Docu31419 VPLEX Security Configuration Guide

EMC VPLEX
Security Configuration Guide

P/N 300-010-493-09
March 19, 2014
This guide provides an overview of VPLEX security configuration. Topics include:
VPLEX overview......................................................................................................... 1
Security recommendations........................................................................................ 3
IP addresses and component IDs .............................................................................. 7
Security configuration settings ................................................................................ 13
Configuring user authentication .............................................................................. 15
Manage user accounts ............................................................................................ 18
Log file settings....................................................................................................... 21
Communication security settings ............................................................................ 21
Data security settings.............................................................................................. 29
VPLEX overview
An EMC VPLEX cluster consists of one, two, or four engines (each containing two
directors), and a management server. A dual-engine or quad-engine cluster also contains
a pair of Fibre Channel switches for communication between directors.
Each engine is protected by a standby power supply (SPS), and each Fibre Channel switch
gets its power through an uninterruptible power supply (UPS). In a dual-engine or
quad-engine cluster, the management server also gets power from a UPS.
The management server has a public Ethernet port, which provides cluster management
services when connected to the customer network. The management server can also
provide call-home services through the public Ethernet port by connecting to an EMC
Secure Remote Support (ESRS) gateway deployed on the same network. The ESRS
gateway is also used by EMC personnel to provide remote service.
Three VPLEX implementations are available:
VPLEX Local (single cluster)
VPLEX Metro (two clusters separated by synchronous distances)
VPLEX Geo (two clusters separated by asynchronous distances)
In a VPLEX Metro or VPLEX Geo implementation, the clusters are connected over IP
between the management servers.
VPLEX overview
VPLEX user authentication is configured locally on the management server or remotely on

an OpenLDAP or Active Directory server which integrates with Unix using Service for UNIX
3.5, Identity Management for UNIX, or other authentication service.
A management server in each VPLEX cluster authenticates users against account
information kept on its local file system or against the LDAP/AD server. An authenticated
user can manage resources in the local cluster.
In a VPLEX Metro or VPLEX Geo, users authenticated by either management server can
manage all resources in both clusters. Figure 1 on page 2 shows a VPLEX cluster
configuration (quad system) example.
Engine 4
SPS
SPS
Engine 3
SPS
SPS
FC Switch B
UPS B
FC Switch A
UPS A
Management Server
Engine 2
SPS
SPS
Engine 1
SPS
SPS
SYM-002272
Figure 1 VPLEX cluster configuration
EMC VPLEX Security Configuration Guide
Security recommendations
Security recommendations
While the Security Configuration Guide must be reviewed in its entirety, this section
serves to highlight EMC's most important security recommendations to ensure the
security of your data and environment.
Given the elevated permissions granted to the service account, its password must be
changed in order to better protect VPLEX from misuse or abuse of those privileges.
Changing the service account password on page 20 provides more information.
To protect your data in the communications between clusters in VPLEX Metro and Geo
configurations, an external encryption solution such as IPSec must be used to
guarantee confidentiality and authentication for the IP WAN COM link. IP WAN COM
on page 21provides more information.
To protect the identity and integrity of your users and their account credentials, all
LDAP communication must be configured to use the LDAPS protocol. Implementing
LDAP on page 16 provides more information.
VPLEX management server operating system and networking

The VPLEX management servers operating system (OS) is based on a Novell SUSE Linux
Enterprise Server 10 SP2 distribution. Starting in Release 5.3, the management server will
run SUSE Linux Enterprise Server 11 patch 3.
The operating system has been configured to meet EMC security standards by disabling or
removing unused services and packages, and protecting access to network services
through a firewall.
Used packages are hardened with security updates.
A management server has four Ethernet ports, identified as eth0 through eth3 by the
operating system, and shown in Figure 2. A 1 Gb/s public management port (eth3) is the
only Ethernet port in the VPLEX rack that may be connected to an external management
LAN. Other components in the rack are connected to two redundant private management
Ethernet networks, connected to the management server's eth0 and eth2 ports. A service
port (eth1) can be connected to a local laptop, providing access to the same services as a
host on the management LAN.
Customer
workstation
Ethernet port
Service cable
eth1
eth3
Customer
IP network
Customer-provided
Ethernet cable
Management server
eth0
eth2
eth
Figure 2 Management server, rear view
Accessing the management server

Three protocols allow access to a VPLEX management server over a secure and encrypted
connection: SSH, HTTPS, and IPsec VPN.
Using SSH to access the management server shell

Users can log in to the management server shell over SSH version 2, through the
management server's public Ethernet port or service port. The SSH service is available on
the standard port 22.
An SSH login with appropriate credentials allows access to a Linux shell on the
management server. From there:
Users can access the VPLEX command line interface (VPlexcli).
A service account user can also inspect log files, start and stop services, and upgrade
firmware and software.
SSH also can be used to establish a secure tunnel between the management server and
the host running the SSH client. Using a tunneled VNC connection to access the
management server desktop on page 5 provides more information.
Using HTTPS to access the VPLEX GUI

