Configuring protocol data security

The data security features that are associated with the protocols let you configure a secure way for clients to raise data access requests and to transfer data from the IBM Spectrum Scale™ system to the client system.

Enabling secured connection between the IBM Spectrum Scale system and authentication server

Secure the communication channel between the IBM Spectrum Scale system and the authentication server to protect the authentication server and so prevent unauthorized access to data and other system resources.

Securing AD server

To secure the AD server that is used for file access, configure it with Kerberos. To secure the AD server that is used for object access, configure it with TLS.

In the AD-based authentication for file access, Kerberos is configured by default. The following steps provide an example of how to configure TLS with AD when it is used for object access.
  1. Ensure that the CA certificate for the AD server is placed in the /var/mmfs/tmp directory with the name ldap_cacert.pem, specifically on the protocol node where the command is run. Verify that the CA certificate is available with the required name at the required location, as shown in the following example:
    # stat /tmp/ldap_cacert.pem
    File: ‘/tmp/ldap_cacert.pem’
    Size: 2130 Blocks: 8 IO Block: 4096 regular file
    Device: fd00h/64768d Inode: 103169903 Links: 1
    Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
    Context: unconfined_u:object_r:user_tmp_t:s0
    Access: 2015-01-23 12:37:34.088837381 +0530
    Modify: 2015-01-23 12:16:24.438837381 +0530
    Change: 2015-01-23 12:16:24.438837381 +0530
  2. To configure AD with TLS authentication for object access, issue the mmuserauth service create command:
    # mmuserauth service create --type ad --data-access-method object 
    --user-name "cn=Administrator,cn=Users,dc=IBM,dc=local" 
    --password "myPassword" --base-dn "dc=IBM,DC=local" 
    --enable-server-tls --ks-dns-name myKeystoneDnsName
    --ks-admin-user admin --servers myADserver 
    --user-id-attrib cn --user-name-attrib sAMAccountName 
    --user-objectclass organizationalPerson --user-dn "cn=Users,dc=IBM,dc=local" 
    --ks-swift-user swift --ks-swift-pwd myKWSwiftPassword
    Object configuration with LDAP (Active Directory) as identity 
    backend is completed successfully.
    Object Authentication configuration completed successfully.
    Note: The value that you specify for --servers must match the value in the TLS certificate. Otherwise the command fails.
  3. To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
    # mmuserauth service list
    FILE access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
    
    OBJECT access configuration: AD
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_ANONYMOUS_BIND    false
    ENABLE_SERVER_TLS        true
    ENABLE_KS_SSL            false
    USER_NAME                cn=Administrator,cn=Users,dc=IBM,dc=local
    SERVERS                  myADserver
    BASE_DN                  dc=IBM,DC=local
    USER_DN                  cn=users,dc=ibm,dc=local
    USER_OBJECTCLASS         organizationalPerson
    USER_NAME_ATTRIB         sAMAccountName
    USER_ID_ATTRIB           cn
    USER_MAIL_ATTRIB         mail
    USER_FILTER              none
    ENABLE_KS_CASIGNING      false
    KS_ADMIN_USER            admin

Securing LDAP server

To secure the LDAP server that is used for file access, configure it with TLS and Kerberos. To secure the LDAP server that is used for object access, configure it with TLS.

The following examples show how to configure LDAP with TLS and Kerberos to secure the LDAP server when it is used for file access, and with TLS when it is used for object access.
  1. To configure LDAP with TLS and Kerberos as the authentication method for file access, issue the mmuserauth service create command as shown in the following example:
    # mmuserauth service create --type ldap --data-access-method file 
    --servers es-pune-host-01 --base-dn dc=example,dc=com 
    --user-name cn=manager,dc=example,dc=com --password secret 
    --netbios-name ess --enable-server-tls --enable-kerberos 
    --kerberos-server es-pune-host-01 --kerberos-realm example.com
    The system displays the following output:
    File Authentication configuration completed successfully.
    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
    # mmuserauth service list
    The system displays the following output:
    FILE access configuration : LDAP
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_ANONYMOUS_BIND    false
    ENABLE_SERVER_TLS        true
    ENABLE_KERBEROS          true
    USER_NAME                cn=manager,dc=example,dc=com
    SERVERS                  es-pune-host-01
    NETBIOS_NAME             ess
    BASE_DN                  dc=example,dc=com
    USER_DN                  none
    GROUP_DN                 none
    NETGROUP_DN              none
    USER_OBJECTCLASS         posixAccount
    GROUP_OBJECTCLASS        posixGroup
    USER_NAME_ATTRIB         cn
    USER_ID_ATTRIB           uid
    KERBEROS_SERVER          es-pune-host-01
    KERBEROS_REALM           example.com
    
    OBJECT access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
  2. To configure LDAP with TLS as the authentication method for object access, issue the mmuserauth service create command as shown in the following example:
    # mmuserauth service create --type ldap --data-access-method object 
    --user-name "cn=manager,dc=essldapdomain" --password "Passw0rd" 
    --base-dn dc=isst,dc=aus,dc=stglabs,dc=ibm,dc=com --enable-server-tls 
    --ks-dns-name c40bbc2xn3 --ks-admin-user mamdouh --servers 192.0.2.11 
    --user-dn "ou=People,dc=essldapdomain" --ks-swift-user swift 
    --ks-swift-pwd Passw0rd
    The system displays the following output:
    Object configuration with LDAP as identity backend is completed successfully.
    Object Authentication configuration completed successfully.
    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
    # mmuserauth service list
    The system displays the following output:
    FILE access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
    
    OBJECT access configuration : LDAP
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_ANONYMOUS_BIND    false
    ENABLE_SERVER_TLS        true
    ENABLE_KS_SSL            false
    USER_NAME                cn=manager,dc=essldapdomain
    SERVERS                  192.0.2.11
    BASE_DN                  dc=isst,dc=aus,dc=stglabs,dc=ibm,dc=com
    USER_DN                  ou=people,dc=essldapdomain
    USER_OBJECTCLASS         posixAccount
    USER_NAME_ATTRIB         cn
    USER_ID_ATTRIB           uid
    USER_MAIL_ATTRIB         mail
    USER_FILTER              none
    ENABLE_KS_CASIGNING      false
    KS_ADMIN_USER            mamdouh

Securing Keystone server

The Keystone server that is used by the IBM Spectrum Scale system supports SSL. The SSL certificate provides secure communication while authentication requests are resolved. When Keystone is configured with authentication servers such as LDAP or AD, the system can be configured to establish secured communication between AD or LDAP and Keystone by using TLS encryption. For more information on configuring AD or LDAP-based authentication with TLS, see the mmuserauth service create command. IBM Spectrum Scale for Object Storage can also be configured with an external Keystone server. If the external Keystone server has an SSL certificate in place, the system administrator can configure secured communication with the IBM Spectrum Scale system by following some manual steps.

The following is an example on how to configure secured object access.
  1. Remove the object authentication and the idmapping:
    /usr/lpp/mmfs/bin/mmuserauth service remove  --data-access-method object
    /usr/lpp/mmfs/bin/mmuserauth service remove  --data-access-method object --idmapdelete
    mmuserauth service list
    The system displays the following output:
    FILE access not configured
    PARAMETERS             VALUES
    -------------------------------------------------
    OBJECT access not configured
    PARAMETERS             VALUES                   
    -------------------------------------------------
  2. Copy the CA certificate to the node on which the mmuserauth command is run. The name and path of the CA certificate on the current node are /var/mmfs/tmp/ks_ext_cacert.pem.
  3. Configure object authentication by using the mmuserauth service create command with the --enable-ks-ssl option:
    mmuserauth service create --data-access-method object --enable-ks-ssl --type 
    userdefined --ks-ext-endpoint https://externalkeystoneserver:35357/v3
    --ks-swift-user swift --ks-swift-pwd Passw0rd
  4. Run the mmuserauth service list command to verify the configuration:
    mmuserauth service list
    FILE access not configured
    PARAMETERS            VALUES
    -------------------------------------------------
    OBJECT access configuration : USERDEFINED
    PARAMETERS            VALUES
    ------------------------------------------------- 
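
The mmuserauth service list output shown for the AD, LDAP and external Keystone cases above is the place to confirm that the channel to the authentication server is actually protected. The following script is an added example for this page, not IBM Spectrum Scale code: it parses that PARAMETERS/VALUES listing and reports settings that leave the channel unprotected. The two sample listings are constructed from the listings in the text, and the policy rules (TLS to the directory, Kerberos for LDAP-backed file access, SSL to an external Keystone) are the editor's reading of this page, not a product rule.

```python
"""Policy check over the output of `mmuserauth service list`.

Added example, not IBM Spectrum Scale code. Sample listings are constructed
from the listings in the text; the rules encode what this page recommends.
"""
import re

# Constructed sample: object access against AD with TLS, file access not configured.
SECURE_SAMPLE = """\
FILE access not configured
PARAMETERS               VALUES
-------------------------------------------------

OBJECT access configuration: AD
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_ANONYMOUS_BIND    false
ENABLE_SERVER_TLS        true
ENABLE_KS_SSL            false
USER_NAME                cn=Administrator,cn=Users,dc=IBM,dc=local
SERVERS                  myADserver
BASE_DN                  dc=IBM,DC=local
KS_ADMIN_USER            admin
"""

# Constructed sample: LDAP-backed file access with Kerberos but without TLS.
WEAK_SAMPLE = """\
FILE access configuration : LDAP
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_ANONYMOUS_BIND    false
ENABLE_SERVER_TLS        false
ENABLE_KERBEROS          true
USER_NAME                cn=manager,dc=example,dc=com
SERVERS                  192.0.2.17

OBJECT access not configured
PARAMETERS               VALUES
-------------------------------------------------
"""

# Matches both spellings seen in the listings: "configuration: AD" and "configuration : LDAP".
SECTION_RE = re.compile(r"^(FILE|OBJECT) access (?:configuration\s*:\s*(\S+)|not configured)\s*$")


def parse_service_list(text):
    """Return {"FILE": {"type": str|None, "params": {...}}, "OBJECT": {...}}.

    "type" is None when the access method is not configured.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            current = {"type": match.group(2), "params": {}}
            sections[match.group(1)] = current
            continue
        if not line or line.startswith(("PARAMETERS", "---")) or current is None:
            continue
        parts = line.split(None, 1)  # key, then the rest of the line as the value
        current["params"][parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return sections


def _is_true(params, key):
    return params.get(key, "").lower() == "true"


def check_policy(sections):
    """Return a list of human-readable findings; an empty list means the listing passes."""
    findings = []
    for access, section in sections.items():
        kind, params = section["type"], section["params"]
        if kind is None:
            continue  # nothing configured for this access method
        if _is_true(params, "ENABLE_ANONYMOUS_BIND"):
            findings.append(f"{access}/{kind}: anonymous bind to the directory server is enabled")
        # TLS to the directory: the page uses it for LDAP (file and object) and for AD used for object.
        if (kind == "LDAP" or (kind == "AD" and access == "OBJECT")) and not _is_true(params, "ENABLE_SERVER_TLS"):
            findings.append(f"{access}/{kind}: ENABLE_SERVER_TLS is not true")
        # Kerberos for LDAP-backed file access.
        if access == "FILE" and kind == "LDAP" and not _is_true(params, "ENABLE_KERBEROS"):
            findings.append(f"{access}/{kind}: ENABLE_KERBEROS is not true")
        # External Keystone (USERDEFINED): judged only when the listing reports ENABLE_KS_SSL
        # (assumption: the USERDEFINED listing, truncated in the text, includes that key).
        if access == "OBJECT" and kind == "USERDEFINED" and params.get("ENABLE_KS_SSL", "").lower() == "false":
            findings.append(f"{access}/{kind}: ENABLE_KS_SSL is false for an external Keystone endpoint")
    return findings


def audit(text):
    """Parse a listing and return its findings."""
    return check_policy(parse_service_list(text))


if __name__ == "__main__":
    for name, sample in (("secure", SECURE_SAMPLE), ("weak", WEAK_SAMPLE)):
        print(name, "->", audit(sample) or "OK")
```

On a protocol node the listing would be fed in from the real command (for example `audit(subprocess.check_output(["mmuserauth", "service", "list"], text=True))`); the samples here only stand in for that output. Keys that a given release does not print are treated as absent rather than failing, so the check reports only what the listing actually states.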

Securing data transfer

Security of data in transit is configured by using the security features that are available with the protocol that is used for data I/O.

Securing NFS data transfer

Securing NFS data transfer over the network is achieved by using the Kerberos-based encryption that is available with the NFSv4 protocol. You can use Kerberos to encrypt the data that is transferred over the network and also to secure the communication with the authentication server.

The following example shows how to enable data security to ensure secured NFS data transfer.
  1. Create a keytab file for the protocol nodes in the IBM Spectrum Scale cluster. To create a keytab file, create a principal nfs/<node-fqdn> for each protocol node. Issue the following commands on the system that hosts the KDC server. In the following example, the commands are run on the Linux system that hosts the MIT KDC server:
    $ addprinc -randkey nfs/<protocol-node1-fqdn>
    $ addprinc -randkey nfs/<protocol-node2-fqdn>
    ...
    $ addprinc -randkey nfs/<protocol-nodeN-fqdn>
    $ ktadd -k /tmp/krb5.keytab nfs/<protocol-node1-fqdn>
    $ ktadd -k /tmp/krb5.keytab nfs/<protocol-node2-fqdn>
    ...
    $ ktadd -k /tmp/krb5.keytab nfs/<protocol-nodeN-fqdn>
  2. Ensure that the keytab file that is created is placed in the /tmp directory as krb5.keytab, specifically on the node where the IBM Spectrum Scale authentication commands are run. Verify that the keytab file is available with the required name and location:
    # stat /tmp/krb5.keytab
    File: ‘/tmp/krb5.keytab’
    Size: 502 Blocks: 8 IO Block: 4096 regular file
    Device: fd00h/64768d Inode: 103169898 Links: 1
    Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
    Context: unconfined_u:object_r:user_tmp_t:s0
    Access: 2015-01-23 14:31:18.244837381 +0530
    Modify: 2015-01-23 12:45:05.475837381 +0530
    Change: 2015-01-23 12:45:05.476837381 +0530
    Birth: -
  3. Issue the mmuserauth service create command on the IBM Spectrum Scale protocol node as shown in the following example:
    #  mmuserauth service create --data-access-method file --type ldap 
    --servers 192.0.2.17 --base-dn dc=example,dc=com 
    --user-name "cn=manager,dc=example,dc=com" --password secret --enable-kerberos 
    --kerberos-server 192.0.2.17 --kerberos-realm example.com --netbios-name cktest
    File Authentication configuration completed successfully.
  4. Issue the mmuserauth service list command to see the current authentication configuration as shown in the following example:
    # mmuserauth service list
    FILE access configuration : LDAP
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_ANONYMOUS_BIND    false
    ENABLE_SERVER_TLS        false
    ENABLE_KERBEROS          true
    USER_NAME                cn=manager,dc=example,dc=com
    SERVERS                  9.118.46.17
    NETBIOS_NAME             cktest
    BASE_DN                  dc=example,dc=com
    USER_DN                  none
    GROUP_DN                 none
    NETGROUP_DN              none
    USER_OBJECTCLASS         posixAccount
    GROUP_OBJECTCLASS        posixGroup
    USER_NAME_ATTRIB         cn
    USER_ID_ATTRIB           uid
    KERBEROS_SERVER          9.118.46.17
    KERBEROS_REALM           example.com
    
    OBJECT access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
  5. Create Kerberos exports with the krb5, krb5i, and krb5p security types on the IBM Spectrum Scale node.
    # mmcrfileset gpfs0 krb5
    Fileset krb5 created with id 2 root inode 47898.
    
    # mmlinkfileset gpfs0 krb5 -J /ibm/gpfs0/krb5
    Fileset krb5 linked at /ibm/gpfs0/krb5
    
    # mmnfs export add /ibm/gpfs0/krb5 --client \
        "*(ACCESS_TYPE=RW,SQUASH=no_root_squash,SECTYPE=krb5)"
    The NFS export was created successfully.
    
    # mmcrfileset gpfs0 krb5i
    Fileset krb5i created with id 3 root inode 47900.
    
    # mmlinkfileset gpfs0 krb5i -J /ibm/gpfs0/krb5i
    Fileset krb5i linked at /ibm/gpfs0/krb5i
    
    # mmnfs export add /ibm/gpfs0/krb5i --client \
        "*(ACCESS_TYPE=RW,SQUASH=no_root_squash,SECTYPE=krb5i)"
    The NFS export was created successfully.
    
    # mmcrfileset gpfs0 krb5p
    Fileset krb5p created with id 4 root inode 47895.
    
    # mmlinkfileset gpfs0 krb5p -J /ibm/gpfs0/krb5p
    Fileset krb5p linked at /ibm/gpfs0/krb5p
    
    # mmnfs export add /ibm/gpfs0/krb5p --client \
        "*(ACCESS_TYPE=RW,SQUASH=no_root_squash,SECTYPE=krb5p)"
    The NFS export was created successfully.
    
    # mmnfs export list
    The system displays output similar to this:
    Path               Delegations    Clients
    -------------------------------------------
    /ibm/gpfs0/krb5    none           *
    /ibm/gpfs0/krb5i   none           *
    /ibm/gpfs0/krb5p   none           *
    /ibm/gpfs0/nfsexp1 none           *
  6. Issue the mmnfs export list command for the krb5 export to see the authentication-only configuration.
    # mmnfs export list --nfsdefs /ibm/gpfs0/krb5
    The system displays output similar to this:
    Path             Delegations  Clients Access_Type Protocols Transports Squash         Anonymous_uid Anonymous_gid SecType PrivilegedPort Export_id DefaultDelegation Manage_Gids NFS_Commit
    -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    /ibm/gpfs0/krb5    none           *       RW          3,4       TCP        NO_ROOT_SQUASH -2            -2            KRB5    FALSE          2         none              FALSE       FALSE
  7. Issue the mmnfs export list command for the krb5i export to see the authentication and data integrity configuration.
    # mmnfs export list --nfsdefs /ibm/gpfs0/krb5i
    The system displays output similar to this:
    Path               Delegations    Clients Access_Type Protocols Transports Squash         Anonymous_uid Anonymous_gid SecType PrivilegedPort Export_id DefaultDelegation Manage_Gids NFS_Commit
    -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    /ibm/gpfs0/krb5i   none           *       RW          3,4       TCP        NO_ROOT_SQUASH -2            -2            KRB5I   FALSE          3         none              FALSE       FALSE
  8. Issue the mmnfs export list command for the krb5p export to see the authentication and privacy configuration.
    # mmnfs export list --nfsdefs /ibm/gpfs0/krb5p
    The system displays output similar to this:
    Path               Delegations    Clients Access_Type Protocols Transports Squash         Anonymous_uid Anonymous_gid SecType PrivilegedPort Export_id DefaultDelegation Manage_Gids NFS_Commit
    -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    /ibm/gpfs0/krb5p   none           *       RW          3,4       TCP        NO_ROOT_SQUASH -2            -2            KRB5P   FALSE          4         none              FALSE       FALSE
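
The three listings above differ only in the SecType column, and that column decides whether an export merely authenticates the client (krb5), also protects integrity (krb5i), or also encrypts the data (krb5p). The following script is an added example for this page, not IBM Spectrum Scale code: it parses the mmnfs export list table and reports, per export, the weakest protection a client may negotiate. The sample table is constructed from the listing in the text; the nfsexp1 row with SecType SYS is invented here to show how a non-Kerberos export is reported.

```python
"""Audit of `mmnfs export list --nfsdefs <path>` output.

Added example, not IBM Spectrum Scale code. The table below is constructed
from the listing in the text; the SYS row is invented to show a finding.
"""

SAMPLE_TABLE = """\
Path               Delegations    Clients Access_Type Protocols Transports Squash         Anonymous_uid Anonymous_gid SecType PrivilegedPort Export_id DefaultDelegation Manage_Gids NFS_Commit
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
/ibm/gpfs0/krb5    none           *       RW          3,4       TCP        NO_ROOT_SQUASH -2            -2            KRB5    FALSE          2         none              FALSE       FALSE
/ibm/gpfs0/krb5i   none           *       RW          3,4       TCP        NO_ROOT_SQUASH -2            -2            KRB5I   FALSE          3         none              FALSE       FALSE
/ibm/gpfs0/krb5p   none           *       RW          3,4       TCP        NO_ROOT_SQUASH -2            -2            KRB5P   FALSE          4         none              FALSE       FALSE
/ibm/gpfs0/nfsexp1 none           *       RW          3,4       TCP        NO_ROOT_SQUASH -2            -2            SYS     FALSE          1         none              FALSE       FALSE
"""

# Protection level of each NFS security flavour (higher is stronger).
LEVEL = {"SYS": 0, "NONE": 0, "KRB5": 1, "KRB5I": 2, "KRB5P": 3}
LEVEL_NAME = {
    0: "no Kerberos",
    1: "authentication only",
    2: "authentication and integrity",
    3: "authentication, integrity and privacy",
}


def parse_export_list(text):
    """Return one dict per export, keyed by the column names of the header row.

    Every cell in this table is a single whitespace-free token, so splitting on
    whitespace is enough; a row with a different field count is rejected.
    """
    lines = [line for line in text.splitlines()
             if line.strip() and not line.lstrip().startswith("---")]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            raise ValueError(f"unexpected field count in row: {line!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def weakest_level(sectype_field):
    """Lowest level a client may negotiate; SecType may list several flavours, comma separated."""
    return min(LEVEL.get(flavour.strip().upper(), 0) for flavour in sectype_field.split(","))


def audit_exports(rows):
    """Return (path, severity, message) tuples: 'error' for non-Kerberos, 'warn' for unencrypted."""
    findings = []
    for row in rows:
        level = weakest_level(row["SecType"])
        if level == 0:
            findings.append((row["Path"], "error", f"allows {row['SecType']}: {LEVEL_NAME[0]}"))
        elif level < 3:
            findings.append((row["Path"], "warn", f"{LEVEL_NAME[level]}; data not encrypted in transit"))
    return findings


if __name__ == "__main__":
    for path, severity, message in audit_exports(parse_export_list(SAMPLE_TABLE)):
        print(f"{severity:5} {path}: {message}")
```

The krb5p export produces no finding, the krb5 and krb5i exports are reported as unencrypted, and the invented SYS export is reported as an error. Because SecType can list more than one flavour, the audit rates an export by the weakest flavour it accepts, which is what a client is free to pick.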

Securing SMB data transfer

Secured SMB data transfer can be enabled when you are using SMB3 and later.

You can enable or disable encryption of data in transit by using the mmsmb export add command, as shown in the following example:
# mmsmb export add secured_export  /ibm/gpfs0/secured_export --option "smb encrypt=mandatory"

Securing object data transfer

For secure communication between the clients and IBM Spectrum Scale Object, the system administrator needs to configure HAProxy for SSL termination, traffic encryption, and load balancing of requests to IBM Spectrum Scale Object. HAProxy must be set up on an external system that is not part of the IBM Spectrum Scale cluster. For more information on how to configure HAProxy, see the documentation of the Linux distribution that you selected.