Implement LDAP authentication for the DS8000
Configure the required Tivoli Storage Productivity Center v4.1
Benefit from single sign-on
ibm.com/redbooks
Redpaper
International Technical Support Organization
IBM System Storage DS8000: LDAP Authentication
May 2009
REDP-4505-00
Note: Before using this information and the product it supports, read the information in Notices on page v.
First Edition (May 2009) This edition applies to the IBM System Storage DS8000 with Licensed Machine Code 5.4.20.xx (code bundles 64.20.x.x).
Copyright International Business Machines Corporation 2009. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

Notices  v
Trademarks  vi
Preface  vii
The team that wrote this paper  vii
Become a published author  viii
Comments welcome  viii

Chapter 1. LDAP authentication for DS8000  1
1.1 DS8000 basic user management and access  2
1.2 Directory Services and LDAP  5
1.3 Overview of LDAP-based authentication for the DS8000  7
1.4 Benefits for DS8000 administrators and users  8

Chapter 2. Implementing LDAP for the DS8000  11
2.1 Test environment  12
2.2 Installing the LDAP servers  12
2.3 Installing and configuring the Tivoli Storage Productivity Center servers  13
2.4 Creating the certificates and the truststore file  13
2.4.1 Creating the certificate and the truststore file on TPC server1  13
2.4.2 Setting up TPC server2  18
2.4.3 Copying the truststore file from TPC server1 to TPC server2  22
2.5 Configuring the DS8000 for LDAP authentication  22

Chapter 3. User, group, and role administration  33
3.1 DS8000 to LDAP groups mappings using the DS GUI  34
3.2 DS8000 to LDAP groups mappings using the DS CLI  35
3.3 User administration for Tivoli Storage Productivity Center servers  36
3.3.1 Tivoli Storage Productivity Center roles to LDAP group mappings  36

Appendix A. Installing Tivoli Storage Productivity Center 4.1 on Windows Server 2008  39

Appendix B. Configuring Tivoli Storage Productivity Center for DS8000 LDAP authentication  51
B.1 Securing the administration, applications, and infrastructure settings  52
B.2 Configuring federated repositories  53
B.3 Adding a base entry to a realm  54
B.4 Setting additional properties  57
B.5 Managing users and groups  60

Appendix C. Installing Tivoli Directory Server v6.2  61
C.1 Installing the server  62
C.2 Configuring the server instance  66

Appendix D. Installing openLDAP in a SUSE Linux environment  73
D.1 Installing the required LDAP packages  74
D.2 Configuring the LDAP server  75
D.3 Configuring the LDAP client  75

Appendix E. LDAP structure overview  81

Related publications  85
IBM Redbooks  85
Other publications  85
How to get Redbooks  85
Help from IBM  85

Index  87
Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A. The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. 
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. These and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating US registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at http://www.ibm.com/legal/copytrade.shtml

The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:
AIX, DB2, Domino, DS6000, DS8000, Enterprise Storage Server, i5/OS, IBM, Lotus, Redbooks, Redbooks (logo), Redpaper, System Storage, Tivoli, WebSphere, z/OS
The following terms are trademarks of other companies: SUSE, the Novell logo, and the N logo are registered trademarks of Novell, Inc. in the United States and other countries. Interchange, Red Hat, and the Shadowman logo are trademarks or registered trademarks of Red Hat, Inc. in the U.S. and other countries. Java, Solaris, Sun, and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Active Directory, Microsoft, Windows Server, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.
Preface
Starting with release 4.2, the IBM System Storage DS8000 series offers the ability to replace the locally based user ID and password administration with a centralized, directory-based approach. This release also enables single sign-on across multiple DS8000 servers and, potentially, other servers in your environment. This IBM Redpaper publication helps DS8000 storage administrators understand the concepts and benefits of directories. It provides the information that is required to implement DS8000 authentication based on the Lightweight Directory Access Protocol (LDAP).
Thanks to the following people for their contributions to this project: Sondra Ashmore, Kevin Gibble, Rakesh Jain, Markus Navarro, Thuan Q. Nguyen, and Kavita Shah of IBM U.S. Uwe Dubberke and Gerhard Pieper of IBM Germany Brian Sherman of IBM Canada
Comments welcome
Your comments are important to us! We want our papers to be as helpful as possible. Send us your comments about this paper or other IBM Redbooks in one of the following ways:
- Use the online Contact us review Redbooks form found at: ibm.com/redbooks
- Send your comments in an e-mail to: redbooks@us.ibm.com
- Mail your comments to: IBM Corporation, International Technical Support Organization, Dept. HYTD Mail Station P099, 2455 South Road, Poughkeepsie, NY 12601-5400
Chapter 1. LDAP authentication for DS8000

1.1 DS8000 basic user management and access
Whenever a user is added, a password is initially assigned by the administrator. At the first sign-on, users must change their password. The user ID is deactivated if an invalid password is entered more times than the limit that the administrator defines as part of the security settings. The password for each user account must adhere to the following rules:
- The length of the password must be between 6 and 16 characters.
- The password must begin and end with a letter.
- The password must have at least five letters.
- The password must contain at least one number.
- The password cannot be identical to the user ID.
- The password cannot be a previous password.

General password settings include the time period in days after which passwords expire and the number of failed logins that are allowed.

User management is restricted to the following predefined user roles:

Administrator: Allows access to all storage management console server service methods and all storage image resources.

Logical operator: Allows access to service methods and resources that relate to logical volumes, hosts, host ports, logical subsystems, and volume groups, excluding security methods.

Physical operator: Allows access to physical configuration service methods and resources, including Storage Complex, Storage Image, Rank, Array, and Extent Pool objects.

Copy Services operator: Allows access to all Copy Services service methods and resources, excluding security methods.

Monitor: Allows access to list and show commands. It provides access to all read-only, nonsecurity management console server service methods and resources.

No access: Does not allow access to any service method or storage image resources. By default, this user group is assigned to any user account in the security repository that is not associated with any other user group.
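As an added illustration (this is not code from the Redpaper or from any IBM tool), the following Python checker applies the six basic-authentication password rules listed above to a candidate password and reports every rule it breaks, so an administrator can test a password before passing it to mkuser -pw. The function names and the sample passwords in the self-test are my own; the DS8000 itself enforces these rules on the HMC and this script only mirrors them.

```python
"""Checker for the DS8000 basic-authentication password rules (added example).

The six rules are the ones stated in the text; everything else here
(function names, sample values) is an assumption for illustration.
"""
from typing import List, Optional

MIN_LENGTH, MAX_LENGTH = 6, 16   # "between 6 and 16 characters"
MIN_LETTERS = 5                  # "at least five letters"


def _is_letter(ch: str) -> bool:
    # The DS CLI examples use plain ASCII letters; count only those as letters.
    return ch.isascii() and ch.isalpha()


def password_violations(password: str, user_id: str,
                        previous_passwords: Optional[List[str]] = None) -> List[str]:
    """Return the list of rules the candidate password violates.

    An empty list means the password is acceptable under all six rules.
    `previous_passwords` is the user's password history (rule 6).
    """
    history = previous_passwords or []
    problems: List[str] = []

    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        problems.append(f"length must be between {MIN_LENGTH} and {MAX_LENGTH} characters")

    # Rule 2: first and last character must be letters (guard the empty string).
    if not (password and _is_letter(password[0]) and _is_letter(password[-1])):
        problems.append("must begin and end with a letter")

    if sum(1 for ch in password if _is_letter(ch)) < MIN_LETTERS:
        problems.append(f"must contain at least {MIN_LETTERS} letters")

    if not any(ch.isdigit() for ch in password):
        problems.append("must contain at least one number")

    if password == user_id:
        problems.append("cannot be identical to the user ID")

    if password in history:
        problems.append("cannot be a previous password")

    return problems


def is_acceptable(password: str, user_id: str,
                  previous_passwords: Optional[List[str]] = None) -> bool:
    """True when the password satisfies every rule."""
    return not password_violations(password, user_id, previous_passwords)


if __name__ == "__main__":
    # Constructed samples: the password from Example 1-1 and two that break a rule.
    for candidate in ("AB9cdefg", "ABCdefgh", "9ABcdefg"):
        print(candidate, "->", password_violations(candidate, "csadmin") or "OK")
```

The checker reports all violations at once rather than stopping at the first, which is what you want when generating initial passwords in bulk for a new set of accounts.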
Communications between the DS8000 HMC and the administrative clients are managed by a client/server connection between the ESSNI server on the DS8000 HMC and the host running an ESSNI client. Regardless of the connection type, every connection must authenticate with a user ID and password against the ESSNI server that is running on the HMC. Figure 1-1 illustrates the different possible communications between administrative clients and the DS8000 HMC, as well as the communication flow.
[Figure 1-1, diagram not reproduced. Administrative clients shown: Browser, TPC GUI, TPC, Remote desktop, and DS CLI Client. DS8000 HMC 1 (in front of DS 8000 Complex 1) and DS8000 HMC 2 (in front of DS 8000 Complex 2) each run an ESSNI Server with its own local User repository; every client path ends at one of those ESSNI servers.]
An administrative client has the following possible connections:
- Connection through the System Storage Productivity Center (SSPC). The ESSNI client is part of the Tivoli Storage Productivity Center running at the SSPC.
- Connection from a browser connected to the SSPC or to Tivoli Storage Productivity Center on any server. The ESSNI client is part of the DS graphical user interface (GUI) that is started within a Java applet during the connection.
- Connection from a separate Tivoli Storage Productivity Center workstation connected to the HMC. The ESSNI client is part of the Tivoli Storage Productivity Center running on this workstation.
- Connection by using Microsoft Windows Remote Desktop to the SSPC. The ESSNI client is part of the Tivoli Storage Productivity Center running on the SSPC.
- Connection directly to the HMC by using the DS command-line interface (CLI). The ESSNI client is part of the DS CLI.

User management and administration are done by using the DS GUI (through the SSPC) or the DS CLI. To work with user administration:
1. Sign on to the DS GUI.
2. From the selection menu on the left (Figure 1-2), select Real-time manager > Monitor System and click User Administration.
3. In the Basic Authentication User Administration panel on the right, click the Select action list and select Add user.
4. In the Add/Modify User window (Figure 1-3), add a user by entering the user ID, the temporary password, and the role. The role decides the type of activities that this user can perform. You can temporarily deactivate the user ID by selecting No access (only).
You can also use the DS CLI to perform user administration tasks. Example 1-1 illustrates use of the mkuser command to add a new user, named csadmin.
Example 1-1 Adding a user by using the DS CLI
dscli>mkuser -pw AB9cdefg -group service,op_copy_services csadmin
Date/Time: 16. Mrz 2009 15:01:33 GMT-07:00 IBM DSCLI Version: 5.4.2.540 DS:
CMUC00133I mkuser: User csadmin successfully created.

For the exact syntax of any DS CLI command, see the IBM System Storage DS8000: Command-Line Interface User's Guide, SC26-7916. You can also use the DS CLI help command for further assistance.
find resources that have the characteristics needed for a particular task. A directory can also be used to store user IDs, passwords, and other credentials of system users. For example, the World Wide Web cannot function without a directory of available servers: the Domain Name System (DNS). DNS lets users reach Web servers by name without knowing their IP addresses. A directory is often described as a database, but a specialized one with characteristics that set it apart from general-purpose relational databases. One special characteristic of directories is that they are accessed (read or searched) far more often than they are updated (written). Hundreds of people might look up an individual's phone number, or thousands of print clients might look up the characteristics of a particular printer, but the phone number or printer characteristics rarely change. As the number of networks and applications has grown, so has the number of specialized directories, resulting in islands of information that are difficult to share and manage. The ability to maintain and access all of this information in a consistent and controlled manner provides a focal point for integrating a distributed environment into a consistent and seamless system. LDAP is an open industry standard that has evolved to meet these needs. LDAP defines a standard method for accessing and updating information in a directory. LDAP has gained wide acceptance as the directory access method of the Internet and is, therefore, becoming strategic within corporate intranets. LDAP defines a communication protocol. That is, it defines the transport and format of the messages that a client uses to access data in an X.500-like directory. LDAP does not define the directory service itself.
When people talk about the LDAP directory, they are referring to the information that is stored in it and that can be retrieved through the LDAP protocol. All LDAP servers share many basic characteristics because they are based on the industry-standard Requests for Comments (RFCs). However, because of implementation differences, they are not all completely compatible with each other where the standard leaves behavior undefined. For more information about RFCs, particularly the LDAP RFCs 4510 through 4533, see the following Web address:
http://www.ietf.org/rfc.html
The implementation of a directory service is based on a client/server relationship. If an application needs data from an object stored in a directory, the application must integrate with a client that connects to the directory server. The server reads its database and sends the data back to the client application. For a more detailed description of LDAP, see the IBM Redbooks publication Understanding LDAP - Design and Implementation, SG24-4986.

The following directory servers are the most common:
- IBM Tivoli Directory Server
  http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp
  For installation and configuration steps, see Appendix C, Installing Tivoli Directory Server v6.2 on page 61.
- IBM Lotus Domino
  http://www.ibm.com/software/lotus/products/domino/
- Microsoft Active Directory
  http://www.microsoft.com/windowsserver2008/en/us/active-directory.aspx
- openLDAP for Linux
  http://www.openldap.org/
  For installation and configuration steps, see Appendix D, Installing openLDAP in a SUSE Linux environment on page 73.
[Figure 1-4, diagram not reproduced. Components shown: Browser and Tivoli Storage Productivity Center GUI; Tivoli Storage Productivity Center 4.1 with its Authentication Server and an LDAP Service; DS8000 HMC 1 (DS8000 Complex 1) and DS8000 HMC 2 (DS8000 Complex 2), each running an ESSNI Server and an Authentication Client; a Host System with an ESSNI Client; Remote desktop; DS CLI Client. Clients reach the HMCs directly over TCP/IP or through Tivoli Storage Productivity Center. Circled numbers 1 through 10 mark the request sequence described in the text. Callouts: "The authentication is now managed through the Authentication Server, a Tivoli Storage Productivity Center component, and a new authentication client at the HMC." and "The authentication server provides the connection to the LDAP or other repositories."]

Figure 1-4 Communication between the DS8000 HMC, Tivoli Storage Productivity Center, LDAP and DS CLI or DS GUI client
Communication between the DS8000 HMC and the various administrative clients (DS CLI, DS GUI) is unchanged compared to basic user authentication. The communication model still uses a client/server connection between the DS8000 HMC ESSNI server and the administrative client's ESSNI client. The big difference from basic authentication is that the DS8000 user IDs (as used by the DS CLI or the DS GUI) are no longer locally managed and stored at the HMC. Instead, they are managed and stored in an LDAP directory server. However, the HMC does not communicate with the LDAP server directly. The HMC is configured to authenticate user IDs and passwords against a new service provided by Tivoli Storage Productivity Center v4.1, called the Authentication Server. This Authentication Server in Tivoli Storage Productivity Center receives authentication requests from an Authentication Client that is located at the HMC, and it is the Authentication Server that acts as the LDAP client and forwards those requests to the LDAP servers.

Note: Tivoli Storage Productivity Center users are also now managed by LDAP.

The HMC can still support basic authentication. The authentication method (either basic or LDAP) is selected by setting an authentication policy in the DS GUI user administration menu. By default, the HMC is not configured to use LDAP, so the Authentication Client that resides at the HMC is not used; the initial authentication policy is the basic method. The two methods are mutually exclusive. To use LDAP authentication, the authentication type at the DS8000 must be changed to Storage Authentication Service (SAS). The SAS policy includes all the information that is required for the LDAP connection and authentication: the host name or IP address of the Authentication Server, and the location of the truststore file, which contains the certificate of the Authentication Server. That certificate is used to establish a Secure Sockets Layer (SSL) connection between the Authentication Server and the Authentication Clients. Because the default Tivoli Integrated Portal certificate is self-signed, the truststore effectively pins the identity of the Authentication Server: the HMC trusts whichever server holds the private key that matches the certificate in that file. The communication between the LDAP server and the Authentication Server can also be configured to use SSL, but it is not required. Without SSL, an LDAP simple bind sends the user's password in clear text on that hop, so enable SSL there unless the LDAP server and the Authentication Server share a host or an isolated management network.

As stated previously, the Authentication Server is provided by Tivoli Storage Productivity Center 4.1, which also includes the Tivoli Integrated Portal. Tivoli Integrated Portal is a browser-based utility that is used to administer and manage the Authentication Server. When provided with the correct authority, Tivoli Integrated Portal can also be used to administer LDAP users and groups through a Web browser started on any host.

For example, when using the DS CLI, the connection from a user standpoint is still established as it was without LDAP. The user establishes the connection by specifying the IP address of the HMC and is prompted for a user ID and password. Now, because the DS8000 has an active SAS policy, the Authentication Client sends the user request to the Authentication Server. The Authentication Server validates the user's credentials with LDAP. If they are valid, an authentication OK token is returned to the ESSNI server, which executes the command against the DS8000. In Figure 1-4 on page 7, this sequence is noted by the circled numbers.
- More flexible user management. You have different ways to add, change, or remove a user ID or to reset a password:
  - Directly with the LDAP server GUI
  - By using the Web (for example, the Tivoli Directory Server Web Administration Tool)
  - User management by using the Tivoli Integrated Portal of Tivoli Storage Productivity Center 4.1
- Use of the same user ID to access all DS8000 systems in the enterprise
- Password policy management

Tip: Use LDAP if it is already in use, or if you have a large pool of DS8000 systems and other LDAP-enabled servers to administer.

Even though LDAP support can provide single sign-on (SSO) capability by using the same credentials to access multiple DS8000 servers, it remains possible to create separate user IDs for one person while still maintaining those user IDs in LDAP. This is important if the same person needs to access multiple DS8000 servers with different authorization levels. Security isolation between multiple DS8000 systems therefore remains possible with LDAP.
Chapter 2. Implementing LDAP for the DS8000
Alternatively in a Linux environment, you can opt for an openLDAP server. For details, see D.1, Installing the required LDAP packages on page 74. As previously indicated, also provision a second (standby) LDAP server for redundancy. We refer to those LDAP servers in this paper as LDAP server1 and LDAP server2.
2.3 Installing and configuring the Tivoli Storage Productivity Center servers
IBM Tivoli Storage Productivity Center is storage infrastructure management software that can centralize, automate, and simplify the management of complex and heterogeneous storage environments. Tivoli Storage Productivity Center is included on the System Storage Productivity Center (SSPC) console that is recommended with a DS8000 installation. Remember that Tivoli Storage Productivity Center, or the SSPC (which includes Tivoli Storage Productivity Center), is now required for DS8000 GUI access. Tivoli Storage Productivity Center v4.1 is required for LDAP authentication support. If you plan to, or must, install a new Tivoli Storage Productivity Center server, see the installation instructions in Appendix A, Installing Tivoli Storage Productivity Center 4.1 on Windows Server 2008 on page 39. As previously indicated, you must also provision a second (standby) Tivoli Storage Productivity Center server for redundancy. We refer to those Tivoli Storage Productivity Center servers as TPC server1 and TPC server2. If you already have Tivoli Storage Productivity Center 4.1 servers installed, but not configured for LDAP authentication, use the Tivoli Integrated Portal component of Tivoli Storage Productivity Center to configure them for LDAP. For more information, see Appendix B, Configuring Tivoli Storage Productivity Center for DS8000 LDAP authentication on page 51. After the Tivoli Storage Productivity Center servers are installed and configured for LDAP, proceed to the following section, 2.4, Creating the certificates and the truststore file.
2.4.1 Creating the certificate and the truststore file on TPC server1
Tivoli Storage Productivity Center v4.1 server administration is done through a component called the Tivoli Integrated Portal. Tivoli Integrated Portal provides a GUI front end to Tivoli Storage Productivity Center administration, accessible from a Web browser. It is packaged with Tivoli Storage Productivity Center 4.1 and is installed automatically as part of any Tivoli Storage Productivity Center 4.1 installation.
To create the certificate and truststore file:

1. Open a Web browser and point it to the Tivoli Integrated Portal, which is typically accessible from the following URL:
   https://IP-Address:16311/ibm/console
   The default Tivoli Integrated Portal installation secures the HTTPS transport with a self-signed certificate. Depending on the browser that you use, you might receive an exception message and have to accept that certificate as a trusted certificate.

2. Export the certificate:
   a. Log in to the Tivoli Integrated Portal console.
   b. Navigate to the SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore > Personal certificates > Extract certificate page (Figure 2-2).
   c. Under General Properties, enter the path and file name on the IBM Tivoli Integrated Portal server indicating where to extract the certificate. For example, if you enter the path and name c:\default_itso.cer, the default_itso.cer file is generated in the C:\ root folder of the Tivoli Storage Productivity Center server. The file name can be any name that you choose. Data type defines the encoding scheme (for example, Base64 encoded ASCII data) for the SSL certificate. Click OK.
3. Create the truststore file:
   a. Launch the iKeyman utility that is included with Tivoli Storage Productivity Center 4.1. For example, on Windows Server 2003, open a Command Prompt window and enter the following command to open the IBM Key Management window:
   c:\Program Files\IBM\tivoli\tip\bin\ikeyman.bat
   The iKeyman utility is a GUI-based tool that you can use to manage your digital certificates. With iKeyman, you can create a new key database or test a digital certificate, add certificate authority (CA) roots to your database, copy certificates from one database to another, request and receive a digital certificate from a CA, set default keys, and change passwords.
Certificate authority: A certificate authority is a trusted central administrative entity that can issue digital certificates to users and servers. The trust in the CA is the foundation of trust in the certificate as a valid credential. A CA uses its private key to create a digital signature on each certificate that it issues, which validates the certificate's origin. Others can use the public key in the CA certificate to verify the authenticity of the certificates that the CA issues and signs. The term truststore refers to a key database that holds the certificates an application is willing to trust, typically CA certificates. Placing a CA certificate in the truststore allows a browser or other application to authenticate and accept certificates that the CA issues. In this procedure the truststore holds the self-signed Tivoli Integrated Portal certificate itself, so the DS8000 will trust exactly that server certificate rather than anything signed by a CA.

b. In the IBM Key Management window (Figure 2-3), click Key Database File > New.
c. In the New panel (Figure 2-4):
   i. For Key database type, select a type or leave the default of JKS.
   ii. For File Name, enter a file name. For example, enter itso_trust_store.jks.
   Note: On Microsoft Windows systems, the default location for the generated key file is c:\Program Files\IBM\tivoli\tip\bin\.
   iii. Click OK.
Figure 2-4 Selecting an export location and setting the file name
      iv. In the Password Prompt window (Figure 2-5), specify a password for the truststore file. You must supply this password again when you configure the DS8000 policy, so record it in the same place as your other administrative credentials. Click OK.
After the truststore file is created, you return to the IBM Key Management window.
4. Import the certificate into the truststore file:
   a. Add the exported certificate file from the Tivoli Integrated Portal (see Figure 2-2 on page 14) to the truststore file:
      i. From the IBM Key Management window (Figure 2-6), click Add.
      ii. In the Add CA certificate from a file window (Figure 2-7), click Browse.
      iii. Select the certificate file that you created in step 2 on page 14 (see Figure 2-2) and click OK.
iv. In the Enter a Label window (Figure 2-8), enter any label (any character string of your choice). For example, we enter itso_cert_label. Then click OK.
The certificate is successfully stored in the truststore file, as shown in Figure 2-9.
b. Exit the iKeyman tool and locate the truststore file. In our example, the file is in c:\Program Files\IBM\tivoli\tip\bin\itso_trust_store.jks. You need this truststore file and password while configuring the LDAP-based policy on the DS8000 server.
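The certificate exported above is self-signed, so nothing in the procedure itself confirms that the file you extracted is the certificate the Tivoli Integrated Portal really presents on its secure port; whatever you add to the truststore is what the DS8000 will trust. The following Python script is an added example, not code from this paper or from IBM, that computes the SHA-256 fingerprint of an exported .cer file in the form browsers display and compares it with the certificate fetched from the live server. The host name tip.example.com and the file path are assumptions, and the sample PEM is constructed for the offline run: its body is a placeholder, not a real X.509 certificate.

```python
"""Pin the exported Tivoli Integrated Portal certificate before trusting it."""
import base64
import hashlib
import ssl


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in the PEM framing that 'Extract certificate' writes
    when Data type is 'Base64 encoded ASCII data'."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed stand-in for default_itso.cer: the body is NOT an X.509
# certificate, it only exercises the PEM handling and the fingerprint.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_EXPORTED_CER = make_pem(SAMPLE_DER)


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint in the AA:BB:... form that browsers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_pem(pem_text: str) -> str:
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem_text))


def same_certificate(pem_a: str, pem_b: str) -> bool:
    return fingerprint_pem(pem_a) == fingerprint_pem(pem_b)


def fetch_server_cert(host: str, port: int = 16311) -> str:
    """PEM certificate that the TIP HTTPS port presents. It is fetched
    without verification on purpose: a self-signed certificate has no
    chain to verify, which is exactly why the fingerprint comparison exists."""
    return ssl.get_server_certificate((host, port))


def verify_exported_cert(cer_path: str, host: str, port: int = 16311) -> bool:
    """True only if the file about to go into the truststore is the
    certificate the live server serves."""
    with open(cer_path, encoding="ascii") as fh:
        return same_certificate(fh.read(), fetch_server_cert(host, port))


def pinned_context(cer_path: str) -> ssl.SSLContext:
    """Context that trusts exactly the exported certificate and nothing
    else, for tooling that later talks to the Token Service."""
    ctx = ssl.create_default_context(cafile=cer_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    print("constructed sample:", fingerprint_pem(SAMPLE_EXPORTED_CER))
    try:  # hypothetical host and path; compare against the browser's fingerprint
        print("matches live server:", verify_exported_cert("c:/default_itso.cer", "tip.example.com"))
    except OSError as exc:
        print("could not verify:", exc)
```

Run it on the real default_itso.cer and the TIP host, and only continue with the iKeyman import when verify_exported_cert returns True; if the fingerprints differ, something between you and the Tivoli Integrated Portal is presenting a different certificate.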
TPC server1. Implement TPC server2 preferably on the same hardware configuration as TPC server1, but imperatively with the same LDAP server/branch information as TPC server1. To do a basic Tivoli Storage Productivity Center installation, see the instructions in Appendix A, Installing Tivoli Storage Productivity Center 4.1 on Windows Server 2008 on page 39. The additional setup tasks described in this section are required.

Note: The Tivoli Storage Productivity Center servers and Tivoli Integrated Portal are implemented as IBM WebSphere application servers, which can securely communicate by using the Lightweight Third Party Authentication (LTPA) protocol. LTPA is intended for distributed, multiple application server and machine environments. The LTPA protocol enables WebSphere Application Server to provide security in a distributed environment by using cryptography. Application servers distributed in multiple nodes can securely communicate by using this protocol. It also provides a single sign-on (SSO) feature where a user is required to authenticate only once.

The LTPA protocol uses cryptographic keys to encrypt and decrypt the user data (the LTPA token that carries the authenticated identity) that passes between the servers. These keys must be shared between the different servers, which assumes that all the servers involved use the same LDAP or custom registry. The default LTPA keys are automatically generated during the installation process. All of the Tivoli Storage Productivity Center server processes (Tivoli Integrated Portal, node, WebSphere Application Server) share the same set of keys. If key sharing is required between different servers, export them from one server and import them to the other server. For security purposes, the exported keys are encrypted with a user-defined password, and the same password is needed when importing the keys into another server. Treat the exported key file as a credential: whoever holds the keys and the password can create LTPA tokens that every server sharing those keys accepts, so remove the file from the share as soon as the import is done.
   -f is the path of the export script in the local Tivoli Storage Productivity Center server installation directory, in the tip/scripts directory. The script name is exportLTPAkeys.py.
   LTPA keys file name is the name (or path and file name) of the exported LTPA file.
   ltpaKeysPassword is the password that is used to encrypt and decrypt the LTPA keys. During import, this password must match the password that was used to export the keys at the other LTPA server (for example, another application server). Remember this password when you export so that you can enter it during import.
Example 2-1 illustrates the command that we used (in our test environment) to export the keys. It generates the exportedLTPAkeyfile file, which contains the LTPA keys of TPC server1 and which we import to TPC server2. Note: Use forward slashes when specifying the path names for files. Passing -password on the command line makes the Tivoli Integrated Portal administrator password visible to anyone who can list processes on the server; wsadmin prompts for the credentials if you omit them.
Example 2-1 Exporting the key
C:\Program Files\IBM\Tivoli\TIP\bin>wsadmin -user tpcadmin2 -password super321 -lang jython -port 16313 -host 9.11.112.112 -f "c:/program files/ibm/tpc/tip/scripts/exportLTPAKeys.py" "c:/share/exportedLTPAkeyfile" passw0rd
2. Import the LTPA key:
   a. In the same command window on TPC server2, enter the following wsadmin command to import the LTPA keys into Tivoli Integrated Portal and then into the device server. The parameters have the same meaning as explained in step 1 on page 19.
      wsadmin -user <tip_admin id> -password <tip_admin password> -lang jython -f "<tpc_install_dir on TPC_Server2>/tip/scripts/importLTPAKeys.py" "<LTPA keys file name>" <ltpaKeysPassword>
      The device server discovers storage subsystems and SAN fabrics. It then gathers information about storage subsystems and SAN fabrics and analyzes their performance. The device server controls the communication with agents and the data collection from agents that scan storage area network (SAN) fabrics. It is also responsible for the creation and monitoring of replication relationships between storage devices. Example 2-2 shows the key being imported into Tivoli Integrated Portal; the command is run from the TIP\bin folder.
Example 2-2 Importing the key into Tivoli Integrated Portal
C:\Program Files\IBM\Tivoli\TIP\bin>wsadmin -user tpcadmin2 -password passw0rd -lang jython -f "c:/program files/ibm/tpc/tip/scripts/importLTPAKeys.py" "c:/share/exportedLTPAkeyfile" passw0rd
   b. Change the directory to the WebSphere bin folder of the device server (C:\Program Files\IBM\TPC\device\apps\was\bin) and run the same command, as shown in Example 2-3. Note: Use forward slashes when specifying the path names for files.
Example 2-3 Importing the key into the device server
C:\Program Files\IBM\TPC\device\apps\was\bin>wsadmin -user tpcadmin2 -password passw0rd -lang jython -f "c:/program files/ibm/tpc/tip/scripts/importLTPAKeys.py" "c:/share/exportedLTPAkeyfile" passw0rd
2. Import the LTPA key:
   a. Access the Tivoli Integrated Portal administrative console for the server that will receive the imported keys by typing the following URL in a Web browser:
      https://server_name:port_number/ibm/console
      Use https and the secure console port (16311 in a default installation, as in 2.4.1), so that the LTPA password you enter on this page is not sent in clear text.
   b. In the left pane, click Security → Secure administration, applications, and infrastructure → Authentication mechanisms and expiration.
   c. In the window that opens:
      i. Under Cross-cell single sign-on, in the Password and Confirm password fields, enter the password that is used to decrypt the LTPA keys. This password must match the password that was used at the server from which you are importing the keys.
      ii. In the Fully qualified key file name field, specify the fully qualified path to the location where the signer keys reside. You must have write permission to this file.
      iii. Click Import keys to import the keys from the location that you specified in the Fully qualified key file name field.
      iv. Click OK and Save to save the changes to the master configuration. It is important to save the new set of keys to match the new password so that no problems are encountered when starting the servers later.
The LTPA keys in TPC server1 and TPC server2 are now in sync.
2.4.3 Copying the truststore file from TPC server1 to TPC server2
For TPC server2 to take over in case of a TPC server1 failure, both servers must have access to identical truststore files. Copy the truststore file that was created for TPC server1 (see 2.4.1, Creating the certificate and the truststore file on TPC server1 on page 13) to TPC server2. The DS8000 validates the certificate of whichever authentication service URL it contacts against this one truststore, so check that the certificate that TPC server2 presents on its secure port is also trusted by it; if TPC server2 uses its own self-signed certificate, extract and import it the same way as in 2.4.1.
4. Click Select action and select Create Storage Authentication Service Policy (Figure 2-11).
5. On the Authentication Service Configuration page (Figure 2-12 on page 24):
   a. For Policy Name, enter any name. You can define more than one policy, but only one can be active. You can also switch freely between the different policies.
   b. For Authentication Service URL (Primary), enter the URL of the authentication service (the Token Service) on the Tivoli Integrated Portal of TPC server1. The default URL is:
      https://tip_server_host:16311/TokenService/services/Trust
   c. For Authentication Service URL (secondary), enter the backup URL that points to TPC server2.
   d. For Authentication Service Client User ID, enter the user ID from the Tivoli Integrated Portal that is set up by installation.
   e. For Authentication Service Client Password, enter the password of that Tivoli Integrated Portal user.
   f. For Confirm Authentication Service Client Password, enter the password again.
   g. Click Next.
   Port number: The port for the ESS service (16311) is 1 plus the default Tivoli Integrated Portal port 16310. If you change the default Tivoli Integrated Portal port during installation to, say, 17522, then the port to use for the ESS service is 17523 (one plus that Tivoli Integrated Portal port number). The ESS/Authentication Service URL is then as follows:
      https://yourserver.com:17523/TokenService/services/Trust
6. On the Truststore file Information page (Figure 2-13):
   a. For Truststore File Location, enter the location of the file that you created in 2.4, Creating the certificates and the truststore file on page 13.
   b. For Truststore File Password, enter the password that was set when the truststore was created.
   c. For Confirm Truststore File Password, enter the password again.
   d. Click Next.
7. On the Map External Users and User Groups to DS8000 User Roles page (Figure 2-14):
   a. For External Entity Name, enter the name of the user or user group that exists in the LDAP directory.
   b. For External Entity Type, select the type of entity, which can be External User Group or External User Name.
   c. For DS8000 User Role, select a role from the list (see Table 3-1 on page 34).
   d. Click Add.
   e. To map more than one user or group, repeat these steps. For detailed information about user groups and roles, see 3.3, User administration for Tivoli Storage Productivity Center servers on page 36.
   f. Click Next.
Figure 2-14 Map External Users and User Groups to DS8000 User Roles window
8. On the Verification page (Figure 2-15), on which you can see the settings that will be stored, verify the information and click Next to continue or click Back to make changes.
9. On the Summary page (Figure 2-16), leave the Activate the Policy check box cleared. Click Finish to create the policy. Note that in the next step, we test the policy before activating it.
10. On the Manage Authorization Policy page (Figure 2-17), select a policy. Under the Select action menu, click Test Authentication Policy.
11. In the Test Storage Authentication Service Policy window (Figure 2-18), enter values for the External User Name and External User Password fields. The user must be an existing user from the LDAP directory and mapped to a local DS8000 role. Then click OK.
The test takes a few seconds to complete. When it is complete, the Test summary page is displayed. If the test was successful, the Result Status cell is green and the Result details cell is empty, as shown in Figure 2-19. If something is wrong, the Result Status cell is red and the error message is displayed in the Result details cell. In this case, go back to the configuration and check the settings.
12.Activate the configuration. Select a policy. Under the Select action menu, click Activate.
13. In the Activate Storage Authentication Service Policy window (Figure 2-20):
   a. For External User Name, enter a valid user name that exists in the LDAP directory.
   b. For External User Password, enter that user's password.
   c. Click OK to activate the policy.
dscli> lsauthpol
Date/Time: March 11, 2009 9:17:16 AM MST IBM DSCLI Version: 5.4.2.540 DS:
name          type  state
==========================
initialPolicy Basic active
4. Create a new, empty policy by entering the mkauthpol -type sas itsopolicy command, as shown in Example 2-5. The -type sas parameter specifies the authentication policy type; currently SAS (Storage Authentication Service) is the only valid value, and the parameter is required. itsopolicy is the name of the new policy.
Example 2-5 Creating a new policy
dscli> mkauthpol -type sas itsopolicy
Date/Time: March 11, 2009 9:24:20 AM MST IBM DSCLI Version: 5.4.2.540 DS:
CMUC00365I mkauthpol: The authentication policy itsopolicy has been created.

5. Add a policy server or policy servers to the policy by entering the setauthpol command with the -action setauthserver and -loc parameters, as shown in Example 2-6. The -loc parameter is the URL of the authentication service on TPC server1.
Example 2-6 Setting the policy server
dscli> setauthpol -action setauthserver -loc https://9.11.240.201:16311//TokenService/services/Trust itsopolicy
Date/Time: March 11, 2009 9:27:10 AM MST IBM DSCLI Version: 5.4.2.540 DS:
CMUC00366I setauthpol: The authentication policy itsopolicy has been modified.

The URL in Example 2-6 is reproduced as it was entered in our test environment, including the doubled slash before TokenService; the default form with a single slash, https://tip_server_host:16311/TokenService/services/Trust, is the one to use.

6. Add the truststore file to the policy. Enter the setauthpol command with the -action settruststore parameter, the -loc parameter (the location of the truststore file; see 2.4, Creating the certificates and the truststore file on page 13), and the -pw parameter (the truststore file password). See Example 2-7.
Example 2-7 Setting the truststore
dscli> setauthpol -action settruststore -loc c:\key_itso.jks -pw passw0rd itsopolicy
Date/Time: March 11, 2009 9:29:25 AM MST IBM DSCLI Version: 5.4.2.540 DS:
CMUC00366I setauthpol: The authentication policy itsopolicy has been modified.

7. Add the ESS user to the policy by entering the setauthpol command with the -action setsasuser parameter, as shown in Example 2-8. For more details about the ESS user, see Appendix A, Installing Tivoli Storage Productivity Center 4.1 on Windows Server 2008 on page 39.
Example 2-8 Setting the ESS user
dscli> setauthpol -action setsasuser -username tipadmin -pw passw0rd itsopolicy
Date/Time: March 11, 2009 9:31:24 AM MST IBM DSCLI Version: 5.4.2.540 DS:
CMUC00366I setauthpol: The authentication policy itsopolicy has been modified.

8. Map existing users and user groups from the LDAP server to authority groups on the DS8000 by entering the setauthpol command with the -action setmap parameter and -groupmap role:group values, as shown in Example 2-9. The value before the colon is the DS8000 authority group (admin in the example) and the value after it is the name of the group in the LDAP directory (Administrators).
Example 2-9 Mapping an LDAP group to a DS8000 authority group
dscli> setauthpol -action setmap -groupmap admin:Administrators itsopolicy
Date/Time: March 11, 2009 9:32:54 AM MST IBM DSCLI Version: 5.4.2.540 DS:
CMUC00366I setauthpol: Authentication policy itsopolicy successfully modified.
9. Now that the policy is set up, check it as shown in Example 2-10. The policy is still in the inactive state.
Example 2-10 Listing the available policies
dscli> lsauthpol itsopolicy
Date/Time: March 11, 2009 9:35:47 AM MST IBM DSCLI Version: 5.4.2.540 DS:
name       type state
=========================
itsopolicy SAS  inactive

10. To view the configuration parameters, enter the showauthpol command, as shown in Example 2-11.
Example 2-11 Showing the configuration parameters
dscli> showauthpol itsopolicy
Date/Time: March 11, 2009 9:36:52 AM MST IBM DSCLI Version: 5.4.2.540 DS:
name       itsopolicy
type       SAS
state      inactive
location   https://9.11.240.201:16311//TokenService/services/Trust
truststore itsopolicy_trustStore.jks
sasuser    tipadmin

11. Test the configuration by entering the testauthpol command, as shown in Example 2-12.
Example 2-12 Testing the configuration
dscli> testauthpol -username tipadmin -pw passw0rd itsopolicy
Date/Time: March 11, 2009 9:38:28 AM MST IBM DSCLI Version: 5.4.2.540 DS:
CMUC00366I testauthpol: Authentication policy itsopolicy successfully verified.

12. If the test completed successfully, activate the policy by entering the chauthpol command with the -activate parameter, as shown in Example 2-13.
Example 2-13 Activating the policy
dscli> chauthpol -quiet -activate -username tipadmin -pw passw0rd itsopolicy
Date/Time: March 11, 2009 9:55:54 AM MST IBM DSCLI Version: 5.4.2.540 DS:
CMUC00366I setauthpol: Authentication policy itsopolicy successfully modified.

13. Check the state of the policy by entering the lsauthpol command (Example 2-14).
Example 2-14 Listing the policy
dscli> lsauthpol itsopolicy
Date/Time: March 11, 2009 10:06:34 AM MST IBM DSCLI Version: 5.4.2.540 DS:
name       type state
============================
itsopolicy SAS  active
Chapter 3.
Table 3-1 DS8000 user roles (only a fragment of the table survived extraction: Copy Services operator; Logical operator and Copy Services operator; No access)
To define the mappings:
1. From the DS8000 User administration menu, select a storage complex. From the Select action list, select Manage Authentication Policy. Select a Storage Authentication Service policy, and from the Select action list, select Properties.
2. In the Storage Authentication Service Policy Properties window (Figure 3-3 on page 38), click the External Users tab and complete the following actions:
   a. For External Entity Name, enter the name of the user or user group that exists in the LDAP directory.
   b. For External Entity Type, select the type of entity, which can be External User Group or External User Name.
   c. For DS8000 User Role, select a role from the list. Refer to Table 3-1.
   d. Click Add.
   e. After you add external (LDAP) users or groups, click OK to apply the changes. If you want to discard the changes, click Cancel.
dscli> setauthpol -action setmap -groupmap admin:Administrators itsopolicy
Date/Time: March 11, 2009 9:32:54 AM MST IBM DSCLI Version: 5.4.2.540 DS:
CMUC00366I setauthpol: Authentication policy itsopolicy successfully modified.

The DS8000 authority group roles for the DS CLI (see Table 3-1 on page 34) have the following possible values:
   admin
   op_storage
   op_volume
   op_copy_services
   service
   monitor
   no_access
To add a new user map, use the -action setmap -usermap admin:Administrator parameters. In this command, admin is the DS8000 role group, and Administrator is the user from the LDAP repository. The group roles are the same as described in Table 3-1 on page 34. Prefer group mappings to user mappings where you can: a user mapping grants a DS8000 role to one LDAP account and is easy to overlook when that person leaves, whereas a group mapping is administered in the directory.
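Before you activate a policy with chauthpol (Example 2-13 in Chapter 2) or add mappings with -groupmap or -usermap, it is worth checking the configuration mechanically rather than by eye: the location shown in Example 2-11 contains a doubled slash, the port must be the Tivoli Integrated Portal port plus one (see the port note for the Authentication Service URL in Chapter 2), the policy needs a truststore and a SAS user, and every mapping must name one of the seven role groups listed above. The following Python script is an added example, not part of this paper or of the DS CLI: it parses showauthpol output, reports such findings, and generates setauthpol -action setmap lines only for well-formed mappings. The attribute-per-line sample output is a constructed copy of Example 2-11, and -usermap is taken as the intended spelling of the -userpmap parameter above.

```python
"""Sanity checks for a DS8000 SAS authentication policy before activation."""
import re
from urllib.parse import urlsplit

TIP_DEFAULT_PORT = 16310                      # Tivoli Integrated Portal
TOKEN_SERVICE_PATH = "/TokenService/services/Trust"
DS8000_ROLES = {"admin", "op_storage", "op_volume", "op_copy_services",
                "service", "monitor", "no_access"}

# Constructed copy of the Example 2-11 output, one attribute per line.
SAMPLE_SHOWAUTHPOL = """\
Date/Time: March 11, 2009 9:36:52 AM MST IBM DSCLI Version: 5.4.2.540 DS:
name itsopolicy
type SAS
state inactive
location https://9.11.240.201:16311//TokenService/services/Trust
truststore itsopolicy_trustStore.jks
sasuser tipadmin
"""


def ess_port(tip_port: int = TIP_DEFAULT_PORT) -> int:
    """The Token Service (ESS) port is the TIP port plus one."""
    return tip_port + 1


def parse_showauthpol(text: str) -> dict:
    """Turn 'attribute value' lines into a dict, skipping the banner line."""
    cfg = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not line.startswith("Date/Time"):
            cfg[parts[0]] = parts[1].strip()
    return cfg


def check_policy(cfg: dict, tip_port: int = TIP_DEFAULT_PORT) -> list:
    """Findings that should be fixed before chauthpol -activate."""
    findings = []
    url = urlsplit(cfg.get("location", ""))
    if url.scheme != "https":
        findings.append("location must use https, not %r" % url.scheme)
    if url.port != ess_port(tip_port):
        findings.append("location port %s is not TIP port %d + 1 (%d)"
                        % (url.port, tip_port, ess_port(tip_port)))
    if url.path != TOKEN_SERVICE_PATH:
        findings.append("location path %r should be %r"
                        % (url.path, TOKEN_SERVICE_PATH))
    if cfg.get("type", "").upper() != "SAS":
        findings.append("policy type %r is not SAS" % cfg.get("type"))
    if not cfg.get("truststore"):
        findings.append("no truststore (setauthpol -action settruststore)")
    if not cfg.get("sasuser"):
        findings.append("no SAS user (setauthpol -action setsasuser)")
    return findings


_MAP_RE = re.compile(r"^(?P<role>[a-z_]+):(?P<entity>[^:]+)$")


def check_mapping(mapping: str) -> str:
    """'' when 'dsrole:ldapname' is well formed and the role exists."""
    m = _MAP_RE.match(mapping)
    if not m:
        return "mapping %r is not of the form dsrole:ldapname" % mapping
    if m.group("role") not in DS8000_ROLES:
        return "unknown DS8000 role %r in %r" % (m.group("role"), mapping)
    return ""


def setmap_commands(policy: str, groupmaps=(), usermaps=()) -> list:
    """setauthpol lines for the mappings; refuses any malformed one.
    -usermap is assumed to be the per-user counterpart of -groupmap."""
    cmds = []
    for flag, maps in (("-groupmap", groupmaps), ("-usermap", usermaps)):
        for mapping in maps:
            problem = check_mapping(mapping)
            if problem:
                raise ValueError(problem)
            cmds.append("setauthpol -action setmap %s %s %s" % (flag, mapping, policy))
    return cmds


if __name__ == "__main__":
    for finding in check_policy(parse_showauthpol(SAMPLE_SHOWAUTHPOL)):
        print("FIX:", finding)
    print("\n".join(setmap_commands("itsopolicy", ["admin:Administrators"])))
```

Run against the paper's own Example 2-11, the only finding is the doubled slash in the location path; pass tip_port=17522 when the Tivoli Integrated Portal port was changed at installation and the port check adjusts to 17523.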
If you select operating system authentication for your IBM Tivoli Storage Productivity Center, you do not have to create any of the groups before installation. The Tivoli Storage Productivity Center Superuser role is automatically mapped to the Administrators group on Windows, to the system group on AIX, or to the root group on Linux. Note: For more information about IBM Tivoli Storage Productivity Center user and group mapping, see the User roles topic in the Tivoli Storage Productivity Center Information Center at the following address:
http://publib.boulder.ibm.com/infocenter/tivihelp/v4r1/index.jsp?topic=/com.ibm.tpc_V33.doc/fqz0_c_user_roles.html
   b. In the Edit Group dialog box (Figure 3-3), enter the LDAP group (it must exist) to which you want to map this role, and click OK.
Appendix A.
1. Before you launch the Tivoli Storage Productivity Center installation, in Windows Services, ensure that the DB2 services are started as indicated in the Status column in Figure A-1. This status is required because a DB2 database is installed in silent mode as part of the Tivoli Storage Productivity Center installation.
2. Launch the Tivoli Storage Productivity Center 4.1 installer. 3. When prompted to select a language for the installation (Figure A-2), select your language. This setting is just the language for the installation wizard. You are prompted to select the language for Tivoli Storage Productivity Center later. Click OK.
4. In the License Agreement window, accept the terms of the license agreement to continue with the installation and click Next.
5. For the type of Installation (Figure A-3): a. Select Typical installation. b. Clear the Agents and the Register with the agent manager check boxes. c. Specify a directory for the Tivoli Storage Productivity Center installation or use the default C:\Program Files\IBM\TPC directory. d. Click Next.
Appendix A. Installing Tivoli Storage Productivity Center 4.1 on Windows Server 2008
6. In the next window (Figure A-4), specify the DB2 administrator ID and password. The default user ID is DB2admin. DB2 user ID: You must create the DB2 user ID first in Windows user management, and it must have administrator and DB2 permissions. In the lower part of the window, specify the server name, server port, and agent port if applicable. Click Next to continue.
Figure A-4 Tivoli Storage Productivity Center DB2 user and server IP port settings
7. In the next window (Figure A-5), specify the Tivoli Storage Productivity Center administrator user ID and password. Again, the user ID should have operating system and database administrator authority. In the lower half of the window, enter the name of the Tivoli Storage Productivity Center server and the server port that will be used to communicate with the Tivoli Storage Productivity Center server. Click Next.
8. As shown in (Figure A-6), select the authentication method to use for Tivoli Storage Productivity Center. Select LDAP/Active Directory. Click Next.
9. Define the basic LDAP connection settings (Figure A-7). Enter the LDAP server IP address and port number. If anonymous logins are allowed by the LDAP server, the user and password are optional. Otherwise, select an LDAP user with the administrator role. A dedicated bind account with read access to the user and group subtrees is sufficient for authentication and is the safer choice, because these credentials are stored in the Tivoli Storage Productivity Center configuration. Click Next.
10.Specify appropriate values to reflect the structure of your LDAP directory (Figure A-8). Click Next.
11.Specify the LDAP user who will have administrator privileges for Tivoli Storage Productivity Center (Figure A-9). Click Next.
12.Review the summary information (Figure A-10). If you are satisfied with the values and features that you chose, click Install to start the installation process. Otherwise click Back to change any of the installation values.
The Tivoli Storage Productivity Center installation process is now taking place.
13. In the Tivoli Storage Productivity Center for Replication installation window (Figure A-11), which opens when nearly ninety percent of the installation is completed, click Next. This takes you into the Tivoli Storage Productivity Center for Replication installation wizard, which must complete for the Tivoli Storage Productivity Center installation to complete.
14.In the system prerequisite check window (Figure A-12), click Next.
15.Accept the License Agreement for the Tivoli Storage Productivity Center for Replication to continue the installation process (Figure A-13). Click Next.
16.In the next window (Figure A-14), specify the program installation directory or accept the default. Click Next.
17.Specify the Tivoli Storage Productivity Center for Replication administrator user name and password (Figure A-15). Click Next.
Figure A-15 Tivoli Storage Productivity Center for Replication - Administrator details
18.As shown in Figure A-16, select the Port for the WebSphere Application Server that Tivoli Storage Productivity Center for Replication uses for its runtime environment. The WebSphere Application Server is automatically installed. Click Next.
19.In the installation summary window (Figure A-17), review the details. If you are satisfied with the values, click Install to start the Tivoli Storage Productivity Center for Replication Installation Process. Otherwise, click Back to change any of the installation values.
Figure A-17 Tivoli Storage Productivity Center for Replication - Installation summary window
20.After the Tivoli Storage Productivity Center for Replication installation is complete, in the summary information window (Figure A-18), click Finish to return to the Tivoli Storage Productivity Center Install Process.
Figure A-18 Tivoli Storage Productivity Center for Replication - Installation complete
The Tivoli Storage Productivity Center installation resumes.
21. In the summary window (Figure A-19) that indicates successful installation of Tivoli Storage Productivity Center, click Finish.
You can now further configure your Tivoli Storage Productivity Center server as explained in 2.4, Creating the certificates and the truststore file on page 13.
Appendix B.
Appendix B. Configuring Tivoli Storage Productivity Center for DS8000 LDAP authentication
The following restrictions apply: The realm must always contain at least one base entry. Therefore, you cannot remove all entries. If you plan to remove the built-in, file-based repository from the administrative realm, verify that at least one user in another member repository is a console user with administrative rights. Otherwise, you must disable security to regain access to the administrative console.
2. On the Repository configuration page (Figure B-4 on page 56):
   a. For Repository identifier, the value is the unique identifier for the LDAP repository that you entered in the General Properties (Figure B-3). This identifier uniquely identifies the repository, for example: c0y0te.
   b. For Directory type, select the type of LDAP server to which you connect from the drop-down list of LDAP directory types. For example, for use with an OpenLDAP server, select the Custom value.
   c. For Primary host name, specify the host name of the primary LDAP server. This host name is either an IP address or a Domain Name System (DNS) name.
   d. For Port, type the LDAP server port. The default value is 389, which is not a Secure Sockets Layer (SSL) connection: with it, the bind password and every user password sent at login cross the network in clear text. For some LDAP servers, you can specify a different port for a non-SSL or SSL connection; 636 is the usual SSL port, and it must be paired with Require SSL communications (step l).
   e. For Failover host name, specify the host name of the failover LDAP server. You can specify a secondary directory server to use in the event that your primary directory server becomes unavailable.
   f. For Support referrals to other LDAP servers, specify how referrals that are encountered by the LDAP server are handled. A referral is an entity that is used to redirect a client request to another LDAP server. A referral contains the names and locations of other objects. It is sent by the server to indicate that the information that the client requested can be found at another location, possibly at another server or several servers. The default value is ignore.
   g. For Bind distinguished name, type the distinguished name (DN) for the application server to use when binding to the LDAP repository. If no name is specified, the application server binds anonymously. In most cases, a bind DN and bind password are required. However, when an anonymous bind can satisfy all of the required functions, a bind DN and password are not required.
   h. For Bind password, type the password for the application server to use when binding to the LDAP repository.
   i. For Login properties, type the property names to use to log in to the application server, for example, uid. This field accepts multiple login properties that are delimited by a semicolon (;). All login properties are searched during login. If multiple entries or no entries are found, an exception is thrown. For example, if you specify the login properties as uid and the login ID as Bob, the search filter searches for uid=Bob. When the search returns a single entry, authentication can proceed. Otherwise, an exception is thrown.
   j. For Certificate mapping, to map X.509 certificates into an LDAP directory, choose either EXACT_DN or CERTIFICATE_FILTER. EXACT_DN looks up the entry whose DN equals the subject DN of the client certificate; CERTIFICATE_FILTER uses the certificate filter that you specify in the next field.
   k. For Certificate filter, type the filter certificate mapping property for the LDAP filter. The filter is used to map attributes in the client certificate to entries in the LDAP repository.
   l. Select Require SSL communications to enable secure socket communication to the LDAP server. When enabled, the SSL settings for LDAP are used, if they are specified.
   m. Click OK to add the new repository.
3. On the next page (Figure B-5 on page 57), add the repository details:
   a. For Distinguished name that uniquely identifies this set of entries in the realm, add the DN that uniquely identifies this set of entries in the realm. If multiple repositories are included in the realm, define an additional DN that uniquely identifies this set of entries within the realm, for example: dc=tucson,dc=ibm,dc=com.
   b. For Distinguished name of a base entry in this repository, add the LDAP DN of the base entry within the repository. The entry and its descendants are mapped to the subtree that is identified by the unique base name entry field, for example: dc=tucson,dc=ibm,dc=com. If this field is left blank, the subtree defaults to the root of the LDAP repository.
As shown in Figure B-6, the repository was added successfully to the realm.
4. Click Apply to save the configuration. 5. In the Messages box (Figure B-7), click Save to save the changes to the configuration.
Figure B-8 Additional properties
Configuring performance Use the page shown in Figure B-9 to minimize the impact to performance by adding open connections and contexts to internally maintained pools and reusing them. These settings also minimize performance impacts by maintaining internal caches of retrieved data. Figure B-9 shows the performance settings that we used in our environment.
Setting up LDAP entity types Use the page shown in Figure B-10 to list the entity types that are supported by the member repositories, or to select an entity type to view or change its configuration properties. You must configure the supported entity types before you can manage users and groups for this account in the administrative console. The Base entry for the default parent column determines the repository location where entities of the specified type are placed on write operations by user and group management. After you add or update your federated repository configuration, go to the Security → Secure administration, applications, and infrastructure panel and click Apply to validate the changes.
Specifying the group attribute definition Use the page shown in Figure B-11 to specify the name of the group membership attribute. An LDAP entry that belongs to a group carries this attribute to indicate the group (or groups) to which the entry belongs.
As shown in Figure B-12, add a new members attribute collection to your configuration. In our case, the name of the member attribute is member, and the Object class is groupOfNames.
After you configure any of these additional properties, save your settings and apply the changes. Important: When you finish adding or updating your federated repository configuration, go to the Security Secure administration, applications, and infrastructure panel and click OK then Apply to validate the changes.
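Step 2i of the repository configuration above describes how the login ID is substituted into the search filter (uid=Bob) and how anything other than exactly one match ends the login, and the group attribute definition just described resolves membership through the member attribute of groupOfNames entries. The following Python script is an added example, not code from this paper, from WebSphere or from IBM, that shows both halves over a constructed in-memory LDIF directory: it builds the login filter with RFC 4515 escaping so that a login ID such as ali* cannot act as a wildcard, enforces the exactly-one-entry rule, and resolves a user's groups through the member attribute. The OR-combination of several login properties, the sample entries and the suffix dc=tucson,dc=ibm,dc=com (reused from step 3) are assumptions, and the filter evaluator understands only equality clauses and a single-level OR, which is all the demonstration needs.

```python
"""Login-property filter construction and group lookup, as a federated
repository performs them, demonstrated over a constructed LDIF directory."""
import re

# RFC 4515: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Constructed sample directory; nothing here comes from a real server.
SAMPLE_LDIF = """\
dn: uid=bob,ou=people,dc=tucson,dc=ibm,dc=com
objectClass: inetOrgPerson
uid: bob
mail: bob@example.com

dn: uid=alice,ou=people,dc=tucson,dc=ibm,dc=com
objectClass: inetOrgPerson
uid: alice

dn: cn=Administrators,ou=groups,dc=tucson,dc=ibm,dc=com
objectClass: groupOfNames
cn: Administrators
member: uid=alice,ou=people,dc=tucson,dc=ibm,dc=com
"""


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter(login_properties: str, login_id: str, escape: bool = True) -> str:
    """Filter for 'Login properties' such as 'uid' or 'uid;mail'.
    escape=False is the injectable form, kept only for comparison.
    Assumption: several properties are OR-ed together."""
    props = [p.strip() for p in login_properties.split(";") if p.strip()]
    value = escape_filter_value(login_id) if escape else login_id
    clauses = ["(%s=%s)" % (p, value) for p in props]
    return clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: 'attr: value' lines, blank line between entries
    (no base64 '::' values, no continuation lines)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


DIRECTORY = parse_ldif(SAMPLE_LDIF)


def _pattern_to_regex(pattern: str) -> str:
    """'*' is a wildcard, '\\XX' hex escapes are literal characters."""
    def token(m):
        t = m.group(0)
        if t == "*":
            return ".*"
        if t.startswith("\\"):
            return re.escape(chr(int(t[1:], 16)))
        return re.escape(t)
    return "^" + re.sub(r"\\[0-9a-fA-F]{2}|\*|.", token, pattern) + "$"


def search(entries: list, filt: str) -> list:
    """Evaluate '(attr=value)' or '(|(attr=value)(attr=value)...)'."""
    if filt.startswith("(|"):
        clauses = re.findall(r"\([^()]*\)", filt[2:-1])
        return [e for e in entries if any(search([e], c) for c in clauses)]
    attr, _, pattern = filt[1:-1].partition("=")
    rx = re.compile(_pattern_to_regex(pattern), re.IGNORECASE)
    return [e for e in entries if any(rx.match(v) for v in e.get(attr, []))]


def resolve_login(entries: list, login_properties: str, login_id: str,
                  escape: bool = True) -> dict:
    """Exactly one entry must match; otherwise the login fails, which is
    the 'an exception is thrown' rule from the repository configuration."""
    filt = login_filter(login_properties, login_id, escape)
    hits = search(entries, filt)
    if len(hits) != 1:
        raise LookupError("%d entries matched %s" % (len(hits), filt))
    return hits[0]


def groups_of(entries: list, user_dn: str, member_attr: str = "member",
              object_class: str = "groupOfNames") -> list:
    """Groups whose member attribute lists the user's DN (case-insensitive)."""
    dn = user_dn.lower()
    return sorted(e["cn"][0] for e in entries
                  if object_class in e.get("objectClass", [])
                  and dn in (m.lower() for m in e.get(member_attr, [])))


if __name__ == "__main__":
    user = resolve_login(DIRECTORY, "uid", "bob")
    print(user["dn"][0], groups_of(DIRECTORY, user["dn"][0]))
    print(login_filter("uid", "ali*"), "->", search(DIRECTORY, login_filter("uid", "ali*")))
```

With escaping on, the login ID ali* becomes (uid=ali\2a) and matches nothing; with the naive form it becomes (uid=ali*) and resolves to alice, which is the behaviour a repository must never have on a field that an unauthenticated user types.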
Managing groups Use the Manage Groups window (Figure 3-4) to list groups that match your search criteria. You can perform additional tasks such as view more information about a group, change information about a group, add a new group, delete groups, or duplicate the group assignments of a group for other groups. You can also customize how the information is displayed in the table, as well as create and save customized search filters.
Appendix C.
3. In the welcome panel, click Next. 4. In the license agreement panel (Figure C-2), click I accept both the IBM and non-IBM terms and then click Next.
5. In the next window (Figure C-3), choose the type of installation; normally, select Typical. Then click Next.
While you can select an existing user, you must ensure that the user is a member of the DB2ADMNS and DB2USERS groups as illustrated in Figure C-5.
Back in the window shown in Figure C-4, click Next. 7. In the installation summary panel (Figure C-6), if all the options are correct for your environment, click Install.
Figure C-7 shows the installation process starting. This process might take a while, depending on the hardware.
8. After the installation completes successfully, in the installation window (Figure C-8), click Finish to continue with the configuration.
Figure C-8 Successful installation
Appendix C. Installing Tivoli Directory Server v6.2
In the left pane of the next window (Figure C-10 on page 67), you see some of the configuration tasks that can be performed:
   Change the administrator user or password.
   Perform database-related tasks such as backup and restore operations, or tune the database performance settings.
   Import existing LDAP Data Interchange Format (LDIF) files (which contain the object entries of the LDAP tree). This export/import function can also be used to create a backup of critical LDAP information.
2. Make changes as required for your environment by selecting the appropriate options. Then proceed with the additional changes as documented in the following steps.
3. Invoke the Web Administration Tool. From the Windows desktop, click Start > All Programs > IBM Tivoli Directory Server 6.2 > Web Administration Tool. The default browser opens.
4. In the initial window (Figure C-11), enter the administrator user ID and password. The default user ID is superadmin and the default password is secret. Then click Login.
5. After a successful logon, in the Console administration pane (Figure C-12), change the default login user ID and password:
- To change the login name, from the left pane, click Change console administrator login.
- To change the password, from the left pane, click Change console administrator password.
Note: This user ID and password change is not for the Windows Administrator user. For more information, see the documentation for Tivoli Directory Server in the information center at the following address:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.IBMDS.doc/toc.xml
Add a console server connection by clicking Manage console servers and then clicking Add.
6. In the Manage console servers pane (Figure C-13), click Edit to review or change the parameters for the connection between the Web Admin tool and the LDAP Server Instance.
7. In the Edit server pane (Figure C-14), enter the server host name or IP address. Then click OK.
Port: To view the port settings, in the Server Instance Administration Tool, select the instance and click View.
8. Log out of the Console administration window and log in again by clicking the here link. The login name has now changed to the Directory server login.
9. In the Directory server login window (Figure C-15), from the LDAP Server Name list, select an LDAP server if more than one is available. The User DN (cn=root in our case) is configured during the configuration of the first server instance. Type the password and click Login.
Now you can start to build your directory structure by creating the different groups and users. Figure C-16 on page 70 through Figure C-20 on page 72 show examples of the different options that are available to manage your Tivoli Directory Server LDAP directory.
By selecting Server administration in the left pane in Figure C-16, you can edit the port setting or the administrator group, or you can set a password policy. You can also start and stop the server. Figure C-17 shows the Manage users pane.
Figure C-19 and Figure C-20 on page 72 show the Directory management panes for modifying existing directory entries.
More information: For a detailed description, see the Tivoli Directory Server documentation in the information center at the following address:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.IBMDS.doc/toc.xml
Appendix D.
The packages are now being installed. Wait until the entire process completes.
IBM System Storage DS8000: LDAP Authentication
2. In the LDAP Client Configuration window (Figure D-3):
a. Under User Authentication, select Use LDAP.
b. In the Address of LDAP Servers field, enter the LDAP server IP address.
c. In the LDAP base DN field, enter the LDAP distinguished name (DN). Alternatively, you can click Fetch DN after you enter the LDAP server name (assuming the service is started). In this case, a window is displayed in which you can select the DN.
d. Click Advanced Configuration.
3. In the Advanced Configuration window (Figure D-4), click the Client Settings tab and enter the values under Naming Contexts. The values should match the base DN specified in the LDAP Client Configuration window (Figure D-3 on page 76).
4. Click the Administration Settings tab (Figure D-5) and click Accept to complete the LDAP client configuration.
5. Verify that your LDAP client is properly configured and working by entering your LDAP server settings in the LDAP Browser dialog (Figure D-6).
If successful, you see a view of the LDAP tree that lists all the configured entries on the LDAP server (Figure D-7).
At this stage, the installation is completed. You can now create and configure users and groups according to the directory structure you want.
Appendix E.
[Figure: sample Directory Information Tree. The tree drawing was lost in extraction; its entries, in the order shown, are: c=us; o=ibm; o=xyz; ou=tucson; ou=raleigh; ou=new york; cn=groups; cn=users; cn=printers; cn=admins; cn=diskAdmin; deviceID=printer1; deviceID=printer37; cn=users; cn=tapeAdmin; cn=superAdmin.]
Each object must have a unique identifier, known as the distinguished name (DN). This DN is built from its relative distinguished name (RDN), and the RDN is a construct of some of the object's attributes followed by the parent object's DN. As a way to illustrate the concept of DN and RDN, consider a full file name on a PC. As shown in Example E-1, the full name, including the whole path, can be thought of as the DN. The RDN is the short file name, relative to the subdirectory where the file is located.
Example E-1 DN and RDN
DN of win.com = C:\WINDOWS\system32\win.com
RDN of win.com = win.com
The DN is built up from the parent DNs:
DN of=c:\
DN of=WINDOWS
DN of=system32
When the object win.com is now copied to c:\WINDOWS\, the DN changes to C:\WINDOWS\win.com, but the object and its attributes are the same.
The DN is not fixed for an object and can change. In our example, when the file is moved to a different subdirectory, the full file name (DN) changes. This is also the case for the DN of an object in Directory Services. Whenever the attributes that form the object's RDN change, or the object is moved under another parent, the DN of that object also changes. To uniquely identify objects, the LDAP server assigns a Universally Unique Identifier (UUID) to each object. Unlike the DN, the UUID never changes until the object is deleted.
Example E-2 shows an illustration from the test directory, which contains DS8000 user information that we used in preparation of this paper.
Example E-2 User attributes
dn: uid=diskAdmin,cn=users,ou=tucson,o=ibm,c=us
objectclass: inetOrgPerson
objectclass: person
objectclass: organizationalPerson
cn: disk
sn: admin
mail: diskadmin@us.ibm.com
uid: diskAdmin
userpassword: passw0rd
uuid: 25a8c2e8-1a3f-4ac4-b1b5-32d9b9188000
This example shows how the DN was built from different attributes of the user. (LDAP lets you define which attributes must be listed for a valid DN. For our client for DS8000 users, we configured a default base DN of cn=users,ou=tucson,o=ibm,c=us and uid as the specific user attribute. See Figure A-8 on page 45.)
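As an added example (not code from this Redpaper, from Tivoli Directory Server, or from the DS8000 client), the following Python script works through the DN/RDN construction of Example E-1 on the entry of Example E-2, in the LDIF record format that the Export/Import task in Appendix C reads and writes. It parses a constructed LDIF record that re-types the Example E-2 user, splits the DN into its RDN and parent DN, simulates moving the entry to another container (the DN changes, the UUID does not), and checks the entry against the DS8000 client setting described above (base DN cn=users,ou=tucson,o=ibm,c=us with uid as the user attribute). The helper names (parse_ldif, split_dn, move_entry, dn_matches_client_config) and the ou=raleigh container used for the move are the example's own assumptions; the parser covers only the LDIF subset this record needs.

```python
"""Worked example of LDAP DN/RDN handling over an LDIF entry.

Added example, not code from the Redpaper. The record below re-types the
Example E-2 user as a constructed sample (the password value is the page's
own placeholder; the 'uuid' attribute name follows the page's listing).
"""
import re

# Constructed sample: the Example E-2 user record in LDIF form.
SAMPLE_LDIF = """\
dn: uid=diskAdmin,cn=users,ou=tucson,o=ibm,c=us
objectclass: inetOrgPerson
objectclass: person
objectclass: organizationalPerson
cn: disk
sn: admin
mail: diskadmin@us.ibm.com
uid: diskAdmin
userpassword: passw0rd
uuid: 25a8c2e8-1a3f-4ac4-b1b5-32d9b9188000
"""


def parse_ldif(text):
    """Parse a single-entry LDIF record into a dict of attribute -> [values].

    Handles only the subset of LDIF the example needs: 'attr: value' lines,
    multi-valued attributes, '#' comment lines and line continuations (a line
    starting with one space continues the previous value). Attribute names
    are case-insensitive in LDAP, so they are lower-cased here.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def split_dn(dn):
    """Split a DN into its RDN components, honouring backslash-escaped commas.

    'uid=a,cn=users,o=ibm' -> ['uid=a', 'cn=users', 'o=ibm']
    """
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def rdn_of(dn):
    """The leftmost component names the object relative to its parent."""
    return split_dn(dn)[0]


def parent_dn(dn):
    """Everything after the RDN is the parent's DN (empty for a root entry)."""
    return ",".join(split_dn(dn)[1:])


def build_dn(rdn, parent):
    """DN = RDN followed by the parent's DN, as Example E-1 illustrates."""
    return rdn if not parent else f"{rdn},{parent}"


def move_entry(entry, new_parent):
    """Simulate moving the object to another container (an LDAP moddn).

    The RDN and every other attribute, including the UUID, stay the same;
    only the DN is rebuilt from the new parent. new_parent is an assumption
    of this example, not a container the page configures.
    """
    moved = dict(entry)
    moved["dn"] = [build_dn(rdn_of(entry["dn"][0]), new_parent)]
    return moved


def dn_matches_client_config(dn, base_dn, uid_attr="uid"):
    """Check the DS8000 client rule: DN must be '<uid_attr>=<value>,<base_dn>'."""
    attr, _, _ = rdn_of(dn).partition("=")
    return attr.strip().lower() == uid_attr.lower() and \
        parent_dn(dn).lower() == base_dn.lower()


if __name__ == "__main__":
    user = parse_ldif(SAMPLE_LDIF)
    dn = user["dn"][0]
    print("RDN:       ", rdn_of(dn))
    print("parent DN: ", parent_dn(dn))
    moved = move_entry(user, "cn=users,ou=raleigh,o=ibm,c=us")   # assumed container
    print("after move:", moved["dn"][0])
    print("uuid unchanged:", moved["uuid"] == user["uuid"])
    print("matches DS8000 client base DN:",
          dn_matches_client_config(dn, "cn=users,ou=tucson,o=ibm,c=us"))
```

Because an LDIF export of this kind carries the userpassword attribute, the backup files that the Export/Import function produces need the same access protection as the directory itself.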
Index

A
administration for users, groups, and roles 33
administration, applications, and infrastructure settings 52
administrative security 52
administrator role 2, 34
application security 52
Authentication Client 8
Authentication Server 78

B
base entry added to a realm 54
basic user management 12

C
CA (certificate authority) 15
certificate authority (CA) 15
certificate creation 13
chauthpol command 31
Copy Services operator role 2, 34

D
data repository 5
DB2 Server v9 for Windows 39
device server 20
directory 5
Directory Information Tree (DIT) 81
Directory Services 1
  LDAP 5
Directory Services-based user authentication 1
directory structure 69
distinguished name (DN) 55, 82
DN (distinguished name) 82
DNS (Domain Name System) 6
domain 81
  forest 81
Domain Name System (DNS) 6
DS CLI 4
DS GUI 3
DS8000
  basic user management and access 2
  benefits of LDAP authentication for administrators and users 8
  configuration for LDAP authentication 22
  HMC 2
  LDAP authentication 1, 7

E
Enterprise Storage System Network Interface (ESSNI)
  client 3, 7
  server 23, 7
ESS service port 23
ESSNI (Enterprise Storage System Network Interface)
  client 3, 7
  server 23, 7

F
federated repositories 53

G
group administration 33
group attribute definition 59
group management 60

H
Hardware Management Console (HMC) 2
HMC (Hardware Management Console) 2

I
iKeyman utility 14

J
jython 19

L
LDAP (Lightweight Directory Access Protocol) 67
  authentication
    benefits 8
    configuration in Tivoli Storage Productivity Center 51
    for DS8000 1
  Directory Services 5
  entity types 58
  group mappings
    DS CLI 35
    DS GUI 34
    Tivoli Storage Productivity Center roles 36
  implementation for the DS8000 11
  installation of servers 12
  structure overview 81
  SUSE Linux
    client configuration 75
    required packages 74
Lightweight Directory Access Protocol (LDAP) 1, 67, 33, 61
  authentication
    benefits 8
    configuration in Tivoli Storage Productivity Center 51
    for DS8000 1
  Directory Services 5
  entity types 58
  group mappings
    DS CLI 35
    DS GUI 34
    Tivoli Storage Productivity Center roles 36
  implementation for the DS8000 11
  installation of servers 12
  structure overview 81
  SUSE Linux
    client configuration 75
    required packages 74
    server configuration 75
Lightweight Third Party Authentication (LTPA) 19
logical operator role 2, 34
Lotus Domino 6
lsauthpol command 29, 31
LTPA (Lightweight Third Party Authentication) 19
LTPA keys
  CLI to export and import 19
  GUI to export and import 21

M
Manage Groups 60
Manage Users 60
Microsoft Active Directory 7
mkuser command 5
monitor role 3, 34

N
no access role 3, 34

O
openLDAP 13, 73
  for Linux 7
  installation in a SUSE Linux environment 73

P
performance configuration 58
physical operator role 2, 34
port number 23

R
RDN (relative distinguished name) 82
realm 53
  adding a base entry 54
Redbooks Web site 85
  Contact us viii
referral 55
relative distinguished name (RDN) 82
repository 52
Request for Comments (RFCs) 6
RFC (Request for Comments) 6
role-based authorization, Tivoli Storage Productivity Center 36
roles 2
  administration 33

S
SAS (Storage Authentication Service) 8
server ID 52
setauthpol command 30
setauthserver command 30
settruststore command 30
showauthpol command 31
single sign-on (SSO) 19
SSPC (Storage System Productivity Center) 13
SSPC (System Storage Productivity Center) 3
Storage Authentication Service (SAS) 8
Storage System Productivity Center (SSPC) 13
SUSE Linux, openLDAP installation 73
System Storage Productivity Center (SSPC) 3

T
testauthpol command 31
Tivoli Directory Server 6, 61
  v6.2 installation 61
Tivoli Directory Server Instance Administration Tool 66
Tivoli Integrated Portal 1, 8, 13
Tivoli Storage Productivity Center
  configuration for LDAP authentication 51
  Directory Services-based user authentication 1
  installation and configuration of servers 13
  installation of v4.1 39
  role-based authorization 36
  user administration for servers 36
  v4.1 installation on Windows Server 2008 39
Tivoli Storage Productivity Center for Replication 46
truststore file 8, 13
  copying 22
  creation 13

U
Universally Unique Identifier (UUID) 82
user account repository 52
user administration 33
user management 60
user repository 2
user roles 2, 34
UUID (Universally Unique Identifier) 82

W
Windows Server 2008, installation of Tivoli Storage Productivity Center v4.1 39
wsadmin command 19

X
X.500 6

Y
YaST 75