System Storage Productivity Center and Spectrum Control Storage Authentication Service

You can use the System Storage Productivity Center (SSPC), a server operating with the Spectrum Control software, as an LDAP proxy to enforce Role-Based Access Controls (RBAC) on the TS7700. This topic describes the Storage Authentication Service (SAS), which is an option for web login requests on the TS3500 tape system.

Note: The following topic has been added to the TS7700 Service Information Center for reference only. LDAP setup and administration is a customer task. Contact the customer to obtain an LDAP user ID and password.

Remote authentication is supported on a TS7700 by using the Spectrum Control Secure Authentication Service (SAS) client and server, together with the WebSphere® Federated Repositories. The TS7700 must connect either to a System Storage Productivity Center (SSPC) appliance or to a server running Spectrum Control (formerly Tivoli Productivity Center, TPC). The SAS client is integrated into the TS7700 microcode, while the SAS server and the WebSphere Federated Repositories are integrated into Spectrum Control. Spectrum Control is available as a software-only package or as an integrated solution on the SSPC appliance.

When SAS is enabled, the TS7700 passes user authentication requests to the SAS server on the SSPC or Spectrum Control, which forwards them to the customer's Lightweight Directory Access Protocol (LDAP) server, such as a Microsoft Active Directory (MSAD) server. The MSAD server then authenticates the user ID and password; if they are valid, one or more user groups are returned. The TS7700 then assigns the user a role based on the LDAP or MSAD group.

This central repository allows you to accomplish the following security tasks from a single interface, without logging in to each individual machine or TS3500 tape system:
  • Add or remove a user
  • Reset or change a password
  • Assign, change, or delete the role (LDAP or MSAD group) of a user

A central repository can also simplify the process of responding to new security requirements for one or more tape libraries. For instance, rules for passwords can be changed in one location without reconfiguring multiple, affected machines. By comparison, when local authentication is employed, each individual machine maintains an internal database of user IDs, with corresponding passwords and roles.

LDAP dependency

The WebSphere Federated Repositories component of the SSPC or Spectrum Control receives authentication requests from attached devices, such as the TS7700 or the TS3500 tape system, through the SAS. The SAS passes the user ID and password information to the MSAD server. The MSAD server returns the authentication status to the SSPC or Spectrum Control, which forwards it through the SAS to the requesting device. The MSAD server that is attached to the SSPC or Spectrum Control manages the following information:
User ID
A string to identify a specific user
User password
A password for each user ID
Groups
Strings to identify one or more groups of users. The TS7700 can assign a group of users a particular role; the TS3500 tape system maps each LDAP group to a TS3500 tape system role.
Each user is defined as a member of one or more groups, meaning the user assumes the roles defined by those groups.
Notes:
  • The User ID and User password cannot exceed 15 characters. LDAP users that exceed this maximum cannot authenticate to the TS3500 tape system web interface when SAS is enabled.
  • The maximum length of a Group is 15 characters. Groups exceeding 15 characters in length will not map to a defined role in the TS3500 tape system.

Mapping groups to roles

When a user is successfully authenticated by using the Storage Authentication Service (SAS) client, the resulting user information includes a list of groups the user belongs to. You can use the TS7700 Management Interface to define how groups are mapped to roles. For successful authorization, at least one LDAP group in the list must have the same name as a role that is defined in the TS3500 Tape Library. The first LDAP group to match a role determines the role of the user. Avoid ambiguity of multiple matches by making sure that only one group matches a role in the TS3500 Tape Library.
Note: Before firmware level A040, a user in an Admin LDAP group is required to enable and disable SAS.
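The following is an added illustration of the authentication flow and the group-to-role mapping rule described in the LDAP dependency and Mapping groups to roles sections. It is not TS7700, TS3500 or Spectrum Control code: the in-memory directory, the user entries, the role names and the group names are all constructed for the example, and the 15-character limit is the one stated in the notes above. It models the three outcomes a practitioner needs to distinguish: credentials rejected by the directory, credentials accepted but no group matching a defined role (authorization fails), and a successful login where more than one group matches a role (the first match wins, and the others are reported so the ambiguity can be cleaned up in the directory).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_LEN = 15  # limit on user ID, password and group name stated in the notes above

# Constructed stand-in for the customer's LDAP/MSAD directory (example entries only;
# a real SAS server forwards the bind to the directory server over LDAP).
DIRECTORY: Dict[str, Dict] = {
    "alice": {"password": "Secr3t!", "groups": ["TapeOperators", "admin"]},
    "bob":   {"password": "pw", "groups": ["EnterpriseBackupTeam", "readonly"]},
    "carol": {"password": "x", "groups": ["backup", "admin"]},
    "dave":  {"password": "d", "groups": ["TapeOperators"]},
}

# Constructed role names; the real set of roles is defined on the library.
ROLES: List[str] = ["admin", "readonly", "backup"]


@dataclass
class AuthResult:
    authenticated: bool            # directory accepted the user ID and password
    role: Optional[str] = None     # role assigned from the first matching group
    reason: str = ""               # why authentication or authorization failed
    extra_matches: List[str] = field(default_factory=list)  # other groups that also name a role


def directory_bind(user_id: str, password: str) -> Optional[List[str]]:
    """Simulate the MSAD bind made on behalf of the SAS server.
    Returns the user's group list on success, or None if the credentials are rejected."""
    entry = DIRECTORY.get(user_id)
    if entry is None or entry["password"] != password:
        return None
    return list(entry["groups"])


def map_groups_to_role(groups: List[str], roles: List[str] = ROLES) -> Tuple[Optional[str], List[str]]:
    """Apply the mapping rule from the text: the first group whose name equals a
    defined role determines the role. Groups longer than MAX_LEN never map to a role.
    Returns (chosen role or None, all matching groups) so callers can spot ambiguity."""
    matches = [g for g in groups if len(g) <= MAX_LEN and g in roles]
    return (matches[0] if matches else None), matches


def authenticate(user_id: str, password: str) -> AuthResult:
    """Full flow: length checks, directory bind, then group-to-role mapping."""
    if len(user_id) > MAX_LEN or len(password) > MAX_LEN:
        return AuthResult(False, reason="user ID or password exceeds 15 characters")
    groups = directory_bind(user_id, password)
    if groups is None:
        return AuthResult(False, reason="directory rejected the credentials")
    role, matches = map_groups_to_role(groups)
    if role is None:
        # Authenticated by the directory, but no group names a defined role:
        # authorization fails and the web login is refused.
        return AuthResult(True, reason="no LDAP group matches a defined role")
    return AuthResult(True, role=role, extra_matches=matches[1:])


if __name__ == "__main__":
    for uid, pw in [("alice", "Secr3t!"), ("bob", "pw"), ("carol", "x"),
                    ("dave", "d"), ("alice", "wrong")]:
        print(uid, authenticate(uid, pw))
```

Note that `bob` still logs in with the `readonly` role even though his first group is too long to match anything, which is the silent failure mode the second note warns about: a group that exceeds 15 characters is simply never considered. `carol` shows the ambiguity case; the `extra_matches` list is what an administrator would review to ensure each user resolves to exactly one role.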

For more information about Spectrum Control, visit the web at http://www-03.ibm.com/systems/storage/software/center/index.html. For additional information about Spectrum Control security features, including how to use Microsoft Active Directory for authentication, refer to the Information Center link in the Related information section or visit the web at http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/cwim_fedrepos.html.