Enabling or disabling the Storage Authentication Service

Complete this task to enable or disable the Storage Authentication Service using the Tape Library Specialist Web interface.

About this task

Note:
  • TS3500 Storage Authentication Service is not supported with Tivoli® Storage Productivity Center V5.1 and later.
  • Password protection must be turned on in order to enable the Storage Authentication Service (SAS). If password protection is not turned on, the SAS tab is not available. To enable password protection, refer to Enabling or disabling password protection for Web screens.
In order to enable the Storage Authentication Service in the TS3500 tape library, it is necessary to configure the following settings:
  • Primary Server URL
  • Secondary Server URL (optional)
  • Service Connection User ID
  • Service Connection User Password

If you are using Hypertext Transfer Protocol Secure (HTTPS) Uniform Resource Locators (URLs), additional steps at the end of this procedure are needed to enable SAS and to manage the TIP server's Secure Sockets Layer (SSL) certificates, as described in the following information.

An HTTPS connection involves the client (in this case the TS3500 tape library) verifying the identity of the server using the TIP server's SSL certificate. The library must therefore already hold the TIP server's genuine certificate, so that it can compare it with the certificate the server presents during the handshake before secure communication over HTTPS begins.

If no certificate is available locally, the TS3500 tape library automatically retrieves the needed SSL certificate in-band over the HTTPS connection and presents its details on the SSL Certificates tab of the Web Security page of the Tape Library Specialist Web interface. An administrator can then verify the contents of the certificate and either accept or reject it. Because the certificate is obtained from the very server it is meant to identify, that verification has to be made against a source other than the same connection (the fingerprint check later in this procedure uses a browser session to the TIP server console); accepting an unverified certificate would equally accept a server that had been substituted on the network path. Details of the additional steps required are provided at the end of this procedure.

To enable or disable the Storage Authentication Service, an administrator must perform the following steps:

Procedure

  1. From the Work Items navigation pane, select Access —> Web Security.
    The Web Security screen displays.
  2. Select the Storage Authentication Service tab.
  3. Select the Enable Storage Authentication Service check box to enable SAS. Deselect the Enable Storage Authentication Service check box to disable SAS.
    Notes:
    • It is also possible to disable SAS by resetting the security/admin password on the operator panel. Refer to Using the operator panel to change the administrator's Web password in order to use this method.
    • When SAS is disabled, all users with active sessions continue with the same permissions that were obtained when SAS was enabled.
    • You cannot change the SAS configuration while SAS is enabled.
  4. If you are enabling SAS, insert values for the following fields. If you are disabling SAS, proceed to step 5.
    • Primary Server URL: Set this to the URL (HTTP or HTTPS; HTTPS is the secure choice) formed from the IP address of the host running the TIP server and the communication port used by SAS. An example of the Primary Server URL is: https://192.168.0.10:16311 where 192.168.0.10 is the TIP host server and 16311 is the authentication service port.

      The TS3500 tape library does not support Domain Name System (DNS) host names. Only IP addresses can be used in the URL. The URL can have a maximum of 254 characters. For the TIP Authentication Service, the default HTTP port is 16310 and the default HTTPS port is 16311. Contact your TPC administrator if the TIP server is configured differently and you need to verify the host IP address and port number for the TIP server.

    • Secondary Server URL: Optionally, a Secondary Server URL can be given for making SAS highly available in case the TIP server using the Primary Server URL is not reachable. The TIP server URL given here must adhere to the following rules:
      • Both the Primary Server URL and the Secondary Server URL must be either HTTP or HTTPS.
      • Both of the TIP servers must have the same common set of user credentials.
      When the Secondary Server URL is given, SAS uses this secondary URL as follows.
      • When enabling SAS, authentication and authorization for the given Admin User ID and password must succeed using both URLs.
      • When logging in or disabling SAS, the Primary Server URL is tried first, and if there is no communication failure its result is returned to the user. Other failures, such as a failed authentication (an unknown user or a wrong password) or a failed authorization (the user is not an Admin), do not cause SAS to use the Secondary Server URL. The Secondary Server URL is used only when there is a communication failure with the Primary Server URL.
    • Service Connection User ID and Password: The TS3500 tape library uses this User ID and Password to connect to the TIP Authentication Service using HTTP basic authentication. The User ID can be configured in TIP to be any User ID in LDAP or a User ID that is also used by TPC. Contact your IBM® Tivoli Storage Productivity Center administrator to obtain the authentication service User ID and Password. Note that basic authentication only base64-encodes the credentials; with HTTP URLs they cross the network in a form that is trivially readable, so use HTTPS URLs unless the network between the library and the TIP server is trusted.
      Note: The User ID and Password cannot exceed 14 characters each.
  5. Enter the User ID and Password of a user in an Admin LDAP group and select Apply.
    If you are using only HTTP URLs, you have completed this procedure. If you are also using HTTPS URLs, proceed according to the following scenarios:
    Note: It can take up to two minutes to enable SAS when using HTTPS URLs.
    • If an acceptable SSL certificate exists, no error message displays and you are finished with this procedure.
    • If there are no SSL certificates, the following error message displays: Request Failed - New Certificate Required. Proceed to step 6.
    • If there is a mismatch with an existing certificate (for example an expired certificate or the subject does not match) the following error message displays: Certificate Error Has Occurred. Proceed to step 7.
    Notes:
    • When submitting any changes to the settings on this tab, you must also provide the User ID and Password to be confirmed using the Storage Authentication Service.
    • Should the login with the SAS User ID and Password fail for any reason, refer to Using the operator panel to change the administrator's Web password in order to disable SAS using the operator panel. You can then log in using your local user account.
  6. If the Request Failed - New Certificate Required error message displays, verify and accept an SSL certificate by completing the following substeps:
    1. From the Web Security screen, select the SSL Certificates tab.
    2. Verify that the host name in the Issued To field corresponds to the IP address used in the Primary or Secondary Server URL.
    3. Verify that the expiration date is still valid in the Expiration field.
      Note: The date and time are in Coordinated Universal Time (UTC). Because the tape library does not maintain local time zone information, there is a small discrepancy when it judges the validity dates of a certificate: SAS may declare a certificate invalid a few hours too early or a few hours too late, depending on the difference between local time and UTC.
    4. Verify the value in the Fingerprint field against the fingerprint shown in the certificate details of a browser connected to the TIP server console. This comparison through an independent connection is what establishes that the certificate retrieved in-band belongs to the genuine TIP server; do not accept a certificate whose fingerprint you have not checked this way.
    5. Take one of the following actions:
      • To accept the certificate, return to the Storage Authentication Service tab. Enter the User ID and Password and select Apply. Once accepted, certificates are stored in compact flash in the TS3500 tape library.
      • To reject one or more certificates because the hostname, expiration date, or fingerprint values do not match, select the certificate(s). Then select Delete from the Select Action drop-down menu and click Go.
        Note: Certificates can only be deleted when SAS is disabled.
  7. If the Certificate Error Has Occurred error message displays, delete the existing certificate by completing the following substeps:
    1. From the Web Security screen, select the SSL Certificates tab.
    2. Select the certificate(s) to be deleted. Then select Delete from the Select Action drop-down menu and click Go.
    3. Go back and complete step 6.
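
The following is an added example, not IBM code, that simulates offline how the library uses the Primary and Secondary Server URLs as described in step 4 (login and disable fail over only on a communication failure; enabling must succeed on every configured URL) and checks the static rules for the four SAS settings. The probe callable, the outcome strings ("admin", "not-admin", "bad-credentials") and the second TIP address 192.168.0.11 are assumptions; 192.168.0.10:16311 is the page's example.

```python
# Offline simulation of the TS3500's use of the Primary and Secondary Server
# URLs, plus the static rules step 4 gives for the four SAS settings.
# Added example, not IBM code.  The probe callable, the outcome strings and the
# second TIP address 192.168.0.11 are assumptions; 192.168.0.10:16311 is the
# page's example address.
import ipaddress
from urllib.parse import urlsplit

MAX_URL_LEN = 254   # from step 4
MAX_CRED_LEN = 14   # from step 4


def validate_sas_settings(primary, secondary, user_id, password):
    """Return the list of rule violations for the step 4 fields (empty = acceptable)."""
    problems = []
    urls = [("Primary Server URL", primary)]
    if secondary:
        urls.append(("Secondary Server URL", secondary))
    schemes = set()
    for label, url in urls:
        if len(url) > MAX_URL_LEN:
            problems.append(f"{label}: longer than {MAX_URL_LEN} characters")
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            problems.append(f"{label}: scheme must be http or https")
        schemes.add(parts.scheme)
        try:
            ipaddress.ip_address(parts.hostname or "")
        except ValueError:
            problems.append(f"{label}: host must be an IP address (DNS names are not supported)")
    if len(schemes) > 1:
        problems.append("Primary and Secondary Server URLs must both be HTTP or both be HTTPS")
    for label, value in (("Service Connection User ID", user_id),
                         ("Service Connection User Password", password)):
        if len(value) > MAX_CRED_LEN:
            problems.append(f"{label}: longer than {MAX_CRED_LEN} characters")
    return problems


def sas_login(primary, secondary, probe):
    """Login (and disable) path: the primary is tried first and its answer is
    final unless the server cannot be reached.  An authentication or
    authorization failure is an answer, so it does NOT fall over to the secondary."""
    try:
        return probe(primary)
    except ConnectionError:
        if not secondary:
            raise
        return probe(secondary)


def sas_enable(primary, secondary, probe):
    """Enable path: the admin credentials must succeed on every configured URL."""
    results = {}
    for url in (u for u in (primary, secondary) if u):
        try:
            results[url] = probe(url)
        except ConnectionError:
            results[url] = "unreachable"
    return all(r == "admin" for r in results.values()), results


def make_probe(table):
    """Fake TIP servers for offline use: table maps URL -> outcome string, or an
    exception instance to raise (ConnectionError simulates an unreachable host)."""
    def probe(url):
        outcome = table[url]
        if isinstance(outcome, Exception):
            raise outcome
        return outcome
    return probe


PRIMARY = "https://192.168.0.10:16311"    # the page's example
SECONDARY = "https://192.168.0.11:16311"  # assumed second TIP host

if __name__ == "__main__":
    print(validate_sas_settings(PRIMARY, SECONDARY, "tipsvc", "tip-secret"))
    wrong_password = make_probe({PRIMARY: "bad-credentials", SECONDARY: "admin"})
    print(sas_login(PRIMARY, SECONDARY, wrong_password))   # bad-credentials: no failover
    primary_down = make_probe({PRIMARY: ConnectionError("timeout"), SECONDARY: "admin"})
    print(sas_login(PRIMARY, SECONDARY, primary_down))     # admin, reached via the secondary
    print(sas_enable(PRIMARY, SECONDARY, primary_down))    # (False, ...): both URLs must succeed
```

The distinction the simulation makes is the one that matters operationally: a wrong password against a reachable primary is reported as such and never retried against the secondary, so a lockout or a typo is not masked by failover, whereas an unreachable primary is transparent to the user logging in but blocks enabling SAS until both servers answer.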

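The following is an added example, not IBM code, that reproduces the three checks of step 6 (Issued To, Expiration, Fingerprint) on the certificate facts shown on the SSL Certificates tab, and fetches a server's certificate over an independent connection so its fingerprint can be compared with the library's Fingerprint field. The sample certificate dict and fingerprint are constructed, the skew window and hash algorithm are assumptions (match the algorithm to whatever the Fingerprint field displays), and 192.168.0.10:16311 is only the page's example address.

```python
# Out-of-band review of a TIP server certificate before accepting it in step 6.
# Added example, not IBM code.  The sample certificate dict and fingerprint are
# constructed; the skew window and the default hash algorithm are assumptions;
# 192.168.0.10:16311 is the page's example address.
import hashlib
import socket
import ssl
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List


def fetch_leaf_der(host, port, timeout=10):
    """Fetch the DER certificate a server presents, with verification switched
    off on purpose: the point is to hash it and compare the fingerprint with
    the library's Fingerprint field, not to trust it yet."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def der_fingerprint(der, algorithm="sha256"):
    """Colon-separated upper-case hex digest of the DER bytes, the form browsers
    display.  Use the same algorithm as the library's Fingerprint field."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text):
    """Drop separators and case so values copied from different UIs compare."""
    return "".join(c for c in text.upper() if c in "0123456789ABCDEF")


@dataclass
class CertFacts:
    issued_to: List[str]   # subject CN plus subjectAltName entries
    not_after: datetime    # expiry, UTC
    fingerprint: str       # as displayed by the library, any separator/case


def facts_from_peercert(peercert, fingerprint):
    """Build CertFacts from a dict in the shape ssl.SSLSocket.getpeercert() returns."""
    names = [v for rdn in peercert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in peercert.get("subjectAltName", ()) if k in ("IP Address", "DNS")]
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(peercert["notAfter"]), timezone.utc)
    return CertFacts(names, expiry, fingerprint)


def review_certificate(facts, expected_ip, reference_fingerprint, now=None, skew=timedelta(hours=24)):
    """Apply the step 6 checks and return (accept, findings).  The skew window
    exists because the library judges validity in UTC without a local time zone,
    so a certificate that expires within a day is not treated as acceptable."""
    now = now or datetime.now(timezone.utc)
    findings = {"issued_to": expected_ip in facts.issued_to}
    if facts.not_after <= now:
        findings["expiration"] = "expired"
    elif facts.not_after - now < skew:
        findings["expiration"] = "expires within skew window"
    else:
        findings["expiration"] = "valid"
    findings["fingerprint"] = normalize_fingerprint(facts.fingerprint) == normalize_fingerprint(reference_fingerprint)
    accept = findings["issued_to"] and findings["expiration"] == "valid" and findings["fingerprint"]
    return accept, findings


# Constructed sample in the shape of ssl.getpeercert(); not a real TIP certificate.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "192.168.0.10"),),),
    "subjectAltName": (("IP Address", "192.168.0.10"),),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2026 GMT",
}
SAMPLE_UI_FINGERPRINT = "ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01"  # constructed
FIXED_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # pinned so the sample is reproducible

if __name__ == "__main__":
    facts = facts_from_peercert(SAMPLE_PEERCERT, SAMPLE_UI_FINGERPRINT)
    # Reference value as a browser might show it (spaces instead of colons).
    print(review_certificate(facts, "192.168.0.10", SAMPLE_UI_FINGERPRINT.replace(":", " "), now=FIXED_NOW))
    # Live use against the page's example address:
    # print(der_fingerprint(fetch_leaf_der("192.168.0.10", 16311)))
```

All three findings must hold before the certificate is accepted on the Storage Authentication Service tab; a fingerprint mismatch in particular should be treated as a reason to delete the certificate and investigate, not to retry.
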
What to do next

For more information about TPC, visit the Web at http://www-03.ibm.com/systems/storage/software/center/index.html.