Contents
Revision History  3
Terms and definitions  4
Target Audience  4
Introduction  5
Overview of C-Track  6
  Advantages of the C-Track Internet solution  6
Overview of XP Internet connectivity  7
  Components of the XP Internet connectivity solution  7
Internet connectivity security  9
  SVP to HP security measures  10
    Maintenance of the CMS server  10
  HP to SVP security measures  11
    Common characteristics of hpVPN and COR VPN router options  11
    SSH Direct characteristics  11
    The HP router recommendation  12
Customer concerns and Internet connectivity security  13
  Remote access to customer environment and devices is controlled  13
  Authorization to remotely access the XP SVP is controlled  13
  Remote access to customer XP data is not possible  13
HP and customer responsibilities  14
Appendix A: CMS and CAS server requirements  15
  Hardware Requirements  15
  Operating Systems  15
  Software requirements (CMS/FSM)  16
Appendix B: Customer firewall requirements  17
For more information  18
For HP internal and partner use only
Legal notices
Copyright 2008 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited
to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be
liable for errors contained herein or for incidental or consequential damages in connection with the furnishing,
performance, or use of this material.
This document contains proprietary information, which is protected by copyright. No part of this document may
be photocopied, reproduced, or translated into another language without the prior written consent of
Hewlett-Packard. The information is provided as is without warranty of any kind and is subject to change without
notice. The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional
warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Microsoft, Windows, Windows NT, and Windows XP are U.S. registered trademarks of Microsoft Corporation.
All other product names mentioned herein may be trademarks of their respective companies.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The
information is provided as is without warranty of any kind and is subject to change without notice.
The warranties for Hewlett-Packard Company products are set forth in the express limited warranty statements
accompanying such products. Nothing herein should be construed as constituting an additional warranty.
XP array Internet connectivity and security white paper
Revision History

Date            Edition   Revision
October 2008    1.00      First Release
July 2008       1.20
August 2008     1.30
November 2008   1.40      Updated for: RSP A.05.10 MR
Terms and definitions

Term      Definition
CAS
CASii     Plural of CAS
CMS
COR
C-Track   Continuous Track
DMZ       Demilitarized Zone
AMZ
FSM
UR        Universal Router
IPsec     Internet Protocol Security
LAN       Local Area Network
RAP       Remote Access Portal
RDC       Remote Desktop Connection
RSP       Remote Support Pack
SSH       Secure Shell
SVP       Service Processor
SVS       Storage Virtualization System
VPN       Virtual Private Network
XP        eXtended Platform
Target Audience
This guide is intended for both external and internal audiences, and gives a high-level overview of the
end-to-end connectivity of the C-Track XP/RSP solution. The following external audiences are
intended to use this guide:
Customers
Sales Engineers
Customer Engineers
Introduction
The XP array needs a reliable and secure Internet-based remote support solution, by virtue of its
positioning in the enterprise mission-critical application space.
Beginning with the introduction of the HP StorageWorks XP24000 Disk Array, HP offers optional
Internet-based communication between the customer environment and the HP support network,
complementing the alternative modem-based solution.
The XP Internet connectivity solution represents a functional extension of the following HP solutions:
HP StorageWorks XP Continuous Track (C-Track)
HP Remote Support Pack (RSP)
By leveraging RSP, the XP Internet connectivity solution gains the advantages of a proven,
consolidated, high-security, enterprise-wide support model. In addition, the combination of RSP
and extensions to the functionality of C-Track yields a solution that adheres to security design
principles resulting in data privacy, comprehensive operational security, and detailed logging and
auditing.
This white paper provides an overview of the XP Internet connectivity solution in terms of architecture,
features and functionality, and security provisions.
Note
For similar information on the alternative modem connectivity solution, refer
to the HP StorageWorks XP Disk Array Remote Support Service with
Continuous Track white paper, available from your HP representative or
from http://h71028.www7.hp.com/ERC/downloads/5982-5831EN.pdf
Overview of C-Track
C-Track refers to a set of software modules installed at the customer location, enabling a remote
support solution for XP arrays (HP StorageWorks XP24000, XP20000, XP12000, XP10000, XP1024,
and XP128 Disk Arrays) and for HP StorageWorks 200 Storage Virtualization System (SVS200)
devices.
C-Track performs the following functions:
Proactively informs remote HP support personnel about potential XP issues by sending them
incident/event data for analysis.
Transfers array enhanced configuration files and configuration change event bundles for remote HP
support personnel access, whenever the configuration changes.
Provides a remote device access option, enabling HP remote support engineers to connect to the
SVP to perform diagnosis.
RSP Client - The RSP client is the interface for sending events and data collection files to the HP backend
over HTTPS. To use the RSP client, you need to set up a CMS box, on which Software Manager
(SWM) installs and updates the latest client version in a predefined directory.
Firewalls - The customer firewalls shown in Figure 1 support and enforce the customer's network
security policy, while the HP firewall performs the corresponding function for the HP network
security policy. More specifically, the firewalls restrict access to the customer and HP networks from
the Internet. The security policies implemented on these firewalls govern the services that are
allowed, restrictions on IP address ranges, and the ports that can and cannot be
accessed. Firewalls represent network choke points because all network-to-network
communication flows through them, and all of the associated traffic is inspected and restricted. The
physical firewall device may be a router, a server, or a specialized hardware device.
HP firewall - A firewall that is located within the HP network.
Customer internal firewall - An optional firewall that, if used, is located inside the customer's
network.
Customer external firewall - An optional firewall that, if used, is located outside the customer's
network.
Note
For an external firewall, port 443 should be opened, or RSP can utilize the
customer's outbound Web proxy (except with auto-configuration scripts).
Additionally, if there is an internal firewall between the SVP and the CMS, then port
50000 should also be opened.
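The note above fixes two required flows: CMS to the HP backend on TCP 443 (directly or through the customer's web proxy) and, when an internal firewall sits between them, SVP to CMS on TCP 50000. The following added example (not code from the white paper or from HP) evaluates constructed firewall rule sets with first-match semantics against exactly those flows and also flags an any-port allow rule to the Internet that is wider than the requirement; zone names, the rule format, the proxy port and the sample rules are assumptions for the example.

```python
"""Added example, not from the HP white paper: checks that customer firewall
rule sets permit the flows the note requires for RSP, i.e. CMS -> HP backend
on TCP 443 (or CMS -> the customer's outbound web proxy) and, when an internal
firewall separates SVP and CMS, SVP -> CMS on TCP 50000. Zone names, the rule
format, the proxy port and the sample rules are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str             # source zone, or "any"
    dst: str             # destination zone, or "any"
    port: Optional[int]  # TCP port, or None for any port
    action: str          # "allow" or "deny"


def decision(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First-match evaluation with an implicit deny when nothing matches."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, None):
            return r.action
    return "deny"


def check_rsp_flows(external: List[Rule], internal: Optional[List[Rule]],
                    uses_proxy: bool) -> List[str]:
    """Return findings; an empty list means the required flows are open and
    no allow rule wider than the requirement was found on the external firewall."""
    findings = []
    if uses_proxy:
        if decision(external, "cms", "proxy", 8080) != "allow":  # assumed proxy port
            findings.append("CMS cannot reach the outbound web proxy")
    elif decision(external, "cms", "internet", 443) != "allow":
        findings.append("CMS -> Internet TCP 443 is blocked on the external firewall")
    for r in external:  # an any-port allow to the Internet defeats the choke point
        if r.action == "allow" and r.port is None and r.dst == "internet":
            findings.append(f"over-broad rule: {r.src} -> internet on any port")
    if internal is not None and decision(internal, "svp", "cms", 50000) != "allow":
        findings.append("SVP -> CMS TCP 50000 is blocked on the internal firewall")
    return findings


# Constructed sample policies: a correct pair and a pair with typical mistakes.
EXTERNAL_OK = [Rule("cms", "internet", 443, "allow"), Rule("any", "internet", None, "deny")]
EXTERNAL_BAD = [Rule("cms", "internet", None, "allow")]
INTERNAL_OK = [Rule("svp", "cms", 50000, "allow"), Rule("any", "any", None, "deny")]
INTERNAL_BAD = [Rule("any", "any", None, "deny")]

if __name__ == "__main__":
    for label, ext, internal in (("good", EXTERNAL_OK, INTERNAL_OK),
                                 ("bad", EXTERNAL_BAD, INTERNAL_BAD)):
        print(label, check_rsp_flows(ext, internal, uses_proxy=False) or ["no findings"])
```

Pass `internal=None` for a site without an internal firewall between SVP and CMS, and `uses_proxy=True` when RSP is configured to go through the customer's outbound Web proxy instead of direct port 443.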
Universal Router (UR) - The UR receives the data and/or events from the RSP client.
Based on the intended subscriber for the data and/or event at the HP backend, the UR forwards it
to the corresponding subscriber.
HP backend - This is the location where all of the files, such as SIM files, configuration files, and
C-Track XML files, are stored.
RAP - The Remote Access Portal (RAP) is a secure portal used by RSP solutions for remotely
accessing the RSP customer environment to troubleshoot, diagnose, and resolve issues with
monitored devices.
hpVPN Concentrator - The VPN Concentrator creates a virtual private network by creating a secure
connection, called a tunnel, across the Internet (or more generally, a TCP/IP network). The VPN
Concentrator utilizes tunneling protocols to negotiate security parameters, create and manage
tunnels, encapsulate and transmit packets, unencapsulate received packets, and send packets to
their final destinations.
Routers - HP support engineers have the ability to access the customer system remotely by way of
the CAS using IPsec VPN over the Internet. The customer has a choice of one of the following router
options:
hpVPN - A physical VPN router that is owned, pre-configured, installed, and maintained by HP.
COR VPN - This option relies on a customer-owned and managed VPN device. At minimum, the
customer-owned device should be able to communicate using the IPsec protocol with the HP remote
support VPN infrastructure. At present, the XP Internet connectivity solution is compatible with
customer VPN solutions utilizing devices from these manufacturers:
  Stonesoft (Stonegate)
  Juniper (Netscreen)
  Nortel
However, additional customer VPN devices may be accommodated based on HP's evaluation and
approval of the customer's proposed solution.
Secure Shell Direct (SSH Direct) - In the case of SSH Direct, the router functionality is implemented
on the CAS.
CAS - The CAS is a system designated by the customer to serve as the entry point for remote device
access sessions that can be undertaken by HP. It provides a central point at which customers are
able to control remote access into their environment. This is accomplished by giving customers the
ability to set Windows-based access restrictions and to enable or disable external access into
their environment. A single CAS can serve these purposes for multiple products and across multiple
product domains such as storage, servers, and so on.
Tip
For information on CMS and CAS-related server requirements, refer to
Appendix A: CMS and CAS server requirements.
Figure 2 identifies the points of application of security measures in the SVP to HP as well as the HP to
SVP data paths.
LAN. It uses a self-signed X.509v3 digital certificate with 1024-bit encryption and the RSA algorithm
for authentication.
2. At the CMS - The FSM constantly monitors the CMS Drop box, which receives the data and/or
same to the HP backend [the FSM and RSP v5 client are hosted on the same server (CMS)].
4. RSP v5 client to HP backend - The RSP v5 client transfers the data and/or event files to the HP
backend through the Universal Router (UR) using HTTPS communication. These files are sent through the
optional customer firewalls as well as the HP firewall.
digital badge. The support engineer must be an active HP employee for the login credentials to be
valid. This is validated electronically against the HP corporate directory.
2. RAP to CAS connection - From the RAP, the support engineer connects to the CAS at the customer
location. To initiate a connection with the CAS, the HP support engineer must use a digital badge
provided by HP. The connection between the RAP and the CAS is secured by using IPsec tunneling
(VPN). The customer can further enhance security by using SSH server software on the CAS
system. A remote connection using SSH over IPsec tunneling yields a highly secure means of
protecting the customer environment from unauthorized access.
Each of the three router options (hpVPN, COR VPN, and SSH Direct) has certain associated
characteristics.
Common characteristics of hpVPN and COR VPN router options
VPN tunnel using IPsec communication between HP and the customer site.
The customer has access to the Windows security logs, which enables tracking of certain user
access details at the CAS.
NT domain authentication
SSH Direct characteristics
SSH Direct is a direct TCP connection from HP to the customer site by way of the Internet and is
not encapsulated in a VPN tunnel.
F-Secure SSH server software component (recommended by HP) enables the following:
Secure tunneling of Internet protocol services like e-mail, web browsing, and so on.
Simple and secure file transfer over insecure networks, facilitated by a GUI.
Specific services like Terminal Services, FTP, and Secure Shell are enabled to establish a
firewall.
The HP router recommendation
The hpVPN router option is more secure when compared to SSH Direct, due to its utilization of
IPsec tunneling.
The COR VPN option places certain maintenance burdens on the customer that instead
become the responsibility of HP in the case of the hpVPN option. With the hpVPN option, the
HP-owned router is pre-configured by HP, shipped to the customer location, installed by an HP
field service engineer, and maintained/supported by HP, all at no cost to the customer. (On the
other hand, if the customer already has an operational VPN infrastructure, then the COR VPN
option may be an attractive alternative to the hpVPN option.)
3. At the CAS - After the RAP initiates a connection to the CAS, the HP support engineer remotely
logs in to the CAS using a remote connection mechanism like RDC. To log in to the CAS, the
support engineer uses the Windows login credentials provided by the customer. HP recommends
that a site-specific user name and password be established by the customer for usage by
HP support engineers who have a need to gain remote access to the customer environment for
troubleshooting. If the customer chooses instead to control access at the individual person level,
then the ability of HP to provide timely support and service in alignment with certain terms and
conditions will be impaired.
4. CAS to SVP - When authenticated at the CAS, the support engineer can connect to the SVP of the
array, using a remote connection mechanism like RDC, and perform remote diagnosis. The support
engineer must use the SVP Windows login credentials to connect to the SVP.
5. CAS to CMS - When authenticated at the CAS, the support engineer can also connect to the CMS
system, using a remote connection mechanism like RDC, and perform remote diagnosis of the
CMS/FSM. The support engineer must use the CMS Windows login credentials provided by the
customer to connect to the CMS system.
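The CAS is the customer's control point: HP engineers log in over RDC with a site-specific Windows account, and the customer can track that access in the Windows security logs (see the common characteristics above). The following added example (not code from the white paper or from HP) audits constructed CAS security-log records for remote logons by that support account, matching each against the customer's list of open support windows and flagging logons outside any window or by a non-remote logon type. Event ID 4624 (successful logon) and logon type 10 (RemoteInteractive, used by RDC sessions) are real Windows values; the account name, the flat record format, the support windows and the log lines are assumptions for the example.

```python
"""Added example, not from the HP white paper: audit CAS Windows security
records for remote logons by the site-specific HP support account.
Event ID 4624 and logon type 10 are real Windows values; the account name,
the pipe-separated record format and all sample data are constructed."""
from datetime import datetime
from typing import Dict, List, Tuple

SUPPORT_ACCOUNT = "hp-support"  # assumed site-specific account name


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key=Value|Key=Value' record (not EVTX format)."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))


def audit_cas_logons(log_lines: List[str],
                     windows: List[Tuple[datetime, datetime]]) -> List[str]:
    """Return one finding per support-account logon that is not an RDC logon
    inside an authorized support window. Other accounts and other event IDs
    (for example 4634 logoff) are ignored."""
    findings = []
    for line in log_lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("Account") != SUPPORT_ACCOUNT:
            continue
        when = datetime.fromisoformat(ev["Time"])
        if ev.get("LogonType") != "10":
            # The paper describes RDC access only; any other logon type by
            # the support account (console, service, batch) is unexpected.
            findings.append(f"{ev['Time']}: {SUPPORT_ACCOUNT} logon type "
                            f"{ev.get('LogonType')} (expected remote/10)")
            continue
        if not any(start <= when <= end for start, end in windows):
            findings.append(f"{ev['Time']}: {SUPPORT_ACCOUNT} remote logon from "
                            f"{ev.get('Source', '?')} outside any authorized window")
    return findings


# Constructed sample records and a single authorized support window.
SAMPLE_LOG = [
    "Time=2008-11-03T09:15:00|EventID=4624|Account=hp-support|LogonType=10|Source=10.0.5.4",
    "Time=2008-11-03T22:40:00|EventID=4624|Account=hp-support|LogonType=10|Source=10.0.5.4",
    "Time=2008-11-04T08:00:00|EventID=4624|Account=hp-support|LogonType=2|Source=-",
    "Time=2008-11-04T08:05:00|EventID=4624|Account=storageadmin|LogonType=10|Source=10.0.9.2",
    "Time=2008-11-04T08:10:00|EventID=4634|Account=hp-support|LogonType=10|Source=10.0.5.4",
]
SAMPLE_WINDOWS = [(datetime(2008, 11, 3, 9, 0), datetime(2008, 11, 3, 12, 0))]

if __name__ == "__main__":
    for finding in audit_cas_logons(SAMPLE_LOG, SAMPLE_WINDOWS):
        print(finding)
```

The same check can be fed a real export if the customer's log collector writes records in a comparable flat form; the point is that every support-account logon on the CAS should be explainable by an open support case.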
[Table: HP and customer responsibilities. Only the headings survived extraction: HP, Customer, SVP components, Routers, Required changes to customer firewall, hpVPN.]
Appendix A: CMS and CAS server requirements
The CMS must be provided by the customer, based on the following minimum system requirements.
Hardware Requirements
Any HP ProLiant x86 system running a supported OS that meets the minimum specifications
Any HP ProLiant x64 system running a supported OS that meets the minimum specifications
Minimum Specifications:
Note
The following HP servers that meet these minimum requirements can be
ordered from www.hp.com.
HP ProLiant with 1 GB of RAM and a 72-GB drive (for example,
HP ProLiant DL385 server)
or
HP Integrity with 1 GB of RAM and a 72-GB drive (for example,
HP Integrity rx1620 server, HP Integrity rx2620 server) (or) equivalent
Operating Systems:
Microsoft Windows Server 2003 Standard or Enterprise Edition for x86 with SP1 (running on x86 or
x64/AMD64 platforms)
Microsoft Windows Server 2003 for x64
Microsoft Windows 2003 SMB, with SP1
Microsoft Windows 2003 Server with installed Multilingual User Interface Pack (MUI)
Microsoft Windows 2003 with International Server
Microsoft Windows Server 2008
Note
HP recommends using the latest service packs and security patches.
Note
An RSP standard configuration server or advanced configuration server
cannot be used to host the FSM software package in the Asia Pacific
region. This is because the server monitoring infrastructure is different from
the XP monitoring infrastructure for Asia Pacific.
Appendix B: Customer firewall requirements
The customer's DMZ is the area of the customer's network that lies between the customer's external
and internal firewalls.
Note
For more information on firewall requirements and related information,
contact your HP representative.