Security
Security is of utmost importance for mission-critical workloads and data. IBM XIV Gen3, IBM FlashSystem A9000 and A9000R, and IBM Spectrum Accelerate software offer many features to ensure that both the access and the data are secure.
This chapter describes local access and authentication that can be configured in IBM FlashSystem A9000 and A9000R and IBM XIV Gen3. For details about LDAP-based authentication, refer to Enabling LDAP for IBM FlashSystem A9000 and A9000R with Microsoft Active Directory, REDP-5387. For information regarding encryption, refer to IBM FlashSystem A9000 and A9000R Business Continuity Solutions, REDP-5401.
3.1 Physical access security
When you install IBM XIV Gen3, IBM FlashSystem A9000 and A9000R and IBM Spectrum Accelerate software, the same common sense security practices for any other business-critical IT system apply. These practices include enforcing physical access security to the data center, access doors, the individual systems, and the racks.
Another typical concern is reliable power. Each major component of IBM FlashSystem A9000 and A9000R uses individual and internal redundant battery units to ensure correct operations. In a power loss, these batteries ensure the retention of all caches, destage securely, and perform a graceful shutdown.
However, if someone gains physical access to the equipment, that person might manually shut off or remove components by bypassing the normal process. In this case, the storage system has the potential to lose the contents of several of its caches, resulting in system unavailability or data loss. To eliminate or greatly reduce this risk, IBM FlashSystem A9000R and IBM XIV Gen3 can be equipped with lockable doors. IBM FlashSystem A9000 can be installed in a customer-provided rack that can also provide this feature.
 
Important: Protect IBM FlashSystem A9000 and A9000R or IBM XIV Gen3 by locking the rack doors and monitoring the physical access to the equipment.
3.2 Native user authentication
To prevent unauthorized access to the configuration of the storage system and ultimately to the information that is stored on its volumes, IBM XIV Gen3, IBM FlashSystem A9000 and A9000R, and IBM Spectrum Accelerate software use password-based user authentication.
 
Note: Because the graphical user interface (GUI) code is accessed through the IBM Hyper-Scale Manager server, security considerations also apply for that server. It is a preferred practice to regularly change the access code and machine account password. See 3.2.3, “Security considerations for Hyper-Scale Manager” on page 105.
3.2.1 Local credential repository
By default, IBM XIV Gen3, IBM FlashSystem A9000 and A9000R, and IBM Spectrum Accelerate software are configured to use native (locally managed) user authentication. The alternative is to use Lightweight Directory Access Protocol (LDAP), as described in Enabling LDAP for IBM FlashSystem A9000 and A9000R with Microsoft Active Directory, REDP-5387.
Native user authentication uses the credential repository that is stored locally on IBM XIV Gen3, IBM FlashSystem A9000 and A9000R, and IBM Spectrum Accelerate software.
The local credential repository maintains the following information:
Domain memberships
User name
User password
User role
User group
Optional account attributes
User name
A user name is a string of 1 - 63 characters that can contain only a - z, A - Z, 0 - 9, .-_~, and space symbols. User names are case-sensitive. IBM XIV Gen3, IBM FlashSystem A9000 and A9000R, and IBM Spectrum Accelerate software are configured with a set of predefined user accounts. Predefined user names and corresponding default passwords exist to provide the initial access at the time of installation for system maintenance.
The following user accounts are predefined:
technician
This account is used by the IBM service support representative (SSR) to install the system and perform maintenance.
admin
This account provides the highest level of client access to the system. It can be used for creating new users and changing passwords for existing users in native authentication mode.
 
Important: Use of the admin account must be limited to the initial configuration when no other user accounts are available. Access to the admin account needs to be restricted and securely protected.
xiv_development and xiv_maintenance users
These IDs are special-case, predefined internal IDs that can be accessed only by qualified IBM development personnel and SSRs.
Predefined user accounts cannot be deleted from the system, and they are always authenticated natively even if the system operates under Lightweight Directory Access Protocol (LDAP) authentication mode. Customers can contact IBM to arrange for the special-case, predefined internal IDs to be removed or changed due to government or intelligence sensitivity, which affects service and support operations.
User accounts can initially be created by the admin user only. After the admin user creates a user account and assigns it to the storageadmin (storage administrator) role, then other user accounts can be created by this storageadmin user.
 
Tip: When you install Hyper-Scale Manager, which is the primary way of managing and monitoring the IBM XIV Gen3, IBM FlashSystem A9000 and A9000R, and IBM Spectrum Accelerate family of storage systems, a default management user named system_management_user is created.
In native authentication mode, the system is limited to creating up to 128 user accounts. This number includes the predefined users.
User password
The user password is a secret word or phrase that is used by the account owner to gain access to the system. The user password is used at the time of authentication to establish the identity of that user. User passwords can be 6 - 12 characters and include these characters:
a - z, A - Z, ~, !, @, #, $, %, ^, &, *, (, ), _ , + , -, =, {, }, |, :, ;, <, >, ?, ., /, , [, and ]
The passwords must not have spaces between characters. In native authentication mode, IBM XIV Gen3, IBM FlashSystem A9000 and A9000R, and IBM Spectrum Accelerate software verify the validity of a password when the password is assigned. Be careful to ensure that strong passwords are used.
Predefined users have the default passwords that are shown in Table 3-1 and that are assigned at the installation.
Table 3-1 Default passwords

| Predefined user | Default password |
|---|---|
| admin | adminadmin |
| system_management_user | adminadmin |
 
Important: The default admin password must be changed at the time of installation to prevent unauthorized access to the system. For instructions, see 3.2.2, “Managing user accounts” on page 101.
The following restrictions apply when you work with passwords in native authentication mode:
For security, passwords are not shown in user lists.
Passwords are user-changeable. Users can change their own passwords only.
Only the predefined user admin can change the passwords of other users.
Passwords are changeable from both the command-line interface (CLI) and the GUI.
Passwords are case-sensitive.
User password assignment is mandatory at the time that a user account is created.
Creating user accounts with an empty password or removing a password from an existing user account is not permitted.
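As an added example (not from the chapter), the following Python script encodes the user name and password rules stated above and layers a local audit on top: it flags the Table 3-1 factory default and, as our own policy assumption rather than a system rule, passwords that use fewer than three character classes. Digits are accepted because the chapter's own worked passwords (New-Passw0rd, XIV-R3) contain them, although the printed character list omits them; the function names are ours.

```python
"""Pre-checks for native-mode user credentials on XIV Gen3 / FlashSystem A9000.

Added example, not IBM code: it encodes the user name and password rules of
section 3.2.1 and adds a local policy layer (default-password and character-class
findings) that the storage system itself does not enforce.
"""
import string

# --- Rules stated by the chapter -----------------------------------------------
USERNAME_MIN, USERNAME_MAX = 1, 63
USERNAME_ALLOWED = frozenset(string.ascii_letters + string.digits + ".-_~ ")

PASSWORD_MIN, PASSWORD_MAX = 6, 12
# Punctuation as listed in the chapter. Digits are included because the chapter's
# own passwords (New-Passw0rd, XIV-R3) contain them although the printed list omits them.
PASSWORD_PUNCT = "~!@#$%^&*()_+-={}|:;<>?./[]"
PASSWORD_ALLOWED = frozenset(string.ascii_letters + string.digits + PASSWORD_PUNCT)

# Factory defaults from Table 3-1; an account that still uses one is a finding.
DEFAULT_PASSWORDS = {"admin": "adminadmin", "system_management_user": "adminadmin"}

# --- Local policy (assumption: our own hardening rule, not a system rule) -------
MIN_CHARACTER_CLASSES = 3


def check_username(name: str) -> list:
    """Return rule violations for a user name; an empty list means it is acceptable."""
    problems = []
    if not USERNAME_MIN <= len(name) <= USERNAME_MAX:
        problems.append(f"user name length {len(name)} not in {USERNAME_MIN}-{USERNAME_MAX}")
    bad = sorted(set(name) - USERNAME_ALLOWED)
    if bad:
        problems.append("user name has disallowed characters: " + repr("".join(bad)))
    return problems


def check_password(pw: str) -> list:
    """Return the system-enforced rule violations for a password (length, spaces, charset)."""
    problems = []
    if not PASSWORD_MIN <= len(pw) <= PASSWORD_MAX:
        problems.append(f"password length {len(pw)} not in {PASSWORD_MIN}-{PASSWORD_MAX}")
    if " " in pw:
        problems.append("password must not contain spaces")
    bad = sorted(set(pw) - PASSWORD_ALLOWED - {" "})
    if bad:
        problems.append("password has disallowed characters: " + repr("".join(bad)))
    return problems


def character_classes(pw: str) -> int:
    """Count the lower/upper/digit/punctuation classes present in the password."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, PASSWORD_PUNCT)
    return sum(any(c in cls for c in pw) for cls in classes)


def audit_credentials(user: str, pw: str) -> list:
    """System rules plus local policy; an empty list means no findings."""
    findings = check_username(user) + check_password(pw)
    if DEFAULT_PASSWORDS.get(user) == pw:
        findings.append(f"{user!r} still uses the factory default password from Table 3-1")
    if character_classes(pw) < MIN_CHARACTER_CLASSES:
        findings.append(f"password uses fewer than {MIN_CHARACTER_CLASSES} character classes (local policy)")
    return findings


def user_define_command(user: str, pw: str, category: str) -> str:
    """Build the XCLI user_define line of Example 3-4, refusing credentials with findings."""
    findings = audit_credentials(user, pw)
    if findings:
        raise ValueError("; ".join(findings))
    name = f'"{user}"' if " " in user else user  # quote names with spaces, as the chapter's tip does for groups
    return f"user_define user={name} password={pw} password_verify={pw} category={category}"


if __name__ == "__main__":
    for u, p in (("admin", "adminadmin"), ("lab_user", "XIV-R3"), ("bad/name", "has space")):
        print(f"{u}: {audit_credentials(u, p) or 'ok'}")
```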
User roles
Eight predefined user roles exist in the Storage Management GUI and the CLI. In the CLI, roles are also referred to as categories, and they are used for day-to-day operation of the storage system. Multiple users can be created for the first four roles that are listed (storageadmin, applicationadmin, securityadmin, and readonly). The other four roles are preassigned by the system, and they do not allow additional users to be created with these roles.
The following section describes predefined roles, their level of access, and applicable use:
Storage administrator
The storage administrator (storageadmin) role is the user role with the highest level of access that is available on the system. A user that is assigned to this role can change any system resource, except for maintaining physical components, changing the status of physical components, or making changes that relate to encryption.
Application administrator
The application administrator (applicationadmin) role provides flexible access control over volume snapshots. A user that is assigned to the applicationadmin role can create snapshots of volumes, perform mapping of their own snapshots to assigned hosts, and delete their own snapshots.
The user group to which an application administrator belongs determines the hosts and their related set of mapped volumes that the application administrator is allowed to manage. If a user group is defined with access_all="yes", application administrators who are members of that group can manage all volumes on the system. For more information about user group membership and group-to-host association, see “User groups” on page 100.
Security administrator
The security administrator (securityadmin) role is used to manage certificates, key servers, and other items that relate to encryption. At least two security administrators must be defined because two is the minimum number that is required to enable recovery keys.
Operations administrator
Users that are assigned to the operations role (readonly) can view system information only. A typical use for the operations role is a user who is responsible for monitoring system status, system reporting, and message logging. This user must not be permitted to change the system.
Technician
The technician role has a single predefined user name (technician) assigned to it, and it is intended to be used by IBM support personnel for maintaining the physical components of the system. The technician is limited to physical system maintenance and phasing components in or out of service. The technician's access to the system is restricted: the technician cannot make any configuration changes to pools, volumes, or host definitions on the storage system.
xiv_development
This single predefined user name is assigned to the xiv_development role, and it is intended to be used by IBM development personnel.
xiv_maintenance
This single predefined user name is assigned to the xiv_maintenance role, and it is intended to be used by IBM maintenance personnel.
xiv_hostprofiler
This single predefined user name is assigned to the xiv_hostprofiler role, and it is intended to be used for gathering additional information about hosts that are attached to the IBM XIV Storage System.
 
User roles: It is not possible to add user roles or to modify predefined roles. In native authentication mode, after a user is assigned a role, the only way to assign a new role is to first delete the user account and then re-create it.
Native authentication mode implements the user role mechanism as a form of role-based access control (RBAC). Each predefined user role determines the level of system access and associated functions that a user is allowed to use.
 
RBAC: IBM XIV Gen3, IBM FlashSystem A9000 and A9000R, and IBM Spectrum Accelerate software use role-based access control (RBAC) for their authentication and authorization mechanisms.
All user accounts must be assigned to a single user role. Assignment to multiple roles is not permitted. Deleting or modifying role assignment of natively authenticated users is also not permitted. Do not confuse this concept with domains. The concept of domains is a separate construct, and multiple domains can be associated with a user’s single role.
Global administrator and domain administrator
When you add a user, the user can be assigned to the global space (no domain) or several domains that are defined on IBM XIV Gen3, IBM FlashSystem A9000 and A9000R, and IBM Spectrum Accelerate software, as shown in Figure 3-1.
Figure 3-1 Add a user to a domain
If a particular user needs to be assigned to multiple domains, the additional association must be made from the Domains view.
With the introduction of domains, two levels of authority exist for a user in a specific role:
Domain administrator
A user who is associated with one or more domains is a domain administrator, and the user has access rights (as implied by the user’s role, such as readonly or storageadmin) to the entities that are uniquely associated with the pertinent domains.
Global administrator
A user who is not associated with any domain is a global administrator, and the user has access rights to all of the entities that are not uniquely associated with a domain (global space).
A global administrator who is a storageadmin can create, edit, and delete domains, and they can associate resources with a domain.
An open or closed policy can be defined so that a global administrator can (or cannot) extend the reach into a domain.
The intervention of a global administrator who has permission for the global resources of the system is only needed for these situations:
 – Initial creation of the domain and the assignment of a domain administrator
 – Resolution of hardware issues
User groups
A user group is a group of application administrators who share a set of snapshot creation permissions. The permissions are enforced by associating the user groups with hosts or clusters. User groups have the following characteristics:
Only users that are assigned to the applicationadmin role can be members of a user group.
A user can be a member of a single user group.
A maximum of eight user groups can be created.
Group names are case-sensitive.
In native authentication mode, a user group can contain up to eight members.
If a user group is defined with access_all="yes", users that are assigned to the applicationadmin role who are members of that group can manage all snapshots on the system.
A user must be assigned to the storageadmin role to be permitted to create and manage user groups.
 
Important: A user group membership can be defined only for users who are assigned to the applicationadmin role.
User group and host associations
Hosts and clusters can be associated with only one user group. When a user is a member of a user group that is associated with a host, that user is allowed to manage the snapshots of the volumes that are mapped to that host.
User group and host associations have the following properties:
User groups can be associated with both hosts and clusters. This configuration enables limiting group member access to specific volumes.
A host that is part of a cluster can be associated with a user group only through a user group to cluster association. Any attempt to create a user group association directly for that host fails.
When a host is added to a cluster, the association of that host is removed. Limitations on the management of volumes that are mapped to the host are controlled by the association of the cluster.
When a host is removed from a cluster, the association of that cluster remains unchanged. This configuration enables the continuity of operations so that all scripts that rely on this association continue to work.
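The user group and host association rules above, modelled as an added Python example (not IBM code) so that a planned user_group_create, user_group_add_user or access_define change can be checked against the stated constraints before it is issued. The class AccessModel and the methods cluster_add_host and cluster_remove_host are ours, not XCLI commands.

```python
"""Model of the native-mode user group and host association rules.

Added example, not IBM code: mirrors the constraints stated in the "User groups"
and "User group and host associations" passages, including the rule that once a
host joins a cluster the cluster's association governs its volumes.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

MAX_USER_GROUPS = 8
MAX_GROUP_MEMBERS = 8  # native authentication mode


@dataclass
class UserGroup:
    name: str
    access_all: bool = False
    members: Set[str] = field(default_factory=set)


@dataclass
class AccessModel:
    roles: Dict[str, str]                                        # user -> role (category)
    groups: Dict[str, UserGroup] = field(default_factory=dict)   # group name -> group
    associations: Dict[str, str] = field(default_factory=dict)   # host or cluster -> group
    cluster_of: Dict[str, str] = field(default_factory=dict)     # host -> cluster

    def user_group_create(self, name: str, access_all: bool = False) -> None:
        if len(self.groups) >= MAX_USER_GROUPS:
            raise ValueError(f"at most {MAX_USER_GROUPS} user groups can exist")
        if name in self.groups:  # names are case-sensitive: 'Grp' and 'grp' are distinct
            raise ValueError(f"user group {name!r} already exists")
        self.groups[name] = UserGroup(name, access_all)

    def user_group_add_user(self, group: str, user: str) -> None:
        if self.roles.get(user) != "applicationadmin":
            raise ValueError("only applicationadmin users can belong to a user group")
        if self.group_of(user) is not None:
            raise ValueError(f"{user!r} is already a member of a user group")
        g = self.groups[group]
        if len(g.members) >= MAX_GROUP_MEMBERS:
            raise ValueError(f"user group {group!r} already has {MAX_GROUP_MEMBERS} members")
        g.members.add(user)

    def access_define(self, group: str, target: str) -> None:
        """Associate a host or a cluster with a user group (one association per target)."""
        if group not in self.groups:
            raise KeyError(group)
        if target in self.cluster_of:
            raise ValueError(f"host {target!r} is in a cluster; associate the cluster instead")
        if target in self.associations:
            raise ValueError(f"{target!r} is already associated with {self.associations[target]!r}")
        self.associations[target] = group

    def cluster_add_host(self, cluster: str, host: str) -> None:
        # The host's own association is removed; the cluster's association now governs it.
        self.cluster_of[host] = cluster
        self.associations.pop(host, None)

    def cluster_remove_host(self, host: str) -> None:
        # The cluster keeps its association; the departing host has none of its own.
        self.cluster_of.pop(host, None)

    def group_of(self, user: str) -> Optional[UserGroup]:
        return next((g for g in self.groups.values() if user in g.members), None)

    def can_manage_snapshots(self, user: str, host: str) -> bool:
        """True if user may manage snapshots of the volumes that are mapped to host."""
        g = self.group_of(user)
        if g is None:
            return False
        if g.access_all:
            return True
        target = self.cluster_of.get(host, host)  # clustered host: the cluster's association applies
        return self.associations.get(target) == g.name
```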
Optional account attributes
In this section, we describe optional attributes for email and phone numbers:
Email: Email is used to notify specific users about events through email messages. Email addresses must follow standard formatting procedures.
Acceptable value: Any valid email address. A default value is not defined.
Phone: Phone numbers are used to send Short Message Service (SMS) messages to notify specific users about system events. Phone numbers and area codes can be a maximum of 63 digits, hyphens (-), and periods (.).
Acceptable value: Any valid telephone number. A default value is not defined.
3.2.2 Managing user accounts
This section illustrates the procedure for managing user accounts, groups, and group membership in IBM XIV Gen3, IBM FlashSystem A9000 and A9000R, and IBM Spectrum Accelerate software.
Adding users
This process requires that you first log on to IBM Hyper-Scale Manager with storage administrator access rights (storageadmin role). If you are accessing the system for the first time, use the predefined user admin (the default password is adminadmin).
Follow these steps to add a new user:
1. In the main GUI window, click NEW+ in the upper-right corner of the window. The CREATE NEW menu opens, as shown in Figure 3-2.
Figure 3-2 Create New menu
2. Click User. The Add User window opens. The name, system, and password are required fields. The default category for a new user is Storage Administrator. Use the drop-down list to select the correct category for the user. An optional field is Domains. This field is used if the user must be associated with a domain. For more information about domains, see Chapter 4, “Multitenancy” on page 111.
3. Click Create, as shown in Figure 3-3, to create the new user.
Figure 3-3 Add user window
Removing users
User maintenance is important for security. It involves removing users when they leave the company or their job changes and they no longer need access to the same systems.
To remove or delete a user, ensure that you log on with the security administrator role and perform the following steps:
1. Click the ACCESS VIEWS icon on the left side of the window. The ACCESS VIEWS menu is shown in Figure 3-4.
Figure 3-4 ACCESS VIEWS menu
2. Click Users in this menu. A list of users that is similar to Figure 3-5 is displayed.
Figure 3-5 List of users
 
Note: /Global Space/ in the domain field means that the user is not associated with a domain.
3. Click the user name that you want to delete (1 in Figure 3-6). Then, click the Actions tab (2 in Figure 3-6). The Actions menu opens as shown in Figure 3-6.
Figure 3-6 User actions menu
4. From the Actions menu, when you hover over Delete, you see the Delete User(s) option that is shown in Figure 3-7. Click Delete User(s). You are prompted for a confirmation.
Figure 3-7 Delete a user
5. The confirmation that is shown in Figure 3-8 gives you one last chance to cancel the deletion of this user. If you are certain that you want to delete the user that is named in the message, click Delete.
Figure 3-8 Confirm to delete the user
 
Note: Default users cannot be removed.
User groups
Create a group by selecting the NEW → User Group option on the top menu bar. This option displays the Create User Group window as shown in Figure 3-9. In this image, we expanded the explanation for the Limited Access value.
Figure 3-9 System selection for a new user group
Complete the required information for the new user group and select either Limited Access or Full Access. Click Create to create the group.
After you create the user group, it is a simple task to create a user in the group by selecting the group from the table view (Access Views → User Groups) and then selecting Actions → Members → Create User Here. This action prepopulates the system, user group, and domain fields, as shown in Figure 3-10. Complete the remaining required fields (name and password) and select the correct category for the user. We created the group with limited access and selected the user category of Application Administrator.
Figure 3-10 Add a user to an existing user group
The new group will then be displayed in the table view under Access Views → User Groups.
To create a user group with the CLI, use the user_group_create command. An example of this command is shown in Example 3-1.
Example 3-1 Create a user group
>>user_group_create user_group=itso_application_group
Command executed successfully.
 
Tip: If you use spaces in user group names, enclose the name in double quotation marks, such as "new group name".
3.2.3 Security considerations for Hyper-Scale Manager
When you first log on to the system from the GUI by using the default admin credentials, you get unrestricted access to the system. You use this unrestricted access to change the Hyper-Scale Manager settings. This unrestricted or advanced login mode is indicated by the check mark that is displayed next to the Management Server icon as shown in Figure 3-11.
Figure 3-11 Management Server access
Complete the following steps:
1. With the unrestricted access, from the GUI Dashboard, select the Settings icon, and then click Management Server from the menu as shown in Figure 3-12.
Figure 3-12 Management Server preferences
2. You can then change the access restriction and specify a new access code (a new password) from the Security menu as shown in Figure 3-13.
Figure 3-13 Change the access code
3. You can also change the monitoring account password, as shown in Figure 3-14.
Figure 3-14 Change the monitoring account password
The same actions can also be performed directly on the Hyper-Scale Manager server by using the Hyper-Scale Manager configuration menu.
3.2.4 Managing user accounts by using the XCLI
This section summarizes the commands and options that are available to manage user accounts, user roles, user groups, group memberships, and user group to host associations through the XCLI.
Table 3-2 shows the various commands and a brief description for each command. The table also indicates the user role that is required to issue specific commands.
Table 3-2 XCLI access control commands

| Command | Description | Role that is required to use the command |
|---|---|---|
| access_define | Defines an association between a user group and a host. | storageadmin |
| access_delete | Deletes an access control definition. | storageadmin |
| access_list | Lists access control definitions. | storageadmin, readonly, and applicationadmin |
| user_define | Defines a new user. | storageadmin and securityadmin |
| user_delete | Deletes a user. | storageadmin and securityadmin |
| user_list | Lists all users or a specific user. | storageadmin, readonly, securityadmin, and applicationadmin |
| user_rename | Renames a user. | storageadmin and securityadmin |
| user_update | Updates a user. You can rename the user, change a password, modify the Access All setting, modify email, modify the area code, or modify the phone number. | storageadmin, applicationadmin, and securityadmin |
| user_group_add_user | Adds a user to a user group. | storageadmin |
| user_group_create | Creates a user group. | storageadmin |
| user_group_delete | Deletes a user group. | storageadmin |
| user_group_list | Lists all user groups or a specific one. | storageadmin, readonly, and applicationadmin |
| user_group_remove_user | Removes a user from a user group. | storageadmin |
| user_group_rename | Renames a user group. | storageadmin |
| user_group_update | Updates a user group. | storageadmin |
| domain_list_users | Lists users that are associated with domains. | storageadmin, securityadmin, applicationadmin, readonly, and technician |
| domain_add_user | Associates a user with a domain. | storageadmin and securityadmin |
| domain_remove_user | Disassociates a user from a domain. | storageadmin and securityadmin |
Adding users with the XCLI
Before you complete the following steps, you must install the XCLI component on the management workstation. A storageadmin user is required. The following examples assume a Microsoft Windows management workstation.
To add users, complete the following steps:
1. Use the user_list command to obtain the list of predefined users and categories, as shown in Example 3-2. This example assumes that no users, other than the default users, were added to the system.
Example 3-2 XCLI user_list
>>user_list
Name             Category          Group                Active ...  Access All
xiv_development  xiv_development                        yes
xiv_maintenance  xiv_maintenance                        yes
admin            storageadmin                           yes
technician       technician                             yes
itso             storageadmin                           yes
lab_admin        applicationadmin  Application01_Group  yes    ...  no
2. If this system is a new system, change the default password for the admin user by running user_update, as shown in Example 3-3.
Example 3-3 XCLI user_update
>>user_update user=admin password=New-Passw0rd password_verify=New-Passw0rd
Command executed successfully.
3. Add a user, as shown in Example 3-4. Define a user by using a unique name, a password, and a role (which is designated here as category).
Example 3-4 XCLI user_define
>>user_define user=lab_user password=XIV-R3 password_verify=XIV-R3 category=applicationadmin
Command executed successfully.
To add a user to a domain, complete the following steps:
1. Use the domain_list_users command to obtain the list of predefined and domain-associated users and their categories, as shown in Example 3-5. This example assumes that a domain was defined and that one domain-associated administrator user is present in the system.
Example 3-5 XCLI domain_list_users
XIV_PFE2_1340010>>domain_list_users
Domain     User             Category
ITSO_d1    ITSO_User1       storageadmin
no-domain  Residency        applicationadmin
no-domain  xiv_development  xiv_development
no-domain  xiv_maintenance  xiv_maintenance
no-domain  admin            storageadmin
no-domain  technician       technician
no-domain  xiv_hostprofiler xiv_hostprofiler
2. Add the same user to another domain, as shown in Example 3-6. The example assumes that another domain was defined. Specify the domain and user name. A user can have a domain administrator role in more than one domain.
Example 3-6 XCLI domain_add_user
XIV_PFE2_1340010>>domain_add_user domain=pfe.ibm user=ITSO_User1
Command executed successfully.
Defining user groups with the XCLI
To define a user group, complete the following steps:
1. Run user_group_create, as shown in Example 3-7, to create a user group that is called Application03_Mainz.
Example 3-7 XCLI user_group_create
>>user_group_create user_group=Application03_Mainz
Command executed successfully.
 
Note: Avoid spaces in user group names. If spaces are required, the group name must be placed between quotation marks, such as "name with spaces".
The Application03_Mainz user group is empty, and it has no associated host. The next step is to associate a host or a cluster.
2. Associate the Application03_Mainz user group to the Application_host01 host, as shown in Example 3-8.
Example 3-8 XCLI access_define
>>access_define user_group=Application03_Mainz host=Application_host01
Command executed successfully.
A host is assigned to the user group. The user group does not have any users that are included in the user group yet.
3. Add the first user, as shown in Example 3-9.
Example 3-9 XCLI user_group_add_user
>>user_group_add_user user_group=Application03_Mainz user=lab_user
Command executed successfully.
The user lab_user was assigned to the Application03_Mainz user group. This user is an applicationadmin with the Full Access right set to no.