Security Access Settings

ZStack ZSphere 4.10.6>ZStack ZSphere Documentation>ZStack ZSphere User Guide>System Management>Security Access Settings

ZStack ZSphere helps you improve access control security through console proxy, AccessKeys, IP blacklists and whitelists, and security settings.

This chapter mainly covers the following topics:

IP Blocklist and Allowlist Management

IP blocklist and allowlist: By identifying and filtering visitor IPs, it intercepts access from specific IPs or allows access from specific IPs, further enhancing the access control security of ZStack ZSphere.

Basic Information
Add IP Blocklist or Allowlist
Manage IP Blocklist and Allowlist

Basic Information

Before adding IP blocklists or allowlists, you can first understand the following basic information:

If no IP blocklists or allowlists have been added, all IP addresses are allowed by default.
If only an IP blocklist is added, access from blocklisted IPs will be denied, while other IPs are allowed.
If only an IP allowlist is added, access from allowlisted IPs is allowed, while other IPs are not.
If both IP blocklists and allowlists are added, the allowlist takes precedence over the blocklist. For example, if the same IP is added to both lists, requests from that IP will be allowed.

Add IP Blocklist or Allowlist

You can follow these steps to add an IP blocklist or allowlist:

Navigate to Menu > System Management > IP Blocklist and Allowlist.
Click Add IP Blocklist and Allowlist.

You can use the following example to complete the configuration:

Name: The name of the IP blocklist or allowlist
Description: The description of the IP blocklist or allowlist
Type: Select blocklist or allowlist
IP Address: You can enter IP addresses, IP address ranges, or IP/mask format. Separate multiple IP addresses with commas. You can add up to 100 entries.

Manage IP Blocklist and Allowlist

You can manage IP blocklists and allowlists, including editing names and descriptions, modifying configurations, and deleting them.

Navigate to Menu > System Management > IP Blocklist and Allowlist.
Select a list and then click Action.
- To modify the name and description of the list, select Edit Name and Description.
- To modify the IP addresses in the list, select Modify Configuration.
- To remove IP access restrictions for a particular list from the virtualization platform, select Delete.

Certificate Management

ZStack ZSphere supports configuration and management of SSL certificates.

Import Third-Party Certificate

Prerequisites

You have deployed the latest ZStack ZSphere environment. For a dual-management node environment, ensure that each management node is working properly.
You need admin permissions to configure the certificates.
You hold a valid commercial CA-issued certificate.
Certificate files and certificate chains are supported in CTR or PEM format only. Private keys for certificates must be in KEY or PEM format.
Note: If your certificate does not meet these format requirements, convert it accordingly.

Procedure

In the left navigation pane, click System Management > Certificate Management.
On the Certificate Management page, click Import Certificate.
In the Certificate Import dialog, set the following parameters:
- Import Mode: Select Third-party Certificate.
- Certificate File: Import or enter the certificate public key.
  Note:
  - Only CTR and PEM formats are supported.
  - The certificate content must begin with ----BEGIN CERTIFICATE---- and end with ----END CERTIFICATE----.
- Certificate Private Key: Import or enter the certificate private key.
  Note:
  - Only KEY and PEM formats are supported.
  - The private key content must begin with ----BEGIN (RSA/EC) PRIVATE KEY---- and end with ----END (RSA/EC) PRIVATE KEY----.
- Certificate Chain: Import or enter the certificate chain.
  Note:
  - Only CTR and PEM formats are supported.
  - The certificate chain content must begin with ----BEGIN CERTIFICATE---- and end with ----END CERTIFICATE----.
- HTTP Redirection: Optional, enabled by default. When enabled, the system automatically redirects requests from port 80 of the HTTP address to port 443 of the HTTPS address.
Review the certificate information and click OK.

Results

After successfully importing the third-party certificate, the system will re-establish the session and reconnect to the UI management interface through port 443 of the HTTPS protocol.

Next Chapter: System Settings