1ISNS_CONFIG(8)              System Manager's Manual             ISNS_CONFIG(8)
2
3
4

NAME

6       isns_config - iSNS configuration file
7

SYNOPSIS

9       /etc/isns/isnsadm.conf
10       /etc/isns/isnsd.conf
11       /etc/isns/isnsdd.conf
12
13

DESCRIPTION

15       All  Open-iSNS  utilities  read  their  configuration  from  a  file in
16       /etc/isns.  There is a separate configuration file  for  each  applica‐
17       tion,  isnsd, isnsadm, and isnsdd.  The syntax and the set of supported
18       options is identical, even though some options are specific to e.g. the
19       server.  Unless indicated, options are applicable to all utilities.
20
21       An  Open-iSNS  configuration  file contains keyword-argument pairs, one
22       per line.  All keywords are case insensitive.
23
24       A # character introduces a comment, which extends until the end of  the
25       line. Empty lines are ignored.
26
27       There are no line continuations, and you cannot use quotes around argu‐
28       ments.
29
30       Some options specify timeout values, which are given in units  of  sec‐
31       onds  by  default. You can specify an explicit unit, however, such as d
32       (days), h (hours), m (minutes), or s (seconds).
33
34   Generic Options
35       HostName
36              By default, Open-iSNS applications will retrieve  the  machine's
37              hostname  using  the  gethostname(3)  system call, and use a DNS
38              lookup to look  up  the  canonical  name.   Using  the  HostName
39              option, you can overried this. This option is rarely needed.
40
41       SourceName
42              This  option  is mandatory for all Open-iSNS applications.  This
43              should be a name which identifies the  client  uniquely.   There
44              are two readings of RFC 4171; one requires that this is an iSCSI
45              qualified name  such  as  iqn.2001-04.com.example.host,  whereas
46              other  language  in  the RFC suggests that this is pretty much a
47              free-format string that just has to be unique  (using  e.g.  the
48              client's fully qualified domain name).
49
50              When  using DSA authentication, Open-iSNS currently requires the
51              source name to match the key identifier (SPI)  of  the  client's
52              public key.
53
54              If  left  empty,  the  source  name is derived from the client's
55              hostname.
56
57       ServerAddress (client):
58              This options specifies the host name  or  address  of  the  iSNS
59              server to talk to. It can optionally be followed by a colon, and
60              a port number.
61
62              Instead of a hostname, IPv4 or IPv6 addresses can be  used.   In
63              order  to avoid ambiguities, literal IPv6 addresses must be sur‐
64              rounded by square brackets, as in [2001:4e5f::1].
65
66              When specifying a port number, you can use  either  the  numeric
67              port,  or  a string name to be looked up in /etc/services.  When
68              the port is omitted, it defaults to 3205, the IANA assigned port
69              number of iSNS.
70
71              If  the  special  string  SLP:  is  used, the client will try to
72              locate the iSNS server through SLP.
73
74       SLPRegister (server):
75              If set to 1, the iSNS daemon will register itself will  the  SLP
76              service.  This allows clients to contact the server without hav‐
77              ing to configure its address statically.
78
79       PIDFile (server):
80              This specifies the name of  the  server's  PID  file,  which  is
81              /var/run/isnsd.pid by default.
82
83   Database Related Options
84       These  options  apply to the iSNS server only, and control operation of
85       the iSNS database.
86
87       Database
88              This option is used to specify how the database is stored.  Set‐
89              ting  this  to  an  absolute  path name will make isnsd keep its
90              database in the specified directory.
91
92              If you leave this empty, isnsd will keep its database in memory.
93              This is also the default setting.
94
95       DefaultDiscoveryDomain
96              iSNS  scopes visibility of other nodes using so-called Discovery
97              Domains. A storage node A will only "see"  storage  node  B,  if
98              both are members of the same discovery domain.
99
100              So if a storage node is registered which is not part of any dis‐
101              covery domain, it will not see any other nodes.
102
103              By setting DefaultDiscoveryDomain=1, you can tell isnsd to  cre‐
104              ate  a virtual "default discovery domain", which holds all nodes
105              that are not part of any administratively  configured  discovery
106              domain.
107
108              By default, there is no default discovery domain.
109
110       RegistrationPeriod
111              The  iSNS  server  can purge registered entities after a certain
112              period of inactivity. This is called  the  registration  period.
113              Clients  who register objects are supposed to refresh their reg‐
114              istration within this period.
115
116              The default value is 1 hour. Setting it to 0 disables expiry  of
117              entities from the database.
118
119       ESIRetries
120              Open-iSNS  is  able to monitor the reachability of storage nodes
121              and their portals by using a protocol feature called ESI (Entity
122              status  inquiry).  Clients request ESI monitoring by registering
