Setting up authentication
Since the introduction of the web-based GUI, the use of external authentication servers continues to grow. IBM Spectrum Control (Spectrum Control) supports using Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) as authentication methods.
This chapter explains how you can use Spectrum Control with external authentication services and what you must understand to configure this setup correctly.
This chapter uses the term external authentication server and directory server interchangeably. Although both terms have the same meaning, there are times when one or the other characteristic should be emphasized, so both terms are used. Specifically, this chapter describes Spectrum Control user roles and Cognos authentication.
This chapter briefly describes how to implement the different cases of authentication:
For more information about configuring these implementations, see the Spectrum Control IBM Knowledge Center:
This chapter also demonstrates a use case about how to implement authentication by using the IBM Bluepages (intranet), as described in 3.3, “Use case: Configuring Spectrum Control to authenticate with Bluepages for an intranet user” on page 55.
A complete guide to setting up authentication can be found in IBM Tivoli Storage Productivity Center Beyond the Basics, SG24-8236.
3.1 Planning for authentication
Authentication in Spectrum Control can be complex, and this is especially true for large enterprises that have sophisticated security compliance and mechanisms in place.
Planning for authentication should begin even before you decide on the layout to install Spectrum Control. Without fully understanding how authentication works, the person (storage administrator) who is about to install Spectrum Control can easily choose a complex path.
A preferred practice is to install Spectrum Control by using the Local OS administrative account. However, if your security policy does not allow it, then this is the first question that must be answered: Do you need to install Spectrum Control by using a domain account, and what security restrictions are in place?
Typically, applications are installed by using a domain account because of security considerations, but the domain grants other advantages:
Centralized user provisioning
Centralized user de-provisioning
Ability to enforce a policy on the accounts
Centralized auditing of authentication attempts
Spectrum Control supports LDAP or AD as authentication methods. However, if you must install Spectrum Control by using an external user, that narrows down your possibilities to AD because LDAP can be used only for external authentication, not for installing the product.
You must understand that Spectrum Control has internal user IDs, which are used by Spectrum Control components to communicate with each other, and external user IDs (users of Spectrum Control), which are used by administrators or users of the product.
Figure 3-1 shows the user ID and repository combinations schematic from IBM Tivoli Storage Productivity Center Beyond the Basics, SG24-8236. This chapter describes each use case. In addition, this chapter describes a use case about how to implement authentication by using the IBM Bluepages (intranet), which is described in 3.3, “Use case: Configuring Spectrum Control to authenticate with Bluepages for an intranet user” on page 55.
Figure 3-1 Authentication in Spectrum Control
3.1.1 Authentication and authorization
Authentication is the process in which the provided credentials are compared to the ones that are stored. In Spectrum Control, the provided credentials are the ones that are used in the different interfaces, such as the web-based GUI, the command-line interface (CLI) based tpctool, or Cognos Reporting. These credentials are compared to the ones that are stored in the File Registry, Local OS, or LDAP repository. A high-level overview is shown in Figure 3-2 on page 51.
Authorization is a function that specifies the access rights a user has that are related to a resource in a computer system. In Spectrum Control, role-based authorization is used, for example, the administrator role is authorized to view and accomplish more actions than the monitor role. For more information about role-based authorization, see the IBM Knowledge Center, found at:
Section 3.2, “Implementing authentication” on page 50 describes the different authentication possibilities. It shows the Spectrum Control environment as a single-server installation for simplicity. Spectrum Control can also be installed in a multi-server environment. For more information about Spectrum Control in a multiple-server environment, see the IBM Knowledge Center, found at:
Different actions must be applied on separate servers, depending on the installation type that you have.
3.1.2 Assigned roles
The user role concept has not changed as of Spectrum Control V5.2.8. It has remained the same since Version 5.2.0. The number of roles was reduced compared to earlier versions. There are now only three roles available, as listed in Table 3-1.
Table 3-1 Roles in Spectrum Control V5.2
Role
Users that are assigned this role
Administrator
Can use every function in Spectrum Control. By default, the following groups are assigned the Administrator role:
Windows: Administrators.
Linux: root.
AIX: system.
External Application
Cannot log in to the Tivoli Storage Productivity Center GUI. This role should be used for external applications that use the Tivoli Storage Productivity Center provisioning functions, such as:
vSphere Web Client Extension for Tivoli Storage Productivity Center.
IBM SmartCloud Storage Access. IBM SmartCloud Storage Access is no longer sold, and is in maintenance mode only.
Monitor
Can log in to Tivoli Storage Productivity Center, but cannot run any function. A user with this role still can see all the information and open log files, but the only actions that this person can do are the following ones:
Acknowledge alerts
Acknowledge a non-normal status
Set the tier level of a storage pool
The basic concept is still the same: You assign a role to a group of users so all users in that group can perform certain actions in Spectrum Control.
3.1.3 Single sign-on
Even when Cognos Reporting is set up by using the same authentication server (LDAP repository) that Spectrum Control uses, you still must reauthenticate when you start reporting because the Spectrum Control web-based GUI is running on a different WebSphere Application Server than the Cognos component. For this reason, you must authenticate again when you access the reports for the first time during a session.
There is a way to configure the WebSphere Application Server running Cognos Reporting to accept and use single sign-on tokens from the other WebSphere Application Server so that you do not need to enter a user ID and password. This procedure is described in the IBM Knowledge Center, found at:
 
Important: This configuration works only if you switch from the default file repository authentication to LDAP or to Local OS in the WebSphere Application Server that Cognos is using.
The single sign-on feature is not supported if you use the Element Managers of various devices that Spectrum Control manages.
3.2 Implementing authentication
This section briefly describes how to implement the different cases of authentication. It does not emphasize the whole installation because it has not changed in Spectrum Control since Version 5.2.2.
3.2.1 Implementing Local OS authentication and an internal user ID
This implementation is the easiest and most often used one. Both the Spectrum Control internal user ID and users of Spectrum Control are Local OS users, typically db2admin for Windows OS or db2inst1 for Linux and AIX.
This implementation is illustrated in Figure 3-2 on page 51.
Figure 3-2 Install and perform authentication by using Local OS users
To install Spectrum Control in a single-server environment, see the IBM Knowledge Center, found at:
As shown in Figure 3-2, Cognos Reporting is running under a different IBM WebSphere Application Server, which is installed by using a File Registry account. Use smadmin as the user ID for this File Registry account.
To learn about the installation process for Cognos Reporting, see the IBM Knowledge Center, found at:
Figure 3-2 shows other Spectrum Control components, for example, Alert Server and Device Server. These components run under a separate IBM WebSphere Application Server, which is a lightweight application server called Liberty. This server has a file registry as the authentication mechanism, which is not described here because it is used only for internal communication and is of no interest to external users. The same is true for the other components, such as the Data Server, the Storage Resource Agent, or the CLI.
The preferred practice is to install Spectrum Control and to set up authentication locally because this process enables the setting of external authentication later, as described in 3.2.2, “Implementing external authentication (direct LDAP) and a local internal user ID” on page 52.
3.2.2 Implementing external authentication (direct LDAP) and a local internal user ID
After you install Spectrum Control by using Local OS accounts, the internal user ID stays as-is. However, the users of Spectrum Control want to use their own centralized user account to log in to a web-based GUI, as shown in Figure 3-3.
Figure 3-3 Install by using a Local OS user and perform authentication by using external users
This is the preferred method of implementation. It has the greatest flexibility in terms of external repositories because you can use any LDAP directory server that supports LDAP V3. A comprehensive list can be found at the following website:
Using this implementation, the Spectrum Control server can be installed on any supported platform, whether it is Linux, AIX or Windows.
This implementation is referred to as Method 1 in the repository combination schematic in Figure 3-1 on page 48.
One of the drawbacks of Method 1 is that the administrator of the Spectrum Control must change the authentication of the following items:
Web server: You must change WebSphere Application Server from Local OS authentication to the LDAP repository authentication.
Cognos Reporting: You must change WebSphere Application Server from File Registry authentication to LDAP repository authentication.
The procedures are similar and are described in the IBM Knowledge Center, found at:
 
Important: Before applying this method of authentication, you must ensure that there are no duplicated user names or group names in the local file repository, the operating system repository, or the LDAP repository.
In all the cases where external authentication is used, make sure that the firewall is configured so that it can communicate between all the components.
For a complete list of ports that are used by Spectrum Control, see the IBM Knowledge Center:
3.2.3 Implementing external authentication (implicit) and a local internal user ID
This implementation is referred as Method 2 in the repository combination schematic in Figure 3-1 on page 48.
Using this implementation, the Spectrum Control server can be installed only on a Windows platform, which limits the platform flexibility. The LDAP repository type can be AD only, so this is not a preferred practice. Use this method only when the Spectrum Control server must be part of the domain.
This implementation is illustrated in Figure 3-4.
Figure 3-4 Install by using a Local OS user and perform authentication by using external users
 
Note: Implementing direct communication with LDAP as described in 3.2.2, “Implementing external authentication (direct LDAP) and a local internal user ID” on page 52 can be done even in the cases when the Spectrum Control server is part of a domain. It is a preferred practice rather than using implicit authentication.
The advantage of using this implementation is that there is no need to configure the web server. The authentication can be left as-is, using Local OS, because technically the authentication is handed over to the OS, which resolves it against AD.
The disadvantage of using this implementation is that for Cognos Reporting, the File Registry must be changed to Local OS. This procedure is described in IBM Tivoli Storage Productivity Center V5.2 Release Guide, SG24-8204.
In addition to the WebSphere Application Server change, the server must be added into the domain. For more information, see the IBM Knowledge Center:
Also, the computer browser service must be enabled and running on the server. To verify this setting, see the IBM Knowledge Center:
 
Note: The installation of the Spectrum Control server and DB2 must be accomplished by using the local users ID, as described in 3.2.1, “Implementing Local OS authentication and an internal user ID” on page 50.
3.2.4 Implementing external authentication and a domain internal user ID
This implementation is the most complex. It is the closest to the implementation that is described in 3.2.3, “Implementing external authentication (implicit) and a local internal user ID” on page 53. The only major difference is that the internal user ID must be a domain user. This method is supported only on AD, which limits LDAP repository support.
Figure 3-5 on page 55 shows this implementation.
Figure 3-5 Install by using a domain OS user and authentication by using external users
This method also has all the advantages and disadvantages described in 3.2.3, “Implementing external authentication (implicit) and a local internal user ID” on page 53. However, regarding the requirements that are related to the domain, there are a couple of additional items. These items are described in the IBM Knowledge Center, found at:
For installation details, see the Installing DB2 and Spectrum Control by using domain user accounts topic in the IBM Knowledge Center, found at:
3.3 Use case: Configuring Spectrum Control to authenticate with Bluepages for an intranet user
This use case describes how to configure authentication and authorization to allow IBM intranet users (Bluepages) to log in to the Spectrum Control web-based GUI.
The IBM LDAP repository is powered by the IBM Security Directory Server, which provides a trusted identity data infrastructure for authentication, with the following benefits:
Standardized architecture and broad platform support for a large range of operating systems and heterogeneous environments
Scalability, availability, and flexibility to support hundreds of millions of entries
Easy user and group management tool
Robust auditing and reporting
As the method of implementation, we use the preferred practice that is described in 3.2.2, “Implementing external authentication (direct LDAP) and a local internal user ID” on page 52.
This use case does not describe how to set up the IBM Security Directory Server. In this example, we use a test instance of the real IBM intranet (Bluepages). For more information about how to install and configure IBM Security Directory Server as an LDAP repository, see the following resources:
Installation:
Configuration:
If your organization uses IBM Security Directory Server, you must contact the administrator to provide you with the configuration information of the server. This information is required for the upcoming steps.
 
Note: Some of the steps in this section are optional. Skip them if they are not applicable to your environment.
Complete the following steps:
1. Open the admin console for WebSphere Application Server.
2. After you log in to Spectrum Control with Local OS credentials, click Settings → User Management. Click the Modify Authentication mechanism link to start the administration console (Figure 3-6).
Figure 3-6 User Management window using Local OS authentication
3. The WebSphere Application Server admin console opens. Provide the File Registry / Local OS credentials (Figure 3-7 on page 57).
Figure 3-7 WebSphere Application Server admin console login window
3.3.1 Adding a Bluepages SSL certificate
This step is optional and must be done only if your IBM Security Directory Server is configured with SSL. Complete the following steps:
1. After you log in, from the left menu click Security → SSL certificate and key management.
2. From the Related Items links, click Key stores and certificates (Figure 3-8).
Figure 3-8 SSL certificate and key management - keystores and certificates window
3. From the Keystores and certificates window, click NodeDefaultTrustStore (Figure 3-9).
Figure 3-9 NodeDefaultTrustStore
4. In the Additional Properties window, click Signer certificate (Figure 3-10).
Figure 3-10 Signer certificate
5. In the next window, click Retrieve from port (Figure 3-11 on page 59).
Figure 3-11 Retrieve from port
6. Complete the Properties fields with the details of your IBM Security Directory Server. In this use case, we use our test Bluepages directory server. Click Retrieve signer information after the properties are entered (Figure 3-12).
Figure 3-12 Retrieve from port properties window
7. The certificate is retrieved. You are prompted to save the changes directly to the master configuration after you click Apply (Figure 3-13).
Figure 3-13 Retrieve the certificate and save changes
8. After the certificate is retrieved and the changes are saved, make sure that this certificate shows up in the table, as shown in Figure 3-14.
Figure 3-14 Certificate shows up in the Signer certificate table
9. Restart the WebSphere Application Server by using the scripts that are provided in Spectrum Control under <IBM Spectrum Control install location>/scripts:
 – stopTPCWeb.bat or .sh
 – startTPCWeb.bat or .sh
3.3.2 Configuring the federated repository
This step is mandatory. Depending on whether IBM Security Directory Server is configured with or without SSL, different ports are used and there is also an additional check box that you must select when using SSL.
The following steps assume that you already logged in to the WebSphere Application Server admin console:
1. Click Security → Global security.
2. In the Available realm definitions section, click Configure, as shown in Figure 3-15.
Figure 3-15 Available realm definitions
3. In the Related Items section, click Manage Repositories (Figure 3-16).
Figure 3-16 Managed repositories
4. From the Managed repositories table, click Add → LDAP repository (Figure 3-17).
Figure 3-17 Managed repositories - add an LDAP repository
5. You must enter the general properties of the LDAP repository, as shown in Figure 3-18 on page 63. This information typically is provided by the IBM Security Directory Server administrator. In this use case, the primary host name is tstbluepages.mkm.can.ibm.com and the port is 636 for SSL. Make sure that the Require SSL communication check box is selected if SSL is used; clear this check box for non-SSL communication. The Login properties field also must be changed from uid to mail if you want the email to be used (instead of the serial number) for authentication.
Figure 3-18 Configuring Bluepages as a federated repository
6. At the bottom of the window, click Apply. You are prompted to save the changes to the master repository. Click Save.
7. While you are in the Manage repositories window, as shown in Figure 3-18, click tstbluepages, and in the Additional Properties section, click LDAP entity types, as shown in Figure 3-19.
Figure 3-19 LDAP entity types
8. Change the Group entity type to groupOfUniqueNames and the PersonAccount entity type to ibmPerson, as shown in Figure 3-20.
Figure 3-20 Group and PersonAccount entity type changes
9. You are prompted to save the changes to the master configuration. Click Apply for all the updates and save these changes.
10. Go to Federated repositories and click Add Base entry to Realm (Figure 3-21).
Figure 3-21 Add Base entry to Realm
11. In the Distinguished name of base entry field, enter o=ibm.com (Figure 3-22 on page 65).
Figure 3-22 Distinguished name of a base entry
12. Go back to Manage repositories, and in the Additional Properties section, select the Group attribute definition for this newly defined repository. Click Member attributes (Figure 3-23).
Figure 3-23 Group attribute definition
13. You must update the member attribute so that it contains the object class groupOfNames, and add a property uniqueMember to the table with the object class groupOfUniqueNames (Figure 3-24). These values are provided by your IBM Security Directory Server administrator.
Figure 3-24 Member attributes window
14. Click Apply and save the changes to the master configuration.
15. Restart WebSphere Application Server by using the scripts that are provided in Spectrum Control under <IBM Spectrum Control install location>/scripts:
 – stopTPCWeb.bat or .sh
 – startTPCWeb.bat or .sh
3.3.3 Configuring web security
This step is also optional. You need to complete it only if your IBM Security Directory Server is configured with SSL. Complete the following steps:
1. Click Security → Global security.
2. Click Web security → General settings, as shown in Figure 3-25.
Figure 3-25 Web security - General settings
3. Make sure that the Authenticate only when the URI is protected option is selected (Figure 3-26).
Figure 3-26 General Properties for web security general settings
4. Click Apply and save the changes to the master configuration file.
3.3.4 Performing a test communication with Bluepages
After the IBM Security Directory Server (LDAP repository) is added to the WebSphere Application Server federated repositories, you can list the LDAP repository users in the WebSphere Admin Console under Users and Groups → Manage Users, as shown in Figure 3-27. There is a search function available that you can use to find your user in the LDAP repository.
If WebSphere Application Server could not successfully connect to the LDAP repository, the users are not listed.
Figure 3-27 LDAP repository users that are listed in the WebSphere Application Server admin console
Now, you can log out of the WebSphere Application Server admin console and use the Bluepages (intranet) user account to log in to the admin console (Figure 3-28).
Figure 3-28 Log in with Bluepages credential
3.3.5 Adding a specific Bluegroup to Spectrum Control role-based authorization
It is not yet possible to log in to Spectrum Control by using the Bluepages (intranet) account. There is one more step that must be completed in the Spectrum Control web-based GUI, which is to map the LDAP group to an authorization level for Spectrum Control.
For more information about role-based authorization, go to the IBM Knowledge Center, found at:
Complete the following steps:
1. Using the Bluegroup administration tool, create a group to be used by Spectrum Control. In this use case, we name it SpectrumControl_LDAP.
This administration tool is a web interface for the IBM Security Directory Server. A group can be created on the server itself by using other methods, such as the command line. Make sure that your user is part of this Bluegroup (Figure 3-29).
Figure 3-29 BlueGroups administration application
2. After the LDAP repository is added to the federated repository in the WebSphere Application Server admin console, the LDAP users can be listed under Users and Groups → Manage Users, as shown in Figure 3-27 on page 67. The Spectrum Control User Management window should show the Bluegroup that was created earlier.
3. Log in to the Spectrum Control web-based GUI by using a local OS account, click Settings → User Management, and select Add Group (Figure 3-30).
Figure 3-30 Add the Bluegroup to role-based authorization
4. After the Bluegroup is added to the Spectrum Control authorization, log out of the local OS user and log in by using the Bluepages (intranet) user ID (Figure 3-31 on page 69).
Figure 3-31 Log in to Spectrum Control by using the Bluepages (intranet) account
Now, you can log in to Spectrum Control by using your Bluepages (intranet) credentials, but you still cannot log in to Cognos Reporting with these credentials. As described in 3.2.2, “Implementing external authentication (direct LDAP) and a local internal user ID” on page 52, the WebSphere Application Server of Cognos Reporting must undergo the same procedures as described in this use case.
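The following Python is an added example, not code from this book, WebSphere Application Server or Spectrum Control. It shows why the member attribute definition in step 13 of 3.3.2 and the group mapping in 3.3.5 belong together: a federated repository can only see a user's groups through the member attribute configured for each group object class, so a Bluegroup (groupOfUniqueNames) that is not covered by the definition resolves to no group and therefore no Spectrum Control role. The LDIF entries, the user DN and the role mapping are constructed; the LDIF parser is a simplification for flat entries.

```python
from collections import defaultdict

# Constructed LDIF: a Bluegroup-style groupOfUniqueNames group and a
# groupOfNames group. DNs and the uid are made up for this example.
SAMPLE_LDIF = """\
dn: cn=SpectrumControl_LDAP,ou=memberlist,ou=ibmgroups,o=ibm.com
objectClass: groupOfUniqueNames
cn: SpectrumControl_LDAP
uniqueMember: uid=000123456,c=ca,ou=bluepages,o=ibm.com

dn: cn=storage-ops,ou=groups,o=ibm.com
objectClass: groupOfNames
cn: storage-ops
member: uid=000123456,c=ca,ou=bluepages,o=ibm.com
"""

USER_DN = "uid=000123456,c=ca,ou=bluepages,o=ibm.com"

# Member attribute definition as entered in step 13 of 3.3.2.
MEMBER_ATTRS = {"groupOfNames": "member", "groupOfUniqueNames": "uniqueMember"}
# The definition before step 13: only groupOfNames/member is known.
DEFAULT_MEMBER_ATTRS = {"groupOfNames": "member"}
# Group-to-role assignment made in Settings -> User Management (constructed).
ROLE_MAP = {"SpectrumControl_LDAP": "Administrator"}


def parse_ldif(text):
    """Parse flat LDIF (no continuation lines, no base64 values) into a list
    of {'dn', 'attrs'} entries; attribute names are lower-cased because LDAP
    compares them case-insensitively."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = {"dn": value, "attrs": defaultdict(list)}
        elif current is not None:
            current["attrs"][name].append(value)
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Case-fold and trim RDN components (a simplification of RFC 4514
    comparison that is sufficient for the constructed sample)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def groups_for_user(entries, user_dn, member_attrs):
    """Return the cn of every group that lists user_dn in the member attribute
    configured for its object class. Classes missing from member_attrs are
    invisible, which is the failure step 13 prevents."""
    lookup = {cls.lower(): attr.lower() for cls, attr in member_attrs.items()}
    target = normalize_dn(user_dn)
    found = set()
    for entry in entries:
        attrs = entry["attrs"]
        for cls in attrs.get("objectclass", []):
            attr = lookup.get(cls.lower())
            if attr and any(normalize_dn(m) == target for m in attrs.get(attr, [])):
                found.update(attrs.get("cn", []))
    return found


def roles_for_user(entries, user_dn, member_attrs, role_map):
    """Map resolved groups to Spectrum Control roles; a user with no mapped
    group gets no role and cannot log in to the web-based GUI."""
    groups = groups_for_user(entries, user_dn, member_attrs)
    return {role_map[g] for g in groups if g in role_map}


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("after step 13: ", roles_for_user(entries, USER_DN, MEMBER_ATTRS, ROLE_MAP))
    print("before step 13:", roles_for_user(entries, USER_DN, DEFAULT_MEMBER_ATTRS, ROLE_MAP))
```

With the complete definition the user resolves to both groups and receives the Administrator role; with the default definition the Bluegroup is not seen and the user gets no role, which is the symptom to check first when a Bluepages login is refused after the steps above.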
 
Important: Using the single sign-on function from Spectrum Control to Cognos Reporting does circumvent the necessity of configuring direct LDAP for Cognos Reporting.
To access the WebSphere Application Server admin console of Cognos Reporting, use the following link, where the default port number is 16316:
https://host_name:port/ibm/console/logon.jsp