorities) certificates (Reserved)	CACertificatePath
Specify file of CRL (Certificate Revocation List)	CARevocationFile
Specify directory including CRLs (Reserved)	CARevocationPath
Control performing OCSP (Online Certificate Status Protocol) on client authentication	OCSPRevocationEnabled
Specify file configuring users hcpd recognizes	LocalUserFile
Specify file holding credentials of LPA (Local Password Authentication)	LocalPasswordFile
Specify user name pattern to allow login	AllowUsers
Specify group name pattern to allow login	AllowGroups
Specify user name pattern to deny login	DenyUsers
Specify group name pattern to deny login	DenyGroups

Encryption

Description	Configuration Name
Encryption method for message communication	AcceptableCryptMethod
Digest method for validation of message and file data	AcceptableDigestMethod
Setting requirement of MAC (Message Authentication Code)	RequireDataIntegrityChecking

Security Negotiation by Encryption Communications

Description	Configuration Name
Enable server certificate security or not	UseServerCertificateSecurity
Set requirement of the security to clients	RequireServerCertificateSecurity
Server key path for the server certificate security	ServerKeyFile
Server certificate path for the server certificate security	ServerCertificateFile
Path of intermediate certificates for the server certificate (one or more)	ServerCertificateChainFile

Access Control

Description	Configuration Name
Fallback control from user home (for backward compatibility)	UserDirectoryFallbackAvailable
Access rejection when a directory of user home is not found	RejectOnUserHomeDirectoryNotFound
Disable restricted access on Windows server	WinLogonUserNoRestrictedAccess

Access Control, Privilege Separation

Description	Configuration Name
Set privilege separation	UsePrivilegeSeparation
Minimum UID applicable for privilege separated sessions	PrivilegeSeparationMinimumUID
Minimum GID applicable for privilege separated sessions	PrivilegeSeparationMinimumGID
Default user on privilege separation (applied when any user is not determined)	PrivilegeSeparationUser
Umask on privilege separation for authenticated users	PrivilegeSeparationUmask
Umask on privilege separation for anonymous	PrivilegeSeparationUmaskAnonymous
Apply user's access rights to file permissions on destination (not on privilege separation)	ApplyUserPermission
Disable supplemental groups	NoSupplementalGroupInPrivilegeSeparation

Access Control, ACL（Access Control List）Function

Description	Configuration Name
Define ACL (Access Control List)	AccessList
Define Allow rules on ACL	Allow
Define Deny rules on ACL	Deny

Access Control, Admission Control

Description	Configuration Name
Limit of connections (total)	MaxTotalConnection
Limit of TCP connections	MaxTcpConnection
Limit of UDP (HpFP) connections	MaxUdpConnection
Limit of Web Socket connections	MaxWsConnection
Limit of connections each user	MaxConnectionPerUser
Limit of connections to accept each second	MaxConnectionPerSec

Access Control, Document Point

Description	Configuration Name
Define a document point	DocPoint
Specify a path on file system on the document point	DocPath
Set user home isolation	HomeIsolation
Set reading access configuration	PermitAccessRead
Set writing access configuration	PermitAccessWrite
Set overwriting access configuration	PermitAccessOverwrite
Set deleting access configuration	PermitAccessDelete
Set reading in random access configuration (Reserved)	PermitAccessRandomRead
Set writing in random access configuration (Reserved)	PermitAccessRandomWrite

Various Monitoring, Timeout Control

Description	Configuration Name
Set transport timeout	TransportTimeout
Set idling timeout	IdleTimeout

Performance Evaluation

Description	Configuration Name
How to make pre-allocation in disk benchmark	DiskBenchmarkPreAllocation
A unit size for the pre-allocation	DiskBenchmarkPreAllocationSize
Direct I/O benchmark, alignment size specification	DiskBenchmarkDirectAlignmentSize
Async I/O benchmark, NO_WAIT(reserved)	DiskBenchmarkAsyncNoWait
Async I/O benchmark, maximum number of I/O events at once	DiskBenchmarkAsyncMaxEvents
Async I/O benchmark, maximum number of taking event results at once	DiskBenchmarkAsyncMaxGetEvents
Async I/O benchmark, a size of pool holding request buffers	DiskBenchmarkAsyncRequestPoolSize
File size on additional disk benchmarks	DeepDiskBenchmarkFileSize
Required free space on the benchmarks	DeepDiskBenchmarkFreeSpaceRequired
A set of block sizes on the benchmarks	DeepDiskBenchmarkBlockSizes
Memory copy parallelism (when disabling local disk I/O)	MemoryTransferConcurrency

Log Management

Description	Configuration Name
Set syslog option	SyslogOption
Set syslog facility	SyslogFacility
System log configuration	SystemLog
System log level	SystemLogLevel
Application statistics configuration	ApplicationStatLog
Transport statistics configuration	TransportStatLog
System statistics configuration	SystemStatLog
File operation logging configuration	FileOperationLog
Save statistics logs to files determined from each user (when privilege separation being enabled)	StatLogPerUserInPrivilegeSeparation
Set to output a security detail on application statistics	ApplicationStatLogSecurityEx

System Operating Environment Settings, CPU Thread Control

Description	Configuration Name
Limit number of threads to use (Linux)	MaxConcurrentThread

System Operating Environment Settings, Application Linked Function

Description	Configuration Name
Specify a script to call when running a command is finished	CallbackScript
Call back script home isolation	CallbackScriptHomeIsolation
Call back script ignores symbolic links	CallbackScriptNoSymbolicLink

Others

Description	Configuration Name
Ensure to transfer files to the destination directory (for backward compatibility)	EnsureDestinationInFileTransfer

System Operating Environment Settings, Transmission Method Related

TCPListenAddress

=========================================================================
Supported OS : Linux.x86 / Windows
Format : TCPListenAddress <tcp_service_addr>[:<tcp_service_port>[:<mcd>]][ <acl_name>]
-------------------------------------------------------------------------
tcp_service_addr
Default : none
Range of Values : IP address
-------------------------------------------------------------------------
tcp_service_port
Format : <decimal_number>
Default : 874
Range of Values : decimal_number is 1-65535.
-------------------------------------------------------------------------
mcd
Default : physical-CPUs + 1, logical-CPUs/2 + 1, 25 or 1
Range of Values : 1 - 65535
-------------------------------------------------------------------------
acl_name
Default : none
Range of Values : name of access control list
=========================================================================

The available TCP services to allow to connect from client computers are defined.

tcp_service_addr is available IP address for TCP service.

tcp_service_port is available port for TCP service.

mcd is optional. This options specifies a number of connections provided for each client session on the service. When 1 is set, sessions will work with a single connection. When 2 or more are set, they will do with the number of connections. When you do not specify it, hcpd will determine a value from the number of physical cores, the number of logical cores and the license configuration.

• physical-CPUs + 1 (physical-CPUs \< logical-CPUs and physical-CPUs > 1 under 25 maximum)
• logical-CPUs/2 + 1 (physical-CPUs = logical-CPUs and logical-CPUs/2 > 1 under 25 maximum)
• 1 (Otherwise. For example, the license dose not include this function or physical-CPUs and logical-CPUs do not meet the above conditions)

acl_name is an optional setting. It is a name of an access control list (see AccessList) that you would like to set to the TCP service. When this option is not set or the specified name is not found in access control lists, an unamed access control list will be set to the TCP service.

--
Example :
TCPListenAddress 0.0.0.0:1874
--

HPFPListenAddress

=========================================================================
Supported OS : Linux.x86 / Windows
Format : HPFPListenAddress <hpfp_service_addr>[:<hpfp_service_port>[:<hpfp_sndbuf>[:<hpfp_rcvbuf>[:<hpfp_mss>[:<mcd>]]]]][ <acl_name>]
-------------------------------------------------------------------------
hpfp_service_addr
Default : none
Range of Values : IP address
-------------------------------------------------------------------------
hpfp_service_port
Format : <decimal_number>
Default : 65520
Range of Values : decimal_number is 1-65535.
-------------------------------------------------------------------------
hpfp_sndbuf
Format : ( DEFAULT | D | <decimal_number>[[(T|G|M|K)]B] )
Default : 100MB
Range of Values : unsigned double-length integer (byte) D stands for DEFAULT.
-------------------------------------------------------------------------
hpfp_rcvbuf
Format : ( DEFAULT | D | <decimal_number>[[(T|G|M|K)]B] )
Default : 200MB
Range of Values : unsigned double-length integer (byte) D stands for DEFAULT.
-------------------------------------------------------------------------
hpfp_mss
Format : ( DEFAULT | D | NONE | N | <decimal_number>[[(T|G|M|K)]B] )
Default : NONE
Range of Values : unsigned integer (byte) D stands for DEFAULT. N stands for NONE.
-------------------------------------------------------------------------
mcd
Default : physical-CPUs + 1, logical-CPUs/2 + 1, 25 or 1
Range of Values : 1 - 65535
-------------------------------------------------------------------------
mcmp (Windows)
Default : no
Range of Values : yes, no
-------------------------------------------------------------------------
acl_name
Default : none
Range of Values : name of access control list
=========================================================================

The available HpFP services to allow to connect from client computers are defined.

hpfp_service_addr specifies the IP address for HpFP service.

hpfp_service_port is the port number of UDP transport for HpFP protocol in the optional setting.

hpfp_sndbuf is the transmission buffer size in the optional setteing. “D” stands for default.

hpfp_rcvbuf is the buffer size for received data by HpFP protocol in the optional setting. “D” stands for default.

hpfp_mss is the MSS for HpFP protocol in the optional setting. “D” stands for default.In “N”, the setting value is determined by the MTU searching using HpFP protocol.

mcd is optional. This options specifies a number of connections provided for each client session on the service. When 1 is set, sessions will work with a single connection. When 2 or more are set, they will do with the number of connections. When you do not specify it, hcpd will determine a value from the number of physical cores, the number of logical cores and the license configuration.

• physical-CPUs + 1 (physical-CPUs \< logical-CPUs and physical-CPUs > 1 under 25 maximum)
• logical-CPUs/2 + 1 (physical-CPUs = logical-CPUs and logical-CPUs/2 > 1 under 25 maximum)
• 1 (Otherwise. For example, the license dose not include this function or physical-CPUs and logical-CPUs do not meet the above conditions)

mcmp is optional. This option specifies whether Windows servers make the above session having multiple connections with multiple port numbers or not (single port). When you set this option to ‘yes’, the servers makes communication of HpFP protocol over other port numbers additional to the port number of it, e.g. a port range of 65520 - 65523 will be used when using the default port of 65520 and having 4 connections in the session. It is useful for cases where the session having multiple connections could not make an expected performance in throughput due to high CPU loads.

acl_name is an optional setting, as in TCP service. It is a name of an access control list (see AccessList) that you would like to set to the HpFP service. When this option is not set or the specified name is not found in access control lists, an unamed access control list will be set to the HpFP service.

--
Example :
HPFPListenAddress 0.0.0.0:10000
--

UDPListenAddress

=========================================================================
Supported OS : Linux.x86 / Windows
Format : UDPListenAddress <hpfp_service_addr>[:<hpfp_service_port>[:<hpfp_udp_port>[:<hpfp_sndbuf>[:<hpfp_rcvbuf>[:<hpfp_mss>[:<mcd>]]]]]][ <acl_name>]
-------------------------------------------------------------------------
hpfp_service_addr
Default : none
Range of Values : IP address
-------------------------------------------------------------------------
hpfp_service_port
Format : <decimal_number>
Default : 884
Range of Values : decimal_number is 1-65535.
-------------------------------------------------------------------------
hpfp_udp_port
Format : ( DEFAULT | D | <decimal_number> )
Default : 65520
Range of Values : decimal_number is 1-65535. D stands for DEFAULT.
-------------------------------------------------------------------------
hpfp_sndbuf
Format : ( DEFAULT | D | <decimal_number>[[(T|G|M|K)]B] )
Default : 100MB
Range of Values : unsigned double-length integer (byte) D stands for DEFAULT.
-------------------------------------------------------------------------
hpfp_rcvbuf
Format : ( DEFAULT | D | <decimal_number>[[(T|G|M|K)]B] )
Default : 200MB
Range of Values : unsigned double-length integer (byte) D stands for DEFAULT.
-------------------------------------------------------------------------
hpfp_mss
Format : ( DEFAULT | D | NONE | N | <decimal_number>[[(T|G|M|K)]B] )
Default : NONE
Range of Values : unsigned integer (byte)D stands for DEFAULT. N stands for NONE.
-------------------------------------------------------------------------
mcd
Default : physical-CPUs + 1, logical-CPUs/2 + 1, 25 or 1
Range of Values : 1 - 65535
-------------------------------------------------------------------------
acl_name
Default : none
Range of Values : name of access control list
=========================================================================

This option is deprecated.

The available HpFP (UDP) services to allow to connect from client computers are defined. This provides a manner of using HpFP services where a service’s port number and a UDP transport’s port number are defined respectively, but not a single UDP transport’s number.

hpfp_service_addr specifies the IP address for HpFP service.

hpfp_service_port is a port number of the HpFP service in the optional setting.

hpfp_udp_port is the port number of UDP transport for HpFP protocol in the optional setting. “D” stands for default.

hpfp_sndbuf is the transmission buffer size in the optional setteing. “D” stands for default.

hpfp_rcvbuf is the buffer size for received data by HpFP protocol in the optional setting. “D” stands for default.

hpfp_mss is the MSS for HpFP protocol in the optional setting. “D” stands for default.In “N”, the setting value is determined by the MTU searching using HpFP protocol.

mcd is optional. This options specifies a number of connections provided for each client session on the service. When 1 is set, sessions will work with a single connection. When 2 or more are set, they will do with the number of connections. When you do not specify it, hcpd will determine a value from the number of physical cores, the number of logical cores and the license configuration.

