Operating System - HP-UX

Re: NFS encrypted version?

 
SOLVED
TwoProc
Honored Contributor

NFS encrypted version?

Is there a way to use NFS but have the traffic encrypted between server and client?

If it exists, is it backwards compatible? That is, can some mount points be non-encrypted and some of them be encrypted, in order to keep older connections still running?

Any info appreciated.
We are the people our parents warned us about --Jimmy Buffett
TwoProc
Honored Contributor

Re: NFS encrypted version?

I forgot to mention that the question is for use from HPUX 11.0 server to a RedHat 3.x or 4.x client Linux box.
Olivier Masse
Honored Contributor
Solution

Re: NFS encrypted version?

NFS doesn't support encryption per se. And I wouldn't try a stunt such as NFS-over-SSH as it depends too much on RPC. But IPSec will definitely work.

IPSec is fairly complex to set up initially (especially from one platform to another, e.g. between HP-UX and Solaris), but once it's there, any network application can be easily encrypted and authenticated -- so you'll save time in the long run as you won't need to mess with SSL and custom encryption schemes if you want to add security to something else.

The documentation is here:
http://docs.hp.com/en/internet.html#IPSec

If you stick with HP-UX clients and servers, just follow the examples in the documentation and you'll be set up quickly.

Olivier
Olivier Masse
Honored Contributor

Re: NFS encrypted version?

Er, as you can see, I read your question quickly... I'm pretty sure it will work with Linux, but you'll have to spend more time making things work since you won't be able to plug in the example configuration files directly.
Dave Olker
Neighborhood Moderator

Re: NFS encrypted version?

Hi John,

The "real" encrypted NFS stuff will arrive in HP-UX 11.31 where we'll support various KRB5 flavors for NFS traffic including krb5p. From the nfssec(5) man page:


krb5p   Use Kerberos V5 authentication, integrity checksums, and privacy protection (encryption) on the shared filesystem. This provides the most secure filesystem sharing, as all traffic is encrypted. It should be noted that performance might suffer on some systems when using krb5p, depending on the computational intensity of the encryption algorithm and the amount of data being transferred.


Both the NFS client and server would need to support this security flavor in order for it to work so you'd need to make sure the Red Hat version you're using supports this if you wanted to use it.

Again, this arrives in 11.31. We have no plans to roll this back to 11.0.

Regards,

Dave


I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
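
Added example, not part of the thread or of HP's documentation: since the flavor is chosen per mount, a client can carry krb5p mounts next to older sec=sys ones, and this check reports which NFS mounts on a Linux client actually use krb5p. It assumes the client lists the flavor as a sec= option in /proc/mounts; the host name hpux1 and the export paths are constructed sample data.

```shell
#!/bin/sh
# Classify each NFS mount in a mounts table by its sec= flavor.
# Only krb5p encrypts file data; krb5i adds integrity checksums only;
# krb5 and sys leave the payload readable on the wire.
audit_nfs_sec() {
    # $1: file in /proc/mounts format (defaults to the live table)
    awk '
    $3 == "nfs" || $3 == "nfs4" {
        flavor = "sys"              # assumption: no sec= option means sys
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] ~ /^sec=/) flavor = substr(opt[i], 5)
        if (flavor == "krb5p")      verdict = "ENCRYPTED"
        else if (flavor == "krb5i") verdict = "INTEGRITY-ONLY"
        else                        verdict = "CLEARTEXT"
        printf "%s %s %s %s\n", verdict, flavor, $2, $1
    }' "${1:-/proc/mounts}"
}

# Number of NFS mounts whose data is not encrypted at the NFS layer.
count_unencrypted() {
    audit_nfs_sec "$1" | awk '$1 != "ENCRYPTED" { n++ } END { print n + 0 }'
}

# Constructed sample table: one krb5p mount beside two older ones.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/sda1 / ext3 rw 0 0
hpux1:/export/secure /mnt/secure nfs4 rw,vers=4,proto=tcp,sec=krb5p 0 0
hpux1:/export/audit /mnt/audit nfs4 rw,vers=4,proto=tcp,sec=krb5i 0 0
hpux1:/export/legacy /mnt/legacy nfs rw,vers=3,proto=udp,sec=sys 0 0
EOF

audit_nfs_sec "$sample"
echo "NFS mounts without krb5p: $(count_unencrypted "$sample")"
```

The check only sees the NFS security flavor: a sec=sys mount carried inside an IPSec tunnel, as suggested earlier in the thread, is still reported as CLEARTEXT and has to be verified at the IPSec layer.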
Ivan Pechorin
Advisor

Re: NFS encrypted version?

Hi Dave

Where can I find information on the date when HP-UX 11.31 will be available for HP's business partners (ISV)? Is there something like early access for test and development purposes?

Thanks
Steven E. Protter
Exalted Contributor

Re: NFS encrypted version?

Shalom,

Those of us who aren't going to even think of 11.31 for production unless it's been out a year respectfully ask a question:

What are you thinking, HP? The end of life for 11.11 and 11.23 is nearly a decade away. These systems are going to be around for a while. We want this feature in supported versions of the OS.

It's not going to encourage anyone to upgrade by withholding features, it's going to encourage the flight to Linux.

SEP
Steven E Protter
Dave Olker
Neighborhood Moderator

Re: NFS encrypted version?

Hi Ivan,

I'll investigate how customers and ISVs gain early access to 11.31 bits and get back to you.

Regards,

Dave


TwoProc
Honored Contributor

Re: NFS encrypted version?

Steven, I agree with you.

Let's face it - it is imperative that ALL vendors become more sensitive to a wide range of compliance issues (you name it, and you're beholden to 'em). And not offering it for currently supported OS releases is simply not good enough.

It's one of the things that one could bring up at around hardware upgrade/contract renewal time, etc. (when big dollars are striking the table), that one may make mention that "some other vendor" supplies this product in a secure manner, and suddenly it becomes important to HP.

I'm certainly going to start complaining and pushing for this one real soon now, as I need it to run on HPUX 11.11 TODAY.

Thanks all for the info, and ITWOULDBEGREAT if Steven and others also pushed for this to be back-ported to the other current HPUX releases.
Dave Olker
Neighborhood Moderator

Re: NFS encrypted version?

Ivan Pechorin wrote:
______________________________________________

Where can I find information on the date when HP-UX 11.31 will be available for HP's business partners (ISV)? Is there something like early access for test and development purposes?

______________________________________________


I researched this with the 11.31 team and learned that ISVs can register themselves on HP's Developer & Solution Partner Program site ( http://hp.com/dspp ). Once registered as an ISV, the DSPP folks will qualify the ISV and assist them on getting early 11.31 access.

Hope this helps,

Dave


Ivan Pechorin
Advisor

Re: NFS encrypted version?

Thanks, Dave.

We are in contact with DSPP guys now...