The Unisphere for VPLEX graphical user interface (GUI) is accessible as a web service on
the management server's public Ethernet port and the service port, using the HTTPS
protocol. It is available on the standard port 443.
The following URL initiates an HTTPS connection to the GUI:
https://<management_server_public_IP_address>
To access the GUI using an IPv6 address, use the following URL:
https://[mgmtserver_ipv6_addr]
For example:
https://[3ffe:80c0:22c:803c:215:17ff:fed3:207]/smsflex/VPlexConsole
.html
Note: Accessing the VPLEX GUI or the VPLEX CLI over IPv6 is possible only if the client
machine is also in an IPv6 network.
The GUI encrypts all traffic using a server certificate. Creating a host certificate on
page 27 provides more information.
Note: The GUI has a timer that logs the user out after 10 minutes of inactivity. You can
modify the timeout value to a maximum of 12 hours.
Using IPsec VPN in a VPLEX Metro implementation

The management server in each VPLEX Metro cluster must connect to each other over a
Virtual Private Network (VPN) through the public Ethernet port, as shown in Figure 3.
Customer IP network
IPsec tunnel
eth3
Mgmt server 1
eth0
Subnet B
128.221.253.32/27
eth2
Subnet A
128.221.252.32/27
Cluster 1
eth3
Mgmt server 2
eth0
Subnet B
128.221.253.64/27
eth2
Subnet A
128.221.252.64/27
Cluster 2
IPsec_VPN
Figure 3 IPsec VPN connection
Although you might have already secured the network connections between two VPLEX
Metro or VPLEX Geo clusters, the management servers must establish an explicit VPN
connection, to acknowledge that the remote management server has full management
control over the local cluster and its resources.
The VPLEX management server uses strongSwan, an open source implementation of IPsec
for Linux.
Using SCP to copy files

The Secure Copy Protocol (SCP) allows users to transfer files to and from the management
server. SCP uses the same credentials as SSH. Popular SCP clients are WinSCP and PSCP
provided by the PuTTY package, and the SCP client provided by OpenSSH.
Using a tunneled VNC connection to access the management server desktop

The SSH protocol provides a mechanism for sending unencrypted traffic through an
encrypted SSH connection. Most SSH clients, such as OpenSSH and PuTTY, allow users to
establish SSH tunnels by specifying a port on their local machine (source port), and a port
on the management server (destination port).
Access to the management server's desktop is provided by VNC access through an SSH
tunnel. Users must first establish an SSH tunnel between destination port 5901 and local
port 5901, and then connect a VNC viewer to local port 5901. Popular VNC clients are
RealVNC and TightVNC.
To establish a tunnel, you must log in with your standard SSH credentials. After a
successful login, the SSH client program must remain running, to allow the SSH tunnel to
remain operational.
Follow these steps to establish a tunneled VNC connection using PuTTY:
1. Launch PuTTY.exe, and configure the PuTTY window as shown in Figure 4 and the
following:
Server address Public IP address of the VPLEX management server.
Session name Type a name for the PuTTY session you are configuring. This
allows you to load the saved session if you need to reconnect later, eliminating the
need to configure the individual parameters again.
Default settings Verify, and set as shown if necessary.
Server address
(default)
Session name
(default)
PuTTY_VNC
Figure 4 PuTTY Configuration window
2. Expand SSH in the Category list, and click Tunnels.

3. Configure the SSH port forwarding parameters as shown in Figure 5, and then click
Add.
IP addresses and component IDs
5901
localhost:5901
tunnels
Figure 5 PuTTY configuration: SSH port forwarding parameters
4. Click Open to establish an SSH tunnel to the management server.

When prompted, type the account password.
5. Authenticate as usual, and leave the PuTTY window open.
6. Launch the VNC viewer, and connect to localhost:5901.

The IP addresses of the VPLEX hardware components are determined by a set of formulae
that depend on the internal management network (A or B), the Cluster IP Seed, and (for
directors) the Enclosure ID (which matches the engine number).
Figure 6 on page 8 shows the IP addresses in a cluster with a Cluster IP Seed of 1, and
Figure 7 on page 9 shows the addresses for a Cluster IP Seed of 2. Note that the Cluster IP
Seed is the same as the Cluster ID, which depends on the following VPLEX
implementation:
VPLEX Local - The Cluster ID is always 1.
VPLEX Metro or VPLEX Geo - The Cluster ID for the first cluster that is set up is 1, and
the second cluster is 2.
Note: The management server supports the coexistence of both the IPv6 and IPv4
address. However, the directors only support IPv4 addresses.
VPLEX VS1 hardware
Cluster IP Seed = 1
Enclosure IDs = engine numbers
Management network A addresses
Management network B addresses
Engine 4:
Director 4B
Director 4A
128.221.253.42
128.221.253.41
Engine 4:
Director 4B
Director 4A
128.221.252.42
128.221.252.41
Engine 3:
Director 3B
Director 3A
128.221.253.40
128.221.253.39
Engine 3:
Director 3B
Director 3A
128.221.252.40
128.221.252.39
FC switch B 128.221.253.34
Service port
128.221.252.2
Public Ethernet port