• physical-CPUs + 1 (physical-CPUs \< logical-CPUs and physical-CPUs > 1 under 25 maximum)
• logical-CPUs/2 + 1 (physical-CPUs = logical-CPUs and logical-CPUs/2 > 1 under 25 maximum)
• 1 (Otherwise. For example, the license dose not include this function or physical-CPUs and logical-CPUs do not meet the above conditions)

acl_name is an optional setting, as in TCP service. It is a name of an access control list (see AccessList) that you would like to set to the HpFP(UDP) service. When this option is not set or the specified name is not found in access control lists, an unamed access control list will be set to the HpFP(UDP) service.

--
Example :
UDPListenAddress 0.0.0.0:1884:10000
--

WSSListenAddress

=========================================================================
Supported OS : Linux.x86 / Windows
Format : WSSListenAddress <wss_service_addr>[:<wss_service_port>[:<wss_opt_name>[:<wss_cs_name>[:<wss_clist_name>[:<wss_privkey_name>[:<wss_cert_name>[:<mcd>[:<use_hcpcm>]]]]]]]][ <acl_name>]
-------------------------------------------------------------------------
wss_service_addr
Default : none
Range of Values : IP address
-------------------------------------------------------------------------
wss_service_port
Default : 443
Range of Values : port number
-------------------------------------------------------------------------
wss_opt_name
Format : ( DEFAULT | D | <opt_name> )
Default : empty string
Range of Values : name of WSSOptions. D stands for DEFAULT.
-------------------------------------------------------------------------
wss_cs_name
Format : ( DEFAULT | D | <cipher_suites_name> )
Default : empty string
Range of Values : name of WSSCipherSuites. D stands for DEFAULT.
-------------------------------------------------------------------------
wss_clist_name
Format : ( DEFAULT | D | <cipher_list_name> )
Default : empty string
Range of Values : name of WSSCipherLlist. D stands for DEFAULT.
-------------------------------------------------------------------------
wss_privkey_name
Format : ( DEFAULT | D | <server_key_file_name> )
Default : empty string
Range of Values : name of ServerKeyFile
-------------------------------------------------------------------------
wss_cert_name
Format : ( DEFAULT | D | <server_cert_file_name> )
Default : empty string
Range of Values : name of ServerCertificateFile
-------------------------------------------------------------------------
mcd
Default : physical-CPUs + 1, logical-CPUs/2 + 1, 25 or 1
Range of Values : 1 - 65535
-------------------------------------------------------------------------
use_hcpcm
Default : no
Range of Values : yes, no
-------------------------------------------------------------------------
acl_name
Default : none
Range of Values : name of access control list
=========================================================================

The available WebSocket services (SSL/TLS) to allow to connect from client computers are defined.

wss_service_addr specifies the IP address for WebSocket service.

wss_service_port is available port for WebSocket service in the optional settings. A port number of 443 will be chosen when you omit this option.

wss_opt_name is optinal. This option specifies a name of WSSOptions. D indicates the default value. When this is the empty string, the WSSOptions that dose not have any name will be chosen.

wss_cs_name is optinal. This option specifies a name of WSSCipherSuites. D indicates the default value. When this is the empty string, the WSSCipherSuites that dose not have any name will be chosen.

wss_clist_name is optinal. This option specifies a name of WSSCipherList. D indicates the default value. When this is the empty string, the WSSCipherList that dose not have any name will be chosen.

wss_privkey_name is optional. This option specifies a name of ServerKeyFile that includes a server key (a private key) for SSL/TLS communication. D indicates the default value. When this is the empty string, the ServerKeyFile that dose not have any names will be chosen.

wss_cert_name is optional. This option specifies a name of ServerCertificateFile that includes a server certificate for SSL/TLS communication. D indicates the default value. When this is the empty string, the ServerCertificateFile that dose not have any names will be chosen.

mcd is optional. This options specifies a number of connections provided for each client session on the service. When 1 is set, sessions will work with a single connection. When 2 or more are set, they will do with the number of connections. When you do not specify it, hcpd will determine a value from the number of physical cores, the number of logical cores and the license configuration.

• physical-CPUs + 1 (physical-CPUs \< logical-CPUs and physical-CPUs > 1 under 25 maximum)
• logical-CPUs/2 + 1 (physical-CPUs = logical-CPUs and logical-CPUs/2 > 1 under 25 maximum)
• 1 (Otherwise. For example, the license dose not include this function or physical-CPUs and logical-CPUs do not meet the above conditions)

use_hcpcm is optional. This option enables encryption on application layer by AcceptableCryptMethod in addtion to SSL/TLS communication. D indicates the default value.

acl_name is an optional setting, as in TCP service. It is a name of an access control list (see AccessList) that you would like to set to the WebSocket services (SSL/TLS). When this option is not set or the specified name is not found in access control lists, an unamed access control list will be set to the WebSocket services (SSL/TLS).

--
Example :
WSSListenAddress 0.0.0.0:8443
--

WSSOptions

=========================================================================
Supported OS : Linux.x86 / Windows
Format : WSSOptions <opt_value>[ <opt_name>]
-------------------------------------------------------------------------
opt_value
Format : ( NONE | <openssl_opt_values> )
Default : NONE
Range of Values : list of SSL/TLS option names defined by OpenSSL
-------------------------------------------------------------------------
opt_name
Default : none
Range of Values : string
=========================================================================

This option specified OpenSSL options that will be used on SSL/TLS communication. Please use names described in the following URL.

https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_options.html
SSL_CTX_set_options

--
Example :
WSSOptions SSL_OP_NO_COMPRESSION:SSL_OP_NO_SSLv3
--

WSSCipherSuites

=========================================================================
Supported OS : Linux.x86 / Windows
Format : WSSCipherSuites <cs_value>[ <cs_name>]
-------------------------------------------------------------------------
cs_value
Format : ( NONE | <openssl_cipher_suite_values> )
Default : NONE
Range of Values : list of Cipher Suites parameters defined by OpenSSL
-------------------------------------------------------------------------
cs_name
Default : none
Range of Values : string
=========================================================================

This options specifie Cipher Suites parameters of OpenSSL that will be used on TLS v1.3 communication. Please use names described in the following URL.

https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
ciphers

Ciphte Suite names defined by "TLS v1.3 cipher suites"

--
Example :
WSSCipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
--

WSSCipherList

=========================================================================
Supported OS : Linux.x86 / Windows
Format : WSSCipherList <clist_value>[ <clist_name>]
-------------------------------------------------------------------------
clist_value
Format : ( NONE | <openssl_cipher_list> )
Default : NONE
Range of Values : Cipher List parameters defined by OpenSSL
-------------------------------------------------------------------------
clist_name
Default : none
Range of Values : string
=========================================================================

This option specifies Cipher List parameters of OpenSSL that will be used on SSL/TLS communication under TLS 1.2. Please use names described in the following URL.

https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
ciphers

Cipher List in a format defined by "CIPHER LIST FORMAT2 and "CIPHER STRINGS".

--
Example :
WSSCipherList RC4-MD5:RC4-SHA:AES128-SHA:AES256-SHA:HIGH:!DSS:!aNULL
--

WSListenAddress

=========================================================================
Supported OS : Linux.x86 / Windows
Format : WSListenAddress <ws_service_addr>[:<ws_service_port>[:<mcd>]][ <acl_name>]
-------------------------------------------------------------------------
ws_service_addr
Default : none
Range of Values : IP address
-------------------------------------------------------------------------
ws_service_port
Default : 80
Range of Values : 1 - 65535
-------------------------------------------------------------------------
mcd
Default : physical-CPUs + 1, logical-CPUs/2 + 1, 25 or 1
Range of Values : 1 - 65535
-------------------------------------------------------------------------
acl_name
Default : none
Range of Values : name of access control list
=========================================================================

The available WebSocket services (no SSL/TLS) to allow to connect from client computers are defined.

ws_service_addr specifies an IP address for the WebSocket service.

ws_service_port specifies a port number of the WebSocket service.

mcd is optional. This options specifies a number of connections provided for each client session on the service. When 1 is set, sessions will work with a single connection. When 2 or more are set, they will do with the number of connections. When you do not specify it, hcpd will determine a value from the number of physical cores, the number of logical cores and the license configuration.

• physical-CPUs + 1 (physical-CPUs \< logical-CPUs and physical-CPUs > 1 under 25 maximum)
• logical-CPUs/2 + 1 (physical-CPUs = logical-CPUs and logical-CPUs/2 > 1 under 25 maximum)
• 1 (Otherwise. For example, the license dose not include this function or physical-CPUs and logical-CPUs do not meet the above conditions)

acl_name is an optional setting, as in TCP service. It is a name of an access control list (see AccessList) that you would like to set to the WebSocket services (no SSL/TLS). When this option is not set or the specified name is not found in access control lists, an unamed access control list will be set to the WebSocket services (no SSL/TLS).

--
Example :
WSListenAddress 0.0.0.0:8080
--

ListenServiceBonding

=========================================================================
Supported OS : Linux / Windows
Format : ListenServiceBonding <service_name>[ ... <service_name>]
-------------------------------------------------------------------------
service_name
Default : none
Range of Values : names of TCPListenAddress, HpFPListenAddress, etc.
=========================================================================

This specifies how hcpd makes bonding of services under multiple connection mode on sessions. Please specifies a name of service or names of services over which you want to make bonding of connections for sessions. You can see the names by -t option.

You can also use this option to make hybrid connections using TCP and HpFP for sessions.

Only one option can be described.

Clients connect to a server in oridinary way specifying the server host name and its port number of TCP or HpFP, etc. After the connection established, clients automatically make a nubmer of new connections with the server up to the limit defined at services counting the first connection.

--
Example :
ListenServiceBonding tcp1 udp1
--

Communication Data Compression Function

HeaderCompress (reserved)

ContentCompress (reserved)

Data Flow Control, Bandwidth Control

MaxTotalReceiveRate

=========================================================================
Supported OS : Linux.x86 / Windows
Format : MaxTotalReceiveRate <bandwidth>
-------------------------------------------------------------------------
bandwidth
Default : 100Gbit
Range of Values : unsigned double-length integer
=========================================================================

The traffic shaping control on the receiving bandwidth for the transport is configured (entire system). This function realizes the bandwidth control between the TCP/HpFP (UDP) layer and the application layer.

--
Example :
MaxTotalReceiveRate 1Gbit
--

This function realizes the bandwidth control between the TCP/HpFP (UDP)/WebSocket layer and the application layer.When the value is over 10Gbps, it is processed as unlimited (without shaping). Other bandwidth shaping options are as well.

MaxTotalSendRate

=========================================================================
Supported OS : Linux.x86 / Windows
Format : MaxTotalSendRate <bandwidth>
-------------------------------------------------------------------------
bandwidth
Default : 100Gbit
Range of Values : unsigned double-length integer
=========================================================================

The traffic shaping control on the sending bandwidth for the transport is configured (entire system). This function realizes the bandwidth control between the TCP/HpFP (UDP) layer and the application layer.

--
Example :
MaxTotalSendRate 1Gbit
--

MaxReceiveRate

=========================================================================
Supported OS : Linux.x86 / Windows
Format : MaxReceiveRate <bandwidth>
-------------------------------------------------------------------------
bandwidth
Default : 100Gbit
Range of Values : unsigned double-length integer
=========================================================================

The traffic shaping control on the receiving bandwidth for the transport by each client session is configured.

--
Example：
MaxReceiveRate 100Mbit
--

MaxSendRate

=========================================================================
Supported OS : Linux.x86 / Windows
Format : MaxSendRate <bandwidth>
-------------------------------------------------------------------------
bandwidth
Default : 100Gbit
Range of Values : unsigned double-length integer
=========================================================================

The traffic shaping control on the sending bandwidth for the transport by each client session is configured.

--
Example：
MaxSendRate 100Mbit
--

MaxConnectionReceiveRate

=========================================================================
Supported OS : Linux.x86 / Windows
Format : MaxConnectionReceiveRate <bandwidth>
-------------------------------------------------------------------------
bandwidth
Default : 100Gbit
Range of Values : unsigned double-length integer
=========================================================================

The traffic shaping control on the receiving bandwidth for the transport by each client session is configured (per connection). This function realizes the bandwidth control between the TCP/HpFP (UDP) layer and the application layer.

--
Example :
MaxConnectionReceiveRate 100Mbit
--

The old name of 'MaxReceiveRatePerConnection' is available.

MaxConnectionSendRate

=========================================================================
Supported OS : Linux.x86 / Windows
Format : MaxConnectionSendRate <bandwidth>
-------------------------------------------------------------------------
bandwidth
Default : 100Gbit
Range of Values : unsigned double-length integer
=========================================================================

The traffic shaping control on the sending bandwidth for the transport by each client session is configured (per connection). This function realizes the bandwidth control between the TCP/HpFP (UDP) layer and the application layer.

