HP 3PAR InForm OS Common Criteria Administrator's Reference (QL226-96586, October 2012)

Operating in Common Criteria Mode 14
By default, the HP 3PAR Storage System does not authenticate hosts. To authenticate the
identity of hosts, use iSCSI to interface to the hosts and use the Challenge-Handshake
Authentication Protocol (CHAP), or dual-CHAP, for host authentication (CHAP is not
supported for the FC interface). CHAP can be configured using the sethost CLI
command and the initchap, targetchap CLI subcommands (see the HP 3PAR InForm
OS Command Line Reference for details).
LDAP Server Configuration
The HP 3PAR Storage Server can be configured to communicate with an external LDAP
server for remote user authentication using either a secure or an insecure channel. To
conform to the CC standard, the HP 3PAR Storage Server must be configured to
communicate with the LDAP server using TLS. The HP 3PAR InForm OS CLI Administrator’s
Manual provides detailed information on establishing LDAP connections using Simple
Binding over SSL (see the sections “Active Directory LDAP Configurations with Simple Binding
Over SSL” or “OpenLDAP Configuration with Simple Binding Over SSL”). To conform to
the CC standard, the following setauthparam CLI command specifiers must have the
values indicated below:
ldap-port – Set to 636 (secure SSL) or any other site/implementation-defined port
that supports encryption (SSL).
ldap-ssl – Set to 1 to use SSL (the default value is 0).
ldap-reqcert – Set to 1 to indicate that a valid certificate is required to establish a
connection (the default value is 0).
ldap-ssl-cacert – Specify the path and file name of the file containing the CA
certificate bundle. This allows the InForm OS OpenLDAP client to validate the
certificate sent from the LDAP server.
ldap-StartTLS – This is site/implementation-defined and so it should be set for your
specific requirements (the default value is “no”).
allow-ssh-key – Keep the default value (0) so that an LDAP user is not able to use
a public key for SSH authentication when logging into the HP 3PAR Storage System.
Users that are authenticated using a public key for SSH authentication effectively become
a local user when logged in using the key, and an LDAP user when logged in
while the key is not available. The key associates them with their LDAP authentication
profile as it was at the time the key was installed, so no later update from the LDAP server
will be recognized. See the HP 3PAR InForm OS CLI Administrator’s Manual
(“Configuring LDAP Connections”) and the HP 3PAR InForm OS Command Line Interface
Reference (setsshkey, removesshkey) for additional details.
Related to the allow-ssh-key parameter configuration, it is important that
administrators do not create local and remote users with the same account name. Since
the HP 3PAR Storage System first checks whether the user exists locally, it will never
consult the LDAP server for a user name that has been found to exist locally.
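The following is an added audit script, not part of this manual or of the InForm OS CLI, that checks captured authentication-parameter output against the CC-mode values listed above. It assumes the output has been reduced to one "parameter value" pair per line (the constructed samples below use that layout; the real showauthparam output may need a different parser).

```shell
#!/bin/sh
# Constructed sample output (not captured from a real system) in the
# assumed "<parameter> <value>" layout: one non-compliant, one compliant.
CONSTRUCTED_NONCOMPLIANT='ldap-server 10.0.0.5
ldap-port 389
ldap-ssl 0
ldap-reqcert 0
ldap-ssl-cacert
allow-ssh-key 1'

CONSTRUCTED_COMPLIANT='ldap-server 10.0.0.5
ldap-port 636
ldap-ssl 1
ldap-reqcert 1
ldap-ssl-cacert /etc/ssl/ca-bundle.pem
allow-ssh-key 0'

# Print the value of one parameter from the captured output (empty if unset).
param_value() {
  printf '%s\n' "$1" | awk -v p="$2" '$1 == p { print $2; exit }'
}

# Audit captured output ($1) against the CC-mode requirements. $2 is the
# site-defined SSL port (defaults to 636). Prints one line per deviation and
# returns 1 if any was found, 0 otherwise. ldap-StartTLS is site-defined and
# therefore not checked here.
check_cc_authparams() {
  out=$1; want_port=${2:-636}; rc=0
  v=$(param_value "$out" ldap-port)
  [ "$v" = "$want_port" ] || { echo "ldap-port is '$v', expected $want_port"; rc=1; }
  v=$(param_value "$out" ldap-ssl)
  [ "$v" = 1 ] || { echo "ldap-ssl is '$v', expected 1 (SSL on)"; rc=1; }
  v=$(param_value "$out" ldap-reqcert)
  [ "$v" = 1 ] || { echo "ldap-reqcert is '$v', expected 1 (valid cert required)"; rc=1; }
  v=$(param_value "$out" ldap-ssl-cacert)
  [ -n "$v" ] || { echo "ldap-ssl-cacert is empty, expected a CA bundle path"; rc=1; }
  v=$(param_value "$out" allow-ssh-key)
  [ "$v" = 0 ] || { echo "allow-ssh-key is '$v', expected 0 (LDAP users may not use SSH keys)"; rc=1; }
  return $rc
}

# Stand-alone run: report on both samples.
for sample in "$CONSTRUCTED_NONCOMPLIANT" "$CONSTRUCTED_COMPLIANT"; do
  if check_cc_authparams "$sample"; then echo "compliant"; fi
done
```

On a live system, feed the script the captured output of showauthparam (after reducing it to parameter/value pairs) instead of the constructed samples.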