Storage Authentication Service
The Storage Authentication Service (SAS) is an option for web login requests on the TS3500 tape library.
Remote authentication is supported on a TS7700 virtualization engine or TS3500 tape library using the Tivoli Secure Authentication Service client and server, and the WebSphere® Federated Repositories. The TS7700 virtualization engine or TS3500 tape library must connect to a System Storage® Productivity Center (SSPC) appliance or a server using Tivoli Storage Productivity Center (TPC). The SAS client is integrated into the TS7700 virtualization engine microcode or the TS3500 tape library firmware, while the SAS server and the WebSphere Federated Repositories are integrated into TPC 4.1 and later. TPC is available as a software-only package or as an integrated solution on the SSPC appliance.
When SAS is enabled, the TS3500 tape library passes user authentication requests to the SAS server on the SSPC or TPC, where they are forwarded to the customer's Lightweight Directory Access Protocol (LDAP) or Microsoft Active Directory (AD) server. The LDAP or AD server then authenticates the user's ID and password. If they are valid, then one or more user groups are assigned. The TS3500 tape library then assigns the user a role based on the LDAP or AD group.
Keeping user IDs and passwords in a central repository simplifies the following tasks:
- Add or remove a user
- Reset or change a password
- Assign, change, or delete the LDAP or AD group of a user
A central repository can also simplify the process of responding to new security requirements for one or more tape libraries. For instance, rules for passwords can be changed in one location without reconfiguring multiple, affected machines. By comparison, when local authentication is employed, each individual machine maintains an internal database of user IDs, with corresponding passwords and roles.
LDAP dependency
The WebSphere Federated Repositories component of the SSPC or TPC receives authentication requests from the TS3500 tape library through the SAS. The SAS passes user ID and password information to the LDAP or AD server. The LDAP or AD server returns authentication status to the SSPC or TPC, which forwards the authentication status through the SAS to the TS3500 tape library. The LDAP or AD server attached to the SSPC or TPC manages the following information:
- User ID: A string to identify a specific user.
- User password: A password for each user ID.
- Groups: Strings to identify one or more groups of users. The TS3500 tape library maps each LDAP group to a TS3500 tape library role.
- The User ID and User password cannot exceed 15 characters. LDAP users that exceed this maximum might not be able to authenticate to the TS3500 Tape Library Specialist Web interface when SAS is enabled.
- The maximum length of a group is 15 characters. Groups exceeding 15 characters in length will not map to a defined role in the TS3500 tape library.
Mapping groups to roles
When a user is successfully authenticated using the Storage Authentication Service, the resulting user information includes a list of groups that the user belongs to. You can use the to define how groups are mapped to roles. For successful authorization, at least one LDAP group in the list must have the same name as a role that is defined in the TS3500 tape library. The first LDAP group to match a role determines the role of the user. Avoid ambiguity of multiple matches by making sure that only one group matches a role in the TS3500 tape library.
For more information about TPC, visit the web at http://www-03.ibm.com/systems/storage/software/center/index.html. For additional information about TPC security features, including how to use Microsoft Active Directory for authentication, visit the web at http://www.ibm.com/support/knowledgecenter/SSEQTP_7.0.0/com.ibm.websphere.base.doc/info/aes/ae/cwim_fedrepos.html.
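The first-match rule and the 15-character limits described above can be checked before SAS is enabled. The following script is an added example, not TS3500 firmware or IBM code: it models the documented mapping so an administrator can see which role each LDAP user would receive and where a group list is ambiguous. The role names, user IDs and group memberships in it are constructed sample data, not real library roles.

```python
# Added illustration of the TS3500 SAS group-to-role rule; not IBM code.
# Models the documented behaviour so LDAP group assignments can be
# reviewed before SAS is enabled. All names below are constructed samples.

MAX_NAME_LEN = 15  # documented limit for user IDs, passwords and group names


def map_groups_to_role(groups, defined_roles):
    """Return (role, warnings) for one authenticated user's LDAP groups.

    Documented rule: the first group whose name equals a role defined on
    the library determines the role. Groups longer than 15 characters
    never map. Multiple matches are flagged, since list order decides.
    """
    warnings, matches, defined = [], [], set(defined_roles)
    for group in groups:
        if len(group) > MAX_NAME_LEN:
            warnings.append(f"group {group!r} exceeds {MAX_NAME_LEN} chars and will not map")
            continue
        if group in defined:
            matches.append(group)
    if not matches:
        warnings.append("no group matches a defined role; authorization fails")
        return None, warnings
    if len(matches) > 1:
        warnings.append(f"ambiguous: groups {matches} all match roles; first wins")
    return matches[0], warnings


def check_credential_length(user_id, password):
    """Name the credentials over 15 chars, which may fail SAS authentication."""
    return [label for label, value in (("user ID", user_id), ("password", password))
            if len(value) > MAX_NAME_LEN]


# Constructed sample: roles as named on a hypothetical library, and LDAP users.
ROLES = ["admin", "operator", "monitor"]
USERS = {
    "alice": ["backup-team", "operator"],          # clean single match
    "bob": ["admin", "monitor"],                   # ambiguous: order decides
    "carol": ["tape-library-administrators"],      # 27 chars: never maps
}

if __name__ == "__main__":
    for user, groups in USERS.items():
        role, notes = map_groups_to_role(groups, ROLES)
        print(f"{user}: role={role} {'; '.join(notes)}")
```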