vserver fpolicy policy external-engine modify

Modify an external engine

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The vserver fpolicy policy external-engine modify command modifies an FPolicy external engine. The cluster uses the external engine to hold configuration information that it needs in order to send notification information to the FPolicy servers. It specifies the primary servers and secondary servers to which the cluster will send notifications. It also specifies FPolicy server related configuration information.

Parameters

-vserver <Vserver Name> - Vserver
This parameter specifies the name of the Vserver on which you want to modify an FPolicy external engine.
-engine-name <Engine name> - Engine
This parameter specifies the name of the FPolicy external engine that you want to modify. An external engine name can be up to 256 characters long. An external engine name is a string that can only contain any combination of ASCII-range alphanumeric characters (a-z, A-Z, 0-9), "_", and "." .
[-primary-servers <IP Address>, ...] - Primary FPolicy Servers
This parameter specifies a list of IP addresses for the primary FPolicy servers to which you want the external engine you modify to apply. The -primary-servers parameter is used to specify a list of servers to which to send file access events for a given FPolicy policy. When an administrator configures multiple servers as primary servers, notifications are sent to the FPolicy servers in a round-robin fashion.
[-port <integer>] - Port Number of FPolicy Service
This parameter specifies the port number for the FPolicy service.
[-secondary-servers <IP Address>, ...] - Secondary FPolicy Servers
This parameter specifies a list of IP addresses for the secondary FPolicy servers to which you want the external engine you modify to apply. Secondary servers will be used only when all the primary servers are not reachable. When an administrator configures multiple servers as secondary servers, notifications are sent to FPolicy server in a round-robin fashion. By default, no secondary server is selected.
[-extern-engine-type <External Engine Type>] - External Engine Type
This parameter specifies the type of the external engine. This specifies how the FPolicy server should behave, synchronously or asynchronously. By default, it is synchronous in nature. When set to synchronous, after sending a notification to the external FPolicy server, request processing does not continue until after receiving a response from the FPolicy server. At that point request flow either continues or processing results in denial, depending on whether the response from the FPolicy server permits the requested action. When set to asynchronous, after sending a notification to the external FPolicy server, file request processing continues.
[-ssl-option {no-auth|server-auth|mutual-auth}] - SSL Option for External Communication
This parameter specifies the SSL option for external communication with the FPolicy server. Possible values include the following:
  • no-auth : When set to no-auth, no authentication takes place. The communication link is established over the TCP protocol.
  • server-auth : When set to server-auth, only the FPolicy server is authenticated by the Vserver. With this option, before creating the FPolicy external engine, the administrator must install the public certificate of the certificate authority (CA) that signed the FPolicy server certificate.
  • mutual-auth : When set to mutual-auth, mutual authentication takes place between the Vserver and the FPolicy server, i.e. authentication of the FPolicy server by the Vserver along with authentication of the Vserver by the FPolicy server. With this option, before creating the FPolicy external engine, the administrator must install the public certificate of the certificate authority (CA) that signed the FPolicy server certificate along with the public certificate and key file for authentication of the Vserver.

The public certificate of certificate authority (CA) that is used to sign the FPolicy server certificate is installed using the security certificate install command with -type set to client_ca. The private key and public certificate required for authentication of the Vserver is installed using the security certificate install command with -type set to server.

