Dell PowerStore 500T EMC PowerStore Security Configuration Guide
Dell PowerStore 500T manual content summary:
- Dell PowerStore 500T | EMC PowerStore Security Configuration Guide - Page 1
Dell EMC PowerStore Security Configuration Guide Version 2.x June 2021 Rev. A06 - Page 2
and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. © 2020 - 2021 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may - Page 3
Reset admin and service account passwords...12 Certificates...14 Viewing certificates...14 Secure communication between PowerStore appliances within a cluster 15 Secure communication for replication and data import 15 vSphere Storage API for Storage Awareness support - Page 4
settings...48 Configure email notifications...49 Configure SNMP...49 Appendix A: TLS cipher suites...51 Supported TLS cipher suites...51 Appendix B: Directory Services 52 Configuring Directory Services...52 Configure LDAP server...52 Verify LDAP configuration...54 Configure Secure LDAP...55 Verify - Page 5
PowerStore Documentation page at https://www.dell.com/powerstoredocs. ● Troubleshooting For information about products, software updates, licensing, and service, go to https://www.dell.com/support and locate the appropriate product support page. ● Technical support For technical support and service - Page 6
between PowerStore appliances within a cluster • Secure communication for replication and data import • vSphere Storage API for Storage Awareness support Access Protocol (LDAP) is an application protocol for querying directory services running on TCP/IP networks. LDAP provides central management of - Page 7
is recommended that you initially configure PowerStore using PowerStore Manager rather than using the API, CLI, or Service Scripts interfaces. It ensures that all of alphanumeric characters Maximum number of alphanumeric characters Supported special characters Username requirement Must start and - Page 8
of numeric characters Minimum number of special characters ● Supported characters NOTE: The password cannot include single quote for ESXi on a PowerStore X model appliance is in the following format: _123!, where is the seven-character Dell Service Tag for the appliance - Page 9
file The following table lists the roles and privileges related to file that the system supports: NOTE: A check mark in a box denotes a supported privilege for that role, while a blank box denotes that the privilege is not supported for that role. Table 3. Roles and privileges related to file. Columns: Task | Operator | VM Administrator | Security Administrator | Storage Administrator | Administrator | Storage Operator - Page 10
Table 3. Roles and privileges related to file (continued). Columns: Task | Operator | VM Administrator | Security Administrator | Storage Administrator | Administrator | Storage Operator. View the following: ● List of file DNS servers or a specified DNS server ● List of file FTP servers or a specified FTP server ● - Page 11
Table 3. Roles and privileges related to file (continued). Columns: Task | Operator | VM Administrator | Security Administrator | Storage Administrator | Administrator | Storage Operator. Add a file system, or modify or delete a specified file system on an existing NAS server Add a clone or snapshot to a - Page 12
both passwords. Reset admin and service account passwords to their default values in a PowerStore T model appliance About this task For a PowerStore T model appliance, the primary method to reset the admin or service user passwords is to use a USB drive. Supported file systems include FAT32 and ISO - Page 13
passwords that you would like to reset. You can reset the admin or service account password, or both. 3. To create an empty file on the drive a PowerStore X model appliance, use an ISO image and mount it from vSphere. Pre-created image files can be downloaded from https://www.dell.com/support. You - Page 14
PowerStore X model appliance. For example, DataCenter-WX-D6013 > PowerStore D6013 2. Under Files, select ISOs. 3. Select Upload and upload the reset.iso file, either the pre-created image file from https://www.dell.com/support. The cluster admin password, or service password, or both, are now - Page 15
exchange with persistence, to establish a secure connection between a Dell EMC storage system (a VNX, Unity, Storage Center (SC), or a Peer Storage (PS) system) and a PowerStore cluster. vSphere Storage API for Storage Awareness support vSphere Storage API for Storage Awareness (VASA) is a VMware - Page 16
PowerStore VASA provider in vCenter Server is required to use vVols. To manually establish an initial connection to a vCenter server and to register a PowerStore or a vCenter Server service fails, terminating the connection. If vCenter or the vCenter Server service cannot reestablish the SSL - Page 17
Provider using the client Storage Monitoring Service (SMS) certificate validated against the previously registered root could lose access to the volumes. PowerStore does not support iSCSI CHAP Discovery mode. The following table shows the limitations of PowerStore related to iSCSI CHAP Discovery mode - Page 18
host later, manually register the host in the PowerStore Manager, under PowerStore REST API Reference Guide. ● svc_service_config - A service command that you can enter directly as the service user on the appliance. For more information about this command, see the PowerStore Service Scripts Guide - Page 19
of problem diagnostic, system configuration, and system recovery scripts are installed on the appliance's software version. These scripts provide an in-depth level of information and a lower level of system control than is available through PowerStore Manager. The PowerStore Service Scripts Guide - Page 20
