IBM Hub/Switch 2.8.4.3 FTP/PFTP, 2.8.4.4 DFS, 2.8.4.5 NFS, 2.8.4.6 Bitle

Chapter 2 HPSS Planning

88 September 2002 HPSS Installation Guide

Release 4.5, Revision 2

2.8.4.3 FTP/PFTP

By default, FTP and Parallel FTP (PFTP) interfaces use a username/password mechanism to

authenticate and authorize end users. The end user identity credentials are obtained from the

principal and account records in the DCE security registry. However, FTP and PFTP users do not

requiremaintenance of a login password in the DCE registry. The FTP/PFTP interfaces allow sites

touse site-supplied algorithms for end user authentication. This mechanism is enabled by running

an appropriate authentication manager such asauth_dcegss.

Alternatively, authentication may be performed using the DCE Registry or using password-less

mechanisms such as MIT Kerberos.

2.8.4.4 DFS

DFS uses DCE authentication and authorization.

2.8.4.5 NFS

Though the HPSS NFS client interface does not directly support an end user login authorization

mechanism, standard NFS export security features are supported to allow speciﬁcation of read-

only, read-mostly, read-write, and root access to HPSS subtrees for identiﬁed client hosts. HPSS

NFS does not support Sun MicroSystems’ Network Information Services to validate client hosts.

HPSS NFS does provide an option to validate the network address of hosts attempting to mount

HPSSdirectories. The default conﬁguration disables this check. To enable client address validation,

export the variable HPSS_MOUNTD_IPCHECK in the HPSS environments ﬁle (hpss_env). An

optionto specify mediation of user access to HPSS ﬁles by a credentials mapping is also provided.

Export entry options are described further in Section 7.4: NFS Daemon Conﬁguration (page 431).

If the user mapping option is speciﬁed, user access requires an entry in the NFS credentials map

cache and user credentials are obtained from that cache. Entries in the credentials map cache,

maintained by the NFS Daemon, are generated based on site policy. For instance, entries may be

established by allowing users to run a site-deﬁned map administration utility, or they may be set

up at NFS startup time by reading a ﬁle. They can also be added by running a privileged map

administration utility such as thenfsmap utility.

2.8.4.6 Bitﬁle

Enforcement of access to HPSS bitﬁle data is accomplished through a ticketing mechanism. An

HPSS security ticket, which contains subject, object, and permission information, is generated by

theHPSS Name Server. Ticket integrity is certiﬁed througha checksum that is encrypted with a key

shared by the Name Server and Bitﬁle Server. When access to ﬁle data is requested, the ticket is

presentedto the HPSS Bitﬁle Server, which checks the ticket for authenticity and appropriate user

permissions.The Name Server/Bitﬁle Server shared key is generated at Name Server startup, and

issent to the Bitﬁle Server using an encrypted DCE remote procedure call to set up a shared security

context.If the DCE cell in which HPSS resides does not support packet integrity, it is recommended

that the Name Server and Bitﬁle Server components run on the same platform.