--
Example :
MaxConnectionSendRate 100Mbit
--

The old name of 'MaxSendRatePerConnection' is available.

Data Flow Control, File Lock Function

FileLock

=========================================================================
Supported OS : Linux.x86 / Windows
Format : FileLock <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================

In writing /reading files, whether to use the file lock is configured.

When yes is set, hcp acquires a file lock to write to files and read from them. On the Linux platform, this locking mechanism works well among softwares which use the same one since it is advisory lock.

When it is “no”, hcp dose not acuqire the lock to do. This option is usable when some hang-ups occurs on network filesystems like NFS or some errors occurs on acquiring file locks. Please be careful of conflicts on destinations when multiple hcp commands run at one time.

When the lock request is processed properly and in waiting just to acquire the lock,the following log will be recorded (FileLockRetries is 0) or the processing will be stopped by detecting the maximum number of trials (FileLockRetries is more than 0).

2018/07/05 16:34:10 00007f638bd97740:INFO :Acquiring a lock to the file was rejected at the first trial.
2018/07/05 16:34:13 00007f638bd97740:INFO :Acquiring a lock to the file continues to be rejected about few seconds.

The operation is stopped by detecting the attempts have reached to the maximum number (FileLockRetries is over 0).

--
Example :
FileLock yes
--

FileLockTrials

=========================================================================
Supported OS : Linux.x86 / Windows
Format : FileLockTrials <num-trials>
-------------------------------------------------------------------------
num-trials
Default : 0
Range of Values : unsigned integer
=========================================================================

The number of the maximum trials of acquiring the file lock is set. When 0, it is locked until the file lock acquired.

--
Example :
FileLockTrials 5
--

The old name of FileLockRetries is available.

FileLockTrialInterval

=========================================================================
Supported OS : Linux.x86 / Windows
Format : FileLockTrialInterval <trial-interval>
-------------------------------------------------------------------------
trial-interval
Default : 3
Range of Values : unsigned integer
=========================================================================

The interval time to request the file lock is set (sec).

--
Example :
FileLockTrialInterval 10
--

The old name of FileLockRetryInterval is available.

Data Flow Control, Temporary File Save Function (Atomic File Save)

AtomicLikeSaving

=========================================================================
Supported OS : Linux.x86 / Windows
Format : AtomicLikeSaving <flag-available> <temp-file-suffix>[ <temp-file-prefix>]
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
-------------------------------------------------------------------------
temp-file-suffix
Default : .tmp
Range of Values : up to 16 characters, NONE, RANDn
-------------------------------------------------------------------------
temp-file-prefix
Default : NONE
Range of Values : up to 16 characters, NONE, RANDn
=========================================================================

It configures the settings for atomically file saving (two-step file saving by creating a temporary file) when transferring files.

flag-available specifies enabled/disenabled for atomically file saving.

temp-file-suffix specifies the suffix of temporary files created when enabled. When “NONE”, the suffix is not added.

temp-file-prefix specifies the prefix of temporary files created when enabled. When “NONE”, the prefix is not added.

On the Linux versions, the write access right in the final destination is checked before creating temporary files.

With the resume function (-r option), files transferred part of the way are transferred from the beginning.

When RANDn is set, a file name which dose not conflict to existing files will be produced using a random string. The default length of the random string is 6.

AtomicLikeSavingThreshold

=========================================================================
Supported OS : Linux.x86 / Windows
Format : AtomicLikeSavingThreshold <threshold>
-------------------------------------------------------------------------
threshold
Default : 100KB
Range of Values : signed double-length integer
=========================================================================

The file size threshold is set to enable file saving atomically.

This setting does not cover files under the threshold. “0 bytes” means all files are covered.

AtomicLikeSavingRejectOverwriteRequest

=========================================================================
Supported OS : Linux.x86 / Windows
Format : AtomicLikeSavingRejectOverwriteRequest <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
=========================================================================

It configures whether to reject a request (specified by client’s setting) to overwrite temporary files created in atomically saving.

It should be set to “no” to accept overwriting requests when there is no risk of collision of the temporary file name, by checking the application rules on file name, and the prefix/suffix string.

Data Flow Control, Data Buffer Setting

MaxTotalBufferSize

=========================================================================
Supported OS : Linux.x86 / Windows
Format : MaxTotalBufferSize <max-total-buf-size>
-------------------------------------------------------------------------
max-total-buf-size
Default : 4GB
Range of Values : signed double-length integer
=========================================================================

The maximum memory buffer size for file data processing on the hcpd daemon is configured.

--
Example :
MaxTotalBufferSize 8GB
--

MaxBufferSizePerConnection

=========================================================================
Supported OS : Linux.x86 / Windows
Format : MaxBufferSizePerConnection <max-buf-size-per-con>
-------------------------------------------------------------------------
max-buf-size-per-con
Default : 100MB
Range of Values : unsigned double-length integer
=========================================================================

The maximum memory buffer size for file data processing by each client session is configured.

--
Example :
MaxBufferSizePerConnection 512MB
--

TCPServiceSocketSendBuffer

=========================================================================
Supported OS : Linux.x86 / Windows
Format : TCPServiceSocketSendBuffer <snd-buf-size>
-------------------------------------------------------------------------
snd-buf-size
Format : <decimal_number>[[(T|G|M|K)]B]
Default : 0
Range of Values : unsigned double-length integer (byte)
=========================================================================

Specifies a TCP sending buffer size in bytes. 0 indicates no specification of this option.

You need this option to make a performance tuning of TCP on 100G environment. No need to use in ordinary cases.

--
Example :
TCPServiceSocketSendBuffer 128MB
--

UDPServiceExtensionBufferSize

=========================================================================
Supported OS : Linux.x86 / Windows
Format : UDPServiceExtensionBufferSize <ext-buf-size>
-------------------------------------------------------------------------
ext-buf-size
Default : 2GB
Range of Values : unsigned double-length integer (byte)
=========================================================================

The extension buffer size for HpFP (UDP) service is specified.

The size of the buffer for the traffic in the HpFP session is extended up to the specified size (hpfp_sndbuf or hpfp_rcvbuf in UDPListenAddress) by adjusting to coincide with the increase of the latency, packet loss, and the volume of the traffic. The maximum total buffer size to extend is specified by this value.

When “0”, this extension doesn’t work.

The initial buffer size (the buffer size before extended) is 1MB.

--
Example :
UDPServiceExtensionBufferSize 4GB
--

Data Flow Control, Transfer File Size Control

MaxReceiveFileSize

=========================================================================
Supported OS : Linux.x86 / Windows
Format : MaxReceiveFileSize <file-size>
-------------------------------------------------------------------------
file-size
Default : 8EB - 1B (Unlimited. The maximum value of signed double-length integer)
Range of Values : signed double-length integer
=========================================================================

The maximum file size to allow to receive is configured.

--
Example :
MaxReceiveFileSize 1GB
--

MaxSendFileSize

=========================================================================
Supported OS : Linux.x86 / Windows
Format : MaxSendFileSize <file-size>
-------------------------------------------------------------------------
file-size
Default : 8EB - 1B (Unlimited. The maximum value of signed double-length integer)
Range of Values : signed double-length integer
=========================================================================

The maximum file size to allow to send is configured.

--
Example :
MaxSendFileSize 1GB
--

Data Flow Control, Message Data Size Control

InitHeaderBlockSize

=========================================================================
Supported OS : Linux.x86 / Windows
Format : InitHeaderBlockSize <block-size>
-------------------------------------------------------------------------
block-size
Default : 50KB
Range of Values : unsigned double-length integer
=========================================================================

The initial header block size is configured.

--
Example :
InitHeaderBlockSize　10KB
--

The maximum size of the header block including plural massages such as file request is given. This option is applied as soon as the transmission starts.

InitContentBlockSize

=========================================================================
Supported OS : Linux.x86 / Windows
Format : InitContentBlockSize <block-size>
-------------------------------------------------------------------------
block-size
Default : 1MB
Range of Values : unsigned double-length integer
=========================================================================

The initial content block size is configured.

In environments over 10Gbps, when the communication performance hits a peak by making the most of it, changing InitContentBlockSize along with MaxContentBlockSize may reach an even better performance.

--
Example :
InitContentBlockSize　2MB
--

The maximum size of the header block including file data is given. This option is applied as soon as the transmission starts.

MaxHeaderBlockSize

=========================================================================
Supported OS : Linux.x86 / Windows
Format : MaxHeaderBlockSize <block-size>
-------------------------------------------------------------------------
block-size
Default : 50KB
Range of Values : unsigned double-length integer
=========================================================================

The maximum size of the header block to expand is configured.

--
Example :
MaxHeaderBlockSize 100KB
--

Once the transmission starts, the occupied bandwidth is measured and the header block size is changed into the available size.

MaxContentBlockSize

=========================================================================
Supported OS : Linux.x86 / Windows
Format : MaxContentBlockSize <block-size>
-------------------------------------------------------------------------
block-size
Default : 1MB
Range of Values : unsigned double-length integer
=========================================================================

The maximum size of the content block to expand is configured.

In environments over 10Gbps, when the communication performance hits a peak by making the most of it, changing MaxContentBlockSize along with InitContentBlockSize may reach an even better performance.

--
Example :
MaxContentBlockSize 4MB
--

Once the transmission starts, the occupied bandwidth is measured and the content block size is changed into the available size.

MaxRequestFileEntryAtOnce

=========================================================================
Supported OS : Linux.x86 / Windows
Format : MaxRequestFileEntryAtOnce <max-file-req-at-once>
-------------------------------------------------------------------------
max-file-req-at-once
Default : 50
Range of Values : signed integer
=========================================================================

The maximum number of requested files to allow to send simultaneously is configured.

--
Example :
MaxRequestFileEntryAtOnce 1000
--

Data Flow Control, Disk I/O Speed Control

MaxReadRate

=========================================================================
Supported OS : Linux.x86 / Windows
Format : MaxReadRate <read-rate>
-------------------------------------------------------------------------
read-rate
Default : 10Ebit (Unlimited)
Range of Values : unsigned double-length integer (up to 10Ebit)
=========================================================================

This option specifies limitation of reading data from files on file transfer. This will be applied to each session which performs the file transfer. It is recognized as unlimited when the value is the maximum value in bps or over it.

In some environment, long time running of reading and writing might make overheat on SSDs (especially the writing side). So this option is useful for avoiding it.

--
Example :
MaxReadRate 10Gbit
--

The old name of 'MaxReadRatePerConnection' is available.

MaxWriteRate

=========================================================================
Supported OS : Linux.x86 / Windows
Format : MaxWriteRate <write-rate>
-------------------------------------------------------------------------
write-rate
Default : 10Ebit (Unlimited)
Range of Values : unsigned double-length integer (up to 10Ebit)
=========================================================================

This option specifies limitation of writing data to files on file transfer. This will be applied to each session which performs the file transfer. It is recognized as unlimited when the value is the maximum value in bps or over it.

In some environment, long time running of reading and writing might make overheat on SSDs (especially the writing side). So this option is useful for avoiding it.

--
Example :
MaxWriteRate 10Gbit
--

The old name of 'MaxWriteRatePerConnection' is available.

Code Transformation, Communication Encoding Negotiation

TransportCharEncoding

=========================================================================
Supported OS : Linux.x86 / Windows
Format : TransportCharEncoding <encodings>
-------------------------------------------------------------------------
encodings
Format : <encoding>[ ...]
Default : UTF8
-------------------------------------------------------------------------
encoding
Range of Values : US-ASCII, UTF8, UTF16, UTF32
=========================================================================

The string encoding method used in the transport is configured.

--
Example :
TransportCharEncoding UTF8 UTF16 US-ASCII
--

It is applied to strings, such as file paths exchanged between clients. The encoding which is consistent with the one in the client configuration is chosen.

Code Transformation, Host Character Encoding

HostEncoding

=========================================================================
Supported OS : Linux.x86 / Windows
Format : HostEncoding <encoding>
-------------------------------------------------------------------------
encoding
Default :
 UTF-8 (Linux)
 CP932 (Windows)
Range of Values : encoding name supported by system and encoding conversion library (platform-dependent)
=========================================================================

The string encoding method for the host computer is configured.

--
Example :
HostEncoding EUC-JP
--

It is used to translate file paths into inner strings descriptions for the software.

Authentication

LocalPasswordAuthentication

=========================================================================
Supported OS : Linux.x86 / Windows
Format : LocalPasswordAuthentication <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================

LPA(Local Password Authentication) authentication is specified. LPA authentication is enabled by inputting “yes”. If even one authentication is enabled including this authentication method of inputting “yes”, the authentication is always required to access from clients.(Anonymous access prohibited)

--
Example :
LocalPasswordAuthentication yes
--

PAMAuthentication

=========================================================================
Supported OS : Linux.x86
Format : PAMAuthentication <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
=========================================================================

PAM(Pluggable Authenticaton Module) authentication is specified. PAM authentication is enabled by inputting “yes”.

--
Example :
PAMAuthentication no
--

PAM authentication is valid for software distributed in RPM packages for Linux platforms.

PAM authentication depends on the system configuration. The PAM configuration files as below are appropriately configured according to the operating system environment where the service runs.