Customer-assigned
FC switch A 128.221.252.34
Mgt B port
128.221.253.33
Mgt A port
128.221.252.33
Management server
Engine 2:
Director 2B
Director 2A
128.221.253.38
128.221.253.37
Engine 2:
Director 2B
Director 2A
128.221.252.38
128.221.252.37
Engine 1:
Director 1B
Director 1A
128.221.253.36
128.221.253.35
Engine 1:
Director 1B
Director 1A
128.221.252.36
128.221.252.35
Zep-028_1
Figure 6 Component IP addresses in Cluster 1
Cluster IP Seed = 2
Management network B addresses
Management network A addresses
Engine 4:
Director 4B
Director 4A
128.221.253.74
128.221.253.73
Engine 4:
Director 4B
Director 4A
128.221.252.74
128.221.252.73
Engine 3:
Director 3B
Director 3A
128.221.253.72
128.221.253.71
Engine 3:
Director 3B
Director 3A
128.221.252.72
128.221.252.71
FC switch B 128.221.253.66
Service port
128.221.252.2

Customer-assigned
FC switch A 128.221.252.66
Mgt B port
128.221.253.65
Mgt A port
128.221.252.65
Management server
Engine 2:
Director 2B
Director 2A
128.221.253.70
128.221.253.69
Engine 2:
Director 2B
Director 2A
128.221.252.70
128.221.252.69
Engine 1:
Director 1B
Director 1A
128.221.253.68
128.221.253.67
Engine 1:
Director 1B
Director 1A
128.221.252.68
128.221.252.67
Zep-028_2
Figure 7 Component IP addresses in VPLEX Metro or VPLEX Geo Cluster 2
VPLEX VS2 hardware
Cluster IP Seed = 1
Engine 4:
Director 4B, A side: 128.221.252.42
Director 4B, B side: 128.221.253.42
Engine 4:
Director 4A, A side: 128.221.252.41
Director 4A, B side: 128.221.253.41
Engine 3:
Engine 3:
FC switch B 128.221.253.34
Service port
128.221.252.2

Customer-assigned
FC switch A 128.221.252.34
Mgt B port
128.221.253.33
Mgt A port
128.221.252.33
Management server
Engine 2:
Engine 2:
Engine 1:
Engine 1:
VPLX-000242
Figure 8 Component IP addresses in Cluster 1
10
Implementing IPv6
Cluster IP Seed = 2
Engine 4:
Engine 4:
Engine 3:
Engine 3:
FC switch B 128.221.253.66
Service port
128.221.252.2

Customer-assigned
FC switch A 128.221.252.66
Mgt B port
128.221.253.65
Mgt A port
128.221.252.65
Management server
Engine 2:
Engine 2:
Engine 1:
Engine 1:
VPLX-000243
Figure 9 Component IP addresses in VPLEX Metro or VPLEX Geo Cluster 2
Implementing IPv6
In VPLEX, an IP address can either be an IPv4 address and/or an IPv6 address. While
VPLEX continues to support IPv4, it now also provides support for the full IPv6 stack as
well as dual stack IPv4/IPv6, including:
Browser session
VPN connection
Note: In a virtual private network, the end points must always be of the same address
family. That is, each leg in the VPN connection must either be IPv4 or IPv6.
WAN link ports
CLI session
Cluster Witness
11
Implementing IPv6
Recover Point
Note: In Release 5.3, IPv6 is available only with new installations.

The transition from an IPv4 network to a network where IPv4 and IPv6 coexist is
challenging because the two protocols are not designed to be interoperable with each
other. Transition technologies such as tunneling, or other translator gateways are
required to exchange traffic between the two types of network.
The VPLEX management server uses the dual stack mechanism to deploy IPv6. This
mechanism provides complete support for both IPv4 and IPv6, and allows applications to
talk to both IPv4 and IPv6. However, the choice of IP version is based on the name look up
and application preference.
Table 1describes IPv6 support on VPLEX components along with additional notes.
Table 1 IPv6 support on VPLEX components
12
VPLEX Components
Supports
IPv4
Supports
IPv6
Co-existence
Notes
Management server
Yes
Yes
Yes
The management
server supports only
global scope IPv6 static
address configuration.
The management
server supports the
coexistence of both the
IPv4 and IPv6 address.
Director
Yes
No
No
Directors continue to
support IPv4 address.
Cluster Witness
Yes
Yes
Yes
IPv6 address for a cluster

witness can be specified
using the Vcenter or the
VMware console ->
Configure Network
WAN COM
Yes
Yes
No
The IP-WAN-COM link

either operates on IPv4 or
IPv6.
Security configuration settings
Table 1 IPv6 support on VPLEX components

VPLEX Components
Supports
IPv4
Supports
IPv6
Co-existence
Notes
VASA Provider
Yes
No
No
Although VPLEX SMS

supports IPv6, VASA
provider continues to
support only IPv4 in
Release 5.3. Therefore,
VASA providers running in
an IPv6 environment must
specify the IPv4 SMS
address for VASA provider
setup or registration.
Recover Point
Yes
Yes
Yes
RecoverPoint can
communicate with the
management server using
either an IPv4 address or
an IPv6 address.
LDAP/AD server
Yes
Yes
Yes
The IP address can be

specified during the LDAP
configuration. To change
the configured IP address,
the configuration must be
recreated.
The VPLEX Administration Guide provides additional information on IPv6.

