IBM DS8000 user authentication
This chapter describes the authentication methods that are available for the IBM DS8000 family.
This chapter covers the following topics:
1.1 Introduction to the DS8000 user authentication
The DS8000 system provides, by default, local basic user authentication. The user IDs, roles, and their respective passwords are maintained locally within the DS8000 system. Each individual DS8000 system has its own list of user IDs and passwords that must be maintained separately.
To simplify the user ID management and comply with industry or company internal security regulations, the DS8000 system can access a centralized directory service to perform user authentication by using the Lightweight Directory Access Protocol (LDAP).
Starting with Licensed Machine Code (LMC) 7.9.10 (bundle version 89.10.92.0), referred to as Release 9.1, the DS8900 system includes a native LDAP authentication function in addition to the previous implementation by using an IBM Copy Services Manager (CSM) LDAP proxy.
With the native LDAP implementation, you can directly configure the remote user authentication with the DS Storage Manager GUI.
The remote authentication method that was previously supported by various models of the DS8000 family uses Storage Authentication Service (SAS) and requires one or two CSM instances. In this former implementation based on CSM, the DS8000 system relies on the CSM authentication components to authenticate DS8000 users against the configured LDAP directory server. This method is still supported, and is referred to in this paper as the LDAP proxy.
This chapter provides an overview of the two remote authentication implementations, an introduction to LDAP for DS8000 administrators, and planning aids for a successful implementation of LDAP with your DS8900 system.
1.2 Storage Authentication Service by using CSM as an LDAP proxy
This section describes the SAS solution that is based on the CSM LDAP proxy. This solution remains the only choice for remote authentication for any supported DS8000 model that is not running DS8000 Release 9.1 code. With the DS8900 Release 9.1 code or later, you may stay with the CSM LDAP proxy-based solution or use the new native LDAP authentication.
The CSM LDAP proxy method requires at least one CSM instance that is running and is configured for LDAP authentication. For redundancy purposes, deploy two operational CSM instances, with one instance as the active CSM server and the other one as a standby CSM server.
Figure 1-1 on page 3 shows a typical remote authentication setup that uses the CSM server that is provided with the DS8000 HMC. The embedded CSM on the HMC is available starting with the DS8000 LMC bundle 88.10.x for DS8880 and on all DS8900 systems. For redundancy, a second CSM instance is used. This second instance can also be an embedded CSM instance on another DS8880 or DS8900 system, or a stand-alone instance. All supported DS8000 systems before the DS8880 system require CSM instances to be installed on separate servers.
Figure 1-1 Remote authentication environment by using CSM as an LDAP proxy
When using the LDAP authentication through CSM, the DS8000 user authenticates through the DS Storage Manager GUI or DS Command-Line Interface (DS CLI). The authentication request is sent to the Enterprise Storage Network Interface (ESSNI) server that is running on the HMC.
To authenticate the user, the ESSNI server connects to the CSM authentication module. The CSM authentication module then converts the request into LDAP queries and authenticates the user against the configured directory server.
From a high level, the configuration requires the following two actions:
Configure the TLS secured SAS connection between the DS8000 system and the CSM server.
Various manual steps are required to create a certificate truststore that is used to ensure an encrypted and secured connection.
Configure LDAP on CSM.
Various manual steps are required to ensure that the communication between the directory server and the CSM server is secure.
1.3 Remote authentication by using the native implementation
Starting with the DS8900 LMC 89.10.92.0, you can directly configure the remote LDAP authentication from the DS GUI or DS CLI. CSM is no longer required for the communication between the ESSNI and the directory server.
Figure 1-2 shows the authentication mechanism for the DS8900 native LDAP authentication. The DS8900 ESSNI server on the HMC can now directly authenticate the user against the directory server. The ESSNI server uses either the LDAP or LDAPS (TLS-secured LDAP) protocol to communicate with the directory server.
This native implementation is simpler and, when possible, preferred over the CSM-based implementation.
Figure 1-2 DS8900 remote authentication environment that uses native LDAP authentication
When you want to set up remote authentication, follow the wizard-guided setup in the DS GUI or issue a set of DS CLI commands. The setup through the wizard does not require the creation of a truststore file. All information that is needed to set up secure LDAP (LDAPS) to the directory server can be specified through the wizard.
To establish a secure connection, the DS8900 system needs the public key of the directory server to encrypt the authentication request. To prevent man-in-the-middle attacks, the DS8900 system stores the certificate or certificate chain on both of its HMCs.
The certificates can be imported to the DS8900 system in two ways:
The more convenient method is to retrieve certificates from the server by using the key retrieval function of the setup wizard.
During the setup process, a TLS handshake with the directory server is initiated. During the handshake, the server certificate is sent to the DS8900 HMC.
To ensure that the correct server certificate is retrieved, some details about the certificate are presented to the user. The user must verify the certificate details to complete the configuration.
Manually create and upload a certificate keystore file.
This method must be used if you want the root certificate authority (CA) certificate installed and the LDAP server does not provide it. In this case, you must also specify the supported format, which must be Java KeyStore (JKS).
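The key retrieval method above is only as safe as the administrator's check of the presented certificate details, and the manual method needs a JKS truststore. The following script is an added example, not code from this Redbook or from IBM: it retrieves the chain an LDAPS server presents in the TLS handshake, prints the details the wizard shows, compares the leaf certificate's SHA-256 fingerprint with a value obtained out of band, and builds a JKS truststore for the manual path. It assumes openssl and keytool on the administrator workstation, an LDAPS port (TLS from the first byte), and an expected fingerprint supplied by the directory or PKI team rather than read from the network.

```shell
#!/bin/sh
# Out-of-band check of an LDAPS server certificate before accepting it on a DS8900.
# Assumptions (not from the Redbook): openssl and keytool are installed, the directory
# server speaks LDAPS (normally port 636), and EXPECTED_FP comes from the PKI team.

# Retrieve the certificate chain the server sends in the TLS handshake (leaf first).
fetch_ldaps_chain() {            # usage: fetch_ldaps_chain HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >"$3"
    grep -q 'BEGIN CERTIFICATE' "$3"   # fail if the handshake returned no certificate
}

# The details the setup wizard presents for comparison: subject, issuer, validity end.
cert_details() {                 # usage: cert_details PEMFILE (first certificate in the file)
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# SHA-256 fingerprint of the first (leaf) certificate in PEMFILE, printed as AB:CD:...
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Compare the leaf fingerprint with the expected one; case and colons are ignored.
# Returns 0 on match, 1 on mismatch (do not continue the DS8900 setup on a mismatch).
verify_fingerprint() {           # usage: verify_fingerprint PEMFILE EXPECTED_FP
    got=$(cert_fingerprint "$1" | tr -d ':' | tr 'a-f' 'A-F')
    want=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Manual path from the text: a JKS truststore holding the root CA certificate that the
# server does not send (CA_PEM obtained from the PKI team), ready for upload to the DS8900.
build_jks_truststore() {         # usage: build_jks_truststore CA_PEM KEYSTORE STOREPASS
    keytool -importcert -noprompt -trustcacerts -alias ldap-root-ca \
        -file "$1" -keystore "$2" -storetype JKS -storepass "$3"
}

# Runs end to end only when called as: script HOST PORT EXPECTED_FP
if [ "$#" -eq 3 ]; then
    chain=$(mktemp)
    fetch_ldaps_chain "$1" "$2" "$chain" || { echo "no certificate received from $1:$2" >&2; exit 2; }
    cert_details "$chain"
    if verify_fingerprint "$chain" "$3"; then
        echo "fingerprint matches; this certificate may be accepted in the wizard"
    else
        echo "FINGERPRINT MISMATCH: got $(cert_fingerprint "$chain"); do not accept" >&2
        exit 1
    fi
fi
```

Compare the printed subject, issuer and fingerprint with what the DS GUI wizard shows; a mismatch means the HMC is not talking to the directory server you expect.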
1.4 Benefits of using remote authentication for a DS8000 system
Switching from local to remote authentication has the following advantages:
Centralized user ID and password management.
Users can use their corporate login credentials to authenticate their DS8000 access. Password rules and requirements are enforced at the corporate level. Users do not need to log on to several DS8000 systems to frequently change their passwords.
Centralized user management by using existing groups from the directory server.
For example, if a user joins or leaves the department, only one group in the directory server must be updated. The update takes effect immediately on the next attempt to access the DS8000 system.
Simplifies the enforcement of security requirements for passwords.
You do not need to implement new or updated password rules for each DS8000 system in your data center or fix locked user accounts.
Using the corporate login credentials can reduce the usage of shared user IDs, which facilitates the better auditing that might be required by company or industry regulations.
1.5 Determining the remote authentication solution
Every IT environment is unique, and you must decide what solutions best fit your existing environment.
Starting with the DS8900 LMC 89.10.92.0, you can choose between native (direct) LDAP authentication and using CSM as a proxy.
For new installations, it is a best practice to use the native LDAP authentication described in 1.3, “Remote authentication by using the native implementation” on page 4. The setup and the cloning of the configuration to other DS8900 systems are easy. You should adjust your remote authentication strategy for your new DS8900 systems toward native remote authentication. If you want to migrate from the CSM-based authentication to the native LDAP implementation, see Chapter 8, “Migrating from IBM Copy Services Manager based LDAP authentication to native LDAP authentication” on page 89.
For older DS8000 models or if your DS8900 system is not at Release 9.1, you must use remote authentication through CSM, as described in 1.2, “Storage Authentication Service by using CSM as an LDAP proxy” on page 2.