Configure Network Transport Layer

Enable Transport Layer Security (TLS) for data communications.

When TLS is enabled, communication between Accesser® and Slicestor® devices uses this mechanism. On the Settings tab, navigate to Authentication > Network Transport Layer.

The following options are displayed:

Table 1. Transport Layer Security (TLS) options

Option       Description
None         Disables TLS.
Integrity    Enables the authentication and integrity features of TLS.
Encryption   Enables the authentication, integrity, and confidentiality features of TLS.

Select None, Integrity, or Encryption and click Update to disable TLS or to choose which cryptographic protections apply to data communications between the IBM Accesser devices and the IBM Slicestor devices. This is a system-wide setting that applies to all vaults on the system.

If confidentiality is not wanted, selecting Integrity has a positive impact on performance.

TLS typically provides three features: Confidentiality (others cannot read the content), Authentication (you are communicating with whom you think you are), and Integrity (others cannot tamper with communications without being noticed). The Integrity option provides only authentication and integrity, giving improved performance in cases where confidentiality is not needed. The Encryption option provides all three features. If TLS is enabled, IBM Cloud Object Storage Accesser devices establish encrypted connections before they store and retrieve data from Cloud Object Storage Slicestor devices [1]. Cloud Object Storage Slicestor devices establish encrypted connections to other IBM Cloud Object Storage Slicestor devices while they perform data consistency scans and rebuilds.

The SecureSlice™ feature, although technically not encryption, guarantees that without access to a threshold number of slices, no information can be obtained without brute forcing the random symmetric key that is used to perform the transformation. SecureSlice should remain enabled (the default) for most deployments, as it provides data-at-rest protection and has minimal performance impact.

Note: TLS encryption might affect data throughput performance. It should be disabled unless encryption and added security are needed.

The following items are independent of the TLS setting:
  • Communication with the Cloud Object Storage Manager is always encrypted by using HTTPS, SSL tunneling, and SNMPv3 data protection.
  • User passwords are always encrypted before transmission between any IBM devices. A user password is never sent in plaintext. [2]
  • The Simple Object over HTTP (SOH) interface supports access over HTTP (plaintext) or HTTPS (encrypted). The HTTPS option is always made available for clients that are configured to use the proper port.
  • Software clients that are developed with the DSAF Server SecureSlice™ can always establish encrypted connections. Such client applications might not honor the TLS setting and should be designed to let the user configure separately whether TLS is used.

[1] Communication between clients and Cloud Object Storage Accesser devices is governed separately. With SOH, the client determines whether encryption is used. The Cloud Object Storage Accesser device does not support IPsec.

[2] User passwords can be sent in plaintext between a client and an Accesser device over SOH when HTTP (port 80, plaintext) is used. Clients can be configured to avoid this by using HTTPS (port 443, encrypted).

Configure Client Connection mode

Configure how the IBM Cloud Object Storage client connects to the Accesser device, for the purpose of IP access control. IBM COS enforces client IP access control on a standard vault or a container according to the connection types below.

Table 2. Client Connection mode options

Option   Description
Direct   The client is expected to connect directly to the access-enabled device. The system uses the TCP source IP address for IP access control.
Proxy    The client can connect to the Accesser device through a load balancer or proxy. The system uses the HTTP x-forwarded-for header in this case. Customers using the Proxy connection mode must set the rightmost address in the “x-forwarded-for” header to the originating client IP address in order to use container IP whitelisting.
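As an added example that is not part of the IBM documentation, the following Python sketch shows how a defender-side check would pick the address to evaluate under each connection mode (TCP source IP in Direct mode, rightmost x-forwarded-for entry in Proxy mode) and test it against a whitelist. The function names, the CIDR whitelist format and the fail-closed handling of a missing or malformed header are assumptions, and the addresses are constructed.

```python
import ipaddress
from typing import Mapping, Optional, Sequence


def effective_client_ip(mode: str, tcp_source_ip: str,
                        headers: Mapping[str, str]) -> Optional[str]:
    """Return the address that IP access control should evaluate, or None
    when no trustworthy address can be derived (the caller then denies)."""
    if mode == "Direct":
        # Direct mode: only the TCP source address counts. Any x-forwarded-for
        # header is ignored, because the client itself could have supplied it.
        return tcp_source_ip
    if mode == "Proxy":
        # HTTP header names are case-insensitive, so match accordingly.
        xff = next((v for k, v in headers.items()
                    if k.lower() == "x-forwarded-for"), None)
        if not xff:
            # Assumption: a Proxy-mode request without the header is denied
            # (fail closed); the page does not state the product's behaviour.
            return None
        # The rightmost entry is the originating client IP in this scheme.
        candidate = xff.split(",")[-1].strip()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            return None  # malformed entry: nothing trustworthy to check
        return candidate
    raise ValueError(f"unknown connection mode: {mode!r}")


def is_allowed(client_ip: Optional[str], whitelist: Sequence[str]) -> bool:
    """True if client_ip falls within any whitelisted address or CIDR range.
    Assumption: the whitelist is a list of IP or CIDR strings."""
    if client_ip is None:
        return False
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in whitelist)


if __name__ == "__main__":
    # Constructed sample requests using RFC 5737 documentation addresses.
    whitelist = ["203.0.113.0/24"]
    proxy_headers = {"X-Forwarded-For": "198.51.100.5, 203.0.113.10"}
    print(is_allowed(effective_client_ip("Direct", "203.0.113.10", proxy_headers), whitelist))  # True
    print(is_allowed(effective_client_ip("Proxy", "10.0.0.2", proxy_headers), whitelist))       # True
    print(is_allowed(effective_client_ip("Proxy", "10.0.0.2", {}), whitelist))                  # False
```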