IBM System Storage DS8000: LDAP Authentication - IBM Redbooks
Front cover<br />
<strong>IBM</strong> <strong>System</strong> <strong>Storage</strong> <strong>DS8000</strong>:<br />
<strong>LDAP</strong> <strong>Authentication</strong><br />
Implement <strong>LDAP</strong> authentication<br />
for the <strong>DS8000</strong><br />
Configure the required Tivoli<br />
Productivity Center v4.1<br />
Benefit from single<br />
sign-on<br />
Bertrand Dufrasne<br />
Marcus Gorzellik<br />
Gabor Penzes<br />
ibm.com/redbooks Redpaper
International Technical Support Organization<br />
<strong>IBM</strong> <strong>System</strong> <strong>Storage</strong> <strong>DS8000</strong>: <strong>LDAP</strong> <strong>Authentication</strong><br />
May 2009<br />
REDP-4505-00
Note: Before using this information and the product it supports, read the information in “Notices” on page v.<br />
First Edition (May 2009)<br />
This edition applies to the <strong>IBM</strong> <strong>System</strong> <strong>Storage</strong> <strong>DS8000</strong> with Licensed Machine Code 5.4.20.xx (code bundles<br />
64.20.x.x).<br />
© Copyright International Business Machines Corporation 2009. All rights reserved.<br />
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule<br />
Contract with <strong>IBM</strong> Corp.
Contents<br />
Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .v<br />
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi<br />
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii<br />
The team that wrote this paper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii<br />
Become a published author . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii<br />
Comments welcome. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii<br />
Chapter 1. <strong>LDAP</strong> authentication for <strong>DS8000</strong>. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1<br />
1.1 <strong>DS8000</strong> basic user management and access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2<br />
1.2 Directory Services and <strong>LDAP</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5<br />
1.3 Overview of <strong>LDAP</strong>-based authentication for the <strong>DS8000</strong> . . . . . . . . . . . . . . . . . . . . . . . . 7<br />
1.4 Benefits for <strong>DS8000</strong> administrators and users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8<br />
Chapter 2. Implementing <strong>LDAP</strong> for the <strong>DS8000</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11<br />
2.1 Test environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12<br />
2.2 Installing the <strong>LDAP</strong> servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12<br />
2.3 Installing and configuring the Tivoli <strong>Storage</strong> Productivity Center servers . . . . . . . . . . . 13<br />
2.4 Creating the certificates and the truststore file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13<br />
2.4.1 Creating the certificate and the truststore file on TPC server1 . . . . . . . . . . . . . . . 13<br />
2.4.2 Setting up TPC server2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18<br />
2.4.3 Copying the truststore file from TPC server1 to TPC server2. . . . . . . . . . . . . . . . 22<br />
2.5 Configuring the <strong>DS8000</strong> for <strong>LDAP</strong> authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22<br />
Chapter 3. User, group, and role administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33<br />
3.1 <strong>DS8000</strong> to <strong>LDAP</strong> groups mappings using the DS GUI . . . . . . . . . . . . . . . . . . . . . . . . . 34<br />
3.2 <strong>DS8000</strong> to <strong>LDAP</strong> groups mappings using the DS CLI . . . . . . . . . . . . . . . . . . . . . . . . . 35<br />
3.3 User administration for Tivoli <strong>Storage</strong> Productivity Center servers. . . . . . . . . . . . . . . . 36<br />
3.3.1 Tivoli <strong>Storage</strong> Productivity Center roles to <strong>LDAP</strong> group mappings. . . . . . . . . . . . 36<br />
Appendix A. Installing Tivoli <strong>Storage</strong> Productivity Center 4.1 on<br />
Windows Server 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39<br />
Appendix B. Configuring Tivoli <strong>Storage</strong> Productivity Center for <strong>DS8000</strong> <strong>LDAP</strong><br />
authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51<br />
B.1 Securing the administration, applications, and infrastructure settings . . . . . . . . . . . . . 52<br />
B.2 Configuring federated repositories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53<br />
B.3 Adding a base entry to a realm. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54<br />
B.4 Setting additional properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57<br />
B.5 Managing users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60<br />
Appendix C. Installing Tivoli Directory Server v6.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61<br />
C.1 Installing the server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62<br />
C.2 Configuring the server instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66<br />
Appendix D. Installing open<strong>LDAP</strong> in a SUSE Linux environment . . . . . . . . . . . . . . . . 73<br />
D.1 Installing the required <strong>LDAP</strong> packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74<br />
D.2 Configuring the <strong>LDAP</strong> server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75<br />
D.3 Configuring the <strong>LDAP</strong> client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75<br />
Appendix E. <strong>LDAP</strong> structure overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81<br />
Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85<br />
<strong>IBM</strong> <strong>Redbooks</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85<br />
Other publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85<br />
How to get <strong>Redbooks</strong>. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85<br />
Help from <strong>IBM</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85<br />
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87<br />
Notices<br />
This information was developed for products and services offered in the U.S.A.<br />
<strong>IBM</strong> may not offer the products, services, or features discussed in this document in other countries. Consult<br />
your local <strong>IBM</strong> representative for information on the products and services currently available in your area. Any<br />
reference to an <strong>IBM</strong> product, program, or service is not intended to state or imply that only that <strong>IBM</strong> product,<br />
program, or service may be used. Any functionally equivalent product, program, or service that does not<br />
infringe any <strong>IBM</strong> intellectual property right may be used instead. However, it is the user's responsibility to<br />
evaluate and verify the operation of any non-<strong>IBM</strong> product, program, or service.<br />
<strong>IBM</strong> may have patents or pending patent applications covering subject matter described in this document. The<br />
furnishing of this document does not give you any license to these patents. You can send license inquiries, in<br />
writing, to:<br />
<strong>IBM</strong> Director of Licensing, <strong>IBM</strong> Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.<br />
The following paragraph does not apply to the United Kingdom or any other country where such<br />
provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION<br />
PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR<br />
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,<br />
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of<br />
express or implied warranties in certain transactions, therefore, this statement may not apply to you.<br />
This information could include technical inaccuracies or typographical errors. Changes are periodically made<br />
to the information herein; these changes will be incorporated in new editions of the publication. <strong>IBM</strong> may make<br />
improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time<br />
without notice.<br />
Any references in this information to non-<strong>IBM</strong> Web sites are provided for convenience only and do not in any<br />
manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the<br />
materials for this <strong>IBM</strong> product and use of those Web sites is at your own risk.<br />
<strong>IBM</strong> may use or distribute any of the information you supply in any way it believes appropriate without incurring<br />
any obligation to you.<br />
Information concerning non-<strong>IBM</strong> products was obtained from the suppliers of those products, their published<br />
announcements or other publicly available sources. <strong>IBM</strong> has not tested those products and cannot confirm the<br />
accuracy of performance, compatibility or any other claims related to non-<strong>IBM</strong> products. Questions on the<br />
capabilities of non-<strong>IBM</strong> products should be addressed to the suppliers of those products.<br />
This information contains examples of data and reports used in daily business operations. To illustrate them<br />
as completely as possible, the examples include the names of individuals, companies, brands, and products.<br />
All of these names are fictitious and any similarity to the names and addresses used by an actual business<br />
enterprise is entirely coincidental.<br />
COPYRIGHT LICENSE:<br />
This information contains sample application programs in source language, which illustrate programming<br />
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in<br />
any form without payment to <strong>IBM</strong>, for the purposes of developing, using, marketing or distributing application<br />
programs conforming to the application programming interface for the operating platform for which the sample<br />
programs are written. These examples have not been thoroughly tested under all conditions. <strong>IBM</strong>, therefore,<br />
cannot guarantee or imply reliability, serviceability, or function of these programs.<br />
Trademarks<br />
<strong>IBM</strong>, the <strong>IBM</strong> logo, and ibm.com are trademarks or registered trademarks of International Business Machines<br />
Corporation in the United States, other countries, or both. These and other <strong>IBM</strong> trademarked terms are<br />
marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating US<br />
registered or common law trademarks owned by <strong>IBM</strong> at the time this information was published. Such<br />
trademarks may also be registered or common law trademarks in other countries. A current list of <strong>IBM</strong><br />
trademarks is available on the Web at http://www.ibm.com/legal/copytrade.shtml<br />
The following terms are trademarks of the International Business Machines Corporation in the United States,<br />
other countries, or both:<br />
AIX®<br />
DB2®<br />
Domino®<br />
DS6000<br />
<strong>DS8000</strong>®<br />
Enterprise <strong>Storage</strong> Server®<br />
i5/OS®<br />
<strong>IBM</strong>®<br />
Lotus®<br />
<strong>Redbooks</strong>®<br />
<strong>Redbooks</strong> (logo) ®<br />
Redpaper<br />
<strong>System</strong> <strong>Storage</strong><br />
Tivoli®<br />
WebSphere®<br />
z/OS®<br />
The following terms are trademarks of other companies:<br />
SUSE, the Novell logo, and the N logo are registered trademarks of Novell, Inc. in the United States and other<br />
countries.<br />
Interchange, Red Hat, and the Shadowman logo are trademarks or registered trademarks of Red Hat, Inc. in<br />
the U.S. and other countries.<br />
Java, Solaris, Sun, and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United<br />
States, other countries, or both.<br />
Active Directory, Microsoft, Windows Server, Windows, and the Windows logo are trademarks of Microsoft<br />
Corporation in the United States, other countries, or both.<br />
UNIX is a registered trademark of The Open Group in the United States and other countries.<br />
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.<br />
Other company, product, or service names may be trademarks or service marks of others.
Preface<br />
Starting with release 4.2, the <strong>IBM</strong>® <strong>System</strong> <strong>Storage</strong> <strong>DS8000</strong>® series offers the ability to<br />
replace the locally based user ID and password administration with a centralized directory<br />
based approach. This release also allows a single sign-on capability for multiple <strong>DS8000</strong><br />
servers and possibly other servers in your environment.<br />
This <strong>IBM</strong> Redpaper publication helps <strong>DS8000</strong> storage administrators understand the<br />
concepts and benefits of directories. It provides information that is required for implementing a<br />
<strong>DS8000</strong> authentication approach based on the Lightweight Directory Access Protocol (<strong>LDAP</strong>).<br />
The team that wrote this paper<br />
This paper was produced by a team of specialists from around the world working with the<br />
International Technical Support Organization (ITSO).<br />
Bertrand Dufrasne is an <strong>IBM</strong> Certified Consulting IT Specialist and Project Leader for <strong>IBM</strong><br />
<strong>System</strong> <strong>Storage</strong> disk products at the ITSO in San Jose, CA. He has worked at <strong>IBM</strong> in various<br />
IT areas, has written many <strong>IBM</strong> <strong>Redbooks</strong>® publications, and has developed and taught<br />
technical workshops. Before joining the ITSO, he worked for <strong>IBM</strong> Global Services as an<br />
Application Architect in the retail, banking, telecommunications, and healthcare industries. He<br />
holds a master's degree in electrical engineering from the Polytechnic Faculty of Mons<br />
(Belgium).<br />
Marcus Gorzellik is an <strong>IBM</strong> Certified Specialist for High End Disk Solutions, working for the<br />
High End <strong>Storage</strong> <strong>System</strong> Support Center in Mainz, Germany. He has 12 years of experience<br />
in PC/server and network hardware support. For the past four years, he has provided support<br />
for Customer and Customer Service representatives with High End Disk Subsystems, such<br />
as the <strong>IBM</strong> <strong>System</strong> <strong>Storage</strong> <strong>DS8000</strong>, DS6000, and Enterprise <strong>Storage</strong> Server® (ESS). His<br />
focus is open systems attachment of high-end storage including AIX®, Microsoft®<br />
Windows®, and Linux®.<br />
Gabor Penzes is a Test Engineer and <strong>System</strong> Administrator, working with <strong>DS8000</strong> servers in<br />
Vac, Hungary. His focus is storage and highly available cluster systems on AIX and Linux<br />
platforms. He has more than 10 years of experience in planning, developing, and supporting<br />
UNIX®-based storage and server system architectures and networks. Gabor holds a degree<br />
in information engineering from the University of Pecs (Hungary).<br />
A special thank you to the following people:<br />
► John Bynum of <strong>IBM</strong> U.S.<br />
► Lisa Martinez of the <strong>IBM</strong> Tucson lab for providing equipment in support of this project<br />
► Jens Wissenbach of <strong>IBM</strong> Germany for his preliminary work, on which we based some<br />
parts of this paper<br />
Thanks to the following people for their contributions to this project:<br />
Sondra Ashmore, Kevin Gibble, Rakesh Jain, Markus Navarro, Thuan Q. Nguyen, and Kavita<br />
Shah of <strong>IBM</strong> U.S.<br />
Uwe Dubberke and Gerhard Pieper of <strong>IBM</strong> Germany<br />
Brian Sherman of <strong>IBM</strong> Canada<br />
Become a published author<br />
Join us for a two- to six-week residency program! Help write a book dealing with specific<br />
products or solutions, while getting hands-on experience with leading-edge technologies. You<br />
will have the opportunity to team with <strong>IBM</strong> technical professionals, Business Partners, and<br />
Clients.<br />
Your efforts will help increase product acceptance and customer satisfaction. As a bonus, you<br />
will develop a network of contacts in <strong>IBM</strong> development labs, and increase your productivity<br />
and marketability.<br />
Find out more about the residency program, browse the residency index, and apply online at:<br />
ibm.com/redbooks/residencies.html<br />
Comments welcome<br />
Your comments are important to us!<br />
We want our papers to be as helpful as possible. Send us your comments about this paper or<br />
other <strong>IBM</strong> <strong>Redbooks</strong> in one of the following ways:<br />
► Use the online Contact us review <strong>Redbooks</strong> form found at:<br />
ibm.com/redbooks<br />
► Send your comments in an e-mail to:<br />
redbooks@us.ibm.com<br />
► Mail your comments to:<br />
<strong>IBM</strong> Corporation, International Technical Support Organization<br />
Dept. HYTD Mail Station P099<br />
2455 South Road<br />
Poughkeepsie, NY 12601-5400<br />
Chapter 1. <strong>LDAP</strong> authentication for <strong>DS8000</strong><br />
Starting with Licensed Machine Code (LMC) level 5.4.20.xx, the <strong>DS8000</strong> offers the capability<br />
to use Directory Services-based user authentication. This capability relies on unique features<br />
of the Tivoli® <strong>Storage</strong> Productivity Center 4.1 and the Tivoli Integrated Portal, in conjunction<br />
with the Lightweight Directory Access Protocol (<strong>LDAP</strong>).<br />
Previous versions of the <strong>DS8000</strong> code only supported local user management (basic user<br />
management). Maintaining local repositories of users and their permissions is simple and<br />
convenient when only dealing with a small number of users and a small number of <strong>DS8000</strong><br />
servers or other systems. However, as the number of users and interconnected systems<br />
grows, authentication management quickly becomes difficult and time consuming.<br />
The benefits of a centralized user management approach can be substantial when<br />
considering the size and complexity of the overall IT environment. In this chapter, we review<br />
some of the benefits of this approach. Although the benefits from <strong>LDAP</strong> are substantial, you<br />
must also evaluate the substantial planning effort and complexity of deploying centralized<br />
Directory Services, if they are not already in place.<br />
We also briefly review the <strong>DS8000</strong> local user management and user access methods. In<br />
addition, we provide an overview of the new <strong>LDAP</strong>-based authentication, the technology<br />
used, and the potential benefits.<br />
1.1 <strong>DS8000</strong> basic user management and access<br />
Basic user management refers to the local user management approach. Until the availability of<br />
Licensed Machine Code 5.42.xx.xx, basic user management was the only supported<br />
capability. In this section, we review the characteristics of the local user management<br />
approach.<br />
Basic user management for the <strong>DS8000</strong> is based on the definition of user IDs, passwords,<br />
roles, and permissions. This information is stored in a user repository and maintained locally<br />
at the <strong>DS8000</strong> Hardware Management Console (HMC). The user repository is specific to a<br />
particular <strong>DS8000</strong> and cannot be shared with other <strong>DS8000</strong> servers in the enterprise.<br />
Consequently, if the same individuals must be administrators and users of multiple <strong>DS8000</strong><br />
servers within the enterprise, their user IDs, passwords, and roles must be separately created<br />
and individually maintained for each <strong>DS8000</strong> server.<br />
The Enterprise <strong>Storage</strong> <strong>System</strong> Network Interface (ESSNI) server, which resides on the HMC<br />
(Figure 1-1), is responsible for managing the security repository and establishing mappings<br />
between users and their role and permissions. The ESSNI server is also responsible for<br />
authenticating users.<br />
An administrator user ID is preconfigured during the installation of the <strong>DS8000</strong> with the<br />
following defaults:<br />
User ID admin<br />
Password admin<br />
Whenever a user is added, a password is initially assigned by the administrator. At the first<br />
sign-on, users must change their password. The user ID is deactivated when invalid passwords<br />
are entered more times than the limit that the administrator defines as part of the security<br />
settings.<br />
The password for each user account is forced to adhere to the following rules:<br />
► The length of the password must be between 6 and 16 characters.<br />
► The password must begin and end with a letter.<br />
► The password must have at least five letters.<br />
► The password must contain at least one number.<br />
► The password cannot be identical to the user ID.<br />
► The password cannot be a previous password.<br />
General password settings include the time period in days after which passwords expire and a<br />
number that identifies the number of failed logins that are allowed.<br />
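As an added illustration (not code from this Redpaper or from the DS8000 product), the following Python models the six password rules and the failed-login limit as a checker that reports every rule a candidate password violates. The record layout, the function names and the SHA-256 digest history are hypothetical; the password from Example 1-1 later in this chapter is used as a sample value.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed example: validator for the DS8000 basic-authentication password rules
# and the failed-login limit. Not code from the Redpaper or the product; the user
# record and function names are hypothetical.

PASSWORD_MIN, PASSWORD_MAX = 6, 16


def _digest(password: str) -> str:
    """Keep only a digest of past passwords. Demonstration only: a production
    repository would use a salted, slow password hash, not plain SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class BasicAuthUser:
    """A local (HMC-resident) user record. The layout is illustrative and is not
    the real ESSNI security repository."""
    user_id: str
    password_digests: list = field(default_factory=list)  # oldest first, current last
    failed_logins: int = 0
    active: bool = True


def check_password_rules(password: str, user_id: str, previous_digests: list) -> list:
    """Return the rules the candidate violates; an empty list means it is accepted."""
    violations = []
    if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
        violations.append("length must be between 6 and 16 characters")
    if not (password[:1].isalpha() and password[-1:].isalpha()):
        violations.append("must begin and end with a letter")
    if sum(ch.isalpha() for ch in password) < 5:
        violations.append("must have at least five letters")
    if not any(ch.isdigit() for ch in password):
        violations.append("must contain at least one number")
    if password == user_id:  # the rule says "identical", so the comparison is exact
        violations.append("cannot be identical to the user ID")
    if _digest(password) in previous_digests:
        violations.append("cannot be a previous password")
    return violations


def set_password(user: BasicAuthUser, new_password: str) -> list:
    """Apply the rules; on success record the digest and return an empty list."""
    violations = check_password_rules(new_password, user.user_id, user.password_digests)
    if not violations:
        user.password_digests.append(_digest(new_password))
        user.failed_logins = 0
    return violations


def attempt_login(user: BasicAuthUser, password: str, max_failed_logins: int) -> bool:
    """Model the lockout setting: once the count of failed attempts exceeds the
    configured limit, the user ID is deactivated."""
    if not user.active or not user.password_digests:
        return False
    if _digest(password) == user.password_digests[-1]:
        user.failed_logins = 0
        return True
    user.failed_logins += 1
    if user.failed_logins > max_failed_logins:
        user.active = False
    return False


if __name__ == "__main__":
    user = BasicAuthUser("csadmin")
    print(set_password(user, "AB9cdefg"))             # [] : the Example 1-1 password passes
    print(check_password_rules("admin", "admin", []))  # the default admin/admin pair fails
```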
User management is restricted to the following predefined user roles:<br />
Administrator: Allows access to all storage management console server service methods and all storage image resources.<br />
Logical operator: Allows access to service methods and resources that relate to logical volumes, hosts, host ports, logical subsystems, and volume groups, excluding security methods.<br />
Physical operator: Allows access to physical configuration service methods and resources, including <strong>Storage</strong> Complex, <strong>Storage</strong> Image, Rank, Array, and Extent Pool objects.<br />
Copy Services operator: Allows access to all Copy Services service methods and resources, excluding security methods.<br />
Monitor: Allows access to list and show commands. It provides access to all read-only, nonsecurity management console server service methods and resources.<br />
No access: Does not allow access to any service method or storage image resources. By default, this user group is assigned to any user account in the security repository that is not associated with any other user group.<br />
Communications between the <strong>DS8000</strong> HMC and the administrative clients are managed by a<br />
client/server connection between the <strong>DS8000</strong> HMC ESSNI server and the host running an<br />
ESSNI client. Regardless of the connection type, all connections must authenticate with a<br />
user and password against the ESSNI server that is running on the HMC.<br />
Figure 1-1 illustrates the different possible communications between administrative clients<br />
and the <strong>DS8000</strong> HMC, as well as the communication flow.<br />
[Figure 1-1: Administrative clients (a browser, a Microsoft Windows Remote Desktop session, a TPC host or SSPC running the TPC GUI and the DS GUI, and a DS CLI client) connect over TCP/IP through their ESSNI client to the ESSNI server on <strong>DS8000</strong> HMC 1 and <strong>DS8000</strong> HMC 2, which front DS8000 Complex 1 and DS8000 Complex 2. Each HMC holds its own user repository. <strong>Authentication</strong> without <strong>LDAP</strong> is managed by the ESSNI server regardless of the type of connection.]<br />
Figure 1-1 Communication between <strong>DS8000</strong> HMC and administrative clients<br />
An administrative client has the following possible connections:<br />
► Connection through the <strong>System</strong> <strong>Storage</strong> Productivity Center (SSPC)<br />
The ESSNI client is part of the Tivoli <strong>Storage</strong> Productivity Center running at the SSPC.<br />
► Connection from a browser connected to the SSPC or Tivoli <strong>Storage</strong> Productivity Center<br />
on any server<br />
The ESSNI client is part of the DS graphical user interface (GUI) that is started within a<br />
Java applet during the connection.<br />
► Connection from a separate Tivoli <strong>Storage</strong> Productivity Center workstation connected to<br />
the HMC<br />
The ESSNI client is part of the Tivoli <strong>Storage</strong> Productivity Center running on this<br />
workstation.<br />
► Connection by using Microsoft Windows Remote Desktop to the SSPC<br />
The ESSNI client is part of the Tivoli <strong>Storage</strong> Productivity Center running on the SSPC.<br />
► Connection directly to the HMC by using DS command line interface (CLI)<br />
The ESSNI client is part of the DS CLI.<br />
User management and administration are done by using the DS GUI (through the SSPC) or<br />
the DS CLI.<br />
To work with user administration:<br />
1. Sign on to the DS GUI.<br />
2. From the selection menu on the left (Figure 1-2), select Real-time manager → Monitor<br />
<strong>System</strong> and click User Administration.<br />
3. In the Basic <strong>Authentication</strong> User Administration panel on the right, click the Select action<br />
list and select Add user.<br />
Figure 1-2 Adding a user by using the DS GUI<br />
4. In the Add/Modify User window (Figure 1-3), add a user by entering the user ID, the<br />
temporary password, and the role. The role decides the type of activities that can be<br />
performed by this user. You can temporarily deactivate the user ID by selecting No access<br />
(only).<br />
Figure 1-3 Adding a user and selecting the role<br />
You can also use the DS CLI to perform user administration tasks. Example 1-1 illustrates use<br />
of the mkuser command to add a new user, named csadmin.<br />
Example 1-1 Adding a user by using the DS CLI<br />
dscli>mkuser -pw AB9cdefg -group service,op_copy_services csadmin<br />
Date/Time: 16. März 2009 15:01:33 GMT-07:00 <strong>IBM</strong> DSCLI Version: 5.4.2.540 DS: -<br />
CMUC00133I mkuser: User csadmin successfully created.<br />
For the exact syntax of any DS CLI command, see the <strong>IBM</strong> <strong>System</strong> <strong>Storage</strong> <strong>DS8000</strong>:<br />
Command-Line Interface User’s Guide, SC26-7916. You can also use the DS CLI help<br />
command for further assistance.<br />
1.2 Directory Services and <strong>LDAP</strong><br />
Until now, the local user management, as explained in 1.1, “<strong>DS8000</strong> basic user management<br />
and access” on page 2, has been the only possibility with the <strong>DS8000</strong> series. Maintaining<br />
local repositories of users and their permissions is simple and convenient when only dealing<br />
with a small number of users and a small number of <strong>DS8000</strong> servers or other systems.<br />
However, as the number of users and interconnected systems grows, it quickly becomes<br />
difficult and time consuming to manage.<br />
<strong>DS8000</strong> v4.2 can now exploit the possibilities offered by Directory Services and <strong>LDAP</strong> to<br />
simplify these management tasks. Directory Services typically provide a repository to store<br />
the location and other relevant information about resources, combined with an access method<br />
and related administration services. Common examples are a telephone directory and a<br />
library card catalog. For a telephone directory, the objects listed are individuals, businesses,<br />
and if applicable, the services they provide. Such information can be retrieved by name (white<br />
pages) or service categories (yellow pages).<br />
In computer terms, a directory is a specialized database, also called a data repository, that<br />
stores typed and ordered information about objects. Directories allow users or applications to<br />
find resources that have the characteristics needed for a particular task. A directory can also<br />
be used to store user IDs, passwords, and other credentials of system users. For example,<br />
the World Wide Web cannot function without a directory of available Web sites. This directory<br />
is what is referred to as a Domain Name Service or Domain Name <strong>System</strong> (DNS). The DNS<br />
allows users to search the Web for servers without any knowledge of the network address,<br />
host name, or IP address.<br />
A directory is often described as a database, but a specialized one that has characteristics<br />
that set it apart from general purpose relational databases. One special characteristic of<br />
directories is that they are accessed (read or searched) more often than they are updated<br />
(written). Hundreds of people might look up an individual’s phone number, or thousands of<br />
print clients might look up the characteristics of a particular printer, but the phone number or<br />
printer characteristics rarely change.<br />
Because the number of different networks and applications has grown, the number of<br />
specialized directories of information has also grown, resulting in islands of information that<br />
are difficult to share and manage. The ability to maintain and access all of this information in<br />
a consistent and controlled manner can provide a focal point for integrating a distributed<br />
environment into a consistent and seamless system.<br />
The <strong>LDAP</strong> is an open industry standard that has evolved to meet these needs. <strong>LDAP</strong> defines<br />
a standard method for accessing and updating information in a directory. <strong>LDAP</strong> has gained<br />
wide acceptance as the directory access method of the Internet and is, therefore, becoming<br />
strategic within corporate intranets.<br />
<strong>LDAP</strong> defines a communication protocol. That is, it defines the transport and format of<br />
messages that are used by a client to access data in an X.500-like directory. <strong>LDAP</strong> does not<br />
define the directory service itself. When people talk about the <strong>LDAP</strong> directory, they are<br />
referring to the information that is stored and that can be retrieved by the <strong>LDAP</strong> protocol.<br />
All <strong>LDAP</strong> servers share many basic characteristics because they are based on the industry<br />
standard Request for Comments (RFCs). However, because of implementation differences,<br />
they are not all completely compatible with each other when a standard is not defined. For<br />
more information about RFCs, particularly regarding <strong>LDAP</strong> RFC 4510-4533, see the following<br />
Web address:<br />
http://www.ietf.org/rfc.html<br />
The implementation of a directory service is based on a client/server relationship. If an<br />
application needs data from an object stored in a directory, the application must integrate with<br />
a client that connects to the directory server. The server reads the database and sends the data<br />
back to the client application.<br />
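The exchange that this client/server relationship boils down to, as an added illustration that is not part of this paper and not IBM code: the LDAP client (in the DS8000 case, the Authentication Server) sends a BER-encoded simple BindRequest carrying the user's DN and password, and the directory server answers with a BindResponse, both as RFC 4511 defines them. The directory content, DN and password are constructed sample data, and the SAMPLE_DIRECTORY dict stands in for the directory server's user database.

```python
"""LDAPv3 simple bind (RFC 4511) with hand-rolled BER; added illustration, not IBM code."""

# ASN.1/BER tags used by the two messages (RFC 4511 sections 4.1 and 4.2)
TAG_SEQUENCE = 0x30        # SEQUENCE, constructed
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60    # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61   # [APPLICATION 1], constructed
TAG_SIMPLE_AUTH = 0x80     # [CONTEXT 0], primitive: simple (password) authentication
RESULT_SUCCESS = 0
RESULT_INVALID_CREDENTIALS = 49


def ber_length(n):
    """Definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content

def ber_int(tag, value):
    """INTEGER or ENUMERATED with a minimal two's-complement body."""
    return ber_tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def read_tlv(buf, pos=0):
    """Return (tag, content, position after the TLV) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: the next bytes hold the length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def bind_request(message_id, dn, password):
    """Client side: LDAPMessage { messageID, BindRequest { version 3, dn, simple } }.
    The password is a plain OCTET STRING, readable on the wire unless this hop uses SSL/TLS."""
    op = (ber_int(TAG_INTEGER, 3) + ber_tlv(TAG_OCTET_STRING, dn.encode())
          + ber_tlv(TAG_SIMPLE_AUTH, password.encode()))
    return ber_tlv(TAG_SEQUENCE, ber_int(TAG_INTEGER, message_id) + ber_tlv(TAG_BIND_REQUEST, op))

def bind_response(message_id, result_code, diagnostic=""):
    """Server side: LDAPResult { resultCode, matchedDN, diagnosticMessage }."""
    op = (ber_int(TAG_ENUMERATED, result_code) + ber_tlv(TAG_OCTET_STRING, b"")
          + ber_tlv(TAG_OCTET_STRING, diagnostic.encode()))
    return ber_tlv(TAG_SEQUENCE, ber_int(TAG_INTEGER, message_id) + ber_tlv(TAG_BIND_RESPONSE, op))

def parse_message(buf):
    """Decode a BindRequest or BindResponse LDAPMessage into a dict of its fields."""
    tag, msg, _ = read_tlv(buf)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg)
    op_tag, op, _ = read_tlv(msg, pos)
    fields = {"message_id": int.from_bytes(mid, "big", signed=True)}
    if op_tag == TAG_BIND_REQUEST:
        _, version, pos = read_tlv(op)
        _, dn, pos = read_tlv(op, pos)
        auth_tag, secret, _ = read_tlv(op, pos)
        if auth_tag != TAG_SIMPLE_AUTH:
            raise ValueError("only simple authentication is handled here")
        fields.update(version=version[0], dn=dn.decode(), password=secret.decode())
    elif op_tag == TAG_BIND_RESPONSE:
        _, code, pos = read_tlv(op)
        _, _, pos = read_tlv(op, pos)      # matchedDN, not needed here
        _, diag, _ = read_tlv(op, pos)
        fields.update(result_code=int.from_bytes(code, "big"), diagnostic=diag.decode())
    else:
        raise ValueError("unexpected protocolOp tag 0x%02x" % op_tag)
    return fields

# Constructed stand-in for the directory server's user database: DN -> password.
SAMPLE_DIRECTORY = {"uid=ds8kadmin,ou=people,dc=example,dc=com": "Sample-Passw0rd"}

def serve_bind(directory, request_bytes):
    """The directory server's answer.  A DN with an empty password is an unauthenticated
    bind (RFC 4513 section 5.1.2); like many servers, this one grants it anonymous access,
    which is why a client must never take such a 'success' as proof of the user's identity."""
    req = parse_message(request_bytes)
    if req["password"] == "":
        return bind_response(req["message_id"], RESULT_SUCCESS, "anonymous bind")
    if directory.get(req["dn"]) == req["password"]:
        return bind_response(req["message_id"], RESULT_SUCCESS)
    return bind_response(req["message_id"], RESULT_INVALID_CREDENTIALS, "invalid credentials")

def authenticate(directory, dn, password, message_id=1):
    """One login attempt as the Authentication Server would drive it against the directory."""
    if not dn or not password:             # refuse anonymous/unauthenticated binds up front
        return False
    reply = parse_message(serve_bind(directory, bind_request(message_id, dn, password)))
    return reply["message_id"] == message_id and reply["result_code"] == RESULT_SUCCESS
```

The empty-password case is the one to check in any LDAP-backed login: the server reports success for an anonymous bind, so the client has to refuse it before it ever sends the request.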
For a more detailed description of <strong>LDAP</strong>, see the <strong>IBM</strong> <strong>Redbooks</strong> publication Understanding<br />
<strong>LDAP</strong> - Design and Implementation, SG24-4986.<br />
The following directory servers are the most common:<br />
► <strong>IBM</strong> Tivoli Directory Server<br />
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp<br />
For installation and configuration steps, see Appendix C, “Installing Tivoli Directory Server<br />
v6.2” on page 61.<br />
► <strong>IBM</strong> Lotus® Domino®<br />
http://www.ibm.com/software/lotus/products/domino/<br />
► Microsoft Active Directory®<br />
http://www.microsoft.com/windowsserver2008/en/us/active-directory.aspx<br />
► open<strong>LDAP</strong> for Linux<br />
http://www.openldap.org/<br />
For installation and configuration steps, see Appendix D, “Installing open<strong>LDAP</strong> in a SUSE<br />
Linux environment” on page 73.<br />
1.3 Overview of <strong>LDAP</strong>-based authentication for the <strong>DS8000</strong><br />
Figure 1-4 shows an overview of the <strong>DS8000</strong> <strong>LDAP</strong>-based authentication architecture.<br />
[Figure 1-4 is a diagram. Components shown: Browser; Host <strong>System</strong>; <strong>LDAP</strong> Service; Remote desktop (directly to the TPC host only); Tivoli <strong>Storage</strong> Productivity Center 4.1 with TPC GUI, DS GUI, TIP, <strong>Authentication</strong> Server, DS CLI Client, ESSNI Client and the Tivoli <strong>Storage</strong> Productivity Center GUI; <strong>DS8000</strong> HMC 1 and <strong>DS8000</strong> HMC 2, each with an ESSNI Server and an <strong>Authentication</strong> Client; <strong>DS8000</strong> Complex 1 and <strong>DS8000</strong> Complex 2. The links are TCP/IP, and the steps of the authentication sequence are marked by circled numbers 1 through 10.]<br />
Callout: The authentication server provides the connection to the <strong>LDAP</strong> or other repositories.<br />
Callout: The authentication is now managed through the <strong>Authentication</strong> Server, a Tivoli <strong>Storage</strong> Productivity Center component, and a new authentication client at the HMC.<br />
Figure 1-4 Communication between the <strong>DS8000</strong> HMC, Tivoli <strong>Storage</strong> Productivity Center, <strong>LDAP</strong> and<br />
DS CLI or DS GUI client<br />
Communication between the <strong>DS8000</strong> HMC and the various administrative clients (DS CLI,<br />
DS GUI) is unchanged compared to basic user authentication. The communication model still<br />
uses a client/server connection between the <strong>DS8000</strong> HMC ESSNI server and the<br />
administrative client ESSNI client.<br />
The big difference with basic authentication is that the <strong>DS8000</strong> user IDs (as used by the<br />
DS CLI or the DS GUI) are no longer locally managed and stored at the HMC. Instead they<br />
are managed and stored in an <strong>LDAP</strong> directory server. However, the HMC cannot directly<br />
communicate with the <strong>LDAP</strong> server. The HMC is configured to authenticate user IDs and<br />
passwords against a new service provided by Tivoli <strong>Storage</strong> Productivity Center v4.1, called<br />
the <strong>Authentication</strong> Server. This <strong>Authentication</strong> Server in Tivoli <strong>Storage</strong> Productivity Center<br />
receives authentication requests from an <strong>Authentication</strong> Client that is located at the HMC.<br />
The <strong>Authentication</strong> Client also acts as an <strong>LDAP</strong> client to communicate those requests to the<br />
<strong>LDAP</strong> servers.<br />
Note: Tivoli <strong>Storage</strong> Productivity Center users are also now managed by <strong>LDAP</strong>.<br />
The HMC can still support basic authentication. The authentication method that is used (either<br />
basic or <strong>LDAP</strong>) is determined by setting an authentication policy in the DS GUI user<br />
administration menu. By default, the HMC is not configured to use <strong>LDAP</strong>, so the<br />
<strong>Authentication</strong> Server, which resides at the HMC, is not used. The initial authentication policy<br />
is set to the basic method. The two methods (basic or <strong>LDAP</strong>) are mutually exclusive.<br />
To use <strong>LDAP</strong> authentication, the authentication type at the <strong>DS8000</strong> must be changed to<br />
<strong>Storage</strong> <strong>Authentication</strong> Service (SAS). The SAS policy includes all the information that is<br />
required for the <strong>LDAP</strong> connection and authentication. This information includes the host name<br />
or the IP address of the <strong>Authentication</strong> Server. It also includes the location of the truststore<br />
file, which is a digitally signed certificate of the <strong>Authentication</strong> Server. The certificate is used<br />
to establish a Secure Sockets Layer (SSL) connection between the <strong>Authentication</strong> Server and<br />
the <strong>Authentication</strong> Clients. The communication between the <strong>LDAP</strong> server and <strong>Authentication</strong><br />
Server can also be configured to use a secure connection through SSL, but it is not required.<br />
As stated previously, the <strong>Authentication</strong> Server is provided by the Tivoli <strong>Storage</strong> Productivity<br />
Center 4.1. Tivoli <strong>Storage</strong> Productivity Center 4.1 also includes the Tivoli Integrated Portal.<br />
Tivoli Integrated Portal is a browser-based utility that is used to administer and manage the<br />
<strong>Authentication</strong> Server. When provided with the correct authority, Tivoli Integrated Portal can<br />
also be used to administer <strong>LDAP</strong> users and groups through a Web browser started on any<br />
host.<br />
For example, when using the DS CLI, the connection from a user standpoint is still<br />
established as it was without <strong>LDAP</strong>. The user establishes the connection by specifying the IP<br />
address of the HMC and is prompted for a user ID and password. Now, because the <strong>DS8000</strong><br />
has an active SAS policy, the <strong>Authentication</strong> Client sends the user request to the<br />
<strong>Authentication</strong> Server. The <strong>Authentication</strong> Server validates the user’s credentials with <strong>LDAP</strong>. If<br />
valid, an authentication OK token is returned to the ESSNI server, which executes the<br />
command against the <strong>DS8000</strong>. In Figure 1-4 on page 7, this sequence is noted by the circled<br />
numbers.<br />
1.4 Benefits for <strong>DS8000</strong> administrators and users<br />
When applications access a standard common directory that is designed in a proper way,<br />
rather than using application-specific directories, redundant and costly administration can be<br />
eliminated, and security risks are more controllable. With <strong>DS8000</strong> basic authentication, user<br />
administration is isolated and must be separately maintained. Each <strong>DS8000</strong> in your<br />
environment has its own local user repository.<br />
<strong>DS8000</strong> authentication through <strong>LDAP</strong> offers the following benefits:<br />
► Centralized user management from one or more <strong>LDAP</strong> servers<br />
The user IDs and the role definition are stored and managed in one central location.<br />
► Integration with existing Directory Services<br />
If you already use a directory service, you can integrate <strong>DS8000</strong> users and, if needed,<br />
create a separate <strong>DS8000</strong> <strong>LDAP</strong> group.<br />
► More flexible user management<br />
You have different ways to add, change, or remove a user ID or to reset a password:<br />
– Directly with the <strong>LDAP</strong> server GUI<br />
– By using the Web (for example, Tivoli Directory Server Web Administration Tool)<br />
– User Management by using the Tivoli Integrated Portal of the Tivoli <strong>Storage</strong><br />
Productivity Center 4.1<br />
– Use of the same user ID to access all <strong>DS8000</strong> systems in the enterprise<br />
– Password policy management<br />
Tip: Use <strong>LDAP</strong> if it is already in use or if you have a large pool of <strong>DS8000</strong> systems and<br />
other <strong>LDAP</strong>-enabled servers to administer.<br />
► Even though <strong>LDAP</strong> support can provide single sign-on (SSO) capability by using the same<br />
credentials to access multiple <strong>DS8000</strong> servers, it remains possible to create separate user<br />
IDs for one person, while maintaining those user IDs by using <strong>LDAP</strong>. This is important if<br />
the same person needs to access multiple <strong>DS8000</strong> servers with different authorization<br />
levels. Security isolation with multiple <strong>DS8000</strong> systems remains possible with <strong>LDAP</strong>.<br />
Chapter 2. Implementing <strong>LDAP</strong> for the <strong>DS8000</strong><br />
In this chapter, we explain how to implement Lightweight Directory Access Protocol (<strong>LDAP</strong>)<br />
authentication for the <strong>IBM</strong> <strong>System</strong> <strong>Storage</strong> <strong>DS8000</strong> server. The implementation involves the<br />
following high level tasks:<br />
1. Installing the <strong>LDAP</strong> servers<br />
2. Installing and configuring the Tivoli <strong>Storage</strong> Productivity Center servers<br />
3. Creating the certificates and the truststore file<br />
4. Configuring the <strong>DS8000</strong> for <strong>LDAP</strong> authentication<br />
2.1 Test environment<br />
Figure 2-1 shows the layout of the test environment that we set up for writing this paper. As a<br />
best practice, set up an environment that ensures high availability by providing redundancy for<br />
the key elements of the installation.<br />
In our case, we used two <strong>LDAP</strong> servers, two Tivoli <strong>Storage</strong> Productivity Center servers, and<br />
two Hardware Management Consoles (HMCs) for the <strong>DS8000</strong>. As you can see in the<br />
diagram, the administration workstation (DS command line interface (CLI) or DS graphical<br />
user interface (GUI)) has redundant paths to the dual HMCs and Tivoli <strong>Storage</strong> Productivity<br />
Center servers. The second <strong>DS8000</strong> server is for illustration purposes, but you can do the<br />
cabling and setup as illustrated when managing multiple <strong>DS8000</strong> servers.<br />
The <strong>DS8000</strong> R4.2 <strong>LDAP</strong> authentication feature enables the definition of a backup <strong>LDAP</strong> and<br />
a backup Tivoli <strong>Storage</strong> Productivity Center server. However, only one of each of the<br />
redundant servers can be active at a time.<br />
Figure 2-1 Highly available environment<br />
2.2 Installing the <strong>LDAP</strong> servers<br />
As described in Chapter 1, “<strong>LDAP</strong> authentication for <strong>DS8000</strong>” on page 1, the main benefit of<br />
an <strong>LDAP</strong>-based authentication is the centralized user management that it allows. Therefore, if<br />
you already have an operating <strong>LDAP</strong> server in your environment, use the same servers for<br />
<strong>DS8000</strong> user authentication.<br />
If you do not have an <strong>LDAP</strong> server installed yet, use the Tivoli Directory Server. For detailed<br />
installation instructions, see Appendix C, “Installing Tivoli Directory Server v6.2” on page 61.<br />
Alternatively in a Linux environment, you can opt for an open<strong>LDAP</strong> server. For details, see<br />
D.1, “Installing the required <strong>LDAP</strong> packages” on page 74.<br />
As previously indicated, also provision a second (standby) <strong>LDAP</strong> server for redundancy. We<br />
refer to those <strong>LDAP</strong> servers in this paper as <strong>LDAP</strong> server1 and <strong>LDAP</strong> server2.<br />
2.3 Installing and configuring the Tivoli <strong>Storage</strong> Productivity<br />
Center servers<br />
<strong>IBM</strong> Tivoli <strong>Storage</strong> Productivity Center is storage infrastructure management software that<br />
can centralize, automate, and simplify the management of complex and heterogeneous<br />
storage environments. Tivoli <strong>Storage</strong> Productivity Center is included on the <strong>Storage</strong> <strong>System</strong><br />
Productivity Center (SSPC) console that is recommended with <strong>DS8000</strong> installation.<br />
Remember that Tivoli <strong>Storage</strong> Productivity Center or SSPC (which includes Tivoli <strong>Storage</strong><br />
Productivity Center) is now required for <strong>DS8000</strong> GUI access. Tivoli <strong>Storage</strong> Productivity<br />
Center v4.1 is required for <strong>LDAP</strong> authentication support.<br />
If you plan to install, or must install, a new Tivoli <strong>Storage</strong> Productivity Center server, see the<br />
installation instructions in Appendix A, “Installing Tivoli <strong>Storage</strong> Productivity Center 4.1 on<br />
Windows Server 2008” on page 39.<br />
As previously indicated, you must also provision a second (standby) Tivoli <strong>Storage</strong><br />
Productivity Center server for redundancy. We refer to those Tivoli <strong>Storage</strong> Productivity<br />
Center servers as TPC server1 and TPC server2.<br />
If you already have Tivoli <strong>Storage</strong> Productivity Center 4.1 servers installed, but not configured<br />
for <strong>LDAP</strong> authentication, use the Tivoli Integrated Portal component of Tivoli <strong>Storage</strong><br />
Productivity Center to configure them for <strong>LDAP</strong>. For more information, see Appendix B,<br />
“Configuring Tivoli <strong>Storage</strong> Productivity Center for <strong>DS8000</strong> <strong>LDAP</strong> authentication” on page 51.<br />
After the Tivoli <strong>Storage</strong> Productivity Center servers are installed and configured for <strong>LDAP</strong>,<br />
proceed to the following section, 2.4, “Creating the certificates and the truststore file”.<br />
2.4 Creating the certificates and the truststore file<br />
The certificate and the truststore file from the Tivoli <strong>Storage</strong> Productivity Center server or<br />
servers are needed to secure Secure Sockets Layer (SSL) communication between the<br />
<strong>DS8000</strong> HMC and the Tivoli <strong>Storage</strong> Productivity Center server. The certificate and truststore<br />
file are shared between the Tivoli <strong>Storage</strong> Productivity Center servers and HMCs.<br />
2.4.1 Creating the certificate and the truststore file on TPC server1<br />
The Tivoli <strong>Storage</strong> Productivity Center v4.1 server is administered through a component<br />
called the Tivoli Integrated Portal. Tivoli Integrated Portal is packaged with Tivoli <strong>Storage</strong><br />
Productivity Center. This component provides a GUI front end to the Tivoli <strong>Storage</strong><br />
Productivity Center administration, accessible from a Web browser.<br />
The Tivoli Integrated Portal is part of Tivoli <strong>Storage</strong> Productivity Center 4.1 and is<br />
automatically installed as part of any Tivoli <strong>Storage</strong> Productivity Center 4.1 installation.<br />
To create the certificate and truststore file:<br />
1. Open a Web browser and point it to the Tivoli Integrated Portal, which is typically<br />
accessible from the following URL:<br />
https://IP-Address:16311/ibm/console<br />
The default Tivoli Integrated Portal installation secures the https transport with a self-signed<br />
certificate. Depending on the browser that you use, you might receive an exception<br />
message and have to accept that certificate as a trusted certificate.<br />
2. Export the certificate:<br />
a. Log in to the Tivoli Integrated Portal console.<br />
b. Navigate to the SSL certificate and key management →Key stores and<br />
certificates →NodeDefaultKeyStore →Personal certificates →Extract certificate<br />
page (Figure 2-2).<br />
c. Under General Properties, enter the path and file name on the <strong>IBM</strong> Tivoli Integrated<br />
Portal server indicating where to extract the certificate.<br />
For example, if you enter the path and name c:\default_itso.cer, the<br />
default_itso.cer file is generated in the Tivoli <strong>Storage</strong> Productivity Center server C:\<br />
root folder. The file name can be any file name that you provide. Data type defines the<br />
encoding scheme (for example, Base64 encoded ASCII data) for the SSL certificate.<br />
Click OK.<br />
Figure 2-2 Extract certificate page<br />
3. Create the truststore file:<br />
a. Launch the iKeyman utility that is included with Tivoli <strong>Storage</strong> Productivity Center 4.1.<br />
For example, in Windows 2003 Server, open a Command Line window and enter the<br />
following command to open the <strong>IBM</strong> Key Management window:<br />
c:\Program Files\<strong>IBM</strong>\tivoli\tip\bin\ikeyman.bat<br />
The iKeyman utility is a GUI-based tool that you can use to manage your digital<br />
certificates. With iKeyman, you can create a new key database or test a digital<br />
certificate, add certificate authority (CA) roots to your database, copy certificates from<br />
one database to another, request and receive a digital certificate from a CA, set default<br />
keys, and change passwords.<br />
Certificate authority: A certificate authority is a trusted central administrative<br />
entity that can issue digital certificates to users and servers. The trust in the CA is<br />
the foundation of trust in the certificate as a valid credential. A CA uses its private<br />
key to create a digital signature on the certificate that it issues to validate the<br />
certificate's origin. Others can use the CA certificate’s public key to verify the<br />
authenticity of the certificates that the CA issues and signs. The term truststore<br />
refers to a special designation that is given to a CA certificate. This truststore<br />
designation allows a browser or other application to authenticate and accept<br />
certificates that the CA issues.<br />
b. In the <strong>IBM</strong> Key Management window (Figure 2-3), click Key Database File → New.<br />
Figure 2-3 iKeyman utility<br />
c. In the New panel (Figure 2-4):<br />
i. For Key database type, select a type or leave the default of JKS.<br />
ii. For File Name, enter a file name. For example, enter itso_trust_store.jks.<br />
Note: For Microsoft Windows systems, the default location for the generated key<br />
file is c:\Program Files\<strong>IBM</strong>\tivoli\tip\bin\.<br />
iii. Click OK.<br />
Figure 2-4 Selecting an export location and setting the file name<br />
iv. In the Password Prompt window (Figure 2-5), specify a password that you can<br />
remember for the truststore file. Click OK.<br />
Figure 2-5 Specifying a password<br />
After the truststore file is created, you return to the <strong>IBM</strong> Key Management window.<br />
4. Import the certificate into the truststore file:<br />
a. Add the exported certificate file from the Tivoli Integrated Portal (see Figure 2-2 on<br />
page 14) to the truststore file:<br />
i. From the <strong>IBM</strong> Key Management window (Figure 2-6), click Add.<br />
Figure 2-6 Adding a certificate to a truststore file<br />
ii. In the Add CA certificate from a file window (Figure 2-7), click Browse.<br />
iii. Select the certificate file that you created in step 2 on page 14 (see Figure 2-2) and<br />
click OK.<br />
Figure 2-7 Selecting the certificate authority<br />
iv. In the Enter a Label window (Figure 2-8), enter any label (any character string of<br />
your choice). For example, we enter itso_cert_label. Then click OK.<br />
Figure 2-8 Specifying a key label<br />
The certificate is successfully stored in the truststore file, as shown in Figure 2-9.<br />
Figure 2-9 CA successfully stored in the truststore file<br />
b. Exit the iKeyman tool and locate the truststore file. In our example, the file is in<br />
c:\Program Files\<strong>IBM</strong>\tivoli\tip\bin\itso_trust_store.jks.<br />
You need this truststore file and password while configuring the <strong>LDAP</strong>-based policy on<br />
the <strong>DS8000</strong> server.<br />
2.4.2 Setting up TPC server2<br />
As previously discussed, as a best practice, install and configure a second Tivoli <strong>Storage</strong><br />
Productivity Center server (TPC server2) to guarantee access to the <strong>DS8000</strong> in case of a<br />
failure of TPC server1. Only one Tivoli <strong>Storage</strong> Productivity Center server can be active for<br />
<strong>LDAP</strong> authentication. TPC server2 is typically in standby and takes over in case of a failure at<br />
TPC server1. Preferably implement TPC server2 on the same hardware configuration as TPC<br />
server1; in any case, it must use the same <strong>LDAP</strong> server and branch information as TPC server1.<br />
To do a basic Tivoli <strong>Storage</strong> Productivity Center installation, see the instructions in<br />
Appendix A, “Installing Tivoli <strong>Storage</strong> Productivity Center 4.1 on Windows Server 2008” on<br />
page 39. The additional setup tasks described in this section are required.<br />
Note: The Tivoli <strong>Storage</strong> Productivity Center servers and Tivoli Integrated Portal are<br />
implemented as <strong>IBM</strong> WebSphere® application servers, which can securely communicate<br />
by using the Lightweight Third Party <strong>Authentication</strong> (LTPA) protocol.<br />
LTPA is intended for distributed, multiple application server and machine environments. The<br />
LTPA protocol enables WebSphere Application Server to provide security in a distributed<br />
environment by using cryptography. Application servers distributed in multiple nodes can<br />
securely communicate by using this protocol.<br />
It also provides a single sign-on (SSO) feature where a user is required to authenticate only<br />
once. The LTPA protocol uses cryptographic keys to encrypt and decrypt user data that<br />
passes between the servers. These keys must be shared between the different servers,<br />
assuming that all the servers involved use the same <strong>LDAP</strong> or custom registry. The default<br />
LTPA keys are automatically generated during the installation process.<br />
All of the Tivoli <strong>Storage</strong> Productivity Center Server processes (Tivoli Integrated Portal, node,<br />
WebSphere Application Server) share the same set of keys. If key sharing is required<br />
between different servers, export them from one server and import them to the other server.<br />
For security purposes, the exported keys are encrypted with a user-defined password. This<br />
same password is needed when importing the keys into another server.<br />
Exporting and importing the LTPA keys<br />
On TPC server2, export and import the LTPA keys by using either the CLI or the Tivoli<br />
<strong>Storage</strong> Productivity Center GUI.<br />
Using the CLI to export and import the LTPA keys<br />
To use the CLI to export and import the LTPA keys:<br />
1. Export the LTPA keys that were initially created when installing TPC server1:<br />
a. On TPC server2, open a command window and go to the /bin folder.<br />
b. Enter the wsadmin command as follows to export LTPA keys from TPC server1 to a file<br />
on TPC server2:<br />
wsadmin -user user_name -password password -lang jython<br />
-port port -host host_name -f "installation_directory/tip/scripts/exportLTPAKeys.py"<br />
"LTPA_keys_file_name" ltpaKeysPassword<br />
Note the following explanation:<br />
-user is the user name from the Tivoli Integrated Portal administrator.<br />
-password is the password from the Tivoli Integrated Portal administrator.<br />
-lang jython is the scripting language used for the export script (-f).<br />
-port is the port on which the Tivoli Integrated Portal is listening. The default is port<br />
16311.<br />
-host is the host name or IP address of the Tivoli Integrated Portal server.<br />
-f is the path to the export script in the tip/scripts directory of the local Tivoli <strong>Storage</strong><br />
Productivity Center server installation directory. The script name is<br />
exportLTPAKeys.py.<br />
LTPA keys file name is the name (or path and filename) of the exported LTPA file.<br />
ltpaKeysPassword is the password that is used to encrypt and decrypt the LTPA<br />
keys. During import, this password must match the password that is used to export<br />
the keys at another LTPA server (for example, another application server, and so<br />
on). During export, remember this password so that you can enter it during import.<br />
Example 2-1 illustrates the command that we used (in our test environment) to export<br />
the keys. The exportedLTPAkeyfile file, which contains the LTPA keys of TPC server1<br />
and that we import to TPC server2, is generated.<br />
Note: Use forward slashes when specifying the path names for files.<br />
Example 2-1 Exporting the key<br />
C:\Program Files\<strong>IBM</strong>\Tivoli\TIP\bin>wsadmin -user tpcadmin2 -password super321 -lang<br />
jython -port 16313 -host 9.11.112.112 -f "c:/program<br />
files/ibm/tpc/tip/scripts/exportLTPAKeys.py" "c:/share/exportedLTPAkeyfile" passw0rd<br />
2. Import the LTPA key:<br />
a. In the same command window on TPC server2, enter the following wsadmin command<br />
to import the LTPA keys into Tivoli Integrated Portal and then into the device server. The<br />
parameters have the same meaning as explained in step 1 on page 19.<br />
wsadmin -user user_name -password password -lang jython -f<br />
"installation_directory/tip/scripts/importLTPAKeys.py" "LTPA_keys_file_name" ltpaKeysPassword<br />
The device server discovers storage subsystems and SAN fabrics. Then it gathers<br />
information about storage subsystems and SAN fabrics and analyzes their<br />
performance. The device server controls the communication with agents and the data<br />
collection from agents that scan storage area network (SAN) fabrics. It is also<br />
responsible for the creation and monitoring of replication relationships between storage<br />
devices.<br />
Example 2-2 shows the key being imported to the device server.<br />
Example 2-2 Importing the key to the device server<br />
C:\Program Files\<strong>IBM</strong>\Tivoli\TIP\bin>wsadmin -user tpcadmin2 -password passw0rd -lang<br />
jython -f "c:/program files/ibm/tpc/tip/scripts/importLTPAKeys.py"<br />
"c:/share/exportedLTPAkeyfile" passw0rd<br />
b. Change the directory to the device server’s TIP\bin folder and run the same command<br />
as shown in Example 2-3.<br />
Note: Use forward slashes when specifying the path names for files.<br />
Example 2-3 Importing the key to the TIP folder<br />
C:\Program Files\<strong>IBM</strong>\TPC\device\apps\was\bin>wsadmin -user tpcadmin2 -password<br />
passw0rd -lang jython -f "c:/program files/ibm/tpc/tip/scripts/importLTPAKeys.py"<br />
"c:/share/exportedLTPAkeyfile" passw0rd<br />
20 <strong>IBM</strong> <strong>System</strong> <strong>Storage</strong> <strong>DS8000</strong>: <strong>LDAP</strong> <strong>Authentication</strong>
Using the GUI to export and import the LTPA keys
To use the Tivoli Storage Productivity Center GUI to export and import the LTPA keys:
1. Export the LTPA key:
a. To access the Tivoli Storage Productivity Center administrative console (Tivoli Integrated Portal), type the following URL in a Web browser:
http://server_name:port_number/ibm/console
b. In the left pane, select Security → Secure administration, applications, and infrastructure → Authentication mechanisms and expiration.
c. In the window that opens (Figure 2-10):
i. Under Cross-cell single sign-on, in the Password and Confirm password fields, enter the password to encrypt the LTPA keys. Remember the password so that you can use it later when the keys are imported into the other server.
ii. In the Fully qualified key file name field, specify the fully qualified path to the location where you want the exported LTPA keys to reside. You must have write permission to this file.
iii. Click Export keys to export the keys to the location that you specified in the Fully qualified key file name field.
iv. Click OK to confirm the changes and click Save to save your configuration.
Figure 2-10 Exporting the LTPA key
Chapter 2. Implementing <strong>LDAP</strong> for the <strong>DS8000</strong> 21
2. Import the LTPA key:
a. Access the Tivoli Integrated Portal administrative console for the server that will receive the imported keys by typing the following URL in a Web browser:
http://server_name:port_number/ibm/console
b. In the left pane, click Security → Secure administration, applications, and infrastructure → Authentication mechanisms and expiration.
c. In the window that opens:
i. Under Cross-cell single sign-on, in the Password and Confirm password fields, enter the password that is used to decrypt the LTPA keys. This password must match the password that was used at the server from which you are importing the keys.
ii. In the Fully qualified key file name field, specify the fully qualified path to the location where the signer keys reside. You must have write permission to this file.
iii. Click Import keys to import the keys from the location that you specified in the Fully qualified key file name field.
iv. Click OK and Save to save the changes to the master configuration. It is important to save the new set of keys to match the new password so that no problems are encountered when starting the servers later.
The LTPA keys in TPC server1 and TPC server2 are now in sync.
2.4.3 Copying the truststore file from TPC server1 to TPC server2
For TPC server2 to take over in case of a TPC server1 failure, both servers must have access to identical truststore files. Copy the truststore file that was created for TPC server1 (see 2.4.1, “Creating the certificate and the truststore file on TPC server1” on page 13) to TPC server2.
2.5 Configuring the DS8000 for LDAP authentication
The DS8000 must be configured to use LDAP authentication. To perform the configuration, you can use either the DS GUI or the DS CLI.
Important: You must have redundant LDAP servers. If the LDAP service is not available, you cannot log on to a DS8000 system that is enabled for LDAP to perform administrative tasks.
Configuring DS8000 LDAP authentication by using the GUI
To configure DS8000 LDAP authentication by using the GUI:
1. Open the DS8000 GUI using the administrative user ID and password. Enter the User Name and Password. Click OK.
2. On the DS8000 Storage Manager Menu (left pane), select User Administration.
3. In the User and Authentication Policy Administration Summary page, select a Complex Name.
4. Click Select action and select Create Storage Authentication Service Policy (Figure 2-11).
Figure 2-11 Select Create Storage Authentication Service Policy
5. On the Authentication Service Configuration page (Figure 2-12 on page 24):
a. For Policy Name, enter any name. You can define more than one policy, but only one can be active. You can also switch freely between the different policies.
b. For Authentication Service URL (Primary), enter the URL to the Tivoli Integrated Portal (on TPC server1). The default URL has the following form:
https://tip_server_host:16311/TokenService/services/Trust
c. For Authentication Service URL (Secondary), enter the backup URL that points to TPC server2.
d. For Authentication Service Client User ID, enter the user ID from the Tivoli Integrated Portal that is set up by installation.
e. For Authentication Service Client Password, enter the password of the Tivoli Integrated Portal user.
f. For Confirm Authentication Service Client Password, enter the password again.
g. Click Next.
Port number: The port for the ESS service (16311) is 1 plus the default Tivoli Integrated Portal port 16310. If you change the default Tivoli Integrated Portal port during installation to, say, 17522, then the port to use for the ESS service is 17523 (one plus that Tivoli Integrated Portal port number).
The ESS/Authentication Service URL is then as follows:
https://yourserver.com:17523/TokenService/services/Trust
Figure 2-12 Authentication Service Configuration
6. On the Truststore file Information page (Figure 2-13):
a. For Truststore File Location, see 2.4, “Creating the certificates and the truststore file” on page 13.
b. For Truststore File Password, enter the password that was used when the truststore was created.
c. For Confirm Truststore File Password, enter the password again.
d. Click Next.
Figure 2-13 Truststore file Information page
7. On the Map External Users and User Groups to DS8000 User Roles page (Figure 2-14):
a. For External Entity Name, enter the name of the user or user group that exists in the LDAP directory.
b. Select the External Entity Type. The type of entity can be External User Group or External User Name.
c. For DS8000 User Role, select a role from the list (see Table 3-1 on page 34).
d. Click the Add button.
e. To map more than one user or group, repeat these steps. For detailed information about user groups and roles, see 3.3, “User administration for Tivoli Storage Productivity Center servers” on page 36.
f. Click Next.
Figure 2-14 Map External Users and User Groups to DS8000 User Roles window
8. On the Verification page (Figure 2-15), which shows the settings that will be stored, verify the information and click Next to continue or click Back to make changes.
Figure 2-15 Verification page
9. On the Summary page (Figure 2-16), leave the Activate the Policy check box cleared. Click Finish to create the policy. In the next step, we test the policy before activating it.
Figure 2-16 Summary page
10. On the Manage Authorization Policy page (Figure 2-17), select a policy. Under the Select action menu, click Test Authentication Policy.
Figure 2-17 Test Authentication Policy
11. In the Test Storage Authentication Service Policy window (Figure 2-18), enter values for the External User Name and External User Password input fields. The user must be an existing user from the LDAP Directory and mapped to a local DS8000 role. Then click OK.
Figure 2-18 Test policy
The test takes a few seconds to complete. When it completes, the Test summary page is displayed. If the test was successful, the Result Status box is green and the Result details cell is empty, as shown in Figure 2-19. If something is wrong, the Result Status cell is red and the error message is displayed in the Result details box. In this case, go back to the configuration and check the settings.
Figure 2-19 Test completes successfully
12. Activate the configuration. Select a policy. Under the Select action menu, click Activate.
13. In the Activate Storage Authentication Service Policy window (Figure 2-20):
a. For External User Name, enter a user name that exists and is valid in the LDAP Directory.
b. Enter the External User Password.
c. Click OK to activate the policy.
Figure 2-20 Activate the configuration
Configuring DS8000 LDAP authentication by using the DS CLI
In addition to using the GUI, you can configure the DS8000 external authentication policy through the command line interface (CLI). To configure with the DS CLI:
1. Go to the DS CLI install directory and open the DS CLI command window.
2. In the DS CLI command window, enter the HMC IP address, user name, and password.
3. To see the existing authentication policies, enter the lsauthpol command as shown in Example 2-4. As you can see, the default initialPolicy is set for basic (non-LDAP) authentication.
Example 2-4 Listing authentication policies
dscli> lsauthpol
Date/Time: March 11, 2009 9:17:16 AM MST IBM DSCLI Version: 5.4.2.540 DS: -
name          type  state
==========================
initialPolicy Basic active
4. Create a new empty policy by entering the mkauthpol -type sas itsopolicy command as shown in Example 2-5, where -type sas specifies the authentication policy type. Currently, SAS (Storage Authentication Service) is the only valid value for this parameter, and it is required. itsopolicy is the name of the new policy.
Example 2-5 Creating a new policy
dscli> mkauthpol -type sas itsopolicy
Date/Time: March 11, 2009 9:24:20 AM MST IBM DSCLI Version: 5.4.2.540 DS: -
CMUC00365I mkauthpol: The authentication policy itsopolicy has been created.
5. Add a policy server or policy servers to the policy as shown in Example 2-6 by entering the setauthpol command with the -action setauthserver and -loc parameters, where the -loc parameter is the URL to TPC server1.
Example 2-6 Setting the policy server
dscli> setauthpol -action setauthserver -loc https://9.11.240.201:16311//TokenService/services/Trust itsopolicy
Date/Time: March 11, 2009 9:27:10 AM MST IBM DSCLI Version: 5.4.2.540 DS: -
CMUC00366I setauthpol: The authentication policy itsopolicy has been modified.
6. Add the truststore file to the policy. Enter the setauthpol command with the -action settruststore parameter, the -loc parameter, where the value is the location of the truststore file (see 2.4, “Creating the certificates and the truststore file” on page 13), and the -pw parameter for the truststore file password. See Example 2-7.
Example 2-7 Setting the truststore
dscli> setauthpol -action settruststore -loc c:\key_itso.jks -pw passw0rd itsopolicy
Date/Time: March 11, 2009 9:29:25 AM MST IBM DSCLI Version: 5.4.2.540 DS: -
CMUC00366I setauthpol: The authentication policy itsopolicy has been modified.
7. Add the ESS user to the policy by entering the setauthpol command with the -action setsasuser parameter, as shown in Example 2-8. For more details about the ESS user, see Appendix A, “Installing Tivoli Storage Productivity Center 4.1 on Windows Server 2008” on page 39.
Example 2-8 Setting the ESS user
dscli> setauthpol -action setsasuser -username tipadmin -pw passw0rd itsopolicy
Date/Time: March 11, 2009 9:31:24 AM MST IBM DSCLI Version: 5.4.2.540 DS: -
CMUC00366I setauthpol: The authentication policy itsopolicy has been modified.
8. Map existing users and user groups from the LDAP server to user groups on the DS8000 by entering the setauthpol command with the -action setmap parameter and -groupmap User:Group values, as shown in Example 2-9.
Example 2-9 Mapping a user to a group
dscli> setauthpol -action setmap -groupmap admin:Administrators itsopolicy
Date/Time: March 11, 2009 9:32:54 AM MST IBM DSCLI Version: 5.4.2.540 DS: -
CMUC00366I setauthpol:Authentication policy itsopolicy successfully modified.
9. Now that the policy is set up, check it as shown in Example 2-10. The policy is still in the inactive state.
Example 2-10 Listing the available policies
dscli> lsauthpol itsopolicy
Date/Time: March 11, 2009 9:35:47 AM MST IBM DSCLI Version: 5.4.2.540 DS: -
name       type state
=========================
itsopolicy SAS  inactive
10. To view the configuration parameters, enter the showauthpol command, as shown in Example 2-11.
Example 2-11 Showing the configuration parameters
dscli> showauthpol itsopolicy
Date/Time: March 11, 2009 9:36:52 AM MST IBM DSCLI Version: 5.4.2.540 DS: -
name       itsopolicy
type       SAS
state      inactive
location   https://9.11.240.201:16311//TokenService/services/Trust
truststore itsopolicy_trustStore.jks
sasuser    tipadmin
11. Test the configuration by entering the testauthpol command as shown in Example 2-12.
Example 2-12 Testing the configuration
dscli> testauthpol -username tipadmin -pw passw0rd itsopolicy
Date/Time: March 11, 2009 9:38:28 AM MST IBM DSCLI Version: 5.4.2.540 DS: -
CMUC00366I testauthpol:Authentication policy itsopolicy successfully verified.
12. If the test completed successfully, activate the policy by entering the chauthpol command with the -activate parameter as shown in Example 2-13.
Example 2-13 Activating the policy
dscli> chauthpol -quiet -activate -username tipadmin -pw passw0rd itsopolicy
Date/Time: March 11, 2009 9:55:54 AM MST IBM DSCLI Version: 5.4.2.540 DS: -
CMUC00366I setauthpol:Authentication policy itsopolicy successfully modified.
13. Check the state of the policy by entering the lsauthpol command (Example 2-14).
Example 2-14 Listing the policy
dscli> lsauthpol itsopolicy
Date/Time: March 11, 2009 10:06:34 AM MST IBM DSCLI Version: 5.4.2.540 DS: -
name       type state
============================
itsopolicy SAS  active
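The checks below are an added example written for this procedure; they are not code from this Redpaper or from IBM's DS CLI. The script parses the text that lsauthpol and showauthpol print (the sample outputs are constructed to match the shape of Examples 2-4, 2-10 and 2-11) and, before the chauthpol -activate step, verifies the points this procedure and the port note in step 5 depend on: the policy type is SAS, the authentication service URL uses https and points at the Trust token service on the Tivoli Integrated Portal port plus one, the truststore and SAS user are set, and no more than one policy is active. The tip_port parameter and all function names are this example's own.

```python
"""Pre-activation checks for a DS8000 SAS authentication policy.

Added example (not from the Redpaper or IBM's DS CLI): parses the text that
`lsauthpol` and `showauthpol` print and checks the points the procedure
relies on before `chauthpol -activate`. Sample outputs are constructed to
match the shape of Examples 2-4, 2-10 and 2-11.
"""
from urllib.parse import urlsplit

DEFAULT_TIP_PORT = 16310  # Tivoli Integrated Portal default; the ESS port is this + 1

# Constructed sample of `lsauthpol` output listing both policies seen on the page.
LSAUTHPOL_OUTPUT = """\
Date/Time: March 11, 2009 9:35:47 AM MST IBM DSCLI Version: 5.4.2.540 DS: -
name          type  state
==========================
initialPolicy Basic active
itsopolicy    SAS   inactive
"""

# Constructed sample of `showauthpol itsopolicy` output (values as in Example 2-11).
SHOWAUTHPOL_OUTPUT = """\
Date/Time: March 11, 2009 9:36:52 AM MST IBM DSCLI Version: 5.4.2.540 DS: -
name       itsopolicy
type       SAS
state      inactive
location   https://9.11.240.201:16311//TokenService/services/Trust
truststore itsopolicy_trustStore.jks
sasuser    tipadmin
"""


def parse_lsauthpol(text):
    """Return [(name, type, state), ...] from lsauthpol output, skipping banner lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Date/Time:", "name ", "=")):
            continue
        parts = line.split()
        if len(parts) == 3:
            rows.append(tuple(parts))
    return rows


def parse_showauthpol(text):
    """Return {field: value} from showauthpol output."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Date/Time:"):
            continue
        key, _, value = line.partition(" ")
        fields[key] = value.strip()
    return fields


def active_policies(rows):
    """Names of policies in state 'active'; the DS8000 allows only one at a time."""
    return [name for name, _, state in rows if state == "active"]


def check_policy(fields, tip_port=DEFAULT_TIP_PORT):
    """Return a list of problems; an empty list means the policy is ready to test."""
    problems = []
    if fields.get("type") != "SAS":
        problems.append("type must be SAS (mkauthpol -type sas)")
    url = urlsplit(fields.get("location", ""))
    if url.scheme != "https":
        problems.append("authentication service URL must use https")
    if not url.path.endswith("/TokenService/services/Trust"):
        problems.append("URL path is not the Trust token service")
    if url.port != tip_port + 1:
        problems.append(f"expected ESS port {tip_port + 1}, got {url.port}")
    if not fields.get("truststore"):
        problems.append("no truststore set (setauthpol -action settruststore)")
    if not fields.get("sasuser"):
        problems.append("no SAS user set (setauthpol -action setsasuser)")
    return problems


if __name__ == "__main__":
    rows = parse_lsauthpol(LSAUTHPOL_OUTPUT)
    print("active policies:", active_policies(rows))
    print("problems:", check_policy(parse_showauthpol(SHOWAUTHPOL_OUTPUT)))
```

Run it against captured DS CLI output (for example, redirected to a file) before activating a policy; if the Tivoli Integrated Portal was installed on a non-default port, pass that port as tip_port so the port-plus-one rule is checked against the real value.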
Chapter 3. User, group, and role administration
In this chapter, we explain how to map IBM System Storage DS8000 users and roles with Lightweight Directory Access Protocol (LDAP) users and groups. We also explain the mapping of Tivoli Storage Productivity Center users with LDAP users and groups.
The chapter includes the following topics:
► 3.1, “DS8000 to LDAP groups mappings using the DS GUI” on page 34
► 3.2, “DS8000 to LDAP groups mappings using the DS CLI” on page 35
► 3.3, “User administration for Tivoli Storage Productivity Center servers” on page 36
© Copyright <strong>IBM</strong> Corp. 2009. All rights reserved. 33
3.1 DS8000 to LDAP groups mappings using the DS GUI
LDAP groups (for example, groups in your LDAP repository) are associated with predefined roles. When a user ID is authenticated to a DS8000 through the graphical user interface (GUI) or command line interface (CLI), the user’s membership in a particular LDAP group determines the user’s authorization level. Table 3-1 shows the association between DS8000 user roles and authorization levels.
Table 3-1 DS8000 roles and authorization levels
Role: Authorization level
Administrator: This user role has the highest level of authority. It allows a user to add or remove user accounts. This role has access to all service functions and DS8000 resources.
Logical operator: This role has access to resources that relate to logical volumes, hosts, host ports, logical subsystems, and volume groups, excluding security functions.
Monitor: This role has access to all read-only, nonsecurity service functions and all DS8000 resources.
Physical operator: This user role allows access to resources that are related to physical configuration, including storage complex, storage unit, storage image, management console, arrays, ranks, and extent pools. The physical operator role does not have access to security functions.
Copy Services operator: This role has access to all Copy Services service functions and resources, excluding security functions.
Logical operator and Copy Services operator: This role provides the authority of both the logical operator and Copy Services operator.
No access: This is the default selection. It must be the only assigned role. This role has no access to any service functions or DS8000 resources. This user role is assigned to a user account that is not associated with any other user role.
To define the mappings:
1. From the DS8000 User administration menu, select a storage complex. From the Select action list, select Manage Authentication Policy. Select a Storage Authentication Service policy, and from the Select action list, select Properties.
2. In the Storage Authentication Service Policy Properties window (Figure 3-3 on page 38), click the External Users tab and complete the following actions:
a. For External Entity Name, enter the name of the user or user group that exists in the LDAP Directory.
b. For External Entity Type, select the type of entity, which can be External User Group or External User Name.
c. For DS8000 User Role, select a role from the list. Refer to Table 3-1.
d. Click Add.
e. After you add external (LDAP) users or groups, click OK to apply the changes. If you want to discard the changes, click Cancel.
Figure 3-1 Storage Authentication Service Policy Properties window
3.2 DS8000 to LDAP groups mappings using the DS CLI
To map LDAP groups or users to a DS8000 group, use the setauthpol command. With the setauthpol command, you can modify, delete, or add a mapping. To add a new group map, use the -action setmap -groupmap admin:Administrator parameters as shown in Example 3-1. In this command, admin is the DS8000 role group, and Administrator is the user group or user name from the LDAP repository.
Example 3-1 Mapping groups to a DS8000 role
dscli> setauthpol -action setmap -groupmap admin:Administrators itsopolicy
Date/Time: March 11, 2009 9:32:54 AM MST IBM DSCLI Version: 5.4.2.540 DS: -
CMUC00366I setauthpol:Authentication policy itsopolicy successfully modified.
The DS8000 authority group roles for the DS CLI (see Table 3-1 on page 34) have the following possible values:
► admin
► op_storage
► op_volume
► op_copy_services
► service
► monitor
► no_access
To add a new user map, use the -action setmap -usermap admin:Administrator parameters. In this command, admin is the DS8000 role group, and Administrator is the user from the LDAP repository. The group roles are the same as described in Table 3-1 on page 34.
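The model below is an added example and is not code from this Redpaper or from IBM. It validates the role:name values that setauthpol -action setmap accepts for -groupmap and -usermap (DS8000 authority group first, LDAP group or user name second, as described above), rejects the roles that must not be mapped, and resolves the effective DS8000 roles for a user from the LDAP groups the directory reports for that user. The precedence it applies (an explicit user map wins, otherwise the union of matching group maps, otherwise no_access) and the class and function names are this example's assumptions, not documented DS8000 behaviour.

```python
"""Model of the DS8000 LDAP-to-role mapping set with `setauthpol -action setmap`.

Added example, not code from the Redpaper or from IBM. Validates the
`dsrole:ldapname` values for -groupmap and -usermap and resolves a user's
effective DS8000 authority groups. The precedence below (user map, then the
union of group maps, then no_access) is this example's assumption.
"""

# DS8000 authority groups listed in section 3.2.
DS8000_ROLES = {"admin", "op_storage", "op_volume", "op_copy_services",
                "service", "monitor", "no_access"}


def parse_map(value):
    """Split a 'dsrole:ldapname' value; reject unknown roles and bad shapes."""
    role, sep, ldap_name = value.partition(":")
    if not sep or not role or not ldap_name:
        raise ValueError(f"mapping must be role:name, got {value!r}")
    if role not in DS8000_ROLES:
        raise ValueError(f"unknown DS8000 role {role!r}")
    if role == "no_access":
        # Table 3-1: no_access is the default and must be the only assigned
        # role, so it is never mapped explicitly.
        raise ValueError("no_access is the implicit default; do not map it")
    return role, ldap_name


class AuthPolicyMaps:
    """In-memory stand-in for the map section of one SAS policy (example only)."""

    def __init__(self):
        self.user_map = {}   # LDAP user name  -> DS8000 role
        self.group_map = {}  # LDAP group name -> DS8000 role

    def set_usermap(self, value):
        role, user = parse_map(value)
        self.user_map[user] = role

    def set_groupmap(self, value):
        role, group = parse_map(value)
        self.group_map[group] = role

    def unset_groupmap(self, group):
        self.group_map.pop(group, None)

    def resolve(self, user, ldap_groups):
        """Effective DS8000 roles for `user`; ['no_access'] when nothing maps.

        Several matching group maps yield several roles, which is how a user
        holds a combined role such as Table 3-1's logical operator and Copy
        Services operator (assumption of this example).
        """
        if user in self.user_map:
            return [self.user_map[user]]
        roles = {self.group_map[g] for g in ldap_groups if g in self.group_map}
        return sorted(roles) or ["no_access"]


if __name__ == "__main__":
    policy = AuthPolicyMaps()
    policy.set_groupmap("admin:Administrators")
    policy.set_groupmap("op_volume:VolumeOps")
    print(policy.resolve("alice", ["Administrators"]))
    print(policy.resolve("carol", ["Guests"]))
```

A user whose LDAP groups match no map resolves to no_access, which is the behaviour Table 3-1 describes for an account with no other role; a practitioner reviewing a policy can feed it the group memberships the directory returns and confirm that only the intended accounts resolve to admin.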
3.3 User administration for Tivoli Storage Productivity Center servers
Access to the Tivoli Storage Productivity Center servers can now also be controlled and managed by using LDAP.
3.3.1 Tivoli Storage Productivity Center roles to LDAP group mappings
After installing IBM Tivoli Storage Productivity Center, you must assign roles to individuals who will use Tivoli Storage Productivity Center. From the Role-to-Group Mapping node, you can map Tivoli Storage Productivity Center roles, such as Tape Operator or Fabric Administrator, to user groups that you create either in the operating system or in an LDAP-compliant repository. In this paper, we discuss only the mapping to LDAP.
Tivoli Storage Productivity Center role-based authorization
LDAP groups (for example, groups in your LDAP repository) are associated with predefined roles. When a user ID is authenticated to IBM Tivoli Storage Productivity Center through the GUI, CLI, or application programming interfaces (APIs), the user’s membership in a specific LDAP group is used to determine the user’s authorization level.
Table 3-2 shows the association between Tivoli Storage Productivity Center user roles and authorization levels.
Table 3-2 Roles and authorization levels in Tivoli Storage Productivity Center
Role: Authorization level
Superuser: Has full access to all Tivoli Storage Productivity Center functions.
Productivity Center administrator: Has full access to operations in the Administration section of the GUI.
Disk administrator: Has full access to Tivoli Storage Productivity Center disk functions.
Disk operator: Has access to reports only for Tivoli Storage Productivity Center disk functions. This includes reports on tape devices.
Fabric administrator: Has full access to Tivoli Storage Productivity Center for Fabric functions.
Fabric operator: Has access to reports only for Tivoli Storage Productivity Center for Fabric functions.
Data administrator: Has full access to Tivoli Storage Productivity Center for Data functions.
Data operator: Has access to reports only for Tivoli Storage Productivity Center for Data functions.
Tape administrator: Has full access to Tivoli Storage Productivity Center tape functions.
Tape operator: Has access to reports only for tape functions.
If you select operating system authentication for your IBM Tivoli Storage Productivity Center, you do not have to create any of the groups before installation. The Tivoli Storage Productivity Center Superuser role is automatically mapped to the Administrators group on Windows, to the system group on AIX, or to the root group on Linux.
Note: For more information about IBM Tivoli Storage Productivity Center user and group mapping, see the “User roles” topic in the Tivoli Storage Productivity Center Information Center at the following address:
http://publib.boulder.ibm.com/infocenter/tivihelp/v4r1/index.jsp?topic=/com.ibm.tpc_V33.doc/fqz0_c_user_roles.html
Establishing group mapping in Tivoli Storage Productivity Center
To establish group mapping:
1. Log in to the Tivoli Storage Productivity Center (Tivoli Integrated Portal) with your administrator user name and password.
2. From the left Navigation Tree (Figure 3-2), expand Administrative Services → Configuration and select Role-to-Group Mappings.
3. In the Role-to-Group Mappings pane:
a. Choose a role to map and click Edit.
Figure 3-2 Role-to-Group Mappings panel
b. In the Edit Group dialog box (Figure 3-3), enter the LDAP group (it must exist) to which you want to map this role and click OK.
Figure 3-3 Add group to Role window
c. Select File → Save to store the changes.
Appendix A. Installing Tivoli <strong>Storage</strong><br />
Productivity Center 4.1 on<br />
Windows Server 2008<br />
A<br />
In this appendix, we explain how to install the Tivoli <strong>Storage</strong> Productivity Center 4.1. In the<br />
same procedure, we also install Tivoli <strong>Storage</strong> Productivity Center for Replication, the Tivoli<br />
Integrated Portal, and a DB2® database. In this installation, we use the most common default<br />
values, which are suitable for a majority of environments.<br />
Prerequisites: To install a Tivoli <strong>Storage</strong> Productivity Center server on Windows Server®<br />
2008, you must have the latest Windows Service Packs and Microsoft hot fixes installed.<br />
You must also first install the DB2 Server v9 for Windows.<br />
© Copyright <strong>IBM</strong> Corp. 2009. All rights reserved. 39
1. Before you launch the Tivoli <strong>Storage</strong> Productivity Center installation, in Windows Services,<br />
ensure that the DB2 services are started as indicated in the Status column in Figure A-1.<br />
This status is required because a DB2 database is installed in silent mode as part of the<br />
Tivoli <strong>Storage</strong> Productivity Center installation.<br />
Figure A-1 Windows Service Menu<br />
2. Launch the Tivoli <strong>Storage</strong> Productivity Center 4.1 installer.<br />
3. When prompted to select a language for the installation (Figure A-2), select your<br />
language. This setting is just the language for the installation wizard. You are prompted to<br />
select the language for Tivoli <strong>Storage</strong> Productivity Center later. Click OK.<br />
Figure A-2 Language selection<br />
4. In the License Agreement window, accept the terms of the license agreement to continue<br />
with the installation and click Next.<br />
40 <strong>IBM</strong> <strong>System</strong> <strong>Storage</strong> <strong>DS8000</strong>: <strong>LDAP</strong> <strong>Authentication</strong>
5. For the type of Installation (Figure A-3):<br />
a. Select Typical installation.<br />
b. Clear the Agents and the Register with the agent manager check boxes.<br />
c. Specify a directory for the Tivoli <strong>Storage</strong> Productivity Center installation or use the<br />
default C:\Program Files\<strong>IBM</strong>\TPC directory.<br />
d. Click Next.<br />
Figure A-3 Tivoli <strong>Storage</strong> Productivity Center Server - Installation type<br />
Appendix A. Installing Tivoli <strong>Storage</strong> Productivity Center 4.1 on Windows Server 2008 41
6. In the next window (Figure A-4), specify the DB2 administrator ID and password. The<br />
default user ID is DB2admin.<br />
DB2 user ID: You must create the DB2 user ID first in Windows user management and<br />
have administrator and DB2 permissions.<br />
In the lower part of the window, specify the server name, server port, and agent port if<br />
applicable. Click Next to continue.<br />
Figure A-4 Tivoli <strong>Storage</strong> Productivity Center DB2 user and server IP port settings<br />
42 <strong>IBM</strong> <strong>System</strong> <strong>Storage</strong> <strong>DS8000</strong>: <strong>LDAP</strong> <strong>Authentication</strong>
7. In the next window (Figure A-5), specify the Tivoli <strong>Storage</strong> Productivity Center<br />
administrator user ID and password. Again, the user ID should have operating system and<br />
database administrator authority.<br />
In the lower half of the window, enter the name of the Tivoli <strong>Storage</strong> Productivity Center<br />
server and the server port that will be used to communicate with the Tivoli <strong>Storage</strong><br />
Productivity Center server. Click Next.<br />
Figure A-5 IP settings<br />
Appendix A. Installing Tivoli <strong>Storage</strong> Productivity Center 4.1 on Windows Server 2008 43
8. As shown in (Figure A-6), select the authentication method to use for Tivoli <strong>Storage</strong><br />
Productivity Center. Select <strong>LDAP</strong>/Active Directory. Click Next.<br />
Figure A-6 Selecting the authentication method<br />
9. Define the basic LDAP connection settings (Figure A-7). Enter the LDAP server IP<br />
address and port number. If anonymous logins are allowed by the LDAP server, the user<br />
and password are optional. Otherwise, select an LDAP user with the administrator role.<br />
Click Next.<br />
Figure A-7 <strong>LDAP</strong> connection settings<br />
10. Specify appropriate values to reflect the structure of your LDAP directory (Figure A-8).<br />
Click Next.<br />
Figure A-8 LDAP user and group attributes<br />
11. Specify the LDAP user who will have administrator privileges for Tivoli Storage<br />
Productivity Center (Figure A-9). Click Next.<br />
Figure A-9 Administrator user for Tivoli <strong>Storage</strong> Productivity Center<br />
12. Review the summary information (Figure A-10). If you are satisfied with the values and<br />
features that you chose, click Install to start the installation process. Otherwise, click Back<br />
to change any of the installation values.<br />
Figure A-10 Summary information<br />
The Tivoli Storage Productivity Center installation now runs.<br />
13. In the Tivoli Storage Productivity Center for Replication installation window (Figure A-11),<br />
which opens when the installation is about ninety percent complete, click Next. This starts<br />
the Tivoli Storage Productivity Center for Replication installation wizard, which must finish<br />
before the Tivoli Storage Productivity Center installation can complete.<br />
Figure A-11 Installation of Tivoli <strong>Storage</strong> Productivity Center for Replication<br />
14. In the system prerequisite check window (Figure A-12), click Next.<br />
Figure A-12 System check<br />
15. Accept the License Agreement for the Tivoli Storage Productivity Center for Replication to<br />
continue the installation process (Figure A-13). Click Next.<br />
Figure A-13 License agreement<br />
16. In the next window (Figure A-14), specify the program installation directory or accept the<br />
default. Click Next.<br />
Figure A-14 Installation directory<br />
17. Specify the Tivoli Storage Productivity Center for Replication administrator user name and<br />
password (Figure A-15). Click Next.<br />
Figure A-15 Tivoli <strong>Storage</strong> Productivity Center for Replication - Administrator details<br />
18. As shown in Figure A-16, select the port for the WebSphere Application Server that Tivoli<br />
Storage Productivity Center for Replication uses for its runtime environment. The<br />
WebSphere Application Server is installed automatically. Click Next.<br />
Figure A-16 Port settings for WebSphere Application Server<br />
19. In the installation summary window (Figure A-17), review the details. If you are satisfied<br />
with the values, click Install to start the Tivoli Storage Productivity Center for Replication<br />
installation process. Otherwise, click Back to change any of the installation values.<br />
Figure A-17 Tivoli <strong>Storage</strong> Productivity Center for Replication - Installation summary window<br />
20. After the Tivoli Storage Productivity Center for Replication installation is complete, in the<br />
summary information window (Figure A-18), click Finish to return to the Tivoli Storage<br />
Productivity Center installation process.<br />
Figure A-18 Tivoli Storage Productivity Center for Replication - Installation complete<br />
The Tivoli Storage Productivity Center installation resumes.<br />
21. In the summary window (Figure A-19) that indicates successful installation of Tivoli<br />
Storage Productivity Center, click Finish.<br />
Figure A-19 Tivoli <strong>Storage</strong> Productivity Center - Installation finished<br />
You can now further configure your Tivoli <strong>Storage</strong> Productivity Center server as explained in<br />
2.4, “Creating the certificates and the truststore file” on page 13.<br />
Appendix B. Configuring Tivoli <strong>Storage</strong><br />
Productivity Center for <strong>DS8000</strong><br />
<strong>LDAP</strong> authentication<br />
If you already have Tivoli <strong>Storage</strong> Productivity Center 4.1 servers installed, but not configured<br />
for Lightweight Directory Access Protocol (<strong>LDAP</strong>) authentication, you must enable them for<br />
<strong>LDAP</strong>. To enable the servers for <strong>LDAP</strong>, you use Tivoli Integrated Portal before you configure<br />
the <strong>DS8000</strong> itself for <strong>LDAP</strong> authentication. In this appendix, we explain how to enable <strong>LDAP</strong><br />
on a Tivoli <strong>Storage</strong> Productivity Center 4.1 server.<br />
To configure Tivoli Storage Productivity Center for DS8000 LDAP support, begin by logging in<br />
to Tivoli Integrated Portal. Then proceed as explained in this appendix.<br />
Important: This configuration is only required when you want to enable <strong>LDAP</strong> support on<br />
an already installed Tivoli <strong>Storage</strong> Productivity Center server. Otherwise, <strong>LDAP</strong> support<br />
can be configured when you initially install a Tivoli <strong>Storage</strong> Productivity Center 4.1 server<br />
as explained in Appendix A, “Installing Tivoli <strong>Storage</strong> Productivity Center 4.1 on Windows<br />
Server 2008” on page 39.<br />
© Copyright <strong>IBM</strong> Corp. 2009. All rights reserved. 51
B.1 Securing the administration, applications, and<br />
infrastructure settings<br />
To secure the administration, applications, and infrastructure settings:<br />
1. From the Tivoli Integrated Portal console main window, select Security → Secure<br />
administration, applications, and infrastructure.<br />
2. On the administrative console page (Figure B-1 on page 53), configure administrative,<br />
application, and infrastructure security on a global level.<br />
a. Select Enable administrative security.<br />
By selecting this option, you enable administrative security for this application server<br />
domain. Administrative security requires users to authenticate before obtaining<br />
administrative control of the application server. When enabling security, set the<br />
authentication mechanism configuration, and specify a valid user ID and password (or<br />
a valid administrator ID when the internalServerID feature is used) in the selected<br />
registry configuration.<br />
Note: There is a difference between the user ID (normally called the administrator<br />
ID), which identifies administrators who manage the environment, and a server ID,<br />
which is used for server-to-server communication. You do not need to enter a server<br />
ID and password when you are using the internal server ID feature. However,<br />
optionally, you can specify a server ID and password. To specify the server ID and<br />
password:<br />
1. Click Security → Global security.<br />
2. Under User accounts repository, select the repository and click Configure.<br />
3. In the Server user identity section, specify the server ID and password.<br />
b. Select Enable application security.<br />
Administrative security alone does not provide full security. In most environments, you<br />
must also enable application and resource security by selecting Enable application<br />
security.<br />
c. Under User account repository, from the Available realm definitions field, select<br />
Federated repositories to use <strong>LDAP</strong> as your account repository. Then click<br />
Configure to open the General Properties page (Figure B-2).<br />
Figure B-1 Administrative console page<br />
B.2 Configuring federated repositories<br />
Use the General Properties page (Figure B-2) to manage the realm of your federated security<br />
repositories. The realm can consist of identities in the file-based repository that is built into the<br />
system, in one or more external repositories (<strong>LDAP</strong>), or in both the built-in, file-based<br />
repository, and one or more external repositories.<br />
To configure the federated repositories:<br />
1. For Realm name, specify a name of your choice for the realm, for example, TIPRealm. You<br />
can change the realm name afterwards.<br />
2. For Primary administrative user name, type the name of the user with administrative<br />
privileges that is defined in the repository, for example, superAdmin.<br />
3. Under Server user identity, select the Automatically generated server identity check<br />
box to enable the application server to generate the server identity that is used for internal<br />
process communication. You can change this server identity on the <strong>Authentication</strong><br />
mechanisms and expiration panel.<br />
4. Configure one or more Lightweight Directory Access Protocol (<strong>LDAP</strong>) repositories to store<br />
identities in the realm by using either of the following options as appropriate:<br />
– Click Add base entry to Realm to specify a repository configuration and a base entry<br />
into the realm. You can configure multiple different base entries in the same repository.<br />
– Click Remove to remove selected repositories from the realm. Repository<br />
configurations and contents are not destroyed.<br />
The following restrictions apply:<br />
► The realm must always contain at least one base entry. Therefore, you cannot<br />
remove all entries.<br />
► If you plan to remove the built-in, file-based repository from the administrative<br />
realm, verify that at least one user in another member repository is a console user<br />
with administrative rights. Otherwise, you must disable security to regain access to<br />
the administrative console.<br />
Figure B-2 General Properties page<br />
B.3 Adding a base entry to a realm<br />
When you click Add base entry to realm (Figure B-2), the page shown in Figure B-3 on<br />
page 55 is displayed. Use this page to configure secure access to an <strong>LDAP</strong> repository with<br />
optional failover servers.<br />
To add a repository to the realm:<br />
1. Click Add Repository to specify a new external repository or select an external repository<br />
that is preconfigured.<br />
Figure B-3 Adding a repository to the realm<br />
2. On the Repository configuration page (Figure B-4 on page 56):<br />
a. For Repository identifier, the value is the unique identifier for the <strong>LDAP</strong> repository that<br />
you entered in the General Properties (Figure B-3). This identifier uniquely identifies<br />
the repository, for example: c0y0te.<br />
b. For Directory type, select the type of <strong>LDAP</strong> server to which you connect from the<br />
drop-down list of <strong>LDAP</strong> directory types. For example, for use with an open<strong>LDAP</strong> server,<br />
select the Custom value.<br />
c. For Primary host name, specify the host name of the primary <strong>LDAP</strong> server. This host<br />
name is either an IP address or a Domain Name <strong>System</strong> (DNS) name.<br />
d. For Port, type the <strong>LDAP</strong> server port. The default value is 389, which is not a Secure<br />
Sockets Layer (SSL) connection. For some <strong>LDAP</strong> servers, you can specify a different<br />
port for a non-SSL or SSL connection.<br />
e. For Failover host name, specify the host name of the failover <strong>LDAP</strong> server. You can<br />
specify a secondary directory server to use in the event that your primary directory<br />
server becomes unavailable.<br />
f. For Support referrals to other <strong>LDAP</strong> servers, specify how referrals that are encountered<br />
by the <strong>LDAP</strong> server are handled. A referral is an entity that is used to redirect a client<br />
request to another <strong>LDAP</strong> server. A referral contains the names and locations of other<br />
objects. It is sent by the server to indicate that the information that the client requested<br />
can be found at another location, possibly at another server or several servers. The<br />
default value is ignore.<br />
g. For Bind distinguished name, type the distinguished name (DN) for the application<br />
server to use when binding to the <strong>LDAP</strong> repository. If no name is specified, the<br />
application server binds anonymously. In most cases, bind DN and bind password are<br />
required. However, when anonymous bind can satisfy all of the required functions, a<br />
bind DN and password are not required.<br />
h. For Bind password, type the password for the application server to use when binding to<br />
the <strong>LDAP</strong> repository.<br />
i. For Login properties, type the property names to use to log into the application server,<br />
for example, uid. This field accepts multiple login properties that are delimited by a<br />
semicolon (;). All login properties are searched during login. If multiple entries or no<br />
entries are found, an exception is thrown. For example, if you specify the login<br />
properties as uid and the login ID as Bob, the search filter searches for uid=Bob. When<br />
the search returns a single entry, authentication can proceed. Otherwise, an exception<br />
is thrown.<br />
j. For Certificate mapping, to map X.509 certificates into an LDAP directory, choose<br />
either EXACT_DN or CERTIFICATE_FILTER. Specify CERTIFICATE_FILTER to use the<br />
specified certificate filter for the mapping; with EXACT_DN, the certificate subject DN itself<br />
must match an entry in the repository.<br />
k. For Certificate filter, type the filter certificate mapping property for the <strong>LDAP</strong> filter. The<br />
filter is used to map attributes in the client certificate to entries in the <strong>LDAP</strong> repository.<br />
l. Select Require SSL communications to enable secure socket communication to the<br />
<strong>LDAP</strong> server. When enabled, the SSL settings for <strong>LDAP</strong> are used, if they are specified.<br />
m. Click OK to add the new repository.<br />
Figure B-4 Repository configuration<br />
3. On the next page (Figure B-5 on page 57), add the repository details:<br />
a. For Distinguished name that uniquely identifies this set of entries in the realm, add the<br />
DN that uniquely identifies this set of entries in the realm. If multiple repositories are<br />
included in the realm, define an additional DN that uniquely identifies this set of entries<br />
within the realm, for example: dc=tucson,dc=ibm,dc=com.<br />
b. For Distinguished name of a base entry in this repository, add the <strong>LDAP</strong> DN of the<br />
base entry within the repository. The entry and its descendents are mapped to the<br />
subtree that is identified by the unique base name entry field, for example:<br />
dc=tucson,dc=ibm,dc=com.<br />
If this field is left blank, the subtree defaults to the root of the <strong>LDAP</strong> repository.<br />
c. Click OK to save the changes.<br />
Figure B-5 Repository details<br />
As shown in Figure B-6, the repository was added successfully to the realm.<br />
Figure B-6 Repositories in the realm<br />
4. Click Apply to save the configuration.<br />
5. In the Messages box (Figure B-7), click Save to save the changes to the configuration.<br />
Figure B-7 Messages Box - Saving and reviewing the changes<br />
B.4 Setting additional properties<br />
Back in the General Properties window (Figure B-2 on page 54), you can configure additional<br />
properties, including performance, <strong>LDAP</strong> entity types, and group attribute definition<br />
(Figure B-8). While this section provides only an overview, see the product documentation for<br />
details.<br />
Figure B-8 Additional properties<br />
► Configuring performance<br />
Use the page shown in Figure B-9 to minimize the impact to performance by adding open<br />
connections and contexts to internally maintained pools and reusing them. These settings<br />
also minimize performance impacts by maintaining internal caches of retrieved data.<br />
Figure B-9 shows the performance settings that we used in our environment.<br />
Figure B-9 Adjusting performance settings<br />
► Setting up <strong>LDAP</strong> entity types<br />
Use the page shown in Figure B-10 to list entity types that are supported by the member<br />
repositories or to select an entity type to view or change its configuration properties. You<br />
must configure the supported entity types before you can manage this account with users<br />
and groups in the administrative console. The “Base entry for the default parent” column<br />
determines the repository location where entities of the specified type are placed on write<br />
operations by user and group management.<br />
After you add or update your federated repository configuration, go to the Security →<br />
Secure administration, applications, and infrastructure panel and click Apply to<br />
validate the changes.<br />
Figure B-10 Editing the Directory Structure settings<br />
► Specifying the group attribute definition<br />
Use the page shown in Figure B-11 to specify the name of the group membership<br />
attribute. Every <strong>LDAP</strong> entry includes this attribute to indicate the group to which this entry<br />
belongs.<br />
Figure B-11 General Properties<br />
As shown in Figure B-12, add a new members attribute collection to your configuration. In<br />
our case, the name of the member attribute is member, and the Object class is<br />
groupOfNames.<br />
Figure B-12 <strong>LDAP</strong> group DN to Tivoli Integrated Portal member mapping<br />
After you configure any of these additional properties, save your settings and apply the<br />
changes.<br />
Important: When you finish adding or updating your federated repository configuration, go<br />
to the Security → Secure administration, applications, and infrastructure panel and<br />
click OK then Apply to validate the changes.<br />
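As an added example (not IBM's code and not taken from the product), the following Python models the lookup that the repository settings in B.3 and the group attribute definition in B.4 drive: the semicolon-delimited login properties become a search filter scoped to the base entry, exactly one entry must match or the login fails, and group membership is read from the member attribute of groupOfNames entries. The directory contents, DNs and passwords are constructed for the example, and escape_filter_value is an added helper rather than a WebSphere setting.<br />

```python
"""Login lookup of a WebSphere federated LDAP repository, modelled on the
Appendix B settings: base entry, ';'-delimited login properties, the
exactly-one-match rule, and group membership through the 'member' attribute
of groupOfNames entries (B.4). Added example run against an in-memory
directory; it is not IBM's code and talks to no real LDAP server."""
import hmac
from dataclasses import dataclass

# RFC 4515 escaping for values placed into a search filter, so a login ID is
# matched literally rather than read as filter syntax.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


class LoginError(Exception):
    """Raised where the page says 'an exception is thrown'."""


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_login_properties(login_properties: str) -> list:
    props = [p.strip() for p in login_properties.split(";") if p.strip()]
    if not props:
        raise ValueError("at least one login property is required")
    return props


def build_login_filter(login_properties: str, login_id: str) -> str:
    """'uid' with login ID 'Bob' gives '(uid=Bob)'; 'uid;mail' ORs both."""
    clauses = [f"({p}={escape_filter_value(login_id)})"
               for p in split_login_properties(login_properties)]
    return clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"


@dataclass
class Repository:
    base_entry: str        # DN of the base entry, e.g. dc=tucson,dc=ibm,dc=com
    entries: dict          # constructed directory: DN -> {attribute: [values]}
    login_properties: str = "uid"
    member_attribute: str = "member"          # B.4 group attribute definition
    group_object_class: str = "groupOfNames"

    def _in_subtree(self, dn: str) -> bool:
        # Only the base entry and its descendants are mapped into the realm.
        dn, base = dn.lower(), self.base_entry.lower()
        return dn == base or dn.endswith("," + base)

    def find_login_entry(self, login_id: str) -> str:
        """Search every login property; exactly one entry must match."""
        wanted = login_id.lower()    # uid and mail match case-insensitively
        matches = [dn for dn, attrs in self.entries.items()
                   if self._in_subtree(dn)
                   and any(wanted in (v.lower() for v in attrs.get(p, []))
                           for p in split_login_properties(self.login_properties))]
        if len(matches) != 1:
            raise LoginError(
                f"{build_login_filter(self.login_properties, login_id)} matched "
                f"{len(matches)} entries under {self.base_entry}, expected 1")
        return matches[0]

    def groups_of(self, dn: str) -> list:
        """Groups (groupOfNames) whose member attribute lists this DN."""
        return sorted(g for g, attrs in self.entries.items()
                      if self.group_object_class in attrs.get("objectClass", [])
                      and dn in attrs.get(self.member_attribute, []))

    def authenticate(self, login_id: str, password: str) -> list:
        """Look the user up, then stand in for the bind as that DN with a
        constant-time compare against the constructed userPassword value."""
        dn = self.find_login_entry(login_id)
        stored = self.entries[dn].get("userPassword", [""])[0]
        if not hmac.compare_digest(stored.encode(), password.encode()):
            raise LoginError(f"bind as {dn} failed")
        return self.groups_of(dn)


def demo_repository() -> Repository:
    """Constructed sample directory: no real hosts, users or passwords."""
    base = "dc=tucson,dc=ibm,dc=com"
    people, groups = f"ou=people,{base}", f"ou=groups,{base}"
    entries = {
        f"uid=bob,{people}": {"uid": ["bob"], "mail": ["bob@example.com"],
                              "userPassword": ["bob-pw-constructed"]},
        f"uid=alice,{people}": {"uid": ["alice"], "mail": ["shared@example.com"],
                                "userPassword": ["alice-pw-constructed"]},
        f"uid=carol,{people}": {"uid": ["carol"], "mail": ["shared@example.com"],
                                "userPassword": ["carol-pw-constructed"]},
        # Same uid outside the base entry: invisible to this realm.
        "uid=bob,dc=other,dc=example": {"uid": ["bob"], "userPassword": ["x"]},
        f"cn=TPCAdmins,{groups}": {"objectClass": ["groupOfNames"],
                                   "member": [f"uid=bob,{people}"]},
        f"cn=TPCUsers,{groups}": {"objectClass": ["groupOfNames"],
                                  "member": [f"uid=bob,{people}", f"uid=alice,{people}"]},
    }
    return Repository(base, entries, login_properties="uid;mail")


if __name__ == "__main__":
    repo = demo_repository()
    print(build_login_filter(repo.login_properties, "Bob"))  # (|(uid=Bob)(mail=Bob))
    print(repo.authenticate("Bob", "bob-pw-constructed"))
```

Logging in as shared@example.com fails because two entries carry that mail value, which is the ambiguity the login properties field warns about when several properties are listed.<br />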
B.5 Managing users and groups<br />
To manage users and groups, from the Tivoli Integrated Portal console main window, select<br />
Security → Users and Groups. Then choose whether you want to manage users or groups:<br />
► Managing users<br />
Use the Manage Users window (Figure 3-4) to display a list of users that match your<br />
search criteria. You can perform additional tasks such as view more information about a<br />
user, change information about a user, add a new user, delete users, or duplicate the<br />
group assignments of a user for other users. You can also customize how the information<br />
is displayed in the table, as well as create and save customized search filters.<br />
Figure 3-4 Manage Users window<br />
► Managing groups<br />
Use the Manage Groups window (Figure B-13) to list groups that match your search criteria.<br />
You can perform additional tasks such as view more information about a group, change<br />
information about a group, add a new group, delete groups, or duplicate the group<br />
assignments of a group for other groups. You can also customize how the information is<br />
displayed in the table, as well as create and save customized search filters.<br />
Figure B-13 Manage Groups window<br />
Appendix C. Installing Tivoli Directory Server<br />
v6.2<br />
The Tivoli Directory Server uses the Lightweight Directory Access Protocol (<strong>LDAP</strong>) to provide<br />
a trusted identity data infrastructure for authentication in the following ways:<br />
► It provides identity management for companies that want to deploy a robust and scalable<br />
identity infrastructure.<br />
► It uses <strong>LDAP</strong> identity infrastructure software and meets <strong>LDAP</strong> v3 industry compliance<br />
standards.<br />
► It enhances proxy server capabilities with flow control for managing requests and paging<br />
search results for single and multiple partitions and a smart fail-back mechanism to<br />
restore servers safely.<br />
► It maintains high availability with master/subordinate and peer-to-peer replication<br />
capabilities and scheduled online or offline backup and remote restore.<br />
► It supports virtual list views so that you can scroll forward or backward through entries in a<br />
large sorted data set and can record deleted entries.<br />
► It supports leading platforms, including <strong>IBM</strong> AIX, i5/OS®, z/OS®, Sun Solaris,<br />
Microsoft Windows Server, HP-UX, and SUSE® and Red Hat® Linux distributions.<br />
In this appendix, we explain how to install and configure Tivoli Directory Server v6.2 in a<br />
Windows Server environment.<br />
C.1 Installing the server<br />
To install the server:<br />
1. In the ./tdsV6.2/tds/ directory, select the install_tds file to launch the installation.<br />
2. When prompted by the installation wizard (Figure C-1), select a language for the<br />
installation and click OK.<br />
Figure C-1 Selecting the language<br />
3. In the welcome panel, click Next.<br />
4. In the license agreement panel (Figure C-2), click I accept both the <strong>IBM</strong> and non-<strong>IBM</strong><br />
terms and then click Next.<br />
Figure C-2 License agreement panel<br />
5. In the next window (Figure C-3), choose the type of installation; normally, select<br />
Typical. Then click Next.<br />
Figure C-3 Selecting the type of installation<br />
6. Provide a DB2 user ID and password (Figure C-4).<br />
Figure C-4 Specifying a user ID for the DB2 administrator<br />
While you can select an existing user, you must ensure that the user is a member of the<br />
DB2ADMNS and DB2USERS groups as illustrated in Figure C-5.<br />
Figure C-5 User group membership of the DB2 administrator<br />
Back in the window shown in Figure C-4, click Next.<br />
7. In the installation summary panel (Figure C-6), if all the options are correct for your<br />
environment, click Install.<br />
Figure C-6 Summary before the installation<br />
Figure C-7 shows the installation process starting. This process might take a while,<br />
depending on the hardware.<br />
Figure C-7 DB2 installation progress<br />
8. After the installation completes successfully, in the installation window (Figure C-8), click<br />
Finish to continue with the configuration.<br />
Figure C-8 Successful installation<br />
C.2 Configuring the server instance<br />
The Tivoli Directory Server Instance Administration Tool (Figure C-9) starts automatically<br />
upon completion of the Tivoli Directory Server installation. To configure the server instance:<br />
1. In the Tivoli Directory Server Instance Administration Tool window, click Manage.<br />
Figure C-9 Tivoli Directory Server Instance Administrator Tool window<br />
In the left pane of the next window (Figure C-10 on page 67), you see some of the<br />
configuration tasks that can be performed:<br />
– Change the administrator user or password<br />
– Perform database related tasks such as backup and restore operations or tune the<br />
database performance settings.<br />
– Import existing LDAP Data Interchange Format (LDIF) files, which contain the object<br />
entries of the LDAP tree. This export/import function can also be used to create a<br />
backup of critical LDAP information.<br />
Figure C-10 Tivoli Directory Server Configuration Tool<br />
2. Make changes as required for your environment by selecting the appropriate options.<br />
Then proceed with the additional changes as documented in the following steps.<br />
3. Invoke the Web Administration Tool. From the Windows desktop, click Start → All<br />
Programs → <strong>IBM</strong> Tivoli Directory Server 6.2 → Web Administration Tool. The default<br />
browser opens.<br />
4. In the initial window (Figure C-11), enter the administrator user ID and password. The<br />
default user ID is superadmin and the default password is secret. Then click Login.<br />
Figure C-11 Console administrator login<br />
5. After a successful logon, in the Console administration pane (Figure C-12), change the<br />
default login user ID and password:<br />
– To change the login name, from the left pane, click Change console administrator<br />
login.<br />
– To change the password, from the left pane, click Change console administrator<br />
password.<br />
Note: This user ID and password change is not for the Windows Administrator user. For<br />
more information, see the documentation for Tivoli Directory Server in the information<br />
center at the following address:<br />
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.IBMDS.doc/toc.xml<br />
Add a console server connection by clicking Manage console servers and then clicking<br />
Add.<br />
Figure C-12 Console administration panel<br />
6. In the Manage console servers pane (Figure C-13), click Edit to review or change the<br />
parameters for the connection between the Web Admin tool and the <strong>LDAP</strong> Server<br />
Instance.<br />
Figure C-13 Manage console servers pane<br />
7. In the Edit server pane (Figure C-14), enter the server host name or IP address. Then<br />
click OK.<br />
Port: To view the port settings, in the Server Instance Administration Tool, select the<br />
instance and click View.<br />
Figure C-14 Properties of the server connection<br />
8. Log out of the Console administration window and log in again by clicking the here link.<br />
Now the login name has changed to the Directory server login.<br />
9. In the Directory server login window (Figure C-15), from the <strong>LDAP</strong> Server Name list,<br />
select an <strong>LDAP</strong> server if more than one is available. The User DN (cn=root in our case) is<br />
configured during the configuration of the first server instance. Type the password and<br />
click Login.<br />
Figure C-15 Directory Server Login<br />
Now you can start to build your directory structure by creating the different groups and users.<br />
Figure C-16 on page 70 through Figure C-20 on page 72 show examples of the different<br />
options that are available to manage your Tivoli Directory Server <strong>LDAP</strong> directory.<br />
Figure C-16 shows the welcome page.<br />
Figure C-16 Web Administration welcome page<br />
By selecting Server administration in the left pane in Figure C-16, you can edit the port<br />
setting or the administrator group, or you can set a password policy. You can also start and<br />
stop the server.<br />
Figure C-17 shows the Manage users pane.<br />
Figure C-17 Manage users pane<br />
Figure C-18 shows the Manage groups pane.<br />
Figure C-18 Manage groups pane<br />
Figure C-19 and Figure C-20 on page 72 show the Directory management panes for<br />
modifying existing directory entries.<br />
Figure C-19 Directory Content Management<br />
Figure C-20 Content Management User<br />
More information: For a detailed description, see the Tivoli Directory Server<br />
documentation in the information center at the following address:<br />
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.IBMDS.doc/toc.xml<br />
Appendix D. Installing open<strong>LDAP</strong> in a SUSE<br />
Linux environment<br />
In this appendix, we explain how to install open<strong>LDAP</strong> in a SUSE Linux environment. The<br />
SUSE Linux distribution contains the required packages for Lightweight Directory Access<br />
Protocol (<strong>LDAP</strong>) support.<br />
D.1 Installing the required <strong>LDAP</strong> packages<br />
To implement an <strong>LDAP</strong> server on a SUSE Linux Enterprise Server (SLES) 10 system, install<br />
the following packages:<br />
► openldap2<br />
► openldap2-clients<br />
► openldap2-devel<br />
► nss_ldap<br />
► pam_ldap<br />
To search for the <strong>LDAP</strong> packages:<br />
1. Enter the following command:<br />
yast2 sw_single &<br />
2. In the YaST2 installation window (Figure D-1):<br />
a. In the Search field, type the word ldap and click Search to obtain the list of packages<br />
that contain ldap in their name.<br />
b. Select the required packages (using the check boxes) and click Accept.<br />
Figure D-1 YaST2 installation window<br />
The packages are now being installed. Wait until the entire process completes.<br />
D.2 Configuring the <strong>LDAP</strong> server<br />
From YaST, choose the <strong>LDAP</strong> server. In the <strong>LDAP</strong> Server Configuration window (Figure D-2),<br />
select Yes to have the <strong>LDAP</strong> server automatically started when booting the server.<br />
Figure D-2 Selecting to start the <strong>LDAP</strong> server<br />
D.3 Configuring the <strong>LDAP</strong> client<br />
To configure the <strong>LDAP</strong> client:<br />
1. Enter the following command:<br />
yast2 ldap &<br />
2. In the <strong>LDAP</strong> Client Configuration window (Figure D-3):<br />
a. Under User <strong>Authentication</strong>, select Use <strong>LDAP</strong>.<br />
b. In the Address of <strong>LDAP</strong> Servers field, enter the <strong>LDAP</strong> server IP address.<br />
c. In the <strong>LDAP</strong> base DN field, enter the <strong>LDAP</strong> distinguished name (DN). Alternatively, you<br />
can click Fetch DN after you enter the <strong>LDAP</strong> server name (and assuming the service is<br />
started). In this case, a window is displayed in which you can select the DN.<br />
d. Click Advanced Configuration.<br />
Figure D-3 <strong>LDAP</strong> Client Configuration window<br />
3. In the Advanced Configuration window (Figure D-4), click the Client Settings tab and<br />
enter the values under Naming Contexts. The values should match the base DN specified<br />
in the <strong>LDAP</strong> Client Configuration window (Figure D-3 on page 76).<br />
Figure D-4 <strong>LDAP</strong> Advanced Configuration - Client Settings tab<br />
4. Click the Administration Settings tab (Figure D-5) and click Accept to complete the<br />
<strong>LDAP</strong> client configuration.<br />
Figure D-5 Advanced Configuration - Administration Settings tab<br />
5. Verify that your <strong>LDAP</strong> client is properly configured and working by entering your <strong>LDAP</strong><br />
server settings in the <strong>LDAP</strong> Browser dialog (Figure D-6).<br />
Figure D-6 <strong>LDAP</strong> Browser <strong>LDAP</strong> Server connection settings<br />
If successful, you see a view of the <strong>LDAP</strong> tree that lists all the configured entries on the<br />
<strong>LDAP</strong> server (Figure D-7).<br />
Figure D-7 <strong>LDAP</strong> Browser list<br />
At this stage, the installation is completed. You can now create and configure users and<br />
groups according to the directory structure you want.<br />
Appendix E. <strong>LDAP</strong> structure overview<br />
In this appendix, we provide a brief overview of the <strong>LDAP</strong> structure. The structure of the<br />
directory used with <strong>LDAP</strong> looks like an upside-down tree, with the root at the top. This is<br />
known as a directory information tree (DIT). The directory starts at a root entry and<br />
branches out into its different sections.<br />
The root of a directory service structure is tied to a domain. There are some circumstances<br />
where it is necessary to divide the information into two or more domain trees or directory<br />
information trees. This is known as a domain forest.<br />
Similar to a file directory on a PC, the branches in the directory service tree contain<br />
information or specific attributes about an object. Some of the object attributes are built by the<br />
position of that object within the tree structure, and some attributes are given separately.<br />
Figure E-1 on page 82 shows an example of a directory tree. In this example, the root of the<br />
directory is the country information, followed by the company name, then an identifier for the<br />
city, and underneath, branches for users, groups, or even printers.<br />
Figure E-1 Structure of an <strong>LDAP</strong> directory database<br />
Each object must have a unique identifier, known as the distinguished name (DN). This DN is<br />
built from the object’s relative distinguished name (RDN), which is a construct of some of the<br />
object’s attributes, followed by the parent object’s DN.<br />
As a way to illustrate the concept of DN and RDN, consider a full file name on a PC. As shown<br />
in Example E-1, the full name, including the whole path, can be thought of as the DN. The<br />
RDN is the short file name, relative to the subdirectory where the file is located.<br />
Example E-1 DN and RDN<br />
DN of win.com = C:\WINDOWS\system32\win.com<br />
RDN of win.com = win.com<br />
The DN is built up from the parent DNs:<br />
DN of = C:\<br />
DN of = WINDOWS<br />
DN of = system32<br />
When the object “win.com” is copied to “C:\WINDOWS\”, the DN changes to<br />
“C:\WINDOWS\win.com”, but the object and its attributes stay the same.<br />
The DN is not fixed for an object and can change. In our example, when the file is moved to a<br />
different subdirectory, the full file name (DN) changes. This is also the case for the DN of an<br />
object in Directory Services. Whenever the attributes that make up the object’s RDN, or its<br />
position in the tree, change, the DN of that object also changes.<br />
To uniquely identify objects, the <strong>LDAP</strong> server assigns a Universally Unique Identifier (UUID)<br />
to each object. Unlike the DN, the UUID never changes for as long as the object exists.<br />
Figure E-1 entries (labels recovered from the figure): c=us; o=ibm, o=xyz; ou=tucson, ou=raleigh, ou=new york; cn=groups, cn=users, cn=printers; cn=admins, cn=users; cn=diskAdmin, cn=tapeAdmin, cn=superAdmin; deviceID=printer1, deviceID=printer37<br />
Example E-2 shows an illustration from the test directory, which contains <strong>DS8000</strong> user<br />
information that we used in preparation of this paper.<br />
Example E-2 User attributes<br />
dn: uid=diskAdmin,cn=users,ou=tucson,o=ibm,c=us<br />
objectclass: inetOrgPerson<br />
objectclass: person<br />
objectclass: organizationalPerson<br />
cn: disk<br />
sn: admin<br />
mail: diskadmin@us.ibm.com<br />
uid: diskAdmin<br />
userpassword: passw0rd<br />
uuid: 25a8c2e8-1a3f-4ac4-b1b5-32d9b9188000<br />
This example shows how the DN was built from different attributes of the user. (<strong>LDAP</strong> lets you<br />
define which attributes must be listed for a valid DN. For our client for <strong>DS8000</strong> users, we<br />
configured a default base of cn=users,ou=tucson,o=ibm,c=us and uid as the specific user attribute;<br />
see Figure A-8 on page 45.)<br />
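As an added worked example, written for this page and not taken from the Redpaper, the Python below parses the Example E-2 entry, splits its DN into RDNs, checks that the DN follows the layout configured for <strong>DS8000</strong> users (uid under cn=users,ou=tucson,o=ibm,c=us), and shows that moving the object to another container changes its DN but not its UUID. The RFC 4514 escaped-comma handling and the check for a userPassword stored without a {SCHEME} prefix are additions of this example, not settings from the paper.<br />

```python
import re

# Constructed copy of the Example E-2 entry from the paper (values are the paper's own).
SAMPLE_LDIF = """\
dn: uid=diskAdmin,cn=users,ou=tucson,o=ibm,c=us
objectclass: inetOrgPerson
objectclass: person
objectclass: organizationalPerson
cn: disk
sn: admin
mail: diskadmin@us.ibm.com
uid: diskAdmin
userpassword: passw0rd
uuid: 25a8c2e8-1a3f-4ac4-b1b5-32d9b9188000
"""

# DN layout the paper configures for DS8000 users: uid under this base (Figure A-8).
USER_BASE_DN = "cn=users,ou=tucson,o=ibm,c=us"
USER_RDN_ATTR = "uid"


def parse_ldif(text):
    """Parse one LDIF entry into {attribute (lower-cased): [values]}."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def split_dn(dn):
    """Split a DN into its RDNs; an RFC 4514 escaped comma (\\,) does not split."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]

def parent_dn(dn):
    """Everything after the first RDN is the parent object's DN."""
    return ",".join(split_dn(dn)[1:])

def check_user_entry(entry, base_dn=USER_BASE_DN, rdn_attr=USER_RDN_ATTR):
    """Confirm the DN is '<rdn_attr>=<value>,<base_dn>' and flag a cleartext password."""
    dn = entry["dn"][0]
    first = split_dn(dn)[0]
    attr, _, value = first.partition("=")
    return {
        "rdn": first,
        "parent": parent_dn(dn),
        "rdn_attr_ok": attr.lower() == rdn_attr and value in entry.get(rdn_attr, []),
        "base_ok": parent_dn(dn).lower() == base_dn.lower(),
        # userPassword without a {SCHEME} prefix (e.g. {SSHA}) is stored in the clear;
        # an entry with no userPassword at all is reported as True (nothing exposed).
        "password_hashed": all(v.startswith("{") for v in entry.get("userpassword", [])),
    }

def move_entry(entry, new_parent_dn):
    """Moving the object changes its DN (new parent) but leaves its UUID untouched."""
    moved = {k: list(v) for k, v in entry.items()}
    moved["dn"] = [split_dn(entry["dn"][0])[0] + "," + new_parent_dn]
    return moved
```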
Index<br />
A<br />
administration for users, groups, and roles 33<br />
administration, applications, and infrastructure settings<br />
52<br />
administrative security 52<br />
administrator role 2, 34<br />
application security 52<br />
<strong>Authentication</strong> Client 8<br />
<strong>Authentication</strong> Server 7–8<br />
B<br />
base entry added to a realm 54<br />
basic user management 1–2<br />
C<br />
CA (certificate authority) 15<br />
certificate authority (CA) 15<br />
certificate creation 13<br />
chauthpol command 31<br />
Copy Services operator role 2, 34<br />
D<br />
data repository 5<br />
DB2 Server v9 for Windows 39<br />
device server 20<br />
directory 5<br />
Directory Information Tree (DIT) 81<br />
Directory Services 1<br />
<strong>LDAP</strong> 5<br />
Directory Services-based user authentication 1<br />
directory structure 69<br />
distinguished name (DN) 55, 82<br />
DN (distinguished name) 82<br />
DNS (Domain Name <strong>System</strong>) 6<br />
domain 81<br />
forest 81<br />
Domain Name <strong>System</strong> (DNS) 6<br />
DS CLI 4<br />
DS GUI 3<br />
<strong>DS8000</strong><br />
basic user management and access 2<br />
benefits of <strong>LDAP</strong> authentication for administrators and<br />
users 8<br />
configuration for <strong>LDAP</strong> authentication 22<br />
HMC 2<br />
<strong>LDAP</strong> authentication 1, 7<br />
E<br />
Enterprise <strong>Storage</strong> <strong>System</strong> Network Interface (ESSNI)<br />
client 3, 7<br />
server 2–3, 7<br />
ESS service port 23<br />
ESSNI (Enterprise <strong>Storage</strong> <strong>System</strong> Network Interface)<br />
client 3, 7<br />
server 2–3, 7<br />
F<br />
federated repositories 53<br />
G<br />
group administration 33<br />
group attribute definition 59<br />
group management 60<br />
H<br />
Hardware Management Console (HMC) 2<br />
HMC (Hardware Management Console) 2<br />
I<br />
iKeyman utility 14<br />
J<br />
jython 19<br />
L<br />
<strong>LDAP</strong> (Lightweight Directory Access Protocol) 6–7<br />
authentication<br />
benefits 8<br />
configuration in Tivoli <strong>Storage</strong> Productivity Center<br />
51<br />
for <strong>DS8000</strong> 1<br />
Directory Services 5<br />
entity types 58<br />
group mappings<br />
DS CLI 35<br />
DS GUI 34<br />
Tivoli <strong>Storage</strong> Productivity Center roles 36<br />
implementation for the <strong>DS8000</strong> 11<br />
installation of servers 12<br />
structure overview 81<br />
SUSE Linux<br />
client configuration 75<br />
required packages 74<br />
Lightweight Directory Access Protocol (<strong>LDAP</strong>) 1, 6–7,<br />
33, 61<br />
authentication<br />
benefits 8<br />
configuration in Tivoli <strong>Storage</strong> Productivity Center<br />
51<br />
for <strong>DS8000</strong> 1<br />
Directory Services 5<br />
entity types 58<br />
group mappings<br />
DS CLI 35<br />
DS GUI 34<br />
Tivoli <strong>Storage</strong> Productivity Center roles 36<br />
implementation for the <strong>DS8000</strong> 11<br />
installation of servers 12<br />
structure overview 81<br />
SUSE Linux<br />
client configuration 75<br />
required packages 74<br />
server configuration 75<br />
Lightweight Third Party <strong>Authentication</strong> (LTPA) 19<br />
logical operator role 2, 34<br />
Lotus Domino 6<br />
lsauthpol command 29, 31<br />
LTPA (Lightweight Third Party <strong>Authentication</strong>) 19<br />
LTPA keys<br />
CLI to export and import 19<br />
GUI to export and import 21<br />
M<br />
Manage Groups 60<br />
Manage Users 60<br />
Microsoft Active Directory 7<br />
mkuser command 5<br />
monitor role 3, 34<br />
N<br />
no access role 3, 34<br />
O<br />
open<strong>LDAP</strong> 13, 73<br />
for Linux 7<br />
installation in a SUSE Linux environment 73<br />
P<br />
performance configuration 58<br />
physical operator role 2, 34<br />
port number 23<br />
R<br />
RDN (relative distinguished name) 82<br />
realm 53<br />
adding a base entry 54<br />
<strong>Redbooks</strong> Web site 85<br />
Contact us viii<br />
referral 55<br />
relative distinguished name (RDN) 82<br />
repository 52<br />
Request for Comments (RFCs) 6<br />
RFC (Request for Comments) 6<br />
role-based authorization, Tivoli <strong>Storage</strong> Productivity Center<br />
36<br />
roles 2<br />
administration 33<br />
S<br />
SAS (<strong>Storage</strong> <strong>Authentication</strong> Service) 8<br />
server ID 52<br />
setauthpol command 30<br />
setauthserver command 30<br />
settruststore command 30<br />
showauthpol command 31<br />
single sign-on (SSO) 19<br />
SSPC (<strong>Storage</strong> <strong>System</strong> Productivity Center) 13<br />
SSPC (<strong>System</strong> <strong>Storage</strong> Productivity Center) 3<br />
<strong>Storage</strong> <strong>Authentication</strong> Service (SAS) 8<br />
<strong>Storage</strong> <strong>System</strong> Productivity Center (SSPC) 13<br />
SUSE Linux, open<strong>LDAP</strong> installation 73<br />
<strong>System</strong> <strong>Storage</strong> Productivity Center (SSPC) 3<br />
T<br />
testauthpol command 31<br />
Tivoli Directory Server 6, 61<br />
v6.2 installation 61<br />
Tivoli Directory Server Instance Administration Tool 66<br />
Tivoli Integrated Portal 1, 8, 13<br />
Tivoli <strong>Storage</strong> Productivity Center<br />
configuration for <strong>LDAP</strong> authentication 51<br />
Directory Services-based user authentication 1<br />
installation and configuration of servers 13<br />
installation of v4.1 39<br />
role-based authorization 36<br />
user administration for servers 36<br />
v4.1 installation on Windows Server 2008 39<br />
Tivoli <strong>Storage</strong> Productivity Center for Replication 46<br />
truststore file 8, 13<br />
copying 22<br />
creation 13<br />
U<br />
Universally Unique Identifier (UUID) 82<br />
user account repository 52<br />
user administration 33<br />
user management 60<br />
user repository 2<br />
user roles 2, 34<br />
UUID (Universally Unique Identifier) 82<br />
W<br />
Windows Server 2008, installation of Tivoli <strong>Storage</strong> Productivity<br />
Center v4.1 39<br />
wsadmin command 19<br />
X<br />
X.500 6<br />
Y<br />
YaST 75
Back cover<br />
Starting with release 4.2, the <strong>IBM</strong> <strong>System</strong> <strong>Storage</strong> <strong>DS8000</strong> series<br />
offers the ability to replace the locally based user ID and password<br />
administration with a centralized directory based approach. This<br />
release also allows a single sign-on capability for multiple <strong>DS8000</strong><br />
servers and possibly other servers in your environment.<br />
This <strong>IBM</strong> Redpaper publication helps <strong>DS8000</strong> storage<br />
administrators understand the concepts and benefits of<br />
directories. It provides information that is required for<br />
implementing a <strong>DS8000</strong> authentication approach based on the<br />
Lightweight Directory Access Protocol (<strong>LDAP</strong>).<br />