Dell PowerStore 500T EMC PowerStore Security Configuration Guide - Page 6
1 Authentication and access

This chapter contains the following information:

Topics:
• Hardware root of trust
• Authenticating and Managing User Accounts, Roles, and Privileges
• Certificates
• Secure communication between PowerStore appliances within a cluster
• Secure communication for replication and data import
• vSphere Storage API for Storage Awareness support
• CHAP authentication
• Configuring CHAP
• External SSH access
• Configuring external SSH access
• NFS secure
• Security on file system objects
• File systems access in a multiprotocol environment
• Understanding Common AntiVirus Agent (CAVA)
• Code signing

Hardware root of trust

The PowerStore hardware provides the following security features for firmware images and the operating system, through the Secure Boot and x86 Secure Boot technologies supplied by the enclosure management software on the system:
● An immutable hardware root of trust that authenticates the boot loader and firmware.
● A verified and measured boot.
● Authentication of firmware images and the operating system boot loader at boot time.
● Digitally signed firmware upgrades, so that the root of trust authenticates every signed upgrade firmware image.

Authenticating and Managing User Accounts, Roles, and Privileges

Authentication for access to the cluster is performed based on the credentials of a user account, either local or LDAP. User accounts are created and subsequently managed from the Users page, which is accessible in PowerStore Manager through Settings > Users > Users. The authorizations that apply depend on the role associated with the user account. When the user enters the network address of the cluster as the URL in a web browser, the user is presented with a login page from which the user can authenticate either as a local user or through an LDAP directory server.
The credentials that the user provides are authenticated and a session is created on the system. Subsequently, the user can monitor and manage the cluster within the capabilities of the role assigned to the user. The cluster authenticates its users by validating user names and passwords through a secure connection with the management server.

NOTE: When a user attempts to perform an action in PowerStore Manager for which they are not authorized, a notification appears stating that the action is not authorized.

The Lightweight Directory Access Protocol (LDAP) is an application protocol for querying directory services running on TCP/IP networks. LDAP provides central management of authentication, and of the identity and group information that the cluster uses for authorization. Integrating the system into an existing LDAP environment provides a way to control user and user group access to the system through PowerStore Manager, the RESTful API, or the CLI.
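The login flow this section describes (authenticate a local or LDAP user, create a session, then allow or refuse each action according to the session's role) as an added worked example. This is illustrative code written for this page, not PowerStore's implementation or its API: the role names, the permitted actions per role, the group-to-role mapping and the in-memory directory stub are all assumptions, and a real deployment binds to the directory server over a TLS-protected connection instead of the stub. The example also covers two failure modes the text implies: a directory user who authenticates but belongs to no mapped group is refused a session (deny by default), and an authenticated session is still refused any action its role does not include.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical role -> permitted actions table; role names and actions are
# assumptions for this example, not the product's actual role definitions.
ROLE_PERMISSIONS: Dict[str, set] = {
    "Administrator": {"view", "modify_storage", "manage_users"},
    "Storage Administrator": {"view", "modify_storage"},
    "Operator": {"view"},
}

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored beside the digest."""
    salt = secrets.token_bytes(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Session:
    token: str
    role: str
    expires_at: float

class ClusterAuth:
    def __init__(self, ldap_bind: Callable[[str, str], Optional[List[str]]],
                 ldap_group_roles: Dict[str, str], session_ttl: int = 900):
        self._local: Dict[str, tuple] = {}         # name -> (salt, digest, role)
        self._ldap_bind = ldap_bind                # (user, password) -> group DNs or None
        self._ldap_group_roles = ldap_group_roles  # group DN -> role, most privileged first
        self._sessions: Dict[str, Session] = {}
        self._ttl = session_ttl
        # Dummy credential so a login for an unknown name costs the same as a real one.
        self._dummy = hash_password(secrets.token_hex(8))

    def add_local_user(self, name: str, password: str, role: str) -> None:
        ROLE_PERMISSIONS[role]  # KeyError for a role the system does not define
        salt, digest = hash_password(password)
        self._local[name] = (salt, digest, role)

    def _authenticate_local(self, name: str, password: str) -> Optional[str]:
        salt, digest, role = self._local.get(name, (*self._dummy, None))
        _, candidate = hash_password(password, salt)
        # Constant-time compare; an unknown name carries role None and fails anyway.
        return role if hmac.compare_digest(candidate, digest) else None

    def _authenticate_ldap(self, name: str, password: str) -> Optional[str]:
        groups = self._ldap_bind(name, password) or []  # None on a failed bind
        # Deny by default: a failed bind and a valid user in no mapped group both yield no role.
        return next((r for g, r in self._ldap_group_roles.items() if g in groups), None)

    def login(self, name: str, password: str, source: str = "local") -> Optional[Session]:
        check = self._authenticate_ldap if source == "ldap" else self._authenticate_local
        role = check(name, password)
        if role is None:
            return None
        session = Session(secrets.token_urlsafe(32), role, time.time() + self._ttl)
        self._sessions[session.token] = session
        return session

    def authorize(self, token: str, action: str) -> Tuple[bool, str]:
        session = self._sessions.get(token)
        if session is None or session.expires_at < time.time():
            self._sessions.pop(token, None)
            return False, "Session is not valid; log in again."
        if action not in ROLE_PERMISSIONS[session.role]:
            return False, f"Action '{action}' is not authorized for role {session.role}."
        return True, "OK"

# Constructed stand-in for a directory server's simple bind: returns the user's
# group DNs on success and None on bad credentials. Entries are made up.
_FAKE_DIRECTORY = {
    "alice": ("alice-pw", ["cn=storage-admins,ou=groups,dc=example,dc=com"]),
    "bob": ("bob-pw", ["cn=staff,ou=groups,dc=example,dc=com"]),
}

def fake_ldap_bind(username: str, password: str) -> Optional[List[str]]:
    entry = _FAKE_DIRECTORY.get(username)
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        return None
    return entry[1]

def demo() -> dict:
    auth = ClusterAuth(fake_ldap_bind, {
        "cn=storage-admins,ou=groups,dc=example,dc=com": "Storage Administrator",
        "cn=viewers,ou=groups,dc=example,dc=com": "Operator",
    })
    auth.add_local_user("admin", "correct horse battery staple", "Administrator")
    alice = auth.login("alice", "alice-pw", source="ldap")
    return {
        "local_ok": auth.login("admin", "correct horse battery staple") is not None,
        "unknown_user": auth.login("nobody", "x") is None,
        "ldap_role": alice.role,                                   # Storage Administrator
        "ldap_unmapped": auth.login("bob", "bob-pw", source="ldap") is None,
        "alice_manage_users": auth.authorize(alice.token, "manage_users")[0],  # False
        "alice_view": auth.authorize(alice.token, "view")[0],                  # True
        "bogus_token": auth.authorize("no-such-token", "view")[0],             # False
    }
```

Two design points carry over to any real deployment: the group-to-role mapping is ordered so that a user in several mapped groups receives the first (most privileged) match deliberately rather than by accident of directory order, and authorization is evaluated per action against the session's role, which is what produces the "not authorized" notification the NOTE above describes.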