is supported. Along with NFS secure, this also impacts SMB and LDAP. These encryptions are now supported by Service (UDS). Since NIS is not secure, it is not recommended to use it with NFS secure. It is recommended to use Kerberos with LDAP or LDAPS. NFS secure can be configured through PowerStore - Page 21
system. NOTE: If the older SMB1 protocol needs to be supported in your environment, it can be enabled by using the svc_nas_cifssupport service command. For more information about this service command, see the PowerStore Service Scripts Guide. UNIX security model When the UNIX policy is selected, any - Page 22
name for a particular user identifier (UID). ● Return the corresponding UID and primary group identifier (GID) for a particular UNIX account name. The supported services are: ● LDAP ● NIS ● Local files ● None (the only possible mapping is through the default user) There should be one UDS enabled - Page 23
[Figure: SID-to-UNIX credential mapping flow. Decision points: In secmap? / In Local Files or UDS? / In Local Group Database? / Automatic Mapping? / In Domain Controller? / In ntxmap? Outcomes: UID and Primary GID; Windows Name used for SMB-only access; UNIX Name] - Page 24
its file systems. There are two kinds of security, UNIX and Windows. For UNIX security authentication, the credential is built from the UNIX Directory Services (UDS), with the exception of non-secure NFS access, where the credential is provided by the host client. User rights are determined from the - Page 25
Windows user is used. NOTE: If the default UNIX user is not set in the UNIX Directory Services (UDS), SMB access is denied for unmapped users. If the default Windows user is not found in respectively, and can be configured on the system through PowerStore Manager. Authentication and access 25 - Page 26
UNIX credential for NFS requests To handle NFS requests for an NFS-only or multi-protocol file system with a UNIX or native access policy, a UNIX credential must be used. The UNIX credential is always embedded in each request; however, the credential is limited to 16 extra groups. The NFS server - Page 27
CAVA, which is part of Common Event Enabler (CEE), see Using the Common Event Enabler on Windows Platforms at https://www.dell.com/powerstoredocs. Code signing PowerStore is designed to accept software upgrades for both new releases and patch releases. A master GNU Privacy Guard (GPG) key signs all - Page 28
outline the collection of network ports and the corresponding services that may be found on the appliance. The PowerStore: Customer Network Firewall Rules - TCP/UDP Ports. Go to https://www.dell.com/support/kbdoc/en-us/542240. The Customer Network Firewall Rules tool enables you to filter and review - Page 29
and ESXi to iSCSI services: host access ● External host iSCSI access ● Bi-directional for ● External or PowerStore embedded replication ESXi host and VNX2 systems If closed, iSCSI services will be unavailable. Used by Data mobility to support reasonable replication performance on low latency - Page 30
by enabling FTP. Authentication is performed on port 21 and defined by the FTP protocol. Port 21 is the control port on which the FTP service listens for incoming FTP requests. Allows alert notifications through SFTP (FTP over SSH). SFTP is a client/server protocol. Users can use SFTP to perform - Page 31
UDP Outbound Description The NETBIOS Name Service is associated with the appliance SMB file sharing services and is a core component of Header (AH) traffic to be forwarded. If closed, IPsec connection between PowerStore appliances will be unavailable. Allows the appliance to send log messages to - Page 32
left open by the replicator as soon as some data has to be replicated. After it is started, there is no way to stop the service. ● Enables you to control the backup and recovery of a Network Data Management Protocol (NDMP) server through a network backup application, without installing third-party - Page 33
The following table outlines the collection of network ports and the corresponding services that may be found on PowerStore X model appliances. Table 7. Network ports related to PowerStore X model appliances. Columns: Port | Service | Protocol | Access Direction. 22 SSH server TCP Inbound 80, 9000 162 or - Page 34
Router service ● Outbound for rabbitmqproxy ● For NSX Virtual Distributed Router service, the firewall port associated with this service is protocol that allows for secure communication over a network. PowerStore supports TLS 1.2 by default. PowerStore uses the TLS 1.2 protocol as both a server - Page 35
. For more information about the REST API, see the PowerStore REST API Reference Guide. Use either of these methods to enable or disable TLS 1.1 protocol support. To determine the status of Transport Layer Security in PowerStore Manager, click Settings and, under Security, select Transport Layer - Page 36
the PowerStore Manager UI and the CLI can be used to search and view audit events. Remote logging The storage system supports Encryption. To review or update remote logging settings, log in to PowerStore Manager and the Remote Logging page for certificates: ● Service - Remote Logging ● Type - Server - Page 37
Add. The syslog server is added to the list of servers under Remote Syslog Servers. 9. (Optional) Select Send Test Message to verify the connection between PowerStore and the remote syslog server. The Send Test Message slide out appears. 10. (Optional) Type your test message in the Message box. 11 - Page 38
file or have the certificate text available to copy and paste for import. About this task To import a certificate using the PowerStore Manager, do the following: Steps 1. Click Settings and under Security select Remote Logging. The Remote logging page appears. 2. Under Certificates, select - Page 39
