Dell PowerStore 7000X EMC PowerStore Security Configuration Guide
Dell PowerStore 7000X Manual
Dell PowerStore 7000X manual content summary:
- Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 1
Dell EMC PowerStore Security Configuration Guide 1.x July 2020 Rev. A03 - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 2
use of your product. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. © 2020 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 3
Reset admin and service account passwords...11 Certificates...13 Viewing certificates...13 Secure communication between PowerStore appliances within a cluster 13 Secure communication for replication and data import 13 vSphere Storage API for Storage Awareness support - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 4
35 Resetting an appliance to factory settings...35 Chapter 5: Secure serviceability settings 36 Operational description of SupportAssist™...36 SupportAssist options...37 SupportAssist 39 Configure SupportAssist...39 Appendix A: TLS cipher suites...41 Supported TLS cipher suites...41 4 Contents - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 5
to the PowerStore Documentation page at www.dell.com/powerstoredocs. • Troubleshooting For information about products, software updates, licensing, and service, go to www.dell.com/support and locate the appropriate product support page. • Technical support For technical support and service requests - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 6
PowerStore appliances within a cluster • Secure communication for replication and data import • vSphere Storage API for Storage Awareness support recommended that you initially configure PowerStore using the PowerStore Manager UI rather than using the API, CLI, or Service Scripts interfaces. It will - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 7
of alphanumeric characters Maximum number of alphanumeric characters Supported special characters Username requirement Must start and for ESXi on a PowerStore X model appliance is in the following format: _123!, where is the seven-character Dell Service Tag for the - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 8
and register/re-register the VMware certificate authority (VMCA)/CA certificate Roles and privileges related to file The system supports the following roles and privileges related to file: NOTE: A in a box denotes a supported privilege for that role while a blank box denotes the privilege is not - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 9
Task Operator • List of file DNS servers or a specified DNS server • List of file FTP servers or a specified FTP server • List of file interfaces or specified file interface • List of file interface routes or a specified interface route • List of file Kerberos servers or a specified Kerberos - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 10
Task Operator Add a file virus checker, or modify or delete a specified file virus checker, or upload a specified file virus checker configuration Download a specified file virus checker configuration Add an SMB or NFS server, or modify, delete, join or unjoin a specified SMB or NFS server Add an - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 11
both passwords. Reset admin and service account passwords to their default values in a PowerStore T model appliance About this task For a PowerStore T model appliance, the primary method to reset the admin or service user passwords is to use a USB drive. Supported file systems include FAT32 and ISO - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 12
a PowerStore X model appliance, use an ISO image and mount it from vSphere. Pre-created image files can be downloaded from www.dell.com/support. You and service users. Steps 1. In vSphere under Storage, select your PowerStore X model appliance. For example, DataCenter-WX-D6013 > PowerStore D6013 - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 13
About this task The following information appears in PowerStore Manager for each certificate that is stored on the appliance: • Service • Type • Scope • Issued by • connections once the trust is established PowerStore supports the following certificate management functionality: Authentication and access - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 14
(PS) system) and a PowerStore cluster. vSphere Storage API for Storage Awareness support vSphere Storage API for Storage subsequent requests from the vCenter. No manual steps are required to install or Server service fails, terminating the connection. If vCenter or the vCenter Server service cannot - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 15
Storage Monitoring Service (SMS) certificate validated against the previously registered root signing you could lose access to the volumes. PowerStore does not support iSCSI CHAP Discovery mode. The following table shows the limitations of PowerStore related to iSCSI CHAP Discovery mode. Table - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 16
later, manually register the host in the PowerStore Manager, under PowerStore REST API Reference Guide. • svc_service_config - A service command that you can enter directly as the service user on the appliance. For more information about this command, refer to the PowerStore Service Scripts Guide - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 17
of problem diagnostic, system configuration, and system recovery scripts are installed on the appliance's software version. These scripts provide an in-depth level of information and a lower level of system control than is available through PowerStore Manager. The PowerStore Service Scripts Guide - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 18
on the particular file system. NOTE: If the older SMB1 protocol needs to be supported in your environment, it can be enabled by using the svc_nas_cifssupport service command. For more information about this service command, see the PowerStore Service Scripts Guide. 18 Authentication and access - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 19
user mapping, access policies, and user credentials, refer to the PowerStore Manager online help. User mapping In a multiprotocol context, a Windows and primary group identifier (GID) for a particular UNIX account name. The supported services are: • LDAP • NIS • Local files • None (the only possible - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 20
Windows resolvers Windows resolvers are used to do the following for user mapping: • Return the corresponding Windows account name for a particular security identifier (SID) • Return the corresponding SID for a particular Windows account name The Windows resolvers are: • The domain controller (DC) - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 21
[Figure: user-mapping flowchart starting from a SID. Decision nodes: In secmap?; In Local Files or UDS?; In Local Group Database?; Automatic Mapping?; In Domain Controller?; In ntxmap?. Results shown: UID and Primary GID; Windows Name; UNIX Name; Windows Name used for SMB-only access.] - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 22
