Manualshelf

NFS Services Administrator's Guide (B.11.31.04) March 2009

ManualsBrandsHP ManualsSoftwareHP-UX 11i v3 ONC and NFS Software
21222324252627282930
Secure Sharing of Directories
In earlier versions of HP-UX, NFS used the AUTH_SYS authentication, which uses
UNIX style authentication, (uid/gid), to allow access to the shared files. It is fairly
simple to develop an application or server that can masquerade as a user because the
gid/uid ownership of a file can be viewed.
The AUTH_DH authenticating method was introduced to address the vulnerabilities
of the AUTH_SYS authentication method. The AUTH_DH security model is stronger,
because it authenticates the user by using the users private key.
Kerberos is an authentication system that provides secure transactions over networks.
It offers strong user authentication, integrity and privacy. Kerberos support has been
added to provide authentication and encryption capabilities. For information on how
to share directories in a secure manner, see “Secure Sharing of Directories ” (page 35).
Client Failover
By using client-side failover, an NFS client can specify redundant servers that are
making the same data available and switch to an alternate server when the current
server becomes unavailable. The filesystems on the current server can become
unavailable for the following reasons:
If the filesystem is connected to a server that crashes
If the server is overloaded
If a network fault occurs
A failover occurs when the filesystem is unavailable. The failover is transparent to the
user. The failover can occur at any time without disrupting processes that are running
on the client.
Consider the following points before enabling client-side failover:
The filesystem must be mounted with read-only permissions.
The filesystems must be identical on all the redundant servers for the failover to
occur successfully. For information on identical filesystems, see “Replicated
Filesystems” (page 23).
A static filesystem or one that is not modified often is used for failover.
File systems that are mounted using CacheFS are not supported for use with
failover.
If client-side failover is enabled using the command-line option, the listed servers
must support the same version of the NFS protocol. For example, onc21 and
onc23 must support the same version of NFS protocol, either NFSv2, NFSv3, or
NFSv4.
For information on how to enable client-side failover, see “Enabling Client-Side Failover
(page 50).
22 Introduction