
EMC® VPLEX®

GeoSynchrony

Security Configuration Guide


300-010-493
REV 19
Copyright © 2016-2019 Dell Inc. or its subsidiaries. All rights reserved.

Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.“ DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND
WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED
IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.

Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners.
Published in the USA.

Dell EMC
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.DellEMC.com

2 GeoSynchrony Security Configuration Guide


CONTENTS

Tables

Preface

Chapter 1 VPLEX overview

Chapter 2 Security recommendations

Chapter 3 VPLEX management server operating system and networking
    Accessing the management server
        Using SSH to access the management server shell
        Using HTTPS to access the VPLEX GUI
        Using IPsec VPN in a VPLEX Metro implementation
        Using SCP to copy files
        Using a tunneled VNC connection to access the management server desktop

Chapter 4 IP addresses and component IDs

Chapter 5 Implementing IPv6

Chapter 6 Security configuration settings
    User roles, accounts, and privileges

Chapter 7 Configuring user authentication
    Role-based access control feature overview
        Role descriptions
        Role-based access control and NDU
    Implementing LDAP
    Password policy
    Synchronizing service account password to MMCS peer

Chapter 8 Manage user accounts
    Adding user accounts
    View or modify user account details
    Changing passwords
    Resetting passwords
    Changing the service account password
    Deleting user accounts

Chapter 9 Log file settings

Chapter 10 Communication Security Settings
    Communication security settings
        IP WAN COM
        Accessibility
        Port Usage
        Communications specifications - VPLEX Metro system
        Communications specifications - VPLEX Local system
        Network Encryption
        Creating a local Certification Authority
        Finding the host certificate's SHA256, SHA1 and (for GUI users) MD5 fingerprints
        Finding the SSH key fingerprint (for SSH users)
        Configurable HTTPS/TLS protocol
        Data security settings

4 GeoSynchrony Security Configuration Guide


TABLES

1  Typographical conventions
2  Quad-engine cluster director IP addresses
3  Dual-engine cluster director IP addresses
4  Single-engine cluster director IP addresses
5  Last Octets of Director IP Addresses
6  IPv6 support on VPLEX components
7  VPLEX user accounts and privileges
8  VPLEX operations and account types
9  Description of roles in Role-based Access Control
10 Default password policies
11 VPLEX component log files
12 Port Usage
13 Communication in a VPLEX Metro system
14 Communication in a VPLEX Local system


Preface

As part of an effort to improve its product lines, EMC periodically releases revisions of
its software and hardware. Therefore, some functions described in this document
might not be supported by all versions of the software or hardware currently in use.
The product release notes provide the most up-to-date information on product
features.
Contact your EMC technical support professional if a product does not function
properly or does not function as described in this document.

Note

This document was accurate at publication time. Go to EMC Online Support (https://
support.emc.com) to ensure that you are using the latest version of this document.

Purpose
This document is part of the VPLEX documentation set, and describes the VPLEX
features and use cases, configuration options, VPLEX software and its upgrade, and
the hardware overview.
Audience
This guide is intended for use by customers who wish to understand the software and
hardware features of VPLEX, the use cases of VPLEX, product offerings, and the
configuration options.
Related documents (available on EMC Online Support) include:
- VPLEX Release Notes for GeoSynchrony Releases
- VPLEX Product Guide
- VPLEX Hardware Environment Setup Guide
- VPLEX Configuration Worksheet
- VPLEX Configuration Guide
- VPLEX Security Configuration Guide
- VPLEX CLI Reference Guide
- VPLEX Administration Guide
- Unisphere for VPLEX Help
- VPLEX Element Manager API Guide
- VPLEX Open-Source Licenses
- VPLEX GPL3 Open-Source Licenses
- Procedures provided through the SolVe Desktop
- EMC Host Connectivity Guides
- EMC VPLEX Hardware Installation Guide
- Various best practices technical notes available on EMC Online Support
Special notice conventions used in this document
EMC uses the following conventions for special notices:


DANGER
Indicates a hazardous situation which, if not avoided, will result in death or serious injury.

WARNING
Indicates a hazardous situation which, if not avoided, could result in death or serious injury.

CAUTION
Indicates a hazardous situation which, if not avoided, could result in minor or moderate injury.

NOTICE
Addresses practices not related to personal injury.

Note
Presents information that is important, but not hazard-related.

Typographical conventions
EMC uses the following type style conventions in this document:

Table 1 Typographical conventions

Bold              Used for names of interface elements, such as names of windows, dialog boxes, buttons, fields, tab names, key names, and menu paths (what the user specifically selects or clicks)
italic            Used for full titles of publications referenced in text
Monospace         Used for:
                  - System code
                  - System output, such as an error message or script
                  - Pathnames, filenames, prompts, and syntax
                  - Commands and options
Monospace italic  Used for variables
Monospace bold    Used for user input
[]                Square brackets enclose optional values
|                 Vertical bar indicates alternate selections - the bar means "or"
{}                Braces enclose content that the user must specify, such as x or y or z
...               Ellipses indicate nonessential information omitted from the example

Where to get help


Support and product information can be obtained as follows:
Product information — For documentation, release notes, software updates, or
information about products, go to EMC Online Support at https://support.emc.com
Technical support — Go to EMC Online Support and click Service Center. You will see
several options for contacting EMC Technical Support. Note that to open a service
request, you must have a valid support agreement. Contact your EMC sales
representative for details about obtaining a valid support agreement or with questions
about your account.
Online communities — Visit EMC Community Network at https://
community.EMC.com for peer contacts, conversations, and content on product
support and solutions. Interactively engage online with customers, partners, and
certified professionals for all EMC products.
Your comments
Your suggestions will help to improve the accuracy, organization, and overall quality of
the user publications. Send your opinions of this document to:
[email protected]