/etc/pam.d/hcpd

PubkeyAuthentication

=========================================================================
Supported OS : Linux.x86 / Windows
Format : PubkeyAuthentication <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes (Linux.x86), no (Windows)
Range of Values : yes, no
=========================================================================

Public key authentication is specified. It is enabled by inputting “yes”.

--
Example :
PubkeyAuthentication no
--

WinLogonUserAuthentication

=========================================================================
Supported OS : Windows
Format : WinLogonUserAuthentication <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
=========================================================================

Windows authentication is specified. Windows authentication is enabled by inputting “yes”.

--
Example :
WinLogonUserAuthentication no
--

Windows authentication is valid for software distributed in RPM packages for Windows platforms.

In the Windows authentication, the user ID and the password (including the domain name) will be just passed to the system standard API authentication function.

MaxAuthTries

=========================================================================
Supported OS : Linux.x86 / Windows
Format : MaxAuthTries <max-tries>
-------------------------------------------------------------------------
max-tries
Default : 6
Range of Values : signed integer
=========================================================================

This options specifies the number of authentication tries that the server accepts when users connect to it. It will respond a failure of authentication when all tries are not successful up to the number of tries.

If you specify 0 as this option, the server will respond the failure without any authentication tries. And it won't count tries when clients dose not send a request for authentication because of decryption failure of a private key or other reasons.

--
Example：
MaxAuthTries 3
--

PerformSystemAuthenticationRegardlessUsers

=========================================================================
Supported OS : Linux.x86 / Windows
Format : PerformSystemAuthenticationRegardlessUsers <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================

This option specifies wheter hcpd executes the system authentication (PAM or Windows Logon) regardless of the user definitions at /etc/hcp/users.

--
Example :
PerformSystemAuthenticationRegardlessUsers yes
--

AuthorizedKeysSearchDir

=========================================================================
Supported OS : Linux.x86 / Windows
Format : AuthorizedKeysSearchDir <search-dir>
-------------------------------------------------------------------------
search-dir
Default : NONE
Range of Values : path string of file system or NONE
=========================================================================

This option specifies a search directory to find out a user’s public key for public key authentication. Please set NONE if you do not want to perform the search.

--
Example :
AuthorizedKeysSearchDir /etc/hcp/authkeys
--

The file name as below in the specified directory is searched as the file which the public key is stored in.

<user name>.pub

On the Linux platform, some files having writable permission on its Group and Other will be skipped with logging warnings.

The old name of ‘AuthorizedKeySearchDir’ is available.

AuthorizedKeysFile

=========================================================================
Supported OS : Linux.x86 / Windows
Format : AuthorizedKeysFile <file-path>
-------------------------------------------------------------------------
file-path
Default :
 ~/.hcp/authorized_keys (Linux.x86)
 ~/_hcp/authorized_keys (Windows)
Range of Values : file path with a tilde which shows the user directory or NONE
=========================================================================

Specifies the key store file in the user home directory to find the user’s public key for the public key authentication. Please set NONE if you do not want to perform the search.

On the Linux platform, some files having writable permission on its Group and Other will be skipped with logging warnings.

TOKENS of %%, %h, %U and %u is available defined under the following sshd_config.

https://man7.org/linux/man-pages/man5/sshd_config.5.html
TOKENS - AuthorizedKeysFile

Multiple entries are available separated with whitespaces or describing two or more configuration entries.

AuthorizedKeysFile ~/.ssh/my_authorized_keys2 ~/.hcp/my_authorized_keys2

AuthorizedKeysFile ~/.ssh/my_authorized_keys3
AuthorizedKeysFile ~/.hcp/my_authorized_keys3

The old name of ‘AuthorizedKeyFile’ is available.

AuthorizedKeysCommand

=========================================================================
Supported OS : Linux.x86
Format : AuthorizedKeysCommand <cmd-path>
-------------------------------------------------------------------------
cmd-path
Default : none
Range of Values : command (or script) path to search for user's public keys
=========================================================================

Specifies the path of command (or script) to find the user’s public key for the public key authentication. A username will be given to the command as the first argument. If you enable this configuration, hcpd requires AuthorizedKeysCommandUser.

--
Example :
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
--

TOKENS of %%, %h, %U and %u is available defined under the following sshd_config.

https://man7.org/linux/man-pages/man5/sshd_config.5.html
TOKENS - AuthorizedKeysCommand

AuthorizedKeysCommandUser

=========================================================================
Supported OS : Linux.x86
Format : AuthorizedKeysCommandUser <username>
-------------------------------------------------------------------------
username
Default : none
Range of Values : user name that runs the command to search for user's public keys
=========================================================================

Specifies the user name that runs the command, specified by AuthorizedKeysCommand, to find the user’s public key.

--
Example：
AuthorizedKeysCommandUser nobody
--

In general, it is recommended to use a user that works only for finding the public key and dose not have any other role on the system.

https://man7.org/linux/man-pages/man5/sshd_config.5.html
AuthorizedKeysCommandUser

CACertificateFile

=========================================================================
Supported OS : Linux.x86 / Windows
Format : CACertificateFile <file-path>
-------------------------------------------------------------------------
file-path
Default :
 /etc/hcp/cacert.pem (Linux.x86)
 C:/ProgramData/Clealink/HCP Tools/cacert.pem (Windows)
Range of Values : path string of file system
=========================================================================

The file path of the CA certificate for the client authentication is specified.

--
Example :
CACertificateFile /etc/hcp/cacert.pem
--

The certificate in the PEM format is supported.

CACertificatePath (reserved)

=========================================================================
Supported OS : Linux.x86 / Windows
Format : CACertificatePath <dir-path>
-------------------------------------------------------------------------
dir-path
Default :
 /etc/ssl (Linux.x86)
 C:/ProgramData/Clealink/HCP Tools/ssl (Windows)
Range of Values : path string of file system
=========================================================================

p. The directory path of the CA certificate for the server certificate is specified.

--
Example :
CACertificatePath /etc/ssl
--

The certificate in the PEM format is supported.

CARevocationFile

=========================================================================
Supported OS : Linux.x86 / Windows
Format : CARevocationFile <file-path>
-------------------------------------------------------------------------
file-path
Default :
 /etc/hcp/crl.pem (Linux.x86)
 C:/ProgramData/Clealink/HCP Tools/crl.pem (Windows)
Range of Values : path string of file system 
=========================================================================

The file where CRL for client authentication is stored is configured.

--
Example :
CARevocationFile /etc/hcp/crl.pem
--

The certification revocation list (CRL) in the PEM format is supported.

CARevocationPath (reserved)

=========================================================================
Supported OS : Linux.x86 / Windows
Format : CARevocationPath <dir-path>
-------------------------------------------------------------------------
dir-path
Default :
 /etc/ssl (Linux.x86)
 C:/ProgramData/Clealink/HCP Tools/ssl (Windows)
Range of Values : path string of file system
=========================================================================

the directory where CRL for client authentication is stored is configured.

--
Example :
CARevocationPath /etc/ssl
--

The certification revocation list (CRL) in the PEM format is supported.

OCSPRevocationEnabled

=========================================================================
Supported OS : Linux.x86 / Windows
Format : OCSPRevocationEnabled <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
=========================================================================

OCSP (Online Certificate Status Protocol) for client authentication is configured. It is enabled by inputting “yes”.

--
Example :
OCSPRevocationEnabled no
--

LocalUserFile

=========================================================================
Supported OS : Linux.x86 / Windows
Format : LocalUserFile <file-path>[ <usage>]
-------------------------------------------------------------------------
file-path
Default :
 /etc/hcp/users (Linux.x86)
 C:/ProgramData/Clealink/HCP Tools/users (Windows)
Range of Values : path string of file system
-------------------------------------------------------------------------
usage
Default : overwrite
Range of Values : overwrite, define
=========================================================================

The file which defines the user information is configured.

file-path specifies a path of the file.

usage specifies how to use the file from the following options.

• overwrite
• define

When overwrite is set, the file will be used to overwrite how to authenticate users.

When define is set, hcpd recognizes users described in the file are available to login. So it rejects users who are not described in the file.

--
Example :
LocalUserFile /etc/hcp/users define
--

LocalPasswordFile

=========================================================================
Supported OS : Linux.x86 / Windows
Format : LocalPasswordFile <file-path>
-------------------------------------------------------------------------
file-path
Default :
 /etc/hcp/passwd (Linux.x86)
 C:/ProgramData/Clealink/HCP Tools/passwd (Windows)
Range of Values : path string of file system
=========================================================================

The file which defines the user credentials (password hash) used in LPA authentication is configured.

--
Example :
LocalPasswordFile /etc/hcp/passwd
--

AllowUsers

=========================================================================
Supported OS : Linux.x86
Format : AllowUsers [<username-pattern>...]
-------------------------------------------------------------------------
username-pattern
Format : <name-pattern>[@<host-pattern>]
-------------------------------------------------------------------------
name-pattern
Default : none
Range of Values : string including wildcards ('*' or '?')
-------------------------------------------------------------------------
host-pattern
Default : none
Range of Values : CIDR form network address string
=========================================================================

This option specifies a name pattern of system users who are accepted to login (multiple specification is available).

username-pattern specifies a user name pattern and a CIDR form network address as option.

name-pattern specifies a pattern string representing user names. You can use a wildcard ‘*’ representing any strings and another wildcard ‘?’ representing any one character. When a user name input by a user matches with this pattern, hcpd accepts the login trial and performs authentication.

host-pattern specifies a CIDR form network address string. When the option is set, hcpd accepts the login trial if the name-pattern matches with the input user name and the network address includes the peer address of clients.

If hcpd confirms a pattern meets the above conditions, it terminates evaluation of patters and accepts the login trial. When DenyUsers is also configured, the evaluation will be performed in the order from DenyUsers to AllowUsers. If no patterns meet the conditions when AllowUsers or AllowGroups are set, hcpd rejects the login trial.

The following configurations will be disabled whem this option is set.

• PrivilegeSeparationMinimumUID
• PrivilegeSeparationMinimumGID

--
Example :
AllowUsers seg1-*@192.168.0.0/24
--

AllowGroups

=========================================================================
Supported OS : Linux.x86
Format : AllowGroups [<groupname-pattern>...]
-------------------------------------------------------------------------
groupname-pattern
Default : none
Range of Values : string including wildcards ('*' or '?')
=========================================================================

This option specifies a name pattern of system groups who are accepted to login (multiple specification is available).

groupname-pattern specifies a pattern string representing group names. You can use a wildcard ‘*’ representing any strings and another wildcard ‘?’ representing any one character. When a primary group or supplemental groups the user belongs to matches with this pattern, hcpd accepts the login trial and performs authentication.

If hcpd confirms a pattern meets the above conditions, it terminates evaluation of patters and accepts the login trial. When DenyGroups is also configured, the evaluation will be performed in the order from DenyGroups to AllowGroups. If no patterns meet the conditions when AllowUsers or AllowGroups are set, hcpd rejects the login trial.

The following configurations will be disabled whem this option is set.

• PrivilegeSeparationMinimumUID
• PrivilegeSeparationMinimumGID

--
Example :
AllowGroups seg1-users
--

DenyUsers

=========================================================================
Supported OS : Linux.x86
Format : DenyUsers [<username-pattern>...]
-------------------------------------------------------------------------
username-pattern
Format : <name-pattern>[@<host-pattern>]
-------------------------------------------------------------------------
name-pattern
Default : none
Range of Values : string including wildcards ('*' or '?')
-------------------------------------------------------------------------
host-pattern
Default : none
Range of Values : CIDR form network address string
=========================================================================

This option specifies a name pattern of system users who are rejected to login (multiple specification is available).

username-pattern specifies a user name pattern and a CIDR form network address as option.

name-pattern specifies a pattern string representing user names. You can use a wildcard ‘*’ representing any strings and another wildcard ‘?’ representing any one character. When a user name input by a user matches with this pattern, hcpd rejects the login trial and performs authentication.

host-pattern specifies a CIDR form network address string. When the option is set, hcpd rejects the login trial if the name-pattern matches with the input user name and the network address includes the peer address of clients.

When AllowUsers is also configured, the evaluation will be performed in the order from DenyUsers to AllowUsers. If a pattern meets the conditions, hcpd rejects the login trial without evaluating the remaining patterns.

The following configurations will be disabled whem this option is set.

• PrivilegeSeparationMinimumUID
• PrivilegeSeparationMinimumGID

--
Example :
DenyUsers seg1-*@192.168.0.0/24
--

DenyGroups

=========================================================================
Supported OS : Linux.x86
Format : DenyGroups [<groupname-pattern>...]
-------------------------------------------------------------------------
groupname-pattern
Default : none
Range of Values : string including wildcards ('*' or '?')
=========================================================================

This option specifies a name pattern of system groups who are rejected to login (multiple specification is available).

groupname-pattern specifies a pattern string representing group names. You can use a wildcard ‘*’ representing any strings and another wildcard ‘?’ representing any one character. When a primary group or supplemental groups the user belongs to matches with this pattern, hcpd rejects the login trial and performs authentication.

When AllowGroups is also configured, the evaluation will be performed in the order from DenyGroups to AllowGroups. If a pattern meets the conditions, hcpd rejects the login trial without evaluating the remaining patterns.

The following configurations will be disabled whem this option is set.

