Access Appliance Online Help

Last Published:
Product(s): Appliances (7.4.3)
Platform: Veritas 3340,Access Appliance OS

Enabling certificate-based authentication in Access Appliance

Certificate-based authentication in Access Appliance lets clients connect to the server securely and authenticates them using digital certificates. These certificates are trusted certificates provided by the customer.

Note:

If trusted certificates are not available, the client can still log on to the Access Appliance application with the regular user name and password.

The digital certificates are based on a public key infrastructure (PKI). The following types of certificates are used for authentication:

  • Root certificate

    A root certificate is a public key certificate that identifies a root certificate authority (CA). It is stored in the browser.

  • Intermediate certificate

    An intermediate certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server or client certificates. It is provided to the server. There can be one or more intermediate certificates.

  • Server or client certificate

    • Server certificate - Issued by the intermediate authority to a specific website to secure the channel.

    • Client certificate - Issued by the intermediate authority to a specific user for authentication.

      Note:

      Server, intermediate, and root certificates are in Privacy Enhanced Mail (PEM) format. Client certificates are in PKCS#12 format.

      The root certificate and the intermediate certificates should be the same for the client and the server.

Note:

Certificate-based authentication in Access Appliance bypasses the traditional log-on method of entering user credentials.

Figure: Workflow for the initial SSL handshake for exchange of certificates between client and server

Enabling the server to use the external certificates:

  • system gui_servercertificate add - provides the server certificate, key, and the CA file.

Enabling the browser to list the client certificate:

  • system gui_clientcertificate authentication enable - provides the Online Certificate Status Protocol (OCSP) URI and the client issuer certificate.

When the browser connects to the server, the client initiates the handshake. The server sends its own certificate and also requests the client certificate that is stored in the browser. The client certificate contains details about the client to whom it was issued. If no client certificate is present in the browser, the user cannot log on to Access Appliance.

Importing digital certificate in a browser

The digital certificate, purchased or received from the certificate authority (CA), can be imported into the browser. The server connects to the client, verifies the certificate details, validates the user, and authenticates it.

Note:

The procedure for importing the digital certificate differs depending on which browser is used to access Access Appliance. See the Veritas Access Installation Guide for the list of the supported browsers.

The following table provides instructions to import the digital certificate in various browsers:

Mozilla Firefox

  1. From the menu bar, click Tools > Options.

  2. In the Options window, click the Advanced tab, and then click the Certificates tab.

  3. Click View Certificates.

  4. In the Certificate Manager window, click the Authorities tab, and then click Import.

  5. Browse to the location of the certificate file and open it.

  6. Click OK.

Microsoft Internet Explorer

  1. From the menu bar, click Tools > Internet Options.

  2. In the Internet Options window, click the Content tab, and then click Certificates.

  3. In the Certificates window, click the Trusted Root Certification Authorities tab, and then click Import.

  4. In the Certificate Import Wizard, browse to the certificate file.

  5. Click OK.

If the client's own root CA is not in the standard CA list that comes with the operating system, the root CA also needs to be imported.

The following diagram describes the workflow for the browser-certificate validation:

Figure: Workflow for the browser-certificate validation

The revocation status of a certificate can be validated in different ways:

  • CRL (certificate revocation list)

  • OCSP (Access Appliance uses this method.)

Validating a certificate

The client receives a client certificate (external certificate) from the certificate authority and imports it into the browser. When the client tries to log on to the Access Appliance application, the connection request is sent to the server.

The server connects to the browser and requests the client certificate. The server converts the client certificate into PEM format if required and sends it to the OCSP URI. The OCSP responder at that URI validates the client certificate, and the responder certificate is validated using the client issuer certificate provided by the user. The server also checks whether the client has the required rights to access the Access Appliance application.

Access Appliance uses the OCSP method to validate the client certificate in PEM form (client_pem). Each certificate vendor provides an OCSP responder to validate its certificates. The OCSP URI is provided by the customer.

The OCSP responder returns one of the following status types to the server for the client certificate validation:

  • Good - The OCSP responder finds that the certificate is valid.

  • Revoked - The OCSP responder finds that the certificate is revoked.

  • Unknown - The OCSP responder cannot find any details about the client certificate in its database. The client cannot log on.

Based on the status type that the OCSP responder returns, the server authenticates or denies the client.

Authorizing a user

The details of the users who need to be authorized are maintained in the Access Appliance database. The subject information in the certificate is used to authorize the user: if the certificate status is good, the subject information is checked against the authorization server.

The authorization can be adapted to the client's requirements to integrate with Active Directory (AD), Lightweight Directory Access Protocol (LDAP), and so on.

To enable client authentication, run the following Access command-line interface commands:

  • system gui_servercertificate add - provides the server certificate, key, and the CA file.

  • system gui_clientcertificate authentication enable - provides the OCSP URI.

  • system guienable - starts the server with the newly provided details.

Note:

The server and client root CA should be the same.

Client certificates should be in PKCS#12 (.pkcs12) format.

All other certificates should be in PEM format.
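The certificate preparation and the OCSP decision described on this page, as an added example that is not part of the Access Appliance documentation or the product's own code. It uses only the openssl command line and runs offline: it builds a throwaway root, intermediate, server, and client PKI in PEM, packages the client certificate as PKCS#12 and converts it back to PEM, confirms that the server and client certificates chain to the same root CA (and that a certificate under an unrelated root does not), extracts the subject CN that authorization keys on, and stands in for the vendor's OCSP responder so that the server's handling of good, revoked, and unknown can be seen for each case. Every name (Demo Org, demo-root, demo-intermediate, other-root, access.demo.example, alice, bob, the password demo-only) and every helper function is constructed for this example; the appliance's CLISH commands are not invoked.

```shell
#!/bin/sh
# Added example (not from the Access Appliance documentation or product code).
# Models the certificate flow on this page with the openssl CLI, fully offline:
#   root -> intermediate -> server / client certificates (PEM), the client
#   certificate as PKCS#12, a same-root chain check, the subject CN used for
#   authorization, and an OCSP round trip (good / revoked / unknown) feeding a
#   fail-closed server decision. All names and the password are constructed.
set -eu

# Minimal openssl config and extension files, so nothing depends on the system openssl.cnf.
write_conf() {
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\n' > "$1/req.cnf"
    printf '[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' >> "$1/req.cnf"
    printf 'basicConstraints = critical,CA:TRUE,pathlen:0\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' > "$1/server.ext"
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth\n' > "$1/client.ext"
}

# Self-signed root CA.  $1=dir $2=name
make_root() {
    openssl req -x509 -config "$1/req.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -sha256 -days 30 -subj "/O=Demo Org/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Certificate issued by an existing CA.  $1=dir $2=name $3=subject $4=CA name $5=extension file
issue_cert() {
    openssl req -new -config "$1/req.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -subj "$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$1/$5" -out "$1/$2.pem" 2>/dev/null
}

serial_of()   { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
# Subject CN: the attribute the page says authorization keys on.
cert_cn()     { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'; }

# Does a PEM end-entity certificate chain to the root via the intermediate?
# $1=root $2=intermediate $3=leaf $4=purpose (sslserver|sslclient)
chains_to() { openssl verify -CAfile "$1" -untrusted "$2" -purpose "$4" "$3" >/dev/null 2>&1; }

make_demo_pki() {
    mkdir -p "$1"; write_conf "$1"
    make_root "$1" demo-root
    make_root "$1" other-root                      # unrelated CA for the negative check
    issue_cert "$1" intermediate "/O=Demo Org/CN=demo-intermediate" demo-root ca.ext
    issue_cert "$1" server "/O=Demo Org/CN=access.demo.example" intermediate server.ext
    issue_cert "$1" alice  "/O=Demo Org/OU=storage-admins/CN=alice" intermediate client.ext
    issue_cert "$1" bob    "/O=Demo Org/OU=storage-admins/CN=bob"   intermediate client.ext
    # The client certificate reaches the browser as PKCS#12; the server works in PEM.
    openssl pkcs12 -export -in "$1/alice.pem" -inkey "$1/alice.key" -certfile "$1/intermediate.pem" \
        -name alice -passout pass:demo-only -out "$1/alice.p12" 2>/dev/null
    openssl pkcs12 -in "$1/alice.p12" -passin pass:demo-only -nokeys -clcerts \
        -out "$1/alice-from-p12.pem" 2>/dev/null
    # Responder database (openssl index.txt format): alice valid, bob revoked, server absent.
    printf 'V\t400101000000Z\t\t%s\tunknown\t/CN=alice\n' "$(serial_of "$1/alice.pem")" > "$1/index.txt"
    printf 'R\t400101000000Z\t240601120000Z\t%s\tunknown\t/CN=bob\n' "$(serial_of "$1/bob.pem")" >> "$1/index.txt"
}

# OCSP round trip for one certificate; prints the server's decision.
# Only "good" allows; revoked, unknown, and an unverifiable response all deny.  $1=dir $2=cert name
ocsp_decision() {
    req="$1/$2.ocsp-req.der"; resp="$1/$2.ocsp-resp.der"
    # Server side: the request that would go to the customer-supplied OCSP URI.
    openssl ocsp -issuer "$1/intermediate.pem" -cert "$1/$2.pem" -no_nonce -reqout "$req" >/dev/null 2>&1
    # Responder side (stand-in for the vendor's responder): answers from index.txt.
    openssl ocsp -index "$1/index.txt" -CA "$1/intermediate.pem" -rsigner "$1/intermediate.pem" \
        -rkey "$1/intermediate.key" -reqin "$req" -respout "$resp" >/dev/null 2>&1
    # Server side: verify the responder signature against the client issuer certificate
    # and the root first, and only then read the status for this certificate.
    out=$(openssl ocsp -respin "$resp" -issuer "$1/intermediate.pem" -cert "$1/$2.pem" \
        -CAfile "$1/demo-root.pem" -no_nonce 2>&1) || out=""
    status=$(printf '%s\n' "$out" | awk -F': ' '$2=="good"||$2=="revoked"||$2=="unknown"{print $2; exit}')
    if ! printf '%s\n' "$out" | grep -q '^Response verify OK'; then
        echo "deny:unverifiable"
    elif [ "$status" = good ]; then
        echo allow
    else
        echo "deny:${status:-no-status}"
    fi
}

DEMO_DIR=${DEMO_DIR:-$(mktemp -d)}
make_demo_pki "$DEMO_DIR"
d=$DEMO_DIR
chains_to "$d/demo-root.pem" "$d/intermediate.pem" "$d/server.pem" sslserver && echo "server.pem chains to demo-root"
chains_to "$d/demo-root.pem" "$d/intermediate.pem" "$d/alice.pem"  sslclient && echo "alice.pem chains to demo-root"
chains_to "$d/other-root.pem" "$d/intermediate.pem" "$d/alice.pem" sslclient || echo "alice.pem does not chain to other-root"
[ "$(fingerprint "$d/alice.pem")" = "$(fingerprint "$d/alice-from-p12.pem")" ] && echo "PKCS#12 -> PEM kept the same certificate"
echo "authorization subject CN: $(cert_cn "$d/alice.pem")"
for c in alice bob server; do echo "$c: $(ocsp_decision "$d" "$c")"; done
```

The responder here signs with the issuing CA's own key, which the verifier accepts because the signer is the issuer; a vendor responder that uses a delegated signing certificate is checked against that same client issuer certificate, which is why the page asks for it alongside the OCSP URI. The decision function deliberately refuses anything other than a verified "good", so a responder outage, a tampered response, or a certificate the responder has never seen all end in a denied log-on rather than a fallback.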