
XP array Internet connectivity and security white paper

For HP internal and partner use only

Contents
Revision History  3
Terms and definitions  4
Target Audience  4
Introduction  5
Overview of C-Track  6
  Advantages of the C-Track Internet solution  6
Overview of XP Internet connectivity  7
  Components of the XP Internet connectivity solution  7
Internet connectivity security  9
  SVP to HP security measures  10
    Maintenance of the CMS server  10
  HP to SVP security measures  11
    Common characteristics of hpVPN and COR VPN router options  11
    SSH Direct characteristics  11
    The HP router recommendation  12
Customer concerns and Internet connectivity security  13
  Remote access to customer environment and devices is controlled  13
  Authorization to remotely access the XP SVP is controlled  13
  Remote access to customer XP data is not possible  13
HP and customer responsibilities  14
Appendix A: CMS and CAS server requirements  15
  Hardware Requirements  15
  Operating Systems  15
  Software requirements (CMS/FSM)  16
Appendix B: Customer firewall requirements  17
For more information  18


Legal notices
Copyright 2008 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited
to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be
liable for errors contained herein or for incidental or consequential damages in connection with the furnishing,
performance, or use of this material.
This document contains proprietary information, which is protected by copyright. No part of this document may
be photocopied, reproduced, or translated into another language without the prior written consent of
Hewlett-Packard. The information is provided "as is" without warranty of any kind and is subject to change without
notice. The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional
warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Microsoft, Windows, Windows NT, and Windows XP are U.S. registered trademarks of Microsoft Corporation.
All other product names mentioned herein may be trademarks of their respective companies.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The
information is provided as is without warranty of any kind and is subject to change without notice.
The warranties for Hewlett-Packard Company products are set forth in the express limited warranty statements
accompanying such products. Nothing herein should be construed as constituting an additional warranty.
XP array Internet connectivity and security white paper

Version 1.40 (November 2008)


Printed in the U.S.A.

Revision History

Date            Edition   Revision
October 2008    1.00      First Release
July 2008       1.20      Updated for the CMS/RSP supportability
August 2008     1.30      Updated for: RSP A.05.10 MR. Including various corrections/enhancements.
November 2008   1.40      Updated Appendix A. Added support for Windows Server 2008


Terms and definitions

Term      Definition
CAS       Customer Access System
CASii     Plural of CAS
CMS       Central Management Server
COR       Customer Owned Router
C-Track   HP StorageWorks XP Continuous Track
DMZ       Demilitarized Zone
AMZ       Americas Data Depot
FSM       File Submitter Module
UR        Universal Router
IPsec     Internet Protocol Security
LAN       Local Area Network
RAP       Remote Access Portal
RDC       Remote Desktop Connection
RSP       Remote Support Pack
SSH       Secure Shell
SVP       Service Processor
SVS       Storage Virtualization System
VPN       Virtual Private Network
XP        eXtended Platform

Target Audience
This guide gives an external and internal audience a high-level overview of the end-to-end
connectivity of the C-Track XP/RSP solution. The following external audiences are intended to use
this guide:
- Customers
- Sales Engineers
- Customer Engineers


Introduction
The XP array needs a reliable and secure Internet-based remote support solution, by virtue of its
positioning in the enterprise mission-critical application space.
Beginning with the introduction of the HP StorageWorks XP24000 Disk Array, HP offers optional
Internet-based communication between the customer environment and the HP support network,
complementing the alternative modem-based solution.
The XP Internet connectivity solution represents a functional extension of the following HP solutions:
- HP StorageWorks XP Continuous Track (C-Track)
- HP Remote Support Pack (RSP)
By leveraging from RSP, the XP Internet connectivity solution gains the advantages of a proven,
consolidated, and high-security enterprise-wide support model. In addition, the combination of RSP
and extensions to the functionality of C-Track yields a solution that adheres to security design
principles that result in data privacy, comprehensive operational security, and detailed logging and
auditing.
This white paper provides an overview of the XP Internet connectivity solution in terms of architecture,
features and functionality, and security provisions.
Note
For similar information on the alternative modem connectivity solution, refer
to the HP StorageWorks XP Disk Array Remote Support Service with
Continuous Track white paper, available from your HP representative or
from http://h71028.www7.hp.com/ERC/downloads/5982-5831EN.pdf


Overview of C-Track
C-Track refers to a set of software modules installed at the customer location, enabling a remote
support solution for XP arrays (HP StorageWorks XP24000, XP20000, XP12000, XP10000, XP1024,
and XP128 Disk Arrays) and for HP StorageWorks 200 Storage Virtualization System (SVS200)
devices.
C-Track performs the following functions:
- Proactively informs remote HP support personnel about potential XP issues by sending them
  incident/event data for analysis.
- Transfers array enhanced configuration files and configuration change event bundles for remote HP
  support personnel access, whenever the configuration changes.
- Provides a remote device access option, enabling HP remote support engineers to connect to the
  SVP to perform diagnosis.

Advantages of the C-Track Internet solution


The advantages of the C-Track Internet solution in comparison to the alternative C-Track modem
solution are as follows:
- More reliable and higher speed connections to the HP support backend
- Transmission of larger files, for example configuration files and dump files, to enhance remote
  troubleshooting
- Support for more rapid remote repair
- Support for higher availability
- Elimination of telephone line and modem-related issues, including infrastructure setup and
  maintenance costs


Overview of XP Internet connectivity


Figure 1. Internet connectivity architecture

Components of the XP Internet connectivity solution

- XP Array: The XP Array is the physical storage device that is being supported by the XP Internet
  connectivity solution.
- SVP: The SVP is the service processor attached to the XP array, and is connected to the customer LAN.
- SVP components: The SVP components are C-Track software modules that are installed on the
  SVP of the XP array and are activated when the C-Track application is installed. The SVP
  components:
  - Enable configuration and viewing of C-Track settings and services by local and remote
    HP engineers
  - Formulate incident/event and configuration-related files, and initiate transmission of these files to
    HP
  - Respond to any remote commands received from HP
- CMS: The Central Management Server (CMS) is a customer-provided server, which hosts the FSM, the
  RSP Client, and the CMS Drop Box services. This server acts as a central point through which data
  and/or events are routed from the SVP to the HP backend.
- CMS Drop Box: The CMS Drop Box application is a web application provided by the RSP Client on the
  CMS system, which receives data and/or events from the SVP over the https protocol. The FSM
  constantly monitors the CMS Drop Box folder.
- FSM: The File Submitter Module (FSM) is a software component of C-Track installed on the CMS at the
  customer location for Internet-connectivity-based arrays. The FSM resides on the Central Management
  Server (CMS) and acts as a transmitter of data and/or events from the SVP to the RSP Client.


- RSP Client: The RSP client is an interface for sending events and data collection files to the HP backend
  over the https protocol. To use the RSP client you need to set up a CMS box where Software Manager
  (SWM) will update/install the latest client version in a predefined directory.
- Firewalls: The customer firewalls shown in Figure 1 support and enforce the customer's network
  security policy, while the HP firewall performs the corresponding function relative to the HP network
  security policy. More specifically, the firewalls restrict access to the customer and HP networks from
  the Internet. The security policies implemented on these firewalls govern the services that are
  allowed, restrictions pertaining to IP address ranges, and the ports that can and cannot be
  accessed. Firewalls represent network choke points because all network-to-network
  communication flows through them, and all of the associated traffic is inspected and restricted. The
  physical firewall device may be a router, a server, or a specialized hardware device.
  - HP firewall: A firewall that is located within the HP network.
  - Customer internal firewall: An optional firewall that, if used, is located inside the customer's
    network.
  - Customer external firewall: An optional firewall that, if used, is located outside the customer's
    network.

  Note
  For an external firewall, port 443 should be opened, or RSP should use the
  customer's outbound web proxy (except with auto-configuration scripts).
  Additionally, if there is an internal firewall between the SVP and the CMS, then port
  50000 should also be opened.

- Universal Router (UR): The UR receives data and/or events from the RSP Client.
  Based on the intended subscriber for the data and/or event at the HP backend, the UR forwards them
  to the corresponding subscriber.
- HP backend: This is the location where all of the files, such as SIM files, configuration files, and
  C-Track XML files, are stored.
- RAP: The Remote Access Portal (RAP) is a secure portal used by RSP solutions for remotely
  accessing the RSP customer environment to troubleshoot, diagnose, and resolve issues with
  monitored devices.
- hpVPN Concentrator: The VPN Concentrator creates a virtual private network by creating a secure
  connection, called a tunnel, across the Internet (or more generally, a TCP/IP network). The VPN
  Concentrator utilizes tunneling protocols to negotiate security parameters, create and manage
  tunnels, encapsulate and transmit packets, unencapsulate received packets, and send packets to
  their final destinations.
- Routers: HP support engineers have the ability to access the customer system remotely by way of
  the CAS using IPsec VPN over the Internet. The customer has a choice of one of the following router
  options:
  - hpVPN: A physical VPN router that is owned, pre-configured, installed, and maintained by HP.
  - COR VPN: This option relies on a customer-owned and managed VPN device. At minimum the
    customer-owned device should be able to communicate using the IPsec protocol with the HP remote
    support VPN infrastructure. At present the XP Internet connectivity solution is compatible with
    customer VPN solutions utilizing devices from these manufacturers:
    - Cisco (router, PIX, or concentrator)
    - Stonesoft (StoneGate)
    - Check Point (various devices including Nokia)
    - Juniper (NetScreen)
    - Nortel
    However, additional customer VPN devices may be accommodated based on HP's evaluation and
    approval of the customer's proposed solution.
  - Secure Shell Direct (SSH Direct): In the case of SSH Direct, the router functionality is implemented
    on the CAS.
- CAS: The CAS is a system designated by the customer to serve as the entry point for remote device
  access sessions that can be undertaken by HP. It provides a central point at which customers are
  able to control remote access into their environment. This is accomplished by giving customers the
  ability to set Windows-based access restrictions and to enable/disable external access into
  their environment. A single CAS can serve these purposes for multiple products and across multiple
  product domains such as storage, servers, and so on.

Tip
For information on CMS and CAS-related server requirements, refer to
Appendix A: CMS and CAS server requirements.

Internet connectivity security


Network security refers to the means by which a network is protected against threats of various forms.
This includes threats to the confidentiality, integrity, and availability of data.
Application and overall solution security likewise involve protection from threats to data
confidentiality, integrity, and availability.
The security measures that are applied in a well-designed solution result from the application of the
following process:
- Identifying what is to be protected, and from whom or what
- Developing effective protection measures
- Reviewing the approach on a periodic basis, and making appropriate adjustments and
  improvements
The XP Internet connectivity solution incorporates security measures that have been yielded from this
process. As such, the XP Internet connectivity solution provides protection from threats to data
confidentiality, integrity, and availability.


Figure 2. XP Array Internet connectivity security architecture

Figure 2 identifies the points of application of security measures in the SVP to HP as well as the HP to
SVP data paths.

SVP to HP security measures


The red numerals 1 to 4 that are embedded in Figure 2 correspond to the following points of
application of security standards in the SVP to HP data transfer path.
1. SVP to CMS: The SVP transfers data to the FSM at the CMS over the https protocol, using the customer
   LAN. It uses a self-signed X.509v3 digital certificate with 1024-bit encryption and the RSA algorithm
   for authentication.
2. At the CMS: The FSM constantly monitors the CMS Drop Box, which receives the data and/or
   events from the SVP.
3. FSM to RSP v5 client: The FSM submits the files to the RSP v5 client, which in turn submits the
   same to the HP backend (the FSM and RSP v5 client are hosted on the same server, the CMS).
4. RSP v5 client to HP backend: The RSP v5 client transfers the data and/or event files to the HP
   backend through the Universal Router (UR) using https communication. These files are sent through the
   optional customer firewalls as well as the HP firewall.

Maintenance of the CMS server


The customer performs the CMS user account management and system maintenance activities
including security updates/patches, anti-virus updates, and so on.


HP to SVP security measures


The blue numerals 1 to 5 embedded in Figure 2 correspond to the following points of application of
security standards in the HP to SVP data transfer path.
1. At the RAP: The HP support engineer logs in to the RAP using HP-provided login credentials or a
   digital badge. The support engineer must be an active HP employee for the login credentials to be
   valid. This is validated electronically against the HP corporate directory.
2. RAP to CAS connection: From the RAP, the support engineer connects to the CAS at the customer
   location. To initiate a connection with the CAS, the HP support engineer must use a digital badge
   provided by HP. The connection between the RAP and the CAS is secured by using IPsec tunneling
   (VPN). The customer can further enhance security by using SSH server software on the CAS
   system. Remote connection with SSH over IPsec tunneling yields a highly secure means of
   protecting the customer environment from unauthorized access.
   Each of the three router options (hpVPN, COR VPN, and SSH Direct) has certain associated
   characteristics.
Common characteristics of hpVPN and COR VPN router options
- A physical router-based solution, which is more secure than a software-based configuration.
- VPN tunnel using IPsec communication between HP and the customer site.
- The customer has access to the Windows security logs, which enables tracking of certain user
  access details at the CAS.
- By implementing the following industry-standard encryption and authentication technologies, the
  hpVPN and COR VPN router options satisfy key security-related objectives that are of interest to
  the customer:
  - Privacy of data:
    - 128-bit RC4 encryption ciphers
    - IPsec/ESP VPN with 3DES encryption cipher
    - SSH2 with 3DES encryption cipher
  - Integrity of data:
    - MD5 message digest with X.509v3 digital certificate standard
  - Authenticity of data:
    - SSL with X.509v3 certificate standard
    - MD5 message digest with X.509v3 digital certificate standard
  - Authenticity of users:
    - PKI authentication (X.509v3 digital certificate standard)
    - NT domain authentication

SSH Direct characteristics
- SSH Direct is a direct TCP connection from HP to the customer site by way of the Internet and is
  not encapsulated in a VPN tunnel.
- The F-Secure SSH server software component (recommended by HP) enables the following:
  - Secure login session tunneling through insecure networks.
  - Secure tunneling of Internet protocol services like e-mail, web browsing, and so on.
  - Simple and secure file transfer over insecure networks, facilitated by a GUI.
  - Elimination of a direct connection to the Internet by reliance on an external and internal
    firewall.
  - Specific services like Terminal Services, FTP, and Secure Shell are enabled to establish a
    firewall.


The HP router recommendation

HP recommends the hpVPN router option, for the following reasons:
- The hpVPN router option is more secure when compared to SSH Direct, due to its utilization of
  IPsec tunneling.
- The COR VPN option places certain maintenance burdens on the customer that instead
  become the responsibility of HP in the case of the hpVPN option. With the hpVPN option, the
  HP-owned router is pre-configured by HP, shipped to the customer location, installed by an HP
  field service engineer, and maintained/supported by HP, all at no cost to the customer. (On the
  other hand, if the customer already has an operational VPN infrastructure, then the COR VPN
  option may be an attractive alternative to the hpVPN option.)


3. At the CAS: After the RAP initiates a connection to the CAS, the HP support engineer remotely
   logs in to the CAS using a remote connection mechanism like RDC. To log in to the CAS, the
   support engineer uses the Windows login credentials provided by the customer. HP recommends
   that a site-specific user name and password be established by the customer for use by
   HP support engineers who need to gain remote access to the customer environment for
   troubleshooting. If the customer chooses instead to control access to the individual-person level,
   then the ability of HP to provide timely support and service in alignment with certain terms and
   conditions will be impaired.
4. CAS to SVP: When authenticated at the CAS, the support engineer can connect to the SVP of the
   array, using a remote connection mechanism like RDC, and perform remote diagnosis. The support
   engineer must use the SVP Windows login credentials to connect to the SVP.
5. CAS to CMS: When authenticated at the CAS, the support engineer can also connect to the CMS
   system, using a remote connection mechanism like RDC, and perform remote diagnosis of the
   CMS/FSM. The support engineer must use the CMS Windows login credentials provided by the
   customer to connect to the CMS system.
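The Windows security logs on the CAS are the customer's own record of the HP logons described in steps 3 to 5, and they can be reviewed mechanically. The following script is an added example written for this document, not HP or RSP tooling. The CSV event export, the site-specific account name hpsupport, the VPN router's inside network and the permitted hours are all constructed assumptions. It keeps only the HP account's RemoteInteractive logons (logon type 10, which is what an RDC session produces; event 4624 is a successful logon and 4625 a failed one) and flags successful logons that arrive from outside the expected network or outside the hours during which the customer allows remote access.

```python
import csv
import io
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: a CSV export of CAS Security log logon events (not real data).
# EventID 4624 = successful logon, 4625 = failed logon; LogonType 10 = RemoteInteractive,
# the logon type an RDC/RDP session produces on the CAS.
SAMPLE_EVENTS = """\
TimeCreated,EventID,LogonType,TargetUserName,IpAddress
2008-11-03T09:12:41,4624,10,hpsupport,10.10.250.5
2008-11-03T09:40:02,4624,10,hpsupport,10.10.250.5
2008-11-03T22:15:30,4625,10,hpsupport,192.0.2.77
2008-11-03T22:15:44,4625,10,hpsupport,192.0.2.77
2008-11-04T02:03:11,4624,10,hpsupport,192.0.2.77
2008-11-04T08:30:00,4624,2,jsmith,-
"""

# Assumed site policy (constructed for this example): HP sessions reach the CAS only from the
# VPN router's inside network, and only during the customer's business hours (local time).
HP_ACCOUNT = "hpsupport"                          # hypothetical site-specific HP user name
HP_ACCESS_NETWORKS = [ip_network("10.10.250.0/24")]
ALLOWED_HOURS = range(8, 18)                      # 08:00 to 17:59


def parse_events(text):
    """Parse the CSV export into dicts with typed timestamp, event id and logon type."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["TimeCreated"] = datetime.fromisoformat(row["TimeCreated"])
        row["EventID"] = int(row["EventID"])
        row["LogonType"] = int(row["LogonType"])
        events.append(row)
    return events


def _from_expected_network(src):
    """True if the source address lies inside one of the networks HP sessions should come from."""
    if src == "-":                      # local or unknown source in the Windows event
        return False
    return any(ip_address(src) in net for net in HP_ACCESS_NETWORKS)


def review_hp_access(events):
    """Classify the HP support account's remote (type 10) logon events."""
    findings = {"successful": [], "failed": [], "unexpected_source": [], "outside_hours": []}
    for e in events:
        if e["TargetUserName"] != HP_ACCOUNT or e["LogonType"] != 10:
            continue                    # other accounts and console logons are out of scope
        if e["EventID"] == 4625:
            findings["failed"].append(e)
        elif e["EventID"] == 4624:
            findings["successful"].append(e)
            if not _from_expected_network(e["IpAddress"]):
                findings["unexpected_source"].append(e)
            if e["TimeCreated"].hour not in ALLOWED_HOURS:
                findings["outside_hours"].append(e)
    return findings


def summarize(findings):
    """Counts per finding type, plus the distinct source addresses seen on failed attempts."""
    summary = {key: len(value) for key, value in findings.items()}
    summary["failed_sources"] = sorted({e["IpAddress"] for e in findings["failed"]})
    return summary


if __name__ == "__main__":
    for key, value in summarize(review_hp_access(parse_events(SAMPLE_EVENTS))).items():
        print(f"{key}: {value}")
```

On the constructed sample the review reports three successful and two failed HP logons, with one success flagged on both counts (from an address outside the VPN network, at 02:03). The same filter can be run against a real export produced by the Windows Event Viewer, after adjusting the column names to the export format used.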


Customer concerns and Internet connectivity security


The HP RSP-based Internet connectivity solutions effectively address key customer concerns relating to
security. In the case of the XP Internet connectivity solution, the overall solution design, security
architecture, and specific application of the security measures described in this document work
together to ensure the following.

Remote access to customer environment and devices is controlled
- The customer has the ability to enable and disable any form of external access to his or her
  environment, by means of CAS settings.
- When external access is enabled, only actively employed and authorized HP support personnel
  who are in possession of a site-specific or individual-person customer-provided CAS user name and
  password are able to gain access to the customer environment through the RAP and the CAS.
- The customer has the ability to modify CAS login user names and passwords at any time.
- The customer has the ability to control CAS login user names and passwords to the individual-person
  level, although in this case the ability of HP to provide timely remote support in alignment with
  certain terms and conditions will be impaired.
- When external access is enabled, the customer can ensure that HP support engineers can access
  only the specific customer-approved devices (servers, storage, and so on) in the customer
  environment. The customer can easily achieve this by positioning the CAS (or CASii) in the customer
  network with appropriate access control rules, allowing communication only between specific IP
  addresses using specific protocols.

Authorization to remotely access the XP SVP is controlled
Accessing the XP SVP is a specific example of accessing a device in the customer environment. See
the previous section.

Remote access to customer XP data is not possible
The design of the XP array prevents the ability to retrieve, view, or modify the customer data, which
are stored on the XP array, from the SVP. In other words, there is no connection within the XP array
that provides the ability to access customer data from the SVP, even for onsite or remote HP support
engineers.

Important
The default login credentials to access the CAS will consist of a site-specific
user name and a password, established by the customer, to be used by
HP support engineers who have a need to gain remote access to the
customer environment for troubleshooting. If the customer chooses instead
to control access to the individual-person level, then the ability of HP to
provide timely remote support in alignment with certain terms and
conditions will be impaired. The customer can modify the site-specific user
name and password according to his or her policies. However, the
customer will need to notify HP of this in a coordinated manner to be
ensured of the necessary level of remote support on a continuous basis.


HP and customer responsibilities


The following outlines the responsibilities of HP and the customer with reference to the provision
and maintenance of the various components of the end-to-end solution.

HP responsibilities:
- SVP components
- FSM: HP-installed software
- Routers: hpVPN

Customer responsibilities:
- CMS: hardware, operating system, access control, anti-virus updates, and security patch updates
- CAS: hardware, operating system, access control, anti-virus updates, and security patch updates
- Routers: COR VPN/SSH Direct
- Required changes to customer firewall


Appendix A: CMS and CAS server requirements

The FSM software package and RSP v5 client can be installed on any customer-provided server (CMS)
that meets the following hardware and software requirements.

Important
The same hardware and operating system requirements apply to the CAS
server as well. One common server meeting these requirements can be
used to host both the CMS and the CAS.

The CMS must be provided by the customer, based on the following minimum system requirements.

Hardware Requirements
- Any HP ProLiant x86 system running a supported OS that meets the minimum specifications
- Any HP ProLiant x64 system running a supported OS that meets the minimum specifications
Minimum specifications:
- 2.4-GHz processor with 2 GB RAM
- 500 MB free disk space

Note
The following HP servers that meet these minimum requirements can be
ordered from www.hp.com.
- HP ProLiant with 1 GB of RAM and a 72-GB drive (for example,
  HP ProLiant DL385 server)
or
- HP Integrity with 1 GB of RAM and a 72-GB drive (for example,
  HP Integrity rx1620 server, HP Integrity rx2620 server), or equivalent

Operating Systems
- Microsoft Windows Server 2003 Standard or Enterprise Edition for x86 with SP1 (running on x86 or
  x64/AMD64 platforms)
- Microsoft Windows Server 2003 for x64
- Microsoft Windows 2003 SMB, with SP1
- Microsoft Windows 2003 Server with installed Multilingual User Interface Pack (MUI)
- Microsoft Windows 2003 with International Server
- Microsoft Windows Server 2008
Note
The latest service packs and security patches are recommended.


Software requirements (CMS/FSM)

- HP Systems Insight Manager 5.1 or higher
- HP System Management Homepage (SMH) 2.1.7 or higher
- HP Remote Support Software Manager (RSSWM)
- JRE 1.5.xx

  Important
  For the convenience of users, one of the supported versions (JRE 1.5 update
  16) is bundled as part of the FSM CD. Alternately, the latest JRE 1.5.xx is
  available for download from the Sun Java website
  (http://java.sun.com/products/archive/).

- Antivirus software (compliant with customer policy)
- Firewall software (based on customer policies)
- WinZip 9.0 or higher (optional)
- RSP Client version A.05.10
- FSM software package

Note
The FSM software package cannot be installed on HP StorageWorks
Command View or Performance Analyzer (PA) workstations because they
do not meet the minimum software requirements.

Note
An RSP standard configuration server or advanced configuration server
cannot be used to host the FSM software package in the Asia Pacific
region. This is because the server monitoring infrastructure is different from
the XP monitoring infrastructure for Asia Pacific.


Appendix B: Customer firewall requirements

Customer's external firewall: RSP remote connectivity does not require that the customer have an
external firewall. If the customer does have a firewall, it must be configured to allow remote
connectivity to HP based on the router alternative selected (hpVPN, COR VPN, SSH Direct) and http
traffic.
Customer's internal firewall: RSP remote connectivity supports customers with or without an internal
firewall. The customer's internal firewall, if it exists, may require port setting modifications to support
communications between devices utilized by the Internet connectivity solution in the customer's DMZ
and the customer's enterprise network.
Note
For an external firewall, port 443 should be opened, or RSP should use the
customer's outbound web proxy (except with auto-configuration scripts).
Additionally, if there is an internal firewall between the SVP and the CMS, then port
50000 should also be opened.

The customer's DMZ is the area of the customer's network that exists between the customer's external
and internal firewalls.
Note
For more information on firewall requirements and related information,
contact your HP representative.
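The two port requirements in the Note above (TCP 443 outbound from the CMS through the external firewall unless the customer's outbound web proxy is used, and TCP 50000 from the SVP to the CMS when an internal firewall sits between them) can be turned into a small audit of the customer's own rule set. The following script is an added example for this document, not an HP tool. The SVP and CMS addresses are constructed values from the documentation ranges, and the HP backend range is a placeholder to be replaced with the range HP supplies for the site. Besides reporting required flows that no allow rule permits, it reports rules that do permit a required flow but with "any" as source, destination or port, since the access-control intent described in this paper is communication only between specific addresses on specific protocols.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Union

# Constructed sample addresses from the RFC 5737 documentation ranges, not a real deployment.
SVP_IP = "192.0.2.10"            # SVP on the customer LAN
CMS_IP = "198.51.100.20"         # CMS in the customer DMZ
HP_BACKEND = "203.0.113.0/24"    # PLACEHOLDER for the HP backend range; use the value HP supplies


@dataclass(frozen=True)
class Rule:
    """One allow/deny rule of a simple stateful firewall policy (TCP only for this audit)."""
    src: str                 # IP address, CIDR, or "any"
    dst: str                 # IP address, CIDR, or "any"
    dport: Union[int, str]   # TCP destination port or "any"
    action: str = "allow"


def _net_covers(spec, addr):
    """True if the rule's address spec includes every address of addr (host or CIDR)."""
    if spec == "any":
        return True
    return ip_network(addr, strict=False).subnet_of(ip_network(spec, strict=False))


def _port_covers(spec, port):
    return spec == "any" or spec == port


def required_rules(external_firewall, uses_web_proxy, internal_firewall_between_svp_and_cms):
    """Minimal allow rules the Note calls for, derived from the customer's topology."""
    required = []
    if internal_firewall_between_svp_and_cms:
        required.append(Rule(SVP_IP, CMS_IP, 50000))      # SVP -> CMS Drop Box (https)
    if external_firewall and not uses_web_proxy:
        required.append(Rule(CMS_IP, HP_BACKEND, 443))    # RSP client -> HP backend (https)
    # With an outbound web proxy the CMS talks to the proxy instead; that rule depends on
    # the customer's proxy placement and is not derived here.
    return required


def audit(existing, required):
    """Report required flows nothing permits, and permitting rules that are wider than needed."""
    missing, overbroad = [], []
    for need in required:
        permitting = [r for r in existing
                      if r.action == "allow"
                      and _net_covers(r.src, need.src)
                      and _net_covers(r.dst, need.dst)
                      and _port_covers(r.dport, need.dport)]
        if not permitting:
            missing.append(need)
        for r in permitting:
            if "any" in (r.src, r.dst, r.dport) and r not in overbroad:
                overbroad.append(r)
    return {"missing": missing, "overbroad": overbroad}


if __name__ == "__main__":
    # Constructed rule set: a wide-open rule for port 50000 and no https rule to HP at all.
    current = [Rule("any", "any", 50000), Rule(CMS_IP, HP_BACKEND, 80)]
    needed = required_rules(external_firewall=True, uses_web_proxy=False,
                            internal_firewall_between_svp_and_cms=True)
    result = audit(current, needed)
    for need in result["missing"]:
        print(f"MISSING: allow {need.src} -> {need.dst} tcp/{need.dport}")
    for rule in result["overbroad"]:
        print(f"OVERBROAD: {rule.src} -> {rule.dst} tcp/{rule.dport} permits more than required")
```

A rule set that names the SVP (or its subnet) and the CMS explicitly, and the CMS and the HP backend range explicitly, passes the audit with nothing to report; the sample rule set is reported as missing the https rule and as relying on an any/any rule for port 50000.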


For more information

For more information about HP StorageWorks XP Continuous Track (C-Track), including more
detailed information pertaining to Internet connectivity site preparation, solution implementation,
and security, contact your HP representative.
For more information on HP Remote Support Pack (RSP), and the full range of products supported by
RSP, visit: http://h20219.www2.hp.com/services/cache/452199-0-0-225-121.html
For more information on HP Services, contact your local HP Account Support Team or any of our
worldwide sales offices, or visit us at: www.hp.com/go/services
Additional information about XP array storage devices may be found on the Manuals page of the
HP Business Support Center website: http://www.hp.com/support/manuals. In the Storage section,
click Disk Storage Systems and then select the product (for example, XP24000).
For the Disaster Proof video and other information, visit: www.hp.com/go/DisasterProof
For any other information, contact your HP representative.

© 2008 Hewlett-Packard Development Company, L.P. The information contained
herein is subject to change without notice. The only warranties for HP products and
services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or
omissions contained herein.
Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation.
4AA1-3017ENW, November 2008
