Managing security settings
This topic provides instructions for managing security settings.
About this task
Use the Security Settings page to create, modify, delete, test, and assign authentication policies. There are two types of authentication policy: Storage Authentication Service (SAS), provided by System Storage™ Productivity Center, and Direct LDAP, which uses a Microsoft Active Directory LDAP server directly.
Supported certificate file types
TSSC/IMC accepts the following types of certificates that are based on the X.509 standard:
- Base64-encoded X.509 certificate (.cer, .pem or .crt)
- DER-encoded binary X.509 certificate (.cer, .der or .crt)
Supported one-way hash functions (used with the signature algorithm to sign a certificate):
- MD5, SHA, SHA1, SHA224, SHA256, SHA384 and SHA512 (SHA and SHA1 denote the same algorithm). MD5 and SHA1 are accepted for compatibility only; they are no longer collision resistant, so request certificates that are signed with SHA256 or stronger.
Supported signature algorithms (for the public key contained in a certificate):
- RSA, DSA, ECDSA
The following file types are not supported:
- Cryptographic Message Syntax Standard (PKCS#7) certificate (.p7b, .p7r or .spc). A CA generally uses this format to deliver a certificate chain to clients; extract the individual X.509 certificate from the bundle before adding it.
- Certificate Revocation List (.crl extension). A CRL identifies whether a certificate has been revoked.
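The following script is an added example, not TSSC/IMC code, that checks a certificate file against the rules above before you upload it: it accepts Base64/PEM or DER X.509 files, rejects PKCS#7 bundles and CRLs by their ASN.1 layout, and reports the signature algorithm and hash the certificate was signed with, flagging MD5 and SHA1. It uses only the Python standard library and reads only the outer DER structure; it does not validate the certificate. The sample inputs at the end are constructed byte strings with just enough structure for the checks, not real certificates.

```python
"""Pre-check a certificate file before adding it on the Certificates page.
Added example, not TSSC/IMC code: accepts the Base64/PEM and DER X.509 files the page
lists, rejects PKCS#7 bundles and CRLs, and reports the signature algorithm and hash.
Standard library only; the DER walker reads the outer layout and does not validate."""
import base64
import re

# signatureAlgorithm OIDs -> (signature algorithm, one-way hash function)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("RSA", "MD5"), "1.2.840.113549.1.1.5": ("RSA", "SHA1"),
    "1.2.840.113549.1.1.14": ("RSA", "SHA224"), "1.2.840.113549.1.1.11": ("RSA", "SHA256"),
    "1.2.840.113549.1.1.12": ("RSA", "SHA384"), "1.2.840.113549.1.1.13": ("RSA", "SHA512"),
    "1.2.840.10040.4.3": ("DSA", "SHA1"), "2.16.840.1.101.3.4.3.2": ("DSA", "SHA256"),
    "1.2.840.10045.4.1": ("ECDSA", "SHA1"), "1.2.840.10045.4.3.2": ("ECDSA", "SHA256"),
    "1.2.840.10045.4.3.3": ("ECDSA", "SHA384"), "1.2.840.10045.4.3.4": ("ECDSA", "SHA512"),
}
WEAK_HASHES = {"MD5", "SHA1"}   # accepted by TSSC/IMC, but no longer collision resistant


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid(value):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def to_der(data):
    """Accept Base64/PEM (.cer/.pem/.crt) or DER (.cer/.der/.crt) bytes and return DER."""
    if data.startswith(b"\x30"):            # DER: the outer SEQUENCE tag comes first
        return data
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    if not m:                               # PEM labelled PKCS7, X509 CRL, etc. ends up here
        raise ValueError("no CERTIFICATE block (PKCS#7 and CRL files are not supported)")
    return base64.b64decode(b"".join(m.group(1).split()))


def classify(der):
    """'certificate', 'crl' or 'pkcs7', decided from the outer DER layout alone."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, first, _ = _tlv(body, 0)
    if tag == 0x06:                         # ContentInfo { contentType OID, ... }: PKCS#7/CMS
        return "pkcs7"
    if tag != 0x30:
        raise ValueError("unexpected element tag 0x%02x" % tag)
    t0, _, pos = _tlv(first, 0)
    if t0 == 0xA0:                          # [0] EXPLICIT version exists only in tbsCertificate
        return "certificate"
    if t0 == 0x30:                          # version-less tbsCertList starts with AlgorithmIdentifier
        return "crl"
    for _ in range(2):                      # INTEGER first: skip AlgorithmIdentifier and issuer Name
        _, _, pos = _tlv(first, pos)
    t3, _, _ = _tlv(first, pos)             # cert: Validity SEQUENCE; CRL: thisUpdate Time
    return "certificate" if t3 == 0x30 else "crl"


def signature_algorithm(data):
    """(signature algorithm, hash, is_weak) for one PEM or DER X.509 certificate file."""
    der = to_der(data)
    kind = classify(der)
    if kind != "certificate":
        raise ValueError("%s file is not supported; add a single X.509 certificate" % kind)
    _, body, _ = _tlv(der, 0)
    _, _, pos = _tlv(body, 0)               # skip tbsCertificate
    _, alg_id, _ = _tlv(body, pos)          # signatureAlgorithm AlgorithmIdentifier
    _, oid_bytes, _ = _tlv(alg_id, 0)
    oid = _oid(oid_bytes)
    if oid not in SIGNATURE_OIDS:
        raise ValueError("signatureAlgorithm OID %s is not in the supported list" % oid)
    sig, digest = SIGNATURE_OIDS[oid]
    return sig, digest, digest in WEAK_HASHES


# Constructed samples (not real certificates): only the ASN.1 layout the checks look at is filled in.
SAMPLE_CERT_DER = bytes.fromhex(
    "301a" "3005a003020102"                 # Certificate { tbsCertificate { [0] version 2 } ...
    "300d06092a864886f70d01010b0500"        #   signatureAlgorithm: sha256WithRSAEncryption
    "030200ff")                             #   signatureValue BIT STRING
SAMPLE_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT_DER)
                   + b"-----END CERTIFICATE-----\n")
SAMPLE_PKCS7_DER = bytes.fromhex("300b06092a864886f70d010702")   # ContentInfo { signedData OID }
SAMPLE_CRL_DER = bytes.fromhex(
    "3026" "3011300d06092a864886f70d0101050500" "3000"  # CertificateList { tbsCertList { sigAlg, issuer }
    "300d06092a864886f70d0101050500" "030200ff")        #   sha1WithRSAEncryption, signature
```

To check a real file, call signature_algorithm(open(path, "rb").read()): a ValueError names the reason the file would be rejected (PKCS#7 bundle, CRL, no CERTIFICATE block, unknown algorithm), and a third value of True means the certificate is signed with MD5 or SHA1 and should be reissued.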
Procedure
Creating a Storage Authentication Service (SAS) policy or Direct LDAP policy:
- Click New Policy in the Policy Configuration panel to enable the configuration fields.
- Select the policy type SAS or Direct LDAP.
- Enter values for the following required fields:
Server Authentication (SAS policies)
Values in the following fields are required if WebSphere® Application Server security is enabled on the WebSphere Application Server that hosts the Authentication Service.
User ID
The user name used with HTTP basic authentication for authenticating to the Storage Authentication Service. This field supports a maximum length of 254 Unicode characters.
Password
The password used with HTTP basic authentication for authenticating to the Storage Authentication Service. This field supports a maximum length of 254 Unicode characters.
Direct LDAP
Values in the following fields are required.
User Distinguished Name
The user distinguished name used to authenticate to the LDAP authentication service. This field supports a maximum length of 254 Unicode characters. For example:
CN=Administrator,CN=users,DC=mycompany,DC=com
If you selected Direct LDAP in step 2, also enter values for the following LDAP attributes:
Base Distinguished Name
The LDAP base distinguished name (Base DN) identifies the subtree that contains the users and groups to be searched. This field is required and is blank by default. The value in this field is composed of 1 to 254 Unicode characters.
Example: DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
Bind Distinguished Name (Optional)
The LDAP bind distinguished name (Bind DN) is the directory object that the TSSC binds as in order to search the directory. Most LDAP servers do not allow anonymous binds, so a Bind DN and its password must be specified when simple authentication is used. Use a dedicated account with read-only access for this purpose rather than an administrator account. The value in this field is composed of 1 to 254 Unicode characters.
Example: CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
Bind Password (Optional)
The password for the Bind DN. It must be specified when simple authentication is used with a Bind DN.
Username Attribute
The attribute name that is used for the username during authentication. This field is required and contains the value uid by default. The value in this field is composed of one to 61 Unicode characters.
Example: For the following Microsoft Active Directory entry, "cn" or "sAMAccountName" can be specified as the username attribute. (Use -W to be prompted for the bind password instead of -w, which leaves the password visible in the process list and shell history.)
$ ldapsearch -x -H ldaps://beat.gdl.mex.ibm.com:636 -w "*********" \
    -D "CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com" \
    -b "DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com" "(&(objectClass=person)(cn=FVT3))"
....
dn: CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....
objectClass: person
....
objectClass: user
cn: FVT3
....
distinguishedName: CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....
sAMAccountName: FVT3
.....
Group Member Attribute
The attribute name that is used to identify group members. The group members in this attribute must be provided as user distinguished names (for example, CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com). This field is optional and contains the value member by default. This field can contain up to 61 Unicode characters.
Example: For the following Microsoft Active Directory entry, "member" can be specified as the group member attribute.
$ ldapsearch -x -H ldaps://beat.gdl.mex.ibm.com:636 -w "*********" \
    -D "CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com" \
    -b "DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com" "(&(objectClass=group)(cn=TS4500_NEW))"
....
dn: CN=TS4500_NEW,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....
objectClass: group
cn: TS4500_NEW
member: CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
member: CN=RVT2,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....
Group Name Attribute
The attribute name that is used to identify the group during authorization. This field is optional and contains the value cn by default. This field can contain up to 61 Unicode characters.
Example: For the following Microsoft Active Directory entry, "cn" or "sAMAccountName" can be specified as the group name attribute.
$ ldapsearch -x -H ldaps://beat.gdl.mex.ibm.com:636 -w "*********" \
    -D "CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com" \
    -b "DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com" "(&(objectClass=group)(cn=TS4500_NEW))"
....
dn: CN=TS4500_NEW,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....
objectClass: group
cn: TS4500_NEW
member: CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
member: CN=RVT2,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....
distinguishedName: CN=TS4500_NEW,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....
sAMAccountName: TS4500_NEW
....
Username filter
An LDAP filter used to locate and validate the entered username. This field is optional and contains the value (cn=*) by default. This field can contain up to 254 Unicode characters.
Example: Refer to the attribute values of each user entry.
"(cn=*)", "(cn={0})", "(objectClass=user)" or "(objectClass=person)" can be specified as the filter; {0} stands for the entered username.
$ ldapsearch -x -H ldaps://beat.gdl.mex.ibm.com:636 -w "*********" \
    -D "CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com" \
    -b "DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com" "(&(objectClass=person)(cn=FVT3))"
....
dn: CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....
objectClass: person
....
objectClass: user
cn: FVT3
....
distinguishedName: CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....
sAMAccountName: FVT3
.....
Group Name filter
An LDAP filter used to locate and validate the entered group name. This field is optional and contains the value (cn=*) by default. This field can contain up to 254 Unicode characters.
Example: Refer to the attribute values of each group entry.
"(cn=*)" or "(objectClass=group)" can be specified as the filter.
$ ldapsearch -x -H ldaps://beat.gdl.mex.ibm.com:636 -w "*********" \
    -D "CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com" \
    -b "DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com" "(&(objectClass=group)(cn=TS4500_NEW))"
....
dn: CN=TS4500_NEW,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
objectClass: group
cn: TS4500_NEW
member: CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....
member: CN=FVT2,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....
member: CN=FVT,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
distinguishedName: CN=TS4500_NEW,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
....
sAMAccountName: TS4500_NEW
....
- Click Save Changes to save the policy.
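The following script is an added example, not TSSC/IMC code, that dry-runs a Direct LDAP policy against the output of the ldapsearch commands shown above before you save and test the policy on the console. It parses the LDIF, then resolves a username to its DN with the Username Attribute and Username filter, and lists the groups whose Group Member Attribute contains that DN, named by the Group Name Attribute. How the console combines the filter with the username is an assumption made here: {0} in the filter is replaced by the RFC 4515-escaped username, and a filter without {0} is ANDed with (<Username Attribute>=<escaped username>). The sample LDIF is constructed from the page's ldapsearch output, with the elided attribute lines omitted.

```python
"""Dry-run a Direct LDAP policy against an ldapsearch dump (added example, not TSSC/IMC code).
Assumption about how the TSSC applies the fields: {0} in a filter is replaced by the escaped
username, and a filter without {0} is ANDed with (<Username Attribute>=<escaped username>)."""
import base64
import re


def parse_ldif(text):
    """ldapsearch output -> list of {attribute: [values]}; names lower-cased, '::' values decoded."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # base64 value, e.g. a DN with non-ASCII characters
            value = base64.b64decode(value[1:]).decode("utf-8", "replace")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def ldap_escape(value):
    """RFC 4515 escaping of user input so it cannot rewrite the filter (LDAP injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def _parse(f, i=0):
    """Parse the filter subset used on this page: (attr=value), '*' wildcards, &, |, !."""
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (i, f))
    i += 1
    if f[i] in "&|!":
        op, subs, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = _parse(f, i)
            subs.append(node)
        return (op, subs), i + 1            # step over the closing ')'
    j = f.index(")", i)
    attr, _, pattern = f[i:j].partition("=")
    return ("=", attr.strip().lower(), pattern), j + 1


def _match(node, entry):
    op = node[0]
    if op == "&":
        return all(_match(n, entry) for n in node[1])
    if op == "|":
        return any(_match(n, entry) for n in node[1])
    if op == "!":
        return not _match(node[1][0], entry)
    values = entry.get(node[1], [])
    if node[2] == "*":                      # presence test such as (cn=*)
        return bool(values)
    unescape = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    regex = "^" + ".*".join(re.escape(unescape(p)) for p in node[2].split("*")) + "$"
    return any(re.match(regex, v, re.I) for v in values)   # AD matches cn etc. case-insensitively


def search(entries, base_dn, filt):
    """Entries under base_dn (subtree scope) that satisfy the filter."""
    node, _ = _parse(filt)
    return [e for e in entries
            if e.get("dn", [""])[0].lower().endswith(base_dn.lower()) and _match(node, e)]


def resolve_user(entries, policy, username):
    """DN of the user, or None. Exactly one entry must match; 0 or several is a failed login."""
    safe = ldap_escape(username)
    filt = policy["username_filter"]
    if "{0}" in filt:
        filt = filt.replace("{0}", safe)
    else:
        filt = "(&%s(%s=%s))" % (filt, policy["username_attribute"], safe)
    hits = search(entries, policy["base_dn"], filt)
    return hits[0]["dn"][0] if len(hits) == 1 else None


def resolve_groups(entries, policy, user_dn):
    """Group names whose Group Member Attribute lists user_dn (DNs compared case-insensitively)."""
    names = []
    for group in search(entries, policy["base_dn"], policy["group_name_filter"]):
        members = [m.lower() for m in group.get(policy["group_member_attribute"].lower(), [])]
        if user_dn.lower() in members:
            names += group.get(policy["group_name_attribute"].lower(), [])
    return names


POLICY = {  # the Direct LDAP fields from this page, with the defaults changed for Active Directory
    "base_dn": "DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com",
    "username_attribute": "sAMAccountName", "username_filter": "(objectClass=person)",
    "group_member_attribute": "member", "group_name_attribute": "cn",
    "group_name_filter": "(objectClass=group)",
}
SAMPLE_LDIF = """\
dn: CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
objectClass: person
objectClass: user
cn: FVT3
sAMAccountName: FVT3

dn: CN=RVT2,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
objectClass: person
objectClass: user
cn: RVT2
sAMAccountName: RVT2

dn: CN=TS4500_NEW,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
objectClass: group
cn: TS4500_NEW
member: CN=FVT3,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
member: CN=RVT2,CN=Users,DC=beat,DC=gdl,DC=mex,DC=ibm,DC=com
"""  # constructed from the page's ldapsearch output; attribute lines elided there are omitted here
```

To use it against your own directory, redirect the output of the ldapsearch commands above into a file, pass its contents to parse_ldif, and call resolve_user and resolve_groups with the policy values you intend to save. A username that resolves to zero or more than one entry, or that matches only because it contains "*" or parentheses, points at a filter or attribute that is too loose; ldap_escape keeps such input from changing the meaning of the filter.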
Edit Policy
- In the Authentication Policies Panel, select the policy to be edited.
- Click Edit Policy, the fields will be enabled in the Policy Configuration panel.
- Make the changes.
- Click Save Changes.
- - If the URL changed, the SSL certificate must be retrieved again (see Certificates below).
- - If the policy name changed, a new policy is created.
- - You must re-enter the Authentication Password to save any changes to a SAS policy.
- - Every time a policy is edited, it must be tested again before it can be assigned as the active policy.
Test Policy
Use this function to test a policy that has already been saved and to verify that its configuration is correct.
- Enter a valid user ID and password.
- Click Test.
- - This function is only available for policies that have already been saved.
- - Test a policy before assigning it, to guarantee a correct login.
Assign Policy
- In the Authentication Policies Panel select the policy.
- Test the policy in the panel at the bottom right to make sure that it is correctly configured.
- Click Assign Policy in the Authentication Policies panel.
- - If the policy has not been tested, you cannot assign it.
- - Only one policy can be active at a time.
Delete Policy
- In the Authentication Policies Panel select the policy to delete.
- Click Delete Policy.
System Storage Productivity Center and Spectrum Control
You can use the System Storage Productivity Center (SSPC), a server that runs the Spectrum Control software, as an LDAP proxy to enforce access controls on the TSSC.
Native LDAP
You can use a Microsoft Active Directory (MSAD) Lightweight Directory Access Protocol (LDAP) server directly to centrally manage access controls on the TSSC.
Certificates
Use this page to display, add, and delete SSL Certificates.
If any SSL certificates have been retrieved, they are displayed in the SSL Certificates area on the Certificates page.
Add SSL Certificate
- Enter an alias for the certificate.
- Type the URL.
- Type the port.
- Click Retrieve Certificate.
- - Retrieve Certificate trusts whatever certificate the endpoint presents at that moment. Before you use the certificate in a policy, compare its subject, issuer and fingerprint with the values published by the administrator of the LDAP or SAS server.
Delete SSL Certificate
- Select an SSL Certificate.
- Click Delete Selected Entry.