External authentication requirements using authentication server

System Administrator Guide for Virtual Storage Platform E Series

Version: 93-07-0x
Audience: anonymous
Part Number: MK-97HM85028-18

Authentication servers support the following protocols:

  • LDAPv3 simple bind authentication (the Bind DN is used for authentication)
  • RFC 2865-compliant RADIUS with PAP and CHAP authentication
  • Kerberos v5
Note: When an LDAP server is used as the authentication server, TLS 1.2 must be used as the communication protocol.

For LDAP server settings, the root certificate set on Device Manager - Storage Navigator can be supplied in either of the following file formats:

  • X509 DER format
  • X509 PEM format
    Note:

    The root certificate to be set on Device Manager - Storage Navigator must satisfy the following requirements:

    • The following X.509 v3 extensions (as specified in RFC 5280) are supported in the certificate:
      • BasicConstraints
      • KeyUsage
      • SubjectKeyIdentifier
      • Authority Key Identifier
      • Certificate Policies
      • Subject Alternative Name
      • Name Constraints
      • Policy Constraints
      • Extended Key Usage
      • Inhibit anyPolicy

    The certificate to be set on the connected server must satisfy the following requirements:

    • The following X.509 v3 extensions (as specified in RFC 5280) are supported in the certificate:
      • BasicConstraints
      • KeyUsage
      • SubjectKeyIdentifier
      • Authority Key Identifier
      • Certificate Policies
      • Subject Alternative Name
      • Name Constraints
      • Policy Constraints
      • Extended Key Usage
      • Inhibit anyPolicy
    • If you specify an IP address as the server host name in the configuration file (created in Connecting authentication and authorization servers), that same IP address must also appear in the subjectAltName or Common Name of the server certificate used for secure communication, which is created along with the configuration file.

      If DNS lookup is used instead, the host name of the server must appear in the subjectAltName or Common Name.

      If the certificate contains both subjectAltName and Common Name, the IP address or host name in subjectAltName takes precedence; the Common Name is not used for the comparison.

    • If no DNS server is used, the IP address of the authentication server must be specified as the Common Name of the certificate.
    • Check the number of tiers in the certificate chain to be used. A maximum of 5 tiers is supported, so the chain from the root certificate down to the server certificate must not exceed 5 tiers.
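The identity and chain rules above, as an added example that is not part of the Hitachi guide or the product's own code: the script builds a constructed test CA and two server certificates, then checks them with OpenSSL's verifier the way the storage system's configuration would be checked (the configured identifier is matched against subjectAltName first, the Common Name only when no DNS SAN is present, and the chain may not exceed 5 tiers). It assumes OpenSSL 1.1.1 or later on the host running it; the names Example Root CA, ldap.example.test, old-ldap.example.test and 192.0.2.10 are made up for the example. The storage system's validator is not OpenSSL, so this reproduces the documented rules rather than the product's implementation.

```shell
#!/bin/sh
# Added example (not from the Hitachi guide): constructed CA + server certs,
# checked with OpenSSL against the documented SAN/CN and chain-depth rules.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Root CA (tier 1). Extensions are spelled out so OpenSSL 1.1.1 and 3.x
#    produce the same certificate; all three are in the supported-extension list.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$WORK/ca.cnf" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. Server cert A: CN and SAN agree, and the SAN carries both the DNS name and
#    the IP address, so it matches whether the storage system is configured with
#    the host name or with the IP (constructed values).
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
  -subj "/CN=ldap.example.test" -keyout "$WORK/srv.key" -out "$WORK/a.csr" 2>/dev/null
cat > "$WORK/a.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.example.test,IP:192.0.2.10
EOF
openssl x509 -req -days 2 -in "$WORK/a.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -extfile "$WORK/a.ext" -out "$WORK/a.pem" 2>/dev/null
SRV_A="$WORK/a.pem"

# 3. Server cert B: stale Common Name, current name only in the SAN. Demonstrates
#    the precedence rule: once subjectAltName is present the CN is not consulted.
openssl req -new -key "$WORK/srv.key" -config "$WORK/ca.cnf" \
  -subj "/CN=old-ldap.example.test" -out "$WORK/b.csr" 2>/dev/null
sed 's/^subjectAltName = .*/subjectAltName = DNS:ldap.example.test/' "$WORK/a.ext" > "$WORK/b.ext"
openssl x509 -req -days 2 -in "$WORK/b.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -extfile "$WORK/b.ext" -out "$WORK/b.pem" 2>/dev/null
SRV_B="$WORK/b.pem"

# check_identity CERT IDENTIFIER
# IDENTIFIER is the value the configuration file uses for the server. An IP
# literal is matched against SAN iPAddress entries; anything else against SAN
# dNSName entries, with the CN used only when the cert has no DNS SAN.
# -verify_depth 5 enforces the 5-tier chain limit from the requirements.
check_identity() {
  case "$2" in
    *:*)        mode=-verify_ip ;;        # IPv6 literal
    *[!0-9.]*)  mode=-verify_hostname ;;  # contains letters: a DNS name
    *)          mode=-verify_ip ;;        # dotted IPv4
  esac
  openssl verify -CAfile "$WORK/ca.pem" -verify_depth 5 "$mode" "$2" "$1" >/dev/null 2>&1
}

# list_extensions CERT: names of the X.509v3 extensions present, to compare
# against the supported-extension list in the requirements.
list_extensions() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *\(X509v3 [A-Za-z ]*\):.*/\1/p'
}

# Demonstration when run directly.
for id in ldap.example.test 192.0.2.10 192.0.2.11; do
  if check_identity "$SRV_A" "$id"; then echo "cert A accepts $id"; else echo "cert A rejects $id"; fi
done
for id in ldap.example.test old-ldap.example.test; do
  if check_identity "$SRV_B" "$id"; then echo "cert B accepts $id"; else echo "cert B rejects $id"; fi
done
list_extensions "$SRV_A"
```

Cert A is accepted for both `ldap.example.test` and `192.0.2.10` and rejected for `192.0.2.11`; cert B is accepted for `ldap.example.test` but rejected for its own Common Name `old-ldap.example.test`, because the SAN takes precedence. One divergence to keep in mind: OpenSSL's `-verify_ip` never consults the Common Name, whereas the guide allows the IP address in the Common Name when no DNS server is used; a certificate relying on that form passes the storage system's check but not this script. Against a live server, `openssl s_client -connect ldap.example.test:636 -tls1_2 -CAfile ca.pem -verify_hostname ldap.example.test` performs the same identity check while also confirming that the server accepts TLS 1.2 as the note above requires.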

One of the following encryption types must be used for the Kerberos server:

Windows
  • AES128-CTS-HMAC-SHA1-96
  • RC4-HMAC
  • DES3-CBC-SHA1
Note: Prefer AES128-CTS-HMAC-SHA1-96 where the KDC permits it. RC4-HMAC and DES3-CBC-SHA1 are deprecated for Kerberos by RFC 8429 and should be used only where the KDC offers nothing stronger.
CAUTION:
  • Two authentication servers (one primary and one secondary) can be connected to a storage system. When using a secondary server, configure it as follows:
    • Use the same settings for the secondary server as for the primary server, except for the IP address, host name, and port number.
    • The same certificate must be used for the primary server and the secondary server.
  • If you locate a server through SRV records registered in the DNS server, confirm that the following conditions are satisfied. SRV records cannot be used for RADIUS servers.
    LDAP server conditions:
    • The LDAP server is configured to use the DNS server.
    • The host name, port number, and domain name of the LDAP server are registered in the DNS server (an SRV record for a service in the domain carries the target host name and port).
    Kerberos server conditions:
    • The host name, port number, and domain name of the Kerberos server are registered in the DNS server.
  • Because the RADIUS server is accessed over UDP/IP, the communication is not encrypted and no encrypted session is negotiated: RADIUS itself only obfuscates the User-Password attribute with the shared secret, and all other attributes travel in the clear. To access the RADIUS server securely, packet-level encryption such as IPsec is required.