[-reqs-cancel-timeout <[<integer>h][<integer>m][<integer>s]>] - Timeout for Canceling a Request (privilege: advanced)
This parameter specifies the timeout for canceling a request. It is used to specify the time interval in which the node waits for a response from the FPolicy server. Beyond this timeout, a cancel request is sent to the FPolicy server to cancel the pending request. The request is then sent to an alternate FPolicy server that is registered for the policy. This timeout helps in handling a FPolicy server that is not responding, which can improve CIFS/NFS client response. Also, this feature can help in releasing of system resources since the request is moved from a down/bad FPolicy server to an alternate FPolicy server. The value for this field must be between 0s and 100s. By default, it is 20s.
[-reqs-abort-timeout <[<integer>h][<integer>m][<integer>s]>] - Timeout for Aborting a Request (privilege: advanced)
This parameter specifies the timeout for aborting a request. The value for this field must be between 0s and 200s. By default, it is 40s.
[-status-req-interval <[<integer>h][<integer>m][<integer>s]>] - Interval for Sending Status Requests (privilege: advanced)
This parameter specifies the interval for sending status requests. It is used to specify the interval after which a status request will be send to the FPolicy server. The value for this field must be between 0s and 50s. By default, it is 10s.
[-max-connection-retries <integer>] - Max Reconnect Attempt (privilege: advanced)
This parameter specifies the maximum number of attempts to reconnect to the FPolicy server from a Vserver. It is used to specify the number of times a broken connection will be retried. The value for this field must be between 0 and 20. By default, it is 5.
[-max-server-reqs <integer>] - Maximum Outstanding Requests for FPolicy Server (privilege: advanced)
This parameter specifies the maximum number of outstanding requests for the FPolicy server. It is used to specify the maximum outstanding requests that will be queued up for the FPolicy server. The value for this field must be between 1 and 10000. By default, it is 50.
[-server-progress-timeout <[<integer>h][<integer>m][<integer>s]>] - Timeout for Disconnecting Non-responsive Server (privilege: advanced)
This parameter specifies the timeout for disconnecting non-responsive FPolicy servers. It is used to specify the time interval after which the connection to the FPolicy server is terminated. This happens only when the FPolicy server's queue contains the maximum allowed number of requests that it can hold in its queue and no response is received within this timeout. The maximum allowed number of requests is either 50 (the default) or the number specified by the -max-server-reqs parameter. The value for this field must be between 1s and 100s. By default, it is 60s.
[-keep-alive-interval <[<integer>h][<integer>m][<integer>s]>] - Interval for Sending Keep-Alive Messages (privilege: advanced)
This parameter specifies the interval in hours (h), minutes (m), or seconds (s) at which keep-alive messages are sent to the FPolicy server. Keep-alive messages are used to detect half-open connections. The range of supported values for this field is 10 through 600 (h, m, or s). Alternatively, the value can be set to 0, which disables keep-alive messages and prevents them from being sent to the FPolicy servers. The default value for this field is 120s.
[-certificate-common-name <FQDN or Custom Common Name>] - FQDN or Custom Common Name
This parameter specifies the certificate name as a fully qualified domain name (FQDN) or custom common name. The certificate is used if SSL authentication between the Vserver and the FPolicy server is configured.
[-certificate-serial <text>] - Serial Number of Certificate
This parameter specifies the serial number of the certificate used for authentication if SSL authentication between the Vserver and the FPolicy server is configured.
[-certificate-ca <text>] - Certificate Authority
This parameter specifies the certificate authority (CA) name of the certificate used for authentication if SSL authentication between the Vserver and the FPolicy server is configured.
[-recv-buffer-size <integer>] - Receive Buffer Size (privilege: advanced)
This parameter specifies the receive buffer size of the connected socket for the FPolicy server. The default value is set to 256 kilobytes (Kb). When the value is set to 0, the size of the receive buffer is set to a value defined by the system. For example, if the default receive buffer size of the socket is 65536 bytes, by setting the tunable value to 0, the socket buffer size is set to 65536 bytes. You can use any non-default value to set the size (in bytes) of the receive buffer.
[-send-buffer-size <integer>] - Send Buffer Size (privilege: advanced)
This parameter specifies the send buffer size of the connected socket for the FPolicy server. The default value is set to 256 kilobytes (Kb). When the value is set to 0, the size of the send buffer is set to a value defined by the system. For example, if the default send buffer size of the socket is set to 65536 bytes, by setting the tunable value to 0, the socket buffer size is set to 65536 bytes. You can use any non-defualt value to set the size (in bytes) of the send buffer.
[-session-timeout <[<integer>h][<integer>m][<integer>s]>] - Session ID Purge Timeout During Reconnection (privilege: advanced)
This parameter specifies the interval after which a new session ID is sent to the FPolicy server during reconnection attempts. The value for this field must be between 0s and 200s. The default value is set to 10 seconds. If the connection between the storage controller and the FPolicy server is terminated and reconnection is made within the -session-timeout interval, the old session ID is sent to FPolicy server so that it can send responses for old notifications.
[-is-resiliency-enabled {true|false}] - Is Resiliency Feature Enabled
This parameter specifies whether the resiliency feature is enabled. When this parameter is set to true and all the primary and secondary servers are down, or no response is received from the FPolicy servers, file access events are stored inside the storage controller under the specified -resiliency-directory-path. To deny the file access events from being stored under these circumstances, set this parameter to false. By default, it is false.
[-resiliency-max-retention-duration <[<integer>h][<integer>m][<integer>s]>] - Maximum Notification Retention Duration
This parameter specifies the duration for which the notifications are written to files inside the storage controller during network outage. The value for this field must be between 0s and 600s. By default, it is set to 180s.
[-resiliency-directory-path <text>] - Directory for Notification Storage
This parameter specifies the directory path under the -vserver namespace, where notifications are stored in the files whenever network outage happens.

Examples

The following example modifies an FPolicy external engine.

cluster1::> vserver fpolicy policy external-engine modify -vserver vs1.example.com -engine-name new_engine -primary-servers 1.1.1.1 -port 10 -secondary-servers 2.2.2.2

cluster1::> vserver fpolicy policy external-engine show -vserver vs1.example.com -engine-name new_engine

                              Vserver: vs1.example.com
                               Engine: new_engine
              Primary FPolicy Servers: 1.1.1.1
       Port Number of FPolicy Service: 10
            Secondary FPolicy Servers: 2.2.2.2
                 External Engine Type: synchronous
SSL Option for External Communication: mutual-auth
           FQDN or Custom Common Name: Sample1-FPolicy-Client
                        Serial Number: 8DDE112A114D1FBC
                Certificate Authority: TASample1
        

The following example shows how to modify -recv-buffer-size and -send-buffer-size to a non-default value of 0.

cluster1::*> vserver fpolicy policy external-engine modify -vserver vs1.example.com -engine-name new_engine -recv-buffer-size 0 -send-buffer-size 0