its file systems. There are two kinds of security, UNIX and Windows. For UNIX security authentication, the credential is built from the UNIX Directory Services (UDS) with the exception for non-secure NFS access, where the credential is provided by the host client. User rights are determined from the - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 23
Windows user is used. NOTE: If the default UNIX user is not set in the UNIX Directory Services (UDS), SMB access is denied for unmapped users. If the default Windows user is not found in respectively, and can be configured on the system through PowerStore Manager. Authentication and access 23 - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 24
UNIX credential for NFS requests To handle NFS requests for an NFS only or multi-protocol file system with a UNIX or native access policy, a UNIX credential must be used. The UNIX credential is always embedded in each request; however, the credential is limited to 16 extra groups. The NFS server - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 25
upgrades for both new releases and patch releases. A master GNU Privacy Guard (GPG) key signs all PowerStore software packages and Dell EMC controls this GPG key. The PowerStore software upgrade process verifies the signature of the software package, and rejects invalid signatures that might - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 26
need to support these connections. NOTE: For additional information about ports, see Knowledge Base Article 542240, PowerStore: Customer Network to your PowerStore deployment. Appliance network ports The following table outlines the collection of network ports and the corresponding services that - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 27
and ESXi host iSCSI services: access • External host iSCSI access • Bi-directional for • External or PowerStore embedded ESXi replication host VNX2 systems If closed, iSCSI services will be unavailable. Used by Data mobility to support reasonable replication performance on low latency - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 28
Port 21: FTP (TCP). Port 22: SFTP (TCP). Port 53: DNS (TCP/UDP). Port 88: Kerberos (TCP/UDP). Port 111: RPC bind (for SDNAS namespaces; otherwise, host service) (TCP/UDP). Port 123: NTP (UDP). Port 135: Microsoft RPC (TCP). Port 137: Microsoft Netbios WINS (UDP; TCP/UDP). Port 138: Microsoft Netbios BROWSE (UDP). Port 139: Microsoft CIFS (TCP). Port 389: LDAP - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 29
(AH) traffic to be forwarded. If closed, IPsec connection between PowerStore appliances will be unavailable. Secure LDAP queries. If closed, secure LDAP functions for NFS. If closed, NAS statd services will be unavailable. Used to provide NFS lockd services. lockd is the NFS file-locking daemon. - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 30
password for a variety of environments. For three-way backup/restore sessions, NAS Servers use ports 10500 to 10531. Required for the Antivirus checker service. Network ports related to PowerStore X model appliances The following table outlines the collection of network ports and the corresponding - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 31
Table 4. Network ports related to PowerStore X model appliances (continued) Port Service Protocol Access Direction Description 5989 CIM Secure Server TCP Inbound Server for CIM. 6999 NSX Virtual UDP Distributed Logical Router, rabbitmqproxy • Bi-directional for • For - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 32
events that are audited are not just security related, all set operations (that is, POST/PATCH/DELETE) are audit logged. Other interfaces such as the PowerStore Manager UI and the CLI can be used to search and view audit events. 32 Auditing - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 33
drive to an appliance, the appliance raises an error. Also, having un-encrypted appliances in an encrypted cluster is not supported. Encryption activation The Data at Rest Encryption feature on PowerStore appliances is set at the factory. In all countries that allow the import of an appliance that - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 34
be decommissioned before it can be used. Key management An embedded key manager service (KMS) runs on the active node of each PowerStore appliance. This service manages the local keystore file lockbox storage to support automatic encryption key backup to system and boot drives. It also controls the - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 35
appliance remains in the cluster, you can run svc_factory_reset to reset that appliance. NOTE: It is recommended that these scripts be run by only a qualified service provider. For more information about these scripts, refer to the PowerStore Service Scripts Guide. Data security settings 35 - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 36
time to resolution. If you do not enable the SupportAssist feature, you may need to collect appliance information manually to assist Dell EMC Support with troubleshooting and resolving problems with your appliance. Also, the SupportAssist feature must be enabled on the appliance for data to be sent - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 37
the state of the connection between PowerStore and the Dell EMC backend Support services and the quality of service of the connection. The connection available by which to send appliance information to Dell EMC Support for remote troubleshooting are: • Gateway Connect without remote access - For - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 38
information manually to assist support representatives with troubleshooting and resolving problems with the Support in the PowerStore Manager. These actions set up the appliance to use a secure connection between itself and Dell EMC Support. You can select one of the following remote service - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 39
manually add or remove an appliance from the gateway server. Only add or remove an appliance from a gateway server with the PowerStore PowerStore REST API Reference Guide. To determine the status of the SupportAssist feature, click Settings and under Support select SupportAssist in the PowerStore - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 40
should take to test connectivity), contact Online Support. 7. Select Send Test Alert to send a test alert to Dell EMC Support to ensure end-to-end connectivity. 8. Your SupportAssist Contact Information is critical for quick response to support issues and must be accurate and current. 9. Select Apply - Dell PowerStore 7000X | EMC PowerStore Security Configuration Guide - Page 41
: AES (256 or 128 bits) • Hash algorithm (ensuring data by providing a way to determine if data has been modified). Examples: SHA-2 or SHA-1 The supported cipher suites combine all these items. The following list gives the OpenSSL names of the TLS cipher suites for the appliance and the associated