ONTAP 9.15.1 commands

vserver fpolicy policy external-engine create

Create an external engine

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The vserver fpolicy policy external-engine create command creates an FPolicy external engine. The cluster uses the external engine to hold configuration information that it needs in order to send notification information to the FPolicy servers. It specifies the primary servers and secondary servers to which the cluster will send notifications. It also specifies FPolicy server related configuration information.

Parameters

-vserver <Vserver Name> - Vserver

This parameter specifies the name of the Vserver on which you want to create an FPolicy external engine.

-engine-name <Engine name> - Engine

This parameter specifies the name of the FPolicy external engine that you want to create. An external engine name can be up to 256 characters long and can contain only ASCII-range alphanumeric characters (a-z, A-Z, 0-9), "_", and ".".

-primary-servers <IP Address>,... - Primary FPolicy Servers

This parameter specifies a list of IP addresses for the primary FPolicy servers to which you want the external engine you create to apply. The -primary-servers parameter is used to specify a list of servers to which to send file access events for a given FPolicy policy. When an administrator configures multiple servers as primary servers, notifications are sent to the FPolicy servers in a round-robin fashion.

-port <integer> - Port Number of FPolicy Service

This parameter specifies the port number for the FPolicy service.

[-secondary-servers <IP Address>,...] - Secondary FPolicy Servers

This parameter specifies a list of IP addresses for the secondary FPolicy servers to which you want the external engine you create to apply. Secondary servers are used only when none of the primary servers is reachable. When an administrator configures multiple servers as secondary servers, notifications are sent to the FPolicy servers in a round-robin fashion. By default, no secondary server is selected.

[-extern-engine-type <External Engine Type>] - External Engine Type

This parameter specifies the type of the external engine, that is, whether the FPolicy server is consulted synchronously or asynchronously. By default, it is synchronous. When set to synchronous, after sending a notification to the external FPolicy server, request processing does not continue until a response is received from the FPolicy server. At that point the request either continues or is denied, depending on whether the response from the FPolicy server permits the requested action. When set to asynchronous, file request processing continues immediately after the notification is sent to the external FPolicy server.

-ssl-option {no-auth|server-auth|mutual-auth} - SSL Option for External Communication

This parameter specifies the SSL option for external communication with the FPolicy server. Possible values include the following:

  • no-auth: When set to no-auth, no authentication takes place. The communication link is established over the TCP protocol.

  • server-auth: When set to server-auth, only the FPolicy server is authenticated by the Vserver. With this option, before creating the FPolicy external engine, the administrator must install the public certificate of the certificate authority (CA) that signed the FPolicy server certificate.

  • mutual-auth: When set to mutual-auth, mutual authentication takes place between the Vserver and the FPolicy server, i.e. the Vserver authenticates the FPolicy server and the FPolicy server authenticates the Vserver. With this option, before creating the FPolicy external engine, the administrator must install the public certificate of the certificate authority (CA) that signed the FPolicy server certificate, along with the public certificate and key file used to authenticate the Vserver.

The public certificate of the certificate authority (CA) that signed the FPolicy server certificate is installed using the security certificate install command with -type set to client_ca. The private key and public certificate required for authentication of the Vserver are installed using the security certificate install command with -type set to server.

[-reqs-cancel-timeout <[<integer>d][<integer>h][<integer>m][<integer>s]>] - Timeout for Canceling a Request (privilege: advanced)

This parameter specifies the timeout for canceling a request, that is, the time interval during which the node waits for a response from the FPolicy server. When this timeout expires, a cancel request is sent to the FPolicy server to cancel the pending request, and the request is then sent to an alternate FPolicy server that is registered for the policy. This timeout helps in handling an FPolicy server that is not responding, which can improve CIFS/NFS client response. It also helps release system resources, since the request is moved from a down or misbehaving FPolicy server to an alternate FPolicy server. The value for this field must be between 0s and 100s. By default, it is 20s.

[-reqs-abort-timeout <[<integer>d][<integer>h][<integer>m][<integer>s]>] - Timeout for Aborting a Request (privilege: advanced)

This parameter specifies the timeout for aborting a request. The value for this field must be between 0s and 200s. By default, it is 40s.

[-status-req-interval <[<integer>d][<integer>h][<integer>m][<integer>s]>] - Interval for Sending Status Requests (privilege: advanced)

This parameter specifies the interval for sending status requests, that is, the interval after which a status request is sent to the FPolicy server. The value for this field must be between 0s and 50s. By default, it is 10s.

[-max-connection-retries <integer>] - Max Reconnect Attempt (privilege: advanced)

This parameter specifies the maximum number of attempts to reconnect to the FPolicy server from a Vserver. It is used to specify the number of times a broken connection will be retried. The value for this field must be between 0 and 20. By default, it is 5.

[-max-server-reqs <integer>] - Maximum Outstanding Requests for FPolicy Server (privilege: advanced)

This parameter specifies the maximum number of outstanding requests for the FPolicy server, that is, the maximum number of requests that will be queued up for the FPolicy server. The value for this field must be between 1 and 10000. The default value is 500, 1000 or 2000 for low-end (< 64 GB memory), mid-end (>= 64 GB memory) and high-end (>= 128 GB memory) platforms respectively.

[-server-progress-timeout <[<integer>d][<integer>h][<integer>m][<integer>s]>] - Timeout for Disconnecting Non-responsive Server (privilege: advanced)

This parameter specifies the timeout for disconnecting non-responsive FPolicy servers. It is used to specify the time interval after which the connection to the FPolicy server is terminated. This happens only when the FPolicy server’s queue contains the maximum allowed number of requests that it can hold in its queue and no response is received within this timeout. The maximum allowed number of requests is either 50 (the default) or the number specified by the -max-server-reqs parameter. The value for this field must be between 1s and 100s. By default, it is 60s.

[-keep-alive-interval <[<integer>d][<integer>h][<integer>m][<integer>s]>] - Interval for Sending Keep-Alive Messages (privilege: advanced)

This parameter specifies the interval in hours (h), minutes (m), or seconds (s) at which keep-alive messages are sent to the FPolicy server. Keep-alive messages are used to detect half-open connections. The range of supported values for this field is 10 through 600 (h, m, or s). Alternatively, the value can be set to 0, which disables keep-alive messages and prevents them from being sent to the FPolicy servers. The default value for this field is 120s.

[-certificate-common-name <FQDN or Custom Common Name>] - FQDN or Custom Common Name

This parameter specifies the certificate name as a fully qualified domain name (FQDN) or custom common name. The certificate is used if SSL authentication between the Vserver and the FPolicy server is configured.

[-certificate-serial <text>] - Serial Number of Certificate

This parameter specifies the serial number of the certificate used for authentication if SSL authentication between the Vserver and the FPolicy server is configured.

[-certificate-ca <text>] - Certificate Authority

This parameter specifies the certificate authority (CA) name of the certificate used for authentication if SSL authentication between the Vserver and the FPolicy server is configured.

[-recv-buffer-size <integer>] - Receive Buffer Size (privilege: advanced)

This parameter specifies the receive buffer size of the connected socket for the FPolicy server. The default value is 256 kilobytes (KB). When the value is set to 0, the size of the receive buffer is set to a value defined by the system. For example, if the default receive buffer size of the socket is 65536 bytes, setting the tunable value to 0 sets the socket buffer size to 65536 bytes. You can use any non-default value to set the size (in bytes) of the receive buffer.

[-send-buffer-size <integer>] - Send Buffer Size (privilege: advanced)

This parameter specifies the send buffer size of the connected socket for the FPolicy server. The default value is 1 Mb. When the value is set to 0, the size of the send buffer is set to a value defined by the system. For example, if the default send buffer size of the socket is 65536 bytes, setting the tunable value to 0 sets the socket buffer size to 65536 bytes. You can use any non-default value to set the size (in bytes) of the send buffer.

[-session-timeout <[<integer>d][<integer>h][<integer>m][<integer>s]>] - Session ID Purge Timeout During Reconnection (privilege: advanced)

This parameter specifies the interval after which a new session ID is sent to the FPolicy server during reconnection attempts. The value for this field must be between 0s and 200s. The default value is 10 seconds. If the connection between the storage controller and the FPolicy server is terminated and the reconnection is made within the -session-timeout interval, the old session ID is sent to the FPolicy server so that it can still send responses for the old notifications.

[-is-resiliency-enabled {true|false}] - Is Resiliency Feature Enabled

This parameter specifies whether the resiliency feature is enabled. When this parameter is set to true and all the primary and secondary servers are down, or no response is received from the FPolicy servers, file access events are stored inside the storage controller under the specified -resiliency-directory-path. To prevent file access events from being stored under these circumstances, set this parameter to false. By default, it is false.

[-resiliency-max-retention-duration <[<integer>d][<integer>h][<integer>m][<integer>s]>] - Maximum Notification Retention Duration

This parameter specifies the duration for which the notifications are written to files inside the storage controller during network outage. The value for this field must be between 0s and 600s. By default, it is set to 180s.

[-resiliency-directory-path <text>] - Directory for Notification Storage

This parameter specifies the directory path, within the -vserver namespace, under which notifications are stored in files whenever a network outage occurs.

[-extern-engine-format {xml|protobuf}] - External Engine Format

This parameter specifies the format of the FPolicy notification messages sent to the external engine. Valid values are xml and protobuf. The default value for this parameter is xml. When set to protobuf, the notification messages are encoded in binary form using Google Protobuf. Before setting this to protobuf, ensure that the FPolicy server also supports Protobuf deserialization.

Examples

The following example creates an FPolicy external engine.

cluster1::> vserver fpolicy policy external-engine create -vserver vs1.example.com -engine-name new_engine -primary-servers 1.1.1.1 -port 10 -secondary-servers 2.2.2.2 -ssl-option mutual-auth -extern-engine-type synchronous -extern-engine-format xml -certificate-serial 8DDE112A114D1FBC -certificate-common-name Sample1-FPolicy-Client -certificate-ca TASample1

cluster1::> vserver fpolicy policy external-engine show -vserver vs1.example.com -engine-name new_engine
                              Vserver: vs1.example.com
                               Engine: new_engine
              Primary FPolicy Servers: 1.1.1.1
       Port Number of FPolicy Service: 10
            Secondary FPolicy Servers: 2.2.2.2
                 External Engine Type: synchronous
               External Engine Format: xml
SSL Option for External Communication: mutual-auth
           FQDN or Custom Common Name: Sample1-FPolicy-Client
                        Serial Number: 8DDE112A114D1FBC
                Certificate Authority: TASample1
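As an added example (not part of this page and not NetApp's code), the following Python script encodes the constraints stated in the Parameters section as a lint pass over a create-command parameter set: the engine-name character set and length, the timeout and count ranges, the Vserver certificate required for mutual-auth, the directory required when resiliency is enabled, and a warning when ssl-option is no-auth or no secondary servers are configured. It also renders a parameter set as the create command from the Examples section and parses the "show" output above into a dictionary. The 1-65535 port check and the requirement that mutual-auth name all three certificate parameters are assumptions of this example, and the two sample parameter sets are constructed here: the page's own example and a deliberately weak variant.

```python
import re
from typing import Dict, List

# Added example, not NetApp code: lint an external-engine parameter set against this page.
_DURATION_RE = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")
_ENGINE_NAME_RE = re.compile(r"^[A-Za-z0-9_.]{1,256}$")  # ASCII alphanumerics, "_", "."; max 256
# Allowed ranges in seconds, from the parameter descriptions on this page.
_SECONDS_RANGES = {
    "reqs-cancel-timeout": (0, 100), "reqs-abort-timeout": (0, 200),
    "status-req-interval": (0, 50), "server-progress-timeout": (1, 100),
    "session-timeout": (0, 200), "resiliency-max-retention-duration": (0, 600),
}
_INTEGER_RANGES = {"max-connection-retries": (0, 20), "max-server-reqs": (1, 10000)}
_REQUIRED = ("vserver", "engine-name", "primary-servers", "port", "ssl-option")
_VSERVER_CERT = ("certificate-common-name", "certificate-serial", "certificate-ca")


def parse_duration(text: str) -> int:
    """Convert ONTAP's [<int>d][<int>h][<int>m][<int>s] syntax (e.g. "1m30s") to seconds."""
    m = _DURATION_RE.match(text.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"invalid duration: {text!r}")
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def lint_engine(params: Dict[str, str]) -> List[str]:
    """Return findings for a create-command parameter set (keys without the leading dash)."""
    findings = [f"missing required parameter -{k}" for k in _REQUIRED if k not in params]
    name = params.get("engine-name", "")
    if name and not _ENGINE_NAME_RE.match(name):
        findings.append("engine-name must be 1-256 ASCII alphanumerics, '_' or '.'")
    port = params.get("port")
    if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("port must be a TCP port number (1-65535)")  # assumption: generic TCP range
    ssl = params.get("ssl-option")
    if ssl == "no-auth":
        findings.append("ssl-option no-auth: plain TCP, the FPolicy server is never "
                        "authenticated; prefer server-auth or mutual-auth")
    elif ssl == "mutual-auth":  # assumption: the Vserver certificate must be named explicitly
        for key in _VSERVER_CERT:
            if key not in params:
                findings.append(f"mutual-auth needs the Vserver certificate identified by -{key}")
    elif ssl not in ("server-auth", None):
        findings.append(f"unknown ssl-option {ssl!r}")
    if "secondary-servers" not in params:
        findings.append("no secondary-servers: no failover target when all primaries are down")
    if params.get("is-resiliency-enabled") == "true" and "resiliency-directory-path" not in params:
        findings.append("is-resiliency-enabled true requires -resiliency-directory-path")
    for key, (lo, hi) in _SECONDS_RANGES.items():
        if key in params:
            try:
                secs = parse_duration(params[key])
            except ValueError as exc:
                findings.append(f"{key}: {exc}")
                continue
            if not lo <= secs <= hi:
                findings.append(f"{key} must be between {lo}s and {hi}s (got {secs}s)")
    for key, (lo, hi) in _INTEGER_RANGES.items():
        value = params.get(key)
        if value is not None and not (value.isdigit() and lo <= int(value) <= hi):
            findings.append(f"{key} must be between {lo} and {hi} (got {value})")
    return findings


def build_create_command(params: Dict[str, str]) -> str:
    """Render the parameter set as the CLI line shown in the Examples section."""
    args = " ".join(f"-{k} {v}" for k, v in params.items())
    return f"vserver fpolicy policy external-engine create {args}"


def parse_show_output(text: str) -> Dict[str, str]:
    """Parse the 'Label: value' block printed by 'external-engine show' into a dict."""
    fields = {}
    for line in text.splitlines():
        if "::>" in line or ":" not in line:  # skip the CLI prompt line and blank lines
            continue
        label, _, value = line.partition(":")
        fields[label.strip()] = value.strip()
    return fields


# Constructed inputs: the page's own example, and a deliberately weaker configuration.
PAGE_EXAMPLE = {
    "vserver": "vs1.example.com", "engine-name": "new_engine", "primary-servers": "1.1.1.1",
    "port": "10", "secondary-servers": "2.2.2.2", "ssl-option": "mutual-auth",
    "extern-engine-type": "synchronous", "extern-engine-format": "xml",
    "certificate-serial": "8DDE112A114D1FBC", "certificate-common-name": "Sample1-FPolicy-Client",
    "certificate-ca": "TASample1",
}
WEAK_EXAMPLE = {
    "vserver": "vs1.example.com", "engine-name": "weak engine", "primary-servers": "1.1.1.1",
    "port": "10", "ssl-option": "no-auth", "is-resiliency-enabled": "true",
    "reqs-cancel-timeout": "150s", "max-server-reqs": "20000",
}

if __name__ == "__main__":
    print(build_create_command(PAGE_EXAMPLE))
    for finding in lint_engine(WEAK_EXAMPLE):
        print("finding:", finding)
```

Run as a script, it prints the create command for the page's example (which produces no findings) and six findings for the weak variant: the space in the engine name, the unauthenticated no-auth link, the absence of secondary servers, resiliency enabled without a directory, a cancel timeout above 100s, and a queue depth above 10000. The same lint can be applied to a parsed "show" block after mapping its labels back to parameter names.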