15. Connectivity and Authentication
All connections and authentication are handled in the Data Gateway Proxy/Secure component, which sits in the DMZ. Security standards are enforced in the Proxy layer: file scanning, validation based on IP address, file type restrictions and so on are performed in the Proxy. The Proxy sends the request to the Data Gateway API, which internally coordinates with the Data Gateway Server component to perform the operations.
15.1 Scenario: File Transfer through File Client, where Partner Connects to Your Server
Create an SFTP Partner Connect to Hub Endpoint from the Endpoint menu.
Once the partner is onboarded, the partner can connect to the Data Gateway through the proxy using any client application such as WinSCP or FileZilla, providing the proxy host name, the proxy port, the partner ID as the username, and the password.
In the File Transfer client, provide the Data Gateway host, the port, and the username and password that were used during the Endpoint setup, and connect.

Traverse to the drop directory and drop the file.

The file will be routed to the appropriate cloud storage.

The partner can pull the files from the pickup directories, when the files are available in the appropriate cloud buckets.

Connect to the File Transfer client and traverse to the pickup directory. You will be able to see the file which was available in the cloud storage.

Once the files are downloaded, they are moved to non-current versions in the cloud storage until the archive period specified in the Endpoint expires, after which they are removed.
The file activity (Pull from Hub) can be viewed in File Transaction Search.

15.2 Scenario: File Transfer through File Client, where You connect to Partner’s Remote Server
Onboard a partner with type Hub Connect to Partner by providing the required data.
The connection is established based on the specified polling interval.
Example: If the polling interval is 2 minutes, a connection with the remote partner server is established every 2 minutes, and any files in the pickup directories are picked up and moved to the respective cloud storage. This is considered a Pull from Partner.
In the other direction, when a file is available in the cloud bucket to be sent to the Partner’s Remote Server, it is sent immediately based on the cloud event trigger configuration. This is considered a Push to Partner.
Partner remote server has files in the pickup directory:

When the schedulers run at the polling interval, the files are moved to cloud storage and are deleted from the partner’s remote server if delete after collection is turned on.

This file activity can be viewed in the File Transaction Search.
In the other direction, if the hub drops a file in the cloud storage drop directories, the file will be pushed to the partner’s remote server.


Once the files are pushed to the remote server, they are deleted from the cloud storage.
This file activity can be viewed in File Transaction Search.
15.3 Push-Push Scenario
Onboard a partner with type Push-Push. In this scenario the hub can push a file to the partner’s remote server and the partner can also push a file to the hub. It is the combination of Push to Gateway and Push to Partner.
Create an Endpoint with Push-Push configurations.
In the Push to Partner tab, provide the details of the remote server to which the files need to be sent.
Push to Partner:
Drop files in the Drop Directory in Cloud Storage. The files are picked up and moved to the Drop Directory of the Partner’s remote server.

Partners can connect to Data Gateway Proxy using the details provided.




15.4 Scenario: File Transfer through AS2, push to partner and push to gateway
Create an AS2 Organization, AS2 Endpoint with the trading partner’s AS2 server details (URL, certificates, security settings), and AS2 Relationship from the Endpoint menu.
Once the partner is onboarded, the trading partner must configure their AS2 system with your Data Gateway proxy AS2 URL, your organization’s AS2 identifier, and your public certificates.
Drop a file in your cloud storage pickup directory configured in the AS2 Relationship.
The Data Gateway AS2 polling mechanism automatically detects the file, processes it as per configuration, and sends the AS2 message to the trading partner’s configured AS2 receiving URL.
The file will be routed to the trading partner’s AS2 system, where it is decrypted, verified, and stored in their inbound directory.
The trading partner can send files to your Data Gateway by dropping files in their outbound directory configured in their AS2 relationship.
Their AS2 system processes it and sends the AS2 message to the Data Gateway proxy AS2 receiving URL.
The Data Gateway receives the AS2 message, decrypts and verifies it, and stores the file in your cloud storage drop directory configured in the AS2 Relationship.
The file activity (both sending and receiving) can be viewed in File Transaction Search.
15.5 IP Allowlist and Session Rate Limiting
IP allowlisting and session rate limiting are two security features in Data Gateway that restrict access from unauthorized IP addresses and prevent the creation of more sessions than allowed.
15.5.1 IP allowlisting
The IP allowlisting feature in Data Gateway provides an additional layer of security by restricting access to the gateway based on a predefined list of allowed IP addresses. This ensures that only trusted and verified sources can connect to Data Gateway, significantly reducing the risk of unauthorized access.
Key Features
1. Access Control: Only IP addresses included in the IP range can establish a connection to Data Gateway; all other IPs are blocked.
2. Flexibility: Administrators can easily add, remove, or update IP addresses in the allowlist through the user interface.
3. Logging and Monitoring: All access attempts, both successful and unsuccessful, are logged in File Transaction Search for monitoring purposes.
The IP allowlisting and session rate limiting features apply to the Partner Connect to Hub scenario and the Push-Push scenario (only Push to Gateway).
To allow an IP address or a range of IP addresses, provide comma-separated IP values, a range of IP values, a CIDR-based IP range, or a combination of these in the IP Range field while onboarding the partner.
Example values for IP whitelist fields:
• Comma separated: 192.168.0.33, 192.168.0.36, 192.168.0.37
• Range of IP: 192.168.0.33- 192.168.0.33
• CIDR based IP range: 192.168.1.0/24 (allows a range of IP 192.168.1.0 – 192.168.1.255)
• Combination: 192.168.0.33, 192.168.0.36, 192.168.1.0/24, 192.168.0.33- 192.168.0.33

When a session is opened from a non-allowed IP address, the session is terminated and the user cannot connect to the Data Gateway server.
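The following added example (not Data Gateway's own code) shows one way to parse an IP Range value in the formats listed above and decide whether a connecting address is allowed. The function names are hypothetical, and rejecting malformed entries and CIDR values with host bits set is an assumed policy, not documented product behaviour.

```python
import ipaddress

# Combined example value from the list above (single IPs, CIDR, hyphen range).
FIELD = "192.168.0.33, 192.168.0.36, 192.168.1.0/24, 192.168.0.33- 192.168.0.33"

def parse_ip_range_field(value):
    """Parse the field into (first, last) address pairs.

    Any malformed entry raises ValueError, so a typo rejects the whole
    configuration instead of silently widening or emptying the allowlist.
    """
    spans = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            raise ValueError("empty entry in IP range field")
        if "/" in entry:
            # strict=True rejects CIDR values with host bits set (assumed policy).
            net = ipaddress.ip_network(entry, strict=True)
            first, last = net.network_address, net.broadcast_address
        elif "-" in entry:
            lo, hi = (part.strip() for part in entry.split("-", 1))
            first, last = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        else:
            first = last = ipaddress.ip_address(entry)
        if first.version != last.version or first > last:
            raise ValueError(f"invalid range: {entry!r}")
        spans.append((first, last))
    return spans

def is_allowed(client_ip, spans):
    """True only if client_ip parses and lies inside one allowed span."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # fail closed on an unparsable peer address
    return any(a.version == addr.version and a <= addr <= b for a, b in spans)

def check(client_ips, field=FIELD):
    """Return {ip: allowed} for each client address (hypothetical helper)."""
    spans = parse_ip_range_field(field)
    return {ip: is_allowed(ip, spans) for ip in client_ips}

if __name__ == "__main__":
    for ip, ok in check(["192.168.0.36", "192.168.1.200", "192.168.0.34"]).items():
        print(ip, "allowed" if ok else "denied")
```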

A failed attempt to create a session from a non-whitelisted IP address is logged in File Transaction Search.
15.5.2 Rate Limiting
The session rate limiting feature in Data Gateway is designed to control the number of concurrent sessions a Partner can establish. This helps to prevent abuse and ensures fair usage of resources, enhancing the overall stability and performance of Data Gateway.
Key Features
1. Concurrent Session Control: Restricts the number of concurrent sessions per user.
2. Customizable Limits: Administrators can set different session limits for different endpoints.
3. Real-time Enforcement: Limits are enforced in real-time, preventing new sessions once the limit is reached.
4. Monitoring and Alerts: Administrators can monitor session usage through File Transaction Search.
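The following added example (not Data Gateway's own code) sketches concurrent session control with per-endpoint limits and real-time enforcement. The class, the partner and session identifiers, and the default limit are hypothetical; open sessions are tracked by ID rather than by a bare counter so that a duplicate close cannot free an extra slot.

```python
import threading

class SessionLimiter:
    """Track concurrent sessions per partner and refuse new ones at the limit."""

    def __init__(self, limits, default_limit=1):
        self._limits = dict(limits)   # partner id -> max concurrent sessions
        self._default = default_limit # assumed fallback for unlisted partners
        self._active = {}             # partner id -> set of open session ids
        self._lock = threading.Lock()
        self.denied = []              # (partner id, session id) for monitoring

    def open_session(self, partner_id, session_id):
        """Admit the session only while the partner is below its limit."""
        with self._lock:              # check and add must be one atomic step
            sessions = self._active.setdefault(partner_id, set())
            if session_id in sessions:
                return True           # already admitted, do not count twice
            limit = self._limits.get(partner_id, self._default)
            if len(sessions) >= limit:
                self.denied.append((partner_id, session_id))
                return False
            sessions.add(session_id)
            return True

    def close_session(self, partner_id, session_id):
        """Release the slot; safe to call twice or for an unknown session."""
        with self._lock:
            self._active.get(partner_id, set()).discard(session_id)

    def active_count(self, partner_id):
        with self._lock:
            return len(self._active.get(partner_id, ()))

def demo():
    """Constructed scenario: limit of 2 for 'partner-a', four attempts."""
    limiter = SessionLimiter({"partner-a": 2})
    results = [limiter.open_session("partner-a", s) for s in ("s1", "s2", "s3")]
    limiter.close_session("partner-a", "s1")
    limiter.close_session("partner-a", "s1")  # duplicate close frees nothing extra
    results.append(limiter.open_session("partner-a", "s4"))
    results.append(limiter.open_session("partner-a", "s5"))
    return results, limiter.denied

if __name__ == "__main__":
    print(demo())
```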





