EMC® VPLEX® GeoSynchrony Security Configuration Guide 300-010-493 REV 14
Copyright © 2016 EMC Corporation. All rights reserved. Published in the USA. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC², EMC, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. For the most up-to-date regulatory document for your product line, go to EMC Online Support (https://support.emc.com). EMC Corporation Hopkinton, Massachusetts 01748-9103 1-508-435-1000 In North America 1-866-464-7381 www.EMC.com
CONTENTS

Tables                                                                        5
Preface                                                                       7
Chapter 1   Overview                                                         11
            VPLEX overview                                                   12
Chapter 2   Security Recommendations                                         15
            Security recommendations                                         16
Chapter 3   VPLEX management server operating system and networking          17
            Accessing the management server                                  18
                Using SSH to access the management server shell              18
                Using HTTPS to access the VPLEX GUI                          18
                Using IPsec VPN in a VPLEX Metro implementation              19
                Using SCP to copy files                                      19
                Using a tunneled VNC connection to access the management
                server desktop                                               21
Chapter 4   IP addresses and component IDs                                   23
Chapter 5   Implementing IPv6                                                29
Chapter 6   Security configuration settings                                  31
            User roles, accounts, and privileges                             32
Chapter 7   Configuring user authentication                                  37
            Role-based access control feature overview                       38
                Role descriptions                                            38
                Role-based access control and NDU                            39
            Implementing LDAP                                                40
            Password policy                                                  41
            Synchronizing service account password to MMCS peer             45
Chapter 8   Manage user accounts                                             47
            Adding user accounts                                             48
            View or modify user account details                              48
            Changing passwords                                               50
            Resetting passwords                                              51
            Changing the service account password                            51
            Deleting user accounts                                           52
Chapter 9   Log file settings                                                53
            Log file settings                                                54
Chapter 10  Communication Security Settings                                  55
            Communication security settings                                  56
                IP WAN COM                                                   56
                Accessibility                                                56
                Port Usage                                                   57
                Communications specifications - VPLEX Metro system           58
                Communications specifications - VPLEX Local system           60
                Network Encryption                                           61
                Creating a local Certification Authority                     62
                Finding the host certificate's SHA256, SHA1 and (for GUI
                users) MD5 fingerprints                                      63
                Finding the SSH key fingerprint (for SSH users)              63
                Configurable HTTPS/TLS protocol                              64
                Data security settings                                       65

TABLES

Table 1   Typographical conventions                                           8
Table 2   Quad-engine cluster director IP addresses                          25
Table 3   Dual-engine cluster director IP addresses                          26
Table 4   Single-engine cluster director IP addresses                        26
Table 5   Last Octets of Director IP Addresses                               26
Table 6   IPv6 support on VPLEX components                                   29
Table 7   VPLEX user accounts and privileges                                 32
Table 8   VPLEX operations and account types                                 34
Table 9   Description of roles in Role-based Access Control                  39
Table 10  Default password policies                                          41
Table 11  VPLEX component log files                                          54
Table 12  Port Usage                                                         57
Table 13  Communication in a VPLEX Metro system                              59
Table 14  Communication in a VPLEX Local system                              61
Preface

As part of an effort to improve its product lines, EMC periodically releases revisions of its software and hardware. Therefore, some functions described in this document might not be supported by all versions of the software or hardware currently in use. The product release notes provide the most up-to-date information on product features.

Contact your EMC technical support professional if a product does not function properly or does not function as described in this document.

Note: This document was accurate at publication time. Go to EMC Online Support (https://support.emc.com) to ensure that you are using the latest version of this document.

Purpose

This document is part of the VPLEX documentation set, and describes the VPLEX features and use cases, configuration options, VPLEX software and its upgrade, and the hardware overview.

Audience

This guide is intended for use by customers who wish to understand the software and hardware features of VPLEX, the use cases of VPLEX, product offerings, and the configuration options.

Related documents (available on EMC Online Support) include:

• EMC VPLEX Release Notes for GeoSynchrony Releases
• EMC VPLEX Product Guide
• EMC VPLEX Hardware Environment Setup Guide
• EMC VPLEX Configuration Worksheet
• EMC VPLEX Configuration Guide
• EMC VPLEX Security Configuration Guide
• EMC VPLEX CLI Reference Guide
• EMC VPLEX Administration Guide
• Unisphere for VPLEX Help
• EMC VPLEX Element Manager API Guide
• EMC VPLEX Open-Source Licenses
• EMC VPLEX GPL3 Open-Source Licenses
• Procedures provided through the SolVe Desktop Generator
• EMC Host Connectivity Guides
• EMC VPLEX Hardware Installation Guide
• Various best practices technical notes available on EMC Online Support
Special notice conventions used in this document

EMC uses the following conventions for special notices:

DANGER
Indicates a hazardous situation which, if not avoided, will result in death or serious injury.

WARNING
Indicates a hazardous situation which, if not avoided, could result in death or serious injury.

CAUTION
Indicates a hazardous situation which, if not avoided, could result in minor or moderate injury.

NOTICE
Addresses practices not related to personal injury.

Note
Presents information that is important, but not hazard-related.

Typographical conventions

EMC uses the following type style conventions in this document:

Table 1 Typographical conventions

Bold              Used for names of interface elements, such as names of windows, dialog boxes,
                  buttons, fields, tab names, key names, and menu paths (what the user specifically
                  selects or clicks)
italic            Used for full titles of publications referenced in text
Monospace         Used for:
                  • System code
                  • System output, such as an error message or script
                  • Pathnames, filenames, prompts, and syntax
                  • Commands and options
Monospace italic  Used for variables
Monospace bold    Used for user input
[]                Square brackets enclose optional values
|                 Vertical bar indicates alternate selections - the bar means "or"
{}                Braces enclose content that the user must specify, such as x or y or z
...               Ellipses indicate nonessential information omitted from the example
Where to get help

EMC support and product information can be obtained as follows:

Product information — For documentation, release notes, software updates, or information about EMC products, go to EMC Online Support at: https://support.emc.com

Technical support — Go to EMC Online Support and click Service Center. You will see several options for contacting EMC Technical Support. Note that to open a service request, you must have a valid support agreement. Contact your EMC sales representative for details about obtaining a valid support agreement or with questions about your account.

Online communities — Visit EMC Community Network at https://community.EMC.com for peer contacts, conversations, and content on product support and solutions. Interactively engage online with customers, partners, and certified professionals for all EMC products.

Your comments

Your suggestions will help to improve the accuracy, organization, and overall quality of the user publications. Send your opinions of this document to: [email protected]
CHAPTER 1 Overview

• VPLEX overview  12

VPLEX overview

An EMC® VPLEX® cluster consists of one, two, or four engines (each containing two directors), and a management server. A dual-engine or quad-engine cluster also contains a pair of Fibre Channel switches for communication between directors. Each engine is protected by a standby power supply (SPS), and each Fibre Channel switch gets its power through an uninterruptible power supply (UPS). In a dual-engine or quad-engine cluster, the management server also gets power from a UPS.

The management server has a public Ethernet port, which provides cluster management services when connected to the customer network. The management server can also provide call-home services through the public Ethernet port by connecting to an EMC Secure Remote Support (ESRS) gateway deployed on the same network. The ESRS gateway is also used by EMC personnel to provide remote service.

Two VPLEX implementations are available:

• VPLEX Local (single cluster)
• VPLEX Metro (two clusters separated by synchronous distances)

In a VPLEX Metro implementation, the clusters are connected over IP between the management servers.

VPLEX user authentication is configured locally on the management server or remotely on an OpenLDAP or Active Directory server which integrates with Unix using Service for UNIX 3.5, Identity Management for UNIX, or other authentication service. A management server in each VPLEX cluster authenticates users against account information kept on its local file system or against the LDAP/AD server. An authenticated user can manage resources in the local cluster. In a VPLEX Metro, users authenticated by either management server can manage all resources in both clusters.

Figure 1 on page 13 shows a VPLEX cluster configuration (quad system) example.

Figure 1 VPLEX Cluster Configuration
CHAPTER 2 Security Recommendations

• Security recommendations  16

Security recommendations

While the Security Configuration Guide must be reviewed in its entirety, this section highlights EMC's most important security recommendations to ensure the security of your data and environment.

• Given the elevated permissions granted to the service account, its password must be changed in order to better protect VPLEX from misuse or abuse of those privileges. Changing the Service Account Password on page 51 provides more information.
• To protect your data in the communications between clusters in a VPLEX Metro configuration, an external encryption solution such as IPsec must be used to guarantee confidentiality and authentication for the IP WAN COM link. IP WAN COM provides more information.
• To protect the identity and integrity of your users and their account credentials, all LDAP communication must be configured to use the LDAPS protocol. Implementing LDAP on page 40 provides more information.
CHAPTER 3 VPLEX management server operating system and networking

• Accessing the management server  18

The VPLEX management server's operating system (OS) is based on a Novell SUSE Linux Enterprise Server 10 SP2 distribution. Starting in Release 5.3, the management server will run SUSE Linux Enterprise Server 11 patch 3. The operating system has been configured to meet EMC security standards by disabling or removing unused services and packages, and by protecting access to network services through a firewall. The packages that remain in use are hardened with security updates.

A management server has four Ethernet ports, identified as eth0 through eth3 by the operating system, and shown in Figure 2. A 1 Gb/s public management port (eth3) is the only Ethernet port in the VPLEX rack that may be connected to an external management LAN. Other components in the rack are connected to two redundant private management Ethernet networks, connected to the management server's eth0 and eth2 ports. A service port (eth1) can be connected to a local laptop, providing access to the same services as a host on the management LAN.

Figure 2 Management server, rear view

Accessing the management server

Three protocols allow access to a VPLEX management server over a secure and encrypted connection: SSH, HTTPS, and IPsec VPN.

Using SSH to access the management server shell

Users can log in to the management server shell over SSH version 2, through the management server's public Ethernet port or service port. The SSH service is available on the standard port 22. An SSH login with appropriate credentials allows access to a Linux shell on the management server. From there:

• Users can access the VPLEX command line interface (VPlexcli).
• A service account user can also inspect log files, start and stop services, and upgrade firmware and software.

SSH can also be used to establish a secure tunnel between the management server and the host running the SSH client. Using SSH to access the management server shell on page 18 provides more information.

Using HTTPS to access the VPLEX GUI

The Unisphere for VPLEX graphical user interface (GUI) is accessible as a web service on the management server's public Ethernet port and the service port, using the HTTPS protocol. It is available on the standard port 443. The following URL initiates an HTTPS connection to the GUI:

    https://management_server_public_IP_address

To access the GUI using an IPv6 address, use the following URL:

    https://[mgmtserver_ipv6_addr]

For example:

    https://[3ffe:80c0:22c:803c:215:17ff:fed3:207]/smsflex/VPlexConsole.html

Note: Accessing the VPLEX GUI or the VPLEX CLI over IPv6 is possible only if the client machine is also in an IPv6 network.

The readonly user has no GUI access. The GUI encrypts all traffic using a server certificate. Creating a host certificate on page 62 provides more information.

Note: The GUI has a timer that logs the user out after 10 minutes of inactivity. You can modify the timeout value to a maximum of 12 hours.
Using IPsec VPN in a VPLEX Metro implementation

The management servers in the two VPLEX Metro clusters must connect to each other over a Virtual Private Network (VPN) through the public Ethernet port, as shown in the following figure.

Figure 3 IPSec VPN connection

Although you might have already secured the network connections between two VPLEX Metro clusters, the management servers must establish an explicit VPN connection, to acknowledge that the remote management server has full management control over the local cluster and its resources. The VPLEX management server uses strongSwan, an open source implementation of IPsec for Linux.

Using SCP to copy files

The Secure Copy Protocol (SCP) allows users to transfer files to and from the management server. SCP uses the same credentials as SSH. Popular SCP clients are WinSCP, PSCP (provided by the PuTTY package), and the SCP client provided by OpenSSH.

Transferring files to and from the management server using SCP

VPLEX allows file transfer to/from the management server using SCP. In VPLEX release 6.0, SCP permissions will be granted with shell access.

Before you begin

To use SCP to transfer files to and from the management server, you must have shell access. Users with no shell access can transfer files only to a specific management server directory: they can transfer files with SCP into a specified directory and retrieve files from another directory located on the management server.

Note: You cannot transfer or retrieve directories.

Files that are transferred with SCP into or out of the management server can be viewed in the contexts /management-server/users/share/in and /management-server/users/share/out respectively. All users see identical output (independent of file ownership) under these in and out contexts. Only the owner of the file (or the admin or service users) can delete a file.

For example, if user testuser1 (with no shell access) uses SCP to transfer a file named a.txt into the management server, anyone logged into the management server will see a.txt displayed in the /management-server/users/share/in context. No one other than testuser1 (or admin or service) can delete a.txt from the management server.

The service and admin users are authorized to delete any existing file in the SCP subdirectories, using the CLI rm command. Other users are only authorized to delete files to which they have access. See the rm command in the EMC VPLEX CLI Reference Guide for details.

To modify permissions for SCP file transfers to and from the management server, do the following.

Procedure

1. Verify the attribute value for VPLEX local user testuser1 by listing the /management-server/users/local/testuser1 context. shell-access should be set to false by default.

       VPlexcli:/management-server/users/local/testuser1> ls
       Name          Value
       ------------  ---------
       role-name     vplexuser
       shell-access  false
       user-name     testuser1

2. Run the following examples to test SCP file transfers for restricted shell user testuser1.

   a. Transfer files from a remote server and verify the file transfer was successful by listing the management server SCP in context.

       admin@host1:~> scp monitor.xml [email protected]:
       Password:
       monitor.xml                              100% 1532     1.5KB/s   00:00

       VPlexcli:/> ll /management-server/share/in/
       Name
       ---------------
       logfile
       loginbanner.txt
       monitor.xml

   b. Transfer files from the management server to an external host and verify the result on the management server. The file should be present in shell location /diag/share/out/. This path equates to /management-server/share/out/ in the CLI.

       VPlexcli:/> ll /management-server/share/out/
       Name
       --------
       testfile

      Copy files to a remote server using scp.

       admin@host1:~> scp [email protected]:testfile .
       Password:
       testfile                                 100%    0     0.0KB/s   00:00
       admin@host1:~> ls
       bin  monitor.xml  testfile

   c. Transfer files to a management server directory that is inaccessible to the shell-restricted user testuser1 using scp.

       admin@host1:~> scp testfile testuser1@
       :/tmp/
       admin@host1:~> scp logfile [email protected]:/tmp/
       Warning: Permanently added '10.110.19.35' (ECDSA) to the list of known hosts.
       Password:
       [ERROR]/tmp/: Re-enter the command without the destination file path.
       Usage: 'scp @:'

      Use SCP to transfer a file from the management server to an external host. The file is present in location /tmp/.

       admin@host1:~> scp [email protected]:/tmp/testfile .

      After the command fails, display the log file to verify the cause of failure.

       Warning: Permanently added '10.110.19.35' (ECDSA) to the list of known hosts.
       Password:
       [ERROR]scp: /tmp/testfile: No such file or directory

   d. Delete a.txt from the SCP share/in context using the rm command.

       VPlexcli:/management-server/share/in> ls
       a.txt  b.txt
       VPlexcli:/management-server/share/in> rm a.txt
       VPlexcli:/management-server/share/in> ls
       b.txt
Using a tunneled VNC connection to access the management server desktop

The SSH protocol provides a mechanism for sending otherwise unencrypted traffic through an encrypted SSH connection. Most SSH clients, such as OpenSSH and PuTTY, allow users to establish SSH tunnels by specifying a port on their local machine (source port) and a port on the management server (destination port).

Access to the management server's desktop is provided by VNC through an SSH tunnel. Users must first establish an SSH tunnel between destination port 5901 and local port 5901, and then connect a VNC viewer to local port 5901. Popular VNC clients are RealVNC and TightVNC.

To establish a tunnel, you must log in with your standard SSH credentials. After a successful login, the SSH client program must remain running to keep the SSH tunnel operational.

Follow these steps to establish a tunneled VNC connection using PuTTY:

Procedure

1. Launch PuTTY.exe, and configure the PuTTY window as shown in the figure below:

   • Server address — Public IP address of the VPLEX management server.
   • Session name — Type a name for the PuTTY session you are configuring. This allows you to load the saved session if you need to reconnect later, eliminating the need to configure the individual parameters again.
   • Default settings — Verify, and set as shown if necessary.

   Figure 4 PuTTY configuration window

2. Expand SSH in the Category list, and click Tunnels.

3. Configure the SSH port forwarding parameters as shown in the figure below, and then click Add.

   Figure 5 PuTTY configuration: SSH port forwarding parameters

4. Click Open to establish an SSH tunnel to the management server. When prompted, type the account password.

5. Authenticate as usual, and leave the PuTTY window open.

6. Launch the VNC viewer, and connect to localhost:5901.
CHAPTER 4 IP addresses and component IDs

The IP addresses of the VPLEX hardware components are determined by a set of formulae that depend on the internal management network (A or B), the Cluster IP Seed, and (for directors) the Enclosure ID (which matches the engine number). Figure 6 on page 8 shows the IP addresses in a cluster with a Cluster IP Seed of 1, and Figure 7 on page 9 shows the addresses for a Cluster IP Seed of 2. Note that the Cluster IP Seed is the same as the Cluster ID, which depends on the VPLEX implementation:

• VPLEX Local - The Cluster ID is always 1.
• VPLEX Metro - The Cluster ID for the first cluster that is set up is 1, and the second cluster is 2.

Note: The management server supports the coexistence of IPv6 and IPv4 addresses. However, the directors only support IPv4 addresses.

Figure 6 VPLEX VS1 hardware component IP addresses in cluster 1

Figure 7 VPLEX VS1 hardware component IP addresses in VPLEX Metro cluster 2

Figure 8 VPLEX VS2 hardware component IP addresses in cluster 1

Figure 9 VPLEX VS2 hardware component IP addresses in VPLEX Metro cluster 2
MMCS IP Addresses

This table lists the IP addresses of the MMCS modules on engine-1 of VPLEX VS6 systems.

MMCS   Cluster 1 IP address   Cluster 2 IP address
A      128.221.252.33         128.221.252.65
B      128.221.253.33         128.221.253.65

Director IP Addresses on VPLEX VS6

List of IP addresses of all directors on both clusters in a quad-engine VPLEX system.

Table 2 Quad-engine cluster director IP addresses

Director name   Cluster 1 IP addresses            Director name   Cluster 2 IP addresses
Director-1-1-A  128.221.252.35  128.221.253.35    Director-2-1-A  128.221.252.67  128.221.253.67
Director-1-1-B  128.221.252.36  128.221.253.36    Director-2-1-B  128.221.252.68  128.221.253.68
Director-1-2-A  128.221.252.37  128.221.253.37    Director-2-2-A  128.221.252.69  128.221.253.69
Director-1-2-B  128.221.252.38  128.221.253.38    Director-2-2-B  128.221.252.70  128.221.253.70
Director-1-3-A  128.221.252.39  128.221.253.39    Director-2-3-A  128.221.252.71  128.221.253.71
Director-1-3-B  128.221.252.40  128.221.253.40    Director-2-3-B  128.221.252.72  128.221.253.72
Director-1-4-A  128.221.252.41  128.221.253.41    Director-2-4-A  128.221.252.73  128.221.253.73
Director-1-4-B  128.221.252.42  128.221.253.42    Director-2-4-B  128.221.252.74  128.221.253.74
Dual-engine Cluster - Director IP Addresses

List of IP addresses of all directors on both clusters in a dual-engine VPLEX system.

Table 3 Dual-engine cluster director IP addresses

Director name   Cluster 1 IP addresses            Director name   Cluster 2 IP addresses
Director-1-1-A  128.221.252.35  128.221.253.35    Director-2-1-A  128.221.252.67  128.221.253.67
Director-1-1-B  128.221.252.36  128.221.253.36    Director-2-1-B  128.221.252.68  128.221.253.68
Director-1-2-A  128.221.252.37  128.221.253.37    Director-2-2-A  128.221.252.69  128.221.253.69
Director-1-2-B  128.221.252.38  128.221.253.38    Director-2-2-B  128.221.252.70  128.221.253.70
Single-engine Cluster - Director IP Addresses

List of IP addresses of all directors on both clusters in a single-engine VPLEX system.

Table 4 Single-engine cluster director IP addresses

Director name   Cluster 1 IP addresses            Director name   Cluster 2 IP addresses
Director-1-1-A  128.221.252.35  128.221.253.35    Director-2-1-A  128.221.252.67  128.221.253.67
Director-1-1-B  128.221.252.36  128.221.253.36    Director-2-1-B  128.221.252.68  128.221.253.68
Last Octets of Director IP Addresses

Table 5 Last Octets of Director IP Addresses

Deployment          Director name   Cluster 1 octets   Director name   Cluster 2 octets
Single, Dual, Quad  Director-1-1-A  35                 Director-2-1-A  67
Single, Dual, Quad  Director-1-1-B  36                 Director-2-1-B  68
Dual, Quad          Director-1-2-A  37                 Director-2-2-A  69
Dual, Quad          Director-1-2-B  38                 Director-2-2-B  70
Quad                Director-1-3-A  39                 Director-2-3-A  71
Quad                Director-1-3-B  40                 Director-2-3-B  72
Quad                Director-1-4-A  41                 Director-2-4-A  73
Quad                Director-1-4-B  42                 Director-2-4-B  74
IP Addresses

Cable                                                                                    Director IP Address
Cable ID   From                                   To                                     If cable is in Cluster 1                   If cable is in Cluster 2
in Figure
A1         MMCS-A Management A Fabric connector   Eng-2 MM-A LAN Service port            Director-1-1-A, subnet B 128.221.253.35    Director-2-1-A, subnet B 128.221.253.67
A2         Eng-2 MM-A LAN Management port         Eng-3 MM-A LAN Service port            Director-1-2-A, subnet B 128.221.253.37    Director-2-2-A, subnet B 128.221.253.69
A3         Eng-3 MM-A LAN Management port         Eng-4 MM-A LAN Service port            Director-1-3-A, subnet B 128.221.253.39    Director-2-3-A, subnet B 128.221.253.71
B1         MMCS-B Management B Fabric connector   Eng-4 MM-B LAN Management port         Director-1-1-B, subnet A 128.221.252.36    Director-2-1-B, subnet A 128.221.252.68
B2         Eng-2 MM-B LAN Management port         Eng-3 MM-B LAN Service port            Director-1-2-B, subnet A 128.221.252.38    Director-2-2-B, subnet A 128.221.252.70
B3         Eng-3 MM-B LAN Management port         Eng-4 MM-B LAN Service port            Director-1-3-B, subnet A 128.221.252.40    Director-2-3-B, subnet A 128.221.252.72
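The chapter says the component addresses follow formulae but prints only the tables. The following added example (not EMC's code) reconstructs those formulae from the tables above: the subnet bases, the cluster stride of 32, and the MMCS and director base octets are inferred from the published rows (an assumption) and checked against them, and the inventory and unexpected-address helpers are hypothetical names chosen here.

```python
# Added example, not from the EMC guide: reconstruct the VPLEX VS6 internal management
# addresses from the Cluster IP Seed, the management network (A or B) and the Enclosure ID.
# The guide states that these addresses follow formulae but only prints the tables; the
# constants below are inferred from those tables (an assumption) and verified against them.
from ipaddress import IPv4Address

# Private management networks shown in the tables: A = 128.221.252.x, B = 128.221.253.x
NETWORKS = {"A": IPv4Address("128.221.252.0"), "B": IPv4Address("128.221.253.0")}

# Inferred from the tables: cluster 2 octets are cluster 1 octets + 32, MMCS modules
# sit at .33, directors start at .35 and every engine consumes two consecutive octets.
CLUSTER_STRIDE = 32
MMCS_BASE = 33
DIRECTOR_BASE = 35
ENGINES_BY_DEPLOYMENT = {"single": 1, "dual": 2, "quad": 4}


def director_last_octet(cluster_seed, enclosure_id, director):
    """Last octet of Director-<seed>-<enclosure>-<A|B>; identical on networks A and B."""
    if cluster_seed not in (1, 2):
        raise ValueError("Cluster IP Seed is 1 (Local / first Metro cluster) or 2")
    if not 1 <= enclosure_id <= 4:
        raise ValueError("Enclosure ID (engine number) must be 1..4")
    if director not in ("A", "B"):
        raise ValueError("director must be 'A' or 'B'")
    return (DIRECTOR_BASE + CLUSTER_STRIDE * (cluster_seed - 1)
            + 2 * (enclosure_id - 1) + (1 if director == "B" else 0))


def director_ip(cluster_seed, enclosure_id, director, network):
    """Full address of a director on management network 'A' or 'B'."""
    return str(NETWORKS[network] + director_last_octet(cluster_seed, enclosure_id, director))


def mmcs_ip(cluster_seed, module):
    """MMCS-A lives on network A and MMCS-B on network B, both at the same octet."""
    return str(NETWORKS[module] + MMCS_BASE + CLUSTER_STRIDE * (cluster_seed - 1))


def parse_director_name(name):
    """'Director-2-3-B' -> (2, 3, 'B'); rejects anything that is not a director name."""
    parts = name.split("-")
    if len(parts) != 4 or parts[0] != "Director":
        raise ValueError(f"not a director name: {name!r}")
    return int(parts[1]), int(parts[2]), parts[3]


def cluster_inventory(cluster_seed, deployment):
    """Every expected private-management address of one cluster, keyed by component."""
    engines = ENGINES_BY_DEPLOYMENT[deployment]
    inventory = {f"MMCS-{m}": mmcs_ip(cluster_seed, m) for m in ("A", "B")}
    for enclosure in range(1, engines + 1):
        for director in ("A", "B"):
            name = f"Director-{cluster_seed}-{enclosure}-{director}"
            for network in ("A", "B"):
                inventory[f"{name}/subnet {network}"] = director_ip(
                    cluster_seed, enclosure, director, network)
    return inventory


def unexpected_addresses(observed, cluster_seed, deployment):
    """Addresses seen on the private management networks that no known component owns.
    Anything returned here deserves a look: it is not an MMCS or director of this cluster."""
    expected = set(cluster_inventory(cluster_seed, deployment).values())
    return sorted(set(observed) - expected)


# Rows copied from the guide's Tables 2 and 5 and the MMCS table, used to confirm that the
# inferred formula reproduces the published values (a constructed spot check).
TABLE_ROWS = {
    ("Director-1-1-A", "A"): "128.221.252.35", ("Director-1-1-A", "B"): "128.221.253.35",
    ("Director-1-2-B", "A"): "128.221.252.38", ("Director-1-3-A", "B"): "128.221.253.39",
    ("Director-1-4-B", "A"): "128.221.252.42", ("Director-2-1-A", "A"): "128.221.252.67",
    ("Director-2-2-B", "B"): "128.221.253.70", ("Director-2-4-B", "B"): "128.221.253.74",
}


def formula_matches_tables():
    """True when every published row above is reproduced by the inferred formula."""
    for (name, network), published in TABLE_ROWS.items():
        seed, enclosure, director = parse_director_name(name)
        if director_ip(seed, enclosure, director, network) != published:
            return False
    return (mmcs_ip(1, "A"), mmcs_ip(2, "B")) == ("128.221.252.33", "128.221.253.65")


if __name__ == "__main__":
    print("formula matches tables:", formula_matches_tables())
    # Constructed sample: a dual-engine cluster 1 plus one address that should not be there.
    seen = ["128.221.252.33", "128.221.252.35", "128.221.252.38", "128.221.252.99"]
    print("unexpected on subnet A:", unexpected_addresses(seen, 1, "dual"))
```

Because the private management networks on eth0 and eth2 should carry only these components, comparing an ARP or switch-table snapshot against cluster_inventory is a cheap way to notice anything else attached to them.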
CHAPTER 5 Implementing IPv6
In VPLEX, an IP address can either be an IPv4 address and/or an IPv6 address. While VPLEX continues to support IPv4, it now also provides support for the full IPv6 stack as well as dual stack IPv4/IPv6, including: l
Browser session
l
VPN connection
Note
In a virtual private network, the end points must always be of the same address family. That is, each leg in the VPN connection must either be IPv4 or IPv6. l
WAN link ports
l
CLI session
l
Cluster Witness
l
Recover Point
In Release 5.3, IPv6 is available only with new installations. The transition from an IPv4 network to a network where IPv4 and IPv6 coexist is challenging because the two protocols are not designed to interoperate. Transition technologies such as tunneling or translator gateways are required to exchange traffic between the two types of network. The VPLEX management server uses the dual-stack mechanism to deploy IPv6. This mechanism provides complete support for both IPv4 and IPv6 and allows applications to talk to both IPv4 and IPv6 peers. However, the choice of IP version is based on the name lookup and application preference. The following table describes IPv6 support on VPLEX components along with additional notes.

Table 6 IPv6 support on VPLEX components

VPLEX Component     Supports IPv4   Supports IPv6   Coexistence
Management server   Yes             Yes             Yes
    Notes:
    • The management server supports only global scope IPv6 static address configuration.
    • The management server supports the coexistence of both IPv4 and IPv6 addresses.
Director            Yes             No              No
    Notes: Directors continue to support IPv4 addresses.
Cluster Witness     Yes             Yes             Yes
    Notes: The IPv6 address for a Cluster Witness can be specified using vCenter or the VMware console -> Configure Network.
WAN COM             Yes             Yes             No
    Notes: The IP-WAN-COM link operates on either IPv4 or IPv6.
VASA Provider       Yes             No              No
    Notes: Although the VPLEX SMS supports IPv6, the VASA provider continues to support only IPv4 in Release 5.3. Therefore, VASA providers running in an IPv6 environment must specify the IPv4 SMS address for VASA provider setup or registration.
RecoverPoint        Yes             Yes             Yes
    Notes: RecoverPoint can communicate with the management server using either an IPv4 address or an IPv6 address.
LDAP/AD server      Yes             Yes             Yes
    Notes: The IP address can be specified during the LDAP configuration. To change the configured IP address, the configuration must be recreated.
The EMC VPLEX Administration Guide provides additional information on IPv6.
CHAPTER 6 Security configuration settings
This section provides an overview of user accounts and privileges.
• User roles, accounts, and privileges...................................................................... 32
User roles, accounts, and privileges

This table provides an overview of VPLEX accounts and associated privileges.

Table 7 VPLEX user accounts and privileges

Component: Management server (1)

  Account type: service
  Default password: Mi@Dim7T (2)
  Privileges:
  • Access to the management server desktop, VPlexcli, and Unisphere for VPLEX GUI
  • Ability to start and stop management server services
  • Execute permissions for VPlexcli related scripts
  • Ability to execute VPlexcli commands
  • Read/write access to log files

  Account type: admin
  Default password: teS6nAX2 (3)
  Privileges:
  • Access to the management server desktop, VPlexcli, and Unisphere for VPLEX GUI
  • Ability to create, modify, and delete user accounts
  • Ability to execute VPlexcli commands
  • Read-only access to log files

  Account type: vplexuser (default user)
  Privileges:
  • Access dependent on that granted with Role-based User Access. See Role-based User Access on page 38 for complete descriptions of user types and permissions.

  Account type: readonly
  Privileges:
  • Restricted access dependent on that granted with Role-based User Access. See Role-based User Access on page 38 for complete descriptions of user types and permissions.

  Account type: root
  Privileges:
  • Root privileges are disabled.
  • Root privileges
  • Access to management server desktop
  • Read-only access to log files

Component: Fibre Channel COM switch (4)

  Account type: service (5)
  Default password: Mi@Dim7T
  Privileges:
  • Access to the Fibre Channel internal switch interface
  • Ability to start and stop switch services

  Account type: admin
  Default password: Ry3fog4M5
  Privileges:
  • Access to the Fibre Channel internal switch interface
  • Ability to add and delete other accounts on the switch interface
  • Ability to change passwords on the switch interface

  Account type: user
  Default password: jYw13ABn
  Privileges:
  • Access to the Fibre Channel switch interface

Notes:
(1) You cannot delete the default management server accounts.
(2) Given the elevated permissions granted to the service account, its password must be changed in order to better protect VPLEX from misuse or abuse of those privileges. Changing the service account password on page 51 provides more information.
(3) The first user who attempts to log in as admin is prompted to change the admin password before logging in. To change the password when prompted, follow the steps in Changing passwords on page 50. Follow all instructions except for changing the password after you log in.
(4) Fibre Channel COM switches exist only in dual-engine and quad-engine VPLEX clusters.
(5) In switches that are shipped for field replacement or hardware upgrade (rather than as part of a cabinet system), the admin account password is password, and there is no service account.
The following table provides an overview of specific operations that each account type can perform on a VPLEX component.

Table 8 VPLEX operations and account types

Component / Operation                              service  admin  user
Management server
  Startup and shutdown                             Yes      No     No
  Create, modify, and delete users                 No       Yes    No
  Modify your own password                         Yes      Yes    Yes
  Update or reset passwords for other users        No       Yes    No
  Set IP configuration                             Yes      No     No
  Change host names                                Yes      No     No
  Start or stop NTP                                Yes      No     No
  Start or stop VPN                                Yes      No     No
  Install, upgrade, backup, and restore            Yes      No     No
  Run CRON jobs                                    Yes      Yes    Yes
VPLEX CLI (VPLEX management)
  Configure SNMP                                   Yes      Yes    Yes
  Manage users and passwords                       No       Yes    No
  Manage password policy                           No       Yes    No
  Configure CallHome                               Yes      Yes    Yes
  Create or renew certificates                     Yes      Yes    Yes
  Start and stop NTP                               Yes      Yes    Yes
  Configure LDAP                                   Yes      Yes    Yes
  Configure VPN                                    Yes      Yes    Yes
  Configure Cluster Witness                        Yes      No     No
  Run EZ-Setup                                     Yes      No     No
  Configure and manage storage                     Yes      Yes    Yes
Fibre Channel COM switch
  Log in                                           Yes      Yes    Yes
  Run switch commands                              Yes      Yes    Yes
CHAPTER 7 Configuring user authentication
VPLEX customers can choose to configure their user accounts using either:
• An external OpenLDAP or Active Directory server which integrates with Unix using Services for UNIX 3.5, Identity Management for UNIX, or another authentication service. OpenLDAP and Active Directory users are authenticated by the server. Usernames and passwords created on an external server are fetched from the remote system to the VPLEX system each time they are used.
• The VPLEX management server. Usernames and passwords are created locally on the VPLEX system, and are stored on VPLEX.

Customers who do not want to use an external LDAP server for maintaining user accounts create their user accounts on the VPLEX system itself. VPLEX is pre-configured with two default user accounts: admin and service. Refer to the EMC VPLEX CLI Command Reference Guide for information on the commands used to configure user authentication.

• Role-based access control feature overview.......................................................... 38
• Implementing LDAP............................................................................................... 40
• Password policy ................................................................................................... 41
• Synchronizing service account password to MMCS peer........................................ 45
Role-based access control feature overview

To improve security, beginning with GeoSynchrony release 6.0, shell access is limited to the admin and service users only. Any user or script previously defined with shell access (such as service, for example) will continue to have shell access in release 6.0. Users or scripts that did not have shell access prior to 6.0 must have their accounts explicitly defined by role-based access control. See the EMC VPLEX CLI Reference Guide for more information about the user add command with the -r option.

Users who are defined as either admin or service are taken to the shell command line once logged in to the management server. Users without shell access are redirected to the VPLEX CLI. All users using LDAP credentials are defined as vplexuser by default. Individual login credentials can be set for LDAP users, as every user account has a different username and password. However, all LDAP users are given identical privileges (same role and same shell access value). The Administrator can either grant or revoke shell access for any customizable role, such as vplexuser.

In previous releases, the sections Connecting to the management server (Local and Metro), Logging on to VPLEXcli (Local and Metro), and Conceptual: Connect to Cluster 2 (Metro) had the user invoking the CLI from the shell. This is not needed for 6.0 and later releases: the user is automatically taken to the CLI (unless that user is admin or service or is defined as having shell privileges by the Administrator).

Note: In order to issue shell commands, you must either be logged in as admin or service or have shell access explicitly granted by the Administrator. Refer to the EMC VPLEX Security Configuration Guide for instructions on using the CLI to define accounts for shell access.

SCP file transfers

VPLEX allows file transfer to and from the management server using SCP. In VPLEX release 6.0, SCP permissions are granted with shell access. Users with no shell access can perform SCP on files only (not on directories) from or to a single directory. An additional CLI context represents this SCP directory. See the EMC Security Configuration Guide for detailed information and examples.

Note: If you do not have shell access, you can only access a single directory when uploading and downloading files.
Role descriptions

This topic describes the roles supported under role-based access. Shell access is turned off by default for all new VPLEX accounts. Roles are defined as follows:
• securityadmin - This role is to be used by the VPLEX administrator at the customer site. Only one securityadmin account is allowed in the management server. securityadmin has the same permissions as the vplexuser role but also manages user authorization and authentication (creating and deleting accounts).
• service - This role is to be used by authorized EMC service personnel only in order to configure VPLEX.
• vplexuser - This role is the basic minimum-access VPLEX user account. Best practice is to assign the majority of users this role with a unique customized account name. Limit assigning the securityadmin role as much as possible to ensure security in your installation. vplexuser role accounts correspond to accounts created by the admin as well as authorized VPLEX LDAP accounts.
• readonly - The readonly role limits users to performing read-only commands with the CLI, ensuring the user cannot invoke commands that damage or inhibit VPLEX functionality. It also provides a method of ensuring that automated monitoring tools and scripts (CLI or REST) do not accidentally invoke damaging or unintended commands. The admin can create one or more accounts that have the readonly role. vplexuser role accounts (as well as authorized VPLEX LDAP accounts) created by the Administrator may be defined as readonly when deemed necessary.

Table 9 Description of roles in Role-based Access Control

Role           User name         Shell access (default)
securityadmin  admin             Customizable (true)
service        service           Always true
vplexuser      Customized name   Customizable (false)
readonly       Customized name   Customizable (false)

Current admin and service users continue to have shell access. The Administrator can turn shell access for service on or off on a per-account basis as described in this document.
Role-based access control and NDU

This topic describes the impact of role-based access in relation to NDUs.

Impact of role-based access control on NDU and non-NDU tasks

For VPLEX release 6.0, NDU and non-NDU tasks are impacted as follows.
• For NDUs - There is no noticeable change in behavior during NDU with regard to shell access. However, note that in the next major release, explicit access must be granted through role-based access control for shell access going forward (after upgrading to the next major release). It is possible that this explicit access for the next major release may be granted through an automated step in the upgrade process, though this is not confirmed at this time.
• For non-NDU tasks - The Administrator must explicitly grant shell access after creating new accounts (vplexuser and readonly roles). Shell access continues for pre-existing accounts with shell access (admin and service). Again, be aware that in subsequent releases all accounts will have to be granted explicit shell access via role-based access control.

Example 1 Existing VPLEX customer NDUs to VPLEX release 6.0

John is an existing EMC customer. He is defined as admin and has always had Administrator privileges and shell access. For VPLEX release 6.0, John sees no change in behavior and does not need to grant himself shell access (using role-based access control) when upgrading to VPLEX release 6.0. John will, however, need to grant himself explicit shell access in future major releases.

Example 2 New VPLEX customer performs Greenfield install

Pete is a new EMC VPLEX customer performing a Greenfield install (no NDU). Pete plans to log in as either the admin or the service user. admin and service users have shell access by default in VPLEX release 6.0, so Pete does not need to perform any tasks in order to execute shell commands.

Example 3 Existing VPLEX customer NDUs to VPLEX release 6.0 and adds new user

Mary is a VPLEX customer. She NDUs to VPLEX release 6.0. After the NDU, Mary finds she needs to grant shell access to a new user, Paul. Mary must use role-based access control to define Paul as a user with shell access, even though she does not have to explicitly define shell access for herself until the next major release.

Example 4 Existing VPLEX customer with shell scripts

Susan is a VPLEX customer. She NDUs to VPLEX release 6.0. Susan has many scripts that she runs which access the shell, running under her admin account (which had shell access). Again, she will not have to explicitly grant shell access with role-based access control for VPLEX release 6.0, but she will for the next major release.
Implementing LDAP

Starting in Release 5.2 and later, LDAP configuration is securely persisted using an internal security component. This eliminates bind user credential vulnerabilities. The new implementation of LDAP includes the following:
• Use of a new internal security component that ensures information is securely persisted.
• Support for Directory Server groups, a logical collection of users. Groups can be specified using the configuration commands and can be added or removed using the map and unmap commands.
  Note: Nested groups and dynamic groups are not supported.
• Mapping of OrganizationalUnits (OUs) is not supported. Use of groups to map multiple users is recommended.

For upgraded systems or systems that have not previously had LDAP configured, existing configuration information or the way it is persisted is not automatically modified. Authentication continues as it was prior to upgrade. However, users can continue to be mapped or unmapped with the old configuration.

To use the new implementation in a system where an LDAP configuration already exists, the LDAP configuration must be reconfigured (unconfigured and configured) to leverage the new security features.

Note: EMC recommends using the LDAPS protocol for secure communication between the Management Server and the Directory Server. LDAP configuration in the Management Server requires directory server attributes which are not explicitly captured during the EZSetup interview process. Default values are used instead, causing configuration issues only for Microsoft Windows Active Directory Server. Instead, use the authentication directory-service configure command to configure the management server with Microsoft Windows Active Directory configuration details after completing EZSetup. The VPLEX CLI Guide provides information on the commands used to configure LDAP.
Password policy

This topic details password policies and default values. The VPLEX management server uses a Pluggable Authentication Module (PAM) infrastructure to enforce minimum password quality. It uses pam_cracklib, a library that checks for dictionary words, to check potential passwords.

Table 10 Default password policies

Minimum password length
  Description: The minimum number of characters used when creating or changing a password. The minimum number of characters includes numbers, uppercase and lowercase letters, and special characters.
  Default value: 8

Minimum password age
  Description: The minimum number of days a password cannot be changed after the last password change. The service account default is 0 days.
  Default value: 1

Maximum password age
  Description: The maximum number of days that a password can be used since the last password change. After the maximum number of days, the account is locked and the user must contact the admin user to reset the password. The service account default is 3650 days.
  Default value: 90

Password expiration warning
  Description: The number of days before the password expires during which a warning message indicating that the password must be changed is displayed. The service account default is 30 days.
  Default value: 15

Password inactive days
  Description: The number of days after a password has expired before the account is locked.
  Default value: 1
In Release 5.2 and later, the management server uses the default values for the password policies listed in the Default password policies table, and you can configure each password policy to meet your specific needs. The new value is updated in the appropriate configuration file, and existing users are updated with the new configuration. Refer to the EMC VPLEX CLI Command Reference Guide for information on the commands used to set password policies and the values allowed. Note the following:
• Password policies do not apply to users configured using the LDAP server.
• The Password inactive days policy does not apply to the admin account, to protect the admin user from account lockouts.
• During the management server software upgrade, an existing user's password is not changed; only the user's password age information changes.
• You must be an admin user to configure a password policy.
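As an added example (not part of this guide or the VPLEX software), the following Python models how the Table 10 age settings interact for a local account. It assumes the shadow-style semantics the table describes: a password cannot be changed again before the minimum age, a warning is shown during the last warn_days before the maximum age, the password expires when the maximum age is reached, and the account locks inactive_days after that, with admin exempt from the inactive-day lockout as the note above states. The policy objects, function names and the sample account list are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    """Password age settings, in days, as listed in Table 10."""
    min_age: int        # Minimum password age
    max_age: int        # Maximum password age
    warn_days: int      # Password expiration warning
    inactive_days: int  # Password inactive days


# Table 10 defaults for ordinary local accounts and for the service account.
DEFAULT_POLICY = PasswordPolicy(min_age=1, max_age=90, warn_days=15, inactive_days=1)
SERVICE_POLICY = PasswordPolicy(min_age=0, max_age=3650, warn_days=30, inactive_days=1)


def password_state(days_since_change: int, policy: PasswordPolicy,
                   account: str = "user") -> Dict[str, bool]:
    """Evaluate a local account's password on a given day (assumed shadow-style semantics)."""
    expired = days_since_change >= policy.max_age
    days_left = policy.max_age - days_since_change
    locked = (
        expired
        and account != "admin"  # the guide exempts admin from inactive-day lockouts
        and days_since_change >= policy.max_age + policy.inactive_days
    )
    return {
        "may_change": days_since_change >= policy.min_age,
        "warning": not expired and days_left <= policy.warn_days,
        "expired": expired,
        "locked": locked,
    }


def accounts_needing_attention(accounts: List[Tuple[str, int]]) -> List[str]:
    """Report accounts that are in the warning window, expired, or locked.

    `accounts` holds (user-name, days since the last password change); the
    service account is evaluated against its own Table 10 defaults.
    """
    report: List[str] = []
    for name, days in accounts:
        policy = SERVICE_POLICY if name == "service" else DEFAULT_POLICY
        state = password_state(days, policy, account=name)
        if state["locked"]:
            report.append(f"{name}: locked (expired {days - policy.max_age} days ago)")
        elif state["expired"]:
            report.append(f"{name}: expired, must change at next login")
        elif state["warning"]:
            report.append(f"{name}: expires in {policy.max_age - days} days")
    return report


if __name__ == "__main__":
    # Constructed sample: user-name and days since the last password change.
    sample = [("admin", 91), ("service", 3630), ("backup", 80), ("monitor", 10), ("oldacct", 120)]
    for line in accounts_needing_attention(sample):
        print(line)
```

Running the sample lists admin as expired but not locked (the admin exemption), service inside its 30-day warning window, backup inside the 15-day window, and oldacct locked one day after its 90-day expiry; monitor needs no action.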
Password policy default values after an upgrade
• If upgrading from a release prior to 5.1 to release 5.2, the default values will be new. If desired, you can change these values. Refer to the EMC VPLEX CLI Command Reference Guide for information on setting password policies.
• If upgrading from release 5.1 to 5.2, the admin user will no longer have the 90 day expiration set. The default value for the minimum password length will be 14 as it was set previously. You can change this value if desired. Refer to the EMC VPLEX CLI Command Reference Guide for information on setting password policies.
• After upgrading to release 5.2, the admin user will not be locked after the password expires. If the password for the administrator account has not been changed in the last 91 days, after upgrading to release 5.2, the admin user will be forced to change the password on the first login (after it has expired).
• After upgrading to 5.5 from 5.2 or earlier, 5.3 or 5.4, if you did not change the default service password, you must do so within 30 days. A message displays to remind you that the default service password will expire in 30 days.
• When installing VPLEX 5.5 on a new system, follow these prompts to change the default service password:

    Checking if the default password is in use...
    Changing password for service.
    Please enter the old password:
    Please enter the new password:
    Please reenter the new password:
    Successfully completed password change for service.

Similar steps to change the default service password are executed after the upgrade from VPLEX 5.2/5.4/5.5 to VPLEX 5.5. These are not encountered if the default service password has already been changed prior to the VPLEX 5.5 upgrade.

Valid password characters

The following characters are allowed in a VPLEXcli password:
• A-Z
• a-z
• 0-9
• . ? / * @ ^ % # + = - _ ~ : space

Note the following rules:
• A space is allowed only between the characters in a password, not at the beginning or the end of the password.
• The # cannot be used at the beginning of a password.

Cluster Witness passwords

When upgrading to VPLEX 6.0, the Cluster Witness default password is automatically changed, for security reasons, to a random value, which can be displayed by the Administrator. The Administrator can change the password to a specific value by running the configuration cw-change-password command. See the EMC VPLEX CLI Command Reference Guide for more information. Cluster Witness passwords allow these additional characters:
• !
• $
• &
• (
• )
• [
• ]
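To make the character rules concrete, here is an added Python example (not from the guide or the VPLEX code base) that checks a candidate password against the allowed VPLEXcli character set, the two placement rules, and the Table 10 default minimum length of 8; with cluster_witness=True it also accepts the extra characters Cluster Witness passwords allow. It does not replicate pam_cracklib's dictionary checks, and it assumes the placement rules apply to Cluster Witness passwords too, which the guide does not state either way. Function and constant names are this example's own.

```python
from typing import List

# Characters the guide lists as valid in a VPLEXcli password.
VPLEXCLI_ALLOWED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789"
    ".?/*@^%#+=-_~: "
)

# Additional characters the guide allows in Cluster Witness passwords.
CLUSTER_WITNESS_EXTRA = set("!$&()[]")

# Table 10 default minimum password length (configurable on the management server).
DEFAULT_MIN_LENGTH = 8


def check_password(password: str, cluster_witness: bool = False,
                   min_length: int = DEFAULT_MIN_LENGTH) -> List[str]:
    """Return the list of rule violations; an empty list means the password passes.

    Only the documented character and placement rules are checked here; the
    management server additionally runs pam_cracklib dictionary checks.
    """
    allowed = VPLEXCLI_ALLOWED | (CLUSTER_WITNESS_EXTRA if cluster_witness else set())
    problems: List[str] = []

    if len(password) < min_length:
        problems.append(f"shorter than the minimum length of {min_length}")

    disallowed = sorted({c for c in password if c not in allowed})
    if disallowed:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in disallowed))

    # A space may only appear between other characters.
    if password[:1] == " " or password[-1:] == " ":
        problems.append("space is only allowed between characters, not at the start or end")

    # Assumption for this example: the # placement rule also applies to Cluster Witness passwords.
    if password.startswith("#"):
        problems.append("password cannot begin with #")

    return problems


if __name__ == "__main__":
    # Constructed candidates; none of these is a real credential.
    for candidate, for_cws in [("Vplex.pass1", False), ("#abcdefgh", False),
                               ("abc!defgh", False), ("abc!defgh", True)]:
        verdict = check_password(candidate, cluster_witness=for_cws)
        print(f"{candidate!r} (cluster witness={for_cws}): "
              f"{'ok' if not verdict else '; '.join(verdict)}")
```

The same candidate containing "!" fails as a VPLEXcli password and passes as a Cluster Witness password, which is the only difference between the two character sets the guide describes.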
Example 5 Changing Cluster Witness passwords

1. Update the CWS password to a random password string (works if the default CWS password is currently set):

    VPlexcli:/> configuration cw-change-password
    This command will change the Cluster Witness Server password. Are you sure you want to continue? (Y/N): Y
    Cluster Witness Server credentials updated successfully

2. Update the CWS password (works if the default CWS password is currently set):

    VPlexcli:/> configuration cw-change-password -p
    This command will change the Cluster Witness Server password. Are you sure you want to continue? (Y/N): Y
    Enter the new cluster witness password:
    Re-enter password:
    The Cluster Witness Server password is changed successfully

3. Force update the CWS password:

    VPlexcli:/> configuration cw-change-password -f -p
    Enter the new cluster witness password:
    Re-enter password:
    The Cluster Witness Server password is changed successfully

4. Force update the CWS password from a known pre-set password to a new password:

    VPlexcli:/> configuration cw-change-password -c -p -f
    Enter the existing cluster witness service user's password:
    Re-enter password:
    Enter the new cluster witness password:
    Re-enter password:
    The Cluster Witness Server password is changed successfully

5. Force update the CWS password from a known pre-set password to a random string:

    VPlexcli:/> configuration cw-change-password -c -f
    Enter the existing cluster witness service user's password:
    Re-enter password:
    The Cluster Witness Server password is changed successfully
Synchronizing service account password to MMCS peer

In certain cases, you may need to manually synchronize the service account password for both MMCS-A and MMCS-B, for example when the service account password needs to be resynchronized to the peer MMCS. Use the security configure-mmcs-users command to accomplish this. See the EMC VPLEX CLI Reference Guide for more information. Execute this command only in a troubleshooting scenario, ideally when advised to do so by EMC Customer Support.

Example 6 Running the security configure-mmcs-users command

Running the command on a VS6 system produces the following result.

    VPlexcli:/> security configure-mmcs-users
    MMCS user configuration was successful.

Running the command on a non-VS6 system produces the following result.

    VPlexcli:/> security configure-mmcs-users
    This command is supported to run on VPlex VS6 hardware configuration only.
CHAPTER 8 Manage user accounts
• Adding user accounts............................................................................................48
• View or modify user account details...................................................................... 48
• Changing passwords............................................................................................. 50
• Resetting passwords............................................................................................. 51
• Changing the service account password................................................................ 51
• Deleting user accounts..........................................................................................52
Adding user accounts

Note: In a VPLEX Metro configuration, VPLEX CLI accounts created on one management server are not propagated to the second management server. The user list command displays only those accounts configured on the local management server, not both servers.

A user with an admin account can create a new account as follows:

Procedure
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management server.
2. Log in with username admin.
3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli:
   • If VPLEX GeoSynchrony 4.0.x is running on the cluster: telnet localhost 49500
   • If VPLEX GeoSynchrony 4.1.x or later is running on the cluster: vplexcli
   Log in with username admin.
4. From the VPlexcli prompt, type the following command: user add -u username
   a. When prompted, type the admin account password.
   b. When prompted for a password for the new user, type a password that adheres to the rules in Password policy on page 41.
   c. When prompted, retype the new password.

Note: The new user must change the password the first time he or she logs in.
View or modify user account details

View or modify user accounts by changing attributes of the users context.

Before you begin

When modifying user accounts, determine whether the user needs shell access. You must have administrator privileges to modify user accounts. For an overview of role-based access control functionality and impact, see the EMC VPLEX Security Configuration Guide. You grant or restrict shell access by modifying the shell-access attribute, invoking the set command in the users context. vplexuser and readonly roles are defined with customizable user names. Either the local or the ldap context is used, depending on the method that is used to access a user account (either LDAP or local access).

List the management-server/users context to view both LDAP and local users. For example:

    VPlexcli:/management-server/users> ll

• ldap context - The ldap context displays the role-name and the shell-access associated with an LDAP user. All LDAP users are given identical privileges and every LDAP user is treated the same. Attributes associated with an LDAP user account are:
  - role-name - Name of the role with which the user account is associated
  - shell-access - Defines the user's shell access privileges.
  In this example, the role-name vplexuser has shell access as an LDAP user:

    VPlexcli:/management-server/users/ldap> ll
    Name          Value
    role-name     vplexuser
    shell-access  true

• local context - The local context displays the role-name and the shell-access for a user with local access. By default, admin and service are local users. In addition, any user in the system created by admin is a local user. Attributes associated with a local user account are:
  - user-name - Name of the user
  - role-name - Name of the role with which the user account is associated
  - shell-access - Defines the user's shell access privileges.
  In this example, the admin user is defined with role securityadmin and shell-access disabled:

    VPlexcli:/management-server/users/local/admin> ll
    Name          Value
    role-name     securityadmin
    shell-access  false
    user-name     admin

To modify attributes such as role-name or shell-access, run the set command on the appropriate user account context.

Procedure
1. List the attributes of the user (testuser in this example) by navigating to the appropriate context and running the ll command.

    VPlexcli:/management-server/users/local/testuser> ll
    role-name    : user
    shell-access : false
    user-name    : testuser

2. To grant shell access for testuser, run the set command.
   a. Set shell-access to true as follows: set shell-access true.
   b. Enter the administrator password.
   c. Verify that the attributes of the user (testuser in this example) have been successfully modified by navigating to the appropriate context and running the ll command.
3. To revoke or restrict shell access for testuser, use the set command.
   a. Set shell-access to false as follows: set shell-access false.
   b. Enter the administrator password.
   c. Verify that the attributes of the user (testuser in this example) have been successfully modified by navigating to the appropriate context and running the ll command. If shell access was revoked, the following output is displayed.

    VPlexcli:/management-server/users/local/testuser> ll
    role-name    : user
    shell-access : false
    user-name    : testuser

Note
• role-name and shell-access are the only two writable attributes. user-name is not modifiable.
• The service account cannot be restricted from having shell access.
• The role-name of the admin and service accounts is not modifiable. For local user and LDAP accounts, role-name can be modified to either vplexuser or readonly. If any other role-name is provided, the command fails with the following error message:

    set: Evaluation of <> failed.
    cause: Failed to update value of 'role-name'.
    cause: Failure committing new value for role-name on admin.
    cause: Invalid role-name. Valid values are 'readonly' and 'vplexuser'. All values are case-sensitive.
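The listings above are what an administrator reviews by hand when deciding who keeps shell access. As an added example (not from the guide or the VPLEX software), the Python below parses ll output in both shapes shown in this section, the Name/Value columns and the attribute : value form, and reports accounts whose shell access or role deserves a second look: local accounts other than admin and service with shell-access true, an ldap context with shell-access true (which, as noted above, applies to every LDAP user), and any role-name outside the documented set. The sample listings are constructed for the example and the user names in them are invented; the function names are this example's own.

```python
from typing import Dict, List

# Roles documented in this chapter (Table 9 plus the set command's valid values).
KNOWN_ROLES = {"securityadmin", "service", "vplexuser", "readonly"}
# Accounts that the guide says keep shell access by default.
BUILTIN_SHELL_ACCOUNTS = {"admin", "service"}

# Constructed sample `ll` listings keyed by context path (not captured from a real system).
SAMPLE_CONTEXTS: Dict[str, str] = {
    "/management-server/users/local/admin": """\
Name          Value
role-name     securityadmin
shell-access  true
user-name     admin
""",
    "/management-server/users/local/service": """\
Name          Value
role-name     service
shell-access  true
user-name     service
""",
    "/management-server/users/local/backup-script": """\
role-name    : vplexuser
shell-access : true
user-name    : backup-script
""",
    "/management-server/users/local/monitor": """\
role-name    : readonly
shell-access : false
user-name    : monitor
""",
    "/management-server/users/local/testuser": """\
role-name    : user
shell-access : false
user-name    : testuser
""",
    "/management-server/users/ldap": """\
Name          Value
role-name     vplexuser
shell-access  true
""",
}


def parse_ll(text: str) -> Dict[str, str]:
    """Turn one `ll` listing into an attribute dictionary.

    Handles both the two-column `Name Value` layout and the `name : value`
    layout; the prompt line and the column header are skipped.
    """
    attrs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("VPlexcli:") or line.startswith("Name "):
            continue
        if ":" in line:
            name, _, value = line.partition(":")
        else:
            name, _, value = line.partition(" ")
        attrs[name.strip()] = value.strip()
    return attrs


def audit_shell_access(contexts: Dict[str, str]) -> List[str]:
    """Return one finding per account that warrants review."""
    findings: List[str] = []
    for ctx, text in contexts.items():
        attrs = parse_ll(text)
        role = attrs.get("role-name", "")
        has_shell = attrs.get("shell-access", "").lower() == "true"

        if ctx.endswith("/users/ldap"):
            # One setting covers every LDAP user, so shell access here is broad.
            if has_shell:
                findings.append(f"{ctx}: every LDAP user (role {role}) has shell access")
            continue

        name = attrs.get("user-name", ctx.rsplit("/", 1)[-1])
        if role not in KNOWN_ROLES:
            findings.append(f"{name}: unexpected role-name {role!r}")
        if has_shell and name not in BUILTIN_SHELL_ACCOUNTS:
            findings.append(f"{name}: shell access granted to a {role} account")
    return findings


if __name__ == "__main__":
    for finding in audit_shell_access(SAMPLE_CONTEXTS):
        print(finding)
```

On the constructed sample this reports the backup-script account (a vplexuser with shell access), the testuser account (role-name outside the documented set), and the ldap context (shell access for all LDAP users); admin and service are expected to have shell access and are not reported.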
Changing passwords

Any user can change his or her own password as follows:

Procedure
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management server.
2. Log in with the applicable username.
3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli:
   • If VPLEX GeoSynchrony 4.0.x is running on the cluster: telnet localhost 49500
   • If VPLEX GeoSynchrony 4.1.x or later is running on the cluster: vplexcli
   Log in with the applicable username.
4. From the VPlexcli prompt, type the following command: user passwd -u username
   a. When prompted, type the old password.
   b. When prompted for a new password, type a password that adheres to the rules in Password policy on page 41.
   c. When prompted, retype the new password.
Resetting passwords

A user with an admin account can reset passwords for other users as follows:

Procedure
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management server.
2. Log in with username admin.
3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli:
   • If VPLEX GeoSynchrony 4.0.x is running on the cluster: telnet localhost 49500
   • If VPLEX GeoSynchrony 4.1.x or later is running on the cluster: vplexcli
   Log in with username admin.
4. From the VPlexcli prompt, type the following command: user reset -u username
   a. When prompted, type the admin account password.
   b. When prompted for a password for the new user, type a password that adheres to the rules in Password policy on page 41.
   c. When prompted, retype the new password.

Note: The user must change the password the next time he or she logs in.
Changing the service account password

Beginning with release 5.5, users are required to change the service password upon first use. EZSetup prompts the user to change the service user password during the initial setup. Note that the policies for passwords listed in Password policy on page 41 apply to the service password. The service password change is required in order to provide optimal protection for the powerful service account. The service account is used by EMC to provide remote support through the EMC ESRS gateway. Therefore, the service password must be updated or recorded in the customer service database in order to provide this support. The service password must be changed in two locations:
• Management server
• Fibre Channel switches

To change the service password on the Fibre Channel switches, use the switch's passwd command.
Deleting user accounts

A user with an admin account can delete a different account as follows:

Procedure

1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management server.
2. Log in with username admin.
3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli:
   • If VPLEX GeoSynchrony 4.0.x is running on the cluster: telnet localhost 49500
   • If VPLEX GeoSynchrony 4.1.x or later is running on the cluster: vplexcli
   Log in with username admin.
4. From the VPlexcli prompt, type the following command: user remove -u username
   When prompted, type the admin account password.
CHAPTER 9 Log file settings
Log file settings

This section describes log files relevant to security.

Log file location

The following table lists the name and location of VPLEX component log files relevant to security.

Table 11 VPLEX component log files

Component            | Location
---------------------|-----------------------------------------------
Unisphere for VPLEX  | /var/log/VPlex/cli/session.log_username
Management server OS | /var/log/messages
ConnectEMC           | /var/log/ConnectEMC/logs/ConnectEMC.log files
Firewall             | /var/log/firewall
VPN (ipsec)          | /var/log/events.log

Log file management and retrieval

All logs rotate automatically, to avoid unbounded consumption of disk space.
CHAPTER 10 Communication Security Settings
Communication security settings

This section describes the communication security settings that enable you to establish secure communication channels between VPLEX components, as well as between VPLEX components and external systems.

IP WAN COM

A VPLEX Metro system does not support native encryption over an IP WAN COM link. EMC recommends that you deploy an external encryption solution such as IPsec to achieve data confidentiality and endpoint authentication over IP WAN COM links between clusters.
Accessibility

To establish secure communication, note the following:
• The following protocols must be allowed on the customer firewall (both in the outbound and inbound filters):
  - Encapsulating Security Payload (ESP): IP protocol number 50
  - Authentication Header (AH): IP protocol number 51
• The following ports must be allowed on the customer firewall:
  - Internet Key Exchange (IKE): UDP port 500
  - NAT Traversal in the IKE (IPsec NAT-T): UDP port 4500
  - Secure Shell (SSH): TCP port 22
• Static IP addresses must be assigned to the public ports on each management server (eth3) and the public port in the Cluster Witness Server. If these IP addresses are in different subnets, the IP management network must be able to route packets between all such subnets.
• The firewall configuration settings in the IP management network must not prevent the creation of IPsec tunnels. Cluster Witness traffic as well as VPLEX management traffic leverages VPN tunnels established on top of IPsec.
• The IP management network must be capable of transferring SSH traffic between the management servers and the Cluster Witness Server.
• The IP management network must be capable of transferring ICMP traffic between the management servers and the Cluster Witness Server in order to enable configuration, upgrade, and diagnostics of Cluster Witness.
• The required minimum value for the Maximum Transmission Unit (MTU) is 1500 bytes. Configure the MTU as 1500 or larger.

Note
The IP management network must not be able to route to the following reserved VPLEX subnets: 128.221.252.0/24, 128.221.253.0/24, and 128.221.254.0/24. If VPLEX is deployed with an IP inter-cluster network, the inter-cluster network must not be able to route to the same reserved VPLEX subnets: 128.221.252.0/24, 128.221.253.0/24, and 128.221.254.0/24.
Port Usage

The following table lists all the network ports and services used by VPLEX components. This information, along with the firewall settings, is needed to use the product. Rows that share a Function or Service cell in the original table are grouped.

Table 12 Port Usage

Serial Number | Port                                                  | Function                                                                                                                             | Service             | Management server 1 | Management server 2 | Cluster Witness
--------------|-------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------|---------------------|---------------------|---------------------|----------------
1, 2          | Public port TCP/22; Service port TCP/22               | Log in to the management server OS, copy files to and from the management server using the SCP sub-service, and establish SSH tunnels | SSH                 | Yes                 | Yes                 | Yes
3, 4, 5       | Public port TCP/21; Public port TCP/443; Public port TCP/5400 to 5413 | ESRS (EMC Secure Remote Service) access to VPLEX                                                                      | ESRS                | Yes                 | Yes                 | No
6             | Public port UDP/500                                   | IPsec VPN                                                                                                                            | ISAKMP              | Yes                 | Yes                 | Yes
7             | Public port UDP/4500                                  | IPsec VPN                                                                                                                            | IPsec NAT traversal | Yes                 | Yes                 | Yes
8             | Public port UDP/123                                   | Time synchronization service                                                                                                         | NTP                 | Yes                 | Yes                 | No
9, 10         | Public port TCP/161; Public port UDP/161              | Get performance statistics                                                                                                           | SNMP                | Yes                 | Yes                 | No
11, 12        | Public port TCP/443; Service port TCP/443             | Web access to the Unisphere for VPLEX graphical user interface                                                                       | HTTPS               | Yes                 | Yes                 | No
13            | Localhost TCP/5901 (1)                                | Access to the management server's desktop. Not available on the public network. Must be accessed through an SSH tunnel.              | VNC                 | Yes                 | Yes                 | No
14            | Localhost TCP/49500 (1)                               | VPlexcli. Not available on the public network. Must be accessed through SSH.                                                         | Telnet              | Yes                 | Yes                 | No
15            | Public port UDP/53                                    | Domain Name Service                                                                                                                  | DNS                 | Yes                 | Yes                 | Yes
16            |                                                       | Any firewall between the Cluster Witness Server and the management servers needs to allow traffic for IP protocol number 1 (ICMP), 50 (ESP) and 51 (AH) |      | Yes                 | Yes                 | Yes

(1) No specific customer firewall settings are required.

Note
For VPLEX Performance Monitor, ensure that port 443 is open on the firewall between VPLEX Performance Monitor and VPLEX.
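The following is an added example, not code from the EMC guide: a pre-flight check of an IP management network against the requirements in the Accessibility section and row 16 of Table 12 (ESP, AH, IKE, NAT-T, SSH and ICMP allowed in both directions, no route to the reserved VPLEX subnets, MTU of at least 1500). The rule and route record format is an assumption standing in for whatever your firewall or router exports; it is not a VPLEX or vendor API.

```python
"""Added example (not from the EMC guide): check a firewall rule export and a
routing table against the VPLEX IP management network requirements.
The dict-based rule format below is an assumption, not a real firewall API."""
import ipaddress

# Flows that must be allowed in both directions between the management
# servers and the Cluster Witness Server (port None = the whole IP protocol).
REQUIRED = {
    ("icmp", None): "ICMP, IP protocol 1 (Cluster Witness setup, upgrade and diagnostics)",
    ("esp", None): "ESP, IP protocol 50 (IPsec)",
    ("ah", None): "AH, IP protocol 51 (IPsec)",
    ("udp", 500): "IKE/ISAKMP",
    ("udp", 4500): "IPsec NAT-T",
    ("tcp", 22): "SSH",
}
# Reserved VPLEX subnets that the management network must not route to.
RESERVED = [ipaddress.ip_network(n) for n in
            ("128.221.252.0/24", "128.221.253.0/24", "128.221.254.0/24")]
MIN_MTU = 1500  # required minimum MTU in bytes

def missing_allowances(rules):
    """Return the required flows that are not allowed in both directions.
    A rule is {'proto', 'port' (or None), 'direction': 'in'|'out', 'action'}."""
    allowed = {(r["proto"].lower(), r.get("port"), r["direction"])
               for r in rules if r["action"] == "allow"}
    missing = []
    for (proto, port), why in REQUIRED.items():
        for direction in ("in", "out"):
            if (proto, port, direction) not in allowed:
                label = proto if port is None else f"{proto}/{port}"
                missing.append(f"{direction}bound {label}: {why}")
    return missing

def reserved_routes(routes):
    """Return the CIDR routes that overlap a reserved VPLEX subnet."""
    return [cidr for cidr in routes
            if any(ipaddress.ip_network(cidr, strict=False).overlaps(r) for r in RESERVED)]

def mtu_ok(mtu):
    """True when the configured MTU meets the 1500-byte minimum."""
    return mtu >= MIN_MTU

def _both(proto, port=None):
    """Build an allow rule in each direction (used to assemble the sample)."""
    return [{"proto": proto, "port": port, "direction": d, "action": "allow"}
            for d in ("in", "out")]

# Constructed sample firewall export: complete except for outbound ICMP.
SAMPLE_RULES = (_both("esp") + _both("ah") + _both("udp", 500) + _both("udp", 4500)
                + _both("tcp", 22)
                + [{"proto": "icmp", "port": None, "direction": "in", "action": "allow"}])
# Constructed sample routing table; the last entry overlaps 128.221.253.0/24.
SAMPLE_ROUTES = ["10.20.0.0/16", "192.168.7.0/24", "128.221.253.128/25"]
```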
Communications specifications - VPLEX Metro system

This figure illustrates the communication between VPLEX components in a VPLEX Metro system.

Figure 10 VPLEX Metro system
This table describes the possible communication between the VPLEX components in a VPLEX Metro system. Each row lists the entries for that serial number in column order; empty cells are omitted.

Table 13 Communication in a VPLEX Metro system

Columns: Serial Number | A <-> B | A <-> C | A <-> D | B <-> C | B <-> D | B <-> E | C <-> D | C <-> E

1: Yes; Yes; Yes (only for initial setup); Yes; Yes (only for code upgrades); Yes (only for code upgrades)
2: Yes; Yes; Yes (only for initial setup); Yes; Yes (only for code upgrades); Yes (only for code upgrades)
3: Yes; Yes
4: Yes; Yes
5: Yes; Yes
6: Yes; Yes; Yes
7: Yes; Yes; Yes
8: Yes
9: Yes; Yes
10: Yes; Yes
11: Yes; Yes
12: Yes; Yes
13: Yes; Yes
14: Yes; Yes
15: Yes
16: Yes
Yes; Yes
Yes

Legend:
• A - VPLEX Management Client
• B - Management Server 1
• C - Management Server 2
• D - VPLEX Cluster Witness
• E - ESRS Server
Communications specifications - VPLEX Local system

This figure illustrates the communication between VPLEX components in a VPLEX Local system.

Figure 11 VPLEX Local system

This table describes the possible communication between the VPLEX components in a VPLEX Local system. Each row lists the entries for that serial number in column order; empty cells are omitted.

Table 14 Communication in a VPLEX Local system

Columns: Serial Number | A <-> B | B <-> C

1: Yes
2: Yes
3: Yes
4: Yes
5: Yes
6, 7, 8, 9: Yes
10: Yes
11: Yes
12: Yes
13: Yes
14: Yes
15, 16: (none)

Legend:
• A - VPLEX Management Client
• B - Management Server 1
• C - ESRS Server
Network Encryption

The VPLEX management server supports SSH through the sshd daemon provided by the FIPS compliant OpenSSH package. It supports version 2 of the SSH protocol. When the management server starts for the first time, the sshd daemon generates key-pairs (private and public key) for communication with SSH clients. rsa, dsa and ecdsa key-pairs are generated to support communication with SSH version 2 clients.

The HTTPS protocol and the IPsec VPN use an X.509 host certificate to identify the server and encrypt all traffic. X.509 host certificates use a 2048 bit host key. During initial setup of a VPLEX cluster, a local Certification Authority (which signs the host certificate request) is created automatically. VPLEX supports a corporate Certification Authority signing the host certificate requests. Users can import the corporate Certificate Authority signed CA certificate, host certificate and key file. The IPsec encryption can use RSA or ECDSA cryptography generated key-pair certificates. You can use only one type (RSA or ECDSA) in configuring VPN in all three components of VPLEX, that is, the two management servers and the cluster witness server. Note that for a VPLEX Metro configuration, the host certificates for both web and VPN to be imported on both clusters should be signed and created using the same CA certificate.

To import the corporate Certificate Authority signed certificates, refer to the VPLEX CLI Guide.
Creating a local Certification Authority

A Certification Authority (CA) on the VPLEX management server must be created solely for the purposes of signing management server certificates. The VPlexcli command security create-ca-cert creates a CA certificate file and private key protected by a passphrase. By default, this command creates the following:
• A 2048-bit CA key in /etc/ipsec.d/private/strongswanKey.pem
• A CA certificate in /etc/ipsec.d/cacerts/strongswanCert.pem that remains valid for 1825 days (5 years)

You must provide a passphrase for the CA key and the CA certificate subject. The CA certificate subject must be the VPLEX cluster's serial number (found on the label attached to the top of the VPLEX cabinet). If you are creating a CA certificate for a VPLEX Metro implementation, you can use either cluster's serial number.

Creating a host certificate

Note
Host certificates are created as a part of EZsetup during a first time installation.

The VPlexcli command security create-host-certificate generates a host certificate request and signs it with the Certification Authority certificate created in Creating a local Certification Authority on page 62. By default, this command creates the following:
• A 2048-bit key in /etc/ipsec.d/private/hostKey.pem
• A host certificate in /etc/ipsec.d/certs/hostCert.pem that remains valid for 730 days (2 years)

You must provide the CA key passphrase for the host key and the host certificate subject, which must be the cluster's serial number (found on the label attached to the top of the VPLEX cabinet).
Installing the host certificate for use by HTTPS Use the security web-configure command to install the host certificate for HTTPS. See the EMC VPLEX CLI Reference Guide for more information.
Obtaining host certificate and host key fingerprints

When users first connect to the management server over SSH or by connecting to the GUI using the HTTPS protocol, they are asked to confirm the server's identity. Most client programs display the management server's fingerprints as MD5 or SHA1 checksums, allowing users to verify that they are connected to the VPLEX management server and not to another machine, possibly deployed to harvest logins and passwords for a man-in-the-middle attack. Once a user confirms the management server's identity, subsequent connections will not ask for this confirmation, but instead warn the user if the management server's fingerprint has changed, which may be another indication of a man-in-the-middle attack. A VPLEX administrator might be asked by security-conscious users for the fingerprints of both the X.509 certificate used for the GUI and for the host keys used for SSH access to the management server.
Finding the host certificate's SHA256, SHA1 and (for GUI users) MD5 fingerprints

To find the host certificate's SHA256, SHA1 and (for GUI users) MD5 fingerprints, do the following.

Procedure

1. Type the following command:
   openssl x509 -noout -in hostCert.pem -fingerprint -sha256
   Output example:
   SHA256 Fingerprint=91:65:4C:02:80:C0:C8:54:24:4A:71:2B:BF:C1:D5:3C:08:A2:2B:36:BC:7B:3D:A2:B3:8A:72:83:66:E1:36:25
2. Type the following command:
   /etc/ipsec.d/certs # openssl x509 -noout -in hostCert.pem -fingerprint -sha1
   Output example:
   SHA1 Fingerprint=2E:B0:DD:59:DD:C3:29:96:33:74:19:CC:A0:81:28:28:6F:4F:76:E4
3. At the Linux shell prompt, type the following command:
   /etc/ipsec.d/certs # openssl x509 -noout -in hostCert.pem -fingerprint -md5
   Output example:
   MD5 Fingerprint=6E:2C:A5:8E:86:11:45:26:02:09:62:97:6F:18:FD:62

Finding the SSH key fingerprint (for SSH users)

To find the SSH key fingerprint (for SSH users), do the following.

Procedure

1. At the Linux shell prompt, type the following command:
   /etc/ssh > ssh-keygen -l -f ssh_host_dsa_key
   Output example:
   1024 52:42:70:0c:22:aa:2f:e3:09:18:93:c8:20:a4:78:0c ssh_host_dsa_key.pub
2. Type the following command:
   /etc/ssh > ssh-keygen -l -f ssh_host_rsa_key
   Output example:
   1024 a4:d8:64:d0:24:b9:2c:3d:06:24:5f:3a:30:ba:83:f8 ssh_host_rsa_key.pub
3. Type the following command:
   /etc/ssh > ssh-keygen -l -f ssh_host_ecdsa_key
   Output example:
   256 ca:05:f3:9a:3e:51:fe:53:51:90:39:bf:6b:f5:78:56 [MD5]root@ManagementServer (ECDSA)
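The following is an added example, not code from the EMC guide, showing what the ssh-keygen -l output above actually is: a digest over the public key blob from the .pub file, printed in the legacy MD5 colon format (as in the guide's output examples) or the SHA256 form newer clients show. It also compares a fingerprint a user reads back over the phone with the administrator's record in constant time, tolerating case, colon and prefix differences. The key material is a constructed stand-in, not a real host key.

```python
"""Added example (not from the EMC guide): derive ssh-keygen -l style
fingerprints for an RSA host key and compare a reported fingerprint with the
administrator's record. The sample key below is constructed, not real."""
import base64, hashlib, hmac, struct

def _mpint(n):
    """RFC 4251 mpint: big-endian magnitude, leading 0x00 if the top bit is set."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return struct.pack(">I", len(b)) + b

def rsa_public_blob(e, n):
    """RFC 4253 'ssh-rsa' public key blob: string type name, mpint e, mpint n."""
    name = b"ssh-rsa"
    return struct.pack(">I", len(name)) + name + _mpint(e) + _mpint(n)

def openssh_line(blob, comment):
    """Render the blob in the one-line ssh_host_rsa_key.pub format."""
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def blob_from_openssh_line(line):
    """Inverse of openssh_line; the fingerprint is taken over this decoded blob."""
    return base64.b64decode(line.split()[1])

def md5_fingerprint(blob):
    """Legacy ssh-keygen format: 16 bytes as colon-separated lowercase hex."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def sha256_fingerprint(blob):
    """Current ssh-keygen default: 'SHA256:' plus unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def normalize(fp):
    """Canonical form so that case, colons and an 'MD5:' prefix do not matter."""
    fp = fp.strip()
    if fp.upper().startswith("SHA256:"):
        return "SHA256:" + fp[7:].rstrip("=")
    if fp.upper().startswith("MD5:"):
        fp = fp[4:]
    return fp.lower().replace(":", "")

def fingerprint_matches(reported, expected):
    """Constant-time comparison of a user-reported fingerprint with the record."""
    return hmac.compare_digest(normalize(reported), normalize(expected))

# Constructed sample key, NOT a real host key: e = 65537 and an arbitrary
# 1024-bit modulus (a real modulus is the product of two primes).
SAMPLE_E = 65537
SAMPLE_N = (1 << 1023) | 0x1234567
SAMPLE_LINE = openssh_line(rsa_public_blob(SAMPLE_E, SAMPLE_N), "root@ManagementServer")
```

A changed fingerprint on a host users have connected to before is the warning the section above describes; keeping the recorded value in a form normalize() accepts lets the administrator confirm or refute it quickly.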
Configurable HTTPS/TLS protocol

From VPLEX 6.0, the HTTPS/TLS protocol is configurable for webserver-client connections. The ability to configure the HTTPS/TLS protocol mitigates the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability over TLS-encrypted client-server HTTPS connections. You can now choose TLS levels TLSv1.0, TLSv1.1 and TLSv1.2 over SSLv3 (which has the POODLE vulnerability).

Set TLS version for Web server HTTPS connection

Use the following procedure to set the TLS version for Web server HTTPS connections in order to mitigate security risks from POODLE (Padding Oracle On Downgraded Legacy Encryption).

Procedure

1. Enter the set sslversion command to set the TLS version for a Web server HTTPS connection. Use the following command format:
   set sslversion TLSv1, SSLv2Hello,TLSversion
   where TLSversion is one of the following values:
   • TLSv1.0
   • TLSv1.1
   • TLSv1.2

   Note
   TLSv1.2 is the recommended protocol version by default.

2. Enter the webserver restart command to apply the changes.

Example 7 Setting TLS version

VPlexcli:/security/web-server> set sslversion TLSv1, SSLv2Hello,TLSv1.2

Note
After entering the CLI command, restart the Web server with the webserver restart command to apply the changes.
Data security settings

Encryption of data at rest: user passwords

Hashed user passwords are stored in /etc/shadow on the VPLEX management server. GeoSynchrony uses a hardcoded hashing algorithm to protect the passwords. From version 6.0, the SHA-512 algorithm is used to hash and store passwords, using the UNIX crypt(3) function. Passwords are stored in the VPLEX password database in the following format:

$6$salt$hash

• $6$ = encryption method, i.e. SHA-512
• salt = 16 character salt string
• hash = 86 character encrypted password string
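The following is an added example, not code from the EMC guide: an audit routine that walks shadow-formatted lines and checks that each password field uses the $6$ (SHA-512 crypt) layout described above, with a 16-character salt and an 86-character hash, flagging locked accounts, the optional rounds= variant and weaker methods ($1$ MD5, $5$ SHA-256, legacy DES). The sample database is constructed; its hash strings are placeholders of the right length and alphabet, not real crypt(3) output.

```python
"""Added example (not from the EMC guide): audit shadow-style password fields
for the $6$<16-char salt>$<86-char hash> SHA-512 crypt format."""
import re

CRYPT_CHARS = "[./0-9A-Za-z]"   # the crypt(3) base64 alphabet
METHODS = {"1": "MD5", "2a": "bcrypt", "2b": "bcrypt", "5": "SHA-256",
           "6": "SHA-512", "y": "yescrypt"}

def inspect_hash(field):
    """Return a list of findings for one shadow password field ([] means OK)."""
    if field == "":
        return ["empty password field: login without a password"]
    if field.startswith(("!", "*")):
        return ["account locked or no password set"]
    if not field.startswith("$"):
        return ["legacy DES crypt hash (13 characters, 12-bit salt)"]
    parts = field.split("$")[1:]          # "$6$salt$hash" -> ["6", "salt", "hash"]
    method = parts[0]
    if method != "6":
        return [f"method ${method}$ ({METHODS.get(method, 'unknown')}) is not SHA-512"]
    if len(parts) > 1 and parts[1].startswith("rounds="):   # "$6$rounds=N$salt$hash"
        parts = [parts[0]] + parts[2:]
    if len(parts) != 3:
        return ["malformed SHA-512 field"]
    salt, digest = parts[1], parts[2]
    findings = []
    if not re.fullmatch(f"{CRYPT_CHARS}{{16}}", salt):
        findings.append(f"salt length {len(salt)}, expected 16")
    if not re.fullmatch(f"{CRYPT_CHARS}{{86}}", digest):
        findings.append(f"hash length {len(digest)}, expected 86")
    return findings

def audit_shadow(text):
    """Map user name -> findings for every non-empty line of shadow-formatted text."""
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":", 2)[:2]
        report[user] = inspect_hash(field)
    return report

# Constructed sample database. The hash strings are placeholders with the
# correct length and alphabet, NOT real crypt(3) output.
SALT16 = "Qw8sLp2ZxV4nT7bK"
HASH86 = ("Ab1./" * 18)[:86]
SAMPLE_SHADOW = "\n".join([
    f"admin:$6${SALT16}${HASH86}:17000:0:99999:7:::",            # compliant
    f"service:$1$abcdefgh${'Cd2' * 7 + 'x'}:17000:0:99999:7:::",  # MD5 crypt
    f"legacy:$6${SALT16[:8]}${HASH86}:17000:0:99999:7:::",        # short salt
    "monitor:!:17000:0:99999:7:::",                               # locked
])
```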