    EMC VPLEX Security Configuration Guide (Docu31419)
    P/N 300-010-493-09
    March 19, 2014

    This guide provides an overview of VPLEX security configuration. Topics include:

    VPLEX overview ... 1
    Security recommendations ... 3
    IP addresses and component IDs ... 7
    Security configuration settings ... 13
    Configuring user authentication ... 15
    Manage user accounts ... 18
    Log file settings ... 21
    Communication security settings ... 21
    Data security settings ... 29

    VPLEX overview

    An EMC VPLEX cluster consists of one, two, or four engines (each containing two directors), and a management server. A dual-engine or quad-engine cluster also contains a pair of Fibre Channel switches for communication between directors.

    Each engine is protected by a standby power supply (SPS), and each Fibre Channel switch gets its power through an uninterruptible power supply (UPS). In a dual-engine or quad-engine cluster, the management server also gets power from a UPS.

    The management server has a public Ethernet port, which provides cluster management services when connected to the customer network. The management server can also provide call-home services through the public Ethernet port by connecting to an EMC Secure Remote Support (ESRS) gateway deployed on the same network. The ESRS gateway is also used by EMC personnel to provide remote service.

    Three VPLEX implementations are available:

    VPLEX Local (single cluster)

    VPLEX Metro (two clusters separated by synchronous distances)

    VPLEX Geo (two clusters separated by asynchronous distances)

    In a VPLEX Metro or VPLEX Geo implementation, the clusters are connected over IP between the management servers.




    VPLEX user authentication is configured locally on the management server or remotely on an OpenLDAP or Active Directory server which integrates with Unix using Service for UNIX 3.5, Identity Management for UNIX, or other authentication service.

    A management server in each VPLEX cluster authenticates users against account information kept on its local file system or against the LDAP/AD server. An authenticated user can manage resources in the local cluster.

    In a VPLEX Metro or VPLEX Geo, users authenticated by either management server can manage all resources in both clusters. Figure 1 on page 2 shows a VPLEX cluster configuration (quad system) example.

    Figure 1 VPLEX cluster configuration (quad-engine example; figure not reproduced: Engine 1 through Engine 4, each backed by SPS units, FC Switch A powered by UPS A, FC Switch B powered by UPS B, and the Management Server)

    Security recommendations

    While the Security Configuration Guide must be reviewed in its entirety, this section serves to highlight EMC's most important security recommendations to ensure the security of your data and environment.

    Given the elevated permissions granted to the service account, its password must be changed in order to better protect VPLEX from misuse or abuse of those privileges. Changing the service account password on page 20 provides more information.

    To protect your data in the communications between clusters in VPLEX Metro and Geo configurations, an external encryption solution such as IPsec must be used to guarantee confidentiality and authentication for the IP WAN COM link. IP WAN COM on page 21 provides more information.

    To protect the identity and integrity of your users and their account credentials, all LDAP communication must be configured to use the LDAPS protocol. Implementing LDAP on page 16 provides more information.

    VPLEX management server operating system and networking

    The VPLEX management server's operating system (OS) is based on a Novell SUSE Linux Enterprise Server 10 SP2 distribution. Starting in Release 5.3, the management server runs SUSE Linux Enterprise Server 11 patch 3.

    The operating system has been configured to meet EMC security standards by disabling or removing unused services and packages, and protecting access to network services through a firewall.

    Used packages are hardened with security updates.

    A management server has four Ethernet ports, identified as eth0 through eth3 by the operating system, and shown in Figure 2. A 1 Gb/s public management port (eth3) is the only Ethernet port in the VPLEX rack that may be connected to an external management LAN. Other components in the rack are connected to two redundant private management Ethernet networks, connected to the management server's eth0 and eth2 ports. A service port (eth1) can be connected to a local laptop, providing access to the same services as a host on the management LAN.

    Figure 2 Management server, rear view (figure not reproduced: a service cable from a customer workstation to eth1; a customer-provided Ethernet cable from eth3 to the customer IP network; eth0 and eth2 on the private management networks)


    Accessing the management server

    Three protocols allow access to a VPLEX management server over a secure and encrypted connection: SSH, HTTPS, and IPsec VPN.

    Using SSH to access the management server shell

    Users can log in to the management server shell over SSH version 2, through the management server's public Ethernet port or service port. The SSH service is available on the standard port 22.

    An SSH login with appropriate credentials allows access to a Linux shell on the management server. From there:

    Users can access the VPLEX command line interface (VPlexcli).

    A service account user can also inspect log files, start and stop services, and upgrade firmware and software.

    SSH also can be used to establish a secure tunnel between the management server and the host running the SSH client. Using a tunneled VNC connection to access the management server desktop on page 5 provides more information.

    Using HTTPS to access the VPLEX GUI

    The Unisphere for VPLEX graphical user interface (GUI) is accessible as a web service on the management server's public Ethernet port and the service port, using the HTTPS protocol. It is available on the standard port 443.

    The following URL initiates an HTTPS connection to the GUI:

    https://

    To access the GUI using an IPv6 address, use the following URL:

    https://[mgmtserver_ipv6_addr]

    For example:

    https://[3ffe:80c0:22c:803c:215:17ff:fed3:207]/smsflex/VPlexConsole.html

    Note: Accessing the VPLEX GUI or the VPLEX CLI over IPv6 is possible only if the client machine is also in an IPv6 network.

    The GUI encrypts all traffic using a server certificate. Creating a host certificate on page 27 provides more information.

    Note: The GUI has a timer that logs the user out after 10 minutes of inactivity. You can modify the timeout value to a maximum of 12 hours.

    Using IPsec VPN in a VPLEX Metro implementation

    The management servers in each VPLEX Metro cluster must connect to each other over a Virtual Private Network (VPN) through the public Ethernet port, as shown in Figure 3.

    Figure 3 IPsec VPN connection (figure not reproduced: Mgmt server 1 in Cluster 1 with eth0 and eth2 on the private Subnet A 128.221.252.32/27 and Subnet B 128.221.253.32/27; Mgmt server 2 in Cluster 2 with eth0 and eth2 on Subnet A 128.221.252.64/27 and Subnet B 128.221.253.64/27; the eth3 port of each server connected to the customer IP network, with an IPsec tunnel between the two servers)

    Although you might have already secured the network connections between two VPLEX Metro or VPLEX Geo clusters, the management servers must establish an explicit VPN connection, to acknowledge that the remote management server has full management control over the local cluster and its resources.

    The VPLEX management server uses strongSwan, an open source implementation of IPsec for Linux.

    Using SCP to copy files

    The Secure Copy Protocol (SCP) allows users to transfer files to and from the management server. SCP uses the same credentials as SSH. Popular SCP clients are WinSCP and PSCP provided by the PuTTY package, and the SCP client provided by OpenSSH.

    Using a tunneled VNC connection to access the management server desktop

    The SSH protocol provides a mechanism for sending unencrypted traffic through an encrypted SSH connection. Most SSH clients, such as OpenSSH and PuTTY, allow users to establish SSH tunnels by specifying a port on their local machine (source port), and a port on the management server (destination port).

    Access to the management server's desktop is provided by VNC access through an SSH tunnel. Users must first establish an SSH tunnel between destination port 5901 and local port 5901, and then connect a VNC viewer to local port 5901. Popular VNC clients are RealVNC and TightVNC.

    To establish a tunnel, you must log in with your standard SSH credentials. After a successful login, the SSH client program must remain running, to allow the SSH tunnel to remain operational.

    Follow these steps to establish a tunneled VNC connection using PuTTY:

    1. Launch PuTTY.exe, and configure the PuTTY window as shown in Figure 4 and the following:

    Server address: Public IP address of the VPLEX management server.


  • VPLEX management server operating system and networking

    Session name: Type a name for the PuTTY session you are configuring. This allows you to load the saved session if you need to reconnect later, eliminating the need to configure the individual parameters again.

    Default settings: Verify, and set as shown if necessary.

    Figure 4 PuTTY Configuration window (figure not reproduced: the Server address field, Session name PuTTY_VNC, and the remaining settings at their defaults)

    2. Expand SSH in the Category list, and click Tunnels.

    3. Configure the SSH port forwarding parameters as shown in Figure 5, and then click Add.


    Figure 5 PuTTY configuration: SSH port forwarding parameters (figure not reproduced: in the SSH > Tunnels category, Source port 5901 and Destination localhost:5901)

    4. Click Open to establish an SSH tunnel to the management server.

    When prompted, type the account password.

    5. Authenticate as usual, and leave the PuTTY window open.

    6. Launch the VNC viewer, and connect to localhost:5901.

    IP addresses and component IDsThe IP addresses of the VPLEX hardware components are determined by a set of formulae that depend on the internal management network (A or B), the Cluster IP Seed, and (for directors) the Enclosure ID (which matches the engine number).

    Figure 6 on page 8 shows the IP addresses in a cluster with a Cluster IP Seed of 1, and Figure 7 on page 9 shows the addresses for a Cluster IP Seed of 2. Note that the Cluster IP Seed is the same as the Cluster ID, which depends on the following VPLEX implementation:

    VPLEX Local - The Cluster ID is always 1.

    VPLEX Metro or VPLEX Geo - The Cluster ID for the first cluster that is set up is 1, and the second cluster is 2.

    Note: The management server supports the coexistence of both the IPv6 and IPv4 address. However, the directors only support IPv4 addresses.
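    The guide does not print the address formulae themselves, but they can be read off Figures 6 through 9. The following Python is an added example, not code from the guide or from EMC: it encodes the layout inferred from those figures (each cluster owns a /27 whose last-octet base is 32 times the Cluster IP Seed; the management server Mgt port takes base+1, the FC switch base+2, and the directors fill base+3 onward in the order 1A, 1B, 2A, ... 4B; network A uses third octet 252 and network B 253) and offers a check that an address seen on a private management network is one the formulae predict. The function and constant names are this example's own.

```python
import ipaddress
from typing import Dict, Optional

# Third octet of the private management networks, as read off Figures 6 to 9
# (network A uses 128.221.252.x, network B uses 128.221.253.x).
NETWORK_THIRD_OCTET = {"A": 252, "B": 253}
SERVICE_PORT_IP = "128.221.252.2"   # fixed service port (eth1) address in every figure


def cluster_base(seed: int) -> int:
    """Last-octet base of a cluster's /27 block: 32 for seed 1, 64 for seed 2 (inferred)."""
    if seed not in (1, 2):
        raise ValueError("Cluster IP Seed (Cluster ID) must be 1 or 2")
    return 32 * seed


def management_subnet(network: str, seed: int) -> ipaddress.IPv4Network:
    """The /27 shown in Figure 3 for one management network, e.g. 128.221.252.32/27."""
    return ipaddress.ip_network(
        f"128.221.{NETWORK_THIRD_OCTET[network]}.{cluster_base(seed)}/27")


def component_ip(network: str, seed: int, component: str,
                 enclosure: Optional[int] = None, director: Optional[str] = None) -> str:
    """Address of one component on management network "A" or "B".

    component is "mgmt" (management server Mgt A/B port), "fcswitch", or
    "director" (which also needs enclosure 1-4 and director "A" or "B").
    Offsets are inferred from the figures: mgmt = base+1, FC switch = base+2,
    directors from base+3 in the order 1A, 1B, 2A, 2B, ... 4B.
    """
    base = cluster_base(seed)
    if component == "mgmt":
        last = base + 1
    elif component == "fcswitch":
        last = base + 2
    elif component == "director":
        if enclosure not in (1, 2, 3, 4) or director not in ("A", "B"):
            raise ValueError("director needs enclosure 1-4 and director A or B")
        last = base + 3 + 2 * (enclosure - 1) + (1 if director == "B" else 0)
    else:
        raise ValueError(f"unknown component {component!r}")
    return f"128.221.{NETWORK_THIRD_OCTET[network]}.{last}"


def cluster_inventory(seed: int) -> Dict[str, Dict[str, str]]:
    """Every private management address of a cluster, keyed by component name."""
    inventory: Dict[str, Dict[str, str]] = {
        "Management server": {net: component_ip(net, seed, "mgmt") for net in "AB"},
        "FC switch": {net: component_ip(net, seed, "fcswitch") for net in "AB"},
    }
    for enclosure in (1, 2, 3, 4):
        for side in "AB":
            name = f"Engine {enclosure}: Director {enclosure}{side}"
            inventory[name] = {net: component_ip(net, seed, "director", enclosure, side)
                               for net in "AB"}
    return inventory


def is_expected_source(addr: str, seed: int) -> bool:
    """True if addr lies in one of the cluster's two private management /27 blocks.

    Useful when reviewing traffic seen on eth0/eth2: anything outside the two
    blocks (other than the fixed service port address) is not a cluster component.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in management_subnet(net, seed) for net in "AB")


if __name__ == "__main__":
    for name, addrs in cluster_inventory(1).items():
        print(f"{name:28s} A: {addrs['A']:16s} B: {addrs['B']}")
```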



    VPLEX VS1 hardware

    Figure 6 Component IP addresses in Cluster 1 (Cluster IP Seed = 1; Enclosure IDs = engine numbers)

    Component | Management network A address | Management network B address
    Management server (Mgt A port / Mgt B port) | 128.221.252.33 | 128.221.253.33
    FC switch A / FC switch B | 128.221.252.34 | 128.221.253.34
    Engine 1: Director 1A | 128.221.252.35 | 128.221.253.35
    Engine 1: Director 1B | 128.221.252.36 | 128.221.253.36
    Engine 2: Director 2A | 128.221.252.37 | 128.221.253.37
    Engine 2: Director 2B | 128.221.252.38 | 128.221.253.38
    Engine 3: Director 3A | 128.221.252.39 | 128.221.253.39
    Engine 3: Director 3B | 128.221.252.40 | 128.221.253.40
    Engine 4: Director 4A | 128.221.252.41 | 128.221.253.41
    Engine 4: Director 4B | 128.221.252.42 | 128.221.253.42

    Management server service port: 128.221.252.2. Management server public Ethernet port: customer-assigned.

    Figure 7 Component IP addresses in VPLEX Metro or VPLEX Geo Cluster 2 (Cluster IP Seed = 2; Enclosure IDs = engine numbers)

    Component | Management network A address | Management network B address
    Management server (Mgt A port / Mgt B port) | 128.221.252.65 | 128.221.253.65
    FC switch A / FC switch B | 128.221.252.66 | 128.221.253.66
    Engine 1: Director 1A | 128.221.252.67 | 128.221.253.67
    Engine 1: Director 1B | 128.221.252.68 | 128.221.253.68
    Engine 2: Director 2A | 128.221.252.69 | 128.221.253.69
    Engine 2: Director 2B | 128.221.252.70 | 128.221.253.70
    Engine 3: Director 3A | 128.221.252.71 | 128.221.253.71
    Engine 3: Director 3B | 128.221.252.72 | 128.221.253.72
    Engine 4: Director 4A | 128.221.252.73 | 128.221.253.73
    Engine 4: Director 4B | 128.221.252.74 | 128.221.253.74

    Management server service port: 128.221.252.2. Management server public Ethernet port: customer-assigned.

    VPLEX VS2 hardware


    Figure 8 Component IP addresses in Cluster 1 (VS2 hardware; Cluster IP Seed = 1, Enclosure IDs = engine numbers; figure not reproduced: the addresses are the same as in Figure 6, that is, Mgt A port 128.221.252.33 and Mgt B port 128.221.253.33 on the management server, FC switch A 128.221.252.34 and FC switch B 128.221.253.34, Directors 1A through 4B at 128.221.252.35 through 128.221.252.42 on the A side and 128.221.253.35 through 128.221.253.42 on the B side, service port 128.221.252.2, and a customer-assigned public Ethernet port address)

    Figure 9 Component IP addresses in VPLEX Metro or VPLEX Geo Cluster 2 (VS2 hardware; Cluster IP Seed = 2, Enclosure IDs = engine numbers; figure not reproduced: the addresses are the same as in Figure 7, that is, Mgt A port 128.221.252.65 and Mgt B port 128.221.253.65 on the management server, FC switch A 128.221.252.66 and FC switch B 128.221.253.66, Directors 1A through 4B at 128.221.252.67 through 128.221.252.74 on the A side and 128.221.253.67 through 128.221.253.74 on the B side, service port 128.221.252.2, and a customer-assigned public Ethernet port address)

    Implementing IPv6

    In VPLEX, an IP address can be an IPv4 address, an IPv6 address, or both. While VPLEX continues to support IPv4, it now also provides support for the full IPv6 stack as well as dual stack IPv4/IPv6, including:

    Browser session

    VPN connection

    Note: In a virtual private network, the end points must always be of the same address family. That is, each leg in the VPN connection must either be IPv4 or IPv6.

    WAN link ports

    CLI session

    Cluster Witness



    Recover Point

    Note: In Release 5.3, IPv6 is available only with new installations.

    The transition from an IPv4 network to a network where IPv4 and IPv6 coexist is challenging because the two protocols are not designed to be interoperable with each other. Transition technologies such as tunneling, or other translator gateways are required to exchange traffic between the two types of network.

    The VPLEX management server uses the dual stack mechanism to deploy IPv6. This mechanism provides complete support for both IPv4 and IPv6, and allows applications to talk to both IPv4 and IPv6. However, the choice of IP version is based on the name lookup and application preference.

    Table 1 describes IPv6 support on VPLEX components along with additional notes.

    Table 1 IPv6 support on VPLEX components

    VPLEX component | Supports IPv4 | Supports IPv6 | Co-existence | Notes
    Management server | Yes | Yes | Yes | The management server supports only global scope IPv6 static address configuration. The management server supports the coexistence of both the IPv4 and IPv6 address.
    Director | Yes | No | No | Directors continue to support IPv4 addresses.
    Cluster Witness | Yes | Yes | Yes | The IPv6 address for a Cluster Witness can be specified using vCenter or the VMware console -> Configure Network.
    WAN COM | Yes | Yes | No | The IP WAN COM link operates on either IPv4 or IPv6.
    VASA Provider | Yes | No | No | Although the VPLEX SMS supports IPv6, the VASA provider continues to support only IPv4 in Release 5.3. Therefore, VASA providers running in an IPv6 environment must specify the IPv4 SMS address for VASA provider setup or registration.
    RecoverPoint | Yes | Yes | Yes | RecoverPoint can communicate with the management server using either an IPv4 address or an IPv6 address.
    LDAP/AD server | Yes | Yes | Yes | The IP address can be specified during the LDAP configuration. To change the configured IP address, the configuration must be recreated.

    The VPLEX Administration Guide provides additional information on IPv6.

    Security configuration settings

    This section provides an overview of user accounts and privileges.


    User roles, accounts, and privileges

    Table 2 provides an overview of VPLEX accounts and associated privileges.

    Table 2 VPLEX user accounts and privileges

    Component | Account type | Default password | Privileges
    Management server [1] | service | Mi@Dim7T [2] | Access to the management server desktop, VPlexcli, and Unisphere for VPLEX GUI; ability to start and stop management server services; execute permissions for VPlexcli related scripts; ability to execute VPlexcli commands; read/write access to log files
    Management server [1] | admin | teS6nAX2 [3] | Access to the management server desktop, VPlexcli, and Unisphere for VPLEX GUI; ability to create, modify, and delete new user accounts; ability to execute VPlexcli commands; read-only access to log files
    Management server [1] | user | | Access to the management server desktop, VPlexcli, and Unisphere for VPLEX GUI; restricted access to management server native functions; read-only access to log files
    Fibre Channel COM switch [4] | service [5] | Mi@Dim7T [2] | Access to the Fibre Channel internal switch interface; ability to start and stop switch services
    Fibre Channel COM switch [4] | admin | Ry3fog4M [4] | Access to the Fibre Channel internal switch interface; ability to add and delete other accounts on the switch interface; ability to change passwords on the switch interface
    Fibre Channel COM switch [4] | user | jYw13ABn | Access to the Fibre Channel switch interface

    1. You cannot delete the default management server accounts.

    2. Given the elevated permissions granted to the service account, its password must be changed in order to better protect VPLEX from misuse or abuse of those privileges. Changing the service account password on page 20 provides more information.

    3. The first user who logs in as admin is prompted to change this password, which is required before any user can log in to the VPlexcli as admin. To change the password when prompted, follow the steps in Changing passwords on page 19, with the exception of step 4 (because you are asked to change the password after you log in).

    4. Fibre Channel COM switches exist only in dual-engine and quad-engine VPLEX clusters.

    5. In switches that are shipped for field replacement or hardware upgrade (rather than as part of a cabinet system), the admin account password is password, and there is no service account.

    VPLEX operations and account types

    Table 3 provides an overview of specific operations that each account type can perform on a VPLEX component.

    Table 3 VPLEX operations and account types

    Component | Operation | service | admin | user
    Management server | Startup and shutdown | Yes | No | No
    Management server | Create, modify, and delete users | No | Yes | No
    Management server | Modify your own password | Yes | Yes | Yes
    Management server | Update or reset passwords for other users | No | Yes | No
    Management server | Set IP configuration | Yes | No | No
    Management server | Change host names | Yes | No | No
    Management server | Start or stop NTP | Yes | No | No
    Management server | Start or stop VPN | Yes | No | No
    Management server | Install, upgrade, backup, and restore | Yes | No | No
    Management server | Run CRON jobs | Yes | Yes | Yes
    VPLEX CLI (VPLEX management) | Configure SNMP | Yes | Yes | Yes
    VPLEX CLI (VPLEX management) | Manage users and passwords | No | Yes | No
    VPLEX CLI (VPLEX management) | Manage password policy | No | Yes | No
    VPLEX CLI (VPLEX management) | Configure CallHome | Yes | Yes | Yes
    VPLEX CLI (VPLEX management) | Create or renew certificates | Yes | Yes | Yes
    VPLEX CLI (VPLEX management) | Start and stop NTP | Yes | Yes | Yes
    VPLEX CLI (VPLEX management) | Configure LDAP | Yes | Yes | Yes
    VPLEX CLI (VPLEX management) | Configure VPN | Yes | Yes | Yes
    VPLEX CLI (VPLEX management) | Configure Cluster Witness | Yes | Yes | Yes
    VPLEX CLI (VPLEX management) | Run EZ-Setup | Yes | Yes | Yes
    VPLEX CLI (VPLEX management) | Configure and manage storage | Yes | Yes | Yes
    Fibre Channel COM switch | Log in | Yes | Yes | Yes
    Fibre Channel COM switch | Run switch commands | Yes | Yes | Yes

    Configuring user authentication

    VPLEX customers can choose to configure their user accounts using either:

    An external OpenLDAP or Active Directory server which integrates with Unix using Service for UNIX 3.5, Identity Management for UNIX, or other authentication service.


    OpenLDAP and Active Directory users are authenticated by the server. Usernames and passwords created on an external server are fetched from the remote system to the VPLEX system each time they are used.

    The VPLEX management server

    Usernames and passwords are created locally on the VPLEX system, and are stored on VPLEX.

    Customers who do not want to use an external LDAP server for maintaining user accounts create their user accounts on the VPLEX system itself.

    VPLEX is pre-configured with two default user accounts: admin and service.

    Refer to the VPLEX CLI Guide for information on the commands used to configure user authentication.

    Implementing LDAP

    Starting in Release 5.2, LDAP configuration is securely persisted using an internal security component. This eliminates bind user credential vulnerabilities. The new implementation of LDAP includes the following:

    Use a new internal security component that ensures information is securely persisted.

    Support for Directory Server groups, a logical collection of users. Groups can be specified using the configuration commands and can be added or removed using the map and unmap commands.

    Note: Nested groups and dynamic groups are not supported.

    Mapping of organizational units (OUs) is not supported. Use of groups to map multiple users is recommended.

    For upgraded systems or systems that have not previously had LDAP configured, existing configuration information or the way it is persisted is not automatically modified. Authentications continue as they were prior to upgrade. However, users can continue to be mapped or unmapped with the old configuration.

    To use the new implementation in a system where an LDAP configuration already exists, the LDAP configuration must be reconfigured (unconfigured and configured) to leverage the new security features.

    Note: The default configuration of LDAP does not support TLS; it is recommended to use the LDAPS protocol for secure communication between the Management Server and the Directory Server.

    Note: LDAP configuration in the Management Server requires directory server attributes that are not explicitly captured during the EZSetup interview process. Default values are used instead, which causes configuration issues only for Microsoft Windows Active Directory Server. Instead, use the authentication directory-service configure command to configure the management server with the Microsoft Windows Active Directory configuration details after completing EZSetup.

    The VPLEX CLI Guide provides information on the commands used to configure LDAP.

    Password policy

    The VPLEX management server uses a Pluggable Authentication Module (PAM) infrastructure to enforce minimum password quality. It uses pam_cracklib, a library that checks for dictionary words, to check potential passwords.

    In Release 5.2 and later, the management server uses the default value for the password policies listed in Table 4, and you can configure each password policy to meet your specific needs. The new value will be updated in the appropriate configuration file, and existing users will be updated with the new configuration. Refer to the VPLEX CLI Guide for information on the commands used to set password policies and the values allowed.

    Note the following:

    Password policies do not apply to users configured using the LDAP server.

    Password policies do not apply to the service account.

    The Password inactive days policy does not apply to the admin account to protect the admin user from account lockouts.

    During the management server software upgrade, an existing user's password is not changed; only the user's password age information changes.

    You must be an admin user to configure a password policy.

    Password policy default values after an upgrade

    Note the following:

    If upgrading from a release prior to 5.1 to release 5.2, the default values will be new (see Table 4). If desired, you can change these values. Refer to the VPLEX CLI Guide for information on setting password policies.

    Table 4 Default password policies

    Policy name | Description | Default value
    Minimum password length | The minimum number of characters used when creating or changing a password. | 8
    Minimum password age | The minimum number of days a password cannot be changed after the last password change. | 1
    Maximum password age | The maximum number of days that a password can be used since the last password change. After the maximum number of days, the account is locked and the user must contact the admin user to reset the password. | 90
    Password expiration warning | The number of days before the password expires at which a warning message indicating that the password must be changed is displayed. | 15
    Password inactive days | The number of days after a password has expired before the account is locked. | 1


    If upgrading from release 5.1 to 5.2, the admin user will no longer have the 90 day expiration set. The default value for the minimum password length will be 14 as it was set previously. You can change this value if desired. Refer to the VPLEX CLI Guide for information on setting password policies.

    After upgrading to release 5.2, the admin user will not be locked after the password expires. If the password for the administrator account has not been changed in the last 91 days, then after upgrading to release 5.2 the admin user will be forced to change the password on the first login (after it has expired).

    Valid password characters

    The following characters are allowed in a VPlexcli password:

    A-Z

    a-z

    0-9

    . ? / * @ ^ % # + = - _ ~ : space

    Note: A space is allowed only between the characters in a password, not in the beginning or the end of the password.
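    As an added example (not code from the guide or from EMC), the following Python puts the Table 4 defaults and the valid-character rules to work: it screens a candidate VPlexcli password for the allowed character set and the interior-space rule, and classifies an account as ok, in its warning window, expired, or locked from its last password change. The age classification is this example's reading of Table 4, the admin exemption follows the note that the inactive-days policy does not apply to admin, and pam_cracklib's dictionary check is not reproduced; the function names and the reference date are the example's own.

```python
from datetime import date, timedelta
from typing import Optional

# Table 4 default values from the guide.
DEFAULT_POLICY = {
    "min_length": 8,      # Minimum password length
    "min_age_days": 1,    # Minimum password age
    "max_age_days": 90,   # Maximum password age
    "warn_days": 15,      # Password expiration warning
    "inactive_days": 1,   # Password inactive days
}

# Non-alphanumeric characters the guide lists as valid in a VPlexcli password.
ALLOWED_SPECIALS = set(".?/*@^%#+=-_~:")

# Constructed reference date for the convenience wrappers below (not from the guide's data).
REFERENCE_CHANGE = date(2014, 3, 19)


def check_password_characters(password: str,
                              min_length: int = DEFAULT_POLICY["min_length"]) -> Optional[str]:
    """Return None if the password passes the character and length rules, else the reason.

    Only A-Z, a-z, 0-9, the listed specials and space are accepted, and a space
    may appear only between other characters.  pam_cracklib's dictionary check
    is not reproduced here.
    """
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    if password.startswith(" ") or password.endswith(" "):
        return "a space is allowed only between characters, not at the start or end"
    for ch in password:
        if (ch.isascii() and ch.isalnum()) or ch == " " or ch in ALLOWED_SPECIALS:
            continue
        return f"character {ch!r} is not allowed"
    return None


def account_state(last_change: date, today: date, policy=DEFAULT_POLICY,
                  exempt_from_inactive_lock: bool = False) -> str:
    """Classify an account by password age; an assumed reading of Table 4.

    ok       - within the maximum age and not yet in the warning window
    warning  - within warn_days of expiry, the user should change the password
    expired  - older than max_age_days, a change is forced at next login
    locked   - older than max_age_days + inactive_days (never for an account
               exempt from the inactive-days policy, as the guide says admin is)
    """
    age = (today - last_change).days
    max_age = policy["max_age_days"]
    if age > max_age + policy["inactive_days"] and not exempt_from_inactive_lock:
        return "locked"
    if age > max_age:
        return "expired"
    if age >= max_age - policy["warn_days"]:
        return "warning"
    return "ok"


def may_change_now(last_change: date, today: date, policy=DEFAULT_POLICY) -> bool:
    """Minimum password age: a password cannot be changed again within min_age_days."""
    return (today - last_change).days >= policy["min_age_days"]


def state_days_after(days: int, exempt: bool = False) -> str:
    """State of an account `days` days after a password change made on REFERENCE_CHANGE."""
    return account_state(REFERENCE_CHANGE, REFERENCE_CHANGE + timedelta(days=days),
                         exempt_from_inactive_lock=exempt)


def change_allowed_days_after(days: int) -> bool:
    """Whether the minimum-age rule permits another change `days` days after REFERENCE_CHANGE."""
    return may_change_now(REFERENCE_CHANGE, REFERENCE_CHANGE + timedelta(days=days))


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor#x", "short", " leading1", "bad!char1"):
        print(f"{candidate!r}: {check_password_characters(candidate) or 'accepted'}")
    for days in (30, 75, 91, 92):
        print(f"{days} days after change: {state_days_after(days)}"
              f" (admin: {state_days_after(days, exempt=True)})")
```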

    Manage user accounts

    Adding user accounts on page 18

    Changing passwords on page 19

    Resetting passwords on page 19

    Changing the service account password on page 20

    Deleting user accounts on page 20

    Adding user accounts

    Note: In VPLEX Metro and Geo configurations, VPLEX CLI accounts created on one management server are not propagated to the second management server. The user list command displays only those accounts configured on the local management server, not both servers.

    A user with an admin account can create a new account as follows:

    1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management server.

    2. Log in with username admin.

    3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli:

    If VPLEX GeoSynchrony 4.0.x is running on the cluster:

    telnet localhost 49500

    If VPLEX GeoSynchrony 4.1.x or later is running on the cluster:

    vplexcli

    Log in with username admin.

    4. From the VPlexcli prompt, type the following command:

    user add -u

    a. When prompted, type the admin account password.

    b. When prompted for a password for the new user, type a password that adheres to the rules in Password policy on page 17.

    c. When prompted, retype the new password.

    Note: The new user must change the password the first time he or she logs in.

    Changing passwords

    Any user can change his/her own password as follows:

    1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management server.

    2. Log in with the applicable username.

    3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli:

    If VPLEX GeoSynchrony 4.0.x is running on the cluster:

    telnet localhost 49500

    If VPLEX GeoSynchrony 4.1.x or later is running on the cluster:

    vplexcli

    Log in with the applicable username.

    4. From the VPlexcli prompt, type the following command:

    user passwd -u

    a. When prompted, type the old password.

    b. When prompted for a new password, type a password that adheres to the rules in Password policy on page 17.

    c. When prompted, retype the new password.

    Resetting passwords

    A user with an admin account can reset passwords for other users as follows:

    1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management server.

    2. Log in with username admin.

    3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli:

    If VPLEX GeoSynchrony 4.0.x is running on the cluster:

    telnet localhost 49500

    If VPLEX GeoSynchrony 4.1.x or later is running on the cluster:

    vplexcli

    Log in with username admin.

    4. From the VPlexcli prompt, type the following command:

    user reset -u

    a. When prompted, type the admin account password.

    b. When prompted for a password for the new user, type a password that adheres to the rules in Password policy on page 17.

    c. When prompted, retype the new password.

    Note: The user must change the password the next time he or she logs in.

    Changing the service account password

    EMC recommends that you change the default service password. For instructions on changing the password, see Changing passwords, or ask the EMC representative installing VPLEX to modify the password. To provide optimal protection for the powerful service account, changing its default password must be considered a requirement. The service account is used by EMC to provide remote support through the EMC ESRS gateway. Therefore, the service password must be updated or recorded in the customer service database in order to provide this support.

    The service password must be changed in two locations:

    Management server

    Fibre Channel switches

    To change the service password on the Fibre Channel switches, use the switch's passwd command.

    Deleting user accounts

    A user with an admin account can delete a different account as follows:

    1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management server.

    2. Log in with username admin.

    3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli:

    If VPLEX GeoSynchrony 4.0.x is running on the cluster:

    telnet localhost 49500

    If VPLEX GeoSynchrony 4.1.x or later is running on the cluster:

    vplexcli

    Log in with username admin.

    4. From the VPlexcli prompt, type the following command:

    user remove -u

    When prompted, type the admin account password.

    Log file settings

    This section describes log files relevant to security.

    Log file location

    Table 5 lists the name and location of VPLEX component log files relevant to security.

    Table 5 VPLEX component log files

    Component | Location

    Unisphere for VPLEX | /var/log/VPlex/cli/session.log_

    Management server OS | /var/log/messages

    ConnectEMC | /var/log/ConnectEMC/logs/ConnectEMC.log files

    Firewall | /var/log/firewall

    VPN (ipsec) | /var/log/events.log

    Log file management and retrieval

    All logs rotate automatically, to avoid unbounded consumption of disk space.

    Communication security settings

    This section describes the communication security settings that enable you to establish secure communication channels between VPLEX components, as well as between VPLEX components and external systems.

    IP WAN COM

    A VPLEX Metro or a VPLEX Geo system does not support native encryption over an IP WAN COM link. EMC recommends that you deploy an external encryption solution such as IPsec to achieve data confidentiality and endpoint authentication over IP WAN COM links between clusters.

    Accessibility

    To establish secure communication, note the following:

    The following protocols must be allowed on the customer firewall (both in the outbound and inbound filters):

    # Encapsulating Security Payload (ESP): IP protocol number 50

    # Authentication Header (AH): IP protocol number 51

    The following ports must be allowed on the customer firewall:

    # Internet Key Exchange (IKE): UDP port 500

    # NAT Traversal in the IKE (IPsec NAT-T): UDP port 4500

    # Secure Shell (SSH): TCP port 22

    Static IP addresses must be assigned to the public ports on each management server (eth3) and the public port in the Cluster Witness Server. If these IP addresses are in different subnets, the IP management network must be able to route packets between all such subnets.

    The firewall configuration settings in the IP management network must not prevent the creation of IPsec tunnels. Cluster Witness traffic as well as VPLEX management traffic leverages VPN tunnels established on top of IPsec.

    The IP management network must be capable of transferring SSH traffic between management servers and the Cluster Witness Server.

    The IP management network must be capable of transferring ICMP traffic between management servers and the Cluster Witness Server in order to enable configuration, upgrade, and diagnostics of Cluster Witness.

    The required minimum value for Maximum Transmission Unit (MTU) is 1500 bytes. Configure MTU as 1500 or larger.

    Note: The IP management network must not be able to route to the following reserved VPLEX subnets: 128.221.252.0/24, 128.221.253.0/24, and 128.221.254.0/24.

    Note: If VPLEX is deployed with an IP inter-cluster network, the inter-cluster network must not be able to route to the following reserved VPLEX subnets: 128.221.252.0/24, 128.221.253.0/24, and 128.221.254.0/24.
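The following is an added example (not part of the guide) that turns the Accessibility requirements above into an audit: it checks a packet-filter rule set for the ESP, AH, ICMP, IKE, NAT-T and SSH permits in both directions, checks a routing table against the three reserved VPLEX subnets, and checks the MTU floor. The AllowRule abstraction and the sample rules and routes are constructed for illustration, not a vendor firewall format.

```python
import ipaddress
from dataclasses import dataclass

# Requirements taken from the Accessibility section of this guide.
REQUIRED_IP_PROTOCOLS = {1: "ICMP", 50: "ESP", 51: "AH"}
REQUIRED_PORTS = {("udp", 500): "IKE", ("udp", 4500): "IPsec NAT-T", ("tcp", 22): "SSH"}
RESERVED_SUBNETS = [ipaddress.ip_network(n) for n in
                    ("128.221.252.0/24", "128.221.253.0/24", "128.221.254.0/24")]
MIN_MTU = 1500


@dataclass(frozen=True)
class AllowRule:
    """One permit entry of a packet filter (a constructed abstraction, not a vendor format)."""
    direction: str   # "in" or "out"
    proto: str       # "tcp", "udp", or "ip" for a raw IP protocol number
    number: int      # TCP/UDP port, or the IP protocol number when proto == "ip"


def audit_filter(rules):
    """List every requirement that is not permitted in BOTH directions."""
    findings = []
    for direction in ("in", "out"):
        allowed = {(r.proto, r.number) for r in rules if r.direction == direction}
        for num, name in REQUIRED_IP_PROTOCOLS.items():
            if ("ip", num) not in allowed:
                findings.append(f"{direction}: IP protocol {num} ({name}) not permitted")
        for (proto, port), name in REQUIRED_PORTS.items():
            if (proto, port) not in allowed:
                findings.append(f"{direction}: {proto}/{port} ({name}) not permitted")
    return findings


def audit_routes(destinations):
    """List routing-table prefixes that would forward traffic into a reserved VPLEX subnet.

    A default route (0.0.0.0/0) is reported too, because it forwards everything."""
    findings = []
    for dest in destinations:
        prefix = ipaddress.ip_network(dest, strict=False)
        for reserved in RESERVED_SUBNETS:
            if prefix.overlaps(reserved):
                findings.append(f"route {dest} reaches reserved {reserved}")
    return findings


def audit_mtu(mtu):
    """The guide requires an MTU of 1500 or larger on the management network."""
    return [] if mtu >= MIN_MTU else [f"MTU {mtu} is below the required {MIN_MTU}"]


# Constructed sample: inbound filter complete, outbound filter missing AH;
# route table carries one reserved prefix (assumed values, not from a real site).
SAMPLE_RULES = [AllowRule(d, p, n) for d in ("in", "out")
                for p, n in (("udp", 500), ("udp", 4500), ("tcp", 22), ("ip", 50), ("ip", 1))]
SAMPLE_RULES.append(AllowRule("in", "ip", 51))
SAMPLE_ROUTES = ["10.0.0.0/8", "192.168.10.0/24", "128.221.253.0/24"]


def run_sample():
    """Run all three audits over the constructed sample; returns (filter, routes, mtu) findings."""
    return audit_filter(SAMPLE_RULES), audit_routes(SAMPLE_ROUTES), audit_mtu(1400)


if __name__ == "__main__":
    for group in run_sample():
        for finding in group:
            print(finding)
```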

    Port usage

    Table 6 lists all the network ports and services used by VPLEX components. This information, together with the firewall settings, is needed to use the product.

    Table 6 Port Usage

    Serial Number | Port | Function | Service | Management server 1 | Management server 2 | Cluster Witness

    1 | Public port TCP/22 | Log in to management server OS, copy files to and from the management server using the SCP sub-service, and establish SSH tunnels | SSH | Yes | Yes | Yes

    2 | Service port TCP/22 | (same function, service and availability as row 1)

    3 | Public port TCP/21 | ESRS (EMC Secure Remote Service) access to VPLEX | ESRS | Yes | Yes | No

    4 | Public port TCP/443 | (same function, service and availability as row 3)

    5 | Public port TCP/5400 to 5413 | (same function, service and availability as row 3)

    6 | Public port UDP/500 | IPSEC VPN | ISAKMP | Yes | Yes | Yes

    7 | Public port UDP/4500 | IPSEC VPN | IPSEC NAT traversal | Yes | Yes | Yes

    8 | Public port UDP/123 | Time synchronization service | NTP | Yes | Yes | No

    9 | Public port TCP/161 | Get performance statistics | SNMP | Yes | Yes | No

    10 | Public port UDP/161 | (same function, service and availability as row 9)

    11 | Public port TCP/443 | Web access to the Unisphere for VPLEX graphical user interface | HTTPS | Yes | Yes | No

    12 | Service port TCP/443 | (same function, service and availability as row 11)

    13 | Localhost TCP/5901 (1) | Access to the management server's desktop. Not available on the public network. Must be accessed through SSH tunnel. | VNC | Yes | Yes | No

    14 | Localhost TCP/49500 (2) | VPlexcli. Not available on the public network. Must be accessed through SSH. | Telnet | Yes | Yes | No

    15 | Public port UDP/53 | Domain Name Service | DNS | Yes | Yes | Yes

    16 | - | Any firewall between the Cluster Witness Server and the management servers needs to allow traffic for IP protocol number 1 (ICMP), 50 (ESP) and 51 (AH) | - | Yes | Yes | Yes

    (1) No specific customer firewall settings are required.

    (2) No specific customer firewall settings are required.

    Communication specifications - VPLEX Geo/Metro system

    Figure 10 illustrates the communication between VPLEX components in a VPLEX Metro or a VPLEX Geo system.

    Figure 10 VPLEX Geo or a VPLEX Metro system

    [Figure 10 diagram: a Customer IP Network connecting A (VPLEX Management Client), B (Management Server, VPLEX Cluster 1), C (Management Server, VPLEX Cluster 2), D (VPLEX Cluster Witness) and E (ESRS Server)]

    Table 7 describes the possible communication between the VPLEX components in a VPLEX Geo or a VPLEX Metro system.

    Legend:

    A - VPLEX Management Client

    B - Management Server 1

    C - Management Server 2

    D - VPLEX Cluster Witness

    E - ESRS Server

    Table 7 Communication in a VPLEX Geo/Metro system

    Serial Number | A-B | A-C | A-D | B-C | B-D | B-E | C-D | C-E

    1 Yes Yes Yes (only for initial setup) Yes Yes (only for code upgrades) Yes (only for code upgrades)

    2 Yes Yes Yes (only for initial setup) Yes Yes (only for code upgrades) Yes (only for code upgrades)

    3 Yes Yes

    4 Yes Yes

    5 Yes Yes

    6 Yes Yes Yes

    7 Yes Yes Yes

    8 Yes

    9 Yes Yes

    10 Yes Yes

    11 Yes Yes

    12 Yes Yes

    13 Yes Yes

    14 Yes Yes

    15 Yes Yes

    16 Yes Yes Yes

    Communication specifications - VPLEX Local system

    Figure 11 illustrates the communication between VPLEX components in a VPLEX Local system.


    Figure 11 VPLEX Local System

    Table 8 describes the possible communication between the VPLEX components in a VPLEX Local system.

    [Figure 11 diagram: a Customer IP Network connecting A (VPLEX Management Client), B (Management Server, VPLEX Cluster 1) and C (ESRS Server)]

    Legend:

    A - VPLEX Management Client

    B - Management Server 1

    C - ESRS Server

    Table 8 Communication in a VPLEX Local system

    Serial Number | A-B | B-C

    1 Yes

    2 Yes

    3 Yes

    4 Yes

    5 Yes

    6

    7

    8

    9 Yes

    10 Yes

    11 Yes

    12 Yes

    13 Yes

    14 Yes

    15

    16

    Network encryption

    The VPLEX management server supports SSH through the sshd daemon provided by the FIPS-compliant OpenSSH package. It supports version 2 of the SSH protocol.

    When the management server starts for the first time, the sshd daemon generates key pairs (private and public key) for communication with SSH clients. RSA and DSA key pairs are generated to support communication with SSH version 2 clients. All keys have a 2048-bit length.

    The HTTPS protocol and the IPsec VPN use a X.509 host certificate to identify the server and encrypt all traffic. X.509 host certificates use a 2048 bit host key. During initial setup of a VPLEX cluster, a local Certification Authority (which signs the host certificate request) is created automatically.

    Currently, VPLEX does not support a corporate Certification Authority signing the host certificate requests.

    Creating a local Certification Authority

    A Certification Authority (CA) on the VPLEX management server must be created solely for the purposes of signing management server certificates.

    The VPlexcli command security create-ca-cert creates a CA certificate file and private key protected by a passphrase. By default, this command creates the following:

    A 2048-bit CA key in /etc/ipsec.d/private/strongswanKey.pem

    A CA certificate in /etc/ipsec.d/cacerts/strongswanCert.pem that remains valid for 1825 days (5 years)

    You must provide a passphrase for the CA key and the CA certificate subject. The CA certificate subject must be the VPLEX cluster's serial number (found on the label attached to the top of the VPLEX cabinet). If you are creating a CA certificate for a VPLEX Metro or VPLEX Geo implementation, you can use either cluster's serial number.

    Creating a host certificate

    Note: Host certificates are created as a part of EZsetup during a first time installation.

    The VPlexcli command security create-host-certificate generates a host certificate request and signs it with the Certification Authority certificate created in the Creating a local Certification Authority on page 27. By default, this command creates the following:

    A 2048-bit key in /etc/ipsec.d/private/hostKey.pem

    A host certificate in /etc/ipsec.d/certs/hostCert.pem that remains valid for 730 days (2 years)

    You must provide the CA key passphrase for the host key and the host certificate subject, which must be the cluster's serial number (found on the label attached to the top of the VPLEX cabinet).

    Installing the host certificate for use by HTTPS

    At the Linux shell prompt on the management server, type the following command to transform the X.509 certificate into jks format for use by tomcat:

    sudo /opt/emc/VPlex/tools/utils/JKSsetup.pl

    You must provide the host certificate's passphrase before converting the host certificate into a format suitable for HTTPS service.

    Obtaining host certificate and host key fingerprints

    When users first connect to the management server over SSH or by connecting to the GUI using the HTTPS protocol, they are asked to confirm the server's identity. Most client programs display the management server's fingerprints as MD5 or SHA1 checksums, allowing users to verify that they are connected to the VPLEX management server and not to another machine, possibly deployed to harvest logins and passwords for a man-in-the-middle attack.

    Once a user confirms the management server's identity, subsequent connections will not ask for this confirmation, but instead warn the user if the management server's fingerprint has changed, which may be another indication of man-in-the-middle attacks.

    A VPLEX administrator might be asked by security-conscious users for the fingerprints of both the X.509 certificate used for the GUI and for the host keys used for SSH access to the management server.

    To find the host certificate's SHA1 and (for GUI users) MD5 fingerprints

    1. At the Linux shell prompt, type the following command:

    /etc/ipsec.d/certs # openssl x509 -noout -in hostCert.pem -fingerprint -md5

    Output example:

    MD5 Fingerprint=6E:2C:A5:8E:86:11:45:26:02:09:62:97:6F:18:FD:62

    2. Type the following command:

    /etc/ipsec.d/certs # openssl x509 -noout -in hostCert.pem -fingerprint -sha1

    Output example:

    SHA1 Fingerprint=2E:B0:DD:59:DD:C3:29:96:33:74:19:CC:A0:81:28:28:6F:4F:76:E4

    To find the SSH key fingerprint (for SSH users)

    1. At the Linux shell prompt, type the following command:

    /etc/ssh > ssh-keygen -l -f ssh_host_dsa_key

    Output example:

    1024 52:42:70:0c:22:aa:2f:e3:09:18:93:c8:20:a4:78:0c ssh_host_dsa_key.pub

    2. Type the following command:

    /etc/ssh > ssh-keygen -l -f ssh_host_rsa_key

    Output example:

    1024 a4:d8:64:d0:24:b9:2c:3d:06:24:5f:3a:30:ba:83:f8 ssh_host_rsa_key.pub

    3. Type the following command:

    /etc/ssh > ssh-keygen -l -f ssh_host_ecdsa_key

    Output example:

    256 ca:05:f3:9a:3e:51:fe:53:51:90:39:bf:6b:f5:78:56 [MD5]root@ManagementServer (ECDSA)
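The following is an added example, not part of the guide, showing what the openssl and ssh-keygen commands above compute and how a user can compare the value a client displays with the value the administrator published. The certificate fingerprints are hashes over the DER bytes of the PEM file; the SSH fingerprints are hashes over the base64-decoded key blob, which also covers clients that show the newer SHA256 form instead of MD5. The PEM body and key blob in the sample are constructed placeholders (base64 of "abc"), not real VPLEX material.

```python
import base64
import hashlib
import re


def colon_hex(digest: bytes, upper: bool = True) -> str:
    """Render a digest as openssl (upper case) or ssh-keygen (lower case) print it."""
    pairs = ":".join(f"{b:02x}" for b in digest)
    return pairs.upper() if upper else pairs


def cert_fingerprints(pem_text: str) -> dict:
    """MD5 and SHA1 fingerprints of a PEM certificate: hashes over the DER bytes.

    This is what 'openssl x509 -fingerprint -md5' / '-sha1' print."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                      pem_text, re.S)
    if match is None:
        raise ValueError("input contains no CERTIFICATE block")
    der = base64.b64decode("".join(match.group(1).split()))
    return {"MD5": colon_hex(hashlib.md5(der).digest()),
            "SHA1": colon_hex(hashlib.sha1(der).digest())}


def ssh_key_fingerprints(pubkey_line: str) -> dict:
    """Fingerprints of an OpenSSH public-key line ('ssh-rsa AAAA... comment').

    Older ssh-keygen prints the MD5 form, newer ones 'SHA256:<base64>'; both are
    hashes of the base64-decoded key blob, so both can be derived from one file."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("malformed OpenSSH public-key line")
    blob = base64.b64decode(fields[1])
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"MD5": colon_hex(hashlib.md5(blob).digest(), upper=False),
            "SHA256": "SHA256:" + sha256}


def normalize(fingerprint: str) -> str:
    """Canonical form so label, case and colon differences do not mask a match."""
    value = re.sub(r"^\w+ Fingerprint=", "", fingerprint.strip())  # openssl label
    if value.upper().startswith("SHA256:"):
        return "SHA256:" + value[7:].rstrip("=")      # base64 is case sensitive
    if value.upper().startswith("MD5:"):
        value = value[4:]                             # newer ssh-keygen label
    return value.replace(":", "").lower()


def matches(published: str, observed: str) -> bool:
    """True if the administrator's published fingerprint equals what the client shows."""
    return normalize(published) == normalize(observed)


# Constructed sample inputs (placeholders, not real VPLEX material).
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_PUBKEY = "ssh-rsa YWJj root@ManagementServer"

if __name__ == "__main__":
    print(cert_fingerprints(SAMPLE_PEM))
    print(ssh_key_fingerprints(SAMPLE_PUBKEY))
```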

    Data security settings

    Encryption of data at rest: user passwords

    Hashed user passwords are stored in /etc/shadow on the VPLEX management server.

    GeoSynchrony uses a hardcoded hashing algorithm to hash the passwords.

    Copyright 2014 EMC Corporation. All rights reserved.

    EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

    THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

    Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

    For the most up-to-date regulatory document for your product line, go to the Technical Documentation and Advisories section on EMC Powerlink.

    For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

    All other trademarks used herein are the property of their respective owners.