• PrivilegeSeparationMinimumUID
• PrivilegeSeparationMinimumGID

--
Example :
DenyGroups guest-users
--

Encryption

AcceptableCryptMethod

=========================================================================
Supported OS : Linux.x86 / Windows
Format : AcceptableCryptMethod <method-names>
-------------------------------------------------------------------------
method-names
Format : <method-name>[ ...]
Default : AES256/GCM AES256/CTR/VMAC AES256/CBC AES128/CBC
-------------------------------------------------------------------------
method-name
Range of Values : PLAIN, AES128/CBC, AES192/CBC, AES256/CBC, AES128/CBC/HMAC,
AES192/CBC/HMAC, AES256/CBC/HMAC, AES128/CBC/VMAC, AES192/CBC/VMAC,
AES256/CBC/VMAC, AES128/CBC/VMAC64, AES192/CBC/VMAC64, AES256/CBC/VMAC64,
AES128/CTR/HMAC, AES192/CTR/HMAC, AES256/CTR/HMAC, AES128/CTR/VMAC,
AES192/CTR/VMAC, AES256/CTR/VMAC, AES128/CTR/VMAC64, AES192/CTR/VMAC64,
AES256/CTR/VMAC64, AES128/GCM, AES192/GCM, AES256/GCM
=========================================================================

The cryptographic algorithm is configured.

When specified AES128/CBC, it is interpreted as AES128/CBC/HMAC.(They are the same algorithm. AES192/CBC and AES256/CBC are as well.)

When communicating with a host with versions that do not support the new algorithms, such as CTR/GCM mode and VMAC mode, these new algorithms that don’t match the other host are ignored in the connection negotiation. However, still, the communications don’t go to errors.

CTR/VMAC or GCM are recommended on network over 1Gbps, e.g. AES256/GCM, AES256/CTR/VMAC. Encrypted communication using CBC or HMAC, e.g. AES256/CTR/HMAC, AES256/CBC/HMAC, might make a bottle neck in performance on network over 1Gbps generally. VMAC64 checks data integrity with 64 bit, less than 128 bit in VMAC mode, which leads to better performance but less secured data integrity.

--
Example :
AcceptableCryptMethod AES256/CBC PLAIN
--

It is used to encrypt the messages communicated with a client. The algorithm is chosen to match the client configuration.

AcceptableDigestMethod

=========================================================================
Supported OS : Linux.x86 / Windows
Format : AcceptableDigestMethod <method-names>
-------------------------------------------------------------------------
method-names
Format : <method-name>[ ...]
Default : XXH3 SHA256 SHA160
-------------------------------------------------------------------------
method-name
Range of Values : NONE, SHA160, SHA224, SHA256, SHA384, SHA512, MD5, MM32, MM128,
XXH3, XXH128, XXH64, XXH32
=========================================================================

The digest algorithm for data communication and verification of transferred files is configured.

--
Example :
AcceptableDigestMethod SHA256 SHA160 NONE
--

It is used to verify the messages, files, and data blocks communicated between clients. The algorithm which is consistent with the one in the client configuration is chosen.

In the case of encryption communications using HMAC like AES256/CBC/HMAC, the algorithms (MD5, MM32, MM128, XXH3, XXH128, XXH64, XXH32) other than the security digest algorithms are regarded as nothing configured.

MM32 and MM128 are discarded (, but its definition is kept for configuration compatibility). Please use XXH3 instead.

RequireDataIntegrityChecking

=========================================================================
Supported OS : Linux.x86 / Windows
Format : RequireDataIntegrityChecking <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
=========================================================================

When encrypted communication between server and clients, whether the server requests to check the integrity of communicating data (Data integrity test) by MAC (Message Authentication Code) is set.

When “no”, in the case that clients request not to check the data, accept the request and keep communicating.

When “yes”, reject the request.

“yes” (default) is recommended. This commnad is used to improve the performance in encrypted communication. Please be aware of the risk that the communicating data is not supposed to be check when elected “no.”

--
Example :
RequireDataIntegrityChecking no
--

Security Negotiation by Encryption Communications

UseServerCertificateSecurity

=========================================================================
Supported OS : Linux.x86 / Windows
Format : UseServerCertificateSecurity <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
=========================================================================

The server certificate security function is available. When “yes” is set, secured communications based on the PKI technology between clients are provided by the server certification specified in ServerCertificateFile or the public key resolved by the ServerKeyFile path.

--
Example :
UseServerCertificateSecurity no
--

RequireServerCertificateSecurity

=========================================================================
Supported OS : Linux.x86 / Windows
Format : RequireServerCertificateSecurity <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
=========================================================================

Security communications for clients by server certification security function is available. When “yes” is set and the client requests the communication without this function (plain communicaion), the connection is denied.

--
Example :
RequireServerCertificateSecurity no
--

ServerKeyFile

=========================================================================
Supported OS : Linux.x86 / Windows
Format : ServerKeyFile <file-path>[ <serv-key-name>]
-------------------------------------------------------------------------
file-path
Default :
  /etc/hcp/key/server.key (Linux.x86)
  C:/ProgramData/Clealink/HCP Tools/key/server.key (Windows)
Range of Values : path string of file system
-------------------------------------------------------------------------
serv-key-name
Default : none
Range of Values : string
=========================================================================

The server private key path used in server certification security function is specified. When the public key exists in the private key path with the suffix “pub”, secured communications are provided by using this pair of keys, not by the setting of ServerCertificateFile.

server-key-name is optional. This option sets a name to the key. WSSListenAddress services use the name to refer to the key.

--
Example :
ServerKeyFile /etc/hcp/key/server.key
ServerKeyFile /etc/hcp/key/server.wss.key wss-key
--

When client users accesse to the server for the first time, the following question is asked to make sure that the public key is registered as known_hosts.

A secure connection for host 127.0.0.1 can't be established.
RSA key fingerprint is SHA256: 0fzb9DY4qxXWPm/L/4cBKKK+FQ9577NIRYxRquZ6eWA=.
Are you sure you want to continue connecting [yes/no] ?

By inputting “yes”, the key is supposed to be registered as a registered host in the path. In the case of the same public key of the same host, this procedure is skipped from next time.

<userhomedirectory>/.hcp/known_hosts (Linux)
<userhomedirectory>/_hcp/known_hosts (Windows)

ServerCertificateFile

=========================================================================
Supported OS : Linux.x86 / Windows
Format : ServerCertificateFile <file-path>[ <serv-cert-name>]
-------------------------------------------------------------------------
file-path
Default :
 /etc/hcp/cert/server.crt (Linux.x86)
 C:/ProgramData/Clealink/HCP Tools/cert/server.crt (Windows)
Range of Values : path string of file system
-------------------------------------------------------------------------
serv-cert-name
Default : none
Range of Values : string
=========================================================================

the server certificate path is specified.

serv-cert-name is optional. This option sets a name to the certificate. WSSListenAddress use the name to refer to the certificate.

If you need intermedate certificates, please place certificates into the file in the order from the server certificate to the intermediate one.

--
Example :
ServerCertificateFile /etc/hcp/cert/server.crt
ServerCertificateFile /etc/hcp/cert/server.wss.crt wss-cert
--

ServerCertificateChainFile

=========================================================================
Supported OS : Linux.x86 / Windows
Format : ServerCertificateChainFile <file-path>
-------------------------------------------------------------------------
file-path
Default :
 /etc/hcp/cert/chain.crt (Linux.x86)
 C:/ProgramData/Clealink/HCP Tools/cert/chain.crt (Windows)
Range of Values : path string of file system
=========================================================================

Multiple intermediate certificates in the server certificate path are specified.Intermediate certificates are sent to clients in the order they are stored in the fil after sending the server certificate.

--
Example :
ServerCertificateChainFile /etc/hcp/cert/chain.crt
--

Access Control

UserDirectoryFallbackAvailable

=========================================================================
Supported OS : Linux.x86 / Windows
Format : UserDirectoryFallbackAvailable <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================

Whether to allow the fallbacks of the user home directory and the working directory is configured. When the home directory recognized as the registered authentication doesn’t exist, whether to move backward to the directory described in the root document is specified. This option is invalid (no) in software version 1.1.0 and later on the client.

--
Example :
UserDirectoryFallbackAvailable yes
--

RejectOnUserHomeDirectoryNotFound

=========================================================================
Supported OS : Linux.x86 / Windows
Format : RejectOnUserHomeDirectoryNotFound <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================

When the user home directory can’t be found, whether to reject is set. This option is set to enable (yes) on the software before Ver.1.2.0.

--
Example :
RejectOnUserHomeDirectoryNotFound yes
--

WinLogonUserNoRestrictedAccess

=========================================================================
Supported OS : Windows
Format : WinLogonUserNoRestrictedAccess <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================

This options switches how to make user’s access on Windows servers with restricted access rights (without elevation of privilege) or not.

When you set ‘yes’ on this option, the servers might apply elevated privileges to users belonging to the ‘Administrators’ group.

It is useful to avoid errors of accessing files or other resources due to access rights problem when users belonging to that group meet such errors. Please keep ‘no’ for this option normaly.

--
Example :
WinLogonUserNoRestrictedAccess yes
--

Access Control, Privilege Separation

UsePrivilegeSeparation

=========================================================================
Supported OS : Linux.x86 / Windows
Format : UsePrivilegeSeparation <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
=========================================================================

The privilege separation for the client sessions is configured. In “yes”, processing in the sessions is executed in a process different from the server standby process. In the divided processes, the user identification information (UID/GID and supplemental groups) based on the authentication result is set as user’s access rights. If you want to change the specification of UID/GID from the default, please add an entry to /etc/hcp/users to overwrite it.

--
Example :
UsePrivilegeSeparation no
--

Supplemental groups can be applied up to 1000 groups. When they are over the number of groups, supplemental groups will be ignored (only UID and primary group GID applied). When the privilege separation is disabled, the processes on client sessions are operated following execution rights of each service.

On the Windows services, when authentication is performed by LPA or public key authentication rather than Windows logon authentication, client sessions works in the service’s access rights (privilege separation will not applied to them).

PrivilegeSeparationMinimumUID

=========================================================================
Supported OS : Linux.x86
Format : PrivilegeSeparationMinimumUID <min-uid>
-------------------------------------------------------------------------
min-uid
Default : 0
Range of Values : unsigned integer
=========================================================================

The minimum value of UID in which sessions can be executed in privilege separation enabled is configured, which is useful to control executions by users who has special rights.

This option will be disabled when the following options are configured.

• AllowUsers
• AllowGroups
• DenyUsers
• DenyGroups

--
Example :
PrivilegeSeparationMinimumUID 1000
--

PrivilegeSeparationMinimumGID

=========================================================================
Supported OS : Linux.x86
Format : PrivilegeSeparationMinimumGID <min-gid>
-------------------------------------------------------------------------
min-gid
Default : 0
Range of Values : unsigned integer
=========================================================================

The minimum value of GID in which sessions can be executed in privilege separation enabled is configured, which is useful to control executions by users who has special rights.

This option will be disabled when the following options are configured.

• AllowUsers
• AllowGroups
• DenyUsers
• DenyGroups

--
Example :
PrivilegeSeparationMinimumGID 1000
--

PrivilegeSeparationUser

=========================================================================
Supported OS : Linux.x86 / Windows
Format : PrivilegeSeparationUser <username>
-------------------------------------------------------------------------
username
Default : none
Range of Values : user names in the system
=========================================================================

In privilege separation working, the specified user’s identification information will be applied when hcpd cannot determine any user’s access rights to apply.

When user name isn’t specified, a user name (nobody or everyone) depend on the platform is used.

--
Example :
PrivilegeSeparationUser nobody
--

PrivilegeSeparationUmask

=========================================================================
Supported OS : Linux.x86 / Windows
Format : PrivilegeSeparationUmask <umask_val>[ <dir_umask_val>]
-------------------------------------------------------------------------
umask_val
Default : 0022
Range of Values : from 0000 to 0777 in octal values
-------------------------------------------------------------------------
dir_umask_val
Default : none
Range of Values : from 0000 to 0777 in octal values
- dir_umask_val is experimantal.
=========================================================================

This option specifies a umask value applied to processes executing different from the server stanby process on privilege separation.

umask_val specifies a umask value to apply. When dir_umask_val is not set, this value will be applied to both files and directories in the process.

dir_umask_val specifies a umask value to apply for directories. When this option is set, umask_val will be applied to files and dir_umask_val will be applied to directories. A common value of umask (umask_val & dir_umask_val) will be applied to the process and differenct from the common value will be applied respectively by HCP on creating files and directories. Please be careful of application of unexpected umask to files and directories which are not handled by HCP (so, this option is experimental).

If you want to set umask each user, please edit /etc/hcp/users.

--
Example :
PrivilegeSeparationUmask 0002
--

PrivilegeSeparationUmaskAnonymous

=========================================================================
Supported OS : Linux.x86 / Windows
Format : PrivilegeSeparationUmaskAnonymous <umask_val>[ <dir_umask_val>]
-------------------------------------------------------------------------
umask_val
Default : 0002
Range of Values : from 0000 to 0777 in octal values
-------------------------------------------------------------------------
dir_umask_val
Default : none
Range of Values : from 0000 to 0777 in octal values
- dir_umask_val is experimental.
=========================================================================

This option specifies a umask value applied to processes executing in anonymous different from the server stanby process on privilege separation.

umask_val specifies a umask value to apply. When dir_umask_val is not set, this value will be applied to both files and directories in the process.

dir_umask_val specifies a umask value to apply for directories. When this option is set, umask_val will be applied to files and dir_umask_val will be applied to directories. A common value of umask (umask_val & dir_umask_val) will be applied to the process and differenct from the common value will be applied respectively by HCP on creating files and directories. Please be careful of application of unexpected umask to files and directories which are not handled by HCP (so, this option is experimental).

