Security settings

Use the Security settings option to view security settings for the IBM® TS7700 Grid. You can also use the Security settings page to access pages to add, modify, assign, test, and delete security settings.

Note: The following topic has been added to the TS7700 Service Information Center for reference only. LDAP setup and administration is a customer task. Contact the customer to obtain an LDAP user ID and password.
Session Timeout
Use Session timeout to specify the number of hours and minutes the management interface can be idle before the current session expires and the user is redirected to the login page. A shorter idle timeout limits how long an unattended browser session can be reused by someone else at the same workstation.
Note: You can back up these settings as part of the ts7700_cluster<cluster ID>.xmi file and restore them for later use or for use with another cluster. When the backup settings are restored, new settings are added and existing settings are modified, but no settings are deleted.
To modify the maximum idle time, select values from the Hours and Minutes menus and click Submit Changes.
Hours
The number of hours the management interface can be idle before the current session expires. Possible values for this field are 00 through 23.
Minutes
The number of minutes the management interface can be idle before the current session expires. Possible values for this field are 00 through 55, selected in 5-minute increments.
Report usage Statistics
Use Report usage Statistics to enable or disable usage reporting.

If the "Usage Reporting" setting is shown as Disabled, then click the button to enable usage reporting. If the setting is shown as Enabled, then click the button to disable usage reporting. When changing the setting, usage reporting is enabled or disabled for all users on both the client and server sides.

Note: By default, usage reporting is disabled.
Endpoint identification on LDAPS connections
Use Endpoint identification on LDAPS connections to enable or disable the endpoint identification algorithm for secure LDAP over TLS. With it enabled, the cluster checks that the identity in the LDAP server's certificate matches the address configured in the LDAP authentication policy, not only that the certificate chains to a trusted CA. That check is what stops an attacker who holds a valid certificate for some other host from impersonating the LDAP server; without it, a trusted-but-wrong certificate is accepted.
If Endpoint identification is enabled, make sure that:
  • the LDAP server certificate contains Subject Alternative Names (SANs), and
  • the address in the LDAP authentication policy matches one of those SANs.

If the server's SSL certificate has no SANs, the address in the LDAP policy must match the certificate's Common Name (CN) instead; when SANs are present the CN is not consulted. Configure the policy with the host name (or IP address) exactly as it appears in the certificate, and use the Test action on the policy before assigning it: a mismatch makes every LDAP login fail.
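The matching rule above, as an added example that is not TS7700 code: a small Python function that applies the SAN-first, CN-only-as-fallback rule to a certificate in the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns. The sample certificates and the helper names are constructed for this example; in a real client, ssl.SSLContext with check_hostname enabled performs this check for you.

```python
"""Endpoint identification for an LDAPS connection (added example, not IBM code).

Rule, as stated for the TS7700 setting: if the server certificate carries
Subject Alternative Names, the policy address must match one of them and the
Common Name is ignored; only a certificate with no SANs falls back to the CN.
Certificates use the dict layout of ssl.SSLSocket.getpeercert().
"""
import ipaddress


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID match; '*' may stand in for the leftmost label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the whole leftmost label, must not cover the
    # registrable domain, and may match exactly one label (no 'a.b' for '*').
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _as_ip(value: str):
    """Return an ip_address object for a literal IP, or None for a host name."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def endpoint_matches(cert: dict, policy_address: str) -> bool:
    """True if policy_address identifies the subject of cert under the SAN/CN rule."""
    sans = cert.get("subjectAltName", ())
    ip = _as_ip(policy_address)
    if sans:
        for kind, value in sans:
            if kind == "DNS" and ip is None and _dns_match(value, policy_address):
                return True
            if kind == "IP Address" and ip is not None and _as_ip(value) == ip:
                return True
        return False  # SANs present: a matching CN does not rescue the connection
    # No SANs at all: fall back to the subject's Common Name (host names only).
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return ip is None and _dns_match(value, policy_address)
    return False


# Constructed sample certificates for the example (same layout as getpeercert()).
CERT_WITH_SANS = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (
        ("DNS", "ldap.example.com"),
        ("DNS", "*.corp.example.com"),
        ("IP Address", "10.0.0.5"),
    ),
}
CERT_CN_ONLY = {
    "subject": ((("commonName", "ldap-legacy.example.com"),),),
}
# SANs present but the CN names a different host: the CN must be ignored.
CERT_CN_NOT_IN_SANS = {**CERT_WITH_SANS, "subject": ((("commonName", "cnonly.example.com"),),)}


def sample_results() -> dict:
    """Evaluate representative policy addresses against the constructed certificates."""
    return {
        "san-exact": endpoint_matches(CERT_WITH_SANS, "LDAP.example.com"),
        "san-wildcard": endpoint_matches(CERT_WITH_SANS, "dc1.corp.example.com"),
        "san-wildcard-too-deep": endpoint_matches(CERT_WITH_SANS, "a.b.corp.example.com"),
        "san-ip": endpoint_matches(CERT_WITH_SANS, "10.0.0.5"),
        "san-wrong-host": endpoint_matches(CERT_WITH_SANS, "ldap.other.example"),
        "cn-fallback": endpoint_matches(CERT_CN_ONLY, "ldap-legacy.example.com"),
        "cn-ignored-when-sans": endpoint_matches(CERT_CN_NOT_IN_SANS, "cnonly.example.com"),
    }


if __name__ == "__main__":
    for name, ok in sample_results().items():
        print(f"{name:24s} {'match' if ok else 'MISMATCH'}")
```

The "cn-ignored-when-sans" case is the one that surprises people: a certificate whose CN is correct but whose SAN list omits the configured address fails endpoint identification, which is why the page tells you to check the SANs first.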

SP800-131A Compliance
Use SP800-131A Compliance to meet the requirements defined in National Institute of Standards and Technology (NIST) Special Publication 800-131A. SP 800-131A strengthens security by specifying which cryptographic algorithms may be used and the minimum key lengths and security strengths they must provide.

Set the property to transition to request SP800-131A transition compliance, which still permits the older algorithms and protocol versions that SP 800-131A allowed during its transition period.

Set the property to strict to allow only strict adherence to the SP800-131A recommendation.
Note: When strict is selected, the SSL/TLS Level under the SSL Settings section is set to TLS 1.2.

SSL Settings
Use SSL Settings to set the SSL/TLS Level. There are only two choices: TLS 1.0 (transition) and TLS 1.2 (strict). The default setting is TLS 1.0. TLS 1.0 and TLS 1.1 are deprecated (RFC 8996), so select TLS 1.2 unless a client that cannot be updated still depends on TLS 1.0, and confirm beforehand that every browser and automation client that reaches the Management Interface supports TLS 1.2.

If your browser does not support TLS 1.2 and HTTPS-only is enabled (that is, HTTP is disabled under HTTP Settings), a warning message is displayed. The message tells you that you might lose access to the Management Interface if you continue.
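The two levels expressed as client TLS configuration, as an added example that is not TS7700 code: the weak "transition" floor beside the "strict" floor, plus a helper that classifies the protocol version a connection actually negotiated. The level names reuse the page's two settings; the function names are this example's own, and the optional probe assumes you supply the Management Interface host and port.

```python
"""TLS floor for the two TS7700 SSL/TLS levels (added example, not IBM code).

'transition' mirrors the default: TLS 1.0 is the minimum accepted version.
'strict' mirrors the SP800-131A strict setting: TLS 1.2 is the minimum.
Neither caps the maximum, so a TLS 1.3 peer is still accepted by both.
"""
import socket
import ssl

# Minimum protocol version implied by each level on the page.
LEVEL_FLOOR = {
    "transition": ssl.TLSVersion.TLSv1,    # weak: accepts deprecated TLS 1.0/1.1
    "strict": ssl.TLSVersion.TLSv1_2,      # hardened: TLS 1.2 and later only
}

# Protocol names as returned by ssl.SSLSocket.version(), oldest first.
_VERSION_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def make_client_context(level: str) -> ssl.SSLContext:
    """Client context that verifies the chain and host name and enforces the level's floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    try:
        ctx.minimum_version = LEVEL_FLOOR[level]
    except ValueError:
        # Assumption: some OpenSSL builds compile TLS 1.0 out entirely and
        # refuse it as a floor; then the context can only run in strict mode.
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def session_meets_level(negotiated: str, level: str) -> bool:
    """Does a negotiated version string (e.g. 'TLSv1.2') satisfy the level's floor?"""
    floor_name = {"transition": "TLSv1", "strict": "TLSv1.2"}[level]
    if negotiated not in _VERSION_ORDER:
        return False  # SSLv3 or an unknown string never satisfies either level
    return _VERSION_ORDER.index(negotiated) >= _VERSION_ORDER.index(floor_name)


def probe(host: str, port: int = 443, level: str = "strict") -> str:
    """Connect to host:port with the level's context and report the negotiated version.

    Not run offline; point it at your Management Interface to confirm what the
    SSL Settings change actually produced. A handshake failure under 'strict'
    means the server still offers only TLS 1.0/1.1.
    """
    ctx = make_client_context(level)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    for lvl in LEVEL_FLOOR:
        print(lvl, "floor:", make_client_context(lvl).minimum_version.name)
```

Use probe() from a workstation after changing the level: if the strict context negotiates TLSv1.2 or TLSv1.3, the setting took effect; if the transition context negotiates TLSv1, the interface is still accepting a deprecated version.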

HTTP Settings
Use this section to change HTTP enablement. If the "HTTP for web" setting is shown as Disabled, then click the button to enable HTTP. If the setting is shown as Enabled, then click the button to disable HTTP. Plain HTTP carries the Management Interface login and session in clear text, so leave it disabled unless you have a specific need for it.

If you change the HTTP settings, the TS7700 Management Interface restarts. All users that are logged on at the time lose their connection to the Management Interface and must log in again.

Authentication Policies
Use this table to view and manage authentication policies for the grid. You can add, modify, assign, test, and delete the authentication policies that determine how users are authenticated to the TS7700 Management Interface. Each cluster is assigned a single authentication policy. You must be authorized to modify security settings before you can change authentication policies.
There are two categories of authentication policies: Local, which replicates users and their assigned roles across a grid, and External, which stores user and group data on a separate server and maps relationships between users, groups, and authorization roles when a user logs in to a cluster. External policies include Storage Authentication Service policies and Direct LDAP (Lightweight Directory Access Protocol) policies.
Important: A restore operation following a backup of cluster settings does NOT restore or otherwise modify any user, role, or password settings defined by a security policy.
Note: When operating at microcode level 8.20.x.x or 8.21.0.63–8.21.0.119 with Storage Authentication Service enabled, a 5-minute web server outage occurs when a service person logs in to the machine.

Policies can be assigned on a per cluster basis; one cluster can employ local authentication, while a different cluster within the same grid domain can employ an external policy. Additionally, each cluster in a grid can operate its own external policy. However, only one policy can be enabled on a cluster at a time.

The Authentication Policies table displays the following information:
Policy Name
The name of the policy that defines the authentication settings. The policy name is a unique value that is composed of one to 50 Unicode characters. Leading and trailing blank spaces are trimmed, though internal blank spaces are permitted. The name of the Local policy is "Local". Authentication policy names, whether Local or user-created, cannot be modified after creation.
Type
The policy type. Possible values are:
Local
A policy that replicates authorization based on user accounts and assigned roles. It is the default authentication policy. When enabled, it is in effect for all clusters on the grid. If Storage Authentication Service is enabled, the Local policy is disabled. This policy can be modified to add, change, or delete individual accounts, but the policy itself cannot be deleted.
External
Policies that map user, group, and role relationships upon user login. External policies can be modified. However, they cannot be deleted while in use on any cluster. External policies include:
Storage Authentication Service
A centrally managed, role-based access control (RBAC) policy that uses the System Storage Productivity Center to authenticate users against an LDAP server and to authorize them.
LDAP
An RBAC policy that authenticates and authorizes users through direct communication with an LDAP server.
Clusters
The clusters for which the authentication policy is enabled. Cluster names are only displayed for policies that are enabled and assigned. Only one policy can be assigned to a cluster at a time.
Allow IBM Support
The type of access that is granted to IBM service representatives for service support. This access is most often used to reset the cluster authentication policy to Local.
Note: If an IBM service representative resets a cluster authentication policy to Local, the Local authentication policy is enabled on all clusters in the grid, regardless of previous LDAP policy settings. Previously enabled LDAP policies are disabled and should be reenabled following resolution of any LDAP authentication issue.
Possible values include:
Physical
IBM service representatives can log in physically without LDAP credentials to connect to the cluster. At least one IBM representative must have physical access to the cluster. An onsite IBM representative can grant temporary remote access to an off-site IBM representative. This is the recommended option.
Remote
IBM service representatives can log in remotely without LDAP credentials to connect to the cluster.
Important: If this field is blank for an enabled policy, then no IBM support options were selected for the policy when it was created or last modified. If the policy is a Storage Authentication Service or LDAP policy, IBM service personnel must log in using LDAP login credentials that are obtained from the system administrator. If the LDAP server is inaccessible, IBM service representatives cannot access the cluster.