W E K A
WebsiteSupportDownloads/LicensingAWS Self-Service Portal
Search…
4.0
Weka documentation
Weka System Overview
About the Weka system
SSD capacity management
Filesystems, object stores, and filesystem groups
Weka networking
Data lifecycle management
Weka client and mount modes
Glossary
Getting Started with Weka
Quick installation guide
Manage the system using the Weka CLI
Manage the system using the Weka GUI
Run first IOs with WekaFS
Getting started with Weka REST API
Planning & Installation
Prerequisites for installation
Weka installation on bare metal
Weka installation on AWS
Performance
Weka performance tests
WekaFS Filesystems & Object Stores
Manage object stores
Manage filesystem groups
Manage filesystems
Attach or detach object store buckets
KMS management
Advanced data lifecycle management
Mount filesystems
Snapshots
Snap-To-Object
Quota management
Additional Protocols
NFS
SMB
S3
Operation Guide
Alerts
Events
Statistics
System congestion
Manage security
User management
Organizations
Expand and shrink cluster resources
Background tasks
Upgrade Weka versions
Billing & Licensing
License overview
Classic license
Pay-As-You-Go license
Support
Prerequisites and compatibility
Get support for your Weka system
The Weka support cloud
Diagnostics CLI command
Appendix
Weka CSI plugin
Monitor using external tools
Snapshot management
REST API Reference Guide
Powered By GitBook
Manage security
This page describes important security consideration for the Weka cluster management.
General security considerations are described below.
Related topics
  • For data security features, such as encryption by KMS, see KMS Management.
  • For security topics related to mounting and separation of organizations, see Organizations.
  • For the different user roles and AD/LDAP authentication, see User Management.

Obtain authentication tokens

The authentication tokens include two types: an access token and a refresh token.
  • Access token: The access token is a short-live token (five minutes) used for accessing the Weka cluster API and to allow the mounting of secure filesystems.
  • Refresh token: The refresh token is a long-live token (one year) used for obtaining an additional access token.
Procedure
Do one of the following:
  • To obtain the refresh token and access token, through the CLI, log in to the cluster using the command: weka user login.
    The system creates an authentication token file and saves it in: ~/.weka/auth-token.json. The token file contains both the access token and refresh token.
Auth-token file content example
  • To obtain the refresh token and access token, through the REST API, use the POST /login. The API returns the token in the response body.
REST API login response example

Generate an access token for API usage (for internal users only)

When working with the REST API, internal Weka users may require using a longer-lived access token (a token that doesn't require a refresh every 5 minutes).
You can generate a longer-lived access token using the CLI command:
weka user generate-token [--access-token-timeout timeout]
The default timeout is 30 days.
To revoke the access and refresh tokens, use the CLI command: weka user revoke-tokens.

TLS

By default, the Weka system deploys a self-signed certificate to access the GUI, CLI, and API through HTTPS.
The Weka system supports TLS 1.2 and higher with at least 128-bit ciphers.
You can deploy your certificates using the CLI command: weka security tls set.
The command receives an unencrypted private key.
Example: This command is similar to the OpenSSL command that Weka uses to generate the self-signed certificate: openssl req -x509 -newkey rsa:1024 -keyout key.pem -out cert.pem -days <days> -nodes

Certificate replacement and rotation

To replace the certificate with a new one, use the CLI command: weka security tls set.
Once you issue a certificate, it is used for connecting to the cluster (for the time it is issued), while the revocation is handled by the CA and propagating its revocation lists into the various clients.

Custom CA certificates

Weka uses well-known CAs to establish trust with external services. For example, when using a KMS.
If a different CA is required for Weka servers to establish trust, install this custom CA certificate on the Weka servers using the CLI command:
weka security ca-cert set

Password management

Password requirements

  • at least 8 characters
  • an uppercase letter
  • a lowercase letter
  • a number or a special character
The First User created by default is admin (with admin password), and the password is prompt to change on the first login.

Account lockout

To prevent brute force attacks, if several login attempts fail (default: 5), the user account is locked for several minutes (default: 2 minutes).
You can control the default values by using the CLI commands:
weka security lockout-config show/set/reset

GUI access

You can access the Weka GUI only from the backend servers through port 14000. The GUI session is automatically terminated, and the user is signed out after 30 minutes of inactivity.

Manage the login banner using the GUI

You can set a login banner containing a security statement or a legal message displayed on the sign-in page. You can also disable, edit, or reset the login banner.
Sign in page with a banner example
Procedure
  1. 1.
    From the menu, select Configure > Cluster Settings.
  2. 2.
    From the Cluster Settings pane, select Login banner.
Login Banner
3. Select Edit Banner.
Write the login banner statement
4. In the Edit Login Banner, write your organization statement in the banner text box.
5. Select Save.
6. To prevent displaying the login banner, select Disable Login Banner.
7. To clear the banner text, select Reset Banner.

Manage the login banner using the CLI

To manage the login banner, use the following CLI command:
weka security login-banner set|show|reset|enable|disable
Command options:
set: Sets the login banner text.
show: Displays the login banner text.
reset: Clears the login banner text.
enable: Displays the login banner when accessing the cluster.
disable: Prevents displaying the login banner when accessing the cluster.
​
Operation Guide - Previous
System congestion
Next
User management
Last modified 12d ago
Copy link
Contents
Obtain authentication tokens
Generate an access token for API usage (for internal users only)
TLS
Certificate replacement and rotation
Custom CA certificates
Password management
Password requirements
Account lockout
GUI access
Manage the login banner using the GUI
Manage the login banner using the CLI