Add External policy

Use this page to add an External policy for the IBM® TS7700 Grid.

To add a Storage Authentication Policy or LDAP Policy to a grid:
  1. From the Security Settings page, navigate to the Authentication Policies table.
  2. Select either Add Storage Authentication Policy OR Add Direct LDAP Policy from the Select Action drop-down menu.
    Note: You can create up to a maximum of 16 Storage Authentication Service policies. You can create a direct LDAP policy only when every cluster in the grid operates at microcode level 8.30.x.x or later.
  3. Click Go.
  4. Enter values for the following required fields:
    Policy Name
    The name of the policy that defines the authentication settings. The policy name is a unique value composed of one to 50 Unicode characters. Leading and trailing blank spaces are trimmed, though internal blank spaces are permitted. The name of the Local policy is "Local". Authentication policy names, either Local or user created, cannot be modified after creation.
    Primary Server URL
    The primary URL for the Storage Authentication Service. The value in this field is composed of one to 254 Unicode characters and takes one of the following formats (see the notes under Alternate Server URL):
    https://<server_address>:secure_port/TokenService/services/Trust
    ldaps://<server_address>:secure_port
    ldap://<server_address>:port
    Note: If this value is a Domain Name Server (DNS) address, you must activate and configure a DNS on the Cluster network settings page.
  5. Check the options you want to enable for IBM Service Representative access. These settings become active only when the associated policy is assigned to a cluster. You can check both options. These options are not visible if the grid contains a cluster operating at microcode level of 8.30.0.xx or earlier.
    Important: These options permit IBM Service Representatives to access a cluster as if no external (SAS or LDAP) policy was in force. When enabled, they create a mechanism by which an IBM Service Representative can reset an authentication policy to resolve a lockout scenario. If no option is checked, IBM Service personnel must log in to the cluster using LDAP credentials obtained from the system administrator. If no option is checked and the LDAP server is inaccessible, IBM Service Representatives cannot access the cluster.
    Allow IBM support to connect if they have physical access (Recommended)
    Check this box to allow an IBM Service Representative to log in physically without LDAP credentials to connect to the cluster. At least one IBM Service Representative must have direct, physical access to the cluster. An onsite IBM Representative can grant temporary remote access to an offsite IBM Representative. This is the recommended option.
    Allow IBM support to connect remotely
    Check this box to allow an IBM Service Representative to log in remotely without LDAP credentials to connect to the cluster.
  6. Enter values for any of the optional fields you want to define:
    Alternate Server URL
    The alternate URL for the Storage Authentication Service, used if the primary URL cannot be accessed. The value in this field is composed of one to 254 Unicode characters and takes one of the following formats (see the notes below):
    https://<server_address>:secure_port/TokenService/services/Trust
    ldaps://<server_address>:secure_port
    ldap://<server_address>:port
    Notes:
    1. The server address value in the Primary or Alternate Server URL can be an IP or DNS address. Valid IP formats include:
      IPv4
      Is 32 bits long and consists of four decimal numbers, each ranging from 0 to 255, separated by periods, for example:
      98.104.120.12
      IPv6
      Is a 128-bit hexadecimal value enclosed by brackets and separated into 16-bit fields by colons, for example:
      [3afa:1910:2535:3:110:e8ef:ef41:91cf]
      Leading zeros can be omitted in each field, so that :0003: can be written as :3:. A double colon (::) can be used once per address to replace multiple fields of zeros. For example,
      [3afa:0:0:0:200:2535:e8ef:91cf]
      can be written as:
      [3afa::200:2535:e8ef:91cf]
    2. IP configurations must match between the machine used to add or modify an External policy and the machine on which that policy will be applied. You cannot use an IPv4 machine to configure an External policy for an IPv6 machine, or vice-versa.
    3. If the Primary or Alternate Server URL uses the https or ldaps protocol, a certificate for that address must be defined on the SSL Certificates page, as linked in Related Information.
    4. If no port is specified for an LDAP Primary or Alternate Server URL, the following default ports are used:
      • 389 if SSL is not used
      • 636 if SSL is used
    Server Authentication
    Values in the following fields are required if WebSphere® Application Server security is enabled on the WebSphere Application Server hosting the Authentication Service, or if anonymous access is disabled on the LDAP server. If WebSphere Application Server security is disabled or anonymous access is enabled on the LDAP server, the following fields are optional:
    User ID
    The user name used with HTTP basic authentication for authenticating to the Storage Authentication Service. This field supports a maximum length of 254 Unicode characters.
    Password
    The password used with HTTP basic authentication for authenticating to the Storage Authentication Service. This field supports a maximum length of 254 Unicode characters.
    Direct LDAP
    Values in the following fields are required if secure authentication is used or anonymous connections are disabled on the LDAP server.
    Note: LDAP settings are not available for backup or recovery through the backup or restore settings operations.
    User Distinguished Name
    The user distinguished name used to authenticate to the LDAP authentication service. This field supports a maximum length of 254 Unicode characters. For example:
    CN=Administrator,CN=users,DC=mycompany,DC=com
    Password
    The password used to authenticate to the LDAP authentication service. This field supports a maximum length of 254 Unicode characters.
  7. If you selected Add Direct LDAP Policy in Step 2, enter values for LDAP Attributes:
    Base Distinguished Name
    The LDAP distinguished name (DN) that uniquely identifies a set of entries in a realm. This field is required but blank by default. The value in this field is composed of one to 254 Unicode characters.
    Username Attribute
    The attribute name used for the username during authentication. This field is required and contains the value uid by default. The value in this field is composed of one to 61 Unicode characters.
    Group Member Attribute
    The attribute name used to identify group members. This field is optional and contains the value member by default. This field can contain up to 61 Unicode characters.
    Group Name Attribute
    The attribute name used to identify the group during authorization. This field is optional and contains the value cn by default. This field can contain up to 61 Unicode characters.
    Username filter
    Used to filter and verify validity of an entered username. This field is optional and contains the value (uid={0}) by default. This field can contain up to 254 Unicode characters.
    Group Name filter
    Used to filter and verify validity of an entered group name. This field is optional and contains the value (cn={0}) by default. This field can contain up to 254 Unicode characters.
  8. Click OK to complete the operation or click Cancel to abandon the operation and return to the Security Settings page.
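The following added example (not IBM's code) checks a Primary or Alternate Server URL against the three accepted formats above, applies the 389/636 LDAP default ports, classifies the server address as IPv4, IPv6 or DNS, and fills the {0} placeholder of a Username or Group Name filter such as (uid={0}) with RFC 4515 escaping so that a typed name cannot alter the filter structure. It assumes the TS7700 substitutes {0} with the entered name; the escaping table and sample inputs are constructed here.

```python
import ipaddress
from urllib.parse import urlsplit

# Default LDAP ports from the notes above: 389 without SSL, 636 with SSL.
LDAP_DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
TOKEN_SERVICE_PATH = "/TokenService/services/Trust"
# RFC 4515 escapes (constructed table) for values placed into a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_filter(template: str, value: str) -> str:
    """Fill the {0} placeholder of a Username or Group Name filter template."""
    return template.replace("{0}", escape_filter_value(value))

def address_kind(host: str) -> str:
    """'ipv4', 'ipv6' or 'dns' (a DNS name needs DNS configured on the cluster)."""
    try:
        return "ipv%d" % ipaddress.ip_address(host).version
    except ValueError:
        return "dns"

def parse_server_url(url: str) -> dict:
    """Check a Primary/Alternate Server URL against the three accepted formats."""
    if not 1 <= len(url) <= 254:
        raise ValueError("URL must be 1 to 254 characters")
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "https":
        # SAS form: https://<server_address>:secure_port/TokenService/services/Trust
        if parts.path != TOKEN_SERVICE_PATH or parts.port is None:
            raise ValueError("expected https://<server>:<secure_port>" + TOKEN_SERVICE_PATH)
        port = parts.port
    elif scheme in LDAP_DEFAULT_PORTS:
        if parts.path not in ("", "/"):
            raise ValueError("ldap/ldaps URLs carry no path")
        port = LDAP_DEFAULT_PORTS[scheme] if parts.port is None else parts.port
    else:
        raise ValueError("scheme must be https, ldaps or ldap")
    if not parts.hostname:  # urlsplit strips the [] around an IPv6 address
        raise ValueError("missing <server_address>")
    return {"scheme": scheme, "host": parts.hostname, "port": port,
            "tls": scheme != "ldap", "kind": address_kind(parts.hostname)}

def is_valid_server_url(url: str) -> bool:
    try:
        parse_server_url(url)
        return True
    except ValueError:
        return False
```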