• Digitally signed firmware. The controller firmware verifies the authenticity of any downloadable
SANtricity firmware. Digitally signed firmware is required in controller firmware version 8.42
(SANtricity 11.40.2) and later. If you attempt to download unsigned firmware during the controller
upgrade process, an error is displayed, and the download is aborted.
• Certificate revocation checking using Online Certificate Status Protocol (OCSP). Certificate
management includes certificate revocation checking through an OCSP server. The OCSP server
determines whether the certificate authority (CA) has revoked any certificates before the scheduled
expiration date. The OCSP server then blocks the user from accessing a server if the certificate is
revoked. Revocation checking is performed whenever the storage array connects to an AutoSupport
server, external key management server, LDAP over SSL (LDAPS) server, or syslog server.
Configuration tasks are available from Settings > Certificates and require security admin permissions.
• Syslog server configuration for audit log archiving. In access management, you can configure a
syslog server to archive audit logs. After configuration, all new audit logs are sent to the syslog
server; however, previous logs are not transferred. Configuration tasks are available from Settings >
Access Management and require security admin permissions.
How MFA Works
MFA is provided through the industry-standard SAML protocol. SAML does not directly provide the MFA
functionality; instead, it allows the web service to send a request to an external system. The external
system requests credentials from the user and verifies those credentials. Information about the
authenticated user is then returned to the web service to allow the user to be assigned appropriate roles.
With the previous E-Series authentication methods, the web service was responsible for requesting the
user credentials and authenticating the user. With SAML, an external system provides all authentication
activity. The external system can be configured to require any number and type of user authentication
factors.
SAML identifies two types of systems that cooperate to provide authentication of users:
• Identity provider. The identity provider (IdP) is the external system that does the actual
authentication of users by requesting the user credentials and verifying their validity. Maintenance
and configuration of the IdP is your responsibility.
• Service provider. The service provider (SP) is the system that sends a request to the IdP to have a
user authenticated. For E-Series storage arrays, the controllers are the service providers; each
controller is a separate SP.
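As an added illustration (not from this TR and not SANtricity code) of what the service-provider side must still check once the IdP hands back the authenticated user, the Python sketch below validates an IdP response and maps a group attribute to roles. The entity IDs, the `groups` attribute name, the role map and the sample response are assumptions constructed for the example, and XML signature verification is assumed to have been done before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID, IDP_ENTITY_ID = "https://controller-a.example.net/sp", "https://idp.example.net/saml"  # assumed
ROLE_MAP = {"storage-admins": "storage.admin", "security-admins": "security.admin"}  # assumed mapping
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock for the sample data

def require(ok, why):
    if not ok: raise ValueError(why)

def validate_response(xml_text, expected_request_id, now, seen_assertion_ids):
    """SP-side checks on an IdP <Response>; returns (subject, roles) or raises ValueError.
    Assumes the XML signature was already verified against the IdP certificate (XML-DSig not shown)."""
    root = ET.fromstring(xml_text)
    require(root.get("InResponseTo") == expected_request_id, "not a reply to our AuthnRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    require(code is not None and code.get("Value") == SUCCESS, "IdP did not report success")
    a = root.find("saml:Assertion", NS)
    require(a is not None, "no assertion in response")
    require(a.findtext("saml:Issuer", namespaces=NS) == IDP_ENTITY_ID, "unexpected issuer")
    require(a.get("ID") not in seen_assertion_ids, "assertion replayed")
    cond = a.find("saml:Conditions", NS)
    nb, noa = (datetime.fromisoformat(cond.get(k)) for k in ("NotBefore", "NotOnOrAfter"))
    require(nb <= now < noa, "assertion outside its validity window")
    require(cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) == SP_ENTITY_ID,
            "assertion issued for a different SP")
    seen_assertion_ids.add(a.get("ID"))  # one-time use: record the ID only after every check passed
    subject = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    groups = [v.text for v in a.findall("saml:AttributeStatement/saml:Attribute[@Name='groups']/saml:AttributeValue", NS)]
    return subject, sorted({ROLE_MAP[g] for g in groups if g in ROLE_MAP})  # unknown groups grant nothing

def rejection_reason(*args):
    """Why the SP would refuse the response, or None if it is accepted."""
    try: validate_response(*args)
    except ValueError as e: return str(e)

def sample_response(request_id, now=NOW, audience=SP_ENTITY_ID):
    """Constructed IdP response (sample data, not real IdP output); the signature element is omitted."""
    nb, noa = now - timedelta(minutes=1), now + timedelta(minutes=5)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0" '
            f'InResponseTo="{request_id}" IssueInstant="{now.isoformat()}">'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{now.isoformat()}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>alice@example.net</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{nb.isoformat()}" NotOnOrAfter="{noa.isoformat()}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement><saml:Attribute Name="groups"><saml:AttributeValue>storage-admins</saml:AttributeValue>'
            f'<saml:AttributeValue>helpdesk</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
            f'</saml:Assertion></samlp:Response>')
```

The audience check is what keeps an assertion issued for controller A from being replayed against controller B, since each controller is its own SP.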
Using SAML to provide MFA also enables single sign-on (SSO) capabilities. If multiple applications are
configured to use the same IdP, SSO enables them to accept the same user credentials without requiring
users to reenter them. The SSO feature is available only if the user is accessing these applications with
the same browser.
Note that when SAML is enabled, SANtricity System Manager is the only management access point.
There is therefore no access through the SANtricity CLI, the SANtricity Web Services REST API, in-band
management (I/O path that uses a host agent), or the native SYMbol interface. The lack of SYMbol access
means that you cannot use the Storage Manager EMW or other SYMbol-based tools such as the NetApp
Storage Management Initiative Specification (SMI-S) provider.
For more information about MFA, see the E-Series online help center and the E-Series Documentation
Center. For detailed explanations about the full set of SANtricity management security features and
settings, see TR-4712: NetApp SANtricity Management Security.