Add External policy
Use this page to add an External policy for the IBM® TS7700 Grid.
To add a Storage Authentication Policy or LDAP Policy to a grid:
- From the Security Settings page, navigate to the Authentication Policies table.
- Select either Add Storage Authentication Policy or Add Direct LDAP Policy from the Select Action drop-down menu.
  Note: You can create a maximum of 16 Storage Authentication Service policies. You can create a Direct LDAP policy only when every cluster in the grid operates at microcode level 8.30.x.x or later.
- Click Go.
- Enter values for the following required fields:
- Policy Name
- The name of the policy that defines the authentication settings. The policy name is a unique value composed of one to 50 Unicode characters. Leading and trailing blank spaces are trimmed, though internal blank spaces are permitted. The name of the Local policy is "Local". Authentication policy names, either Local or user created, cannot be modified after creation.
- Primary Server URL
- The primary URL for the Storage Authentication Service. The value in this field is composed of one to 254 Unicode characters and takes one of the following formats (see the notes that follow the Alternate Server URL field):
  https://<server_address>:secure_port/TokenService/services/Trust
  ldaps://<server_address>:secure_port
  ldap://<server_address>:port
  Note: If this value is a Domain Name Server (DNS) address, you must activate and configure a DNS on the Cluster network settings page.
- Check the options you want to enable for IBM Service Representative access. These settings become active only when the associated policy is assigned to a cluster. You can check both options. These options are not visible if the grid contains a cluster operating at microcode level 8.30.0.xx or earlier.
  Important: These options permit IBM Service Representatives to access a cluster as if no external (SAS or LDAP) policy was in force. When enabled, they create a mechanism by which an IBM Service Representative can reset an authentication policy to resolve a lockout scenario. If no option is checked, IBM Service personnel must log in to the cluster using LDAP credentials obtained from the system administrator. If no option is checked and the LDAP server is inaccessible, IBM Service Representatives cannot access the cluster.
- Allow IBM support to connect if they have physical access (Recommended)
- Check this box to allow an IBM Service Representative to log in physically without LDAP credentials to connect to the cluster. At least one IBM Service Representative must have direct, physical access to the cluster. An onsite IBM Representative can grant temporary remote access to an offsite IBM Representative. This is the recommended option.
- Allow IBM support to connect remotely
- Check this box to allow an IBM Service Representative to log in remotely without LDAP credentials to connect to the cluster.
- Enter values for any of the optional fields you want to define:
- Alternate Server URL
- The alternate URL for the Storage Authentication Service if the primary URL cannot be accessed. The value in this field is composed of one to 254 Unicode characters and takes one of the following formats (see the notes below):
  https://<server_address>:secure_port/TokenService/services/Trust
  ldaps://<server_address>:secure_port
  ldap://<server_address>:port
Notes:
- The server address value in the Primary or Alternate Server URL can be an IP or DNS address. Valid IP formats include:
- IPv4
- Is 32 bits long, consists of four decimal numbers, each ranging from 0 to 255, separated by periods, like: 98.104.120.12
- IPv6
- Is a 128-bit long hexadecimal value enclosed by brackets and separated into 16-bit fields by colons, like: [3afa:1910:2535:3:110:e8ef:ef41:91cf]. Leading zeros can be omitted in each field, so that :0003: can be written as :3:. A double colon (::) can be used once per address to replace multiple fields of zeros. For example, [3afa:0:0:0:200:2535:e8ef:91cf] can be written as [3afa::200:2535:e8ef:91cf].
- IP configurations must match between the machine used to add or modify an External policy and the machine on which that policy will be applied. You cannot use an IPv4 machine to configure an External policy for an IPv6 machine, or vice-versa.
- If the Primary or Alternate Server URL uses the https or ldaps protocol, a certificate for that address must be defined on the SSL Certificates page, as linked in Related Information.
- If no port is specified for an LDAP Primary or Alternate Server URL, the following default ports are used:
  - 389 if SSL is not used
  - 636 if SSL is used
- Server Authentication
- Values in the following fields are required if WebSphere® Application Server security is enabled on the WebSphere Application Server hosting the Authentication Service, or if anonymous access is disabled on the LDAP server. If WebSphere Application Server security is disabled or anonymous access is enabled on the LDAP server, the following fields are optional:
- User ID
- The user name used with HTTP basic authentication for authenticating to the Storage Authentication Service. This field supports a maximum length of 254 Unicode characters.
- Password
- The password used with HTTP basic authentication for authenticating to the Storage Authentication Service. This field supports a maximum length of 254 Unicode characters.
- Direct LDAP
- Values in the following fields are required if secure authentication is used or anonymous connections are disabled on the LDAP server.
  Note: LDAP settings are not available for backup or recovery through the backup or restore settings operations.
- User Distinguished Name
- The user distinguished name used to authenticate to the LDAP authentication service. This field supports a maximum length of 254 Unicode characters. For example:
  CN=Administrator,CN=users,DC=mycompany,DC=com
- Password
- The password used to authenticate to the LDAP authentication service. This field supports a maximum length of 254 Unicode characters.
- If you selected Add Direct LDAP Policy in Step 2, enter values for LDAP Attributes:
- Base Distinguished Name
- The LDAP distinguished name (DN) that uniquely identifies a set of entries in a realm. This field is required but blank by default. The value in this field is composed of one to 254 Unicode characters.
- Username Attribute
- The attribute name used for the username during authentication. This field is required and contains the value uid by default. The value in this field is composed of one to 61 Unicode characters.
- Group Member Attribute
- The attribute name used to identify group members. This field is optional and contains the value member by default. This field can contain up to 61 Unicode characters.
- Group Name Attribute
- The attribute name used to identify the group during authorization. This field is optional and contains the value cn by default. This field can contain up to 61 Unicode characters.
- Username filter
- Used to filter and verify validity of an entered username. This field is optional and contains the value (uid={0}) by default. This field can contain up to 254 Unicode characters.
- Group Name filter
- Used to filter and verify validity of an entered group name. This field is optional and contains the value (cn={0}) by default. This field can contain up to 254 Unicode characters.
- Click OK to complete the operation or click Cancel to abandon the operation and return to the Security Settings page.
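As an added illustration (not part of this IBM page or of the TS7700 code), the following Python models how the LDAP Attributes above work together: the entered username is substituted for {0} in the Username filter with RFC 4515 escaping, the result is evaluated under the Base Distinguished Name, and authorization checks the Group Member Attribute of the group found through the Group Name filter. The directory entries, DNs and the group name are constructed, and only single equality filters are modelled.

```python
import re

# Default values of the LDAP Attributes named on this page.
GROUP_MEMBER_ATTR = "member"    # Group Member Attribute
USERNAME_FILTER = "(uid={0})"   # Username filter
GROUP_NAME_FILTER = "(cn={0})"  # Group Name filter

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for the value put into {0}, so it cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_filter(template: str, value: str) -> str:
    """Substitute {0} in a Username or Group Name filter template."""
    return template.replace("{0}", escape_filter_value(value))

# Constructed stand-in for the directory: DN -> multi-valued attributes.
DIRECTORY = {
    "uid=alice,cn=users,dc=example,dc=com": {"uid": ["alice"], "cn": ["Alice"]},
    "uid=bob,cn=users,dc=example,dc=com": {"uid": ["bob"], "cn": ["Bob"]},
    "cn=ts7700-admins,cn=groups,dc=example,dc=com": {
        "cn": ["ts7700-admins"], "member": ["uid=alice,cn=users,dc=example,dc=com"],
    },
}

def in_scope(dn: str, base_dn: str) -> bool:
    """Entry lies in the subtree named by the Base Distinguished Name."""
    return dn.lower().endswith(base_dn.lower())

def search(base_dn: str, flt: str) -> list:
    """Evaluate one equality filter such as (uid=alice) under base_dn (no wildcards)."""
    attr, _, value = flt[1:-1].partition("=")
    value = unescape_filter_value(value)
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base_dn) and value in attrs.get(attr, [])]

def authenticate_dn(base_dn: str, username: str):
    """Resolve the entered username to exactly one DN via the Username filter."""
    hits = search(base_dn, build_filter(USERNAME_FILTER, username))
    return hits[0] if len(hits) == 1 else None

def is_member(base_dn: str, user_dn: str, group_name: str) -> bool:
    """Authorization: the group found via the Group Name filter lists user_dn."""
    return any(user_dn in DIRECTORY[dn].get(GROUP_MEMBER_ATTR, [])
               for dn in search(base_dn, build_filter(GROUP_NAME_FILTER, group_name)))
```

A username containing filter metacharacters is escaped into a literal value and simply fails to resolve, and a Base Distinguished Name that does not contain the user subtree yields no match.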