EMC XtremIO Storage Array
XIOS Versions 4.0.2, 4.0.4 and 4.0.10
XMS Version 4.2.0
Security Configuration Guide
P/N 302-002-970
REV 01
June 15, 2016

Topics include:
Overview
Access Control Settings
Log Settings
Communication Security Settings
Data Security Settings

Note: This document was accurate at publication time. Go to EMC Online Support (https://support.emc.com) to ensure that you are using the latest version of this document.

This document provides specific information on XtremIO clusters that are managed by XMS version 4.2.0. For XtremIO clusters that are managed by XMS version 4.0.2 or 4.0.4, refer to the appropriate XtremIO product documents which are provided for these versions.

Overview

This guide provides an overview of the available security configuration settings that are applied in the XtremIO Storage Array to ensure its secure operation and data protection.

Security settings are sub-categorized as follows:
• Access control settings - describes internal and external settings that limit end-user access to the cluster.
• Log settings - describes settings related to logging of events.
• Communication security settings - describes settings related to XtremIO Storage Array network communications.
• Data security settings - describes settings for protecting and erasing user data handled by the XtremIO Storage Array.
• Secure serviceability settings - describes settings that ensure control of service operations performed on XtremIO Storage Arrays by EMC or its service partners.
Access Control Settings

Access control settings enable protecting the cluster's resources from unauthorized access.

User Authentication

User authentication settings control the process of verifying an identity claimed by a user for accessing the various product's user interfaces (shell access, command line, graphical, etc.).

Default Accounts

The following default accounts are pre-configured on the XtremIO Storage Array:

User Account | Component | Description
xinstall | Storage Controller and XMS operating system | Initial configuration and software installation
xmsupload | XMS operating system | Uploading SW images to the XMS for installation and upgrade
xmsadmin | XMS operating system | Direct access to the XMCLI shell from console or SSH
root | Storage Controller and XMS operating system | Advanced support
ADMIN | Storage Controller IPMI | HW management and monitoring
tech | XMS CLI / GUI / RESTful API (for accessing admin level commands) | EMC technician account for cluster creation and part replacement
admin | XMS CLI / GUI / RESTful API | Storage Array configuration, operation and user management
rp_user | XMS CLI / RESTful API | Internal built-in account for integration with RecoverPoint only
odx_user | XMS CLI / RESTful API | Internal built-in account for ODX integration only
smi_s_provider | ECOM/SMI-S Provider | Internal built-in account for integration with ECOM/SMI-S Provider only. This account must be present and set up in both XMS and ECOM, for ECOM to obtain necessary initialization and setup information from XMS. This username is not the one SMI-S clients should use for communicating with ECOM. SMI-S clients who wish to communicate with ECOM must set up a unique username/password in Microsoft SCVMM, ECOM and the XtremIO XMS server.

Note: If you change the default username/password for the SMI-S provider user on the XMS server, you need to make the corresponding change in ECOM.

Note: The root account enables troubleshooting before cluster installation. To block root access, contact Support.

If needed, you can change the default passwords for xinstall, xmsupload and root on the cluster. For the procedure guidelines, refer to EMC knowledge-base article #183472 (https://support.emc.com/kb/183472).

Note: Changing the cluster's default passwords per this knowledge base article requires EMC Global Services approval via RPQ.

Authentication Configuration

LDAP Authentication

The Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. The XtremIO Storage Array supports LDAP user authentication. The XMS server operates as an LDAP client and connects to an LDAP service running on an external server.

Once configured for LDAP authentication, the XMS redirects user authentication to the configured LDAP or Active Directory (AD) servers and allows access to authenticated users only. Users' XMS permissions are defined based on a mapping between the users' LDAP/AD groups and XMS roles.

The XMS Server LDAP Configuration feature allows using a single server or multiple servers for the external users' authentication when they log in to the XMS server. The LDAP operation is performed once, when logging in to an XMS server with external user credentials. The LDAP Search is performed using the pre-configured LDAP Configuration profile and the external user login credentials. If the authentication is successful, the external user logs in to the XMS server and accesses the full or limited XMS server functionality (according to the XMS Role that was assigned to the AD user's Group). The external user's credentials are saved in the XMS Cache and a new user profile is created in the XMS User Administration configuration. From that point, the external user authentication is performed internally by the XMS server, without connecting to an external server. The XMS server re-performs the LDAP Search only after the LDAP Configuration cache expires (the cache expiration default value is 24 hours), or at the next successful external user login if the external user credentials were removed from the XMS Server User Administration manually.
XtremIO LDAP integration supports the following LDAP options:
• LDAP - clear text LDAP communication between the XMS and the LDAP server. LDAP uses default port 389, or port 3268 for global catalog.
• LDAPS - secure LDAP communication using Transport Layer Security (TLS) between the XMS and the LDAP server. LDAPS uses default port 636, or port 3269 for global catalog. LDAPS can be used either with a root certificate to validate the server's authenticity or without it.
• Start TLS - secure LDAP communication that starts at a non-secure port and enhances the security mid-session. Start TLS uses port 389, or port 3268 for global catalog.

LDAP user authentication can be configured and managed via either GUI or CLI. For detailed procedures, refer to the XtremIO Storage Array User Guide.

SSH Key Authentication

Starting from version 2.4, the XtremIO Storage Array supports a new user type that is restricted to CLI access and uses an SSH certificate rather than a password for authentication. This user type can be used for running scripts from a remote system.

Inactivity Timeout

The timeout is configured per user, so that monitoring clients can stay connected without disconnections. The XtremIO client inactivity timeout is set by default to ten minutes. The user is prompted sixty seconds before the timeout expires. When the timeout expires, the user is prompted for the user name and password again. Re-logging returns the user to the last opened screen. All login and re-login actions are logged.

The timeout can be changed in full-minute granularity (ranging from 0, meaning no timeout, to 12 hours) via CLI commands or the GUI. After the default timeout is changed, new users are created with the new value. For detailed procedures, refer to the XtremIO Storage Array User Guide.

Customized Login Banner

The XtremIO cluster enables you to customize your login banner in SSH, HTML and Java. You can customize the banner by adding text. The login banner text is displayed on three screens:
• XtremIO launch screen
• XMS login screen
• Login to XMCLI after providing the user name

For detailed procedures, refer to the XtremIO Storage Array User Guide.

User Actions Performed without Authentication

The XtremIO Storage Array blocks unauthenticated or anonymous user actions.
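The cache behaviour described under LDAP Authentication has an operational consequence worth seeing end to end: a user whose directory group membership is revoked keeps the cached XMS role until the 24-hour cache expires, unless the profile is removed from XMS User Administration by hand. The following model is an added example written for this guide, not EMC code; the group DNs, users, passwords, the group-to-role mapping and the "most privileged mapped role wins" rule are all constructed assumptions.

```python
"""Added example (not EMC code): a model of the XMS external-user login flow
described above. The first login with directory credentials performs an LDAP
search and caches the result; later logins are served from the cache until it
expires (24 hours by default) or the cached profile is removed manually.
Group names, users, passwords and the role precedence are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

# Assumed LDAP/AD group -> XMS role mapping (constructed group DNs).
GROUP_TO_ROLE = {
    "cn=xio-admins,ou=groups,dc=example,dc=com": "Administrator",
    "cn=xio-config,ou=groups,dc=example,dc=com": "Configuration",
    "cn=xio-readonly,ou=groups,dc=example,dc=com": "Read-Only",
}
# Assumption: a member of several mapped groups gets the most privileged role.
ROLE_RANK = {"Read-Only": 0, "Configuration": 1, "Administrator": 2}


@dataclass
class CachedProfile:
    role: str
    password: str      # model only; a real system would store a password verifier
    cached_at: datetime


@dataclass
class XmsAuthenticator:
    # ldap_bind(user, password) -> list of group DNs, or None when the bind fails
    ldap_bind: Callable[[str, str], Optional[List[str]]]
    cache_ttl: timedelta = timedelta(hours=24)
    profiles: Dict[str, CachedProfile] = field(default_factory=dict)
    ldap_searches: int = 0

    def login(self, user: str, password: str, now: datetime) -> Optional[str]:
        """Return the XMS role granted, or None when access is refused."""
        cached = self.profiles.get(user)
        if cached is not None and now - cached.cached_at < self.cache_ttl:
            # Authenticated internally by the XMS; no external server is contacted,
            # so a directory-side change is not seen until the cache expires.
            return cached.role if cached.password == password else None
        # No profile (first login, or profile removed manually) or cache expired:
        # perform the LDAP search with the user's own credentials.
        self.ldap_searches += 1
        groups = self.ldap_bind(user, password)
        if groups is None:
            return None
        roles = [GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE]
        if not roles:
            return None   # authenticated by the directory, but no group maps to a role
        role = max(roles, key=ROLE_RANK.__getitem__)
        self.profiles[user] = CachedProfile(role, password, now)
        return role

    def remove_profile(self, user: str) -> None:
        """Manual removal from XMS User Administration: forces a fresh LDAP search."""
        self.profiles.pop(user, None)


# Constructed stand-in for the directory: user -> (password, group DNs).
DIRECTORY = {
    "alice": ("alice-pw", ["cn=xio-admins,ou=groups,dc=example,dc=com"]),
    "bob": ("bob-pw", ["cn=xio-readonly,ou=groups,dc=example,dc=com"]),
}


def fake_ldap_bind(user, password):
    record = DIRECTORY.get(user)
    if record is None or record[0] != password:
        return None
    return list(record[1])


def walkthrough():
    """Drive the model through the cases the text describes; returns the outcomes."""
    DIRECTORY["alice"] = ("alice-pw", ["cn=xio-admins,ou=groups,dc=example,dc=com"])
    t0 = datetime(2016, 6, 15, 9, 0)
    xms = XmsAuthenticator(fake_ldap_bind)
    out = {}
    out["first_login"] = xms.login("alice", "alice-pw", t0)                         # LDAP search
    out["cached_login"] = xms.login("alice", "alice-pw", t0 + timedelta(hours=1))   # served from cache
    DIRECTORY["alice"] = ("alice-pw", [])            # alice loses her mapped group in AD
    out["stale_cache"] = xms.login("alice", "alice-pw", t0 + timedelta(hours=2))    # still Administrator
    xms.remove_profile("alice")                      # operator removes the profile manually
    out["after_removal"] = xms.login("alice", "alice-pw", t0 + timedelta(hours=3))  # re-checked: refused
    out["bob_first"] = xms.login("bob", "bob-pw", t0)
    out["bob_after_ttl"] = xms.login("bob", "bob-pw", t0 + timedelta(hours=25))     # cache expired: re-searched
    out["ldap_searches"] = xms.ldap_searches
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The "stale_cache" step is the one to note when offboarding an administrator: revoking the directory group alone leaves the XMS role in place for up to the cache period, so the profile should also be removed in XMS User Administration.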
User Authorization

The XtremIO Storage Array supports four levels of user roles, as shown in the following table:

User Role | Description
Technician | Authorized to perform all commands and manage all user accounts. Used only by XtremIO Storage Array trained support personnel.
Administrator | Authorized to perform all configuration, user account and cluster administration commands and manage all user accounts, except for technician user accounts.
Configuration | Authorized to perform all storage array configuration actions. Cannot manage users.
Read-Only | Authorized to view all storage array information. Cannot perform any configuration changes.

rp_user and odx_user are authorized to access all RecoverPoint and ODX objects, respectively. They are built in with the Administrator role to enable integration with external systems and are not visible to regular (non-tech) XMS users in the user accounts list.

The following table summarizes the different objects and their exposure to different users.

Object Type | RecoverPoint User | ODX User | Regular User | Tech User
RecoverPoint | Exposed | Not exposed | Not exposed | Exposed
ODX | Not exposed | Exposed | Not exposed | Exposed
Regular | Exposed | Exposed | Exposed | Exposed

The CLI/GUI/REST list of the VSG (Volume Snapshot Groups) does not display RP and ODX volumes and does not allow non-RP users to access them. System object counters (e.g. num_volumes) include the resources used by the unexposed objects. However, the owner and permission properties are not exposed to the user in CLI/GUI/REST. The displayed number of internal volumes differs according to the current user's visibility; the num_internal_volumes parameter provides the number of objects that are consuming resources but are not exposed (it appears in the output of the show-volume-snapshot-groups CLI command and in the GUI displaying VSG).

RP users and ODX users are created with random, unknown passwords. RP users must be assigned a password to integrate with the XMS, using the following CLI command:

modify-password usr-id="rp_user"

Any user with admin or tech permissions can assign the password.

Note: Assigning a password cannot be done via the GUI because rp_user is not visible to admin users.

ODX users do not require assigning a password.

Component Access Control

Component access control settings define external access settings for secure iSCSI and IPMI connectivity.

iSCSI SAN Security

XtremIO supports CHAP authentication for hosts using the iSCSI protocol. CHAP usernames and passwords can be configured for target discovery and initiator authentication. Mutual CHAP can also be configured, by configuring unique cluster credentials for each initiator to allow the initiator to authenticate the target. For detailed procedures, refer to the XtremIO Storage Array User Guide.

Log Settings

The XtremIO Storage Array keeps event logs in the XMS database. Events consist of configuration, audit and any system event.

Log Management & Retrieval

XtremIO allows configuring external log reporting as follows:
• SNMP can be configured via the GUI or CLI.
• SMTP can be configured via the GUI or CLI.
• Remote syslog can be configured via the GUI or CLI. The XtremIO Storage Array enables you to send events to a remote syslog server. You can configure up to 6 syslog servers and use the event handlers' configuration to select the events that will be sent via the syslog interface.

For detailed procedures, refer to the XtremIO Storage Array User Guide.

Private reports are accessible to the report's creator and to tech users, and can be edited and deleted by the report's creator and by tech users. Public reports can be viewed by all users.

Communication Security Settings

Communication security settings enable the establishment of secure communication channels between the product's components, as well as between product components and external systems or components.

Port Usage

For the list of the ports and protocols that are used by the XtremIO Storage Array, refer to the EMC XtremIO Storage Array Site Preparation Guide. Figure 1 describes the mapping of the ports and protocols used by the XtremIO Storage Array.

[Figure 1: Ports and Protocols (diagram not reproduced). Endpoints shown: XMS (Connect XIOS, SMI-S, Reporting UI, OS, NTP, Authentication Manager), X-Brick Storage Controllers (XIOS, OS, BMC, SCSI Targets), Clients (RESTful API, SMI-S, CLI, GUI), Hosts, EMC ESRS, and corporate email, Active Directory/LDAP, logging and NTP servers. Ports legible in the figure: XMS to Storage Controllers: SSH (TCP/22 and 22000-22032), XMLRPC (TCP/11111 and 11000-11032), IPv6 (TCP/11112 and 23000-23032), HTTPS (TCP/443), NTP (UDP/123), ICMP (1); Clients to XMS: HTTPS (TCP/443), SSH (TCP/22), SLP (UDP/427), SMI-S HTTPS (TCP/5989); Hosts to Storage Controllers: iSCSI (TCP/3260), Fibre Channel; external systems: SNMP (UDP/162), Syslog (UDP/514), SMTP (TCP/25), LDAP (TCP/389 and 3268), LDAPS (TCP/636 and 3269), NTP (UDP/123), HTTPS (TCP/443 and 8443), FTPS (TCP/989 and 990), SSH (TCP/22), IPMI HTTPS (TCP/443) and SSH (TCP/22).]

1. ICMP between the XMS and the Storage Controller is used for diagnostic purposes only.

To further enhance the security of the communication channel between the XMS and the Storage Controller, it is recommended to use an external firewall device to ensure that only the XMS IP address can access the Storage Controllers' management IP address. Make sure that all ports that are marked "XMS -> XtremIO Storage Controller" are allowed.
Network Encryption

XtremIO cluster management is carried out over HTTPS. The remote CLI, GUI and RESTful API communicate with the XMS over a secure SSL channel. The XMS comes pre-installed with a self-signed certificate that can be replaced via CLI commands with a third-party signed certificate.

SSH Firewall

The SSH firewall in locked mode prevents opening outgoing connections from the cluster's Storage Controllers to the customer network. To lock the SSH firewall, run the following command:

modify-ssh-firewall ssh-firewall-mode="locked"

InfiniBand Network Settings

The XtremIO cluster uses InfiniBand (IB) networking for internal communication between the Storage Controllers. Each Storage Controller is connected to two InfiniBand Switches for high availability (in a single X-Brick cluster, the Storage Controllers are connected back-to-back) and the switches are connected to each other to create a full mesh. The IB network is crucial for the functionality of the cluster and must not be interrupted. Connecting the InfiniBand Switches to any external network, or connecting any foreign device to any of the switches, is not allowed.

VLAN Support

The XtremIO cluster supports up to 4094 VLANs. XtremIO supports IEEE 802.1q VLAN tagging, and allows both untagged and tagged VLANs. For each VLAN the user defines a portal, using internal addresses. It is possible to define a route per VLAN. When VLAN tagging is used, the port assigns a tag to outgoing packets according to the destination address. On the receive path, a packet with a wrong VLAN tag is dropped by the port. For HA purposes it is possible to assign the same VLAN to physical ports that belong to different controllers. The system issues an alert if a VLAN is assigned to only one physical port, to ensure multipathing for each VLAN.

Network Separation

The XtremIO cluster uses a separate port dedicated to IPMI.
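The VLAN Support paragraph describes three per-port behaviours: egress frames are tagged according to the destination, an ingress frame with a wrong tag is dropped, and a VLAN present on only one physical port raises an alert. The following model, an added example written for this guide and not EMC code, implements the IEEE 802.1Q framing and those three rules on a single port. MAC addresses, VLAN IDs, port names and the destination-to-VLAN table are constructed; how the real product resolves a destination to a VLAN is not described on this page and is represented here by a plain lookup table.

```python
"""Added example (not EMC code): per-port IEEE 802.1Q handling as described
above. MAC addresses, VLAN IDs and the destination table are constructed."""
import struct
from typing import Dict, Optional, Set

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; when vid is given, insert the 4-byte 802.1Q tag (TPID + TCI)."""
    header = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:            # 0 and 4095 are reserved
            raise ValueError(f"invalid VLAN ID {vid}")
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # PCP(3) DEI(1) VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vid (None when untagged), ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vid = 14, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vid": vid, "ethertype": ethertype, "payload": frame[offset:]}


class VlanPort:
    def __init__(self, name: str, tagged_vids: Set[int], native_vid: Optional[int],
                 dst_to_vid: Dict[bytes, int]):
        self.name = name
        self.tagged_vids = set(tagged_vids)   # VLANs assigned to this port
        self.native_vid = native_vid          # VLAN for untagged traffic; None = untagged not allowed
        self.dst_to_vid = dst_to_vid          # egress tagging decision keyed by destination (assumed lookup)

    def receive(self, frame: bytes):
        """(accepted, vlan-or-reason) for an ingress frame."""
        f = parse_frame(frame)
        if f["vid"] is None:
            if self.native_vid is None:
                return False, "untagged frame on a tagged-only port"
            return True, self.native_vid
        if f["vid"] not in self.tagged_vids:
            return False, f"wrong VLAN tag {f['vid']}"
        return True, f["vid"]

    def transmit(self, dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
        vid = self.dst_to_vid.get(dst)
        if vid is None:
            raise LookupError("destination not reachable through any VLAN on this port")
        if vid == self.native_vid:
            return build_frame(dst, src, ethertype, payload)          # native VLAN leaves untagged
        return build_frame(dst, src, ethertype, payload, vid=vid)     # tag according to destination


def single_port_vlans(assignment: Dict[int, Set[str]]):
    """VLAN IDs assigned to only one physical port: the condition the system alerts on."""
    return sorted(vid for vid, ports in assignment.items() if len(ports) < 2)


# Constructed sample topology.
HOST_A, HOST_B, PORTAL = mac("02:00:00:00:00:0a"), mac("02:00:00:00:00:0b"), mac("02:00:00:00:00:01")
PORT = VlanPort("X1-SC1-iSCSI1", tagged_vids={100, 200}, native_vid=None,
                dst_to_vid={HOST_A: 100, HOST_B: 200})


def demo():
    accepted = PORT.receive(build_frame(PORTAL, HOST_A, ETHERTYPE_IPV4, b"ok", vid=100))
    dropped = PORT.receive(build_frame(PORTAL, HOST_A, ETHERTYPE_IPV4, b"bad", vid=300))
    untagged = PORT.receive(build_frame(PORTAL, HOST_A, ETHERTYPE_IPV4, b"plain"))
    egress = parse_frame(PORT.transmit(HOST_B, PORTAL, ETHERTYPE_IPV4, b"reply"))
    alerts = single_port_vlans({100: {"X1-SC1-iSCSI1", "X1-SC2-iSCSI1"}, 200: {"X1-SC1-iSCSI1"}})
    return accepted, dropped, untagged, egress["vid"], alerts


if __name__ == "__main__":
    print(demo())
```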
Data Security Settings

Data security settings prevent unauthorized access to data by defining procedures for configuring data encryption and erasure.

Unique SSH Key

The XtremIO XMS uses SSH-key-based authentication (together with user password authentication) to access the cluster's Storage Controllers for maintenance purposes, such as log bundle collection. The cluster is shipped from the factory with a default SSH key. For information on refreshing the unique SSH key, refer to the XtremIO Storage Array Software Installation and Upgrade Guide.

Data at Rest Encryption

XtremAPP versions 2.4.0.1 and above support Data at Rest Encryption on 20TB X-Brick type clusters and on 10TB Encryption Capable X-Brick types.

Note: As of version 4.0, newly-created clusters that support encryption are encrypted upon creation.

When encryption is enabled, all SSDs (both in the Storage Controllers and in the DAEs) are locked using a PIN code which is stored securely in the cluster. Media Encryption Keys are stored on the SSD's dedicated hardware and cannot be accessed. It is possible to enable encryption without losing data.

Note: Enabling and disabling Data encryption require a service shutdown.

The SSD PIN can be modified to comply with key rollover requirements. During the process, the software generates a new PIN for each SSD. Old PINs are kept for as long as the operation continues, to ensure access to SSDs that have not yet been changed. When the process is complete, the new PINs are kept in memory and the old PINs are retired. For details, refer to the EMC XtremIO Storage Array User Guide.

Data Erasure

Secure Data Erasure is offered as a service from EMC Global Services. For details, contact EMC Support.

Data Integrity

Data integrity is built into the XtremIO Data Protection mechanism and does not require any configuration.
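The PIN rollover described under Data at Rest Encryption is, at heart, a two-phase key change: new PINs are generated per SSD, old PINs are retained until every drive has been changed, and only then are the old PINs retired. The model below is an added example written for this guide, not EMC code; it shows why the retention matters by interrupting a rollover half way and checking that every drive is still reachable, then resuming to completion. Drive serials are constructed, and the in-memory dictionaries stand in for the product's secure PIN storage, whose design is not described on this page.

```python
"""Added example (not EMC code): a model of the SSD PIN rollover described above.
Each drive keeps its media encryption key internally and only accepts a PIN; the
cluster generates a new PIN per SSD, keeps the old PINs until every drive has
been changed, and retires them only when the operation completes."""
import hmac
import secrets
from typing import Dict, List, Optional


class Ssd:
    """Self-encrypting drive: the media encryption key never leaves the drive."""

    def __init__(self, serial: str):
        self.serial = serial
        self._media_key = secrets.token_bytes(32)   # stays inside the drive, never exported
        self._pin: Optional[str] = None

    def lock(self, pin: str) -> None:
        self._pin = pin

    def unlock(self, pin: str) -> bool:
        return self._pin is not None and hmac.compare_digest(self._pin, pin)

    def change_pin(self, old_pin: str, new_pin: str) -> None:
        if not self.unlock(old_pin):
            raise PermissionError(f"{self.serial}: old PIN rejected")
        self._pin = new_pin


class RolloverInterrupted(Exception):
    pass


class Cluster:
    def __init__(self, ssds: List[Ssd]):
        self.ssds = ssds
        # Current PINs, one per SSD (constructed stand-in for the cluster's secure store).
        self.pins: Dict[str, str] = {s.serial: secrets.token_hex(16) for s in ssds}
        self.pending: Optional[Dict[str, str]] = None   # new PINs while a rollover is running
        for s in ssds:
            s.lock(self.pins[s.serial])

    def start_rollover(self, fail_after: Optional[int] = None) -> None:
        self.pending = {s.serial: secrets.token_hex(16) for s in self.ssds}   # new PIN per SSD
        self.continue_rollover(fail_after)

    def continue_rollover(self, fail_after: Optional[int] = None) -> None:
        """Change each SSD to its pending PIN; fail_after simulates an interruption."""
        changed = 0
        for s in self.ssds:
            if s.unlock(self.pending[s.serial]):
                continue                     # already rolled before the interruption
            if fail_after is not None and changed >= fail_after:
                raise RolloverInterrupted(s.serial)
            s.change_pin(self.pins[s.serial], self.pending[s.serial])   # old PIN still valid here
            changed += 1
        # Every drive now accepts its new PIN: promote the new set and retire the old one.
        self.pins, self.pending = self.pending, None

    def unlock_all(self) -> Dict[str, bool]:
        """Try the current PIN first, then the pending one: valid at any rollover stage."""
        result = {}
        for s in self.ssds:
            ok = s.unlock(self.pins[s.serial])
            if not ok and self.pending is not None:
                ok = s.unlock(self.pending[s.serial])
            result[s.serial] = ok
        return result


def walkthrough():
    """Interrupt a rollover after two drives, confirm nothing is unreachable, then finish."""
    cluster = Cluster([Ssd(f"SSD-{i:02d}") for i in range(4)])
    old_pins = dict(cluster.pins)
    try:
        cluster.start_rollover(fail_after=2)
    except RolloverInterrupted:
        pass
    reachable_mid = all(cluster.unlock_all().values())
    cluster.continue_rollover()
    reachable_end = all(cluster.unlock_all().values())
    old_retired = cluster.pending is None and not any(
        s.unlock(old_pins[s.serial]) for s in cluster.ssds)
    return reachable_mid, reachable_end, old_retired


if __name__ == "__main__":
    print(walkthrough())   # (True, True, True)
```

If the old PINs were discarded before the last drive was changed, the drives not yet reached would be locked with a PIN the cluster no longer holds; the "reachable_mid" check is exactly the property the retention rule protects.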