Securing your IBM Storage Scale pattern

There are different means used to secure access to the IBM® Pattern for IBM Storage Scale.

Access controls

Access control for the IBM Pattern for IBM Storage Scale is provided by the IBM Cloud Pak® security mechanisms.
  • Clients can only access the IBM Storage Scale Server pattern by retrieving data from the locally deployed shared service. The shared service provides the IP address and security key to communicate with the IBM Storage Scale Server. If the shared service is not deployed, clients can only access the IBM Storage Scale Server pattern by using the IBM Storage Scale Manager IP address and Client Key that were specified at deployment time or through the Connect to server operation.
  • File system access is restricted by controlling who and what can deploy to a cloud group or environment profile.
  • The security information that is needed to connect to the IBM Storage Scale shared file system (information that is used by the IBM Storage Scale shared service or directly by clients at deployment time) is accessed through the management console of the deployed IBM Storage Scale pattern. Restrictions must be placed on the deployment to prevent non-administrator access to the deployed instance.
  • System administrators can control which clients can connect to an IBM Storage Scale shared file system by choosing where to deploy the IBM Storage Scale shared service that connects to the IBM Storage Scale Server.
  • Within the IBM Storage Scale file system, access rights and policies can be placed on any file or directory. However, patterns in the process of deployment run as root, and are not constrained by file system controls.

Security keys

There are multiple security keys used by the IBM Pattern for IBM Storage Scale.
  • Client key:

    This key consists of a public and private SSH key pair. The public key is installed on the IBM Storage Scale Manager virtual machine, and is used by IBM Storage Scale Clients for initial communication with the IBM Storage Scale deployment. The private key is used by the IBM Storage Scale Client deployments to communicate with the IBM Storage Scale Manager and request access to the IBM Storage Scale server cluster and shared file system. Note that when you retrieve the client private key using the Retrieve Key operation, the private key is returned as a text string. This string contains the client private key with the Manager IP appended to it. This private key and Manager IP are used when you deploy the IBM shared service for IBM Storage Scale instance or when you deploy an IBM Storage Scale Client instance, if the Manager IP and Client private key information is set on client deployment.

  • Cluster key:

    This key consists of a public and private SSH key pair. The public key is installed on every IBM Storage Scale Server virtual machine in the same cluster, and together with the private key is used by the IBM Storage Scale product to communicate with the IBM Storage Scale Servers in the cluster. When you attach a Mirror, Tiebreak, or Passive configuration to a Primary configuration, before the IBM Storage Scale Servers can become part of the Primary configuration cluster, the Cluster key from the Primary configuration is copied over and installed on all IBM Storage Scale Servers that are being attached to the Primary deployment.

  • Manager key:

    This key consists of a public and private SSH key pair. The public key is installed on each IBM Storage Scale Manager virtual machine, and together with the private key is used to communicate with other IBM Storage Scale Manager virtual machines when they are attached to the same IBM Storage Scale cluster. For example, if this instance is an IBM Storage Scale Primary configuration and you are attaching a Mirror configuration, the IBM Storage Scale Manager virtual machine for this deployment attempts to access the IBM Storage Scale Manager virtual machine for the Mirror configuration by using the Manager key that is installed on the Primary Manager virtual machine.

    If the same key is not installed on the IBM Storage Scale Manager virtual machine for the Mirror configuration, the communication fails. To recover, you must retrieve the Manager key (by using the Retrieve Key operation) from the Primary configuration and then install it (by using the Install Key operation) on the IBM Storage Scale Manager virtual machine for the Mirror configuration.
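The Client key description above says that the Retrieve Key operation returns the client private key as a single text string with the Manager IP appended. The following is an added example, not code from IBM or from the pattern itself, of how automation that consumes that string can separate the two parts and validate them before use, so that a malformed string or a non-IP trailer is rejected rather than passed on to a client deployment. It assumes (the page does not specify the exact layout) that the key is a PEM-style block ending in an "-----END ... PRIVATE KEY-----" line and that the Manager IP is the text that follows that line; the sample input, the function names, and the placeholder key body are all constructed for this example.

```python
import hashlib
import ipaddress
import re

# Assumption (not stated on the page): the retrieved string is a PEM-style
# private key block followed by the Manager IP as trailing text.
_BEGIN_MARKER = re.compile(r"^-----BEGIN [A-Z ]*PRIVATE KEY-----[ \t]*$", re.MULTILINE)
_END_MARKER = re.compile(r"^-----END [A-Z ]*PRIVATE KEY-----[ \t]*$", re.MULTILINE)


def split_client_key_string(retrieved: str) -> tuple[str, str]:
    """Split a Retrieve Key string into (private_key_pem, manager_ip).

    Raises ValueError if no well-formed PRIVATE KEY block is present, if
    nothing follows the block, or if the trailer is not a single valid
    IPv4 or IPv6 address.
    """
    text = retrieved.strip()
    begin = _BEGIN_MARKER.search(text)
    end = _END_MARKER.search(text)
    if begin is None or end is None or end.start() < begin.start():
        raise ValueError("no well-formed PRIVATE KEY block found")

    # Keep the key exactly as delivered, terminated by a single newline.
    key_pem = text[begin.start():end.end()].rstrip() + "\n"

    trailer = text[end.end():].strip()
    if not trailer:
        raise ValueError("Manager IP missing after the key block")
    try:
        # ip_address() normalises the text and rejects hostnames or garbage.
        manager_ip = str(ipaddress.ip_address(trailer))
    except ValueError as exc:
        raise ValueError(f"trailing text is not an IP address: {trailer!r}") from exc
    return key_pem, manager_ip


def key_digest_for_logs(key_pem: str) -> str:
    """Short SHA-256 digest of the key text.

    Record this in an audit trail instead of the key material itself, so that
    a key rotation is visible in logs without the private key ever being written.
    """
    return hashlib.sha256(key_pem.encode("utf-8")).hexdigest()[:16]


# Constructed sample input. The base64 body is a placeholder string, not a key,
# and 192.0.2.10 is a documentation address (RFC 5737).
SAMPLE_RETRIEVED = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "UExBQ0VIT0xERVIgLSBub3QgYSByZWFsIGtleQ==\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
    "192.0.2.10"
)

if __name__ == "__main__":
    key, ip = split_client_key_string(SAMPLE_RETRIEVED)
    print(f"manager ip: {ip}")
    print(f"client key digest: {key_digest_for_logs(key)}")
```

The split is deliberately strict: if the trailer is empty or is not an IP address the caller gets a ValueError and nothing is deployed with a half-parsed key, and only the digest, never the key text, is intended for logs.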