--
Example :
PrivilegeSeparationUmaskAnonymous 0022
--

ApplyUserPermission

=========================================================================
Supported OS : Linux.x86
Format : ApplyUserPermission <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
=========================================================================

When privilege separation isn’t used, whether to use the authenticated user identification information (UID/GID) is applied for the file permission to the destination is configured.

--
Example :
ApplyUserPermission yes
--

NoSupplementalGroupInPrivilegeSeparation

=========================================================================
Supported OS : Linux.x86
Format : NoSupplementalGroupInPrivilegeSeparation <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================

This option disables supplemental groups on the privilege separation.

--
Example :
NoSupplementalGroupInPrivilegeSeparation yes
--

Access Control, ACL（Access Control List）Function

AccessList

=========================================================================
Supported OS : Linux.x86 / Windows
Format : AccessList <acl_name>
-------------------------------------------------------------------------
acl_name
Default : none
Range of Values : characters
=========================================================================

The access control list is defined.

acl_name is an optional setting. The access control list is specified.

--
Example :
AccessList acl1
--

When acl_name is not used, it is treated as the unnamed access control list. Only one unnamed access control list can be defined.

Allow

=========================================================================
Supported OS : Linux.x86 / Windows
Format : Allow (<ip_addr> <net_mask>|any)[ <hpfp_cong_mode_modifier>]
-------------------------------------------------------------------------
ip_addr
Default : none
Range of Values : IP address
-------------------------------------------------------------------------
net_mask
Default : none
Range of Values : subnet mask
-------------------------------------------------------------------------
hpfp_cong_mode_modifier
Format : <modifier>[...]
 modifier := (+|-)(M|S|A)[...]
Default : none
=========================================================================

The access permission on the access control list is defined.

ip_addr is IP address.

net_mask is net mask.

“any” means all network.

hpfp_cong_mode_modifier specifys the overwriting of the HpFP congestion control mode.

In the HpFP congestion control mode, M, S, and A stands for MODEST, FAIR_FAST_START, and AGGRESSIVE respectively.

“+” means enabling the HpFP congestion control mode which is described after “+”, when the connection which matches with one of this allowed access list is received.

“-” means canceling the HpFP congestion control mode which is described after “-”.

--
Example :
    Allow 192.168.1.0 255.255.255.0 -A+M
--

When the input network includes the client IP address, it is allowed to be accessed.

Deny

=========================================================================
Supported OS : Linux.x86 / Windows
Format : Deny (<ip_addr> <net_mask>|any)
-------------------------------------------------------------------------
ip_addr
Default : none
Range of Values : IP address
-------------------------------------------------------------------------
net_mask
Default : none
Range of Values : subnet mask
=========================================================================

Denying to access is defined in the access control list.

--
Example :
    Deny 192.168.1.0 255.255.255.0
--

When the input network includes the client IP address, it is denied to be accessed.

Access Control, Admission Control

MaxTotalConnection

=========================================================================
Supported OS : Linux.x86 / Windows
Format : MaxTotalConnection <max-total-con>
-------------------------------------------------------------------------
max-total-con
Default : 150
Range of Values : signed integer
=========================================================================

The maximum number of connections is configured.

--
Example :
MaxTotalConnection 5
--

MaxTcpConnection

=========================================================================
Supported OS : Linux.x86 / Windows
Format : MaxTcpConnection <max-tcp-con>
-------------------------------------------------------------------------
max-tcp-con
Default : 50
Range of Values : signed integer
=========================================================================

The maximum number of TCP connections is configured.

--
Example :
MaxTcpConnection 5
--

MaxUdpConnection

=========================================================================
Supported OS : Linux.x86 / Windows
Format : MaxUdpConnection <max-udp-con>
-------------------------------------------------------------------------
max-udp-con
Default : 50
Range of Values : signed integer
=========================================================================

The maximum number of HpFP (UDP) connections is configured.

--
Example :
MaxUdpConnection 5
--

MaxWsConnection

=========================================================================
Supported OS : Linux.x86 / Windows
Format : MaxWsConnection <max-ws-con>
-------------------------------------------------------------------------
max-ws-con
Default : 50
Range of Values : signed integer
=========================================================================

The maximum number of WebSocket connections is configured.

--
Example :
MaxWsConnection 5
--

MaxConnectionPerUser

=========================================================================
Supported OS : Linux.x86 / Windows
Format : MaxConnectionPerUser <max-con-per-user>
-------------------------------------------------------------------------
max-con-per-user
Default : 50
Range of Values : signed integer
=========================================================================

The maximum number of connections by each user is configured.

--
Example :
MaxConnectionPerUser 1
--

MaxConnectionPerSec

=========================================================================
Supported OS : Linux.x86 / Windows
Format : MaxConnectionPerSec <max-con-per-sec>
-------------------------------------------------------------------------
max-con-per-sec
Default : 50
Range of Values : signed integer
=========================================================================

The maximum number of connections per second is configured.

--
Example :
MaxConnectionPerSec 10
--

Access Control, Document Point

DocPoint

=========================================================================
Supported OS : Linux.x86 / Windows
Format : DocPoint <doc_point_name>
-------------------------------------------------------------------------
doc_point_name
Default : none
Range of Values : characters
=========================================================================

This option specifies an area on the file system of the server to provide available accesses to clients under a directory and its children. It includes some configurations to set write and read permission.

doc_point_name shows the name of this document point.

When the user home directory can’t be found, this document point is used as the home directory.

--
Example :
DocPoint /home
    DocPath /home
    PermitAccessRead yes
    PermitAccessWrite yes
    PermitAccessOverwrite yes
    PermitAccessDelete yes
DocPointEnd
--

DocPath, PermitAccessRead, PermitAccessWrite, PermitAccessOverwrite, PermitAccessDelete

When you configure two or more DocPoints, list the descriptions like the following example.

--
Example :
DocPoint /home
    ......
DocPointEnd

DocPoint /dev
    ......
DocPointEnd
--

DocPath

=========================================================================
Supported OS : Linux.x86 / Windows
Format : DocPath <doc_path>
-------------------------------------------------------------------------
doc_path
Default : none
Range of Values : path string of file system
=========================================================================

The directory path for the document point is specified.

--
Example :
    DocPath /home
--

The access to the files and directories is permitted by this directory path.

HomeIsolation

=========================================================================
Supported OS : Linux.x86 / Windows
Format : HomeIsolation <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================

User's home isolation is set on a document point.

--
Example：
    HomeIsolation yes
--

When you specify this option to 'yes' and the path of this document point includes a path of the user home directory, access validation will be performed to the path of user home (home isolation), but not the path of this document point.

PermitAccessRead

=========================================================================
Supported OS : Linux.x86 / Windows
Format : PermitAccessRead <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================

The permission to read the files in the document point is set.

--
Example :
    PermitAccessRead yes
--

When “no” is set, the files in the document point are prohibited to read. For example, it makes reading errors of files on file transfer.

PermitAccessWrite

=========================================================================
Supported OS : Linux.x86 / Windows
Format : PermitAccessWrite <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================

The permission to write the files in the document point is set.

--
Example :
    PermitAccessWrite yes
--

When “no” is set, the files in the document point are prohibited to write. For example, it makes writing errors of files on file transfer.

PermitAccessOverwrite

=========================================================================
Supported OS : Linux.x86 / Windows
Format : PermitAccessOverwrite <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================

The permission to overwrite the files in the document point is set.

--
Example :
    PermitAccessOverwrite yes
--

When “no” is set, the files in the document point are prohibited to overwrite. For example, it makes errors on overwriting to files which already exist.

PermitAccessDelete

=========================================================================
Supported OS : Linux.x86 / Windows
Format : PermitAccessDelete <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================

The permission to delete the files in the document point is set.

--
Example :
    PermitAccessDelete yes
--

When “no” is set, the files in the document point are prohibited to delete.

PermitAccessRandomRead (reserved)

=========================================================================
Supported OS : Linux.x86 / Windows
Format : PermitAccessRandomRead <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================

The permission for the random read access in the document point is set.

--
Example :
    PermitAccessRandomRead yes
--

PermitAccessRandomWrite (reserved)

=========================================================================
Supported OS : Linux.x86 / Windows
Format : PermitAccessRandomWrite <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================

The permission for the random write access in the document point is set.

--
Example :
    PermitAccessRandomRead yes
--

Various Monitoring, Timeout Control

TransportTimeout

=========================================================================
Supported OS : Linux.x86 / Windows
Format : TransportTimeout <timeout>
-------------------------------------------------------------------------
timeout
Default : 180
Range of Values : unsigned integer
=========================================================================

The timeout in seconds of the transport is set. When communication data including Keep-Alive data is unreached in the specified time on a session, it will end closing its connections as it is supposed to be unavailable to continue communication.

0 indicates disabling the timeout.

--
Example :
TransportTimeout 60
--

IdleTimeout

=========================================================================
Supported OS : Linux.x86 / Windows
Format : IdleTimeout <timeout>
-------------------------------------------------------------------------
timeout
Default : 0 (no timeout)
Range of Values : unsigned integer
=========================================================================

The timeout in seconds of the idle time for a session is set. When operations (command basis execution) in connection to the server is not taken place for the specified time, the connection from the server is closed. It is applied when users operate simultaneously from remote by the terminal function (provided by API library), where user can input plural commands.

0 indicates disabling the timeout.

--
Example :
IdleTimeout 180 
--

Performance Evaluation

DiskBenchmarkPreAllocation

=========================================================================
Supported OS : Linux.x86
Format : DiskBenchmarkPreAllocation <how-to-pre-alloc>
-------------------------------------------------------------------------
how-to-pre-alloc
Default : none 
Range of Values : none, native, posix
=========================================================================

This option specifies how to make pre-allcation of sotrage in some disk writing benchmarks performed by the run-host-benchmark option.

‘none’ disables the pre-allocation on the benchmarks.

‘native’ indicates making the pre-allocation by the platform dependent function, e.g., fallocate function on Linux.

‘posix’ indicates making the pre-allocation by the POSIX function as the posix_fallocate function.

This option will be used when peforming benchmarks of Async I/O. Writing performance with the pre-allocation might be better than one without.

--
Example：
DiskBenchmarkPreAllocation native
--

DiskBenchmarkPreAllocationSize

=========================================================================
Supported OS : Linux.x86
Format : DiskBenchmarkPreAllocationSize <pre-allocation-size>
-------------------------------------------------------------------------
pre-allocation-size
Default : 0 
Range of Values : signed double-length integer
=========================================================================

This option specifies a unit size in bytes for the pre-allocation of sotrage described above.

When 0 or negative values are specified, the pre-allocation will be performed in a file size to write each benchmarks (one time allocation).

--
Example：
DiskBenchmarkPreAllocationSize 1GB
--

DiskBenchmarkDirectAlignmentSize

=========================================================================
Supported OS : Linux.x86
Format : DiskBenchmarkDirectAlignmentSize <alignment-size>
-------------------------------------------------------------------------
alignment-size
Default : 0 
Range of Values : unsigned double-length integer
=========================================================================

This option specified an alignment size in memory for writing and reading buffers used for some disk benchmarks with Direct I/O performed by the run-host-benchmark option.

Specification of 0 incidates to detect the size by querying to the system and use its result.

--
Example：
DiskBenchmarkDirectAlignmentSize 8KB
--

DiskBenchmarkAsyncNoWait (Reserved)

DiskBenchmarkAsyncMaxEvents

=========================================================================
Supported OS : Linux.x86
Format : DiskBenchmarkAsyncMaxEvents <num-max-events>
-------------------------------------------------------------------------
num-max-events
Default : 16 
Range of Values : signed integer
=========================================================================

This option specifies a maximum number of events processed at once in some disk benchmarks with Asynchronous I/O performed by the run-host-benchmark option.

For example, when a result of writing performance is under an expected one with striped storages, the result might be improved increasing the maximum number.

--
Example：
DiskBenchmarkAsyncMaxEvents 32
--

DiskBenchmarkAsyncMaxGetEvents

=========================================================================
Supported OS : Linux.x86
Format : DiskBenchmarkAsyncMaxGetEvents <num-max-get-events>
-------------------------------------------------------------------------
num-max-get-events
Default : 1 
Range of Values : signed integer
=========================================================================

This option specified a maximum number of events to take its results at once in the benchmarks with Asynchronous I/O performed by the run-host-benchmark option.

It is used for observing changes of performance characteristics increasing the number of results being taken at once.

--
Example：
DiskBenchmarkAsyncMaxGetEvents 4
--

DiskBenchmarkAsyncRequestPoolSize

=========================================================================
Supported OS : Linux.x86
Format : DiskBenchmarkAsyncRequestPoolSize <pool-size>
-------------------------------------------------------------------------
pool-size
Default : 32 
Range of Values : unsigned integer
=========================================================================

This option specifies a size of a pool holding user buffers as I/O requests in some disk benchmarks with Asynchronous I/O performed by the run-host-benchmark option.

