Security Access Settings
ZStack ZSphere helps you improve access control security through IP blocklists and allowlists, certificate management, and security settings.
IP Blocklist and Allowlist Management
Basic Information
- If no IP blocklists or allowlists have been added, requests from all IP addresses are allowed by default.
- If only an IP blocklist is added, IPs in the blocklist are denied access to the platform, while other IPs are allowed.
- If the same IP is added to both lists, the allowlist takes precedence over the blocklist, allowing requests from that IP.
- You cannot use an IP allowlist alone. Make sure to add at least one IP blocklist before you use an IP allowlist. Otherwise, the IP allowlist does not take effect.
Add IP Blocklist or Allowlist
- Navigate to .
- Click Add IP Blocklist and Allowlist.
- Name: The name of the IP blocklist or allowlist
- Description: The description of the IP blocklist or allowlist
- Type: Select blocklist or allowlist
- IP Address: You can enter IP addresses, IP address ranges, or IP/mask format. Separate multiple IP addresses with commas. You can add up to 100 entries.
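The decision rules from Basic Information, applied to the entry formats the dialog accepts, as an added example (this is not ZStack code): it lets an administrator predict the outcome for a given source IP before saving a list. The 100-entry limit and the allowlist precedence rule are taken from this page; everything else is a constructed illustration.

```python
import ipaddress

# Added example (not ZStack code): the blocklist/allowlist decision rules
# stated on this page, applied to the entry formats the dialog accepts
# (single IP, range "a-b", or "ip/mask").

def parse_entry(entry):
    """Return (ip_version, first, last) for one entry, addresses as ints."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {entry}")
        return lo.version, int(lo), int(hi)
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)
        return net.version, int(net.network_address), int(net.broadcast_address)
    addr = ipaddress.ip_address(entry)
    return addr.version, int(addr), int(addr)

def parse_list(text):
    """Parse a comma-separated entry string; the dialog allows up to 100 entries."""
    entries = [e for e in text.split(",") if e.strip()]
    if len(entries) > 100:
        raise ValueError("a list may contain at most 100 entries")
    return [parse_entry(e) for e in entries]

def matches(ip, ranges):
    """True if ip falls inside any parsed entry of one list."""
    addr = ipaddress.ip_address(ip)
    return any(v == addr.version and lo <= int(addr) <= hi for v, lo, hi in ranges)

def is_allowed(ip, blocklists, allowlists):
    """blocklists/allowlists: parsed contents of every configured list of that type."""
    if not blocklists:
        return True  # no blocklist configured: all IPs allowed, allowlists have no effect
    if any(matches(ip, al) for al in allowlists):
        return True  # an IP on both lists is allowed: the allowlist takes precedence
    return not any(matches(ip, bl) for bl in blocklists)
```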
Manage IP Blocklist and Allowlist
- Navigate to .
- Select a list and then click Action.
- To modify the name and description of the list, select Edit Name and Description.
- To modify the IP addresses in the list, select Modify Configuration.
- To remove IP access restrictions for a particular list from the platform, select Delete.
Certificate Management
Import Third-Party Certificate
Before you begin
- You have deployed the latest ZStack ZSphere environment. For a dual-management node environment, ensure that each management node is working properly.
- You need admin permissions to configure the certificates.
- You hold a valid commercial CA-issued certificate.
- Certificate files and certificate chains are supported in CTR or PEM format only. Private keys for certificates must be in KEY or PEM format.
Note: If your certificate does not meet these format requirements, convert it accordingly.
Procedure
- In the navigation pane, choose .
- On the Certificate Management page, click Import Certificate.
- In the Certificate Import dialog, set the following parameters:
- Import Mode: Select Third-party Certificate.
- Certificate File: Import or enter the certificate public key.
Note:
- Only CTR and PEM formats are supported.
- The certificate content must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
- Certificate Private Key: Import or enter the certificate private key.
Note:
- Only KEY and PEM formats are supported.
- The private key content must begin with -----BEGIN (RSA/EC) PRIVATE KEY----- and end with -----END (RSA/EC) PRIVATE KEY-----.
- Certificate Chain: Import or enter the certificate chain.
Note:
- Only CTR and PEM formats are supported.
- The certificate chain content must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
- HTTP Redirection: Optional, enabled by default. When enabled, the system automatically redirects requests from port 80 of the HTTP address to port 443 of the HTTPS address.
- Review the certificate information and click OK.
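A preflight check for the three fields of the Certificate Import dialog, as an added example (not ZStack code): it verifies the PEM armor rules stated above before anything is submitted. It assumes the standard five-hyphen PEM armor of RFC 7468; the sample blocks are constructed with placeholder bodies, not real key material.

```python
import re

# Added example (not ZStack code): check the Certificate File, Certificate
# Private Key and Certificate Chain fields against the format rules on this
# page. Sample blocks are constructed with placeholder base64 bodies.

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n([A-Za-z0-9+/=\r\n]+?)-----END ([A-Z ]+)-----")

def pem_labels(text):
    """Return the label of each PEM block in text, e.g. ['CERTIFICATE']."""
    labels = []
    for m in PEM_BLOCK.finditer(text):
        if m.group(1) != m.group(3):
            raise ValueError(f"BEGIN {m.group(1)} is closed by END {m.group(3)}")
        labels.append(m.group(1))
    return labels

def check_import(cert_text, key_text, chain_text=""):
    """Return a list of problems; an empty list means the fields look importable."""
    problems = []
    c = cert_text.strip()
    if not (c.startswith("-----BEGIN CERTIFICATE-----")
            and c.endswith("-----END CERTIFICATE-----")):
        problems.append("certificate must start with -----BEGIN CERTIFICATE----- "
                        "and end with -----END CERTIFICATE-----")
    if pem_labels(cert_text) != ["CERTIFICATE"]:
        problems.append("certificate field must hold exactly one CERTIFICATE block")
    if pem_labels(key_text) not in (["RSA PRIVATE KEY"], ["EC PRIVATE KEY"]):
        # Also catches PKCS#8 'BEGIN PRIVATE KEY' and encrypted keys: convert first.
        problems.append("private key must be a single RSA or EC PRIVATE KEY block")
    if chain_text.strip():
        labels = pem_labels(chain_text)
        if not labels or set(labels) != {"CERTIFICATE"}:
            problems.append("certificate chain must contain only CERTIFICATE blocks")
    return problems

def pem(label, body="MIIBplaceholderBodyConstructedForTheExample=="):
    """Build a constructed PEM block with a placeholder body (not real data)."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
```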
Results
After successfully importing the third-party certificate, the system will re-establish the session and reconnect to the UI management interface through port 443 of the HTTPS protocol.
Import System Self-Signed Certificate
Before you begin
- You have deployed the latest ZStack ZSphere environment. For a dual-management node environment, ensure that each management node is working properly.
- You need admin permissions to configure the certificates.
Procedure
- In the navigation pane, choose .
- On the Certificate Management page, click Import Certificate.
- In the Certificate Import dialog, set the following parameters:
- Import Mode: Select System-Signed Certificate.
- Validity Period: Choose from 3 months, 1 year, 3 years, 5 years, or 10 years. The default is 3 years.
- HTTP Redirection: Optional, enabled by default. When enabled, the system automatically redirects requests from port 80 of the HTTP address to port 443 of the HTTPS address.
- Custom Information: Optional, disabled by default. When enabled, you can customize the system-signed certificate information:
- Common Name (CN): Optional, set the common name; the default is localhost. The length should be 1 to 64 characters, supporting only English letters in upper and lower case, numbers, and the following special characters: ~`@#$%^&*()-_+={}[]|:;'<>.?/.
- Organization (O): Optional, set the organization name; the default is localhost. The length should be 1 to 64 characters, supporting only English letters in upper and lower case, numbers, and the following special characters: ~`@#$%^&*()-_+={}[]|:;'<>.?/.
- Organizational Unit (OU): Optional, set the department. The length should be 1 to 64 characters, supporting only English letters in upper and lower case, numbers, and the following special characters: ~`@#$%^&*()-_+={}[]|:;'<>.?/.
- Country/Region (C): Optional, set the country/region; only CN is supported.
- State/Province (S): Optional, set the state/province. The length should be 1 to 128 characters, supporting Chinese characters, English letters in upper and lower case, numbers, and the following special characters: ~`@#$%^&*()-_+={}[]|:;'<>.?/.
- Locality (L): Optional, set the city. The length should be 1 to 128 characters, supporting Chinese characters, English letters in upper and lower case, numbers, and the following special characters: ~`@#$%^&*()-_+={}[]|:;'<>.?/.
- Email Address: Optional, set the email address.
- Review the certificate information and click OK.
Results
After successfully importing the system-signed certificate, the system will re-establish the session and reconnect to the UI management interface through port 443 of the HTTPS protocol.
Update Certificate
Before you begin
- You have deployed the latest ZStack ZSphere environment. For a dual-management node environment, ensure that each management node is working properly.
- You need admin permissions to configure the certificates.
- If an added certificate has changed or is nearing its expiration date, you need to update the certificate information promptly.
Procedure
- In the navigation pane, choose .
- In the Certificate Management page, click Import New Certificate.
- In the Import Certificate dialog, update the certificate configuration information.
Note: When updating a certificate, the system checks the current certificate path and writes the certificate information to that path.
- Review the certificate information and click OK.
Results
After successfully updating the certificate, you can continue to access the UI management interface through port 443 of the HTTPS protocol.
Switch to HTTP Login
Before you begin
- You have deployed the latest ZStack ZSphere environment. For a dual-management node environment, ensure that each management node is working properly.
- You need admin permissions to configure the certificates.
- You have configured the SSL certificate.
Procedure
- In the navigation pane, choose .
- In the Certificate Management page, click Switch to HTTP.
- In the confirmation dialog, review and confirm the risk warning information.
Results
After successfully switching to the HTTP protocol for accessing the UI management interface, the system will re-establish the session and reconnect to the UI management interface through port 80 of the HTTP protocol.
Security Settings
Modifying Security Settings
- Navigate to the .
- Select the item you want to modify, then click the Edit icon to make changes.
Appendix: Security Settings Items
| Category | Item Name | Item Description |
|---|---|---|
| Login Policy | Prohibit Multiple Session Connections for the Same User | Default is off. This setting determines whether multiple session connections for the same user are prohibited. If enabled, only one login session is allowed for the same user, and historical sessions will be forcibly terminated. |
| Login Policy | Session Timeout | Default is 2 hours, measured in seconds/minutes/hours/days. After the session time exceeds this duration, the system becomes unavailable and requires re-login. |
| Login Policy | Platform Login Verification Code Policy | Default is off. This setting determines whether the verification code function in login control is enabled. If enabled, after exceeding the maximum number of consecutive login failures, the verification code protection mechanism is triggered, requiring the correct username, password, and verification code to successfully log in to the platform. The default maximum number of consecutive login failures is 6 times. |
| Login Policy | Platform Login Password Update Cycle | Default is off. This setting determines whether the password should be changed periodically. If enabled, when the password usage time reaches the specified update cycle, a prompt to change the password will appear upon re-login, with the default being 90 days. When resetting the password, the new password cannot repeat any previously used passwords. The non-repetition count can be configured, with the default being 5, indicating that the new password cannot match any of the previous 3 used passwords. |
| Login Policy | Platform Consecutive Login Failure User Lockout | Default is off. This setting determines whether consecutive login failures lock the user. If enabled, the account will be locked for a period of time after the specified number of consecutive login failures. The default maximum number of consecutive login failures is 6, and the default lockout duration is 10 minutes. |
| Login Policy | Platform Login Password Strength | Default is off. If enabled, you can manually set the password length and choose whether to require a combination of numbers, upper and lower case letters, and special characters. |
| Login Policy | Platform Login Two-Factor Authentication | Default is off. This setting determines whether two-factor authentication is enabled for logging into the platform. |
| Virtual Machine | VNC Console Password | Default is off. This setting determines whether password login to the VNC console is enabled. Note: The VNC password length range format is m-n, with values ranging from [6, 8] integers, defaulting to 6-8, and supporting the option to enable a combination of numbers, upper and lower case letters, and special characters. |
| Virtual Machine | Virtual Machine Password Strength | Default is off. This setting determines whether password login to the virtual machine is enabled. |
| Host | Host Password Encryption Storage | Default is None. This setting determines the encryption storage policy for host passwords in the database. Available strategies are: None, LocalEncryption. |