This section provides an overview of user accounts and privileges.
13
User roles, accounts, and privileges

Table 2 provides an overview of VPLEX accounts and associated privileges.
Table 2 VPLEX user accounts and privileges
Component
Account Type
Default
password
Management
server 1
service
Mi@Dim7T 2
Access to the management server

desktop, VPlexcli, and Unisphere for
VPLEX GUI
Ability to start and stop management
server services
Execute permissions for VPlexcli
related scripts
Ability to execute VPlexcli commands
Read/write access to log files
admin
teS6nAX2 3
Access to management server

VPLEX GUI
Ability to create, modify, and delete
new user accounts
Ability to execute VPlexcli commands
Read-only access to log files
user
Fibre Channel
COM switch 4
Privileges
Access to the management server

VPLEX GUI
Restricted access to management
server native functions
Read-only access to log files
service 5
Mi@Dim7T 2
Access to the Fibre Channel internal

switch interface
Ability to start and stop switch
services
admin
Ry3fog4M 4
Access to the Fibre Channel internal

switch interface
Ability to add and delete other
accounts on the switch interface
Ability to change passwords on the
switch interface
user
jYw13ABn
Access to the Fibre Channel switch

interface
1. You cannot delete the default management server accounts.

2. Given the elevated permissions granted to the service account, its password must be changed in order to
better protect VPLEX from misuse or abuse of those privileges. Changing the service account
password on page 20 provides more information.
3. The first user who logs in as admin is prompted to change this password, which is required before any
user can log in to the VPlexcli as admin. To change the password when prompted, follow the steps in
Changing passwords on page 19, with the exception of step 4 (because you are asked to change the
password after you log in).
4. Fibre Channel COM switches exist only in dual-engine and quad-engine VPLEX clusters.
5. In switches that are shipped for field replacement or hardware upgrade (rather than as part of a cabinet
system), the admin account password is password, and there is no service account.
14
Configuring user authentication
VPLEX operations and account types

Table 3 provides an overview of specific operations that each account type can perform on
a VPLEX component.
Table 3 VPLEX operations and account types

Component
Operation
service
admin
user
Management
server
Startup and shutdown
Yes
No
No
Create, modify, and delete users
No
Yes
No
Modify your own password
Yes
Yes
Yes
Update or reset passwords for other

users
No
Yes
No
Set IP configuration
Yes
No
No
Change host names
Yes
No
No
Start or stop NTP
Yes
No
No
Start or stop VPN
Yes
No
No
Install, upgrade, backup, and restore Yes
No
No
Run CRON jobs
Yes
Yes
Yes
Configure SNMP
Yes
Yes
Yes
Manage users and passwords
No
Yes
No
Manage password policy
No
Yes
No
Configure CallHome
Yes
Yes
Yes
Create or renew certificates
Yes
Yes
Yes
Start and stop NTP
Yes
Yes
Yes
Configure LDAP
Yes
Yes
Yes
Configure VPN
Yes
Yes
Yes
Configure Cluster Witness
Yes
Yes
Yes
Run EZ-Setup
Yes
Yes
Yes
Configure and manage storage
Yes
Yes
Yes
Log in
Yes
Yes
Yes
Run switch commands
Yes
Yes
Yes
VPLEX CLI (VPLEX

management)
Fibre Channel
COM Switch

VPLEX customers can choose to configure their user accounts using either:
An external OpenLDAP or Active Directory server which integrates with Unix using
Service for UNIX 3.5, Identity Management for UNIX, or other authentication service.
15
OpenLDAP and Active Directory users are authenticated by the server. Usernames and
passwords created on an external server are fetched from the remote system to the
VPLEX system each time they are used.
The VPLEX management server

Usernames and passwords are created locally on VPLEX system, and are stored on
VPLEX.
Customers who do not want to use an external LDAP server for maintaining user accounts
create their user accounts on the VPLEX system itself.
VPLEX is pre-configured with two default user accounts: admin and service.
Refer to the VPLEX CLI Guide for information on the commands used to configure user
authentication.
Implementing LDAP
Starting in Release 5.2 and later, LDAP configuration is securely persisted using an
internal security component. This eliminates bind user credential vulnerabilities. The new
implementation of LDAP includes the following:
Use a new internal security component that ensures information is securely persisted.
Support for Directory Server groups, a logical collection of users. Groups can be
specified using the configuration commands and can be added or removed using the
map and unmap commands.
Note: Nested groups and dynamic groups are not supported.
Mapping of OrganizationalUnit (OUs) is not supported. Use of groups to map multiple