--
Example：
DiskBenchmarkAsyncRequestPoolSize 64
--

DeepDiskBenchmarkFileSize

=========================================================================
Supported OS : Linux.x86
Format : DeepDiskBenchmarkFileSize <file-size>
-------------------------------------------------------------------------
file-size
Default : 16GB 
Range of Values : signed double-length integer
=========================================================================

This option specifies a file size used in some additional disk benchmarks performed by the run-host-benchmark option.

--
Example：
DeepDiskBenchmarkFileSize 32GB
--

DeepDiskBenchmarkFreeSpaceRequired

=========================================================================
Supported OS : Linux.x86
Format : DeepDiskBenchmarkFreeSpaceRequired <free-space-size>
-------------------------------------------------------------------------
free-space-size
Default : 32GB 
Range of Values : unsigned double-length integer
=========================================================================

This option specifies a disk free space required in some additional disk benchmarks performed by the run-host-benchmark option.

--
Example：
DeepDiskBenchmarkFreeSpaceRequired 64GB
--

DeepDiskBenchmarkBlockSizes

=========================================================================
Supported OS : Linux.x86
Format : DeepDiskBenchmarkBlockSizes <block-size-set-desc>
-------------------------------------------------------------------------
block-size-set-desc
Default : 16KB 32KB 64KB 128KB 256KB　512KB 1MB 2MB
Range of Values : a set of block sizes separated with white spaces
=========================================================================

This option specifies a set of block sizes used in some additional disk benchmarks performed by the run-host-benchmark option.

--
Example：
DeepDiskBenchmarkBlockSizes 64KB 256KB 512KB 1MB
--

MemoryTransferConcurrency

=========================================================================
Supported OS : Linux.x86 / Windows
Format : MemoryTransferConcurrency <num-concur> <wait-type> <busy-sleep-nsec>
-------------------------------------------------------------------------
num-concur
Default : auto (smaller value of physical-CPUs/2 or 16) 
Range of Values : unsigned integer
-------------------------------------------------------------------------
wait-type
Default : cond
Range of Values : cond, busy
-------------------------------------------------------------------------
busy-sleep-nsec
Default : 1
Range of Values : unsigned integer
=========================================================================

When you use -n option on the hcp command which starts the command on memory-to-memory transfer mode, this option configures how to copy memory data of file payloads in concurrent way at the sender side.

num-concur specifies a number of concurrent copies. 1 indicates the standar memory copy by memcpy without concurrency.

wait-type specifies a waiting method on memory copy threads in its idling state. cond is to perform a conditinal wait on that idling state and busy is to perform a busy wait on it. When busy is set, CPU usage might be up to a multiplication of the number of CPUs and 100%.

busy-sleep-nsec specifies a waiting time in nano seconds on the busy wait.

This options is defined for a performance tuning to remove performance limitation by a single threaded memory copy on 100Gbps network environment.

--
Example :
MemoryTransferConcurrency 1 cond 1 # To disable
MemoryTransferConcurrency 12 busy 1 # Busy wait, 4 concurrent and wait in 1 nano seconds
--

Log Management

SyslogOption

=========================================================================
Supported OS : Linux.x86 / Windows
Format : SyslogOption <syslog-options>
-------------------------------------------------------------------------
syslog-options
Format : syslog-option[ ...]
Default : CONS PID
-------------------------------------------------------------------------
syslog-option
Range of Values : CONS, NDELAY, NOWAIT, ODELAY, PERROR, PID
=========================================================================

Syslog option (or options) are configured.

Each option is available for syslog option with prefix “LOG_”.

--
Example :
SyslogOption PID
--

SyslogFacility

=========================================================================
Supported OS : Linux.x86 / Windows
Format : SyslogFacility <syslog-facility>
-------------------------------------------------------------------------
syslog-facility
Default : DAEMON
Range of Values : AUTH, CRON, DAEMON, FTP, LOCAL0 - LOCAL7, LPR, MAIL, NEWS, USER, UUCP
=========================================================================

Syslog facility is set.

Each facility is available for syslog facility with prefix “LOG_”.

--
Example :
SyslogFacility FTP
--

SystemLog

=========================================================================
Supported OS : Linux.x86 / Windows
Format : SystemLog <log-level>[ <flag-available>][ <log-rotation-conf>][ <log-path>]
-------------------------------------------------------------------------
log-level
Default : INFO
Range of Values : EMERG, ALERT, CRIT, ERR, WARNING, INFO, DEBUG
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
-------------------------------------------------------------------------
log-rotation-conf
Format : ( FileSize <file-size> <backups> | DatePattern <date-pattern> )
-------------------------------------------------------------------------
file-size
Default : none
Range of Values : signed double-length integer
-------------------------------------------------------------------------
backups
Default : none
Range of Values : unsigned integer
-------------------------------------------------------------------------
date-pattern
Default : none
Range of Values : yyyy-MM, yyyy-MM-dd, yyyy-MM-dd-HH, yyyy-MM-dd-HH-mm
-------------------------------------------------------------------------
log-path
Default : /var/log/hcpd.log
Range of Values : path string of file system
=========================================================================

System log settings

log-level is set.

When “yes” in flag-available, logs are output.

log-rotation-conf specifies on log rotation. When this option is not specified, log rotations don’t take place. When FileSize is set, log rotations take place setting the file-size to the threshold. When DatePattern is set, log rotations take place based on the date.

file-size specifies the threshold of the file size in bytes.

backups specifies the maximum number of generations for log rotation to store when FileSize is set.

date-pattern specifies the pattern of the log rotation based on the date.

When FileSize is set, the number of the generations is supposed to be added as the suffix to the pathname of the log files as follows during log rotation.

<specified path> // the path of the log currently being written
<specified path>.1
<specified path>.2
...
<specified path>.n // "n" is the number set in backups

When the number of the log rotations exceeds the number specified in “backups”, the exceeded generation’s files are deleted.

When DatePattern is specified, the time and date are supposed to be added as the suffix to the pathname of the log files, following the specified pattern during log rotation.

// in the case of yyyy-MM-dd
<specified path> // the path of the log currently being written
<specified path>.2019-12-10 // the log for 2019/12/10
<specified path>.2019-12-09
...
<specified path>.2019-11-30
...

Log rotation takes place based on the unit of the specified pattern. In the month unit case, a log file records throughout that month, starting at 0:00 on the first day of that month and ending at right before 0:00 on the first day of the following month.

Example :
from 2019/11/01 00:00:00 to 2019/12/01 00:00:00
(It doesn't include 2019/12/01 00:00:00)

In the minute unit, a log file records throughout the minute, from 0 seconds in that minute to right before 0 seconds in the following minute.

Example :
from 2019/11/01 10:30:00 to 2019/11/01 10:31:00
(It doesn't include 2019/11/01 10:31:00)

After the specified duration, the log writing request triggers the log to rotate before the log writing. The log file is renamed by adding a suffix of that duration.

// yyyy-MM-dd-HH-mm rotation case
2019/12/10 00:00 the server starts
2019/12/10 00:05 the server stops
2019/12/10 00:07 the server restarts
...
--
<specified path>
<specified path>.2019-12-10-00-11
<specified path>.2019-12-10-00-10 // No record from 00:09 to 00:10
<specified path>.2019-12-10-00-08
<specified path>.2019-12-10-00-07 // recorded from the server-restart
<specified path>.2019-12-10-00-05 // recorded until the server-stop in 00:05 (In restarting, the log rotation is judged based on the update time of the log file.)
...
<specified path>.2019-12-10-00-00

The server using the privilege separation rotates logs periodically (about each 128 ms). Therefore the log content which should be in the following file may be output in the current file, because rotations may be delayed due to this 128 ms delay.

log-path specifies the log path. When specified together with the command parameter “-l”, the command parameter is effective.

--
Example1 :
SystemLog WARNING FileSize 10MB 10
Example2 :
SystemLog WARNING DatePattern yyyy-MM-dd
Example3 :
SystemLog WARNING // the same as SystemLogLevel
--

SystemLogLevel

=========================================================================
Supported OS : Linux.x86 / Windows
Format : SystemLogLevel <log-level>
-------------------------------------------------------------------------
log-level
Default : INFO
Range of Values : EMERG, ALERT, CRIT, ERR, WARNING, INFO, DEBUG
=========================================================================

The system log level is set, which does not affect any syslog functions.

When you describe SystemLog, this option override the log level.

--
Example :
SystemLogLevel WARNING
--

ApplicationStatLog

=========================================================================
Supported OS : Linux.x86 / Windows
Format : ApplicationStatLog <flag-available>[ <log-rotation-conf>]
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
-------------------------------------------------------------------------
log-rotation-conf
Format : ( FileSize <file-size> <backups> | DatePattern <date-pattern> )
-------------------------------------------------------------------------
file-size
Default : none
Range of Values : signed double-length integer
-------------------------------------------------------------------------
backups
Default : none
Range of Values : unsigned integer
-------------------------------------------------------------------------
date-pattern
Default : none
Range of Values : yyyy-MM, yyyy-MM-dd, yyyy-MM-dd-HH, yyyy-MM-dd-HH-mm
=========================================================================

The configuration on the application statistics is set.

When “yes” in “flag-available”, the application statistics information is output.

log-rotation-conf specifies the rotation rule. It works in the same way as the rotation behavior set in “SystemLog”. However, unlike the “SystemLog” logs don’t rotate periodically when using the privilege separation.

Based on the paths specified in “FileSize” and “DatePatternas” as each criterion, the rotations are carried out as below.

// FileSize cases
<specified path>.application
<specified path>.application.1
<specified path>.application.2
...
<specified path>.application.n
// DatePattern cases
<specified path>.application
<specified path>.application.2019-12-10
<specified path>.application.2019-12-09
...

The header of the statistics information is not included in rotated files.

--
Example1 :
ApplicationStatLog no
Example2 :
ApplicationStatLog yes FileSize 10MB 10
Example3 :
ApplicationStatLog yes DatePattern yyyy-MM-dd
--

TransportStatLog

=========================================================================
Supported OS : Linux.x86 / Windows
Format : TransportStatLog <flag-available>[ <log-rotation-conf>]
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
-------------------------------------------------------------------------
log-rotation-conf
Format : ( FileSize <file-size> <backups> | DatePattern <date-pattern> )
-------------------------------------------------------------------------
file-size
Default : none
Range of Values : signed double-length integer
-------------------------------------------------------------------------
backups
Default : none
Range of Values : unsigned integer
-------------------------------------------------------------------------
date-pattern
Default : none
Range of Values : yyyy-MM, yyyy-MM-dd, yyyy-MM-dd-HH, yyyy-MM-dd-HH-mm
=========================================================================

The configuration on the transport statistics is set.

When “yes” in flag-available, the transport statistics data is output.

log-rotation-conf specifies the rotation rule. It works in the same way as the rotation behavior set in “SystemLog”. When using the privilege separation, logs rotate periodically.

Based on the paths specified in “FileSize” and “DatePatternas” as each criterion, the rotations are carried out as below.

// FileSize cases
<specified path>.transport.tcp.service_<service number>.<service port number>.thread_<thread number>
<specified path>.transport.tcp.service_<service number>.<service port number>.thread_<thread number>.1
<specified path>.transport.tcp.service_<service number>.<service port number>.thread_<thread number>.2
...
<specified path>.transport.tcp.service_<service number>.<service port number>.thread_<thread number>.n
// DatePattern cases
<specified path>.transport.tcp.service_<service number>.<service port number>.thread_<thread number>
<specified path>.transport.tcp.service_<service number>.<service port number>.thread_<thread number>.2019-12-10
<specified path>.transport.tcp.service_<service number>.<service port number>.thread_<thread number>.2019-12-09
...

The header of the statistics information is not included in rotated files.

--
Example1 :
TransportStatLog yes
Example2 :
TransportStatLog yes FileSize 10MB 10
Example3 :
TransportStatLog yes DatePattern yyyy-MM-dd
--

SystemStatLog

=========================================================================
Supported OS : Linux.x86 / Windows
Format : SystemStatLog <flag-available>[ <log-rotation-conf>]
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
-------------------------------------------------------------------------
log-rotation-conf
Format : ( FileSize <file-size> <backups> | DatePattern <date-pattern> )
-------------------------------------------------------------------------
file-size
Default : none
Range of Values : signed double-length integer
-------------------------------------------------------------------------
backups
Default : none
Range of Values : unsigned integer
-------------------------------------------------------------------------
date-pattern
Default : none
Range of Values : yyyy-MM, yyyy-MM-dd, yyyy-MM-dd-HH, yyyy-MM-dd-HH-mm
=========================================================================

The configuration on the system statistics is set.

When “yes” in flag-available, the system statistics data is output.

log-rotation-conf specifies the rotation rule. It works in the same way as the rotation behavior set in “SystemLog”. However, unlike the “SystemLog” logs don’t rotate periodically when using the privilege separation.

Based on the paths specified in “FileSize” and “DatePatternas” as each criterion, the rotations are carried out as below.

// FileSize cases
<specified path>.system
<specified path>.system.1
<specified path>.system.2
...
<specified path>.system.n
// DatePattern cases
<specified path>.system
<specified path>.system.2019-12-10
<specified path>.system.2019-12-09
...

The header of the statistics information is not included in rotated files.

