Enable HSI/HTAR transfers from IU's Scholarly Data Archive when your system is protected by a firewall

Files containing PHI must be encrypted when they are stored (at rest) and when they are transferred between networked systems (in transit). To ensure that files containing PHI are encrypted when they are stored, encrypt them before transferring them to storage. To ensure that files containing PHI remain encrypted during transit, use SFTP/SCP or the IU Globus Web App. For more, see Recommended tools for encrypting data containing HIPAA-regulated PHI.

If your system is protected by a firewall, to enable HSI/HTAR transfers from the Scholarly Data Archive (SDA), Indiana University's distributed HPSS data archive, you have two options:

  • If your firewall requires specific port ranges for transfers, you can use the HSI environment variable HPSS_PFTPC_PORT_RANGE to define a range of restricted ports that HSI will use for inbound HPSS connections. For example, to set a port range of ports 50000-51000:
    • In the ksh or bash shell, on the command line, enter:
        export HPSS_PFTPC_PORT_RANGE='ncacn_ip_tcp[50000-51000]'
    • In the csh or tcsh shell, on the command line, enter:
        setenv HPSS_PFTPC_PORT_RANGE 'ncacn_ip_tcp[50000-51000]'
    HPSS uses dynamic ports for data transfer; it does not use a specific port range.
  • Configure your firewall to accept incoming traffic from the following subnet: (netmask

    HSI/HTAR will initiate transfers from any SDA host that is available. Consequently, you must add the entire subnet that's reserved for SDA hosts. For example, if your system is running iptables, use the following command to accept incoming transfers from all SDA hosts:

      iptables -A INPUT -s -j ACCEPT
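
The two options can also be combined so that the firewall admits SDA hosts only on the ports HSI has been told to listen on. The following is an added example, not part of the original document or of HSI: it validates the HPSS_PFTPC_PORT_RANGE value and prints (without running) a matching iptables rule. The function names are hypothetical, 192.0.2.0/24 is a placeholder documentation subnet rather than the SDA subnet, and it assumes HSI honors the range for all inbound HPSS connections.

```shell
#!/bin/sh
# Added example: derive a port-scoped iptables rule from HPSS_PFTPC_PORT_RANGE.

# Parse 'ncacn_ip_tcp[LOW-HIGH]' and print "LOW HIGH"; return 1 if malformed.
parse_port_range() {
    spec=$1
    case $spec in
        'ncacn_ip_tcp['*-*']') ;;
        *) return 1 ;;
    esac
    body=${spec#'ncacn_ip_tcp['}
    body=${body%']'}
    low=${body%%-*}
    high=${body#*-}
    # Both bounds must be present and consist only of digits.
    [ -n "$low" ] && [ -n "$high" ] || return 1
    case $low$high in
        *[!0-9]*) return 1 ;;
    esac
    # Bounds must be valid TCP ports in ascending order.
    [ "$low" -ge 1 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ] || return 1
    echo "$low $high"
}

# Print the iptables rule that accepts TCP from subnet $2 only on the
# ports named in range spec $1. Nothing is applied to the firewall.
build_rule() {
    ports=$(parse_port_range "$1") || return 1
    echo "iptables -A INPUT -p tcp -s $2 --dport ${ports% *}:${ports#* } -j ACCEPT"
}

# Placeholder subnet (RFC 5737 documentation range), NOT the real SDA subnet.
SDA_SUBNET='192.0.2.0/24'

# Quoted so the shell never treats the brackets as a glob pattern.
HPSS_PFTPC_PORT_RANGE='ncacn_ip_tcp[50000-51000]'
export HPSS_PFTPC_PORT_RANGE

build_rule "$HPSS_PFTPC_PORT_RANGE" "$SDA_SUBNET"
```

Review the printed rule before applying it, and keep the exported range identical to the range in the rule; a mismatch makes transfers fail because HSI would listen on ports the firewall still blocks.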

If you need help or have questions, email the Research Storage team.

This is document awkf in the Knowledge Base.
Last modified on 2019-02-14 13:10:06.
