External authorization requirements using authorization server

System Administrator Guide for VSP 5000 Series

Version
90-08-8x
Audience
anonymous
Part Number
MK-98RD9009-13
The authorization server must satisfy the following requirements to work together with the authentication server:
Note: Use an operating system (OS) and software that continue to be supported by the vendor. Operations performed using an OS or software for which vendor support has expired cannot be guaranteed.
Prerequisite OS
  • Windows Server 2008*
  • Windows Server 2008 R2*
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

* Microsoft support for this operating system has expired. Use an operating system for which Microsoft continues to provide support.

Prerequisite software
  • Active Directory
Authentication protocol for the user account used for searching
  • LDAP v3 simple bind (Note that Bind DN is used for authentication.)
TLS security settings
Root certificate file format for Device Manager - Storage Navigator
  • X509 DER format
  • X509 PEM format
Requirements for root certificate format for Device Manager - Storage Navigator
  • If the public key of the certificate to be uploaded is RSA, the key length must not be less than the key length that is set for Minimum Key Length (Key Exchange) in the TLS Security Settings dialog box.
  • If the public key of the certificate to be uploaded is ECDSA, the public key parameter must be any of the following:
    • ECDSA_P256 (secp256r1)
    • ECDSA_P384 (secp384r1)
    • ECDSA_P521 (secp521r1)
  • The signature hash algorithm of the certificate must be SHA-256, SHA-384, or SHA-512.
  • The following X.509 extension fields, as specified in RFC 5280, are supported:
    • BasicConstraints
    • KeyUsage
    • SubjectKeyIdentifier
    • Authority Key Identifier
    • Certificate Policies
    • Subject Alternative Name
    • Name Constraints
    • Policy Constraints
    • Extended Key Usage
    • Inhibit anyPolicy
Requirements for certificate for the connected server
  • If the public key of the certificate is RSA, the key length must be 2048 bits or more.
  • If the public key of the certificate to be uploaded is ECDSA, the public key parameter must be any of the following:
    • ECDSA_P256 (secp256r1)
    • ECDSA_P384 (secp384r1)
    • ECDSA_P521 (secp521r1)
  • The signature hash algorithm of the certificate must be SHA-256, SHA-384, or SHA-512.
  • The following X.509 extension fields, as specified in RFC 5280, are supported:
    • BasicConstraints
    • KeyUsage
    • SubjectKeyIdentifier
    • Authority Key Identifier
    • Certificate Policies
    • Subject Alternative Name
    • Name Constraints
    • Policy Constraints
    • Extended Key Usage
    • Inhibit anyPolicy
  • When setting a host name for Primary Host Name or Secondary Host Name in the Setup Server window (Settings > User Management > View External Authentication Server Properties > Setup Server), enter the host name of the server in subjectAltName or CommonName of the server certificate.
  • When setting an IP address for Primary Host Name or Secondary Host Name in the Setup Server window (Settings > User Management > View External Authentication Server Properties > Setup Server), enter the IP address of the server in subjectAltName or CommonName of the server certificate.
  • If you set an IP address as the host name of the server in a configuration file (created in Connecting authentication and authorization servers), also set that IP address in subjectAltName or CommonName of the certificate (used for secure communication) that is created along with the configuration file.
  • When using DNS Lookup to connect to an external authentication server, enter the host name of the server in subjectAltName or CommonName of the server certificate. If the certificate contains both subjectAltName and CommonName, the IP address or host name that you set for subjectAltName applies.
  • When you perform a certificate revocation check by using CRL, set the URI of the CRL repository for cRLDistributionPoint (CRL distribution point) of the intermediate certificate and server certificate set on the connected server. The CRL repository must be on the network that can be accessed by the SVP so that the SVP can communicate with the CRL repository. If the SVP cannot communicate with the CRL repository, communication with the authorization server fails.
  • When you perform a certificate revocation check by using OCSP, correctly set the URI of the OCSP responder for authorityInfoAccess (Authority Information Access) of the intermediate certificate and server certificate set on the connected server. The OCSP responder must be on the network that can be accessed by the SVP so that the SVP can communicate with the OCSP responder. If the SVP cannot communicate with the OCSP responder, communication with the authorization server fails.
  • If no DNS server is used, the IP address of the authorization server must be specified for the common name of the certificate.
  • Check the number of tiers of the certificate chain to be used. The maximum number supported is 20 tiers. Make sure to use a certificate in a certificate chain with no more than 20 tiers.
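The following shell function is an added example, not part of this guide or Hitachi's tooling: it uses the openssl CLI to check a PEM server certificate file against the requirements above (key type and length, ECDSA curve, signature hash, subjectAltName or CommonName matching the host name or IP configured in Setup Server with subjectAltName taking precedence, and chain depth) before the certificate is uploaded. It assumes OpenSSL 1.1.1 or later for the `-text` output format it parses.

```shell
#!/bin/sh
# Added example (not Hitachi's tooling): check a PEM server certificate file
# against the requirements for the connected server with the openssl CLI.
# Usage: check_server_cert <cert.pem> <host name or IP set in Setup Server>
# Prints each failed check and returns 1; returns 0 when all checks pass.
check_server_cert() {
  cert="$1"; host="$2"; rc=0
  text=$(openssl x509 -in "$cert" -noout -text) || return 1
  esc=$(printf '%s' "$host" | sed 's/[.]/\\./g')   # literal dots for grep -E

  # Public key: RSA must be 2048 bits or more; ECDSA must use P-256/P-384/P-521.
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: RSA key is ${bits:-?} bits, need >= 2048"; rc=1; }
  elif printf '%s\n' "$text" | grep -q 'Public Key Algorithm: id-ecPublicKey'; then
    printf '%s\n' "$text" | grep -Eq 'ASN1 OID: (prime256v1|secp384r1|secp521r1)' \
      || { echo "FAIL: ECDSA curve is not secp256r1/secp384r1/secp521r1"; rc=1; }
  else
    echo "FAIL: public key is neither RSA nor ECDSA"; rc=1
  fi

  # Signature hash algorithm must be SHA-256, SHA-384 or SHA-512.
  printf '%s\n' "$text" | sed -n '/Signature Algorithm:/{p;q;}' | grep -Eiq 'sha(256|384|512)' \
    || { echo "FAIL: signature hash is not SHA-256/384/512"; rc=1; }

  # The host name or IP must be in subjectAltName; when a SAN is present it
  # takes precedence, and CommonName is checked only when there is no SAN.
  san=$(printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;p;q;}')
  if [ -n "$san" ]; then
    printf '%s\n' "$san" | grep -Eq "(DNS|IP Address):$esc(,|$)" \
      || { echo "FAIL: $host not in subjectAltName ($san)"; rc=1; }
  else
    printf '%s\n' "$text" | grep -Eq "Subject:.*CN ?= ?$esc(,|$)" \
      || { echo "FAIL: no subjectAltName and CommonName is not $host"; rc=1; }
  fi

  # The SVP supports certificate chains of at most 20 tiers.
  tiers=$(grep -c 'BEGIN CERTIFICATE' "$cert")
  [ "$tiers" -le 20 ] || { echo "FAIL: chain has $tiers tiers, max 20"; rc=1; }
  return $rc
}

if [ "$#" -eq 2 ]; then check_server_cert "$1" "$2"; fi
```

Run it with a chain file (server certificate first) to include the tier count check; CRL and OCSP reachability from the SVP is not something this function can verify.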
Note:
  • Acquire the root certificate for the authentication server from the authentication server administrator.
  • Certificates have an expiration date. If the certificate expires, you will no longer be able to connect to the authentication server. Choose the expiration date carefully when preparing the certificate.
  • For details of certificate management, consult the authentication server administrator and manage the certificates appropriately.
Note: When using an LDAP server or a Kerberos server as an authentication server, and combining it with an authorization server, use the same host for the authentication and authorization servers.

When a RADIUS server is used as an authentication server, two authentication servers (one primary and one secondary) can be specified, but only one authorization server can be specified.

If you use Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 as an authorization server, SSL communication cannot be established using DHE key exchange with the default settings. When you use any of these servers as the authorization server, use Device Manager - Storage Navigator to configure the SSL communication settings so that the cipher suites that use DHE for key exchange are disabled.