Example of AFM support for Kerberos-enabled NFS protocol exports

AFM supports both CES-enabled NFS protocol services and configurations without CES NFS (the NFS server that is shipped with the operating system).

AFM can use file access protocol authentication that is set up with AD and LDAP. Kerberos can be used to add higher security for data transfer between the home or secondary servers and the cache or primary servers. As an administrator, you can configure file access for protocol authentication along with the Kerberos configuration for client access. AFM and AFM-DR require all gateway nodes at the cache or primary cluster to be configured and authenticated as Kerberos clients. The home or secondary cluster must be configured to export Kerberos-enabled NFS mounts.

Complete the following steps:
  1. Ensure that the AFM home or secondary cluster has the NFS service enabled, either through Cluster Export Services (CES) protocol services or through the default NFS service.
  2. Configure authentication and ID mapping for file access by using LDAP or AD, because it is required for Kerberos-enabled exports at the AFM home or secondary fileset.
  3. At the cache or primary cluster, all gateway nodes must be configured and authenticated as Kerberos clients so that Kerberos-enabled NFS exports can be mounted at the cache or primary. Run the following command to export the NFS target mount paths, in order of security levels such as sys, krb5, krb5i, or krb5p.
    mmnfs export add <Target_Path_Home> -c '[GatewayIPAddresses|*](Access_Type=RW,Squash=no_root_squash,SECTYPE=krb5i)'
  4. Run the following command to mount the exported paths at the gateway nodes by using NFS v3.
    mount -t nfs -o vers=3,sec=krb5i <Home>:/<Target_Path_Home> /mnt1
  5. Set afmEnableNFSSec to yes at the cache or primary cluster. Run the following command:
    mmchconfig afmEnableNFSSec=yes -i
  6. Create an AFM fileset for the prepared target and link the fileset to the target. Run the following commands:
    mmcrfileset filesystemname Fileset -p afmTarget=Home:/<Target_Path_Home> --inode-space=new -p afmMode={single-writer | read-only | local-updates | independent-writer}
    
    mmlinkfileset filesystemname fileset -J /filesystem-path/fileset
  7. You can now access this fileset. Run the following command to display its state:
    mmafmctl <fs name> getstate -j <Fileset>
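
After the mount in step 4, it is worth confirming on each gateway node that the target is mounted with the intended security flavor and not with a weaker one. The following script is an added example, not part of the product documentation: it reads entries in /proc/mounts format and checks the sec= option against a minimum flavor. The function names, host names, and sample entries are assumptions made for the example.

```shell
#!/bin/sh
# Added example: verify the security flavor an NFS mount is actually using.

# Rank flavors in the order listed in step 3: sys < krb5 < krb5i < krb5p.
sec_rank() {
    case "$1" in
        sys) echo 0 ;; krb5) echo 1 ;; krb5i) echo 2 ;; krb5p) echo 3 ;;
        *) echo -1 ;;
    esac
}

# nfs_sec_of MOUNTPOINT [MOUNTS_FILE]
# Prints the sec= flavor of the NFS mount at MOUNTPOINT, or nothing if absent.
nfs_sec_of() {
    awk -v mp="$1" '
        $2 == mp && $3 ~ /^nfs/ {
            found = "sys"    # assumption: an entry without sec= counts as sys
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^sec=/) found = substr(opts[i], 5)
        }
        END { if (found != "") print found }
    ' "${2:-/proc/mounts}"
}

# check_nfs_sec MOUNTPOINT MIN_FLAVOR [MOUNTS_FILE]
# Returns 0 = meets MIN_FLAVOR, 1 = weaker or unknown flavor,
#         2 = no NFS mount at MOUNTPOINT, 3 = MIN_FLAVOR not recognised.
check_nfs_sec() {
    want=$(sec_rank "$2")
    [ "$want" -ge 0 ] || return 3
    actual=$(nfs_sec_of "$1" "${3:-/proc/mounts}")
    [ -n "$actual" ] || return 2
    [ "$(sec_rank "$actual")" -ge "$want" ]
}

# Constructed sample in /proc/mounts format (host names and paths are made up).
sample_mounts() {
    cat <<'EOF'
home1:/gpfs/fs1/target /mnt1 nfs rw,relatime,vers=3,proto=tcp,sec=krb5i,mountaddr=192.0.2.10 0 0
home1:/gpfs/fs1/legacy /mnt2 nfs rw,relatime,vers=3,proto=tcp,sec=sys,mountaddr=192.0.2.10 0 0
/dev/sda1 / xfs rw,relatime 0 0
EOF
}

# Demo on the sample ("-" makes awk read standard input).
sample_mounts | check_nfs_sec /mnt1 krb5i - && echo "/mnt1: krb5i or stronger"
sample_mounts | check_nfs_sec /mnt2 krb5i - || echo "/mnt2: weaker than krb5i"
```

On a gateway node, call check_nfs_sec /mnt1 krb5i without a file argument to read the live /proc/mounts.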