The Livermore Computing (LC) file interchange service (FIS) allows LC users to transfer files between the unclassified Open Computing Facility (OCF)—both the Collaboration Zone (CZ) and the Restricted Zone (RZ)—and the classified iSNSI and Secure Computing Facility (SCF). This document describes how FIS works and how to use it effectively.
Two implementations of FIS are available. One implementation uses an electronic One Way Link (OWL), and the other uses tape technology. The OWL implementation is unidirectional, is much faster, and is used for transfers from the OCF CZ and RZ to either the iSNSI or SCF networks. The tape technology FIS is bidirectional and is primarily used for transfers from the SCF to the OCF. On the iSNSI network, OWL is available for transfers from the OCF to the iSNSI network and Pinot cluster, and a tape implementation is available for transfers between the OCF and the iSNSI network and Pinot cluster.
Note: Throughout this document, the OWL implementation of FIS is referred to as FastFIS, while the tape implementation of FIS is referred to as TapeFIS.
For help, contact the LC Hotline at 925-422-4531 or via e-mail (OCF: lc-hotline@llnl.gov, SCF: lc-hotline@llnl.gov).
Quick Start Guide to FIS
Open to Secure (SCF)
Step 1: Request FIS account
- Choose “Transfer from OCF to SCF” or “Transfer from OCF to SNSI” service
- Be sure to obtain the signature of your specific computer coordinator
Step 2: Put files into open-side FIS:
CZ-only Users | RZ Users |
---|---|
sftp fis (PIN and LLNL RSA token) | sftp rzfis (PIN and RZ RSA token) |
cd TO | cd TO |
put <filename> | put <filename> |
exit | exit |
Step 3: Retrieve files from closed-side FIS:
SCF Users |
---|
sftp fis (PIN and LLNL RSA token) |
cd FROM |
get <filename> |
exit |
Secure to Open
Step 1: Request FIS account
- Choose “Transfer from SCF to OCF” or “Transfer from SNSI to OCF” service
- Be sure to obtain the signature of your specific computer coordinator
Step 2: Put files into closed-side FIS
SCF Users |
---|
ftp tapefis (PIN and LLNL RSA token) |
cd TO |
put <filename> |
exit |
Step 3: Contact your designated FIS DC to perform the classification review and processing. Once they inform you the review is complete and the file was submitted, wait 1-2 hours for the transfer to occur.
Step 4: Retrieve file from open-side FIS
CZ-only Users | RZ Users |
---|---|
ftp tapefis (PIN and LLNL RSA token) | ftp rztapefis (PIN and RZ RSA token) |
FIS Overview
There are four FIS servers, one in each environment (i.e., CZ, RZ, iSNSI, and SCF). For the user, each server represents the place to which files are submitted for transfer and the place from which to retrieve files that have been transferred.
To utilize the OWL FIS, users should connect to the fis.llnl.gov server. To utilize the tape FIS system, users should connect to the tapefis.llnl.gov server. Please also note that the server name fastfis.llnl.gov is an alias for fis.llnl.gov.
FastFIS service is unidirectional from the OCF to the SCF or from the OCF to the iSNSI; there is no SCF to OCF FastFIS. Files are queued for transfer within 5 minutes of submission to FastFIS, and typically arrive within 10-15 minutes. No user notification will be sent when the files reach their destination. TapeFIS service is bidirectional, and although the transfer mechanism is the same in both directions, the user interface and operational aspects are different for SCF to OCF transfers. This is because of the asymmetric need to verify that only unclassified content moves from the secure to the open network - this need is met by having your organization's Derivative Classifiers (DCs) inspect the transferred files and approve their transfer before they are sent. For users on the iSNSI network, both TapeFIS and OWL FIS are available. See the section in this manual on the iSNSI Network for more information.
Users cannot have accounts on both CZFastFIS and RZFastFIS. To connect to a FIS server, an FTP or SFTP/SCP client must be used, either from the command line or via Hopper - note that ssh login connections to FIS servers are not allowed.
The tables below provide the hostnames for the various FIS services. Use TapeFIS only for very large one-time data transfers from the OCF to the SCF or when moving files from the SCF to the OCF. For details about file transfers from the SCF to the OCF using TapeFIS, see Secure-to-Open Transfers.
FIS (aka. FastFIS) Hostnames
Transfer Originating From | Server Name | Alias |
---|---|---|
OCF CZ | fis.llnl.gov | fastfis, fis |
OCF RZ | rzfis.llnl.gov | rzfastfis, rzfis |
SCF retrieval | fis.llnl.gov | fastfis, fis |
See the Using FIS section below for details.
TapeFIS Hostnames
Use TapeFIS only for very large one-time data transfers from the OCF to the SCF or when moving files from the SCF to the OCF.
Transfer Originating From | Server Name | Alias |
---|---|---|
OCF CZ | tapefis.llnl.gov | tapefis |
OCF RZ | rztapefis.llnl.gov | rztapefis |
SCF retrieval | tapefis.llnl.gov | tapefis |
See the Using FIS section below for details.
Users and Authentication
The diagram below identifies the FIS servers and the authentication and login methods on the OCF.
Which FIS server to use on the OCF depends upon whether a user is CZ-only, RZ-only, or both CZ and RZ.
CZ-only Users
- Connect to fis.llnl.gov located on the CZ.
- May connect to FIS from the CZ or the EN.
- Allowed connection methods: FTP, SFTP, SCP, Hopper (use the "Connect to FastFIS" menu option).
- Authentication methods: LLNL RSA token/OTP password, Kerberos password of the day (POD), or SSH keys from a CZ cluster.
- NOTE: Off-site access, even over VPN, is prohibited.
RZ-only Users or CZ/RZ Users
- Connect to rzfis.llnl.gov located on the RZ.
- May connect to FIS from the RZ or the EN.
- Allowed connection methods: FTP, SFTP, SCP, Hopper (use the Connect to Rzfastfis (RZFIS) menu option).
- Authentication methods: RZ RSA Token, SSH keys from an RZ cluster only.
- NOTE: Off-site access, even over VPN, is prohibited.
Usage Restrictions
- You cannot use NFT to connect to FIS.
- LC uses its hardware/software security firewalls to block FTP connections from machines outside the llnl.gov domain to LC machines within llnl.gov (including FIS). Such FTP blocking means that you must start your FTP client on a host within the LLNL domain (i.e., llnl.gov).
- FIS automatically changes some characters in a file's name (not body) during transfer. See the section on "FIS and File Names" for details and a work-around.
- FIS will not accept connections from hosts which aren't registered properly in DNS. If a reverse lookup of a connecting host's IP address fails, the connection will fail.
- There is no per-file FIS size limit, but there are system limitations (e.g., available disk, checksumming time). FastFIS capacity is 1 TB and TapeFIS is 3 TB.
- FIS cannot process a directory. Make a TAR file instead.
- The maximum number of simultaneous FTP connections to FastFIS is 25 (with SFTP, no maximum). While often an invisible limit, this may prevent your reaching the FastFIS server during busy file-exchange periods.
Requesting a FIS Account
To use FIS, you must already have an account and valid password for at least one open and one secure machine. Before your first use of FIS, you must request access via the File Interchange Service form. This form creates your FIS account. It needs Computer Coordinator approval for open-to-secure transfers, and it needs division or department head approval for secure-to-open transfers (which a DC always monitors). OCF (CZ/RZ)-to-SCF FIS and OCF (CZ/RZ)-to-iSNSI accounts do not expire once approved; however, SCF-to-OCF FIS accounts must be renewed annually, and failure to promptly renew them will cause LC to close the account.
Any user can receive authorization to move files from the open to the secure network. To receive authorization to move files from the secure to the open network, you must specify the kinds of files to be moved and obtain the approval of your division leader or department head (in the appropriate places on the FIS form). The instructions on the FIS form remind you of these requirements in relation to each blank.
Once you are authorized, you will be able to use your current authenticator-generated one-time password (RSA SecurID OTP for CZ-only users; RZ OTP for RZ-only and CZ/RZ users) to access the corresponding FIS server. On the SCF, the FIS server uses the password you use for SCF production machines. Each user of FIS has an account on both OCF (CZ or RZ) and SCF servers. A prerequisite for this is an established user record for LC's SCF. The user name for your FIS account is the same as your user name for any LC machine.
How To Use FIS
All users of FIS are permitted to transfer from the OCF (CZ/RZ) to the SCF. On the FIS server, each user has a private work space. The work space on the CZ and RZ FIS servers consists of two subdirectories named TO and FROM. The TO directory is where a user places files to be transferred to the SCF. The FROM directory is where files will appear on the SCF after transfer.
Only the procedure for a FastFIS transfer from the OCF (CZ/RZ) to the SCF is described in this section. The TapeFIS transfer from the SCF to the OCF follows a similar pattern but requires DC review. See Secure-to-Open Transfers for more information.
FIS and File Name Restrictions
When FIS moves files from one server to another, it automatically changes some characters in each file name (not in the body of the file, just in the file name) to avoid characters troublesome to some UNIX file-handling utilities. The table below shows which file name characters are changed during a transfer.
File Name Character | Changes To |
---|---|
alphabetic | no change |
numeric | no change |
internal . (dot) | no change |
leading . (dot) | _ (underscore) |
All others (includes space, hyphen, quote) | _ (underscore) |
Users' file-handling scripts and commands need to take account of these changes in file name characters (on the receiving side) to avoid losing or omitting some FastFIS-transferred files. To preserve the special characters in a file's name unchanged, use the UNIX TAR utility to embed the file inside a TAR output file, transfer the TAR file with FTP (in Binary mode, required) to FastFIS, then run TAR again on the receiving side to extract the original file with its original name. (Changing your FastFIS access software from FTP to SFTP or Hopper has no effect on the file name changes described here.)
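The renaming rules in the table can be applied to a file listing before submission, to see which names will change and which distinct names would end up identical on the receiving side. The script below is an added example, not LC code; the function names are hypothetical, and it assumes "alphabetic" and "numeric" mean ASCII letters and digits, with every other byte treated as "all others".

```shell
#!/bin/sh
# Added example, not LC code. Predicts FIS renames from the table above.
# Assumption: "alphabetic"/"numeric" mean ASCII letters and digits, and every
# other byte (including non-ASCII) falls under "all others".

fis_name() {
    # Print the name FIS is expected to give the file name in $1.
    _n=$(printf '%s' "$1" | LC_ALL=C tr -c 'A-Za-z0-9.' '_')
    case $_n in
        .*) _n="_${_n#.}" ;;   # leading dot -> underscore, internal dots stay
    esac
    printf '%s\n' "$_n"
}

fis_renames() {
    # stdin: one file name per line. stdout: "old -> new" for names that change.
    while IFS= read -r _f; do
        _new=$(fis_name "$_f")
        [ "$_f" = "$_new" ] || printf '%s -> %s\n' "$_f" "$_new"
    done
}

fis_collisions() {
    # stdin: one file name per line. stdout: each predicted name that two or
    # more distinct inputs would share on the receiving side.
    sort -u | while IFS= read -r _f; do
        fis_name "$_f"
    done | sort | uniq -d
}

# Constructed sample listing (not real LC file names).
sample_names() {
    cat <<'EOF'
run-1.out
run_1.out
run 1.out
.profile
results.tar.gz
EOF
}

sample_names | fis_renames
echo "colliding names:"
sample_names | fis_collisions
```

Any name reported by `fis_collisions` is a candidate for the TAR work-around described above, since the page does not say how FIS handles two files that arrive under the same name.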
Depositing Open-to-Secure Files
FastFIS does not accept file transfers using NFT; you must use FTP or SFTP/SCP. Hopper may also be used. (Use the "Connect to FastFIS" or "Connect to RZFastFIS" options in Hopper's Connect menu.) If your files are not already on an llnl.gov machine, you must run FTP or Hopper on an llnl.gov machine to first get your files from outside. Files with blanks (spaces), or those with non-ASCII characters in their names (such as some Macintosh files), will not be handled properly on UNIX machines. See the FIS and File Names section on how FIS handles all file names.
If you have one or more files you wish to transfer from the OCF (CZ/RZ) to the iSNSI or SCF, you must first gain access to the machine that has the file(s) and cd to the directory that contains the file(s). You submit files by using Hopper, FTP or SFTP/SCP to make a copy of a file from your local machine onto the transfer machine. For CZ-only users: Initiate the FTP, SFTP/SCP client software or Hopper and connect to fastfis.llnl.gov, authenticating via RSA OTP. For RZ/CZ-RZ users: Connect to rzfastfis.llnl.gov, authenticating via RZ RSA token. After you have connected to fastfis.llnl.gov/rzfastfis.llnl.gov, change to your TO directory so that you can submit files for transfer. A binary transfer will copy the file from the local machine to the transfer machine unchanged. In most cases you will want to select the binary transfer mode. FIS treats all files as binary files and does not perform any data translation.
Due to security requirements, FIS systems will not accept direct connections from systems that are off site, even if VPN is running. If you are off-site, you will need to make a remote connection to a host on-site in order to connect to FIS.
NOTE: It is the responsibility of each user to be mindful of the data transferred and to safeguard against viruses, worms, trojan horses, and other hazards. In addition, the user should ensure that the file content faithfully represents that which the user is attempting to copy.
After copies of your local file(s) are put into the TO directory, they will be queued for transfer within 5 minutes of submission to FastFIS. No user notification will be sent when the files reach their destination. On FastFIS, the individual TO directories are scanned periodically and submitted file(s) are moved as a batch to a transfer area. The files are then automatically transferred across the OWL to the server on the SCF and deposited in the FROM directory. The file transfer time depends on the size of your files and the size of the files in the queue ahead of yours. Batches are transferred in a FIFO (first-in-first-out) manner, but within a batch, files may be transferred in any order.
If transferring files using TapeFIS, the individual TO directories are scanned periodically and your submitted file(s) are moved to a central collection area. The LC Operations staff monitors this collection area, and they will write a transfer tape (depending on the age and amount of accumulated files). (The separation between open and secure systems is maintained while files are transferred across it by copying the files to tape and physically moving those tapes from the open TapeFIS server to its counterpart on the SCF.) Files are generally transferred within 4 hours. You will receive a transfer notification via e-mail message on the OCF confirming that your files have arrived on the SCF.
Claiming Open-to-Secure
Retrieve files on the SCF by using SFTP/SCP, FTP or Hopper to make a copy of a file from the transfer server to your local machine (note: FTP is required for connections to tapefis on the SCF). Initiate the FTP client software, connect to fis.llnl.gov, and complete the authentication process (by specifying a user name and SCF password). After you have connected to fis.llnl.gov, change to your FROM directory and list the file(s) in the directory. Use FTP to get a copy of the file from the transfer server and store it on your local machine. A binary transfer will copy the file from the local machine to the transfer machine unchanged. (In most cases, you will want to select the binary transfer mode.)
Because the transfer server has a finite amount of space and transfers will be impacted if file space is low, it is a good idea to delete the files from the FROM directory once you have retrieved and stored them on your local machine. After several days, files left in the FROM directory will be automatically purged.
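Because FIS cannot process a directory and rewrites file names, and because users are responsible for confirming that what arrives matches what was sent, one approach is to stage a single TAR file with a checksum file beside it and to verify both after retrieval. The script below is an added example, not LC tooling; the function names, bundle name and paths are hypothetical, and it assumes tar and GNU coreutils sha256sum are available on both the sending and receiving hosts.

```shell
#!/bin/sh
# Added example, not LC tooling. Assumes tar and GNU coreutils sha256sum exist
# on both the sending and the receiving host.

fis_pack() {
    # Usage: fis_pack <source-dir> <stem> <out-dir>
    # Writes <out-dir>/<stem>.tar and <out-dir>/<stem>.tar.sha256. The stem
    # may contain only letters, digits, internal dots and underscores, so FIS
    # delivers both files under the names recorded in the checksum file.
    case $2 in
        ''|.*|*[!A-Za-z0-9._]*)
            echo "fis_pack: bundle name would be rewritten by FIS: $2" >&2
            return 1 ;;
    esac
    tar -cf "$3/$2.tar" -C "$(dirname "$1")" "$(basename "$1")" || return 1
    ( cd "$3" && sha256sum "$2.tar" > "$2.tar.sha256" )
}

fis_verify() {
    # Usage: fis_verify <dir> <stem>
    # Run where the files were stored after "get". Succeeds only if the
    # tar file matches its recorded SHA-256 and is a readable archive.
    ( cd "$1" && sha256sum -c "$2.tar.sha256" >/dev/null 2>&1 ) || return 1
    tar -tf "$1/$2.tar" >/dev/null 2>&1
}

# Paths and the bundle name below are placeholders.
# Sending side (OCF):   fis_pack ./results results.v1 /tmp/stage
#                       sftp: cd TO, put results.v1.tar, put results.v1.tar.sha256
# Receiving side (SCF): sftp: cd FROM, get both files
#                       fis_verify . results.v1 && tar -xf results.v1.tar
```

Files inside the archive keep their original names, including spaces and leading dots, because FIS only rewrites the name of the TAR file itself.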
Example Using OWL/FastFIS/FIS
Sending (CZ-only Users) | Sending (RZ Users) | Retrieving (SCF or SNSI) |
---|---|---|
sftp fis (PIN and LLNL RSA token) | sftp rzfis (PIN and RZ RSA token) | sftp fis (PIN and LLNL RSA token) |
cd TO | cd TO | cd FROM |
put <filename> | put <filename> | get <filename> |
exit | exit | exit |
FIS to and from the iSNSI Network
Both TapeFIS and OWL (one-way link) FIS are available on the iSNSI network. iSNSI TapeFIS is bidirectional and requires Derivative Classifier (DC) intervention for file transfers from Pinot to the OCF. Login examples are provided below. OWL transfers are significantly faster but are unidirectional for transfers from CZ and RZ to the SCF.
Note: User authentication to iSNSI TapeFIS on the OCF via the CZ (snsifis) or RZ (rzsnsifis) requires your OCF LC user name. Authentication to iSNSI TapeFIS from Pinot (tapefis) requires your official user name (OUN), which may differ from your OCF LC user name.
CZ Access to iSNSI FIS
Tape | OWL |
---|---|
sftp snsitapefis (authenticate with OCF PIN and LLNL RSA SecurID token code) | sftp snsifis (authenticate with OCF PIN and LLNL RSA SecurID token code) |
cd TO | cd TO |
put filename | put filename |
RZ Access to iSNSI FIS
Tape | OWL |
---|---|
sftp rzsnsitapefis (authenticate with PIN and RZ RSA token code) | sftp rzsnsifis (authenticate with PIN and RZ RSA token code) |
cd TO | cd TO |
put filename | put filename |
Retrieving Files from iSNSI FIS
Tape | OWL |
---|---|
From an iSNSI desktop or Pinot: ftp tapefis (authenticate with OUN and SNSI PIN and LLNL RSA token code) | sftp fastfis (authenticate with OUN and SNSI PIN and LLNL RSA token code) |
cd FROM | cd FROM |
get filename | get filename |
Hopper and FIS
For information about how to use Hopper (a GUI for doing file management) with FIS, see our Quick Start Guide: Hopper and FIS.
Secure-to-Open Transfer (aka. SCF/iSNSI to OCF Transfer)
Review by a DC is part of every secure-to-open—i.e., SCF to OCF—TapeFIS file transfer. Only users with special authorization can initiate secure to open transfers, and only text files can be transferred. See the Quick Start Guide above outlining the process. (Note: A special visualization FIS process exists for secure-to-open image and movie file transfers. Contact the LC Hotline for details.) To help DCs carry out this review role, TapeFIS provides a special set of directories dedicated to managing files undergoing review and a special software tool (ADCTOOL) for conducting the review online.
A special user guide for DCs is available at DC Support for Secure-to-Open Transfers.