users is recommended.
For upgraded systems or systems that have not previously had LDAP configured, existing
configuration information or the way it is persisted is not automatically modified.
Authentications continue as they were prior to upgrade. However, users can continue to
be mapped or unmapped with the old configuration.
To use the new implementation in a system where an LDAP configuration already exists,
the LDAP configuration must be reconfigured (unconfigured and configured) to leverage
the new security features.
Note: The default configuration of LDAP does not support TLS, it is recommended to use
LDAPS protocol for secure communication between Management Server and Directory
Server.
Note: LDAP configuration in the Management Server requires directory server attributes
which are not explicitly captured during the EZSetup interview process. Default values are
used instead causing configuration issues only for MicrosoftWindows Active Directory
Server. Instead, use the authentication directory-service configure command for
configuring the management server with Microsoft Windows Active Directory configuration
details after completing EZSetup.
16
The VPLEX CLI Guide provides information on the commands used to configure LDAP.
Password policy
The VPLEX management server uses a Pluggable Authentication Module (PAM)
infrastructure to enforce minimum password quality. It uses pam_cracklib, a library that
checks for dictionary words, to check potential passwords.
Table 4 Default password policies
Policy name
Description
Default value
Minimum password
length
The minimum number of characters used when

creating or changing a password.
Minimum password age The minimum number of days a password cannot

be changed after the last password change.
Maximum password
age
The maximum number of days that a password can

be used since the last password change.
After the maximum number of days, the account is
locked and the user must contact the admin user
to reset the password.
90
Password expiration
warning
The number of days before the password expires.

A warning message indicating that the password
must be changed is displayed.
15
Password inactive days
The number of days after a password has expired

before the account is locked.
In Release 5.2 and later, the management server uses the default value for the password
policies listed in Table 4, and you can configure each password policy to meet your
specific needs. The new value will be updated in the appropriate configuration file, and
existing users will be updated with the new configuration. Refer to the VPLEX CLI Guide for
information on the commands used to set password policies and the values allowed.
Note the following:
Password policies do not apply to users configured using the LDAP server.
Password policies do not apply to the service account.
The Password inactive days policy does not apply to the admin account to protect the
admin user from account lockouts.
During the management server software upgrade, an existing users password is not
changedonly the users password age information changes.
You must be an admin user to configure a password policy.
Password policy default values after an upgrade

Note the following:
If upgrading from a release prior to 5.1 to release 5.2, the default values will be new
(see Table 4). If desired, you can change these values. Refer to the VPLEX CLI Guide for
information on setting password policies.
17
Manage user accounts
If upgrading from release 5.1 to 5.2, the admin user will no longer have the 90 day
expiration set. The default value for the minimum password length will be 14 as it was
set previously. You can change this value if desired. Refer to the VPLEX CLI Guide for
information on setting password policies.
After upgrading to release 5.2, the admin user will not be locked after the password
expires. If the password for the administrator account has not been changed since the
last 91 days, after upgrading to release 5.2, the admin user will be forced to change
the password on the first login (after it has expired).
Valid password characters

The following characters are allowed in a VPlexcli password:
A-Z
a-z
0-9
. ? / * @ ^ % # + = - _ ~ : space
Note: A space is allowed only between the characters in a password, not in the beginning
or the end of the password.
Adding user accounts on page 18
Changing passwords on page 19
Resetting passwords on page 19
Changing the service account password on page 20
Deleting user accounts on page 20
Adding user accounts

Note: In VPLEX Metro and Geo configuration, VPLEX CLI accounts created on one
management server are not propagated to the second management server. The user list
command displays only those accounts configured on the local management server, not
both server.
A user with an admin account can create a new account as follows:
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP
address of the VPLEX management server.
2. Log in with username admin.
3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli:
If VPLEX GeoSynchrony 4.0.x is running on the cluster:
telnet localhost 49500
18
If VPLEX GeoSynchrony 4.1.x or later is running on the cluster:

vplexcli
Log in with username admin.

4. From the VPlexcli prompt, type the following command:
user add -u <username>
a. When prompted, type the admin account password.

b. When prompted for a password for the new user, type a password that adheres to
the rules in Password policy on page 17.
c. When prompted, retype the new password.
Note: The new user must change the password the first time he or she logs in.
Changing passwords
Any user can change his/her own password as follows:
2. Log in with the applicable username.

vplexcli
Log in with the applicable username.

user passwd -u <username>
a. When prompted, type the old password.

b. When prompted for a new password, type a password that adheres to the rules in
Password policy on page 17.
Resetting passwords
A user with an admin account can reset passwords for other users as follows:
19


vplexcli

user reset -u <username>
a. When prompted, type the admin account password.

b. When prompted for a password for the new user, type a password that adheres to
the rules in Password policy on page 17.
Note: The user must change the password the next time he or she logs in.
Changing the service account password

EMC recommends that you change the default service password. For instructions on
changing the password, see Changing passwords; or you must ask the EMC
representative installing VPLEX to modify the password. In order to provide optimal
protection for the powerful service account, changing its default password must be
considered a requirement. The service account is used by EMC to provide remote support
through the EMC ESRS gateway. Therefore, the service password must be updated or
recorded in the customer service database in order to provide this support.
The service password must be changed in two locations:
Management server
Fibre Channel switches
To change the service password on the Fibre Channel switches, use the switch's passwd
command.
Deleting user accounts

