Modify External policy
Use this page to modify External policy settings for the IBM® TS7700 Grid.
Note: The following topic has been added to the TS7700 Service Information Center for reference only. LDAP setup and administration is a customer task. Contact the customer to obtain an LDAP user ID and password.
To modify a Storage Authentication Service Policy or LDAP Policy:
- From the Security Settings page, navigate to the Authentication Policies table.
- Select the radio button next to the policy you want to modify.
- Select Modify... from the Select Action drop-down menu.
- Click Go. Note: You cannot modify the Policy Name belonging to any authentication policy.
- Check the options you want to enable for IBM Service Representative access. These settings become active only when the associated policy is assigned to a cluster. You can check both options. Important: These options permit IBM Service Representatives to access a cluster as if no external (SAS or LDAP) policy was in force. When enabled, they create a mechanism by which an IBM Service Representative can reset an authentication policy to resolve a lockout scenario. If no option is checked, IBM Service personnel must log in to the cluster using LDAP credentials obtained from the system administrator. If no option is checked and the LDAP server is inaccessible, IBM Service Representatives cannot access the cluster.
- Allow IBM support to connect if they have physical access (Recommended)
- Check this box to allow an IBM Service Representative to log in physically without LDAP credentials to connect to the cluster. At least one IBM Service Representative must have direct, physical access to the cluster. An onsite IBM Representative can grant temporary remote access to an offsite IBM Representative. This is the recommended option.
- Allow IBM support to connect remotely
- Check this box to allow an IBM Service Representative to log in remotely without LDAP credentials to connect to the cluster.
- Modify values for any of the following fields:
- Primary Server URL
- The primary URL for the Storage Authentication Service. The value in this field is composed of one to 254 Unicode characters and takes one of the following formats (see the notes below):
https://<server_address>:secure_port/TokenService/services/Trust
ldaps://<server_address>:secure_port
ldap://<server_address>:port
Note: If this value is a Domain Name Server (DNS) address, you must activate and configure a DNS on the Cluster network settings page of the TS7700 Customer Information Center.
- Alternate Server URL
- The alternate URL for the Storage Authentication Service if the primary URL cannot be accessed. The value in this field is composed of one to 254 Unicode characters and takes one of the following formats (see the notes below):
https://<server_address>:secure_port/TokenService/services/Trust
ldaps://<server_address>:secure_port
ldap://<server_address>:port
Notes:
- The server address value in the Primary or Alternate Server URL can be an IP or DNS address. Valid IP formats include:
- IPv4
- Is 32 bits long, consists of four decimal numbers, each ranging from 0 to 255, separated by periods, like:
98.104.120.12
- IPv6
- Is a 128-bit long hexadecimal value enclosed by brackets and separated into 16-bit fields by colons, like:
[3afa:1910:2535:3:110:e8ef:ef41:91cf]
Leading zeros can be omitted in each field, so that :0003: can be written as :3:. A double colon (::) can be used once per address to replace multiple fields of zeros. For example, [3afa:0:0:0:200:2535:e8ef:91cf] can be written as [3afa::200:2535:e8ef:91cf].
- IP configurations must match between the machine used to add or modify an External policy and the machine on which that policy will be applied. You cannot use an IPv4 machine to configure an External policy for an IPv6 machine, or vice-versa.
- If the Primary or Alternate Server URL uses the https or ldaps protocol, a certificate for that address must be defined on the SSL Certificates page, as linked in Related Information.
- If no port is specified for an LDAP Primary or Alternate Server URL, the following default ports are used:
- 389 if SSL is not used
- 636 if SSL is used
- Server Authentication
- Values in the following fields are required if WebSphere® Application Server security is enabled on the WebSphere Application Server hosting the Authentication Service, or if anonymous access is disabled on the LDAP server. If WebSphere Application Server security is disabled or anonymous access is enabled on the LDAP server, the following fields are optional:
- User ID
- The user name used with HTTP basic authentication for authenticating to the Storage Authentication Service. This field supports a maximum length of 254 Unicode characters.
- Password
- The password used with HTTP basic authentication for authenticating to the Storage Authentication Service. This field supports a maximum length of 254 Unicode characters.
- Direct LDAP
- Values in the following fields are required if secure authentication is used or anonymous connections are disabled on the LDAP server. Note: LDAP settings are not available for backup or recovery through the backup or restore settings operations.
- User Distinguished Name
- The user distinguished name used to authenticate to the LDAP authentication service. This field supports a maximum length of 254 Unicode characters. For example:
CN=Administrator,CN=users,DC=mycompany,DC=com
- Password
- The password used to authenticate to the LDAP authentication service. This field supports a maximum length of 254 Unicode characters.
- If you selected to modify an LDAP Policy, you can also make changes to any of these LDAP Attributes fields:
- Base Distinguished Name
- The LDAP distinguished name (DN) that uniquely identifies a set of entries in a realm. This field is required but blank by default. The value in this field is composed of one to 254 Unicode characters.
- Username Attribute
- The attribute name used for the username during authentication. This field is required and contains the value uid by default. The value in this field is composed of one to 61 Unicode characters.
- Group Member Attribute
- The attribute name used to identify group members. This field is optional and contains the value member by default. This field can contain up to 61 Unicode characters.
- Group Name Attribute
- The attribute name used to identify the group during authorization. This field is optional and contains the value cn by default. This field can contain up to 61 Unicode characters.
- Username filter
- Used to filter and verify the validity of an entered username. This field is optional and contains the value (uid={0}) by default. This field can contain up to 254 Unicode characters. Note: A DN (Distinguished Name) pattern containing the values uid={0},cn=people,dc=storage,dc=ibm,dc=com can be used instead of a filter. {0} is a placeholder for the actual user name that is registered with the authentication policy.
- Group Name filter
- Used to filter and verify the validity of an entered group name. This field is optional and contains the value (cn={0}) by default. This field can contain up to 254 Unicode characters. Note: A DN (Distinguished Name) pattern containing the values uid={0},cn=groups,dc=storage,dc=ibm,dc=com can be used instead of a filter. {0} is a placeholder for the actual group name that is registered with the authentication policy.
- Click OK to complete the operation. Click Cancel to abandon the operation and return to the Security Settings page.
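The following is an added example, not part of this page or of the TS7700 product code, that checks a Primary/Alternate Server URL against the three accepted formats and the default-port and certificate rules in the notes above, and that fills the {0} placeholder of a Username/Group Name filter or DN pattern with the entered name escaped per RFC 4515 / RFC 4514 so the name cannot alter the filter structure. The https port requirement and the escaping helpers are this example's own assumptions; the page defines no behaviour beyond the formats and defaults it lists.

```python
import ipaddress
from urllib.parse import urlsplit

# Default LDAP ports given on the page: 389 without SSL, 636 with SSL.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
HTTPS_PATH = "/TokenService/services/Trust"


def parse_server_url(url: str) -> dict:
    """Check a Primary/Alternate Server URL against the three accepted
    formats and return its parts; raise ValueError if it fits none."""
    if not 1 <= len(url) <= 254:
        raise ValueError("URL must be 1 to 254 characters long")
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("https", "ldaps", "ldap"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if scheme == "https" and parts.path != HTTPS_PATH:
        raise ValueError(f"https URL must use the path {HTTPS_PATH}")
    if scheme != "https" and parts.path not in ("", "/"):
        raise ValueError("ldap/ldaps URL must not carry a path")
    host = parts.hostname  # urlsplit strips the [] round an IPv6 literal
    if not host:
        raise ValueError("missing server address")
    try:
        kind = f"ipv{ipaddress.ip_address(host).version}"
    except ValueError:
        kind = "dns"  # DNS names need DNS configured on the cluster
    port = parts.port  # None when the URL names no port
    if port is None:
        if scheme == "https":  # the page gives no https default (assumption)
            raise ValueError("https URL needs an explicit secure_port")
        port = DEFAULT_PORTS[scheme]
    return {"scheme": scheme, "host": host, "host_kind": kind, "port": port,
            "needs_certificate": scheme in ("https", "ldaps")}


def build_filter(template: str, name: str) -> str:
    """Fill {0} in a filter such as (uid={0}), escaping the name as
    RFC 4515 requires so it cannot change the filter's structure."""
    esc = "".join(c if c not in '\\*()\x00' else f"\\{ord(c):02x}" for c in name)
    return template.replace("{0}", esc)


def build_dn_pattern(template: str, name: str) -> str:
    """Fill {0} in a DN pattern such as uid={0},cn=people,dc=storage,dc=ibm,dc=com,
    escaping RDN-special characters as RFC 4514 requires."""
    esc = "".join("\\" + c if c in ',+"\\<>;' else c for c in name)
    if esc[:1] in ("#", " "):
        esc = "\\" + esc
    return template.replace("{0}", esc)
```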
The External Policy Users/Groups table defines a role assigned to a user or group of users, as well as the clusters those users or groups can access. To add, modify, or delete a user or group for a Storage Authentication Service or LDAP policy, use the options provided by the External Policy Users/Groups table and described on the Add User, Add Group, Modify Group or User, or Delete Group or User page.