Setting up user authentication
User authentication is required to operate the storage system.
Setting up authentication and authorization with Device Manager - Storage Navigator
An authentication server enables users to log in to Device Manager - Storage Navigator with the same password as the password that they use for other applications. The authentication server must be configured for each user.
The following figure shows the login workflow without an authentication server:
The following figure shows the login workflow with an authentication server:
If an authorization server works together with an authentication server, the user groups that are registered in the authorization server can be assigned to a user for Device Manager - Storage Navigator.
The following figure shows the login workflow when an authentication server and an authorization server are used in combination:
You can use the authentication server without knowing its host names and port numbers if you register the authentication server information as an SRV record in the DNS server. If you register multiple authentication servers in the SRV record, the server to be used is determined by the priority that has been set in advance.
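The selection rule behind "priority that has been set in advance" is the one DNS SRV records define (RFC 2782): the client tries all targets of the lowest priority value first, and splits load among targets that share a priority according to their weight. The following Python, added here as an example and not taken from the manual, applies that rule to a constructed set of records as they might be registered for an LDAP service; the record names and values are invented for illustration.

```python
"""RFC 2782 SRV selection order, added here as an example (not from the manual).
The manual says the authentication server used is decided by the priority set
on the SRV records in advance; this shows that rule as a client applies it."""
import random
from collections import namedtuple

# One SRV record: a lower priority value is tried first; weight splits load
# among records that share the same priority.
SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed records, as they might be registered under _ldap._tcp.example.com.
RECORDS = [
    SrvRecord(10, 60, 636, "ldap1.example.com."),
    SrvRecord(10, 40, 636, "ldap2.example.com."),
    SrvRecord(20, 0, 636, "ldap-backup.example.com."),
]


def srv_order(records, seed=None):
    """Return records in the order a client should try them.

    All records of the lowest priority come first; within one priority the
    order is a weighted random draw, so the two servers at priority 10 share
    logins while the priority-20 server is used only when both are down.
    """
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)  # 0..total inclusive, as RFC 2782 describes
            running = 0
            for rec in group:
                running += rec.weight
                if running >= pick:
                    break
            ordered.append(rec)
            group.remove(rec)
    return ordered


if __name__ == "__main__":
    for rec in srv_order(RECORDS, seed=1):
        print(f"priority {rec.priority:>3} weight {rec.weight:>3}  {rec.target}:{rec.port}")
```

Whatever the weights, every priority-10 target is attempted before the priority-20 target, which is why the manual can say the server to be used is determined by the priority registered in advance.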
Authentication server protocols
Authentication servers support the following protocols:
- LDAPv3 simple bind authentication
- RFC 2865-compliant RADIUS with PAP and CHAP authentication
- Kerberos v5
The following certificate file formats are available for LDAP server settings:
- X509 DER format
- X509 PEM format
One of the following encryption types must be used for the Kerberos server:
- Windows
  - AES128-CTS-HMAC-SHA1-96
  - RC4-HMAC
  - DES3-CBC-SHA1
  - DES-CBC-CRC
  - DES-CBC-MD5
- Solaris or Linux
  - DES-CBC-MD5
Authorization server requirements
The authorization server must satisfy the following requirements if it works together with the authentication server:
- Prerequisite OS
  - Windows Server 2003
  - Windows Server 2003 R2
  - Windows Server 2008
  - Windows Server 2008 R2
  - Windows Server 2012
  - Windows Server 2012 R2
- Prerequisite software
  - Active Directory
- Authentication protocol for the user used for searching
  - LDAP v3 simple bind
When using an LDAP server or a Kerberos server as an authentication server, and combining it with an authorization server, use the same host for the authentication and authorization servers.
When a RADIUS server is used as an authentication server, two authentication servers (one primary and one secondary) can be specified, but only one authorization server can be specified.
Connecting two authentication servers
Two authentication servers can be connected to a storage system. When the servers are connected, the server configurations must be the same, except for the IP address and the port.
If you search for a server using the information registered in the SRV records in the DNS server, confirm that the following conditions are satisfied:
- LDAP server conditions:
  - The environment settings for the DNS server have been completed on the LDAP server.
  - The host name, port number, and domain name of the LDAP server are registered in the DNS server.
- Kerberos server conditions:
  - The host name, port number, and domain name of the Kerberos server are registered in the DNS server.
Because the RADIUS server is accessed over UDP/IP, the communication itself is not encrypted (for example, no session encryption is negotiated between the processes). To access the RADIUS server in a secure environment, packet-level encryption such as IPsec is required.
If an LDAP server or Kerberos server is used as an authentication server and works with an authorization server, the authentication server and the authorization server must use the same host.
If you use RADIUS servers as authentication servers, you can connect two authentication servers (primary server and secondary server) and one authorization server.
If you use RADIUS servers as authentication servers with both a primary and a secondary server specified, and before SVP microcode version 70-02-5x/00 you specified different authorization-server domains for the primary and the secondary servers, then a server configuration operation in the Setup Server window on SVP microcode version 70-02-5x/00 or later enables only the authorization server whose domain was specified for the primary server.
Connecting authentication and authorization servers
Before you can connect an authentication server and an authorization server, you must configure your network.
Before you begin
- If you have not already done so, obtain a security administrator account with a View & Modify role.
- Contact your server administrator for the values to be written in the LDAP, RADIUS, or Kerberos configuration file. If you use LDAP servers, the LDAP server files must be certified; obtain the certification.
- Contact your network administrator for information about the network settings.
- Give your service representative the IP address of the DNS server and ask that representative to configure the SVP.
Procedure
- Click .
- Click Setup Server to open the Setup Server window.
- Select the type of the authentication server.
- Specify the options to connect to the authentication server. If you use more than one authentication server or an authorization server, specify the options for each server.
- To test the connection, click Check in the Server Configuration Test field.
- Click Finish.
- Enter a task name and then click Apply.
- After you finish setting up the authentication and authorization servers and confirm that you can use them, save a copy of the configuration files used to connect to the authentication server.
Naming a user group in Device Manager - Storage Navigator
When you create a user group in Device Manager - Storage Navigator, you name the group with the user's memberOf attribute value as found in Active Directory. Device Manager - Storage Navigator supports Active Directory nested groups.
After entering the user group name, verify that the user group name that you entered is registered in the authorization server.
Creating configuration files
Authentication servers and authorization servers must be configured using configuration files.
Creating an LDAP configuration file
You can use an LDAP server for authentication on your storage system.
To use an LDAP server for authentication, create a configuration file in UTF-8 encoding. Include information about the authentication server as shown in the following example. Any file name and extension are allowed.

auth.server.type=ldap
auth.server.name=<server_name>
auth.group.mapping=<value>
auth.ldap.<server_name>.<attribute>=<value>

A full example is shown here:

auth.server.type=ldap
auth.server.name=PrimaryServer
auth.group.mapping=true
auth.ldap.PrimaryServer.protocol=ldaps
auth.ldap.PrimaryServer.host=ldaphost.domain.local
auth.ldap.PrimaryServer.port=636
auth.ldap.PrimaryServer.timeout=3
auth.ldap.PrimaryServer.attr=sAMAccountName
auth.ldap.PrimaryServer.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.ldap.PrimaryServer.searchpw=password
auth.ldap.PrimaryServer.basedn=CN=Users,DC=domain,DC=local
auth.ldap.PrimaryServer.retry.interval=1
auth.ldap.PrimaryServer.retry.times=3
auth.ldap.PrimaryServer.domain.name=EXAMPLE.COM
The LDAP attributes are defined in the following table.

| Attribute | Description | Required / Optional | Default value |
| --- | --- | --- | --- |
| auth.server.type | Type of the authentication server. Specify ldap. | Required | None |
| auth.server.name | The name of the authentication server. When registering a primary and a secondary server, use a comma to separate the names. The combined name (primary name, secondary name, and the 1-byte comma) must be 64 bytes or less. The names can use any ASCII characters except the following: \ / : , ; * ? " < > \| $ % & ' ~ In this manual, the value specified here is called <server_name>. | Required | None |
| auth.group.mapping | Whether to work together with an authorization server. | Optional | false |
| auth.ldap.<server_name>.protocol | LDAP protocol to use. When auth.ldap.<server_name>.dns_lookup is set to true, specify ldaps. | Required | None |
| auth.ldap.<server_name>.host | A host name, an IPv4 address, or an IPv6 address of the LDAP server. An IPv6 address must be enclosed in square brackets. To use StartTLS as the protocol, specify a host name. If this value is specified, auth.ldap.<server_name>.dns_lookup is ignored. | Optional (1) | None |
| auth.ldap.<server_name>.port | Port number of the LDAP server. Must be between 1 and 65535. (2) | Optional | 389 |
| auth.ldap.<server_name>.timeout | Number of seconds before the connection to the LDAP server times out. Must be between 1 and 30. (2) | Required | 10 |
| auth.ldap.<server_name>.attr | Attribute name that identifies a user (such as a user ID). sAMAccountName is used for Active Directory. | Required | None |
| auth.ldap.<server_name>.searchdn | DN of the user used for searching. If omitted, <value_of_attr>=<Login_ID>,<value_of_basedn> is used for bind authentication. (3) | Optional | None |
| auth.ldap.<server_name>.searchpw | Password of the user used for searching. Specify the same password that is registered in the LDAP server. | Required | None |
| auth.ldap.<server_name>.basedn | Base DN for searching for users to authenticate. (3) | Required | None |
| auth.ldap.<server_name>.retry.interval | Retry interval in seconds when the connection to the LDAP server fails. Must be between 1 and 5. (2) | Optional | 1 |
| auth.ldap.<server_name>.retry.times | Number of retries when the connection to the LDAP server fails. Must be between 0 and 3; 0 means no retry. (2) | Optional | 3 |
| auth.ldap.<server_name>.domain.name | Domain name that the LDAP server manages. | Required | None |
| auth.ldap.<server_name>.dns_lookup | Whether to locate the LDAP server using the information registered in the SRV records of the DNS server. If host and port are specified, the SRV records are not used even when this value is true. | Optional | false |

Notes:
Creating a RADIUS configuration file
You can use a RADIUS server for authentication on your storage system.
To use a RADIUS server for authentication, create a configuration file in UTF-8 encoding. Include information about the authentication server as shown in the following example. Any file name and extension is allowed. If an authorization server is not used, you do not need to define the items for it.
auth.server.type=radius
auth.server.name=server-name
auth.group.mapping=value
auth.radius.server-name.attribute=value
auth.group.domain-name.attribute=value

A full example is shown below:

auth.server.type=radius
auth.server.name=PrimaryServer
auth.group.mapping=true
auth.radius.PrimaryServer.protocol=pap
auth.radius.PrimaryServer.host=xxx.xxx.xxx.xxx
auth.radius.PrimaryServer.port=1812
auth.radius.PrimaryServer.timeout=3
auth.radius.PrimaryServer.secret=secretword
auth.radius.PrimaryServer.retry.times=3
auth.radius.PrimaryServer.attr.NAS-Identifier=xxxxxxxx
auth.radius.PrimaryServer.domain.name=radius.example.com
auth.group.radius.example.com.protocol=ldap
auth.group.radius.example.com.host=xxx.xxx.xxx.xxx
auth.group.radius.example.com.port=386
auth.group.radius.example.com.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.group.radius.example.com.searchpw=password
auth.group.radius.example.com.basedn=CN=Users,DC=domain,DC=local
The attributes are defined in the following tables.
| Attribute | Description | Required / Optional | Default value |
| --- | --- | --- | --- |
| auth.server.type | Type of the authentication server. Specify radius. | Required | None |
| auth.server.name | The name of the authentication server. When registering a primary and a secondary server, use a comma to separate the names. The combined name (primary name, secondary name, and the 1-byte comma) must be 64 bytes or less. The names can use any ASCII characters except the following: \ / : , ; * ? " < > \| $ % & ' ~ In this manual, the value specified here is called server-name. | Required | None |
| auth.group.mapping | Whether to work together with an authorization server. | Optional | false |
| auth.radius.server-name.protocol | RADIUS protocol to use. | Required | None |
| auth.radius.server-name.host | A host name, an IPv4 address, or an IPv6 address of the RADIUS server. An IPv6 address must be enclosed in square brackets. | Required | None |
| auth.radius.server-name.port | Port number of the RADIUS server. Must be between 1 and 65535. (1) | Optional | 1812 |
| auth.radius.server-name.timeout | Number of seconds before the connection to the RADIUS server times out. Must be between 1 and 30. (2) | Optional | 10 |
| auth.radius.server-name.secret | RADIUS shared secret used for PAP or CHAP authentication. | Required | None |
| auth.radius.server-name.retry.times | Number of retries when the connection to the RADIUS server fails. Must be between 0 and 3; 0 means no retry. (1) | Optional | 3 |
| auth.radius.server-name.attr.NAS-Identifier | Identifier by which the RADIUS server finds the SVP. Specify this value if the NAS-Identifier attribute is used in your RADIUS environment. ASCII strings up to 253 bytes long are accepted. | Optional (2) | None |
| auth.radius.server-name.attr.NAS-IPv4-Address | IPv4 address of the SVP. Specify the value of the NAS-IP-Address attribute. This value is sent to the RADIUS server when authentication is requested. | Optional (2) | None |
| auth.radius.server-name.attr.NAS-IPv6-Address | IPv6 address of the SVP. Specify the value of the NAS-IPv6-Address attribute. This value is sent to the RADIUS server when authentication is requested. | Optional (2) | None |

Notes:

| Attribute | Description | Required / Optional | Default value |
| --- | --- | --- | --- |
| auth.radius.server-name.domain.name | Domain name that the LDAP server manages. In this manual, the value specified here is called domain-name. | Required | None |
| auth.radius.server-name.dns_lookup | Whether to locate the LDAP server using the information registered in the SRV records of the DNS server. | Optional | false |
| auth.group.domain-name.protocol | LDAP protocol to use. | Required | None |
| auth.group.domain-name.host | A host name, an IPv4 address, or an IPv6 address of the LDAP server. An IPv6 address must be enclosed in square brackets ([ ]). | Optional (1) | None |
| auth.group.domain-name.port | Port number of the LDAP server. Must be between 1 and 65535. (2) | Optional | 389 |
| auth.group.domain-name.searchdn | DN of the user used for searching. | Required | None |
| auth.group.domain-name.searchpw | Password of the user used for searching. Specify the same password that is registered in the LDAP server. | Required | None |
| auth.group.domain-name.basedn | Base DN for searching for users to authenticate. Specify the DN of the hierarchy that includes all target users, because the users searched for are below the specified DN. (3) | Optional | abbr |
| auth.group.domain-name.timeout | Number of seconds before the connection to the LDAP server times out. Must be between 1 and 30. | Optional | 10 |
| auth.group.domain-name.retry.interval | Retry interval in seconds when the connection to the LDAP server fails. Must be between 1 and 5. (2) | Optional | 1 |
| auth.group.domain-name.retry.times | Number of retries when the connection to the LDAP server fails. Must be between 0 and 3; 0 means no retry. (2) | Optional | 3 |

Notes:
Creating a Kerberos configuration file
You can use a Kerberos server for authentication on your storage system.
To use a Kerberos server for authentication, create a configuration file in UTF-8 encoding. Include information about the authentication server as shown in the following example. Any file name and extension are allowed. If an authorization server is not used, you do not need to define the items for it.
auth.server.type=kerberos
auth.group.mapping=<value>
auth.kerberos.<attribute>=<value>
auth.group.<realm_name>.<attribute>=<value>

A full example is shown below:

auth.server.type=kerberos
auth.group.mapping=true
auth.kerberos.default_realm=example.com
auth.kerberos.dns_lookup_kdc=true
auth.kerberos.clockskew=300
auth.kerberos.timeout=10
auth.group.example.com.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.group.example.com.searchpw=password
auth.group.example.com.basedn=CN=Users,DC=domain,DC=local
The Kerberos attributes are defined in the following tables.

| Attribute | Description | Required / Optional | Default value |
| --- | --- | --- | --- |
| auth.server.type | Type of the authentication server. Specify kerberos. | Required | None |
| auth.group.mapping | Whether to work together with an authorization server. | Optional | false |
| auth.kerberos.default_realm | Default realm name. | Required | None |
| auth.kerberos.dns_lookup_kdc | Switch that determines whether the Kerberos server is located using the information registered in the SRV records of the DNS server. | Optional | false |
| auth.kerberos.clockskew | Acceptable range of the time difference between the SVP and the Kerberos server that the SVP uses. Must be between 0 and 300 seconds. (1) | Optional | 300 |
| auth.kerberos.timeout | Number of seconds before the connection to the RADIUS server times out. Must be between 1 and 30. When 0 is specified, the connection does not time out until a communication error occurs. (1) | Optional | 10 |
| auth.kerberos.realm_name | Realm identifier name: any name that distinguishes the Kerberos server information of each realm. Duplicate names cannot be used. If you register multiple names, use a comma to separate them. The value specified here is called <realm_name>. | Optional (2) | None |
| auth.kerberos.<realm_name>.realm | Realm name set on the Kerberos server. | Optional (2) | None |
| auth.kerberos.<realm_name>.kdc | Host name or IPv4 address, and port number, of the Kerberos server, in the format "<host name or IP address>[:port number]". | Optional (2) | None |

Notes:

| Attribute | Description | Required / Optional | Default value |
| --- | --- | --- | --- |
| auth.group.<realm_name>.protocol | LDAP protocol to use. | Required | None |
| auth.group.<realm_name>.port | Port number of the LDAP server. Must be between 1 and 65535. (1) | Optional | 389 |
| auth.group.<realm_name>.searchdn | DN of the user used for searching. (2) | Required | None |
| auth.group.<realm_name>.searchpw | Password of the user used for searching. Specify the same password that is registered in the LDAP server. | Required | None |
| auth.group.<realm_name>.basedn | Base DN where the search for users begins. Specify the DN of the hierarchy that includes all target users, because the users searched for are below the specified DN. (2) | Optional | abbr |
| auth.group.<realm_name>.timeout | Number of seconds before the connection to the LDAP server times out. Must be between 1 and 30 seconds. When 0 is specified, the connection does not time out until a communication error occurs. (1) | Optional | 10 |
| auth.group.<realm_name>.retry.interval | Retry interval in seconds when the connection to the LDAP server fails. Must be between 1 and 5. (1) | Optional | 1 |
| auth.group.<realm_name>.retry.times | Number of retries when the connection to the LDAP server fails. Must be between 0 and 3; 0 means no retry. (1) | Optional | 3 |

Notes:
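The three configuration files above share one key=value format, and the attribute tables give hard rules (value ranges, required keys, ldaps when dns_lookup is true, the bind DN built when searchdn is omitted) that the Setup Server window only reports after the file has been uploaded. The following Python pre-flight checker is an added example; it is not part of the manual or of the product, and it encodes only the rules stated in the LDAP, RADIUS and Kerberos tables. The embedded sample is constructed from the manual's LDAP example with the optional keys left out; any file you feed it should of course be protected like the real one, since it contains the search password or RADIUS secret.

```python
"""Pre-flight checker for Storage Navigator authentication config files.
Added example, not part of the manual or the product: parses the key=value
format of the LDAP, RADIUS and Kerberos files and applies the range and
dependency rules from their attribute tables before the file goes to the SVP."""

# Characters the manual forbids inside auth.server.name; the comma is the
# primary/secondary separator, so each name is checked after splitting on it.
FORBIDDEN_NAME_CHARS = set('\\/:,;*?"<>|$%&\'~')
# Integer limits taken from the attribute tables, keyed by attribute suffix.
LDAP_RANGES = {"port": (1, 65535), "timeout": (1, 30),
               "retry.interval": (1, 5), "retry.times": (0, 3)}
RADIUS_RANGES = {"port": (1, 65535), "timeout": (1, 30), "retry.times": (0, 3)}
KERBEROS_RANGES = {"clockskew": (0, 300), "timeout": (0, 30)}  # timeout 0 = none


def parse_config(text):
    """Parse key=value lines. DNs contain '=' too, so split on the first one only."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"not a key=value line: {raw!r}")
        cfg[key.strip()] = value.strip()
    return cfg


def _check_ranges(cfg, prefix, ranges, problems):
    """Flag any present <prefix>.<suffix> that is not an integer inside its range."""
    for suffix, (lo, hi) in ranges.items():
        key = f"{prefix}.{suffix}"
        if key in cfg and not (cfg[key].isdigit() and lo <= int(cfg[key]) <= hi):
            problems.append(f"{key}: {cfg[key]!r} is not an integer in {lo}..{hi}")


def _check_required(cfg, prefix, suffixes, problems):
    problems.extend(f"{prefix}.{s}: required" for s in suffixes if f"{prefix}.{s}" not in cfg)


def _server_names(cfg, problems):
    """Validate auth.server.name and return the primary/secondary names."""
    names = cfg.get("auth.server.name", "")
    if not names:
        problems.append("auth.server.name: required")
        return []
    if len(names.encode()) > 64:
        problems.append("auth.server.name: longer than 64 bytes")
    for name in names.split(","):
        bad = sorted(set(name) & FORBIDDEN_NAME_CHARS)
        if bad:
            problems.append(f"auth.server.name: forbidden characters {bad}")
    return names.split(",")


def validate(cfg):
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    stype = cfg.get("auth.server.type")
    if stype not in ("ldap", "radius", "kerberos"):
        return ["auth.server.type: must be ldap, radius or kerberos"]
    if stype == "kerberos":
        _check_required(cfg, "auth.kerberos", ("default_realm",), problems)
        _check_ranges(cfg, "auth.kerberos", KERBEROS_RANGES, problems)
        return problems
    for name in _server_names(cfg, problems):
        p = f"auth.{stype}.{name}"
        if stype == "ldap":
            _check_required(cfg, p, ("protocol", "attr", "searchpw", "basedn", "domain.name"), problems)
            _check_ranges(cfg, p, LDAP_RANGES, problems)
            # Table rule: SRV lookup through DNS requires the ldaps protocol.
            if (cfg.get(f"{p}.dns_lookup", "false").lower() == "true"
                    and cfg.get(f"{p}.protocol") != "ldaps"):
                problems.append(f"{p}.protocol: must be ldaps when dns_lookup=true")
        else:
            _check_required(cfg, p, ("protocol", "host", "secret"), problems)
            _check_ranges(cfg, p, RADIUS_RANGES, problems)
    return problems


def effective_bind_dn(cfg, name, login_id):
    """Bind DN used when auth.ldap.<name>.searchdn is omitted: <attr>=<login_id>,<basedn>."""
    p = f"auth.ldap.{name}"
    if f"{p}.searchdn" in cfg:
        return None  # a search user is configured; the account is located by search instead
    return f"{cfg[p + '.attr']}={login_id},{cfg[p + '.basedn']}"


# Constructed sample: the manual's LDAP example with the optional keys left out.
SAMPLE_LDAP = """
auth.server.type=ldap
auth.server.name=PrimaryServer
auth.ldap.PrimaryServer.protocol=ldaps
auth.ldap.PrimaryServer.host=ldaphost.domain.local
auth.ldap.PrimaryServer.attr=sAMAccountName
auth.ldap.PrimaryServer.searchpw=password
auth.ldap.PrimaryServer.basedn=CN=Users,DC=domain,DC=local
auth.ldap.PrimaryServer.domain.name=EXAMPLE.COM
"""
```

Run validate(parse_config(text)) on the file before uploading it; the returned list is empty for the sample, and effective_bind_dn shows the DN the storage system will bind with when no search user is configured, which is worth checking against the directory layout because a wrong basedn at that point fails every login rather than a single search.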