Authors: @Harishkumar Bhokare @Mahendra Takwale @Kalyani Kulkarni
Introduction
IBM® Storage FlashSystem offers block storage virtualization. It helps organizations address multiple use cases, maintain business continuity and safeguard their data throughout its lifecycle, which makes IBM® Storage FlashSystem an integral part of data centers. As a responsible storage solution, security is one of the most critical features IBM® Storage FlashSystem offers. In this blog, we discuss one of its authentication models built on a zero trust approach, multifactor authentication (MFA). MFA adds a further layer of authentication to protect access for both local users, including superuser, and remote users.
Multifactor authentication requires system users to provide multiple pieces of evidence during authentication to prove their identity. IBM® Storage FlashSystem integrates with IBM® Security Verify to provide multifactor authentication for system users. With IBM® Security Verify, security administrators can configure the system as an application that requires two factors for users and user groups to access the system through either the management Graphical User Interface (GUI) or the Command Line Interface (CLI). IBM® Security Verify configures the management GUI and the command-line interface as separate API clients that require separate credentials. For GUI-based logins, the system communicates with IBM® Security Verify through the OpenID Connect (OIDC) protocol. MFA is enabled “natively”: IBM® Storage FlashSystem handles first-factor authentication itself and delegates second-factor authentication to the MFA provider.
Local user with multifactor authentication:
The first factor is verified by IBM® Storage FlashSystem against the user's credentials. The second factor is verified by the MFA provider (IBM® Security Verify).
Remote user with multifactor authentication:
The first factor is verified by LDAP authentication. The second factor is verified by the MFA provider (IBM® Security Verify).
IBM® Storage FlashSystem MFA with IBM® Security Verify
IBM® Storage FlashSystem MFA integrates closely with IBM® Security Verify and provides a strong authentication mechanism. Let’s discuss how to configure end-to-end MFA for IBM® Storage FlashSystem with IBM® Security Verify.
IBM® Security Verify Configuration
We first need to go to the Applications section in the IBM® Security Verify left side panel and select “Add application”.
The “Add application” button opens a pop-up screen with a search bar. To find the application, type “storage virtualize” in the search bar, which returns a match for “IBM Storage Virtualize”. Then click “Add Application”.
Note: Each system must be added as a separate application.
On the IBM Storage Virtualize application form, we have the general tab, where we need to specify Name, Description and Company name.
We can then move to the next configuration tab, called “Sign-on”. Detailed configuration instructions are listed on the right side panel. The following table explains the significance of the various fields in the Sign-on tab.
Field | Action | Details
Application URL | Enter the URL for your system. | Enter the URL that is used to access the management GUI.
Grant type | Select Authorization code and JWT bearer. | Two grant types are required for setting up MFA for the system. Authorization code indicates that the client can request access to protected resources on behalf of users.
Client ID | This value is automatically generated when the system is saved as an application. | This value must be entered on the Multifactor authentication page in the management GUI under OpenID Credentials.
Client secret | This value is automatically generated when the system is saved as an application. | This value must be entered on the Multifactor authentication page in the management GUI under OpenID Credentials.
User consent | Select Do not ask for consent. | Enter the URL that is used to access the management GUI.
Redirect URIs | Enter the locations where the authorization server sends users after they are successfully authorized and granted an authorization code or access token. | Multiple redirect URIs can be specified for both the management GUI and the service assistant GUI. For management GUI access, the redirect URI is comprised of the management IP address or hostname followed by /mfa. For the service assistant interface, the redirect URI is comprised of the hostname or IP address for the system followed by /service/mfa. For example: https://hostname.com/mfa and https://hostname/service/mfa
JWT bearer user identification | Select Username. | Indicates that the username field in the JWT bearer is used to find users in the Cloud Directory and determines what second factors IBM Security Verify presents to users when they log in to the system.
JWT bearer default identity source | Ensure Cloud Directory is selected. | Indicates that the IBM Security Verify Cloud Directory is used to look up the second factor for the username. After you configure multifactor authentication on the system, users and user groups must be added to the Cloud Directory.
Ensure that the “Generate refresh token” option is unchecked.
Ensure that the “Send all known user attributes in the ID token” option is checked.
For access policies, complete these steps:
- Deselect Use default policy
- Click the Edit icon
- Select Always require 2FA in all devices
- Click OK
This action creates an access policy which controls the authentication steps for system access. Access policies can specify different authentication requirements based on properties of the user or connection. In this case, all users must complete a second factor authentication every time they access the system from all devices.
Ensure that the “Restrict custom scopes” option is unchecked.
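As an added example (not part of the original post and not IBM Security Verify's own API or export format), the following Python audits a Sign-on form, represented as a constructed dict, against the settings prescribed above and checks that every configured redirect URI belongs to the system's own management hosts. The key names and hostnames are this example's assumptions.

```python
"""Audit a Verify Sign-on form for a Storage FlashSystem MFA application
against the settings this post prescribes. The dict layout is a constructed
representation of the form, not Verify's export format; hosts are placeholders."""

# Values the post requires on the Sign-on tab (keys are this example's own).
REQUIRED = {
    "grant_types": {"authorization_code", "jwt_bearer"},
    "user_consent": "do_not_ask",
    "jwt_bearer_user_identification": "username",
    "jwt_bearer_default_identity_source": "cloud_directory",
    "generate_refresh_token": False,
    "send_all_known_user_attributes": True,
    "access_policy": "always_require_2fa_all_devices",
    "restrict_custom_scopes": False,
}

def redirect_uris_for(hosts):
    """Derive redirect URIs from the management hostnames/IPs: <host>/mfa is
    required for the GUI, <host>/service/mfa is allowed for service assistant."""
    required = {f"https://{h}/mfa" for h in hosts}
    allowed = required | {f"https://{h}/service/mfa" for h in hosts}
    return required, allowed

def audit_signon(app, hosts):
    """Return a list of findings; an empty list means the form matches."""
    findings = []
    for key, want in REQUIRED.items():
        got = app.get(key)
        if isinstance(want, set):
            got = set(got or [])  # grant types are order-independent
        if got != want:
            findings.append(f"{key}: want {want!r}, got {got!r}")
    required, allowed = redirect_uris_for(hosts)
    configured = set(app.get("redirect_uris", []))
    for uri in sorted(configured - allowed):
        # A redirect URI outside the system's own hosts would send the
        # authorization code somewhere the system never asked for.
        findings.append(f"unexpected redirect URI: {uri}")
    for uri in sorted(required - configured):
        findings.append(f"missing redirect URI: {uri}")
    return findings

# Constructed sample: a compliant form except that refresh tokens were left
# enabled and one redirect URI points at a host that is not the system.
SAMPLE_APP = {k: (sorted(v) if isinstance(v, set) else v)
              for k, v in REQUIRED.items()}
SAMPLE_APP.update(generate_refresh_token=True,
                  redirect_uris=["https://flash01.example.com/mfa",
                                 "https://other.example.com/mfa"])
```

Running `audit_signon(SAMPLE_APP, ["flash01.example.com"])` reports the refresh-token deviation and the stray redirect URI; a form that matches the table returns an empty list.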
We can then move to the next configuration tab, called “API access”.
The API access tab is used to add the command-line interface as an API-based client and to create credentials for multifactor authentication access for CLI users. To add the command-line interface as a separate API client, click Add API client and give it a name that identifies the command-line interface as the API client.
Select the APIs to which you want to grant access:
Ensure that all APIs are selected by moving the toggle to display On.
Click Save. After the system is saved as a new application, the Custom Application reloads with the Entitlements tab selected. On the Entitlements tab, select Automatic access for all users and groups.
Click Save. Select Applications and select the application name that represents the system. On the Sign-on tab, copy the Client ID and the Client secret. These values must be specified as the OpenID credentials on the Multifactor authentication page in the management GUI. On the API access tab, click the edit icon and copy the Client ID and the Client secret. These values must be specified as the API Client credentials on the Multifactor authentication page in the management GUI.
IBM® Storage FlashSystem MFA Configuration
Log in using superuser credentials.
Select Settings > Security > Multifactor Authentication.
Select IBM Security Verify.
Enter the host name and port of the authentication server. For IBM® Security Verify, enter the following:
tenant.verify.ibm.com
Here, tenant is the name associated with your subscription. Port 443 is the default for the authentication server.
For the OpenID Credentials, add the Client ID and Client Secret that you copied from the Sign-on tab in the IBM® Security Verify interface.
For the API Client Credentials, add the Client ID and Client Secret that you copied from the API access tab in the IBM® Security Verify interface.
On the Multifactor Authentication page, click Export Certificate to export the system certificate to your device. Copy the system ID alias that displays. This value must be used as the friendly name of the certificate in IBM® Security Verify.
In IBM® Security Verify, perform the following steps:
Select Security > Certificates. Under Signer certificates, select Add signer certificate.
On the Add signer certificate page, select Add file and navigate to where you exported the certificate on your device. In the Friendly name field, copy the system ID alias that displays on the Multifactor Authentication page in the management GUI.
Click OK.
Screenshots of IBM® Security Verify for adding the signer certificate:
Return to the Multifactor Authentication page in the management GUI and click Save. On the confirmation page, click Confirm to enable multifactor authentication for the system.
Now, configure users and groups in IBM® Storage FlashSystem GUI.
Note that the “admin” user group is created in IBM® Security Verify as well, and that the “demomfauser” user is a member of the “admin” user group in IBM® Security Verify as well.
Note: “admin” and “demomfauser” are used for reference purposes only.
In IBM® Security Verify, go to Directory -> Users & Groups. Make sure the user and group match the user and group in IBM® Storage FlashSystem:
Multifactor authentication is now enabled for the system!
Once you click “Sign In”, the system performs first-factor authentication. If the password is correct, the user is taken to IBM® Security Verify for second-factor authentication. Acknowledge the MFA requirement.
If the second factor is correct, the user is logged in to the IBM® Storage FlashSystem GUI.
Summary:
In a nutshell, IBM® Storage FlashSystem multifactor authentication with IBM® Security Verify protects access for both local users, including superuser, and remote users. As of this writing, native multifactor authentication requires the IBM® Security Verify cloud-based software as the authentication service, which can be configured to enforce a wide range of other authentication options.
References:
For any queries, feel free to contact:
Pankaj Deshpande: pankaj.deshpande@in.ibm.com
Harishkumar Bhokare: harishkumar.bhokare1@ibm.com
Mahendra Takwale: mahendra.takwale@ibm.com
Pradip Waykos: pradip_waykos@in.ibm.com