You can set the RPC authentication level for communications between the Cache Manager and File Servers. By default, such communications use the packet integrity DCE RPC authentication level (each RPC is authenticated and the data is checked to ensure that it was not modified in transit). However, circumstances at your site may require higher security or permit lower security for File Server communications. The following lists the range of authentication levels:
Default: Use the DCE default authentication level.
None: Perform no authentication.
Connect: Authenticate only when the Cache Manager establishes a connection with the File Server.
Call: Authenticate only at the beginning of each RPC received.
Packet: Ensure that all data received is from the expected host (authenticate).
Packet Integrity: Ensure that all data received is from the expected host and verify that none of the data has been modified.
Packet Privacy: Perform authentication as specified by all of the previous levels and also encrypt each RPC argument value.
Note that higher authentication levels do incur some overhead and therefore cause some degradation in performance. Lower security levels, while more efficient, do carry an additional risk of attack.
You can set separate authentication levels for dealing with File Servers in the local cell and for dealing with File Servers in foreign cells. These authentication levels are set through two pairs of values. Each pair of values consists of the following:
· An initial RPC authentication level. This value sets the initial RPC authentication level used by the Cache Manager when it attempts to establish communications with a File Server. The initial level is used as a starting point in negotiating an RPC authentication level with the File Server.
· A minimum RPC authentication level. This value defines a lower bound RPC authentication level for the Cache Manager. Should a File Server request an authentication level below this level, the Cache Manager will refuse communications with that File Server.
For a complete description of how the Cache Manager negotiates the RPC authentication level, see the topic Data Access Security in DFS. In short, each File Server (File Exporter) maintains its own pairs of security values. These pairs set maximum and minimum bounds that control RPC authentication for communications with Cache Managers. As with the Cache Manager, one pair controls communications with Cache Managers within the local cell while the other controls communications with Cache Managers in foreign cells. By default, the RPC authentication settings at the File Server and Cache Manager will negotiate to the packet integrity authentication level.
The Cache Manager begins the negotiation by sending an RPC to the File Server at the authentication level determined by its initial RPC setting. The File Server then replies in one of the following three ways:
· The File Server accepts the RPC authentication level it received (the level fell within the range defined by its upper and lower bounds) and begins the process of sending and receiving fileset data with the Cache Manager.
· The File Server finds that the RPC authentication level is above its upper bound and sends a response to the Cache Manager instructing it to lower its authentication level. If the Cache Manager is currently using an authentication level equal to the Cache Manager's lower bound, the Cache Manager will cease attempts to communicate with the File Server.
· The File Server finds that the RPC authentication level is below its lower bound and sends a response to the Cache Manager instructing it to raise its authentication level.
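The negotiation described above, modelled as an added example (this is illustrative code written for this page, not DFS or DCE code). The level names and their ordering are taken from the list at the top of this topic; the settings used in the demonstration are constructed, the treatment of "Default" as packet integrity follows the statement that default communications negotiate to that level, and the assumption that the Cache Manager moves one level per reply is the example's own, since the text does not say how far it adjusts per round.

```python
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """RPC authentication levels in increasing order of protection (ordering from the text)."""
    NONE = 0
    CONNECT = 1
    CALL = 2
    PACKET = 3
    PACKET_INTEGRITY = 4
    PACKET_PRIVACY = 5


# "Default" means the DCE default level. The text says default communications
# negotiate to packet integrity, so this model resolves it that way (assumption).
DCE_DEFAULT = Level.PACKET_INTEGRITY


def parse_level(name: str) -> Level:
    """Map a level name as written in the text (e.g. "Packet Integrity") to a Level."""
    key = name.strip().lower().replace(" ", "_")
    if key == "default":
        return DCE_DEFAULT
    return Level[key.upper()]


class FileServer:
    """File Exporter side: one (minimum, maximum) pair for one class of Cache Manager."""

    def __init__(self, minimum: str, maximum: str):
        self.minimum = parse_level(minimum)
        self.maximum = parse_level(maximum)
        if self.minimum > self.maximum:
            raise ValueError("minimum must not exceed maximum")

    def reply(self, offered: Level) -> str:
        """The three replies from the text: accept, or ask the client to lower or raise."""
        if offered > self.maximum:
            return "lower"
        if offered < self.minimum:
            return "raise"
        return "accept"


class CacheManager:
    """Cache Manager side: one (initial, minimum) pair for one class of File Server."""

    def __init__(self, initial: str, minimum: str):
        self.initial = parse_level(initial)
        self.minimum = parse_level(minimum)
        if self.initial < self.minimum:
            raise ValueError("initial level must not be below the minimum")


class CacheManagerConfig:
    """The two pairs the text describes: one for local-cell servers, one for foreign cells."""

    def __init__(self, local: CacheManager, foreign: CacheManager):
        self.local, self.foreign = local, foreign

    def pair_for(self, same_cell: bool) -> CacheManager:
        return self.local if same_cell else self.foreign


def negotiate(cm: CacheManager, fs: FileServer) -> tuple[Optional[Level], list[str]]:
    """Run the negotiation; return (agreed level, or None if refused) and a transcript.

    Assumption: the Cache Manager moves one level per reply. Each round moves
    monotonically toward the server's range, so the loop always terminates.
    """
    level = cm.initial
    transcript: list[str] = []
    while True:
        verdict = fs.reply(level)
        transcript.append(f"CM offers {level.name}; FS replies {verdict}")
        if verdict == "accept":
            return level, transcript
        if verdict == "lower":
            if level <= cm.minimum:
                # At its lower bound: the Cache Manager ceases attempts to communicate.
                transcript.append("CM already at its minimum; communication refused")
                return None, transcript
            level = Level(level - 1)
        else:  # "raise": always possible, since fs.minimum <= PACKET_PRIVACY
            level = Level(level + 1)


if __name__ == "__main__":
    # Constructed settings: a strict local pair and a permissive foreign pair.
    cfg = CacheManagerConfig(CacheManager("Packet Integrity", "Packet Integrity"),
                             CacheManager("Packet Integrity", "Connect"))
    weak_server = FileServer("None", "Connect")  # constructed: only low levels allowed
    for same_cell in (True, False):
        agreed, log = negotiate(cfg.pair_for(same_cell), weak_server)
        print("local" if same_cell else "foreign", "->", agreed.name if agreed else "refused")
        print("\n".join("  " + line for line in log))
```

Running the demonstration shows the security-relevant asymmetry in the text: the same weak server is refused by the local pair (whose minimum is packet integrity) but accepted at Connect by the foreign pair (whose minimum is Connect), which is why the minimum, not the initial level, is the setting that bounds the risk from a misconfigured or hostile File Server.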
The following topics detail how to initially configure the Cache Manager RPC authentication levels and how to adjust those levels for a running Cache Manager.
More:
· Configuring RPC Authentication Levels
· Changing the RPC Authentication Levels Temporarily
· Checking RPC Authentication Levels