IBM FlashSystem

  • 1.  Disable http access

    Posted Tue October 07, 2025 04:30 PM

    Hi everyone,

    I need to disable http access (maintaining https access) to all my FlashSystem storage, but I haven't found any command to do this.

    Is there someone who has already done that?

    Thanks



    ------------------------------
    Massimo Favretto
    ------------------------------


  • 2.  RE: Disable http access

    Posted Wed October 08, 2025 01:38 AM

    Hello Massimo,

    Which FlashSystem do you have and which Virtualize versions are installed on it?

    This is usually controlled using the chsecurity command or under Settings -> Security -> Security Protocol Levels. Here you can configure the required SSL level, whereby the default level corresponds to compatibility mode.

    The newer the Virtualize version, the more options are available for the requirements.

    https://www.ibm.com/docs/en/flashsystem-7x00/8.5.0?topic=commands-chsecurity

    https://www.ibm.com/docs/en/flashsystem-7x00/8.7.0?topic=commands-chsecurity

    I hope this helps.



    ------------------------------
    Patrik Groß
    Solution Sales Architect
    CANCOM GmbH
    Cologne
    +491722469041
    ------------------------------



  • 3.  RE: Disable http access

    Posted Wed October 08, 2025 09:30 AM

    Hello Patrik,

    My firmware version is 8.5.0.5, but in Settings -> Security I don't have Security Protocol Levels but Secure Communications.

    I read the chsecurity command guide but I don't understand how to disable only http access to the web gui.

    Thanks in advance for help.

     



    ------------------------------
    Massimo Favretto
    ------------------------------



  • 4.  RE: Disable http access

    Posted Wed October 08, 2025 12:00 PM

    If it helps, the GUI doesn't actually use HTTP connections; all traffic is actually handled using https. You'll notice this in your browser: even when you use http, you will be forwarded to an https address.

    Please note that the system will default to a certificate you will need to trust or you will need to install a trusted signed certificate on the cluster in order to get most browsers to be happy with the GUI.

    You can find out more from our Security white paper here: https://www.redbooks.ibm.com/redpapers/pdfs/redp5716.pdf 

    The Proxy support is an http (which tunnels a TLS connection), but other than that everything else is https.



    ------------------------------
    Evelyn Perez
    IBM Senior Technical Staff Member
    IBM Storage Virtualize Software Architect for SVC and FlashSystem
    ------------------------------



  • 5.  RE: Disable http access

    Posted Wed October 08, 2025 06:02 PM

    Hello Massimo

    You can use this command, the full chapter is in the following redbook

    IBM Storage Virtualize, IBM Storage FlashSystem, and IBM SAN Volume Controller Security Feature Checklist - For IBM Storage Virtualize 8.6

    https://www.redbooks.ibm.com/redpapers/pdfs/redp5716.pdf

    Login interfaces

    The system provides a CLI, GUI, and a REST application programming interface (API), all of which authenticate users and allow them to administer the system. All interfaces implement data in-flight encryption to secure the login and all subsequent interactions with the system.

    Command line interface

    Users log in to the CLI by using an SSH client terminal window. Logging in to the system by using a terminal places the user in a highly restricted shell. For example, the user cannot run a change directory command and can run only the commands that are designated by IBM as required to administer the system.

    Consider the following points:
      • This login interface can be disabled on a per-user group basis.
      • This login interface cannot be disabled for the superuser.

    For more information, see the following IBM Documentation web pages:
      • UNIX commands available in interactive SSH sessions
      • Command-line interface
      • Changing user groups

    Graphical user interface

    Users log in to the GUI by using a Hypertext Transfer Protocol Secure (HTTPS) connection from Transport Layer Security by using a supported web browser.

    You can install certificates signed by a certificate authority (CA) with the suitable certificate chain. The system supports the following system certificate key types:
      • RSA 2048-bit
      • ECDSA 384-bit
      • ECDSA 521-bit

    The system presents the installed system certificate and chain to web browsers when they connect to the system.

    This login interface can be disabled on a per user group basis.

    By default, the superuser is exempt from disabling this interface. To disable this interface for the superuser, run the chsecurity -disablesuperusergui yes command.

    I hope this is helpful.
     
    Best regards.


    ------------------------------
    Jesus Mora
    ------------------------------



  • 6.  RE: Disable http access

    Posted Thu October 09, 2025 12:22 AM

    Howdy,
    Already in this port list for Virtualize 8.5 (the oldest supported release as of today, GA 03/2022), port 80 is listed as being forwarded to https transport: Security levels and supported security ciphers - IBM Documentation

    Out of four available security levels to choose from, even the weakest did not support TLS1.1 or lower.

    Regards,

    Ilja



    ------------------------------
    Ilja Donnellan
    ------------------------------



  • 7.  RE: Disable http access

    Posted Fri October 10, 2025 02:28 AM

    Hi all,

    As I understand it, there is a proxy server that redirects http calls on port 80 to an https address.

    So the next question is whether it is possible to disable this proxy service.

    Thanks



    ------------------------------
    Massimo Favretto
    ------------------------------



  • 8.  RE: Disable http access

    Posted Fri October 10, 2025 03:20 AM

    Hi,

    The following table does not even mention the HTTP 80 port.
    https://www.ibm.com/docs/en/flashsystem-7x00/8.5.0?topic=pip-ip-address-allocation-usage

    I assume that this redirection is not a configurable option for the administrator.

    Regards,



    ------------------------------
    Istvan Buda
    ------------------------------



  • 9.  RE: Disable http access

    Posted Fri October 10, 2025 06:07 AM

    It's not a proxy server; it is an internal rules definition.  This is not configurable; given that we are always using https, this is generally enough for security auditors.

    Hope that helps.



    ------------------------------
    Evelyn Perez
    IBM Senior Technical Staff Member
    IBM Storage Virtualize Software Architect for SVC and FlashSystem
    ------------------------------
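
To give an auditor evidence of the behaviour this thread describes (port 80 answers only with a redirect to https and serves no content in cleartext), the check below sends one plain-HTTP request without following the redirect and classifies the reply. It is an added example, not part of any post above and not IBM code; the function names and verdict strings are assumptions chosen here, and the addresses to check are supplied on the command line.

```python
import http.client
import sys
from urllib.parse import urlsplit


def classify_http_listener(host, port=80, path="/", timeout=5.0):
    """Send one plain-HTTP GET, without following redirects, and classify the reply.

    Returns (verdict, detail); verdict is one of:
      "unreachable"     no TCP connection or no reply (closed, filtered, timed out)
      "not-http"        something answered, but not with a valid HTTP response
      "redirect-https"  3xx whose Location is an absolute https:// URL
      "redirect-other"  3xx to anything else (relative or http:// target)
      "serves-content"  any non-3xx status: the listener answers in cleartext
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        status = resp.status
        location = resp.getheader("Location") or ""
    except OSError as exc:                      # refused, timeout, reset, DNS
        return "unreachable", str(exc)
    except http.client.HTTPException as exc:
        return "not-http", repr(exc)
    finally:
        conn.close()
    if 300 <= status < 400:
        if urlsplit(location).scheme.lower() == "https":
            return "redirect-https", f"{status} -> {location}"
        return "redirect-other", f"{status} -> {location or '(no Location header)'}"
    return "serves-content", f"HTTP {status}"


def audit(hosts, port=80):
    """Return {host: (verdict, detail)} for each management address given."""
    return {h: classify_http_listener(h, port) for h in hosts}


if __name__ == "__main__":
    # Usage: python3 check_port80.py <mgmt-address> [<mgmt-address> ...]
    results = audit(sys.argv[1:])
    for host, (verdict, detail) in results.items():
        print(f"{host}: {verdict} ({detail})")
    # Exit non-zero if any listener does more than redirect to https.
    ok = {"redirect-https", "unreachable"}
    sys.exit(0 if all(v in ok for v, _ in results.values()) else 1)
```

A `redirect-other` or `serves-content` verdict is the finding to follow up on; `redirect-https` matches what the replies above describe.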