Manage Security Settings
About this task
Use the Security Settings page to create, modify, delete, and assign authentication policies. There are two types of authentication policies: System Storage™ Productivity Center (SSPC), or native LDAP that uses an LDAP server such as Microsoft Active Directory (MSAD) or OpenLDAP.
- Only the customer user and users with the administration role have access to modify Security Settings, Roles Management, and SSL Certificates.
Use this information to update Security settings.
- Log in as the customer user or as a user with the administration role to have access to these settings.
- From the System Console GUI, open the Security Settings page. You see the screen that is shown in Figure 1.
Policy Name
The name of the policy that defines the authentication settings. The policy name is a unique value that is composed of one to 50 Unicode characters. Blank spaces and special characters are not allowed.
Primary Server URL
The primary URL for the Storage Authentication Service. The value in this field is composed of one to 254 Unicode characters and takes one of the following formats:
https://<server_address>:secure_port/TokenService/services/Trust
ldaps://<server_address>:secure_port
ldap://<server_address>:port
Enter values for any of the optional fields you want to define:
Alternate Server URL
The alternate URL for the Storage Authentication Service if the primary URL cannot be accessed. The value in this field is composed of one to 254 Unicode characters and takes one of the following formats:
https://<server_address>:secure_port/TokenService/services/Trust
ldaps://<server_address>:secure_port
ldap://<server_address>:port
Notes:
The server address value in the Primary or Alternate Server URL can be an IP or DNS address. Valid IP formats include:
IPv4
An IPv4 address is 32 bits long and consists of four decimal numbers, each in the range 0 - 255, separated by periods, for example:
98.104.120.12
IPv6
An IPv6 address is a 128-bit hexadecimal value, enclosed in brackets and separated into 16-bit fields by colons, for example:
[3afa:1910:2535:3:110:e8ef:ef41:91cf]
Leading zeros can be omitted in each field so that :0003: can be written as :3:. A double colon (::) can be used once per address to replace multiple fields of zeros. For example,
[3afa:0:0:0:200:2535:e8ef:91cf]
can be written as:
[3afa::200:2535:e8ef:91cf]
If the Primary or Alternate Server URL uses the https protocol, a certificate for that address must be defined on the SSL Certificates page or retrieved by using Retrieve Certificates.
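The following validator is an added example, not the product's own code: it checks a Policy Name and a Primary or Alternate Server URL against the rules given above (name length and character rules, the three URL formats, an explicit port, and a dotted IPv4, bracketed IPv6 or DNS server address). Treating IPv4-looking names that are not valid addresses as DNS names is an assumption.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed validator for the Policy Name and Server URL fields; not TSSC code.
POLICY_NAME_MAX = 50              # Policy Name: one to 50 characters
URL_MAX = 254                     # Server URL: one to 254 characters
SAS_PATH = "/TokenService/services/Trust"
DNS_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
DNS_NAME = re.compile(rf"{DNS_LABEL}(\.{DNS_LABEL})*")

def valid_policy_name(name: str) -> bool:
    """1-50 Unicode characters; blanks and special characters are not allowed."""
    return 1 <= len(name) <= POLICY_NAME_MAX and all(c.isalnum() for c in name)

def valid_server_address(host: str) -> bool:
    """Dotted IPv4, bracketed IPv6 (with optional '::' compression) or a DNS name."""
    if host.startswith("[") and host.endswith("]"):
        try:
            ipaddress.IPv6Address(host[1:-1])   # e.g. [3afa::200:2535:e8ef:91cf]
            return True
        except ValueError:
            return False
    try:
        ipaddress.IPv4Address(host)             # e.g. 98.104.120.12
        return True
    except ValueError:                          # assumption: anything else is a DNS name
        return DNS_NAME.fullmatch(host) is not None

def valid_server_url(url: str) -> bool:
    """Accept only the three URL formats listed for the Server URL fields."""
    if not 1 <= len(url) <= URL_MAX:
        return False
    try:
        parts = urlsplit(url)
    except ValueError:                          # e.g. unbalanced IPv6 brackets
        return False
    # Every format carries an explicit port; because IPv6 hosts must be
    # bracketed, the last ':' in the netloc is always the host/port separator.
    host, sep, port = parts.netloc.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        return False
    if not valid_server_address(host) or parts.query or parts.fragment:
        return False
    if parts.scheme == "https":                 # SAS token service endpoint
        return parts.path == SAS_PATH
    return parts.scheme in ("ldap", "ldaps") and parts.path == ""
```

Run the checks before saving a policy so that a malformed URL is rejected here rather than discovered only when Test Policy fails.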
Policy Scope
Select the scope of the policy as follows:
- Remote: The authentication policy applies only to remote access.
- Local: The authentication policy applies only to local access (login directly on the system console).
- Both: The authentication policy applies to both local and remote accounts.
System Storage Productivity Center and Tivoli Storage Productivity Center
You can use the System Storage Productivity Center (SSPC), a server operating with the Tivoli® Storage Productivity Center (TPC) software, as an LDAP proxy to enforce Access Controls on the TSSC.
Native LDAP
You can use a Microsoft Active Directory (MSAD) Lightweight Directory Access Protocol (LDAP) server directly to centrally manage access controls on the TSSC.
Creating a Storage Authentication Service (SAS) policy or Direct LDAP policy:
1. Click New Policy in the Policy Configuration panel to enable the configuration fields.
2. Select the policy type: SAS or Direct LDAP.
3. Enter values for the following required fields:
Server Authentication
Values in the following fields are required if WebSphere® Application Server security is enabled on the WebSphere Application Server hosting the Authentication Service.
User ID
The user name that is used with HTTP basic authentication for authenticating to the Storage Authentication Service. This field supports a maximum length of 254 Unicode characters.
Password
The password that is used with HTTP basic authentication for authenticating to the Storage Authentication Service. This field supports a maximum length of 254 Unicode characters.
Direct LDAP
Values in the following fields are required.
User Distinguished Name
The user distinguished name that is used to authenticate to the LDAP authentication service. This field supports a maximum length of 254 Unicode characters. For example,
CN=Administrator,CN=users,DC=mycompany,DC=com
If you selected Add Direct LDAP Policy in Step 2, enter values for LDAP Attributes:
Base Distinguished Name
The LDAP distinguished name (DN) that uniquely identifies a set of entries in a realm. This field is required but blank by default. The value in this field is composed of one to 254 Unicode characters.
Bind Distinguished Name (optional)
The Bind Distinguished Name is composed of the user and the location of the user in the LDAP directory tree. The value in this field is composed of one to 254 Unicode characters.
Bind Password (optional)
The Bind Password that is used to bind to the LDAP server with simple authentication. The value in this field is composed of one to 254 Unicode characters.
Username Attribute
The attribute name that is used for the username during authentication. This field is required and contains the value uid by default. The value in this field is composed of one to 61 Unicode characters.
Group Member Attribute
The attribute name that is used to identify group members. This field is optional and contains the value member by default. This field can contain up to 61 Unicode characters.
Group Name Attribute
The attribute name that is used to identify the group during authorization. This field is optional and contains the value cn by default. This field can contain up to 61 Unicode characters.
Username filter
Used to filter and verify the validity of an entered username. This field is optional and contains the value (cn=*) by default. This field can contain up to 254 Unicode characters.
Group Name filter
Used to filter and verify the validity of an entered group name. This field is optional and contains the value (cn=*) by default. This field can contain up to 254 Unicode characters.
4. Click Save Changes to save the policy.
Edit Policy
- In the Authentication Policies panel (Figure 5), select the policy to be edited.
- Click Edit Policy; the fields in the Policy Configuration panel are enabled.
- Make the changes.
- Click Save Changes.
- If the URL changed, you must retrieve another certificate.
- If the policy name changed, a new policy is created.
- You are required to reenter the Authentication Password to save any changes that are made to SAS policies.
- Every time a policy is edited, it must be retested before it can be assigned as the active policy.
Test Policy
Use this section to test policies that are already saved. With this function, you can verify that the configuration of the policy is correct.
- Enter a valid user and password.
- Click Test.
- This function is only available on policies already saved.
- Before you assign a policy, the policy should be tested to guarantee a correct login.
Assign Policy
- In the Authentication Policies panel (Figure 5), select the policy.
- Test the policy to make sure that it is correctly configured.
- Click Assign Policy in the Authentication Policies panel.
- If the policy is not tested, you cannot assign it.
- Only one policy can be active at a time.
Delete Policy
- In the Authentication Policies panel (Figure 5), select the policy to delete.
- Click Delete Policy.
SSL/TLS Level
- The TLS Level setting allows you to select the desired TLS version. Note: Currently, only TLSv1.2 is available.
- In addition, to disable the SHA1 cipher, click the check box next to Disable SHA1 and click Apply.
Restart Application Server
To restart the application server, click Restart Application Server.