Configuring remote authentication service with IBM Security Services using the CLI

You can use the command-line interface (CLI) to configure the system to allow users of Lenovo Storage V7000 management applications, such as Spectrum Control, to authenticate to the clustered system by using IBM Security Services.

To configure the system to allow users to authenticate to it by using IBM Security Services (referred to as TIP in the CLI), follow these steps:

  1. Configure the system with the location of the remote authentication server.
    Issue the chauthservice command to change system settings, and issue the lssystem command to view system settings.
    Remember: You can use either an http or https connection to the server. If you use http, the user, password, and SSH key information is transmitted as clear text over the IP network.
  2. Configure user groups (with roles) on the system by matching those that are used by the authentication service.
    For each group of interest that is known to the authentication service, a Lenovo Storage V7000 user group must be created with the same name and with the remote setting enabled. If members of a group that is called sysadmins, for example, require the Lenovo Storage V7000 Administrator (Administrator) role, issue the following command:
    mkusergrp -name sysadmins -remote -role Administrator

    If none of the groups for a user match any of the Lenovo Storage V7000 user groups, the user cannot access the system.

  3. Configure users who do not require Secure Shell (SSH) access.
    Lenovo Storage V7000 users who use the remote authentication service and do not require SSH access should be deleted from the system.
    Remember: A superuser password authority cannot be deleted from the system, and a person who uses the superuser ID cannot use the remote authentication service.
  4. Configure users who require SSH access.
    All Lenovo Storage V7000 users who use the remote authentication service and require SSH access must have the remote setting enabled, and must have the same password and an SSH key set both on the system and on the authentication service.
  5. Configure the system time.
    The current time of both the Lenovo Storage V7000 clustered system and the system that is running the remote authentication service must match.
    Important: Use the same Network Time Protocol (NTP) server for both systems.
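
The following check for steps 1 and 2 is an added example, not part of the original procedure or of the product documentation. It assumes that lssystem and lsusergrp were run with a colon delimiter (-delim :), that lssystem reports the fields auth_service_enabled, auth_service_url and auth_service_type, and that lsusergrp lists the columns id, name, role and remote; confirm these against your code level. The sample output is constructed.

```shell
# Added example: audit steps 1 and 2 from saved CLI output.
# Assumed: output was produced with "-delim :" and uses these field names.
# The two samples are constructed, not captured from a real system.
sample_lssystem() {
cat <<'EOF'
name:cluster1
auth_service_enabled:yes
auth_service_url:http://auth.example.com/service
auth_service_type:tip
EOF
}
sample_lsusergrp() {
cat <<'EOF'
id:name:role:remote
1:Administrator:Administrator:no
5:sysadmins:Administrator:yes
6:storageops:CopyOperator:no
EOF
}

# Print the value of field $1; strip only the leading "name:" (URLs contain ':').
field() { sed -n "s/^$1://p" | head -n 1; }

# Step 1: read lssystem text on stdin, print one finding per line.
audit_auth_service() {
    cfg=$(cat)
    [ "$(printf '%s\n' "$cfg" | field auth_service_enabled)" = yes ] ||
        echo "FAIL auth service not enabled"
    [ "$(printf '%s\n' "$cfg" | field auth_service_type)" = tip ] ||
        echo "FAIL auth service type is not tip"
    url=$(printf '%s\n' "$cfg" | field auth_service_url)
    case $url in
        https://*) ;;
        http://*) echo "FAIL $url sends user, password and SSH key data in clear text" ;;
        *) echo "FAIL no usable auth service URL" ;;
    esac
}

# Step 2: $1 = group name known to the authentication service, $2 = required role.
audit_group() {
    awk -F: -v g="$1" -v r="$2" 'NR > 1 && $2 == g { seen = 1
        if ($4 != "yes") print "FAIL group " g " is not remote"
        if ($3 != r) print "FAIL group " g " has role " $3 ", expected " r }
        END { if (!seen) print "FAIL no user group named " g }'
}

sample_lssystem | audit_auth_service
sample_lsusergrp | audit_group sysadmins Administrator
```

To audit a real system, pipe its saved lssystem and lsusergrp output into the two functions in place of the samples; no output means no findings.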