Hello and welcome to this module. After the initial setup and configuration of IBM PowerVC, there are several administrative tasks that can be performed depending on your needs. This module will serve as a guide to many of these post-installation tasks and features. In this module, we will cover lessons on IBM PowerVC security and user management features. Procedure to check messages in log files. Procedure to access IBM PowerVC REST APIs. IBM PowerVC commands to manage services. The backup and restore procedure in IBM PowerVC. Generate settings, templates, storage, and network settings in IBM PowerVC.

Now let's talk about security and user management. IBM PowerVC uses the Unix operating system security features. There are some extra IBM PowerVC security features that I'd like to talk about. First, customization of users and groups. PowerVC lets you create your own groups and add users to these groups. This is on top of the operating system users and groups. This way, it lets you completely separate PowerVC users from the operating system users. Not quite clear yet? Well, let me explain. For example, you may have a bunch of data center administrators who should be part of the enterprise-wide access control requirements. They can access the operating system on which PowerVC is running. However, they would not need to access the virtual machines that other end users of the organization are creating and deleting, so they don't need to be a part of the PowerVC management group. PowerVC lets you add custom users and groups that only specific administrators will have access to.

Once PowerVC is installed, you have access to its web-based graphical user interface. We use an internal certificate authority and make it use HTTPS by default. This is the secure version of HTTP, which uses SSL. That means all traffic to and from the interface is encrypted and harder to break.
We also have host key and certificate validation for all of the endpoints you can manage from IBM PowerVC. In the web interface, you'll be prompted to verify the authenticity of the endpoint via pop-ups.

The IBM PowerVC software also has commands that can be used to encrypt and decrypt strings. This can come in handy when enterprises have strict password storage standards. In fact, in modern enterprises, no administrator is allowed to store any password anywhere. PowerVC can encrypt any such string you want and decrypt it when it needs to be used again.

Once IBM PowerVC is installed, you can configure it to work with an existing Lightweight Directory Access Protocol, or LDAP, server. Run the powervc-ldap-config command and answer the questions to configure IBM PowerVC to use LDAP for account authentication. You should also remember from a previous lesson that Keystone in OpenStack also provides several identity management and security features, which are also available with IBM PowerVC.

After installing the product, only the root user can access the graphical user interface. However, the root administrator can create more users and administrators depending on their use case. For accountability purposes, many organizations prefer not to use the root user, but to let individual admin accounts perform tasks. There are also a few other users created just for OpenStack services to internally communicate with other services. It's best not to touch these accounts.

In modern editions, user accounts are visible in the IBM PowerVC graphical user interface. To view this, click "Configuration" from the front page of PowerVC and select the Users and Groups option. A screenshot of this is shown here. As you can see, we have created a new user, "admin 1", to perform a lot of the tasks that we'll talk about in this module. The IBM PowerVC application, at least as of the release of this video, doesn't let you create users from the graphical user interface.
Administrators typically use the Linux operating system commands to create users and modify them, like adding them to groups and so forth. The useradd command lets you create users. The usermod command lets you modify or change any attributes of an already created user account, like changing its group. If you ever wanted to delete a user, both from the PowerVC application and from the operating system, you can use the userdel command.

But what if you wanted a user to remain part of the operating system, but didn't want them to log in or to see any resources using PowerVC? That's where PowerVC repositories come in. Users added to other groups besides the powervc-filter group do not appear in the IBM PowerVC GUI users application. The root user belongs to the predefined root group.

Once the users are added to the operating system and the PowerVC identity repositories, an administrator can assign roles to them. The syntax to do that is shown here. You can use the openstack role add command to do this. Then we add the --project attribute to specify the project to which the user belongs, --user to specify the username, and finally the name of the role that should be assigned to this user in this project.

The roles shown here are from IBM Cloud PowerVC Manager version 1.4.1. These roles are predefined and available right after installation. The names of the roles are self-explanatory. You'll learn more about these roles in the rest of this course. You can add users and assign them a role for a project they are part of. Logging into the IBM PowerVC GUI as that user is the best way to learn what the role can do. In general, the admin role has all the privileges and can do all the tasks. Other typical roles are self-service and viewer.

We just spoke about user-related commands; here are a few examples. The first example in the slide above shows adding an account that is named sam. The second example shows more flags.
The -c flag allows you to add comments or a description about this account. The third example shows modifying a user account and adding it to another group. If, for example, there was a user that was already created in the operating system, and you wanted that user to be able to log in to the IBM PowerVC GUI, then you can add them to one of your IBM PowerVC groups by using the -G flag, that's uppercase G. The lowercase -g is used to change a user's primary group. Also, remember to use the passwd command to set the new user's password.

It's recommended that you create a new admin user account for any administrator using your private cloud environment. This lets you clearly see audit trails for anyone using your environment. It's just an obviously better practice from an auditing standpoint.

In the current release, we usually add users from the command line, as we've seen before. However, an administrator can view the available accounts and their properties from the graphical user interface. To do that, you can click on the configuration link from the homepage of your IBM PowerVC system. Inside it, there is a link to users and groups. Inside that, click the username you'd like to display the properties of for that user account. There is also a button, as you can see here, to edit assigned roles. You can use that to change the role of any user. This is the same function as the openstack role add command, which we saw earlier.

When we are talking about authentication, there are two main types. One is the regular password-based authentication everyone is familiar with. These days in the cloud world, certificate-based authentication is quite common and popular. The basic idea here is to create a public and private pair of keys. By the way, the keys can be signed with a password for an additional layer of security. The public key is sent to a public entity such as IBM PowerVC.
Then, when you want an administrator to access this interface, they just need to have a private key set up on their local machine. The system will automatically know that the keys match and this user is authenticated.

The Secure Socket Layer, or SSL, protocol governs server authentication, client authentication, and encrypted communication between servers and clients. SSL requires an SSL server certificate. As part of the initial SSL handshake, the server presents a certificate to the client to authenticate the service identity. The authentication uses public key encryption and digital signatures to confirm that the server is what the server claims to be. Once the server is authenticated, the client and server use symmetric key encryption, which is fast, to encrypt all the information that is exchanged for the remainder of the session.

Self-signed certificates are not publicly trusted because anyone can create one. You can replace default, expired, or corrupted certificates with a newer certificate. The locations for the private key and certificate are shown here. They are the ones you need to replace if you'd like to use your organization's own certificate.

By default, IBM PowerVC persistent data is not encrypted. If you need to encrypt certain pieces of data within the product, you can use the command powervc-encrypt. This command prompts the user for a string, then encrypts the string, and returns the encrypted value. You can use this command to encrypt passwords, tokens, and strings that are stored by IBM PowerVC.

In the next video, we'll take a look at messages and logs.
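
The group rules described earlier in this module (usermod -G adds a supplementary group, lowercase -g changes the primary group, and only members of the filter group show up in the PowerVC GUI) can be audited from the passwd and group data. The script below is an added example, not part of the course material or of IBM PowerVC; the function name list_accounts, the sample accounts and the group ID are constructed for illustration, and the filter group is written here as powervc-filter.

```shell
#!/bin/sh
# Constructed sample data in /etc/passwd and /etc/group format (not from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sam:x:1001:1001:Sam, cloud admin:/home/sam:/bin/bash
admin1:x:1002:2000:PowerVC admin:/home/admin1:/bin/bash
dcops:x:1003:1003:Data center operator:/home/dcops:/bin/bash'

SAMPLE_GROUP='root:x:0:
sam:x:1001:
dcops:x:1003:
powervc-filter:x:2000:sam'

# list_accounts MODE GROUP PASSWD_TEXT GROUP_TEXT
#   MODE=in  : existing accounts that belong to GROUP, either as primary
#              group (passwd GID field, set with usermod -g) or as a
#              supplementary member (group member list, set with usermod -G)
#   MODE=out : OS accounts that do not belong to GROUP at all
# Prints a sorted, comma-separated list.
list_accounts() {
  # Tag each record with its source so one awk pass can read both files;
  # group records go first so the GID is known before passwd is scanned.
  { printf '%s\n' "$4" | sed 's/^/G:/'; printf '%s\n' "$3" | sed 's/^/P:/'; } |
  awk -F: -v mode="$1" -v grp="$2" '
    $1 == "G" && $2 == grp {
      gid = $4
      n = split($5, m, ",")
      for (i = 1; i <= n; i++) if (m[i] != "") member[m[i]] = 1
    }
    $1 == "P" {
      all[$2] = 1
      if (gid != "" && $5 == gid) member[$2] = 1
    }
    END {
      for (u in all) {
        if (mode == "in" && (u in member)) print u
        if (mode == "out" && !(u in member)) print u
      }
    }' | sort | paste -sd, -
}

echo "Visible to PowerVC: $(list_accounts in powervc-filter "$SAMPLE_PASSWD" "$SAMPLE_GROUP")"
echo "OS-only accounts:   $(list_accounts out powervc-filter "$SAMPLE_PASSWD" "$SAMPLE_GROUP")"
```

On a live host the last two arguments can be "$(getent passwd)" and "$(getent group)", which also covers accounts that come from a directory service rather than the local files.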