A user with an admin account can delete a different account as follows:

vplexcli
20
Log file settings

user remove -u <username>
When prompted, type the admin account password.
Log file settings

This section describes log files relevant to security.
Log file location

Table 5 lists the name and location of VPLEX component log files relevant to security.
Table 5 VPLEX component log files
Component
Location
Unisphere for VPLEX
/var/log/VPlex/cli/session.log_<username>
management server
OS
/var/log/messages
ConnectEMC
/var/log/ConnectEMC/logs/ConnectEMC.log files
Firewall
/var/log/firewall
VPN (ipsec)
/var/log/events.log
Log file management and retrieval

All logs rotate automatically, to avoid unbounded consumption of disk space.
Communication security settings

This section describes the communication security settings that enable you to establish
secure communication channels between VPLEX components, as well as VPLEX
components and external systems.
IP WAN COM
A VPLEX Metro or a VPLEX Geo system does not support native encryption over an IP
WANCOM link. EMC recommends that you deploy an external encryption solution such as
IPSec to achieve data confidentiality and end point authentication over IP WAN COM links
between clusters.
Accessibility
To establish secure communication, note the following:
The following protocols must be allowed on the customer firewall (both in the
outbound and inbound filters):
# Encapsulating Security Payload (ESP): IP protocol number 50
21
# Authentication Header (AH): IP protocol number 51
The following ports must be allowed on the customer firewall:

# Internet Key Exchange (IKE): UDP port 500
# NAT Traversal in the IKE (IPsec NAT-T): UDP port 4500
# Secure Shell (SSH): TCP port 22
Static IP addresses must be assigned to the public ports on each management server
(eth3) and the public port in the Cluster Witness Server. If these IP addresses are in
different subnets, the IP management network must be able to route packets between
all such subnets.
The firewall configuration settings in the IP management network must not prevent the
creation of IPsec tunnels. Cluster Witness traffic as well as VPLEX management traffic
leverages VPN tunnels established on top of IPsec.
IP management network must be capable of transferring SSH traffic between

management servers and Cluster Witness Server.
IP management network must be capable of transferring ICMP traffic between

management servers and Cluster Witness Server in order to enable configuration,
upgrade, and diagnostics of Cluster Witness.
The required minimum value for Maximum Transmission Unit (MTU) is 1500 bytes.
Configure MTU as 1500 or larger.
Note: The IP management network must not be able to route to the following reserved
VPLEX subnets: 128.221.252.0/24, 128.221.253.0/24, and 128.221.254.0/24.
Note: If VPLEX is deployed with IP inter-cluster network, the inter-cluster network must not
be able to route to the following reserved VPLEX subnets: 128.221.252.0/24,
128.221.253.0/24, and 128.221.254.0/24.
22
Port usage
Table 6 lists all the network ports and services used by VPLEX components. This
information, along with the firewall settings is needed to use the product.
Table 6 Port Usage
Serial
Number Port
Function
Service
Management Management Cluster

server 1
Server 2
Witness
Log in to
management server
OS, copy files to
and from the
management server
using the SCP
sub-service, and
establish SSH
tunnels
SSH
Yes
Yes
Yes
ESRS (EMC Secure

Remote Service)
access to VPLEX
ESRS
Yes
Yes
No
Public port TCP/22
Service port TCP/22
Public port TCP/21
Public port TCP/443
Public port TCP/5400

to 5413
Public port UDP/500
IPSECVPN
ISAKMP
Yes
Yes
Yes
Public port UDP/4500
IPSEC VPN
IPSEC
NAT
traversal
Yes
Yes
Yes
Public port UDP/123
Time
synchronization
service
NTP
Yes
Yes
No
Public port TCP/161
Get performance
statistics
SNMP
Yes
Yes
No
10
Public port UDP/161
11
Public port TCP/443
HTTPS
Yes
Yes
No
12
Service port TCP/443
Web access to the

VPLEX Unisphere
for VPLEXs
graphical user
interface
13
Localhost TCP/59011
Access to the
management
server's desktop.
Not available on the
public network.
Must be accessed
through SSH
tunnel.
VNC
Yes
Yes
No
23
Table 6 Port Usage

Serial
Number Port
Function
Service
Management Management Cluster

server 1
Server 2
Witness
14
Localhost TCP/495002 VPlexcli. Not

available on the
public network.
Must be accessed
through SSH.
Telnet
Yes
Yes
No
15
Public port UDP/53
DNS
Yes
Yes
Yes
16
Any firewall between

the Cluster Witness
Server and the
management servers
need to allow traffic
for the IP protocol
number 1 (ICMP), 50
(ESP) und 51 (AH)
Yes
Yes
Yes
Domain Name
Service
1. No specific customer firewall settings are required.

