Adjusts DCE remote procedure call (RPC) authentication levels for communications between the Cache Manager and File Servers
Synopsis
cm setprotectlevels [-initiallocalprotectlevel level]
[-minlocalprotectlevel level] [-initialremoteprotectlevel level]
[-minremoteprotectlevel level] [-help]
Options
-initiallocalprotectlevel level
Specifies the initial DCE RPC authentication level for communications between the Cache Manager and File Servers within the same cell. The level is set either as an integer value between 0 and 6, the complete string defining the authentication level, or an abbreviation of that string. For a description of the various DCE RPC levels, see the Description topic.
-minlocalprotectlevel level
Specifies the minimum acceptable DCE RPC authentication level for communications between the Cache Manager and File Servers within the same cell. The level is set either as an integer value between 0 and 6, the complete string defining the authentication level, or an abbreviation of that string. For a description of the various DCE RPC levels, see the Description topic.
-initialremoteprotectlevel level
Specifies the initial DCE RPC authentication level for communications between the Cache Manager and File Servers within foreign cells. The level is set either as an integer value between 0 and 6, the complete string defining the authentication level, or an abbreviation of that string. For a description of the various DCE RPC levels, see the Description topic.
-minremoteprotectlevel level
Specifies the minimum acceptable DCE RPC authentication level for communications between the Cache Manager and File Servers within foreign cells. The level is set either as an integer value between 0 and 6, the complete string defining the authentication level, or an abbreviation of that string. For a description of the various DCE RPC levels, see the Description topic.
-help
Prints the online help for this command. All other valid options specified with this option are ignored.
Description
The cm setprotectlevels command adjusts the DCE RPC security level for RPCs sent between a Cache Manager and DFS File Servers. The command adjusts two levels: an initial DCE RPC security level used as a starting point in security level negotiations between the Cache Manager and a File Server and the minimum DCE RPC security level the Cache Manager will accept for such communications. Two sets of these levels are maintained: one set specifies the security levels for communications with File Servers within the local cell and the other set specifies the security levels for communications with File Servers within foreign cells. Both sets of security levels are initially set through the dfsd command.
In operation, the Cache Manager and File Server interact to arrive at a mutually acceptable authentication level for communications. The negotiation starts with an RPC using the initial authentication level sent from the Cache Manager to the File Server. If the initial authentication level is outside the minimum or maximum bounds set at the File Server, the File Server returns a response to the Cache Manager specifying that the authentication level is either too low or too high. The Cache Manager then decreases or increases its authentication level accordingly and retries the RPC. This process continues until the Cache Manager either adjusts its RPCs to an acceptable security level or the File Server requests a security level below the minimum set at the Cache Manager (causing the Cache Manager to refuse communications with the File Server). Once the Cache Manager and File Server have negotiated a security level, the Cache Manager stores this information so that it does not need to renegotiate this level for further communications with the File Server.
The authentication bounds for communications at the File Server itself are set through the fxd command. The Cache Manager and fxd default settings are such that communications occur at the Packet Integrity authentication level.
In addition to a general pair of upper and lower bounds for all communications between the File Server and Cache Manager, administrators can also set advisory bounds on a per fileset basis. At present, these advisory levels serve only to bias the Cache Manager's selection of an initial authentication level (they may be enforced in a future version of DFS). Advisory bounds are set through the fts setprotectlevels command and are stored in the FLDB record for that fileset.
Note that the use of this command does not preclude communications with File Servers running earlier versions of DFS.
The various authentication levels are set by specifying either an integer value between 0 and 6, a complete string specifying the authentication level, or an abbreviation of that string as the level argument for the various command options. The following lists the various authentication levels:
· 0 or default or rpc_protect_level_default
Use the DCE default authentication level.
· 1 or none or rpc_protect_level_none
Perform no authentication.
· 2 or connect or rpc_protect_level_connect
Authenticate only when the Cache Manager establishes a connection with the File Server.
· 3 or call or rpc_protect_level_call
Authenticate only at the beginning of each RPC received.
· 4 or pkt or rpc_protect_level_pkt
Ensure that all data received is from the expected host.
· 5 or pkt_integrity or rpc_protect_level_pkt_integrity
Authenticate and verify that none of the data transferred has been modified.
· 6 or pkt_privacy or rpc_protect_level_pkt_privacy
Perform authentication as specified by all of the previous levels and also encrypt each RPC argument value.
Note that there is a trade-off between selecting higher security and performance. The higher levels of security require more overhead and increase the response time in file operations with File Servers.
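The following Python model, added here as an illustration and not part of DFS or DCE, shows two things the Description covers: how a level argument in any of the three accepted forms (integer, full rpc_protect_level_ string, or abbreviation) maps to a level number, and how the Cache Manager walks its initial level up or down in response to the File Server's "too low" or "too high" replies until it reaches an acceptable level, refuses because the server asks for less than the Cache Manager's minimum, or reuses a level it already negotiated. The reply strings, the one-level-per-retry adjustment, the class and function names, and the server bounds (which fxd would set in a real deployment) are all constructed assumptions.

```python
"""Model of the protection-level negotiation between a Cache Manager and a
File Server as described on this page. Constructed example, not DCE/DFS code:
the one-level-per-retry adjustment and the reply strings are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The seven DCE RPC protection levels listed in the Description.
LEVEL_NAMES = {0: "default", 1: "none", 2: "connect", 3: "call",
               4: "pkt", 5: "pkt_integrity", 6: "pkt_privacy"}
NAME_TO_LEVEL = {name: value for value, name in LEVEL_NAMES.items()}
PREFIX = "rpc_protect_level_"


def parse_level(arg: str) -> int:
    """Turn a `level` argument (integer 0-6, full name with or without the
    rpc_protect_level_ prefix, or an unambiguous abbreviation) into an int."""
    text = arg.strip().lower()
    if text.isdigit():
        value = int(text)
        if 0 <= value <= 6:
            return value
        raise ValueError(f"level out of range: {arg}")
    if text.startswith(PREFIX):
        text = text[len(PREFIX):]
    elif PREFIX.startswith(text):
        # A bare prefix of "rpc_protect_level_" could mean any level.
        raise ValueError(f"ambiguous level abbreviation: {arg}")
    if text in NAME_TO_LEVEL:          # exact name wins, so "pkt" is not ambiguous
        return NAME_TO_LEVEL[text]
    matches = [v for v, name in LEVEL_NAMES.items() if name.startswith(text)]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise ValueError(f"unknown level: {arg}")
    raise ValueError(f"ambiguous level abbreviation: {arg}")


@dataclass
class FileServer:
    """Server-side bounds (set by fxd in DFS; values here are constructed)."""
    min_level: int
    max_level: int

    def check(self, level: int) -> str:
        """Reply to an RPC sent at `level`: 'ok', 'too_low' or 'too_high'."""
        if level < self.min_level:
            return "too_low"
        if level > self.max_level:
            return "too_high"
        return "ok"


@dataclass
class CacheManager:
    """One (initial, minimum) pair, i.e. the local or the remote set."""
    initial_level: int
    min_level: int
    negotiated: Dict[str, int] = field(default_factory=dict)

    def negotiate(self, server_name: str, server: FileServer
                  ) -> Tuple[Optional[int], List[Tuple[int, str]]]:
        """Return (agreed level or None if refused, transcript of (level, reply))."""
        if server_name in self.negotiated:      # stored result: no renegotiation
            return self.negotiated[server_name], []
        level = self.initial_level
        transcript: List[Tuple[int, str]] = []
        for _ in range(len(LEVEL_NAMES)):       # at most one attempt per level
            reply = server.check(level)
            transcript.append((level, reply))
            if reply == "ok":
                self.negotiated[server_name] = level
                return level, transcript
            level += 1 if reply == "too_low" else -1
            if level < self.min_level:          # server wants less than we accept
                return None, transcript
            if level > max(LEVEL_NAMES):        # nothing above pkt_privacy to offer
                return None, transcript
        return None, transcript                 # inconsistent server bounds


def demo() -> Dict[str, Optional[int]]:
    """Run the Examples section's settings against two constructed servers."""
    local_cm = CacheManager(parse_level("5"), parse_level("4"))    # local set
    remote_cm = CacheManager(parse_level("6"), parse_level("6"))   # remote set
    return {
        "local": local_cm.negotiate("fs1.local", FileServer(4, 4))[0],   # settles on 4
        "remote": remote_cm.negotiate("fs.foreign", FileServer(2, 5))[0],  # refused
    }


if __name__ == "__main__":
    print(demo())
```

In the demo the foreign server caps communications at level 5 while the remote minimum is pkt_privacy, so the Cache Manager refuses rather than step below its own floor; this is the case to watch when raising -minremoteprotectlevel, since it can silently cut off access to File Servers in foreign cells rather than degrade the level.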
Privilege Required
The issuer must be logged in as root on the local machine.
Examples
The following command sets the following authentication values:
· The initial authentication level for communications with File Servers in the local cell is set to packet integrity.
· The minimum authentication level for communications with File Servers in the local cell is set to packet.
· The initial authentication level for communications with File Servers in foreign cells is set to packet privacy.
· The minimum authentication level for communications with File Servers in foreign cells is set to packet privacy.
$ cm setprotectlevels -initiallocalprotectlevel 5 -minlocalprotectlevel 4 -initialremoteprotectlevel 6 -minremoteprotectlevel 6
Related Information
Commands: