Manage Security Settings

About this task

Use the Security Settings page to create, modify, delete, and assign authentication policies. There are two types of authentication policy: Storage Authentication Service (SAS), which uses System Storage™ Productivity Center, and native (direct) LDAP, which uses an LDAP server such as Microsoft Active Directory (MSAD) or OpenLDAP.

Notes:
  • Only the customer user and users with the administration role can modify Security Settings, Roles Management, and SSL Certificates.

Use this information to update Security settings.

  1. Log in as the customer user or as a user with the administration role; only these users can access these settings.
  2. From the System Console GUI, select Console Settings > Security Settings. The page that is shown in Figure 1 opens.
    Figure 1. Security Settings

Policy Name

The name of the policy that defines the authentication settings. The policy name is a unique value that is composed of one to 50 Unicode characters. Blank spaces and special characters are not allowed.

Primary Server URL

The primary URL of the authentication server (the Storage Authentication Service or the LDAP server). The value in this field is composed of one to 254 Unicode characters and takes one of the following formats:

     https://<server_address>:secure_port/TokenService/services/Trust
     ldaps://<server_address>:secure_port
     ldap://<server_address>:port
Note: If the server address in this value is a DNS host name rather than an IP address, you must activate and configure a DNS server on the Console Settings > IP Settings page so that the console can resolve it.

Enter values for any of the optional fields you want to define:

Alternate Server URL

The alternate URL of the authentication server, used if the primary URL cannot be reached. The value in this field is composed of one to 254 Unicode characters and takes one of the following formats:

     https://<server_address>:secure_port/TokenService/services/Trust
     ldaps://<server_address>:secure_port
     ldap://<server_address>:port

Notes:

The server address in the Primary or Alternate Server URL can be an IP address or a DNS name. Valid IP formats are:

IPv4

An IPv4 address is 32 bits long and consists of four decimal numbers, each in the range 0 - 255, separated by periods, for example:

     98.104.120.12

IPv6

An IPv6 address is a 128-bit hexadecimal value, enclosed in brackets and separated into eight 16-bit fields by colons, for example:

      [3afa:1910:2535:3:110:e8ef:ef41:91cf]

Leading zeros can be omitted in each field, so :0003: can be written as :3:. A double colon (::) can be used once per address to replace one or more consecutive fields of zeros. For example,


     [3afa:0:0:0:200:2535:e8ef:91cf]
     can be written as:
     [3afa::200:2535:e8ef:91cf]

If the Primary or Alternate Server URL uses the https protocol, a certificate for that address must be defined on the SSL Certificates page or retrieved with the Retrieve Certificate function (step 5 below).
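The URL formats and address rules above are easy to get slightly wrong (a missing port, an IPv6 address without brackets, the wrong SAS path), and the console only tells you at test time. The following validator is an added example, not code from the TSSC or IBM: it checks a URL against the three formats, classifies the server address as IPv4, bracketed IPv6, or DNS name, and reports the two follow-up requirements the page states (a DNS name needs a DNS server on the IP Settings page; an https URL needs a certificate on the SSL Certificates page). The cleartext flag for ldap:// is a caveat added here: without TLS the bind password and every user password cross the network unencrypted. The sample URLs in the usage block are constructed.

```python
"""Validate TSSC Primary/Alternate Server URLs (added example, not IBM code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

SAS_PATH = "/TokenService/services/Trust"   # required path for the https (SAS) format
MAX_URL_LEN = 254                           # field limit from the Security Settings page
_DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass(frozen=True)
class ServerUrl:
    scheme: str
    host: str                 # normalized: compressed IPv6, lowercased DNS name
    host_kind: str            # "ipv4", "ipv6" or "dns"
    port: int
    needs_dns_server: bool    # DNS name: configure DNS on Console Settings > IP Settings
    needs_certificate: bool   # https: certificate required on the SSL Certificates page
    cleartext: bool           # ldap://: binds and user passwords are sent unencrypted


def _classify_host(host: str) -> Tuple[str, str]:
    """Return (kind, normalized host) or raise ValueError."""
    try:
        addr = ipaddress.ip_address(host)
        return "ipv%d" % addr.version, str(addr)   # str() compresses IPv6 zero runs
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    if (len(host) <= 253 and all(_DNS_LABEL.match(lbl) for lbl in labels)
            and not labels[-1].isdigit()):
        return "dns", host.lower()
    raise ValueError("server address is not an IP address or DNS name: %r" % host)


def validate_server_url(url: str) -> ServerUrl:
    """Raise ValueError for anything outside the formats the page lists."""
    if not 1 <= len(url) <= MAX_URL_LEN:
        raise ValueError("URL must be 1 to %d characters" % MAX_URL_LEN)
    try:
        parts = urlsplit(url)
        port: Optional[int] = parts.port        # ValueError if not an integer / out of range
    except ValueError as exc:
        raise ValueError("malformed URL or port: %s" % exc) from exc
    if parts.scheme not in ("https", "ldaps", "ldap"):
        raise ValueError("scheme must be https, ldaps or ldap, not %r" % parts.scheme)
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ValueError("credentials, query strings and fragments are not allowed")
    if parts.scheme == "https" and parts.path != SAS_PATH:
        raise ValueError("https (SAS) URL must use the path %s" % SAS_PATH)
    if parts.scheme != "https" and parts.path not in ("", "/"):
        raise ValueError("ldap/ldaps URL must not carry a path")
    if port is None:
        raise ValueError("a port is required in every format")
    if not parts.hostname:
        raise ValueError("server address is missing")
    kind, host = _classify_host(parts.hostname)
    if kind == "ipv6" and not parts.netloc.startswith("["):
        raise ValueError("an IPv6 address must be enclosed in brackets")
    return ServerUrl(
        scheme=parts.scheme, host=host, host_kind=kind, port=port,
        needs_dns_server=(kind == "dns"),
        needs_certificate=(parts.scheme == "https"),
        cleartext=(parts.scheme == "ldap"),
    )


def is_valid_server_url(url: str) -> bool:
    try:
        validate_server_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, including the page's own example addresses.
    for sample in ("https://98.104.120.12:9443/TokenService/services/Trust",
                   "ldaps://[3afa:0:0:0:200:2535:e8ef:91cf]:636",
                   "ldap://ad.mycompany.com:389",
                   "ldaps://3afa::1:636"):
        try:
            print(sample, "->", validate_server_url(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

Run it with no arguments to see the constructed samples classified; the last one is rejected because the IPv6 address is not bracketed, which is the mistake the page's examples are guarding against.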

Policy Scope

Select the scope of the policy as follows:

  • Remote: The authentication policy applies only to remote access
  • Local: The authentication policy applies only to local access (login directly at the system console)
  • Both: The authentication policy applies to both local and remote access
Figure 2. Policy Scope

System Storage Productivity Center and Tivoli Storage Productivity Center

You can use the System Storage Productivity Center (SSPC), a server operating with the Tivoli® Storage Productivity Center (TPC) software, as an LDAP proxy to enforce Access Controls on the TSSC.

Native LDAP

You can use a Lightweight Directory Access Protocol (LDAP) server, such as Microsoft Active Directory (MSAD) or OpenLDAP, directly to centrally manage access controls on the TSSC.

Creating a Storage Authentication Service (SAS) policy or a Direct LDAP policy:

Note: Using SAS is discouraged because the TPC/SSPC software it requires has long been out of support.
  1. Click New Policy in the Policy Configuration panel to enable the configuration fields.
  2. Select the policy type, SAS or Direct LDAP.
  3. Enter values for the required fields of the selected policy type:

Server Authentication

Values in the following fields are required if WebSphere® Application Server security is enabled on the server that hosts the Authentication Service.

User ID

The user name that is used with HTTP basic authentication for authenticating to the Storage Authentication Service. This field supports a maximum length of 254 Unicode characters.

Password

The password that is used with HTTP basic authentication for authenticating to the Storage Authentication Service. This field supports a maximum length of 254 Unicode characters.

Figure 3. Creating Storage Authentication Policy

Direct LDAP

Values in the following fields are required.

User Distinguished Name

The distinguished name (DN) of the user account that is used to authenticate to the LDAP server. This field supports a maximum length of 254 Unicode characters. For example,


     CN=Administrator,CN=users,DC=mycompany,DC=com

If you selected Direct LDAP in step 2, enter values for the LDAP attributes:

Base Distinguished Name

The LDAP distinguished name (DN) that identifies the subtree (set of entries) in the realm that is searched for users and groups. This field is required but blank by default. The value in this field is composed of one to 254 Unicode characters.

Bind Distinguished Name (optional)

The Bind Distinguished Name consists of the user name and the location of that user in the LDAP directory tree. The value in this field is composed of one to 254 Unicode characters. Because this DN and its password are stored on the console, use a dedicated read-only service account rather than a directory administrator account.

Bind Password (optional)

The password that is used to bind to the LDAP server with simple authentication. The value in this field is composed of one to 254 Unicode characters. A simple bind sends the password as-is, so use an ldaps:// server URL so that the bind is protected by TLS.

Username Attribute

The attribute name that is used for the user name during authentication. This field is required and contains the value uid by default. The value in this field is composed of one to 61 Unicode characters. For Microsoft Active Directory the login attribute is usually sAMAccountName rather than uid.

Group Member Attribute

The attribute name that is used to identify group members. This field is optional and contains the value member by default. This field can contain up to 61 Unicode characters.

Group Name Attribute

The attribute name that is used to identify the group during authorization. This field is optional and contains the value cn by default. This field can contain up to 61 Unicode characters.

Username filter

Used to filter and verify the validity of an entered user name. This field is optional and contains the value (cn=*) by default. This field can contain up to 254 Unicode characters.

Group Name filter

Used to filter and verify the validity of an entered group name. This field is optional and contains the value (cn=*) by default. This field can contain up to 254 Unicode characters.

Figure 4. Creating LDAP Policy
Note: These fields depend on the customer's individual network configuration. Consult with the customer to collect the necessary values.

  4. Click Save Changes to save the policy.
  5. To retrieve the server certificate, click Retrieve Certificate. To confirm that the retrieval succeeded, select the SSL Certificates tab at the top of the page.
    Note: The Retrieve Certificate option retrieves the certificates of both the primary and the alternate server.
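To see how the Direct LDAP fields fit together at login time, and why the value a user types must never be pasted into an LDAP filter unescaped, here is an added example that is not code from the TSSC or IBM. The policy dictionary uses the field names and defaults from the page; the directory content is constructed; and the AND-combination of the Username filter with an equality match on the username attribute is an assumption made for illustration, since the page does not describe how the console builds its search. Group membership is resolved the way the Group Member Attribute and Group Name Attribute descriptions imply: find groups whose member attribute lists the user's DN and read their cn.

```python
"""Direct LDAP policy fields at login time (added example, not IBM code)."""
from typing import Dict, List, Optional

# Field names and default values as listed on the Security Settings page.
POLICY = {
    "base_dn": "DC=mycompany,DC=com",
    "username_attribute": "uid",
    "group_member_attribute": "member",
    "group_name_attribute": "cn",
    "username_filter": "(cn=*)",
    "group_name_filter": "(cn=*)",
}

# Constructed directory content for this example: DN -> attributes.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=Alice Admin,CN=users,DC=mycompany,DC=com": {
        "cn": ["Alice Admin"], "uid": ["aadmin"]},
    "CN=Bob Ops,CN=users,DC=mycompany,DC=com": {
        "cn": ["Bob Ops"], "uid": ["bops"]},
    "CN=tssc-admins,CN=groups,DC=mycompany,DC=com": {
        "cn": ["tssc-admins"],
        "member": ["CN=Alice Admin,CN=users,DC=mycompany,DC=com"]},
    "CN=tssc-operators,CN=groups,DC=mycompany,DC=com": {
        "cn": ["tssc-operators"],
        "member": ["CN=Alice Admin,CN=users,DC=mycompany,DC=com",
                   "CN=Bob Ops,CN=users,DC=mycompany,DC=com"]},
}

# RFC 4515: these characters must be hex-escaped inside a filter value,
# otherwise a login name such as "*)(uid=*" rewrites the filter itself.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(policy: dict, username: str) -> str:
    """Filter for the typed login name: the policy's Username filter ANDed with
    an equality match on the Username Attribute (AND combination is assumed)."""
    return "(&%s(%s=%s))" % (policy["username_filter"],
                             policy["username_attribute"],
                             escape_filter_value(username))


def find_user_dn(policy: dict, username: str) -> Optional[str]:
    """Simulate the user search under Base DN: exactly one entry whose username
    attribute equals the login name. Ambiguous results are rejected because
    two entries could otherwise be authenticated against each other's password."""
    attr = policy["username_attribute"]
    hits = [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(policy["base_dn"]) and username in attrs.get(attr, [])]
    return hits[0] if len(hits) == 1 else None


def groups_of(policy: dict, user_dn: str) -> List[str]:
    """Names (Group Name Attribute) of groups whose Group Member Attribute lists the DN."""
    member_attr = policy["group_member_attribute"]
    name_attr = policy["group_name_attribute"]
    return sorted(attrs[name_attr][0] for attrs in DIRECTORY.values()
                  if user_dn in attrs.get(member_attr, []))


if __name__ == "__main__":
    for login in ("aadmin", "bops", "*)(uid=*"):
        print(login, "->", user_search_filter(POLICY, login))
        dn = find_user_dn(POLICY, login)
        print("   entry:", dn, "groups:", groups_of(POLICY, dn) if dn else [])
```

The same filter string can be submitted with ldapsearch against the real server when a policy test fails, for example `ldapsearch -H ldaps://<server_address>:636 -D "<Bind DN>" -W -b "<Base DN>" "(&(cn=*)(uid=aadmin))"`, which separates a wrong Base DN or Username Attribute from a wrong bind credential.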

Edit Policy

  1. In the Authentication Policies panel (Figure 5), select the policy to be edited.
  2. Click Edit Policy, the fields are enabled in the Policy Configuration panel.
  3. Make the changes.
  4. Click Save Changes.
Figure 5. Policies Panel
Notes:
  • If the URL changed, you must retrieve the certificate again.
  • If the policy name changed, a new policy is created.
  • You must re-enter the Authentication Password to save any change to a SAS policy.
  • Every time a policy is edited, it must be retested before it can be assigned as the active policy.

Test Policy

Use this section to test a policy that is already saved and verify that its configuration is correct.

  1. Enter a valid user and password.
  2. Click Test.
Figure 6. Test Policy
Notes:
  • This function is only available on policies already saved.
  • Before you assign a policy, test it to make sure that users can log in with it.

Assign Policy

  1. In the Authentication Policies panel (Figure 5), select the policy.
  2. Test the policy to make sure that it is correctly configured.
  3. Click Assign Policy in the Authentication Policies panel.
Notes:
  • If the Policy is not tested, you cannot assign the policy.
  • Only one policy can be active at a time.

Delete Policy

  1. In the Authentication Policies panel (Figure 5), select the policy to delete.
  2. Click Delete Policy.
Note: When LDAP authentication is enabled, both remote and local access are controlled by the LDAP server. Service access requires the user to authenticate through the normal service login and then authenticate again by using the IBM service representative Direct LDAP Policy.

SSL/TLS Level

  1. The TLS Level setting lets you select the TLS version that the console accepts.
    Note: Currently, only TLSv1.2 is available.
  2. To disable the cipher suites that use SHA-1, select the Disable SHA1 check box and click Apply.
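After you apply the TLS Level and Disable SHA1 settings, the practical check is made from a client: offer the console only what the setting is supposed to refuse and see whether it accepts. The following is an added example, not code from the TSSC or IBM. tls12_context() is a client context that mirrors the two settings (TLS 1.2 minimum, no SHA-1 HMAC cipher suites), sha1_suites() lists which suites a context still offers, and probe_sha1_acceptance() performs a live handshake that offers nothing but TLS 1.2 SHA-1 HMAC suites and reports whether the server took one. The caveat: a bare SHA at the end of a TLS 1.2 suite name (for example ECDHE-RSA-AES256-SHA) denotes HMAC-SHA1, so this probe says nothing about SHA-1 signatures on certificates, which the page does not cover. The host and port in the usage block are placeholders, and the probe skips certificate verification only when no CA file is given, because verification is not what it tests.

```python
"""Client-side checks for the SSL/TLS Level settings (added example, not IBM code)."""
import socket
import ssl
import sys
from typing import List, Optional


def uses_sha1_mac(suite_name: str) -> bool:
    """OpenSSL names HMAC-SHA1 suites with a bare '-SHA' suffix; SHA256/SHA384
    and AEAD suites (…-GCM-SHA384, TLS_AES_…, …-POLY1305) do not use SHA-1."""
    return suite_name.endswith("-SHA")


def sha1_suites(ctx: ssl.SSLContext) -> List[str]:
    """Names of the SHA-1 HMAC suites a context would still offer."""
    return [c["name"] for c in ctx.get_ciphers() if uses_sha1_mac(c["name"])]


def tls12_context(disable_sha1: bool) -> ssl.SSLContext:
    """Client mirror of the page's two settings: TLS 1.2 minimum and, with
    disable_sha1, the OpenSSL '!SHA1' exclusion of SHA-1 HMAC suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    cipher_list = "HIGH:!aNULL:!MD5:!RC4"
    if disable_sha1:
        cipher_list += ":!SHA1"
    ctx.set_ciphers(cipher_list)
    return ctx


def probe_sha1_acceptance(host: str, port: int = 443,
                          cafile: Optional[str] = None) -> Optional[str]:
    """Offer the server only TLS 1.2 SHA-1 HMAC suites. Returns the negotiated
    suite name if the server accepted one (Disable SHA1 is not in effect) or
    None if the handshake was refused. Needs a reachable host; not run offline."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.3 defines no SHA-1 suites
    ctx.set_ciphers("SHA1:!aNULL:!MD5:!RC4")        # SHA-1 HMAC suites only
    if cafile is None:                              # the probe tests suites, not trust
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, ConnectionError):
        return None


if __name__ == "__main__":
    # Placeholder target: python3 this.py <console_address> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "console.example.invalid"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print("hardened client still offers SHA-1 suites:", sha1_suites(tls12_context(True)))
    print("weak client offers SHA-1 suites:", sha1_suites(tls12_context(False)))
    accepted = probe_sha1_acceptance(target, target_port)
    print("server accepted SHA-1 suite:", accepted or "none (Disable SHA1 effective)")
```

A refused handshake from probe_sha1_acceptance() combined with a successful connection from tls12_context(True) is the expected outcome once Disable SHA1 is applied and the application server has been restarted.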

Restart Application Server

Note: After you retrieve, upload, or delete a certificate file, you must restart the application server for the change to take effect.

To restart the application server, click Restart Application Server.