2. No specific customer firewall settings are required.
Communication specifications - VPLEX Geo/Metro system

Figure 10 illustrates the communication between VPLEX components in a VPLEX Metro or
a VPLEX Geo system.
VPLEX Cluster
Witness
VPLEX Cluster 1
VPLEX Cluster 2
D
Customer
IP Network
Management Server
VPLEX
Management
Client
Figure 10 VPLEX Geo or a VPLEX Metro system
24
Management Server
ESRS Server
VPLX-000557
Table 7 describes the possible communication between the VPLEX components in a

VPLEX Geo or a VPLEX Metro system.
Table 7 Communication in a VPLEX Geo/Metro system
Serial
Number A <-> B
A <-> C
A <-> D
B <->C
B <-> D
Yes
Yes
Yes (only
for initial
setup)
Yes
Yes (only
for code
upgrade
s)
Yes (only
for code
upgrade
s)
Yes
Yes
Yes (only
for initial
setup)
Yes
Yes (only
for code
upgrade
s)
Yes (only
for code
upgrade
s)
B <-> E
C <-> D
C <-> E
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
10
Yes
Yes
11
Yes
Yes
12
Yes
Yes
13
Yes
Yes
14
Yes
Yes
15
Yes
16
Yes
Yes
Yes
Yes
Legend:
A - VPLEX Management Client
B - Management Server 1
C - Management Server 2
D - VPLEX Cluster Witness
E - ESRS Server
Communication specifications - VPLEX Local system

Figure 11 illustrates the communication between VPLEX components in a VPLEX Local
system.
25
VPLEX Cluster 1
Customer
IP Network
Management Server
VPLEX
Management
Client
ESRS Server
VPLX-000558
Figure 11 VPLEX Local System
Table 8 describes the possible communication between the VPLEX components in a

VPLEX Local system.
Table 8 Communication in a VPLEX Local system
Serial Number
A <-> B
Yes
Yes
Yes
Yes
Yes
6
7
8
9
Yes
10
Yes
11
Yes
12
Yes
13
Yes
14
Yes
15
16
Legend:
26
B <-> C
A - VPLEX Management Client
B - Management Server 1
C - ESRS Server
Network encryption
The VPLEX management server supports SSH through the sshd daemon provided by the
FIPS compliant OpenSSH package. It supports version 2 of the SSH protocol.
When the management server starts for the first time, the sshd daemon generates
key-pairs (private and public key) for communication with SSH clients. rsa and dsa
key-pairs are generated to support communication with SSH version 2 clients. All keys
have a 2048 bit length.
The HTTPS protocol and the IPsec VPN use a X.509 host certificate to identify the server
and encrypt all traffic. X.509 host certificates use a 2048 bit host key. During initial setup
of a VPLEX cluster, a local Certification Authority (which signs the host certificate request)
is created automatically.
Currently, VPLEX does not support a corporate Certification Authority signing the host
certificate requests.
Creating a local Certification Authority

A Certification Authority (CA) on the VPLEX management server must be created solely for
the purposes of signing management server certificates.
The VPlexcli command security create-ca-cert creates a CA certificate file and private key
protected by a passphrase. By default, this command creates the following:
A 2048-bit CA key in /etc/ipsec.d/private/strongswanKey.pem
A CA certificate in /etc/ipsec.d/cacerts/strongswanCert.pem that remains valid for

1825 days (5 years)
You must provide a passphrase for the CA key and the CA certificate subject. The CA
certificate subject must be the VPLEX cluster's serial number (found on the label attached
to the top of the VPLEX cabinet). If you are creating a CA certificate for a VPLEX Metro or
VPLEX Geo implementation, you can use either cluster's serial number.
Creating a host certificate

Note: Host certificates are created as a part of EZsetup during a first time installation.
The VPlexcli command security create-host-certificate generates a host certificate request
and signs it with the Certification Authority certificate created in the Creating a local
Certification Authority on page 27. By default, this command creates the following:
A 2048 key in /etc/ipsec.d/private/hostKey.pem
A host certificate in /etc/ipsec.d/certs/hostCert.pem that remains valid for 730 days

(2 years)
You must provide the CA key passphrase for the host key and the host certificate subject
which must be the cluster's serial number (found on the label attached to the top of the
VPLEX cabinet).
27
Installing the host certificate for use by HTTPS

At the Linux shell prompt on the management server, type the following command to
transform the X.509 certificate into jks format for use by tomcat:
sudo /opt/emc/VPlex/tools/utils/JKSsetup.pl
You must provide the host certificate's passphrase before converting the host certificate
into a format suitable for HTTPS service.
Obtaining host certificate and host key fingerprints

When users first connect to the management server over SSH or by connecting to the GUI
using the HTTPs protocol, they are asked to confirm the server's identity. Most client
programs display the management server's fingerprints as MD5 or SHA1 checksums,
allowing you to verify that they are connected to the VPLEX management server and not to
another machine, possibly deployed to harvest logins and passwords for a
man-in-the-middle attack.
Once a user confirms the management server's identity, subsequent connections will not
ask for this confirmation, but instead warn the user if the management server's fingerprint
has changed, which may be another indication of man-in-the-middle attacks.
A VPLEX administrator might be asked by security-conscious users for the fingerprints of
both the X.509 certificate used for the GUI and for the host keys used for SSH access to
the management server.
To find the host certificate's SHA1 and (for GUI users) MD5 fingerprints
1. At the Linux shell prompt, type the following command:
/etc/ipsec.d/certs # openssl x509 -noout -in hostCert.pem -fingerprint -md5
Output example:
MD5 Fingerprint=6E:2C:A5:8E:86:11:45:26:02:09:62:97:6F:18:FD:62
2. Type the following command:

