Setting up authentication and authorization with HDvM - SN or maintenance utility

System Administrator Guide for Virtual Storage Platform E Series

Version
93-07-0x
Audience
anonymous
Part Number
MK-97HM85028-18
The following figures show the Device Manager - Storage Navigator login workflow without and with an authentication server. The authentication server must be configured for each user.
Figure. Logging in without an authentication server

Figure. Logging in with an authentication server

The following figure shows the login workflow when an authentication server and an authorization server are used in combination. In this case, the user groups that are registered in the authorization server can be assigned to Device Manager - Storage Navigator users.

Figure. Logging in with an authentication server and an authorization server


About authentication servers:

  • If you register the information of the authentication server as an SRV record in the DNS server, you can use the authentication server without knowing its host name and port number. If you register multiple authentication servers in the SRV record, the authentication server to be used is determined by the priority that has been set in advance.
  • External authentication by the SVP functions for all storage systems registered in the Storage Device List. You cannot switch between use of external authentication by the SVP and use of external authentication by the maintenance utility for each storage system registered in the Storage Device List. As shown in the following table, where external authentication is set differs depending on the management model and the type of authentication server.
    Condition                                      Authentication  Setting of external     Setting of external
                                                   server          authentication by the   authentication by the SVP
                                                                   maintenance utility
    Management model in which the SVP is used      LDAP            Not available*          Available
                                                   Kerberos        Not available           Available
                                                   RADIUS          Not available           Available
    Management model in which the SVP is not used  LDAP            Available               Not available
                                                   Kerberos        Not available           Not available
                                                   RADIUS          Not available           Not available
    * When you use the management model in which the SVP is used, do not use the maintenance utility for external authentication settings.
Note:
  • To use an authentication server and authorization server, you need to configure network settings and connection settings to the authentication server and authorization server. For details about network settings, contact the network administrator. For details about the setting values for the connection, contact the administrator of the authentication server and authorization server.
  • If you change your storage system management from using the SVP to not using the SVP, disable external authentication by the maintenance utility, and then register the storage system in the Storage Device List of the SVP. For details, see Disabling external authentication by the maintenance utility.
  • If you change your storage system management from the management model in which the SVP is used to the management model in which the SVP is not used, delete the storage system from the Storage Device List of the SVP, and then set external authentication by the maintenance utility. For details about how to set external authentication by using the maintenance utility, see Setting up LDAP.
  • If the affiliated user group registered in the authorization server and the user group registered locally in the storage system are different, the user group in the storage system has higher priority.
  • You cannot create a load balancer between the SVP and the authentication server and between the SVP and the authorization server.
  • If you use Device Manager - Storage Navigator or the maintenance utility to create user accounts, you can choose external authentication as the authentication method, but the assignment (authorization) settings of user groups in HDvM - SN (or the maintenance utility) are applied. The assignment (authorization) settings of user groups on the authorization server are not applied.

    If you do not use Device Manager - Storage Navigator or the maintenance utility to create user accounts, assign (authorize) user groups on the authorization server. In this case, the user group names defined on the authorization server must be the same as the user group names defined on the storage system. For details about the built-in group names, see Built-in user groups.
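As an added illustration, not part of this guide or of the storage system's software, the following Python sketches two behaviours described above: choosing an authentication server from DNS SRV records by the priority and weight set in advance, and the rule that a user group registered locally in the storage system takes priority over the authorization server's assignment, with server-side groups applying only when their names also exist on the storage system. The SRV record values, host names and group names are constructed for the example.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvRecord:
    """One DNS SRV record (RFC 2782) for the authentication service."""
    priority: int  # lower values are tried first
    weight: int    # share of selections among records of equal priority
    port: int
    target: str

# Constructed records for a hypothetical zone, e.g. _ldap._tcp.example.local.
SRV_RECORDS = [
    SrvRecord(priority=10, weight=60, port=636, target="ldap1.example.local"),
    SrvRecord(priority=10, weight=40, port=636, target="ldap2.example.local"),
    SrvRecord(priority=20, weight=0, port=636, target="ldap-backup.example.local"),
]

def order_servers(records, rng=None):
    """Order records as a client should try them: ascending priority, and
    within one priority a weighted random pick (RFC 2782 selection)."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight)
        while pool:  # weight-0 entries sit first so they are chosen rarely
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(pool.pop(pool.index(r)))
                    break
    return ordered

# Constructed storage-system group names; the real built-in names are listed
# under Built-in user groups.
STORAGE_SYSTEM_GROUPS = {"Storage Administrator Group", "Security Administrator Group"}

def effective_groups(local_groups, server_groups):
    """Groups a user ends up with. Groups assigned locally in the storage
    system take priority; authorization-server groups apply only when
    their names also exist on the storage system."""
    if local_groups:
        return set(local_groups)
    return {g for g in server_groups if g in STORAGE_SYSTEM_GROUPS}
```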