External authentication requirements using authentication server

System Administrator Guide for VSP 5000 Series

Version
90-08-8x
Audience
anonymous
Part Number
MK-98RD9009-13

Authentication servers support the LDAP, RADIUS, and Kerberos protocols. The following lists explain requirements for each protocol.

LDAP

Authentication format
LDAPv3 simple bind authentication (Note that Bind DN is used for authentication.)
TLS Security Settings
The LDAP server must support the TLS security settings made in Setting SSL/TLS communications using the Tool Panel.
Root certificate file format for Device Manager - Storage Navigator
  • X509 DER format
  • X509 PEM format
Requirements for root certificate format for Device Manager - Storage Navigator
  • If the public key of the certificate to be updated is RSA, the key length must not be less than the key length that is set for Minimum Key Length (Key Exchange) in the TLS Security Settings dialog box.
  • If the public key of the certificate to be uploaded is ECDSA, the public key parameter must be any of the following:
    • ECDSA_P256 (secp256r1)
    • ECDSA_P384 (secp384r1)
    • ECDSA_P521 (secp521r1)
  • The signature hash algorithm of the certificate must be SHA-256, SHA-384, or SHA-512.
Requirements for certificate for the connected server
  • If the public key of the certificate is RSA, the key length must be 2048 bits or more.
  • If the public key of the certificate to be uploaded is ECDSA, the public key parameter must be any of the following:
    • ECDSA_P256 (secp256r1)
    • ECDSA_P384 (secp384r1)
    • ECDSA_P521 (secp521r1)
  • The signature hash algorithm of the certificate must be SHA-256, SHA-384, or SHA-512.
  • The following X.509 extensions, as specified in RFC 5280, are supported:
    • subjectAltName
    • CRLDistributionPoint
    • AuthorityInfoAccess
    • BasicConstraints
    • KeyUsage
    • SubjectKeyIdentifier
  • When setting a host name for Primary Host Name or Secondary Host Name in the Setup Server window (Settings > User Management > View External Authentication Server Properties > Setup Server), enter the host name of the server in subjectAltName or CommonName of the server certificate.
  • When setting an IP address for Primary Host Name or Secondary Host Name in the Setup Server window (Settings > User Management > View External Authentication Server Properties > Setup Server), enter the IP address of the server in subjectAltName or CommonName of the server certificate.
  • When using DNS Lookup to connect to an external authentication server, enter the host name of the server in subjectAltName or CommonName of the server certificate.
  • When you perform a certificate revocation check by using CRL, set the URI of the CRL repository for cRLDistributionPoint (CRL distribution point) of the intermediate certificate and server certificate set on the connected server. The CRL repository must be on the network that can be accessed by the SVP so that the SVP can communicate with the CRL repository. If the SVP cannot communicate with the CRL repository, external authentication fails.
  • When you perform a certificate revocation check by using OCSP, correctly set the URI of the OCSP responder for authorityInfoAccess (Authority Information Access) of the intermediate certificate and server certificate set on the connected server. The OCSP responder must be on the network that can be accessed by the SVP so that the SVP can communicate with the OCSP responder. If the SVP cannot communicate with the OCSP responder, external authentication fails.
  • If no DNS server is used, the IP address of the authentication server must be specified for the common name of the certificate.
  • Check the depth of the certificate chain before use: the SVP supports chains of at most 20 tiers (server certificate, intermediates, and root).
Note:
  • Acquire the root certificate for the authentication server from the authentication server administrator.
  • Certificates have an expiration date. If the certificate expires, the SVP can no longer connect to the authentication server and external authentication fails. Update the certificate before the expiration date.
  • For more information about certificate management, contact the authentication server administrator.
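The requirements above are mechanical enough to check before uploading a certificate. The following is an added example, not part of the Hitachi guide and not the SVP's own validation code: it runs the openssl CLI (assumed to be OpenSSL 1.1.1 or later on PATH) over a PEM file and reports every violated requirement for the server certificate, including the host name or IP address match, the revocation pointer the configured check needs, and expiry. Names such as ldap.example.com, 192.0.2.10 and pki.example.com are constructed sample values, and check_server_cert, chain_tiers and make_samples are hypothetical helper names. The parsing relies on the text layout openssl prints today.

```python
from __future__ import annotations
import re
import subprocess
import tempfile
from pathlib import Path

# Constraints taken from the requirements list above (hypothetical checker)
SUPPORTED_CURVES = {"prime256v1", "secp384r1", "secp521r1"}   # P-256, P-384, P-521
SUPPORTED_HASHES = ("sha256", "sha384", "sha512")


def openssl(*args: str) -> str:
    """Run the openssl CLI and return its stdout (raises on a non-zero exit)."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def check_server_cert(pem: str | Path, configured_name: str,
                      revocation: str = "none", min_rsa_bits: int = 2048) -> list[str]:
    """Return the violated requirements; an empty list means the certificate passes.

    configured_name: the Primary/Secondary Host Name value (a host name or an IP address).
    revocation: "none", "crl" or "ocsp", matching the SVP's revocation-check setting.
    """
    text = openssl("x509", "-in", str(pem), "-noout", "-text")
    problems: list[str] = []

    # 1. Signature hash must be SHA-256/384/512 (openssl prints names such as
    #    sha256WithRSAEncryption or ecdsa-with-SHA384).
    sig = re.search(r"Signature Algorithm: (\S+)", text).group(1)
    if not any(h in sig.lower() for h in SUPPORTED_HASHES):
        problems.append(f"signature algorithm {sig} is not SHA-256/384/512")

    # 2. Public key: RSA of at least min_rsa_bits, or ECDSA on an allowed curve.
    key_alg = re.search(r"Public Key Algorithm: (\S+)", text).group(1)
    if key_alg == "rsaEncryption":
        bits = int(re.search(r"Public-Key: \((\d+) bit\)", text).group(1))
        if bits < min_rsa_bits:
            problems.append(f"RSA key is {bits} bits (need at least {min_rsa_bits})")
    elif key_alg == "id-ecPublicKey":
        curve = re.search(r"ASN1 OID: (\S+)", text).group(1)
        if curve not in SUPPORTED_CURVES:
            problems.append(f"ECDSA curve {curve} is not P-256/P-384/P-521")
    else:
        problems.append(f"unsupported public key algorithm {key_alg}")

    # 3. The configured host name or IP address must be a DNS:/IP Address: entry in
    #    subjectAltName or, failing that, the subject CN.
    san = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", text)
    san_entries = [e.strip() for e in san.group(1).split(",")] if san else []
    cn = re.search(r"Subject:.*?CN\s*=\s*([^,/\n]+)", text)
    cn_value = cn.group(1).strip() if cn else ""
    if (f"DNS:{configured_name}" not in san_entries
            and f"IP Address:{configured_name}" not in san_entries
            and cn_value != configured_name):
        problems.append(f"{configured_name!r} is in neither subjectAltName {san_entries} nor CN {cn_value!r}")

    # 4. The SVP can only follow revocation pointers that are actually present.
    if revocation == "crl" and "CRL Distribution Points" not in text:
        problems.append("no cRLDistributionPoints extension; a CRL check would fail")
    if revocation == "ocsp" and "OCSP - URI:" not in text:
        problems.append("no OCSP responder in authorityInfoAccess; an OCSP check would fail")

    # 5. An expired certificate stops the SVP from connecting at all.
    expired = subprocess.run(["openssl", "x509", "-in", str(pem), "-noout", "-checkend", "0"],
                             capture_output=True).returncode != 0
    if expired:
        problems.append("certificate has expired")
    return problems


def chain_tiers(pem_bundle: str | Path) -> int:
    """Tiers in a PEM bundle (server + intermediates + root); the SVP supports at most 20."""
    return Path(pem_bundle).read_text().count("-----BEGIN CERTIFICATE-----")


def make_samples(workdir: Path) -> dict[str, Path]:
    """Constructed self-signed samples (hypothetical names) so the checks run offline."""
    def req(name: str, keyspec: list[str], *exts: str) -> Path:
        out = workdir / f"{name}.pem"
        args = ["req", "-x509", "-nodes", "-days", "30", "-sha256", "-newkey", *keyspec,
                "-subj", "/CN=ldap.example.com",
                "-keyout", str(workdir / f"{name}.key"), "-out", str(out)]
        for ext in exts:
            args += ["-addext", ext]
        openssl(*args)
        return out
    return {
        "good": req("good", ["rsa:2048"],
                    "subjectAltName=DNS:ldap.example.com,IP:192.0.2.10",
                    "crlDistributionPoints=URI:http://pki.example.com/ldap.crl",
                    "authorityInfoAccess=OCSP;URI:http://ocsp.example.com"),
        "ec": req("ec", ["ec", "-pkeyopt", "ec_paramgen_curve:secp384r1"],
                  "subjectAltName=IP:192.0.2.11"),
        "weak": req("weak", ["rsa:1024"]),   # 1024-bit RSA, no SAN, no revocation pointers
    }


def run_demo() -> dict[str, object]:
    """Generate the samples in a temporary directory and check each one."""
    with tempfile.TemporaryDirectory() as tmp:
        s = make_samples(Path(tmp))
        return {
            "good, host name, CRL": check_server_cert(s["good"], "ldap.example.com", "crl"),
            "good, IP address, OCSP": check_server_cert(s["good"], "192.0.2.10", "ocsp"),
            "good, wrong name": check_server_cert(s["good"], "other.example.com"),
            "ec P-384, IP address": check_server_cert(s["ec"], "192.0.2.11"),
            "weak, OCSP": check_server_cert(s["weak"], "ldap.example.com", "ocsp"),
            "good, chain tiers": chain_tiers(s["good"]),
        }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case}: {result or 'OK'}")
```

To check a certificate obtained from the LDAP server administrator, call check_server_cert with the PEM path and the exact value entered as Primary Host Name or Secondary Host Name; a name that is only in the CN passes here because the guide allows either field, but the same check is then repeated for the secondary server with the same certificate. The CRL and OCSP checks only confirm that the pointers exist; whether the SVP can actually reach those URIs is a network question the script cannot answer offline.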

RADIUS

Authentication format
RFC 2865-compliant RADIUS
  • PAP authentication
  • CHAP authentication

Kerberos

Authentication format
Kerberos v5
Encryption type
Windows
  • AES128-CTS-HMAC-SHA1-96
  • RC4-HMAC
  • DES3-CBC-SHA1
  • DES-CBC-CRC
  • DES-CBC-MD5
Solaris or Linux
  • DES-CBC-MD5
Prefer AES128-CTS-HMAC-SHA1-96 where the KDC offers it. DES (RFC 6649), and RC4-HMAC and DES3-CBC-SHA1 (RFC 8429), are deprecated, and DES is disabled by default on current Windows domain controllers and MIT Kerberos KDCs. A Solaris or Linux KDC that must use DES-CBC-MD5 with the storage system therefore has to enable it explicitly (allow_weak_crypto = true in the [libdefaults] section of the MIT krb5.conf), and the principals involved need keys of that encryption type.
Note:
  • Two authentication servers (one primary and one secondary) can be connected to a storage system. When using the secondary server, configure the settings considering the following:
    • For the secondary server, use the same configuration settings as the primary server, except for the host name and the port number.
    • The same certificate must be used for the primary server and the secondary server.
  • If you locate a server through SRV records registered in the DNS server, confirm that the following conditions are satisfied. SRV records cannot be used for RADIUS servers.
    LDAP server conditions:
    • The LDAP server is configured to use the DNS server.
    • The host name, port number, and domain name of the LDAP server are registered in the DNS server (conventionally as an SRV record named _ldap._tcp.<domain>).
    Kerberos server conditions:
    • The host name, port number, and domain name of the Kerberos server are registered in the DNS server (conventionally as _kerberos._tcp.<domain> or _kerberos._udp.<domain>).
  • RADIUS (RFC 2865) is carried over UDP/IP without any transport encryption or negotiation: only the User-Password attribute is obfuscated with the shared secret, and the user name and all other attributes are sent in cleartext. To access the RADIUS server in a secure environment, packet-level encryption such as IPsec between the SVP and the RADIUS server is required.
  • If you use Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 as the authentication server, SSL/TLS communication cannot be established with DHE key exchange in the default settings. When you use any of these servers as the authentication server, configure the SSL/TLS communication settings in Device Manager - Storage Navigator to disable the cipher suites that use DHE for key exchange.
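The RADIUS note above says the traffic is not encrypted; the following added example (not from the guide and not the storage system's implementation) makes that concrete. It builds an RFC 2865 Access-Request for PAP, applies the User-Password transform from section 5.2 of that RFC, and shows what a passive observer of the UDP datagram recovers with and without the shared secret; a CHAP-Password helper shows the alternative the guide lists. Values such as s3cr3t, svp-admin and the fixed Request Authenticator are constructed, and the function names are hypothetical.

```python
from __future__ import annotations
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60   # attribute types


def obfuscate_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes, then
    c_1 = p_1 XOR MD5(secret + RequestAuthenticator) and c_i = p_i XOR MD5(secret + c_(i-1)).
    This is a shared-secret keystream, not authenticated encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def recover_user_password(encrypted: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of obfuscate_user_password: what anyone holding (or guessing) the shared
    secret plus a capture of the packet can do. Trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = encrypted[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\0")


def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 section 5.3: CHAP-Password = CHAP Ident || MD5(Ident || password || challenge).
    The password itself never crosses the wire, but the hash is offline-guessable."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (length includes the header)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def access_request(identifier: int, secret: bytes, username: bytes, password: bytes,
                   authenticator: bytes | None = None) -> bytes:
    """Build a PAP Access-Request: code 1, identifier, length, 16-byte Request
    Authenticator, then attributes. Only User-Password is transformed."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, obfuscate_user_password(password, secret, ra)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def parse_attributes(packet: bytes) -> dict[int, bytes]:
    """Walk the TLVs that follow the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def sniff(packet: bytes, secret: bytes | None = None) -> dict[str, bytes]:
    """What an on-path observer learns from one datagram: the user name is always
    readable, and the password falls out as soon as the shared secret is known."""
    attrs = parse_attributes(packet)
    seen = {"user": attrs[USER_NAME]}
    if secret is not None and USER_PASSWORD in attrs:
        seen["password"] = recover_user_password(attrs[USER_PASSWORD], secret, packet[4:20])
    return seen


if __name__ == "__main__":
    # Constructed values; nothing is sent on the network.
    pkt = access_request(7, b"s3cr3t", b"svp-admin", b"Correct Horse Battery")
    print("observer without secret:", sniff(pkt))
    print("observer with secret:   ", sniff(pkt, b"s3cr3t"))
```

The shared secret is the only thing standing between a packet capture and the password, and it is reused for every request, so an attacker can test guesses offline against any captured Access-Request. That is why the guide requires IPsec (or another packet-level protection) on the path between the SVP and the RADIUS server rather than relying on the protocol itself.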