Managing security settings

This topic provides instructions for managing security settings.

About this task

Use the Security Settings page to create, modify, delete, and assign authentication policies. There are two types of authentication policy: Storage Authentication Service (SAS), which uses System Storage™ Productivity Center as an LDAP proxy, and Direct LDAP, which binds directly to a Microsoft Active Directory LDAP server.

Note: Only the customer user and users with the administration role can modify Security Settings, SSL Certificates, and Roles Management.
Supported Certificate File Types:
TSSC/IMC accepts the following types of certificates, which are based on the X.509 standard.
  • Base64-encoded X.509 Certificate (.cer, .pem or .crt)
  • DER-encoded binary X.509 Certificate (.cer, .der or .crt)

    Supported One-way Hash Functions (the hash used in the certificate signature)

  • MD5, SHA, SHA1, SHA224, SHA256, SHA384 and SHA512

    Note: MD5 and SHA-1 (listed above as SHA and SHA1) are accepted for compatibility only. Collisions are practical for both, so a certificate signed with them does not reliably bind the server name to its key. Request certificates signed with SHA-256 or stronger for the authentication servers.

    Supported Signature Algorithms (for public keys contained in a certificate)

  • RSA, DSA, ECDSA
The following file types are not supported:
  • Cryptographic Message Syntax Standard (PKCS#7) Certificate (.p7b, .p7r or .spc)

    (Generally used by a CA to deliver a certificate chain to clients.)

  • Certificate Revocation List (.crl extension)

    (Identifies whether a certificate has been revoked.)
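Before a file is uploaded on the SSL Certificates page it is worth knowing which of the types above it is and what hash its signature uses, because the console accepts MD5 and SHA-1 without complaint. The following script is an added example and is not part of the TSSC/IMC documentation or product; it assumes openssl is on PATH for the parts that parse the certificate, and it classifies the file with the same names the list above uses (PEM for Base64, DER for binary). It also unpacks a PKCS#7 bundle into the individual PEM certificates the console does accept.

```shell
#!/bin/sh
# Pre-upload checks for a certificate destined for the SSL Certificates page.
# Added example; assumes openssl is available for the ASN.1 parsing parts.

# Classify a file as PEM, DER, PKCS7 or UNKNOWN by its encoding.
cert_format() {
    f=$1
    if grep -qF -e '-----BEGIN PKCS7-----' "$f" 2>/dev/null; then
        echo PKCS7; return 0
    fi
    if grep -qF -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        echo PEM; return 0
    fi
    # A DER file starts with the ASN.1 SEQUENCE tag 0x30. X.509 and PKCS#7
    # both do, so let openssl decide which one it is.
    if [ "$(od -An -tx1 -N1 "$f" 2>/dev/null | tr -d ' \n')" = 30 ]; then
        if openssl x509 -inform DER -in "$f" -noout >/dev/null 2>&1; then
            echo DER; return 0
        fi
        if openssl pkcs7 -inform DER -in "$f" -noout >/dev/null 2>&1; then
            echo PKCS7; return 0
        fi
    fi
    echo UNKNOWN
}

# Signature algorithm as openssl names it, e.g. sha256WithRSAEncryption or
# ecdsa-with-SHA256. Empty output means the file could not be parsed.
cert_sig_alg() {
    f=$1
    inform=PEM
    [ "$(cert_format "$f")" = DER ] && inform=DER
    openssl x509 -inform "$inform" -in "$f" -noout -text 2>/dev/null |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# Accept only signature hashes that are still collision resistant. The
# console accepts MD5 and SHA-1 itself, so this is the check it does not do.
sig_hash_ok() {
    case $1 in
        '') echo "no signature algorithm found" >&2; return 1 ;;
        *[mM][dD][245]*|*[sS][hH][aA]1*|*[sS][hH][aA])
            echo "weak signature hash: $1" >&2; return 1 ;;
        *) return 0 ;;
    esac
}

cert_sig_ok() {
    sig_hash_ok "$(cert_sig_alg "$1")"
}

# The console rejects PKCS#7 bundles; unpack one into the PEM certificates
# it carries so each can be added on the SSL Certificates page separately.
pkcs7_to_pem() {
    in=$1 out=$2
    inform=DER
    grep -qF -e '-----BEGIN PKCS7-----' "$in" 2>/dev/null && inform=PEM
    openssl pkcs7 -inform "$inform" -in "$in" -print_certs -out "$out"
}

# DER to PEM, for tools that want the Base64 form.
der_to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# Usage: sh certcheck.sh FILE
if [ -n "$1" ]; then
    fmt=$(cert_format "$1")
    echo "format: $fmt"
    case $fmt in
        PEM|DER) echo "signature: $(cert_sig_alg "$1")"
                 cert_sig_ok "$1" && echo "signature hash: OK" ;;
        PKCS7)   echo "PKCS#7 bundle: run pkcs7_to_pem $1 certs.pem, then add each certificate" ;;
        *)       echo "not a certificate type the console accepts" ;;
    esac
fi
```

The format check needs no openssl at all; only cert_sig_alg and the converters call it. A weak-hash result from cert_sig_ok is the cue to ask the directory or SAS administrator for a re-issued certificate rather than uploading the one in hand.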

Procedure

  1. From the System console management GUI, select Console Settings > Security Settings.
  2. Enter values for any of the optional fields you want to define:
    Policy Name
    The name of the policy that defines the authentication settings. The policy name is a unique value that is composed of one to 50 Unicode characters. Blank spaces and special characters are not permitted.
    Primary Server URL
    The primary URL for the Storage Authentication Service. The value in this field is composed of one to 254 Unicode characters and takes one of the following formats:
         https://<server_address>:secure_port/TokenService/services/Trust
         ldaps://<server_address>:secure_port
         ldap://<server_address>:port
    Note: Over ldap:// the bind password and every user's password cross the network in clear text. Use ldaps:// unless the LDAP server cannot be reached over TLS.
    Note: If the server address is a host name rather than an IP address, you must activate and configure a DNS server on the Console Settings > IP Settings page so that the console can resolve it.
    Alternate Server URL
    The alternate URL for the Storage Authentication Service if the primary URL cannot be accessed. The value in this field is composed of one to 254 Unicode characters and takes one of the following formats:
         https://<server_address>:secure_port/TokenService/services/Trust
         ldaps://<server_address>:secure_port
         ldap://<server_address>:port
    The server address value in the Primary or Alternate Server URL can be an IP or DNS address. Valid IP formats include:
    IPv4
    Is 32 bits long, consists of four decimal numbers, each ranging from 0 to 255, separated by periods, like:
         98.104.120.12
    IPv6
    Is a 128-bit value written as eight 16-bit hexadecimal fields separated by colons and enclosed in brackets, like:
          [3afa:1910:2535:3:110:e8ef:ef41:91cf]
    Leading zeros can be omitted in each field, so that :0003: can be written as :3:. A double colon (::) can be used once per address to replace multiple fields of zeros. For example,
    
         [3afa:0:0:0:200:2535:e8ef:91cf]
         can be written as:
         [3afa::200:2535:e8ef:91cf]
    

    If the Primary or Alternate Server URL uses the https protocol, a certificate for that address must be defined on the SSL Certificates page or retrieved with Retrieve Certificate.

    Policy Scope

    Select the scope of the policy as follows:

    • Remote: The authentication policy applies only to remote access
    • Local: The authentication policy applies only to local access (login directly on the machine)
    • Both: The authentication policy applies to both local and remote access
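The three URL formats and the IP address rules above are easy to get subtly wrong (an IPv6 literal without brackets, a missing port, an SAS URL without its path), and the GUI reports the failure only when the policy is tested. The following script is an added example, not part of the TSSC/IMC documentation or product; it checks a candidate Primary or Alternate Server URL against exactly the formats listed above before you type it in, and prints the same warnings a reviewer would raise: that ldap:// carries passwords in clear text and that an https URL needs its certificate on the SSL Certificates page. The host names in the usage line are made up for the example.

```shell
#!/bin/sh
# Validate a Primary/Alternate Server URL before entering it in the policy.
# Added example; hosts and ports used in comments and tests are invented.

# True when the argument is a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Prints "scheme kind host port" and returns 0 when the URL matches one of
# the three accepted formats; returns 1 with a reason on stderr otherwise.
# kind is ipv4, ipv6 or hostname.
check_server_url() {
    url=$1
    case $url in
        *://*) ;;
        *) echo "reject: no scheme in '$url'" >&2; return 1 ;;
    esac
    scheme=${url%%://*}
    rest=${url#*://}
    hostport=${rest%%/*}
    path=${rest#"$hostport"}
    case $hostport in
        \[*\]:*) host=${hostport%%]*}]; port=${hostport##*]:} ;;   # [IPv6]:port
        \[*)     echo "reject: IPv6 literal must be written [addr]:port" >&2; return 1 ;;
        *:*:*)   echo "reject: unbracketed IPv6 literal '$hostport'" >&2; return 1 ;;
        *:*)     host=${hostport%%:*}; port=${hostport##*:} ;;
        *)       echo "reject: a port is required in '$url'" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "reject: bad port '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "reject: port $port out of range" >&2; return 1
    fi
    case $host in
        \[*\])     kind=ipv6 ;;
        *[!0-9.]*) kind=hostname
                   echo "note: host name; DNS must be configured under Console Settings > IP Settings" >&2 ;;
        *)         is_ipv4 "$host" || { echo "reject: bad IPv4 address '$host'" >&2; return 1; }
                   kind=ipv4 ;;
    esac
    case $scheme in
        https)
            if [ "$path" != /TokenService/services/Trust ]; then
                echo "reject: SAS URL must end in /TokenService/services/Trust" >&2; return 1
            fi
            echo "note: https needs the server certificate on the SSL Certificates page" >&2 ;;
        ldaps)
            [ -z "$path" ] || { echo "reject: ldaps URL takes no path" >&2; return 1; } ;;
        ldap)
            [ -z "$path" ] || { echo "reject: ldap URL takes no path" >&2; return 1; }
            echo "warning: ldap:// sends the bind password and user passwords in clear text" >&2 ;;
        *)  echo "reject: unsupported scheme '$scheme'" >&2; return 1 ;;
    esac
    printf '%s %s %s %s\n' "$scheme" "$kind" "$host" "$port"
}

# Usage: sh urlcheck.sh 'ldaps://[3afa::200:2535:e8ef:91cf]:636'
if [ -n "$1" ]; then
    check_server_url "$1"
fi
```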

What to do next

Creating a Storage Authentication Service (SAS) policy or Direct LDAP policy:

  1. Click New Policy in the Policy Configuration panel to enable the configuration fields.
  2. Select the policy type SAS or Direct LDAP.
  3. Enter values for the following required fields:

Server Authentication

Values in the following fields are required if WebSphere® Application Server security is enabled on the WebSphere Application Server hosting the Authentication Service.

User ID

The user name used with HTTP basic authentication for authenticating to the Storage Authentication Service. This field supports a maximum length of 254 Unicode characters.

Password

The password used with HTTP basic authentication for authenticating to the Storage Authentication Service. This field supports a maximum length of 254 Unicode characters.

Direct LDAP

Values in the following fields are required.

User Distinguished Name

The user distinguished name used to authenticate to the LDAP authentication service. This field supports a maximum length of 254 Unicode characters. For example:


     CN=Administrator,CN=users,DC=mycompany,DC=com

If you selected Direct LDAP in step 2, enter values for the LDAP Attributes:

Base Distinguished Name

The LDAP base distinguished name (Base DN) is the entry under which the console searches for both users and groups. This field is required but blank by default. The value in this field is composed of one to 254 Unicode characters.

Example: DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com

Bind Distinguished Name (Optional)

The LDAP bind distinguished name (Bind DN) is the directory account the console binds as to gain read access to the directory. Most LDAP servers do not allow anonymous binds, so a Bind DN and its password must be specified for simple authentication. Use a dedicated read-only service account rather than an administrator account; this credential is stored on the console. The value in this field is composed of one to 254 Unicode characters.

Example: CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com

Bind Password (Optional)

The bind password must be specified for the Bind DN in case of simple authentication.

Username Attribute

The attribute name that is used for the username during authentication. This field is required and contains the value uid by default. The value in this field is composed of one to 61 Unicode characters.

Example: For the following Microsoft Active Directory entry, either "cn" or "sAMAccountName" can be specified as the username attribute. sAMAccountName is the attribute Active Directory itself uses for logon and is unique within the domain; cn is unique only within its container, so two users in different OUs can share a cn.

$ ldapsearch -x -H ldaps://beat.gdl.mex.ibm.com:636 -w "*********" \
    -D "CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com" \
    -b "DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com" "(&(objectClass=person)(cn=FVT3))"
....
dn: CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....
objectClass: person
....
objectClass: user
cn: FVT3
....
distinguishedName: CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....
sAMAccountName: FVT3
.....

Group Member Attribute

The attribute name that is used to identify group members. The group members in this attribute must be provided as the user distinguished name (CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com for example.). This field is optional and contains the value member by default. This field can contain up to 61 Unicode characters.

Example: For the following Microsoft Active Directory group, "member" can be specified as the group member attribute.

$ ldapsearch -x -H ldaps://beat.gdl.mex.ibm.com:636 -w "*********" \
    -D "CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com" \
    -b "DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com" "(&(objectClass=group)(cn=TS4500_NEW))"
....
dn: CN=TS4500_NEW,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....
objectClass: group
cn: TS4500_NEW
member: CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
member: CN=RVT2,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....

Group Name Attribute

The attribute name that is used to identify the group during authorization. This field is optional and contains the value cn by default. This field can contain up to 61 Unicode characters.

Example: For the following Microsoft Active Directory group, either "cn" or "sAMAccountName" can be specified as the group name attribute.

$ ldapsearch -x -H ldaps://beat.gdl.mex.ibm.com:636 -w "*********" \
    -D "CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com" \
    -b "DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com" "(&(objectClass=group)(cn=TS4500_NEW))"
....
dn: CN=TS4500_NEW,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....
objectClass: group
cn: TS4500_NEW
member: CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
member: CN=RVT2,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....
distinguishedName: CN=TS4500_NEW,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....
sAMAccountName: TS4500_NEW
....

Username filter

Used to filter and verify validity of an entered username. This field is optional and contains the value (cn=*) by default. This field can contain up to 254 Unicode characters.

Example: Refer to the attribute values of each user entry.
"(cn=*)", "(cn={0})", "(objectClass=user)" or "(objectClass=person)" can be specified as the filter. In "(cn={0})", {0} stands for the username entered at login.

$ ldapsearch -x -H ldaps://beat.gdl.mex.ibm.com:636 -w "*********" \
    -D "CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com" \
    -b "DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com" "(&(objectClass=person)(cn=FVT3))"
....
dn: CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....
objectClass: person
....
objectClass: user
cn: FVT3
....
distinguishedName: CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....
sAMAccountName: FVT3
.....

Group Name filter

Used to filter and verify validity of an entered group name. This field is optional and contains the value (cn=*) by default. This field can contain up to 254 Unicode characters.

Example: Refer to the attribute values of each group entry.
"(cn=*)" or "(objectClass=group)" can be specified as the filter.

$ ldapsearch -x -H ldaps://beat.gdl.mex.ibm.com:636 -w "*********" \
    -D "CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com" \
    -b "DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com" "(&(objectClass=group)(cn=TS4500_NEW))"
....
dn: CN=TS4500_NEW,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
objectClass: group
cn: TS4500_NEW
member: CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....
member: CN=FVT2,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....
member: CN=FVT,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
distinguishedName: CN=TS4500_NEW,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....
sAMAccountName: TS4500_NEW
....
Note: These fields will depend on the customer's individual network configuration. Consult with the customer to collect the necessary values.
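The ldapsearch examples above hard-code the user and group names in the filter. At login the console substitutes the name a user typed, which is where an unescaped "*", "(" or ")" would change the meaning of a filter such as "(cn={0})". The following script is an added example and not part of the TSSC/IMC documentation or product; it shows how the Username filter, Username attribute, Group Name filter and Group Name attribute combine into a search filter, escapes the substituted value per RFC 4515, and prints the ldapsearch command line for testing a Direct LDAP policy by hand with the bind password prompted for (-W) instead of passed on the command line. How the console itself composes its queries is not documented here; the filter shape below follows the ldapsearch examples above and is an assumption. The DNs used are the ones from those examples.

```shell
#!/bin/sh
# Build the LDAP filters a Direct LDAP policy implies and the ldapsearch
# command to test them by hand. Added example; the filter shape is assumed.

# Escape a value for use inside a search filter (RFC 4515 section 3):
# backslash first, then the metacharacters * ( ). NUL cannot appear in a
# shell string, so it is not handled.
ldap_filter_escape() {
    printf '%s' "$1" |
        sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Combine a policy filter with the attribute match for the entered name:
#   template  Username filter or Group Name filter from the policy,
#             e.g. "(cn={0})" or "(objectClass=person)"
#   attr      Username attribute or Group Name attribute, e.g. sAMAccountName
#   raw       the name as typed at the login prompt (unescaped)
# {0}, when present, is replaced by the escaped name. Substituting the raw
# name instead would let a login name of "*" match every entry.
build_filter() {
    template=$1 attr=$2 raw=$3
    ph='{0}'
    v=$(ldap_filter_escape "$raw")
    case $template in
        *"$ph"*) f=${template%%"$ph"*}$v${template#*"$ph"} ;;
        *)       f=$template ;;
    esac
    printf '(&%s(%s=%s))' "$f" "$attr" "$v"
}

# The ldapsearch invocation to verify Base DN, Bind DN and a filter from a
# workstation. -W prompts for the bind password; -w on the command line
# leaves it in shell history and in `ps` output.
ldap_search_cmd() {
    host=$1 base=$2 bind=$3 filter=$4
    printf 'ldapsearch -x -H ldaps://%s:636 -W -D "%s" -b "%s" "%s"\n' \
        "$host" "$bind" "$base" "$filter"
}

# Usage: sh ldapfilter.sh HOST BASE_DN BIND_DN USERNAME
if [ $# -eq 4 ]; then
    ldap_search_cmd "$1" "$2" "$3" "$(build_filter '(objectClass=person)' sAMAccountName "$4")"
fi
```

Running the printed command with the policy's real Bind DN is also a quick least-privilege check: a read-only service account should be able to find the user and group entries but not modify them.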

4. Click Save Changes to save the policy.

5. To retrieve the certificate, click Retrieve Certificate. To confirm that it was successful, select the SSL Certificates tab at the top of the page.
Note: The Retrieve Certificate option retrieves certificates for both the primary and alternate server. It stores whatever certificate the server presents at that moment, so compare the stored certificate with the one the administrator of that server provides before you test and assign the policy.

Edit Policy

  1. In the Authentication Policies Panel, select the policy to be edited.
  2. Click Edit Policy, the fields will be enabled in the Policy Configuration panel.
  3. Make the changes.
  4. Click Save Changes.
Notes:
  • If the URL changed, retrieve the certificate again
  • If the policy name changed, a new policy is created
  • You are required to re-enter the Authentication Password to save any changes made to SAS policies
  • Every time a policy is edited, it must be re-tested before it can be assigned as the active policy

Test Policy

This section is to test policies already saved. With this function you can verify that the configuration of the policy is correct.

  1. Enter a valid user ID and password.
  2. Click Test.
Notes:
  • This function is only available on policies already saved.
  • Before assigning a policy, test it to guarantee a correct login.

Assign Policy

  1. In the Authentication Policies Panel select the policy.
  2. Test the policy in the right panel at the bottom to make sure that it is correctly configured.
  3. Click Assign Policy in the Authentication Policies panel.
Notes:
  • If the policy has not been tested, you will not be able to assign it.
  • Only one policy can be active at a time.

Delete Policy

  1. In the Authentication Policies Panel select the policy to delete.
  2. Click Delete Policy.
Note: When LDAP authentication is enabled, remote and local access are controlled by the LDAP server. Service access requires the user to authenticate through the normal service login and then authenticate again using the IBM service representative Direct LDAP Policy.

System Storage Productivity Center and Spectrum Control

You can use the System Storage Productivity Center (SSPC), a server operating with the Spectrum Control software, as an LDAP proxy to enforce Access Controls on the TSSC.

Native LDAP

You can use a Microsoft Active Directory (MSAD) Lightweight Directory Access Protocol (LDAP) server directly to centrally manage access controls on the TSSC.

Certificates

Use this page to display, add, and delete SSL Certificates.

If any SSL certificates have been retrieved, they are displayed in the SSL Certificates area on the Certificates page.

Add SSL Certificate

  1. Enter an Alias for the Certificate.
  2. Type the URL.
  3. Type the port.
  4. Click Retrieve Certificate.

Delete SSL Certificate

  1. Select an SSL Certificate.
  2. Click Delete Selected Entry.