NOTE: This is an optional configuration, and only necessary if Domain users in a login group are expected to authenticate to the QoreStor UI.
After you configure your QoreStor within the same ADS domain, you must ensure that a login group exists and add it to the domain. Adding a login group is only possible when the QoreStor system is joined to a domain. Also, you must be logged in as a domain user that is part of an enabled login group.
To add a login group in an ADS domain, complete the following steps:
- On the left navigation menu, click.
- On the Active Directory page, find the domain pane and click Add Login Group.
- In the Add Login Group pane, type the name of the login group including the domain name; for example, Domain\Domain Admins. If your login group name contains spaces, you must not enclose it in quotation marks. (This differs from the equivalent CLI command.)
- Click Add Login Group to add the login group.
NOTE: Changes made to the login group take effect on the next login attempt (unlike Windows ADS, no active checking is done on the group).
To remove a configured ADS login group from the QoreStor system, complete the following steps.
- On the left navigation menu, click .
- On the Active Directory page, find the domain pane and click Remove Login Group.
- When prompted to confirm, click OK.
NOTE: Changes made to the login group take effect on the next login attempt (unlike Windows ADS, no active checking is done on the group).
QoreStor UI provides a way to disable "root" user login over SSH to the QoreStor server. This is provided in QoreStor UI for convenience to secure the system.
After you log in to the QoreStor UI, navigate to the System -> Configuration page. Check the status of the SSH service. If it is enabled, you can disable root login over SSH.
Warning: Ensure that there is an alternate way to re-enable root login (over SSH) in case the QoreStor UI is not accessible. This is required to ensure that the root user is not permanently locked out of the server. In that situation, you could access the QoreStor server by logging in via the system console, or via SSH as a different user that has superuser privileges either by default or with sudo.
NOTE: When the status of 'root login over SSH' is shown as 'Unknown', it means that SSH access is either restricted (i.e. password authentication is prohibited) or QoreStor is not able to determine the status of the SSH server.
FIPS 140-2
When installed on systems running RHEL/Oracle Linux/AlmaLinux/Rocky Linux 9.x, QoreStor can make use of FIPS-compliant implementations of cryptographic routines provided by the OS vendor.
NOTE: Currently, QoreStor running on RHEL/Oracle Linux/AlmaLinux/Rocky Linux 8.x systems will not be impacted by turning on system-wide support for FIPS. Despite using techniques permitted by FIPS 140-2, QoreStor encryption does not employ FIPS-compliant implementations of those algorithms.
Enabling support for FIPS 140-2:
To enable FIPS system-wide support, execute the following commands with the Superuser credentials:
fips-mode-setup --enable
update-crypto-policies --set FIPS
reboot
After a successful reboot, the QoreStor will automatically start using the FIPS-compliant implementations.
To check if the QoreStor is operating in FIPS mode, examine the /var/log/oca/ocafsd.log file and check for the following entry in the log:
NOTICE: FIPS status: enabled
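An added example, not part of the QoreStor documentation: a POSIX shell check that confirms FIPS mode after the reboot by comparing the kernel flag with the most recent FIPS status entry in ocafsd.log. The /proc/sys/crypto/fips_enabled path is the standard Linux kernel flag; the function names and the timestamp prefix on the sample log lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example: post-reboot FIPS verification for a QoreStor host.
# Function names are hypothetical; paths default to the log named on this
# page and the standard kernel FIPS flag, and can be overridden.

# Print the value of the most recent "FIPS status:" log entry.
# Only the last entry counts, because older ones may predate the reboot.
# Prints "absent" if there is no entry, "unreadable" if the log cannot be read.
qs_log_fips_status() {
    log=${1:-/var/log/oca/ocafsd.log}
    [ -r "$log" ] || { echo "unreadable"; return 0; }
    status=$(grep 'FIPS status:' "$log" | tail -n 1 |
        sed 's/.*FIPS status:[[:space:]]*//; s/[[:space:]]*$//')
    echo "${status:-absent}"
}

# Print the kernel FIPS flag: 1 (on), 0 (off) or "unknown".
kernel_fips_flag() {
    flag=${1:-/proc/sys/crypto/fips_enabled}
    if [ -r "$flag" ]; then
        echo "$(tr -d '[:space:]' < "$flag")"
    else
        echo "unknown"
    fi
}

# Succeed only when the kernel is in FIPS mode AND QoreStor logged "enabled".
# A mismatch (kernel=1, qorestor=disabled) means the OS switched modes but
# QoreStor is not using the FIPS-compliant routines.
fips_verdict() {
    k=$(kernel_fips_flag "$1")
    q=$(qs_log_fips_status "$2")
    echo "kernel=$k qorestor=$q"
    [ "$k" = "1" ] && [ "$q" = "enabled" ]
}

# Demo on constructed sample data (timestamps are invented for the example).
demo() {
    d=$(mktemp -d)
    echo 1 > "$d/fips_enabled"
    printf '%s\n' \
        '2024-01-01 10:00:00 NOTICE: FIPS status: disabled' \
        '2024-01-02 09:00:00 NOTICE: FIPS status: enabled' > "$d/ocafsd.log"
    fips_verdict "$d/fips_enabled" "$d/ocafsd.log"; rc=$?
    rm -rf "$d"
    return $rc
}
```

On the QoreStor host, source the file and run `fips_verdict` with no arguments to check the real kernel flag and log.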
Limitations with FIPS 140-2
CIFS, NFS, Object Containers, NDMP, and iSCSI protocols are not supported when the QoreStor is executing in a FIPS mode. Additionally, while cloud-tier and archive-tier support is available in FIPS mode, currently only Amazon-S3 and Azure are supported as cloud providers.