Enabling remote authentication through the DS CLI

You can enable and configure remote authentication through an LDAP repository. Use this scenario to enable remote authentication from the DS8000 command-line interface (CLI).

Before you begin

Starting with DS8000 Version 8.1, you can use either IBM Spectrum Control (formerly IBM Tivoli Productivity Center) or IBM Copy Services Manager to connect to an LDAP repository and enable remote authentication. Copy Services Manager also now comes preinstalled on the DS8000 Hardware Management Console (HMC). For instructions on how to install and configure these products, see the following online product documentation:

About this task

Table 1. Authentication proxy server information

Using IBM Spectrum Control for remote authentication

The prerequisites for enabling remote authentication through IBM Spectrum Control include:
  • At least one authentication server to connect to
  • A truststore file with password
  • A WebSphere Integrated Solutions Console user name and password

A truststore file holds signer certificates for only the target servers that are trusted. The certificate and the truststore file are needed to implement Secure Sockets Layer (SSL) communication between the DS8000 HMC and the LDAP server.

IBM Spectrum Control uses the IBM WebSphere Integrated Solutions Console to administer and manage the authentication server. When provided with the correct authority, this console can also be used to administer LDAP users and groups through a web browser that is started on any host.

For more information about enabling remote authentication on DS8000 through IBM Spectrum Control, including how to create a truststore file, see the IBM Redbooks publication titled LDAP Authentication for IBM DS8000 Storage. You can download this publication from http://www.redbooks.ibm.com/abstracts/redp4505.html?Open&pdfbookmark.

Using Copy Services Manager for remote authentication

After you configure LDAP authentication with Copy Services Manager, the differences from using IBM Spectrum Control are as follows:
  • You do not need to create your own truststore file with the certificate information. The Copy Services Manager csmAuth server creates one at startup. The csmAuth server creates this file based on the same keystore that it uses for Secure Sockets Layer (SSL) settings. If that keystore is changed for any reason, a new one is created when the server is restarted. The keystore name, password, and directory can be changed in the csmauth.properties file. The default values in this file are:

    itso.keystore.name=key_itso.jks
    itso.keystore.password=passw0rd
    itso.keystore.directory=resources/security
  • The csmAuth server can have only one user registry, which in this case is the LDAP server. Therefore, no separate admin user like the JazzSM wsadmin user exists. Copy Services Manager does not use WebSphere Integrated Console, but rather the more lightweight Liberty server. The Storage Authentication Service (SAS) user for Copy Services Manager is any valid LDAP user.

Procedure

  1. Log in to the DS CLI installation directory and open the DS CLI command window.
  2. In the DS CLI command window, enter the HMC IP address, user name, and password.
  3. To see the existing authentication policies, enter the lsauthpol command. The default initial policy is set for basic (non-LDAP) authentication.
  4. Create a new empty policy by entering the mkauthpol -type sas itsopolicy command, where -type sas specifies the authentication policy type and itsopolicy is the name of the new policy. Currently, SAS (Storage Authentication Service) is the only valid value for the -type parameter, and it is required.
  5. Add one or more policy servers to the policy by entering the setauthpol command with the -action setauthserver and -loc parameters. Starting at this step, the command options might differ depending on whether you use IBM Spectrum Control or Copy Services Manager for remote authentication.
    • If you are using IBM Spectrum Control, the -loc parameter is the URL to the IBM Spectrum Control server. See the IBM Redbooks publication titled LDAP Authentication for IBM DS8000 Storage, which you can download from http://www.redbooks.ibm.com/abstracts/redp4505.html?Open&pdfbookmark, for more-specific instructions.
    • If you are using Copy Services Manager, the -loc parameter is the URL to the Copy Services Manager server, the csmAuth server, which is at https://<hostname>:<auth port>/CSMAuth/TokenService. Because Copy Services Manager is preinstalled on the HMC, you can use a direct connection method and enter https://<HMC addr>:9562/CSMAuth/TokenService.
  6. Add the truststore file to the policy. Enter the setauthpol command with the -action settruststore parameter and the -loc parameter, where the value is the location of the truststore file. Use the -pw parameter for the truststore file password.
    • For IBM Spectrum Control, the location and password of the truststore file is determined after you create it by following the instructions in the IBM Redbooks publication titled LDAP Authentication for IBM DS8000 Storage, which you can download from http://www.redbooks.ibm.com/abstracts/redp4505.html?Open&pdfbookmark. See the section titled "Create the certificates and the truststore file."
    • For Copy Services Manager, the truststore file is at <Installdir>/liberty/wlp/usr/servers/csmAuth/resources/security/key_itso.jks. The default password for the Copy Services Manager truststore file is passw0rd (with a zero in place of the letter O).
      Note: If you use the instance of Copy Services Manager that is running on the HMC, you can download this file instead from https://<hostname>:9559/CSM/security/key_itso.jks after first logging in to Copy Services Manager as an administrator.

      If you use more than one Copy Services Manager server for remote authentication, ensure that the <install path>/liberty/wlp/usr/servers/csmAuth/resources/security/key.jks file is the same between the two csmAuth servers. Otherwise, the truststore file will not work for one of them. Restart the server for the one with the file that you replaced.

  7. Add the authentication user to the policy by entering the setauthpol command with the -action setsasuser parameter. Again, use the -pw parameter for the associated user password.
    • If you are using IBM Spectrum Control, enter a user name and password for the WebSphere Integrated Solutions Console admin user.
    • If you are using Copy Services Manager, the authentication user for this step must be a valid LDAP user. This user name is used for all authentication requests. You must update this setting when the password for this authentication user is updated.
  8. Map existing users and user groups from the LDAP server to user groups on the DS8000 by entering the setauthpol command with the -action setmap parameter and -dsgroup with -extuser or -extgroup values.
  9. Now that the policy is set up, check it by entering lsauthpol itsopolicy. The policy is in the inactive state.
  10. To view the configuration parameters, enter the showauthpol command.
  11. Test the configuration by entering the testauthpol command.
  12. If the test completes successfully, activate the policy by entering the chauthpol command with the -activate parameter.
  13. Check the state for the policy by entering the lsauthpol command.
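The following DS CLI session is added here as a worked example of steps 3 through 13 and is not taken from the IBM documentation. It targets the Copy Services Manager csmAuth server that is preinstalled on the HMC. The HMC address 192.0.2.10, the LDAP user and group names, the local truststore path and every password are constructed placeholders; the -username parameter on setsasuser and testauthpol and the DS8000 user group names admin and monitor are assumed from the DS CLI syntax and are not stated on this page.

```dscli
# Added example, not IBM's documentation. Assumes the DS CLI is already
# connected to the HMC (steps 1 and 2). Values in <angle brackets> and the
# addresses and names below are constructed placeholders.

# Step 3: list existing policies; only the default basic policy is active.
dscli> lsauthpol

# Step 4: create an empty SAS policy named itsopolicy.
dscli> mkauthpol -type sas itsopolicy

# Step 5: point the policy at the csmAuth token service on the HMC
# (port 9562 is the direct-connection port given in the procedure).
dscli> setauthpol -action setauthserver -loc https://192.0.2.10:9562/CSMAuth/TokenService itsopolicy

# Step 6: register the truststore. key_itso.jks was downloaded from the
# Copy Services Manager server (see the note in step 6); the HMC uses it to
# validate the csmAuth server certificate over SSL. The documented default
# password is passw0rd; use the current one for your server.
dscli> setauthpol -action settruststore -loc /home/admin/key_itso.jks -pw <truststore-password> itsopolicy

# Step 7: the SAS user is any valid LDAP user; a dedicated service account
# is used here so that a personal password change does not break the policy.
# (-username is assumed from the DS CLI syntax.)
dscli> setauthpol -action setsasuser -username ldap-ds8k-svc -pw <service-account-password> itsopolicy

# Step 8: map an LDAP group to the DS8000 admin group, and a single LDAP
# user to the read-only monitor group.
dscli> setauthpol -action setmap -dsgroup admin -extgroup ds8k-admins itsopolicy
dscli> setauthpol -action setmap -dsgroup monitor -extuser jdoe itsopolicy

# Steps 9 and 10: the policy exists but is still inactive; review its settings.
dscli> lsauthpol itsopolicy
dscli> showauthpol itsopolicy

# Step 11: test a real LDAP login against the inactive policy before
# activating it (-username is assumed from the DS CLI syntax).
dscli> testauthpol -username jdoe -pw <jdoe-password> itsopolicy

# Steps 12 and 13: activate only after the test succeeds, then confirm the state.
dscli> chauthpol -activate itsopolicy
dscli> lsauthpol
```

The order matters: the basic policy stays active until chauthpol -activate runs, so a failed testauthpol (wrong truststore, unreachable csmAuth server, expired service-account password) is caught while you can still log in locally. After activation, the password of the SAS user set in step 7 must be refreshed in the policy whenever it changes in LDAP, as step 7 notes.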

Results

After you complete all of these steps, the DS8000 storage system is enabled and configured for remote authentication.