Reference Guide

Authentication and access
This chapter contains the following information:
Topics:
Authenticating and Managing User Accounts, Roles, and Privileges
Certificates
Secure communication between PowerStore appliances within a cluster
Secure communication for replication and data import
vSphere Storage API for Storage Awareness support
CHAP authentication
Configuring CHAP
External SSH access
Configuring external SSH access
NFS secure
Security on file system objects
File systems access in a multiprotocol environment
Understanding Common AntiVirus Agent (CAVA)
Code signing
Authenticating and Managing User Accounts, Roles, and Privileges
Authentication for access to the cluster is based on the credentials of a user account (local or LDAP). User accounts
are created and subsequently managed from the Users page, which is accessible in PowerStore Manager through Settings >
Users > Users. The authorizations that apply depend on the role associated with the user account. When a user enters the
network address of the cluster as the URL in a web browser, a login page appears from which the user can authenticate
either as a local user or through an LDAP directory server. The credentials that the user provides are authenticated
and a session is created on the system. The user can then monitor and manage the cluster within the capabilities of
the assigned role. The cluster authenticates its users by validating user names and passwords through a secure
connection with the management server.
NOTE:
When users attempt to perform an action in PowerStore Manager for which they are not authorized, a notification
appears stating that the action is not authorized.
The Lightweight Directory Access Protocol (LDAP) is an application protocol for querying directory services running on TCP/IP
networks. LDAP provides central management of authentication and identity and group information used for authorization on
the cluster. Integrating the system into an existing LDAP environment provides a way to control user and user group access to
the system through PowerStore Manager, RESTful API or CLI.
After you configure LDAP settings for the system, you can manage users and user groups within the context of an established
LDAP directory structure. For instance, you can assign access roles (Administrator, Storage Administrator, Security
Administrator, Operator, VM Administrator) to LDAP users or groups. The role applied determines the level of authorization
the user or group has in administering the storage system. The system uses the LDAP settings only to control
access to PowerStore Manager, RESTful API, or CLI, not access to storage resources.
Factory default management
Your appliance comes with factory default user account settings to use when initially accessing and configuring the appliance.
NOTE:
With releases 1.0.x, it is recommended that you initially configure PowerStore using the PowerStore Manager UI
rather than using the API, CLI, or Service Scripts interfaces. Doing so ensures that all the default passwords are changed.