remote syslog server to be deleted, then click Delete. Send Test Message To send a test message to verify the connection between the PowerStore cluster and the remote syslog server. Sending a test message can only be performed on a single remote syslog server. 3. For certificates, click: Option - Page 40
drive to an appliance, the appliance raises an error. Also, having unencrypted appliances in an encrypted cluster is not supported. Encryption activation The Data at Rest Encryption feature on PowerStore appliances is set at the factory. In all countries that allow the import of an appliance that - Page 41
be decommissioned before it can be used. Key management An embedded key manager service (KMS) runs on the active node of each PowerStore appliance. This service manages the local keystore file lockbox storage to support automatic encryption key backup to system and boot drives. It also controls the - Page 42
appliance remains in the cluster, you can run svc_factory_reset to reset that appliance. NOTE: It is recommended that these scripts be run by only a qualified service provider. For more information about these scripts, refer to the PowerStore Service Scripts Guide. 42 Data security settings - Page 43
you may need to collect appliance information manually to assist Dell EMC Support with troubleshooting and resolving problems with your appliance. Also, the SupportAssist manage SupportAssist using the PowerStore Manager or the REST API. You can enable or disable the service and provide the - Page 44
as one of the following based on the average of all the appliances in the cluster when PowerStore is connected to the Dell EMC backend Support services: ● Evaluating - The quality of service for the connection will be undetermined for the first 10 minutes after SupportAssist is first initialized - Page 45
Dell EMC Support will not receive notifications about issues with the appliance. You may need to collect appliance information manually to assist support representatives with troubleshooting and resolving problems be added to the gateway from the PowerStore Manager. If the appliance is added from - Page 46
on ports 443 and 8443 (outbound) to Dell EMC Support. Failure to open port 8443 results in PowerStore REST API Reference Guide. To determine the status of the SupportAssist feature, click Settings and under Support select SupportAssist in the PowerStore Support. 46 Secure serviceability settings - Page 47
want to allow support engineers authorized by Dell EMC to securely troubleshoot your system, clear the checkbox; otherwise, leave the checkbox selected. 10. The Remote Secure Credentials checkbox is not selected by default; if you want to allow authorized Dell EMC service personnel to authenticate - Page 48
only to a v3 SNMP destination) SupportAssist provides an IP-based connection that enables Dell Support to receive error files and alert messages from the PowerStore cluster, and to perform remote troubleshooting resulting in a fast and efficient time to resolution. NOTE: For SupportAssist to work - Page 49
Dell EMC-hosted service that uses data (logs, system configuration, alerts, performance metrics, and capacity metrics and capacity forecast data) collected by SupportAssist to allow users to monitor performance in near real-time and utilization and health time across multiple PowerStore supported. - Page 50
○ Version ○ Trap Community String ● For SNMPv3 ○ Network Name or IP address ○ Port ○ Minimal Severity Level of Alerts ○ Version ○ Security Level NOTE: Depending on the security level selected, additional fields appear. ■ For the level None, only Username appears. ■ For the level Authentication only, - Page 51
(ensuring data integrity by providing a way to determine if data has been modified). Examples: SHA-2 or SHA-1 The supported cipher suites combine all these items. NOTE: Security is improved in PowerStore version 2.0.x with the removal of weak ciphers, such as those starting with TLS_RSA_. For example - Page 52
to control management access based on established user and group accounts within the LDAP directory. PowerStore supports the following LDAP server types: ● Active Directory: a Microsoft directory service. It runs on Windows Server and allows administrators to manage permissions and access to network - Page 53
are selected, the Directory Services slide out panel appears. manually add a server address, click Configure IPs Manually, enter the IP address and click Add. NOTE: Only IP addresses are accepted; FQDN is not supported. These actions will minimize any troubleshooting that may be necessary when - Page 54
LDAP configuration change. To verify that the connection to the LDAP server will succeed, do the following: Steps 1. Click Verify Connection on the Directory Services page. If the configuration is valid, a connection will be established with the LDAP server and a green check mark along with the text - Page 55
from the LDAP server when the TLS session is established. PowerStore does not support DNS for LDAP. The LDAP server certificate must have IP , do the following: Steps 1. Click Edit LDAP Configuration. The Directory Services slide out panel appears. 2. Under Domain Settings, select the LDAP Secure - Page 56
, the following steps are recommended to troubleshoot the failure: a. Verify the Directory Services configuration information, in particular the port this task The procedure for creating an LDAP user or group account on PowerStore is similar. However, the LDAP group must also be created on the LDAP - Page 57
transaction. The added LDAP user or group account appears in the list of accounts on the PowerStore Users page. 9. If the adding LDAP account operation fails, do the following to troubleshoot the failure: a. Verify the fields in User Search Settings under Advanced Setting are correct. b. Verify the