External authorization requirements using authorization server

System Administrator Guide for VSP 5000 Series

Version: 90-09-2x
Audience: anonymous
Part Number: MK-98RD9009-16
Note: Use an operating system (OS) and software that continue to be supported by the vendor. Operations performed using an OS or software for which vendor support has expired cannot be guaranteed.

Authorization servers support the LDAP and RADIUS protocols:

LDAP

Prerequisite OS
  • Windows Server 2008*
  • Windows Server 2008 R2*
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

* Microsoft support for this operating system has expired. Use an operating system for which Microsoft continues to provide support.

Prerequisite software
  • Active Directory
Authentication protocol for the user account used for searching
  • LDAP v3 simple bind (Note that Bind DN is used for authentication.)
TLS security settings
Root certificate file format for Device Manager - Storage Navigator
  • X509 DER format
  • X509 PEM format
Requirements for root certificate format for Device Manager - Storage Navigator
  • If the public key of the certificate to be uploaded is RSA, the key length must not be less than the key length that is set for Minimum Key Length (Key Exchange) in the TLS Security Settings dialog box.
  • If the public key of the certificate to be uploaded is ECDSA, the public key parameter must be any of the following:
    • ECDSA_P256 (secp256r1)
    • ECDSA_P384 (secp384r1)
    • ECDSA_P521 (secp521r1)
  • The signature hash algorithm of the certificate must be SHA-256, SHA-384, or SHA-512.
  • The extended profile fields in the X.509 certificate support the following items as specified in RFC5280:
    • BasicConstraints
    • KeyUsage
    • SubjectKeyIdentifier
    • Authority Key Identifier
    • Certificate Policies
    • Subject Alternative Name
    • Name Constraints
    • Policy Constraints
    • Extended Key Usage
    • Inhibit anyPolicy
Requirements for certificate for the connected server
  • If the public key of the certificate is RSA, the key length must be 2048 bits or more.
  • If the public key of the certificate to be uploaded is ECDSA, the public key parameter must be any of the following:
    • ECDSA_P256 (secp256r1)
    • ECDSA_P384 (secp384r1)
    • ECDSA_P521 (secp521r1)
  • The signature hash algorithm of the certificate must be SHA-256, SHA-384, or SHA-512.
  • The extended profile fields in the X.509 certificate support the following items as specified in RFC5280:
    • BasicConstraints
    • KeyUsage
    • SubjectKeyIdentifier
    • Authority Key Identifier
    • Certificate Policies
    • Subject Alternative Name
    • Name Constraints
    • Policy Constraints
    • Extended Key Usage
    • Inhibit anyPolicy
  • When setting a host name for Primary Host Name or Secondary Host Name in the Setup Server window (Settings > User Management > View External Authentication Server Properties > Setup Server), enter the host name of the server in subjectAltName or CommonName of the server certificate.
  • When setting an IP address for Primary Host Name or Secondary Host Name in the Setup Server window (Settings > User Management > View External Authentication Server Properties > Setup Server), enter the IP address of the server in subjectAltName or CommonName of the server certificate.
  • If you set an IP address as the host name of the server for a configuration file (created in Connecting authentication and authorization servers), make sure to also set the IP address for subjectAltName or CommonName of a certificate (for a secure communication) that is created along with the configuration file.
  • When using DNS Lookup to connect to an external authentication server, enter the host name of the server in subjectAltName or CommonName of the server certificate. If the certificate contains both subjectAltName and CommonName, the IP address or the host name that you set for subjectAltName applies.
  • When you perform a certificate revocation check by using CRL, set the URI of the CRL repository for cRLDistributionPoint (CRL distribution point) of the intermediate certificate and server certificate set on the connected server. The CRL repository must be on the network that can be accessed by the SVP so that the SVP can communicate with the CRL repository. If the SVP cannot communicate with the CRL repository, communication with the authorization server fails.
  • When you perform a certificate revocation check by using OCSP, correctly set the URI of the OCSP responder for authorityInfoAccess (Authority Information Access) of the intermediate certificate and server certificate set on the connected server. The OCSP responder must be on the network that can be accessed by the SVP so that the SVP can communicate with the OCSP responder. If the SVP cannot communicate with the OCSP responder, communication with the authorization server fails.
  • If no DNS server is used, the IP address of the authorization server must be specified for the common name of the certificate.
  • Check the number of tiers in the certificate chain to be used. The maximum supported is 20 tiers; do not use a certificate whose chain has more than 20 tiers.
Note:
  • Acquire the root certificate for the authentication server from the authentication server administrator.
  • Certificates have an expiration date. If the certificate expires, you will no longer be able to connect to the authentication server. When preparing the certificate, set its expiration date carefully.
  • For more information about managing certificates, consult the authentication server administrator and manage them appropriately.
Note: When using an LDAP server or a Kerberos server as an authentication server, and combining it with an authorization server, use the same host for the authentication and authorization servers.

When a RADIUS server is used as an authentication server, two authentication servers (one primary and one secondary) can be specified, but only one authorization server can be specified.

If you use Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 as an authorization server, the SSL communications cannot be established by using DHE in the default settings. When you use any of these servers as the authorization server, configure the SSL communication settings by using Device Manager - Storage Navigator to disable the cipher suites that use DHE for key exchange.

RADIUS

RADIUS authorization servers are supported when the SVP version is 90-09-21 or later.

When you use a RADIUS server as an authorization server, also use a RADIUS server as an authentication server. Note that the authorization server and the authentication server must run on the same host.

When you use a RADIUS authorization server, the following requirements must be satisfied in addition to the requirements for the RADIUS authentication server.

Response with the information about the group containing the logged-in user:

  • The Attributes field in an Access-Accept response* must include the information about the group containing the logged-in user.

    * A response that is returned from an authorization server to a storage system when login is successful.

  • Use one of the following as the attribute type of the attribute containing group information:
    • 11 (Filter-Id)
    • 25 (Class)
    • 64-255
  • Use "string" as the data type of the attribute containing group information.
  • Group information must be described in DN format (compliant with RFC 4514), starting with "attribute-name=group-name".
    • attribute-name is a character string that does not contain an equal sign (=).
    • Storage systems extract the group-name that is the attribute value in the first RDN. For example, when group information is "CN=UserGroupA", storage systems extract UserGroupA as the group name.
CAUTION:
  • On the authorization server, include only group information in the attribute type used to contain group information. Storage systems obtain group information from the attribute type specified in External User Group Mapping - Attribute Type containing the user group information in the RADIUS Set Up Server window. If information other than group information is included in the specified attribute type on the authorization server, storage systems obtain that information as group information as well. If this occurs, the logged-in user might be given unexpected permissions.
  • For RADIUS (RFC 2865), the maximum size of an Access-Accept response packet is 4,096 bytes. If the size of an Access-Accept response packet exceeds 4,096 bytes, all or part of group information might not be sent from the authorization server to the storage system, resulting in a login failure. If login fails, check the group information on the authorization server to see if the information exceeds 4,096 bytes.
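The group-extraction rule (first RDN value of an RFC 4514 DN in the configured attribute type) and the 4,096-byte packet limit, as an added Python example that is not Hitachi code: an administrator can run it against a planned Access-Accept attribute profile before pointing a storage system at the RADIUS server. The (type, value) list format and all sample values are constructed for illustration.

```python
import re

# Added example, not Hitachi code: models the rules in the text so an administrator can
# check an authorization server's Access-Accept reply profile before deployment.
MAX_ACCESS_ACCEPT_LEN = 4096            # RFC 2865 packet limit quoted in the CAUTION
RADIUS_HEADER_LEN = 20                  # Code + Identifier + Length + Authenticator
ALLOWED_GROUP_ATTR_TYPES = {11, 25} | set(range(64, 256))   # Filter-Id, Class, 64-255

# Constructed sample Attributes field of an Access-Accept: (attribute type, value) pairs.
SAMPLE_ATTRIBUTES = [
    (25, b"CN=UserGroupA,OU=Storage,DC=example,DC=com"),  # first RDN value -> UserGroupA
    (25, b"CN=Ops\\, Team+OU=x"),    # RFC 4514 escaped comma inside the group name
    (25, b"session-4711"),           # non-group data leaking into the Class attribute
    (11, b"CN=NotUsed"),             # different attribute type: ignored
]

def first_rdn_value(dn):
    """Return the attribute value of the first RDN of an RFC 4514 DN string, or None
    when the string does not start with 'attribute-name=value'."""
    m = re.match(r'^([^=,+\\]+)=((?:\\.|[^,+\\])*)', dn)
    if not m or not m.group(2):
        return None
    # Undo RFC 4514 escaping in one left-to-right pass: "\2C" -> ",", "\," -> ","
    return re.sub(r'\\([0-9A-Fa-f]{2}|.)',
                  lambda e: chr(int(e.group(1), 16)) if len(e.group(1)) == 2 else e.group(1),
                  m.group(2))

def extract_group_names(attributes, configured_type):
    """Every attribute of the configured type is treated as group information and its
    first RDN value becomes the group name. Values not in DN form are returned separately
    so non-group data can be spotted; a non-group value that happens to be DN-formatted
    is indistinguishable, which is what the CAUTION warns about."""
    if configured_type not in ALLOWED_GROUP_ATTR_TYPES:
        raise ValueError(f"attribute type {configured_type} is not 11, 25 or 64-255")
    groups, rejected = [], []
    for attr_type, value in attributes:
        if attr_type != configured_type:
            continue
        text = value.decode("utf-8", errors="replace")
        name = first_rdn_value(text)
        (groups if name is not None else rejected).append(text if name is None else name)
    return groups, rejected

def access_accept_length(attributes):
    """Encoded reply length: 20-byte header plus a Type octet, a Length octet and the
    value for each attribute, to compare against the 4,096-byte limit before login fails."""
    return RADIUS_HEADER_LEN + sum(2 + len(value) for _, value in attributes)

if __name__ == "__main__":
    print(extract_group_names(SAMPLE_ATTRIBUTES, 25), access_accept_length(SAMPLE_ATTRIBUTES))
```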