123              an ESI port along with each portal. The  server  will  send  ESI
124              messages  to  these portals at regular intervals.  If the portal
125              fails to reply several times in a row, it  is  considered  dead,
126              and will be removed from the database.
127
128              ESIRetries  specifies  the maximum number of attempts the server
129              will make at contacting the portal before pronouncing  it  dead.
130              If  set  to 0, the server will disable ESI and reject any regis‐
131              trations that specify an ESI port with an error code of "ESI not
132              supported".
133
134              The default value is 3.
135
136       ESIMinInterval
137              This  timeout  value  specifies  the minimum ESI interval.  If a
138              client requests an ESI interval less  than  this  value,  it  is
139              silently rounded up.
140
141              The default value is 60 seconds.
142
143       ESIMaxInterval
144              This  timeout  value  specifies  the maximum ESI interval.  If a
145              client requests an ESI interval greater than this value,  it  is
146              silently rounded down.
147
148              The default value is 10 minutes.
149
150              The  maximum  ESI interval must not exceed half the value of the
151              registration period.
152
153       SCNRetries
154              iSNS clients can register to receive State  Change  Notification
155              (SCN)  messages  to  learn  about  changes in the iSNS database.
156              This value specifies how often the server will try to retransmit
157              an SCN message until giving up.
158
159              The default value is 3.
160
161       SCNCallout
162              This  is  the  path  name  of  a helper program that isnsdd will
163              invoke whenever it processes a state  change  notification  from
164              the  server. The helper program will be invoked with an argument
165              indicating the type of event,  being  one  of  add,  update,  or
166              remove.   This is followed by a list of attributes in name=value
167              notation,  using  the  names  and   conventions   described   in
168              isnsadm(8).
169
170   Security Related Options
171       The  iSNS  standard  defines  an authentication method based on the DSA
172       algorithm. Participants in a message exchange authenticate messages  by
173       adding  an  "authentication  block"  containing  a time stamp, a string
174       identifying the key used, and a digital signature of the message.   The
175       same method is also used by SLP, the Service Location Protocol.
176
177       The  string contained in the authentication block is referred to as the
178       Security Policy Index(SPI).  This string can be used by the  server  to
179       look  up  the  client's public key by whatever mechanism; so the string
180       could be used as the name of a public key file in a  directory,  or  to
181       retrieve an X509 certificate from LDAP.
182
183       From  the  perspective of Open-iSNS client applications, there are only
184       two keys: the client's own (private) key, used to sign the messages  it
185       sends  to  the  server, and the server's public key, used to verify the
186       signatures of incoming server messages.
187
188       The iSNS server needs, in addition to its own private  key,  access  to
189       all  public keys of clients that will communicate to it. The latter are
190       kept in what is called a key store. Key stores and their operation will
191       be discussed in section Key Stores and Policy below.
192
193       The following configuration options control authentication:
194
195       Security
196              This enables or disables DSA authentication.  When set to 1, the
197              client will sign all messages, and expect all server messages to
198              be signed.
199
200              When  enabling  security  in  the  server, incoming messages are
201              checked for the presence of an auth block. If none  is  present,
202              or  if  the server cannot find a public key corresponding to the
203              SPI, the message is treated as  originating  from  an  anonymous
204              source.  If the SPI is known but the signature is incorrect, the
205              message is dropped silently.
206
207              Messages from an  anonymous  source  will  be  assigned  a  very
208              restrictive policy that allows database queries only.
209
210              Setting this option to 0 will turn off authentication.
211
212              The  default value is -1, which tells iSNS to use authentication
213              if the required keys are installed, and use unauthenticated iSNS
214              otherwise.
215
216       AuthName
217              This  is the string that will be used as the SPI in all outgoing
218              messages that have an auth block. It defaults to the  host  name
219              (please refer to option HostName).
220
221       AuthKeyFile
222              This  is  the  path  name of a file containing a PEM encoded DSA
223              key.  This key is used to sign outgoing messages.   The  default
224              is /etc/isns/auth_key.
225
226       ServerKeyFile
227              This  option  is used by client applications only, and specifies
228              the path name of a file containing a PEM encoded DSA key.   This
229              key  is  used to authenticate the server's replies.  The default
230              is /etc/isns/server_key.pub.
231
