Security

Use the following tables to access IBM Storage Scale documentation about security.

Cluster security mode
The adminMode configuration attribute
Sudo-wrapper scripts
Secure access to a remote file system
Security in the GUI
Security in cloud services
Security for protocols
Security for Hadoop
Audit logging
Access control lists
Security with active file management (AFM)
Security-Enhanced Linux® (SELinux) support
Security issues with local read-only cache (LROC)
Windows authentication
Firewall settings

Quick reference for file encryption: See File encryption.

Table 1. Cluster security mode
For this information...	Go to...
Cluster security mode	Security mode Setting the security mode for internode communications in a cluster Completing the upgrade to a new level of IBM Storage Scale

Table 2. The adminMode configuration attribute
For this information...	Go to...
The adminMode attribute of the mmchconfig command	The adminMode configuration attribute

Table 3. Sudo-wrapper scripts
For this information...	Go to...
Sudo-wrapper scripts	Running IBM Storage Scale commands without remote root login

Table 4. Secure access to a remote file system
For this information...	Go to...
Configuring secure access	Accessing a remote GPFS file system Remote user access to a GPFS file system Using NFS/SMB protocol over remote cluster mounts Mounting a remote GPFS file system Managing remote access to a GPFS file system Using remote access with multiple network definitions Using multiple security levels for remote access Changing security keys with remote access NIST compliance Important information about remote access
Setting the public key for a remote cluster	mmremotecluster command
Conflicting cluster security modes	Using multiple security levels for remote access Remote file system does not mount due to differing GPFS cluster security configurations The cipherList option has not been set properly

Table 5. Security in the GUI
For this information...	Go to...
Managing GUI users in an external AD or LDAP server Managing GUI user passwords	Managing GUI users
Secure communications with web browsers	Managing certificates to secure communications between GUI web server and web browsers
Command audit logging for GUI	Command audit log

Table 6. Security with cloud services
For this information...	Go to...
Planning for security for cloud services	Security considerations
Configuring cloud services with SKLM	Configuring cloud services with SKLM (optional)
Authentication for WORM solutions	Setting up transparent cloud tiering for WORM solutions Setting up a private key and creating locked vaults Configuring Transparent cloud tiering with certificate-based authentication and locked vaults Rotating client key or revoking old certificate Updating transparent cloud tiering with a new private key and certificate
Configuring a cloud gateway for security	mmcloudgateway command
Backing up encryption credentials	Checking the cloud services database integrity
Cloud services does not support SKLM with proxy servers	Known limitations of cloud services
Firewall settings for cloud services	Firewall recommendations for cloud services

Table 7. Security for protocols
For this information...	Go to...
Protocols support overview	Protocols support overview: Integration of protocol access methods with GPFS NFS support overview SMB support overview S3 support overview Swift Object storage support overview
Planning for protocol authentication	Planning for protocols Authentication considerations General authentication support matrix Planning for NFS Planning for SMB Planning for S3
Managing protocol user authentication	Managing protocol user authentication Setting up authentication servers to configure protocol user access Configuring authentication and ID mapping for file access Managing user-defined authentication Configuring authentication for Swift Object access Deleting the authentication and the ID-mapping configuration Listing the authentication configuration Verifying the authentication services configured in the system Modifying the authentication method Authentication limitations
Unified file and object access	Identity management modes for unified file and Swift Object access Authentication in unified file and object access Validating shared authentication ID mapping
Securing protocol data	Securing protocol data Planning for protocol data security Configuring protocol data security Data security limitations
Authentication data for protocols cluster disaster recovery	Authentication related data required for protocols cluster DR

Table 8. Security for Hadoop
For this information...	Go to...
CES HDFS	Overview under CES HDFS in Big data and analytics support documentation
Hadoop HDFS Transparency	Security under IBM Spectrum Scale support for Hadoop in Big data and analytics support documentation

Table 9. Audit logging
For this information...	Go to...
Audit logging	File audit logging Audit messages for cluster configuration changes Command audit log

Table 10. Access control lists
For this information...	Go to...
Access control lists: Administration	Managing GPFS access control lists Exceptions and limitations to NFSv4 ACLs support

Table 11. Security with active file management (AFM)
For this information...	Go to...
Encryption	Using AFM with encryption
AFM support for Kerberos-enabled NFS protocol exports	Creating an AFM relationship by using the NFS protocol
`afmEnableNFSSec` attribute of the mmchconfig command	Configuration parameters for AFM, AFM-DR, and AFM to cloud object storage

Table 12. Security-Enhanced Linux support
For this information...	Go to...
Security-Enhanced Linux (SELinux) support	Security-Enhanced Linux support

Table 13. Security issues with local read-only cache (LROC)
For this information...	Go to...
Encrypted data is internally held as plaintext	Local read-only cache Encryption and a local read-only cache (LROC) device

Table 14. Windows authentication
For this information...	Go to...
Installing IBM Storage Scale on Microsoft Windows nodes	Access control on GPFS file systems Configuring a mixed Windows and UNIX (AIX or Linux) cluster
Identity management in Windows	Identity management on Windows / RFC 2307 attributes Auto-generated ID mappings Configuring ID mappings in Active Directory Users and Computers for Windows Server 2016 (and subsequent) versions Installing Windows IDMU Configuring ID mappings in IDMU

Table 15. Firewall settings
For this information...	Go to...
Firewall settings¹	Securing IBM Storage Scale by using a firewall Firewall recommendations for the IBM Storage Scale installation Firewall recommendations for internal communication among nodes Firewall recommendations for protocol access Firewall recommendations for IBM Storage Scale GUI Firewall recommendations for IBM SKLM Firewall recommendations for Performance Monitoring tool Firewall considerations for Active File Management (AFM) Firewall considerations for remote mounting of file systems Firewall recommendations for using IBM Storage Protect with IBM Storage Scale Firewall considerations for using IBM Spectrum Archive with IBM Storage Scale Firewall recommendations for call home Examples of how to open firewall ports
¹For firewall settings for cloud services see Table 6.