The host on which the GridFTP
door is running has several
network interfaces and is supposed to accept client
connections via all those interfaces. The interfaces might
even belong to separate networks with no routing from one
network to the other.
As long as the data connection is opened by the GridFTP
server (passive FTP mode), there is no problem with having
more than one interface. However, when the client opens the
data connection (active FTP mode), the door (FTP server) has
to supply it with the correct interface it should connect
to. If this is the wrong interface, the client might not be
able to connect to it, because there is no route or the
connection might be inefficient.
Also, since a GridFTP
server has to authenticate with an
X.509
grid certificate and key, there needs to be a separate
certificate and key pair for each name of the host or a
certificate with alternative names. Since each network
interface might have a different name, several certificates
and keys are needed and the correct one has to be used, when
authenticating via each of the interfaces.
Define two domains, one for the internal and one for the
external use. Start a separate loginbroker
, srm
and gridftp
service in these domains.
The srm
and the gridftp
service have to be
configured with the property listen
, only
to listen on the interface they should serve. The locations of
the grid host certificate and key files for the interface have
to be specified explicitly with the properties
dcache.authn.hostcert.cert
and
dcache.authn.hostcert.key
.
Example:
In this example we show a setup for two GridFTP
doors
serving two network interfaces with the hostnames
door-internal
(111.111.111.5) and
door-external
(222.222.222.5) which are
served by two GridFTP
doors in two domains.
[internalDomain] listen=111.111.111.5 dcache.authn.hostcert.cert=/opt/d-cache/etc/interface-cert-internal.pem dcache.authn.hostcert.key=/opt/d-cache/etc/interface-key-internal.pem [internalDomain/loginbroker] loginbroker.cell.name=loginbroker-internal [internalDomain/srm] srm.cell.name=srm-internal srm.protocols.loginbroker=loginbroker-internal srm.net.host=door-internal [internalDomain/ftp] ftp.authn.protocol = gsi ftp.cell.name=GFTP-door-internal dcache.service.loginbroker=loginbroker-internal [externalDomain] listen=222.222.222.5 dcache.authn.hostcert.cert=/opt/d-cache/etc/interface-cert-external.pem dcache.authn.hostcert.key=/opt/d-cache/etc/interface-key-external.pem [externalDomain/loginbroker] loginbroker.cell.name=loginbroker-external [externalDomain/srm] srm.cell.name=srm-external srm.protocols.loginbroker=loginbroker-external srm.net.host=door-external [externalDomain/ftp] ftp.authn.protocol = gsi ftp.cell.name=GFTP-door-external dcache.service.loginbroker=loginbroker-external