Using multiple security levels for remote access

A cluster that owns a file system and permits access to it from other clusters can designate a different security level for each connecting cluster.

When multiple security levels are specified, each connection must use the security level of the connecting node unless that security level is AUTHONLY. In this case, the security level of the node that accepts the connection is used instead. This means that a connection must use AUTHONLY if both nodes exist in clusters that are required to use the AUTHONLY security method.

To specify a different security level for each cluster that requests access to a specified cluster, use the mmauth -l cipherList command. The following examples illustrate this:
  1. In this example, cluster1 and cluster2 are on the same trusted network, and cluster3 is connected to both of them with an untrusted network. The system administrator chooses these security levels:
    • A cipherList of AUTHONLY for connections between cluster1 and cluster2
    • A cipherList of AES128-SHA for connections between cluster1 and cluster3
    • A cipherList of AES128-SHA for connections between cluster2 and cluster3
    The administrator of cluster1 issues these commands:
    mmauth add cluster2 -k keyFile -l AUTHONLY
    mmauth add cluster3 -k keyFile -l AES128-SHA
  2. In this example, cluster2 is accessing file systems that are owned by cluster1 by using a cipherList of AUTHONLY, but the administrator of cluster1 decides to require a more secure cipherList. The administrator of cluster1 issues this command:
    mmauth update cluster2 -l AES128-SHA

    Existing connections are upgraded from AUTHONLY to AES128-SHA.
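
The level-selection rule described above, applied to the three-cluster layout of example 1, as an added example (not IBM's code). It assumes a per-pair table in which levels[a][b] is the cipherList that cluster a has set for cluster b, and that cluster2 and cluster3 mirror the settings of cluster1; all function and variable names are hypothetical.

```python
# Added example: models the rule "use the connecting node's level unless it is
# AUTHONLY, in which case use the accepting node's level".
AUTHONLY = "AUTHONLY"  # authentication without encryption of the connection

def effective_level(levels, connecting, accepting):
    """Level used when a node in `connecting` opens a connection to `accepting`.

    levels[a][b] is the cipherList cluster a applies to cluster b
    (a modelling assumption of this example).
    """
    own = levels[connecting][accepting]
    if own != AUTHONLY:
        return own
    return levels[accepting][connecting]

def unencrypted_links(levels, untrusted):
    """Return (connecting, accepting) pairs on untrusted links that resolve to AUTHONLY."""
    findings = []
    for a, b in untrusted:
        for src, dst in ((a, b), (b, a)):
            if effective_level(levels, src, dst) == AUTHONLY:
                findings.append((src, dst))
    return findings

# Constructed data: the layout of example 1, with assumed mirrored settings.
EXAMPLE_1 = {
    "cluster1": {"cluster2": AUTHONLY, "cluster3": "AES128-SHA"},
    "cluster2": {"cluster1": AUTHONLY, "cluster3": "AES128-SHA"},
    "cluster3": {"cluster1": "AES128-SHA", "cluster2": "AES128-SHA"},
}
UNTRUSTED = [("cluster1", "cluster3"), ("cluster2", "cluster3")]

# Constructed variant: only cluster3 specifies AUTHONLY for cluster1.
ONE_SIDED = {**EXAMPLE_1,
             "cluster3": {"cluster1": AUTHONLY, "cluster2": "AES128-SHA"}}
# Constructed variant: cluster1 and cluster3 both specify AUTHONLY for each other.
BOTH_SIDES = {**ONE_SIDED,
              "cluster1": {"cluster2": AUTHONLY, "cluster3": AUTHONLY}}

if __name__ == "__main__":
    for name, levels in (("example 1", EXAMPLE_1),
                         ("one side AUTHONLY", ONE_SIDED),
                         ("both sides AUTHONLY", BOTH_SIDES)):
        print(name, unencrypted_links(levels, UNTRUSTED))
```

Under this model, a link over the untrusted network falls back to AUTHONLY only when both clusters specify AUTHONLY for each other, so an audit needs the settings from both sides of each pair.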