Data Access Security in DFS

DFS includes administrative commands to establish and modify RPC authentication levels for communications between Cache Managers and File Servers. DFS provides very flexible tools for managing these RPC authentication levels, allowing you to set RPC authentication levels for each Cache Manager and RPC authentication bounds for each File Server. You can also set advisory RPC authentication bounds for each fileset.

The default security settings at the Cache Manager and File Server ensure that communications between a Cache Manager and File Server are authenticated at the DCE packet integrity security level: all data received is authenticated as originating at the expected host and is verified not to have been modified during transmission. However, you can choose to set higher or lower RPC authentication levels for each Cache Manager and File Server. Note that higher authentication levels result in some degradation of performance because of the increased overhead.

Each Cache Manager maintains two pairs of settings, each pair consisting of an initial RPC authentication level and an RPC authentication lower bound. One pair governs Cache Manager communications with File Servers in the same cell, while the second pair governs communications with File Servers in foreign cells. Similarly, each File Server maintains two pairs of RPC authentication lower and upper bound settings. Again, one pair governs communications with Cache Managers in the same cell, while the second pair controls communications with Cache Managers in foreign cells.

When a Cache Manager must contact a File Server to access a given fileset, the Cache Manager and File Server negotiate for a mutually acceptable RPC authentication level. In operation, the process works as follows.

The Cache Manager sends an RPC to the File Server at the Cache Manager's initial RPC authentication level. The File Server compares the authentication level of the RPC with the range defined by its upper and lower authentication level bounds. If the level falls within that range, communications between the Cache Manager and File Server are established. However, if the level is above or below the File Server's range, the File Server responds with an instruction to decrease or increase the authentication level accordingly. This negotiation continues until the Cache Manager and File Server arrive at a mutually agreeable RPC authentication level or until the File Server requests an authentication level below the minimum allowed for the Cache Manager (causing the Cache Manager to refuse communications with the File Server).

After arriving at a mutually agreeable RPC authentication level, the Cache Manager stores that information so that it does not need to renegotiate an authentication level during further communications with that particular File Server.
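The negotiation described above, modeled as an added example (not DFS code and not part of the original guide). It covers one pair of settings only (same-cell or foreign-cell), the class and method names are hypothetical, and it assumes that a File Server asking for a change names the nearest bound of its own range.

```python
from enum import IntEnum

class Level(IntEnum):
    # DCE RPC protection levels, weakest to strongest; values only give an ordering.
    NONE = 1
    CONNECT = 2
    CALL = 3
    PKT = 4
    PKT_INTEG = 5      # "packet integrity", the default described above
    PKT_PRIVACY = 6

class FileServer:
    def __init__(self, name, lower, upper):
        self.name, self.lower, self.upper = name, lower, upper

    def check(self, level):
        """Return None to accept, or the level the client should retry with."""
        if level < self.lower:
            return self.lower      # assumption: server names its nearest bound
        if level > self.upper:
            return self.upper
        return None

class CacheManager:
    def __init__(self, initial, lower):
        self.initial, self.lower = initial, lower
        self.agreed = {}           # per-server result, so negotiation runs once
        self.rpcs_sent = 0

    def connect(self, server):
        if server.name in self.agreed:
            return self.agreed[server.name]
        level = self.initial
        while True:
            self.rpcs_sent += 1
            wanted = server.check(level)
            if wanted is None:
                self.agreed[server.name] = level
                return level
            if wanted < self.lower:
                return None        # refuse: server asks for less than our minimum
            level = wanted

if __name__ == "__main__":
    cm = CacheManager(initial=Level.PKT_INTEG, lower=Level.PKT)
    for fs in (FileServer("fs1", Level.PKT_PRIVACY, Level.PKT_PRIVACY),
               FileServer("fs2", Level.NONE, Level.CONNECT)):
        result = cm.connect(fs)
        print(fs.name, result.name if result else "refused")
```

In this model the Cache Manager's lower bound is the only thing that stops a File Server with a low upper bound from pulling the session below the level the client administrator intended.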

Note that Cache Managers in versions of DFS earlier than 1.2.2 cannot negotiate RPC authentication levels. Setting the minimum authentication level bound at a File Exporter higher than packet integrity prevents the File Server from communicating with Cache Managers based on earlier versions of DFS.

You can establish a Cache Manager's initial and lower bound RPC authentication levels by using the dfsd command. You must assume the root identity on the Cache Manager machine to issue this command. You can adjust these settings by using the cm setprotectlevels command. You can check the Cache Manager's current RPC authentication level settings with the cm setprotectlevels command.

You can establish the upper and lower File Exporter RPC authentication bounds by using the fxd command. You cannot display a File Exporter's RPC authentication bound settings. For more information about setting the File Exporter's authentication bounds with the fxd command, see Part 2 of this guide and reference.

More:

Fileset Advisory RPC Authentication Bounds