Configure administrative access and specify settings for
your appliance collectives to configure secure authentication and
authorization to the data grid.
About this task
For optimal protection against security threats, complete
the following steps to help prevent external threats and unauthorized
data access by employees and contractors who might have access to
network segments where appliances communicate between clients and
servers.
Attention: In the administrative console, when
you specify collective settings for server-to-server communication
and protection of data on the network, you can configure settings
that control security. When you change these settings, you must restart
the entire collective. To specify these settings, click . For efficiency, make all the changes at one time,
and then submit them, so that you restart the collective only once.
- Secure administrative access.
The appliance
comes configured with an administrative user ID, xcadmin,
and the default administrative password, xcadmin.
This user ID and password grant full access to all of the administrative
functions and data of the device and collective. You must configure
a password for the xcadmin administrative user
ID that is difficult to guess. To complete this action, in the web
console, click . Select the Administrator user,
and edit the password.
- Configure transport layer
security (TLS).
- Configure server-to-server authentication.
Data
grid communication between appliances in a collective and between
linked appliance domains is authenticated using a shared secret key.
The appliance is already configured with a default secret key that
is hard-coded into each appliance. You must change the secret key
to have a secure configuration. Select Override factory
default authentication secret key to specify a unique
secret key.
The secret key must be a long passphrase that is
difficult to guess. Record the secret key, and store it in a secure
location. When collectives are joined in linked domains, each collective
must be configured with the same secret key.
- Require authentication for all data grid requests.
You can configure authentication for each client request
to the data grid. By default, this authentication is not required.
However, you can provide protection for data grid access by securing
individual grids, and for a secure configuration, require authentication
for all grid requests. When this is set, each client must be configured
with a user ID and password that are recognized by the appliance collective,
or in the case of LDAP authentication, the user ID and password must
be registered in LDAP. Only the root administrator (the xcadmin user
ID) can log in without LDAP authentication.
After you complete
steps 2-4, submit the changes to restart the collective. These settings
are automatically propagated to appliances that are to be assimilated
into the collective. If you enabled FIPS, FIPS is enabled on
each appliance before it is assimilated into the collective.
- Disable Telnet access.
The default configuration
for the appliance includes an active Telnet server. Telnet communication
in the appliance does not support SSL. For a secure configuration,
disable the Telnet server. To disable Telnet, establish an SSH session
to the appliance using the administrator user ID and password, and
issue the command, platform service telnet disable.
This is not a collective-wide setting, which means that you must
run this command on each appliance. The command, platform
service telnet enable, starts Telnet if it has been disabled.
This procedure is manual and cannot be automated.
- Configure LDAP authentication.
Authentication
for browser, REST, and data grid access to the appliance is done in
one of two ways. You can store the authenticated identities in the
appliance collective or in LDAP. You can use either method in a secure
configuration.
Tip: Authentication of the root administrator
always uses a password that is verified by the collective and not
by LDAP.
When LDAP authentication is used, protect the LDAP
connection with SSL so that passwords do not pass over the network
unencrypted. To enable SSL for an LDAP connection, specify an
LDAPS URL,
such as
ldaps://ldapserver.company.com:636. You must also
configure the appliance truststore with a certificate to
establish trust with the LDAP server for SSL communication. For more
information about configuring LDAP authentication, see
Configuring your appliance to authenticate users with an LDAP directory.
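The following audit script is an added example, not IBM code or an appliance API: it checks a collective configuration, represented as a plain dictionary with assumed field names, against the hardening steps above (factory password, overridden secret key, authentication for all grid requests, Telnet disabled per appliance, LDAPS with a trusted certificate). The sample configurations are constructed; the 20-character passphrase threshold is an assumption.

```python
"""Audit a collective configuration against the hardening steps on this page."""
from urllib.parse import urlparse

FACTORY_ADMIN_PASSWORD = "xcadmin"   # default administrative password documented above
MIN_SECRET_LEN = 20                  # assumed threshold for a "long passphrase"


def audit_collective(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if cfg.get("xcadmin_password") == FACTORY_ADMIN_PASSWORD:
        findings.append("xcadmin still uses the factory default password")
    if not cfg.get("override_secret_key"):
        findings.append("factory default authentication secret key is still in use")
    elif len(cfg.get("secret_key", "")) < MIN_SECRET_LEN:
        findings.append("authentication secret key is shorter than %d characters" % MIN_SECRET_LEN)
    if not cfg.get("require_grid_auth"):
        findings.append("authentication is not required for all data grid requests")
    # Telnet is not a collective-wide setting, so every appliance is checked individually.
    for name, appliance in cfg.get("appliances", {}).items():
        if appliance.get("telnet_enabled"):
            findings.append("Telnet server is enabled on appliance %s" % name)
    ldap_url = cfg.get("ldap_url")
    if ldap_url:
        if urlparse(ldap_url).scheme != "ldaps":
            findings.append("LDAP URL %s is not ldaps://; passwords would cross the network unencrypted" % ldap_url)
        elif not cfg.get("ldap_ca_in_truststore"):
            findings.append("no LDAP server certificate in the appliance truststore")
    return findings


# Constructed sample: the factory defaults as shipped, beside a hardened collective.
FACTORY_CONFIG = {
    "xcadmin_password": "xcadmin",
    "override_secret_key": False,
    "require_grid_auth": False,
    "appliances": {"xc10-a": {"telnet_enabled": True}, "xc10-b": {"telnet_enabled": True}},
    "ldap_url": "ldap://ldapserver.company.com:389",
}
HARDENED_CONFIG = {
    "xcadmin_password": "<strong-unique-password-placeholder>",
    "override_secret_key": True,
    "secret_key": "example-long-passphrase-for-the-collective-only",
    "require_grid_auth": True,
    "appliances": {"xc10-a": {"telnet_enabled": False}, "xc10-b": {"telnet_enabled": False}},
    "ldap_url": "ldaps://ldapserver.company.com:636",
    "ldap_ca_in_truststore": True,
}

if __name__ == "__main__":
    for label, cfg in (("factory", FACTORY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_collective(cfg) or "OK")
```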