Configuring secure access to the data grid

Configure administrative access and collective settings so that authentication and authorization to the data grid are secure.

About this task

For optimal protection against security threats, complete the following steps. They help prevent external attacks and unauthorized data access by employees and contractors who might have access to the network segments over which appliances communicate with clients and with each other.
Attention: In the administrative console, when you specify collective settings for server-to-server communication and protection of data on the network, you can configure settings that control security. When you change these settings, you must restart the entire collective. To specify these settings, click Collective > Settings. For efficiency, make all the changes at one time, and then submit them, so that you restart the collective only once.

Procedure

  1. Secure administrative access.

    The appliance comes configured with an administrative user ID, xcadmin, and the default administrative password, xcadmin. This user ID and password grant full access to all of the administrative functions and data of the device and collective. You must configure a password for the xcadmin administrative user ID that is difficult to guess. To complete this action, in the web console, click Collective > Users. Select the Administrator user, and edit the password.

  2. Configure transport layer security (TLS).
  3. Configure server-to-server authentication.

    Data grid communication between appliances in a collective, and between linked appliance domains, is authenticated with a shared secret key. The appliance ships with a default secret key that is hard-coded into every appliance, so anyone who knows the factory default can authenticate to the collective. You must change the secret key to have a secure configuration. Select Override factory default authentication secret key to specify a unique secret key.

    The secret key must be a long passphrase that is difficult to guess. Record the secret key, and store it in a secure location. When collectives are joined in linked domains, each collective must be configured with the same secret key.

  4. Require authentication for all data grid requests.

    You can configure authentication for each client request to the data grid. By default, this authentication is not required. You can protect data grid access by securing individual grids; for a secure configuration, require authentication for all grid requests. When this setting is enabled, each client must be configured with a user ID and password that are recognized by the appliance collective or, in the case of LDAP authentication, registered in LDAP. Only the root administrator (the xcadmin user ID) can log in without LDAP authentication.

    After you complete steps 2-4, submit the changes to restart the collective. These settings are automatically propagated to appliances that are later assimilated into the collective. If you enabled FIPS, FIPS is enabled on each appliance before it is assimilated into the collective.

  5. Disable Telnet access.

    The default configuration for the appliance includes an active Telnet server. Telnet communication in the appliance does not support SSL, so administrative credentials and commands pass over the network in clear text. For a secure configuration, disable the Telnet server. To disable Telnet, establish an SSH session to the appliance with the administrator user ID and password, and issue the command platform service telnet disable. This is not a collective-wide setting, which means that you must run this command on each appliance. The command platform service telnet enable starts Telnet again if it has been disabled. This procedure is manual and cannot be automated.

  6. Configure LDAP authentication.
    Authentication for browser, REST, and data grid access to the appliance is done in one of two ways. You can store the authenticated identities in the appliance collective or in LDAP. You can use either method in a secure configuration.
    Tip: Authentication of the root administrator always uses a password that is verified by the collective and not by LDAP.
    When LDAP authentication is used, protect the LDAP connection with SSL so that passwords do not pass over the network unencrypted. To enable SSL for an LDAP connection, specify an LDAPS URL, such as ldaps://ldapserver.company.com:636. You must also configure the appliance truststore with a certificate that establishes trust with the LDAP server for SSL communication; without it, the appliance cannot verify the server it sends credentials to. For more information about configuring LDAP authentication, see Configuring your appliance to authenticate users with an LDAP directory.
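The checks in steps 1 through 6 can be reviewed as a single pre-submit audit before you restart the collective. The following script is an added example and is not appliance code or an appliance API: the settings dictionary shape, the field names, and the minimum length and entropy thresholds for the secret key are assumptions made for illustration. It flags the factory xcadmin password, the factory authentication secret key, a weak replacement secret, unauthenticated grid requests, an enabled Telnet server, and a plain ldap:// URL or missing truststore certificate, and it shows one way to generate a replacement secret key of adequate strength.

```python
"""Pre-submit audit of a proposed appliance collective security configuration.

Added example, not appliance code. The dictionary layout below is an assumption
for illustration; the real settings are entered in the administrative console.
"""
import math
import secrets
import string
from urllib.parse import urlsplit

DEFAULT_ADMIN_USER = "xcadmin"
DEFAULT_ADMIN_PASSWORD = "xcadmin"   # factory default named in the procedure
MIN_SECRET_LENGTH = 32               # assumed local policy threshold
MIN_SECRET_ENTROPY_BITS = 128        # assumed local policy threshold

CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def estimate_entropy_bits(passphrase: str) -> float:
    """Upper-bound entropy, assuming each character was drawn uniformly from the
    union of the character classes that appear in the passphrase. Crude, but it
    rejects short or single-class secrets such as the factory defaults."""
    pool = sum(len(c) for c in CHARACTER_CLASSES if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0


def generate_secret_key(length: int = 48) -> str:
    """Generate a replacement authentication secret key with a CSPRNG."""
    alphabet = "".join(CHARACTER_CLASSES)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit(settings: dict) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if settings.get("admin_password") == DEFAULT_ADMIN_PASSWORD:
        findings.append(f"{DEFAULT_ADMIN_USER} still uses the factory default password")
    if not settings.get("override_factory_secret_key"):
        findings.append("factory default authentication secret key is in use")
    else:
        key = settings.get("secret_key", "")
        if len(key) < MIN_SECRET_LENGTH or estimate_entropy_bits(key) < MIN_SECRET_ENTROPY_BITS:
            findings.append("authentication secret key is too short or too predictable")
    if not settings.get("require_auth_for_grid_requests"):
        findings.append("authentication is not required for data grid requests")
    if settings.get("telnet_enabled", True):
        findings.append("Telnet is enabled (no SSL); run 'platform service telnet disable' on each appliance")
    ldap_url = settings.get("ldap_url")
    if ldap_url:
        if urlsplit(ldap_url).scheme.lower() != "ldaps":
            findings.append(f"LDAP URL {ldap_url!r} is not ldaps://; passwords would cross the network unencrypted")
        if not settings.get("ldap_ca_in_truststore"):
            findings.append("LDAP server certificate is not in the appliance truststore")
    return findings


# Constructed sample configurations (not taken from a real appliance).
FACTORY_DEFAULTS = {
    "admin_password": "xcadmin",
    "override_factory_secret_key": False,
    "require_auth_for_grid_requests": False,
    "telnet_enabled": True,
    "ldap_url": None,
}

HARDENED = {
    "admin_password": "Lz8#qV2!collective-admin-2024",
    "override_factory_secret_key": True,
    "secret_key": "collective-2-shared-Secret!-7Hx9-rotate-on-admin-change",
    "require_auth_for_grid_requests": True,
    "telnet_enabled": False,
    "ldap_url": "ldaps://ldapserver.company.com:636",
    "ldap_ca_in_truststore": True,
}

if __name__ == "__main__":
    for name, cfg in (("factory defaults", FACTORY_DEFAULTS), ("hardened", HARDENED)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
    print("candidate secret key:", generate_secret_key())
```

Run the audit against the settings you intend to submit, fix every finding, and only then submit so that the collective restarts once. The entropy estimate is an upper bound: a dictionary phrase in four character classes scores well here but is still guessable, so treat the generator output, not a hand-chosen phrase, as the baseline for the secret key.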