232       KeyStore
233              This  server-side  option  specifies  the  key  store  to   use,
234              described in the next section.
235
236       The  following  two options control how iSNS will verify the time stamp
237       contained in the authentication block, which  is  supposed  to  prevent
238       replay attacks.
239
240       Auth.ReplayWindow
241              In  order  to  compensate  for  clock  drift  between  two hosts
242              exchanging iSNS messages, Open-iSNS will  apply  a  little  fuzz
243              when  comparing  the  time stamp contained in the message to the
244              local system time. If the  difference  between  time  stamp  and
245              local  system  time  is less than the number of seconds given by
246              this  option,  the  message  is  acceptable.  Otherwise,  it  is
247              rejected.
248
249              The default value is 5m.
250
251       Auth.TimestampJitter
252              When verifying incoming messages, Open-iSNS checks that the time
253              stamps sent by the peer are increasing monotonically.  In  order
254              to  compensate for the reordering of messages by the network (eg
255              when using UDP as transport), a certain  time  stamp  jitter  is
256              accepted.   If the time stamp of an incoming messages is no ear‐
257              lier than TimestampJitter seconds before  the  last  time  stamp
258              received,  then  the  message  is  acceptable.  Otherwise, it is
259              rejected.
260
261              The default value is 1s.
262
263   Key Stores and Policy
264       The current implementation supports two types of key stores.
265
266       The simple key store uses a flat directory to store public  keys,  each
267       key  in  a  file  of its own. The file is expected to hold the client's
268       PEM-encoded public key, and it must use the client's SPI as  the  name.
269       This  type of key store is not really recommended, as it does not store
270       any policy information.
271
272       A simple key store can be configured by setting the KeyStore option  to
273       the path name of the directory.
274
275       The recommended approach is to use the database as key store. This uses
276       vendor-specific policy objects to tie SPI string,  public  key,  entity
277       name,  source name and other bits of policy together, and store them in
278       a persistent way.
279
280       The database key store is configured by setting the KeyStore option  to
281       the reserved value DB:, which is also the default.
282
283       Currently,  Open-iSNS  policy  objects  have  the following attributes,
284       besides the SPI:
285
286       Source:
287              This is the source node name the client must use. It defaults to
288              the SPI string.
289
290       Functions:
291              This is a bitmap detailing which functions the client is permit‐
292              ted to invoke. The bit names correspond to the  shorthand  names
293              used  in  RFC  4711,  such  as  DevAttrReg, DevAttrQry, etc. The
294              default is to allow registration, query and  deregistration,  as
295              well as SCNRegister.
296
297       Entity name:
298              This is the entity name assigned to the client. If set, a regis‐
299              tration by the client is not permitted to use a different entity
300              name.  If the client sends a registration without Entity identi‐
301              fier, the server will assign the entity name given in  the  pol‐
302              icy.  The default is to not restrict the entity name.
303
304       Object access:
305              This is a bitfield describing access permissions for each object
306              type.  For each object type, you can  grant  Read  and/or  Write
307              permissions.   Read  access  applies  to  the  Query and GetNext
308              calls; all  other  operations  require  write  permission.   The
309              default  grants read and write access to objects of type Entity,
310              Storage Node, Portal and Portal Group; and read access  to  Dis‐
311              covery Domains.
312
313       Node types:
314              This bitfield describes which types of storage nodes a client is
315              allowed to register; the valid bit names are  target,  initiator
316              and  control.  The default is to restrict nodes to register ini‐
317              tiators only.
318
319   Network Related Options
320       Network.MaxSockets
321              This  is  the  number  of  incoming  connections  accepted,  and
322              defaults  to 1024. This usually applies to server side only, but
323              is relevant if you create a passive TCP socket for ESI or SCN.
324
325       Network.ConnectTimeout
326              This is a timeout value, which specifies the time to wait for  a
327              TCP connection to be established.  It defaults to 60s.
328
329       Network.ReconnectTimeout
330              When  a  connection  attempt  failed,  we  wait for a short time
331              before we try connecting again. This is  intended  to  take  the
332              pressure off overloaded servers. The default value is 10s.
333
334       Network.CallTimeout
335              Total  amount  of  time  to wait before timing out a call to the
336              iSNS server.  The default value is 60s.
337

SEE ALSO

339       RFC 4171, isnsd(8), isnsadm(8).
340

AUTHORS

342       Olaf Kirch <olaf.kirch@oracle.com>
343
344
345
346                                  11 May 2007                   ISNS_CONFIG(8)
Impressum