Method to boot-strap secure, centralized authentication for multi-chassis blade system

IP.com Disclosure Number: IPCOM000198562D
Publication Date: 2010-Aug-09
Document File: 2 page(s) / 26K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is a mechanism to automatically configure the LDAP client in the management controller of chassis components as devices are powered up in the chassis. From installation, this allows efficient, reliable, centralized authentication and management for multi-chassis blade systems.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 51% of the total text.

Page 1 of 2

Implementing a large, multi-chassis server blade installation creates unique challenges in managing user IDs, passwords, roles and access rights.

Every component in a blade installation must have a security mechanism that limits access to the device. Where a user needs to reach the management microcontroller (MC) on a component such as a network switch or a blade, administrators must restrict that access to valid, authenticated users.

MCs typically ship from the factory with a well-known, public default user ID and password for initial setup, and the end user is expected to change that default to secure the element. Each chassis element keeps its security credentials in its own local store, so the user must maintain a separate user ID/password on every component. This leads to logistical problems: defaults that are never changed, passwords changed on some elements but not others, and periodic password rotation that requires logging in to every individual component. Central user management removes these problems: administrators can add and delete users in one place, granting access when it is needed and eliminating the risk of 'stale' credentials lingering on chassis components.

A more efficient and consistent approach is to let users or administrators manage the entire set of chassis as a single system, with user IDs managed centrally across all of the chassis components. Such a scheme must ensure that every hot-pluggable blade or module falls under the authority of the centralized authentication and authorization service, and that no back-door user accounts can exist on any blade or module.

Lightweight Directory Access Protocol (LDAP) servers can provide a centralized directory for authenticating users. However, configuring each service processor, switch, storage controller and other device in the chassis to use a specific LDAP domain is a manual, time-consuming and error-prone process. An administrator must still log in to every chassis component, set the LDAP server name or IP address and the certificates, and then change the login policy to LDAP-only instead of local component authentication. If the LDAP server changes, the administrator must again visit every chassis component and update the LDAP server address.
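The following is an added example, not code from the disclosure, showing the two pieces of the scheme the text describes: the single set of LDAP client settings that should be pushed to a component when it powers up (server address, CA certificate pin, LDAP-only login policy, no local accounts), and an audit that reports every component whose settings have drifted from that central policy. The flattened settings dictionary, the component names, the certificate bytes and the policy values are all constructed for illustration; a real MC exposes the equivalent settings through its own CLI or management API.

```python
"""Audit a chassis's management controllers against one central LDAP policy.

Added example, not taken from the disclosure. The settings dictionary is a
hypothetical flattened view of what an MC would expose through its CLI or API.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class LdapPolicy:
    """The single LDAP client configuration every chassis component must carry."""
    server: str            # hostname or IP address of the directory service
    port: int
    base_dn: str
    ca_fingerprint: str    # SHA-256 of the CA certificate that must verify the server
    login_policy: str = "ldap_only"


def fingerprint(pem: bytes) -> str:
    """SHA-256 over the PEM bytes; used to pin the CA certificate on each MC."""
    return hashlib.sha256(pem).hexdigest()


def desired_settings(policy: LdapPolicy) -> dict:
    """Settings to push to a freshly powered-up component so no manual setup is needed."""
    return {
        "ldap_server": policy.server,
        "ldap_port": policy.port,
        "ldap_base_dn": policy.base_dn,
        "ldap_ca_fingerprint": policy.ca_fingerprint,
        "login_policy": policy.login_policy,
        "local_accounts": [],          # no back-door accounts outside the directory
    }


def audit_component(policy: LdapPolicy, settings: dict) -> list[str]:
    """Return the ways one component's settings deviate from the central policy."""
    issues = []
    want = desired_settings(policy)
    for key in ("ldap_server", "ldap_port", "ldap_base_dn"):
        if settings.get(key) != want[key]:
            issues.append(f"{key}: have {settings.get(key)!r}, want {want[key]!r}")
    # A wrong or missing CA pin means the MC will either trust any host that
    # answers to the LDAP name, or fail to connect once TLS is enforced.
    if settings.get("ldap_ca_fingerprint") != policy.ca_fingerprint:
        issues.append("ldap_ca_fingerprint: does not match the chassis CA")
    # Anything other than LDAP-only leaves the factory default or a local password usable.
    if settings.get("login_policy") != policy.login_policy:
        issues.append(f"login_policy: {settings.get('login_policy')!r} allows local auth")
    # Local accounts are back doors: the directory cannot see them, and they
    # survive a user's removal from LDAP.
    if settings.get("local_accounts"):
        issues.append(f"local_accounts: {sorted(settings['local_accounts'])}")
    return issues


def audit_chassis(policy: LdapPolicy, components: dict) -> dict:
    """Map each component name to its list of findings (an empty list means compliant)."""
    return {name: audit_component(policy, cfg) for name, cfg in components.items()}


# ---- constructed sample data (not real certificates or devices) ----
CA_PEM = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CHASSIS-CA\n-----END CERTIFICATE-----\n"
OLD_CA_PEM = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-OLD-CA\n-----END CERTIFICATE-----\n"

POLICY = LdapPolicy(
    server="ldap.mgmt.example",
    port=636,
    base_dn="dc=mgmt,dc=example",
    ca_fingerprint=fingerprint(CA_PEM),
)

SAMPLE_COMPONENTS = {
    # freshly bootstrapped switch: exactly what desired_settings() produces
    "switch-bay1": desired_settings(POLICY),
    # blade still pointing at the previous LDAP server's address
    "blade-bay3": {**desired_settings(POLICY), "ldap_server": "10.0.0.5"},
    # storage controller that never finished setup: old CA, local fallback,
    # and a (constructed) factory account still present
    "storage-bay7": {
        **desired_settings(POLICY),
        "ldap_ca_fingerprint": fingerprint(OLD_CA_PEM),
        "login_policy": "local_then_ldap",
        "local_accounts": ["admin"],
    },
}

if __name__ == "__main__":
    for name, issues in audit_chassis(POLICY, SAMPLE_COMPONENTS).items():
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

Pinning the CA by fingerprint rather than only naming the server is what makes the central store authoritative: a component that reaches the right hostname but accepts any certificate would still authenticate against whatever answers on that address. Running the audit after every hot-plug event, and again whenever the LDAP server moves, is the check that the manual procedure above cannot give.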

Furthermore, there are no guarantees that every device across all the chassis is configured to use the correct LDAP service. For example,...