--
Example1 :
SystemStatLog yes
Example2 :
SystemStatLog yes FileSize 10MB 10
Example3 :
SystemStatLog yes DatePattern yyyy-MM-dd
--

FileOperationLog

=========================================================================
Supported OS : Linux.x86 / Windows
Format : FileOperationLog <flag-available>[ <log-rotation-conf>][ <log-path>]
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
-------------------------------------------------------------------------
log-rotation-conf
Format : ( FileSize <file-size> <backups> | DatePattern <date-pattern> )
-------------------------------------------------------------------------
file-size
Default : none
Range of Values : signed double-length integer
-------------------------------------------------------------------------
backups
Default : none
Range of Values : unsigned integer
-------------------------------------------------------------------------
date-pattern
Default : none
Range of Values : yyyy-MM, yyyy-MM-dd, yyyy-MM-dd-HH, yyyy-MM-dd-HH-mm
-------------------------------------------------------------------------
log-path
Default : none
Range of Values : path string of file system
=========================================================================

The configuration on the file operation logging is set.

When “yes” in flag-available, the file operation logs are output.

log-rotation-conf specifies the rotation rule. It works in the same way as the rotation behavior set in “SystemLog”. When using the privilege separation, logs rotate periodically.

Based on the paths specified in “FileSize” and “DatePatternas” as each criterion, the rotations are carried out as below.

// FileSize cases
<log path>
<log path>.1
<log path>.2
...
<log path>.n
// DatePattern cases
<log path>
<log path>.2019-12-10
<log path>.2019-12-09
...

The header of the statistics information is not included in rotated files.

log-path specifies a path of a file to which you want to output file operation logs. When it is not set, the following value will be used.

/var/log/hcpd.file.operation.log (Linux.x86)
C:/ProgramData/Clealink/HCP Tools/hcpd.file.operation.log (Windows)

The file operation logs include the following I/O processing records.

• Finish of reading a file
• Finish of writing a file
• Remove a file (including removing by synchronization)
• Creation of a directory
• Rename a file
• Creation of a hard link
• Creation of a symbolic link
• List files

And the following records will be produced as records including acknowledgements by the application (HCP).

• Completion of a file upload
• Completion of a file download
• Completion of synchronization of files
• Completion of removing a file
• Completion of creating a directory
• Completion of renaming a file
• Completion of creating a hard link
• Completion of creating a symbolic link

The records include the following fields in common.

• Date and time
• Peer IP address and port number
• User name

Paths of files are recorded in the specification of each operation.

The format of the logs is in the following specification.

=========================================================================
Format:
yyyy/mm/dd HH:MM:SS.<usec> <remote-ip> <username> <hcp-operation-name>[ <sub-operation-label>] <path>...
yyyy/mm/dd HH:MM:SS.<usec> <remote-ip> <username> <file-io-operation-name>\[<hcp-operation-name>\] <path>...
-------------------------------------------------------------------------
usec
Range of Values : micro seconds (000000 - 999999)
-------------------------------------------------------------------------
remote-ip
Range of Values : peer IP address and port number
-------------------------------------------------------------------------
username
Range of Values : User name and authentication method
-------------------------------------------------------------------------
hcp-operation-name
Range of Values : FT, FS, FR, LR, DC, FM, FL
-------------------------------------------------------------------------
sub-operation-label
Range of Values : U, D, H, S
-------------------------------------------------------------------------
file-io-operation-name
Range of Values : FileRead, FileWritten, FileDeleted, DirectoryCreated,
 FileRenamed, LinkCreated, SymbolicLinkCreated, ListFilesRawFormat
=========================================================================

hcp-operation-name indicates a type of the following applications.

• FT (File transfer)
• FS (Delete file on file synchronization)
• FR (File remove)
• LR (List files. Output of ls or dir)
• DC (Directory creation)
• FM (File move)
• FL (Link creation)

sub-operation-label indicates a sub type of some applications.

• U (Upload. Used in FT)
• D (Download. Used in FT)
• H (Hard link creation. Used in FL)
• S (Symbolic link creation. Used in FL)

file-io-operation-name indicates a type of the following file I/O operations.

• FileRead (Finish of reading a file)
• FileWritten (Finish of wrting a file)
• FileDeleted (Finish of removing a file)
• DirectoryCreated (Finish of creating a directory)
• FileRenamed (Finish of renaming a file)
• LinkCreated (Finish of creating a hard link)
• SymbolicLinkCreated (Finish of creating a symbolic link)
• ListFilesRawFormat (To run ls or dir)

--
Output example:
2020/01/31 10:34:52.277120 127.0.0.1:51660 user[PAM] FileWritten[FT] /home/user/file_nodiskio_0
2020/01/31 10:34:52.277175 127.0.0.1:51660 user[PAM] FT U /home/user/file_nodiskio_0
2020/01/31 10:35:14.946750 127.0.0.1:51662 user[PAM] FileRead[FT] /home/user/file_nodiskio_0
2020/01/31 10:35:15.002770 127.0.0.1:51662 user[PAM] FT D /home/user/file_nodiskio_0
2020/01/31 10:35:30.002700 127.0.0.1:51662 user[PAM] FS /home/user/dir_sync/stat.log
2020/01/31 10:35:30.013558 127.0.0.1:51664 user[PAM] FileDeleted[FS] /home/user/dir_sync/stat.log
2020/01/31 10:35:47.713558 127.0.0.1:51664 user[PAM] FileDeleted[FR] /home/user/stat.3.log
2020/01/31 10:35:47.765413 127.0.0.1:51664 user[PAM] FR /home/user/stat.3.log
2020/01/31 10:38:45.686206 127.0.0.1:51670 user[PAM] DirectoryCreated[DC] /home/user/hmkdir13
2020/01/31 10:38:45.789370 127.0.0.1:51670 user[PAM] DC /home/user/hmkdir13
2020/01/31 10:39:22.411968 127.0.0.1:51674 user[PAM] FileRenamed[FM] /home/user/stat.log /home/user/stat2.log
2020/01/31 10:39:22.463710 127.0.0.1:51674 user[PAM] FM /home/user/stat.log /home/user/stat2.log
2020/01/31 10:40:00.087660 127.0.0.1:51678 user[PAM] SymbolicLinkCreated[FL] /home/user/stat2.log /home/user/stat.log
2020/01/31 10:40:00.165831 127.0.0.1:51678 user[PAM] FL S /home/user/stat2.log /home/user/stat.log
2020/01/31 10:40:13.693415 127.0.0.1:51680 user[PAM] LinkCreated[FL] /home/user/stat2.log /home/user/stat.h.log
2020/01/31 10:40:13.746160 127.0.0.1:51680 user[PAM] FL H /home/user/stat2.log /home/user/stat.h.log
2020/02/06 13:54:21.282066 127.0.0.1:50186 user[PAM] ListFilesRawFormat[LR] /home/user/hmkdir4
2020/02/06 13:54:21.282104 127.0.0.1:50186 user[PAM] ListFilesRawFormat[LR] /home/user/hmkdir5
--

--
Example1 :
FileOperationLog yes
Example2 :
FileOperationLog yes FileSize 10MB 10
Example3 :
FileOperationLog yes DatePattern yyyy-MM-dd
Example4 :
FileOperationLog yes FileSize 10MB 10 /var/tmp/hcpd.file.operation.log
--

StatLogPerUserInPrivilegeSeparation

=========================================================================
Supported OS : Linux.x86 / Windows
Format : StatLogPerUserInPrivilegeSeparation <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================

In the case of the privilege separation, whether to record the statistics log for each user, is chosen.

--
Example :
StatLogPerUserInPrivilegeSeparation yes
--

ApplicationStatLogSecurityEx

=========================================================================
Supported OS : Linux.x86 / Windows
Format : ApplicationStatLogSecurityEx <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
=========================================================================

Whether to output the detailed information on the security in the application statistics log is set.

--
Example :
ApplicationStatLogSecurityEx no
--

System Operating Environment Settings, CPU Thread Control

MaxConcurrentThread

=========================================================================
Supported OS : Linux.x86
Format : MaxConcurrentThread <max-threads>
-------------------------------------------------------------------------
max-threads
Default : 0
Range of Values : signed integer
=========================================================================

The maximum number of threads is configured.

System Operating Environment Settings, Application Linked Function

CallbackScript

=========================================================================
Supported OS : Linux.x86
Format : CallbackScript <flag-available>[ <script-path>[ <data-store-path>]]
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
-------------------------------------------------------------------------
script-path
Default : none
Range of Values : path string of file system
-------------------------------------------------------------------------
data-store-path
Default : none
Range of Values : path string of file system
=========================================================================

This option specifies a script (or a binary program) to run after application runs.

flag-available enables this option. ‘yes’ means calling the script.

script-path specifies a path of the script. When a tilde(~) is described at the head, it will be expanded to the home directory of a user who runs the application.

data-store-path specifies a path of saving data given at the run-time of the script which is information of parameters or a result of application running. When a tilde(~) is described at the head, it will be expanded to the home directory of a user who runs the application.

After all of processing on each application running is finished, hcpd runs the following command line.

=========================================================================
Command format : <script-path> <exit-code> <start-date-and-time> <end-date-and-time> <remote-ip> <username> <hcp-operation-name> <param-saved-path> <output-saved-path>
-------------------------------------------------------------------------
script-path
Range of Values : path string of file system (already expanded of tilde)
-------------------------------------------------------------------------
exit-code
Range of Values : exit code
-------------------------------------------------------------------------
start-date-and-time
Range of Values : date and time in the format of YYYY/MM/DD hh:mm:ss
-------------------------------------------------------------------------
end-date-and-time
Range of Values : date and time in the format of YYYY/MM/DD hh:mm:ss
-------------------------------------------------------------------------
remote-ip
Range of Values : peer IP address and port number
-------------------------------------------------------------------------
username
Range of Values : user name and authentication method
-------------------------------------------------------------------------
hcp-operation-name
Range of Values : hcp, hrm, hcp-ls, hmkdir, hpwd, hmv, hln, transfer, remove,
 listraw, mkd, pwd, move, link, cwd
-------------------------------------------------------------------------
param-saved-path
Range of Values : path string of file system
-------------------------------------------------------------------------
output-saved-path
Range of Values : path string of file system
=========================================================================

script-path is a script path on hcpd.conf with expanding tilde(~).

exit-code is a reason code representing a result that application runs. The reason code is identical to a reason code recorded in the application statistics.

start-date-and-time is a date and time that application starts.

end-date-and-time is a date and time that application finishes.

hcp-operation-name indicates a type of the following applications (or operations of API).

• hcp (File transfer command)
• hrm (File removing command)
• hcp-ls (File listing command)
• hmkdir (Directory creation command)
• hpwd (Working directory printing command)
• hmv (File moving command)
• hln (Link creation command)
• transfer (API file transfer operation)
• remove (API file removing operation)
• listraw (API file listing operation)
• mkd (API directory creation operation)
• pwd (API working directory printing operation)
• move (API file moving operation)
• link (API link creation operation)

param-saved-path is a path of a file where information of input parameters is saved. The file includes options of the operation and path information from running result records (.hcp.out) the server recognizes.

--
Output example:
[user@localhost ~]$ cat .hcp/callback/hcp.cb.20200206_152252_468.13521.param
OPT copy_mode ALLCOPY
OPT overwrite_mode FORCE
OPT fail_action_mode HALT
OPT preserve_permission no
OPT recursive yes
OPT any_dirs no
OPT regex no
OPT verify_payload no
OPT copy_symlink no
OPT follow_symlink no
OPT no_copy_empty_file no
OPT no_copy_empty_dir no
OPT no_copy_dot_file no
OPT no_copy_dot_dir no
OPT copy_hidden no
OPT check_archive no
OPT resuming no
OPT no_app_io yes num_files 1 file_size 1024
OPT no_sess_io no
SRC /home/user
--

output-saved-path is a path of a file where a running result is saved. The file includes records representing a running result of each file.

--
Output example:
[user@localhost ~]$ cat .hcp/callback/hcp.cb.20200206_152252_468.13521.out 
OK 0000 FT 00000001 /home/user/file_nodiskio_0
--

--
Example :
CallbackScript yes /var/tmp/hcp_callback.sh /var/tmp/hcp_callback
--

CallbackScriptHomeIsolation

=========================================================================
Supported OS : Linux.x86
Format : CallbackScriptHomeIsolation <flag-available>[ <logical-opt>]
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
-------------------------------------------------------------------------
logical-opt
Default : none
Range of Values : logical
=========================================================================

This option prevents callback scripts out of user home directory from being called.

When logical-opt is set to 'logical', the validation of being out of it will be performed by a logical path (a path without dereference for symbolic links).

--
Example :
CallbackScriptHomeIsolation yes logical
--

CallbackScriptNoSymbolicLink

=========================================================================
Supported OS : Linux.x86
Format : CallbackScriptNoSymbolicLink <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================

This option prevents callback scripts as symbolic links from being called.

--
Example :
CallbackScriptNoSymbolicLink yes
--

Others

EnsureDestinationInFileTransfer

=========================================================================
Supported OS : Linux.x86 / Windows
Format : EnsureDestinationInFileTransfer <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
=========================================================================

When the destination directory doesn’t exist during file transfers, how to control the file transfer, whether a new directory is created is set. This option is fixed to “no” from the software version 1.1.0.

 --
Example :
EnsureDestinationInFileTransfer no
--