/etc/ipsec.d/certs # openssl x509 -noout -in hostCert.pem -fingerprint -sha1
Output example:
SHA1 Fingerprint=2E:B0:DD:59:DD:C3:29:96:33:74:19:CC:A0:81:28:28:6F:4F:76:E4
To find the SSH key fingerprint (for SSH users)

1. At the Linux shell prompt, type the following command:
/etc/ssh > ssh-keygen -l -f ssh_host_dsa_key
Output example:
1024 52:42:70:0c:22:aa:2f:e3:09:18:93:c8:20:a4:78:0c ssh_host_dsa_key.pub

/etc/ssh > ssh-keygen -l -f ssh_host_rsa_key
Output example:
28
Data security settings
1024 a4:d8:64:d0:24:b9:2c:3d:06:24:5f:3a:30:ba:83:f8 ssh_host_rsa_key.pub

/etc/ssh > ssh-keygen -l -f ssh_host_ecdsa_key
Output example:
256 ca:05:f3:9a:3e:51:fe:53:51:90:39:bf:6b:f5:78:56 [MD5]root@ManagementServer (ECDSA)

Encryption of data at rest: user passwords
Hashed user passwords are stored in /etc/shadow on the VPLEX management server.
GeoSynchrony uses a hardcoded hashing algorithm to encrypt the passwords.
29
Copyright 2014 EMC Corporation. All rights reserved.

EMC believes the information in this publication is accurate as of its publication date. The information is subject
to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO REPRESENTATIONS
OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY
DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Use, copying, and distribution of any EMC software described in this publication requires an applicable software
license.
For the most up-to-date regulatory document for your product line, go to the Technical Documentation and
Advisories section on EMC Powerlink.
For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.
All other trademarks used herein are the property of their respective owners.
30

Docu31419 VPLEX Security Configuration Guide

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Docu31419 VPLEX Security Configuration Guide

Hochgeladen von

Copyright:

Verfügbare Formate

EMC VPLEX

Security Configuration Guide

This guide provides an overview of VPLEX security configuration. Topics include:

VPLEX Local (single cluster)

VPLEX Metro (two clusters separated by synchronous distances)

VPLEX Geo (two clusters separated by asynchronous distances)

VPLEX user authentication is configured locally on the management server or remotely on

Figure 1 VPLEX cluster configuration

EMC VPLEX Security Configuration Guide

VPLEX management server operating system and networking

Figure 2 Management server, rear view

EMC VPLEX Security Configuration Guide

VPLEX management server operating system and networking

Accessing the management server

Using SSH to access the management server shell

Users can access the VPLEX command line interface (VPlexcli).

Using HTTPS to access the VPLEX GUI

Using IPsec VPN in a VPLEX Metro implementation

EMC VPLEX Security Configuration Guide

VPLEX management server operating system and networking

Figure 3 IPsec VPN connection

Using SCP to copy files

Using a tunneled VNC connection to access the management server desktop

EMC VPLEX Security Configuration Guide

VPLEX management server operating system and networking

Figure 4 PuTTY Configuration window

2. Expand SSH in the Category list, and click Tunnels.

EMC VPLEX Security Configuration Guide

IP addresses and component IDs

Figure 5 PuTTY configuration: SSH port forwarding parameters

4. Click Open to establish an SSH tunnel to the management server.

IP addresses and component IDs

VPLEX Local - The Cluster ID is always 1.

EMC VPLEX Security Configuration Guide

IP addresses and component IDs

VPLEX VS1 hardware

Public Ethernet port

Figure 6 Component IP addresses in Cluster 1

EMC VPLEX Security Configuration Guide

IP addresses and component IDs

Management network A addresses

Public Ethernet port

Figure 7 Component IP addresses in VPLEX Metro or VPLEX Geo Cluster 2

VPLEX VS2 hardware

EMC VPLEX Security Configuration Guide

IP addresses and component IDs

Public Ethernet port

Figure 8 Component IP addresses in Cluster 1

EMC VPLEX Security Configuration Guide

Public Ethernet port

Figure 9 Component IP addresses in VPLEX Metro or VPLEX Geo Cluster 2

WAN link ports

Note: In Release 5.3, IPv6 is available only with new installations.

Table 1 IPv6 support on VPLEX components

IPv6 address for a cluster

The IP-WAN-COM link

EMC VPLEX Security Configuration Guide

Security configuration settings

Table 1 IPv6 support on VPLEX components

Although VPLEX SMS

The IP address can be

The VPLEX Administration Guide provides additional information on IPv6.

Security configuration settings

EMC VPLEX Security Configuration Guide