You can set upper and lower advisory RPC authentication bounds for any DCE LFS fileset. These bounds serve to bias a Cache Manager's initial RPC authentication level when transferring data to or from the fileset. The fts setprotectlevels command stores the bound values in the FLDB. Currently these bounds are only advisory, but a future release of DFS may enforce them.
In operation, a Cache Manager contacts an FL Server to learn which File Servers house the required fileset (or replicas of the fileset). Along with the location, the Cache Manager also receives the upper and lower RPC authentication bounds for that fileset. The Cache Manager then compares its initial RPC authentication level with the range defined by the advisory bounds. If the initial level falls within the range, the Cache Manager begins the process of negotiating an RPC authentication level with the File Server by using the initial level. If the initial level falls outside the range, the Cache Manager adjusts the initial level upward or downward to the closest bound value (though not below its own minimum setting) before beginning the process of negotiating an RPC authentication level.
For example, suppose the following values represent the Cache Manager and fileset authentication level settings:
· The Cache Manager initial RPC authentication level is set to packet.
· The fileset upper bound is set to packet privacy.
· The fileset lower bound is set to packet integrity.
When the Cache Manager compares its initial level to the range defined by the fileset advisory bounds, it discovers that its initial level is set below the lower bound. The Cache Manager then adjusts its initial level to packet integrity and uses this RPC authentication level to begin the process of negotiating the RPC authentication level with the File Server. If the File Server upper bound is below the Cache Manager's initial level (adjusted through the fileset advisory bounds), the Cache Manager then lowers its initial level. Thus, the fileset bounds serve only to bias the selection of the RPC authentication level to a higher or lower level; however, the settings for the File Server and Cache Manager can override this bias.
Issue the fts setprotectlevels command to set advisory authentication bounds for filesets.
$ fts setprotectlevels -fileset {name|ID}
[-maxlocalprotectlevel level]
[-minlocalprotectlevel level]
[-maxremoteprotectlevel level]
[-minremoteprotectlevel level]
[-cell cellname]
The following options set the various advisory RPC authentication bounds:
· The -maxlocalprotectlevel option specifies the upper bound for use by Cache Managers in the local cell.
· The -minlocalprotectlevel option specifies the lower bound for use by Cache Managers in the local cell.
· The -maxremoteprotectlevel option specifies the upper bound for use by Cache Managers in foreign cells.
· The -minremoteprotectlevel option specifies the lower bound for use by Cache Managers in foreign cells.
The level argument is set as follows:
· 0 or rpc_protect_level_default or default
Use the DCE default authentication level.
· 1 or rpc_protect_level_none or none
Perform no authentication.
· 2 or rpc_protect_level_connect or connect
Authenticate only when the Cache Manager establishes a connection with the File Server.
· 3 or rpc_protect_level_call or call
Authenticate only at the beginning of each RPC received.
· 4 or rpc_protect_level_pkt or pkt
Ensure that all data received is from the expected host.
· 5 or rpc_protect_level_pkt_integrity or pkt_integrity
Authenticate and verify that none of the data transferred has been modified.
· 6 or rpc_protect_level_pkt_privacy or pkt_privacy
Perform authentication as specified by all of the previous levels and also encrypt each RPC argument value.
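The bias step described earlier (move an out-of-range initial level to the closest fileset bound, but never below the Cache Manager's own minimum), written out as an added example that is not DFS code. The function names are hypothetical, the treatment of level 0 (default) is an assumption, and the later negotiation with the File Server is not modeled.

```python
# Added illustration, not DFS source. Rank order follows the level list above.
LEVELS = ["default", "none", "connect", "call",
          "pkt", "pkt_integrity", "pkt_privacy"]
PREFIX = "rpc_protect_level_"


def parse_level(arg):
    """Return the numeric level for any of the three spellings of a level."""
    text = str(arg).strip().lower()
    if text.isdigit():
        if int(text) < len(LEVELS):
            return int(text)
        raise ValueError(f"level out of range: {arg!r}")
    if text.startswith(PREFIX):
        text = text[len(PREFIX):]
    if text in LEVELS:
        return LEVELS.index(text)
    raise ValueError(f"unknown protection level: {arg!r}")


def biased_initial_level(cm_initial, cm_minimum, fileset_min, fileset_max):
    """Starting level a Cache Manager would take into negotiation."""
    initial, floor, low, high = (
        parse_level(x) for x in (cm_initial, cm_minimum, fileset_min, fileset_max))
    # Assumption: 'default' (0) has no rank the page lets us compare, so reject it.
    if 0 in (initial, floor, low, high):
        raise ValueError("pass a concrete level, not 'default'")
    # Sanity check added by this sketch: an inverted range cannot be applied.
    if low > high:
        raise ValueError("fileset lower bound is above its upper bound")
    # Inside the range: keep the initial level. Outside: move to the closest bound.
    adjusted = min(max(initial, low), high)
    # The adjustment never goes below the Cache Manager's own minimum.
    return LEVELS[max(adjusted, floor)]


if __name__ == "__main__":
    # The page's example; the Cache Manager minimum of 'none' is constructed.
    print(biased_initial_level("pkt", "none", "pkt_integrity", "pkt_privacy"))
```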
The following command sets the authentication values as follows:
· The maximum authentication level for communication with Cache Managers in the local cell is set to packet integrity.
· The minimum authentication level for communication with Cache Managers in the local cell is set to packet.
· The maximum authentication level for communication with Cache Managers in foreign cells is set to packet privacy.
· The minimum authentication level for communication with Cache Managers in foreign cells is set to packet privacy.
$ fts setprotectlevels -fileset richland.12 -maxlocalprotectlevel 5 \
    -minlocalprotectlevel 4 -maxremoteprotectlevel 6 \
    -minremoteprotectlevel 6