CHAPTER 1
VPLEX overview

An EMC® VPLEX® cluster consists of one, two, or four engines (each containing two
directors), and a management server. A dual-engine or quad-engine cluster also
contains a pair of Fibre Channel switches for communication between directors.
Each engine is protected by a standby power supply (SPS), and each Fibre Channel
switch gets its power through an uninterruptible power supply (UPS). In a dual-engine
or quad-engine cluster, the management server also gets power from a UPS.
The management server has a public Ethernet port, which provides cluster
management services when connected to the customer network. The management
server can also provide call-home services through the public Ethernet port by
connecting to an EMC Secure Remote Support (ESRS) gateway deployed on the
same network. The ESRS gateway is also used by EMC personnel to provide remote
service.
Two VPLEX implementations are available:
- VPLEX Local (single cluster)
- VPLEX Metro (two clusters separated by synchronous distances)
In a VPLEX Metro implementation, the clusters are connected over IP between the
management servers.
VPLEX user authentication is configured locally on the management server or
remotely on an OpenLDAP or Active Directory server which integrates with Unix using
Service for UNIX 3.5, Identity Management for UNIX, or other authentication service.
A management server in each VPLEX cluster authenticates users against account
information kept on its local file system or against the LDAP/AD server. An
authenticated user can manage resources in the local cluster.
In a VPLEX Metro, users authenticated by either management server can manage all
resources in both clusters. Figure 1 shows a VPLEX cluster configuration (quad
system) example.


Figure 1 VPLEX Cluster Configuration



CHAPTER 2
Security recommendations

While the Security Configuration Guide must be reviewed in its entirety, this section
highlights EMC's most important security recommendations for protecting your data and
environment.
- Given the elevated permissions granted to the service account, its password must be
  changed to protect VPLEX from misuse or abuse of those privileges. Changing the
  service account password provides more information.
- To protect data in transit between the clusters of a VPLEX Metro configuration, an
  external encryption solution such as IPsec must be used to provide confidentiality
  and authentication for the IP WAN COM link. Communication Security Settings provides
  more information.
- To protect the identity and integrity of your users and their account credentials, all
  LDAP communication must be configured to use the LDAPS protocol. Implementing LDAP
  provides more information.



CHAPTER 3
VPLEX management server operating system and networking

The operating system (OS) of the VPLEX management server is based on Novell SUSE Linux
Enterprise Server. In GeoSynchrony releases 5.3 to 5.5.2 and their patches, the
management server runs SUSE Linux Enterprise Server 11 Service Pack 3. Starting with
release 6.0, the management server, including MMCS-A and MMCS-B on VS6, runs SUSE Linux
Enterprise Server 11 Service Pack 4.
The operating system has been configured to meet EMC security standards by disabling or
removing unused services and packages, and by protecting access to network services
through a firewall. The packages that remain installed are hardened with security updates.
A VS2 management server has four Ethernet ports, identified as eth0 through eth3 by
the operating system, shown in the figure below. A 1 Gb/s public management port
(eth3) is the only Ethernet port in the VPLEX rack that may be connected to an
external management LAN. Other components in the rack are connected to two
redundant private management Ethernet networks, connected to the management
server's eth0 and eth2 ports. A service port (eth1) can be connected to a local laptop,
providing access to the same services as a host on the management LAN.
Figure 2 VS2 Management server, rear view

In a VS6 system, the management server modules (MMCS-A and MMCS-B) are located in the
first engine of the cluster. All remaining engines have Akula management modules for
management connectivity. MMCS-A is the management interface to the public network and
to the other VPLEX components in the cluster.


Figure 3 Customer IP network connections on MMCS-A and MMCS-B
(Figure not reproduced: it shows Engine 1 with the customer network connection and the service port on each of MMCS-A and MMCS-B.)


Accessing the management server


Three protocols allow access to a VPLEX management server over a secure and
encrypted connection: SSH, HTTPS, and IPsec VPN.

Using SSH to access the management server shell


Users can log in to the management server shell over SSH version 2, through the
management server's public Ethernet port or service port. The SSH service is available
on the standard port 22.
An SSH login with appropriate credentials allows access to a Linux shell on the
management server. From there:
l Users can access the VPLEX command line interface (VPlexcli).
l A service account user can also inspect log files, start and stop services, and
upgrade firmware and software.
SSH can also be used to establish a secure tunnel between the management server and the
host running the SSH client. Using a tunneled VNC connection to access the management
server desktop provides more information.

Using HTTPS to access the VPLEX GUI


The Unisphere for VPLEX graphical user interface (GUI) is accessible as a web service
on the management server's public Ethernet port and the service port, using the
HTTPS protocol. It is available on the standard port 443.
The following URL initiates an HTTPS connection to the GUI:

https://management_server_public_IP_address

To access the GUI using an IPv6 address, enclose the address in square brackets:

https://[mgmtserver_ipv6_addr]

For example:

https://[3ffe:80c0:22c:803c:215:17ff:fed3:207]/smsflex/VPlexConsole.html

Note

Accessing the VPLEX GUI or the VPLEX CLI over IPv6 is possible only if the client
machine is also in an IPv6 network. The readonly user has no GUI access.

The GUI encrypts all traffic using a server certificate. Creating a host certificate
provides more information.

Note

The GUI has a timer that logs the user out after 10 minutes of inactivity. You can
modify the timeout value to a maximum of 12 hours.


Using IPsec VPN in a VPLEX Metro implementation


The management servers of the two clusters in a VPLEX Metro must connect to each other
over a Virtual Private Network (VPN) through their public Ethernet ports, as shown in
the following figure.
Figure 4 IPsec VPN connection

Even if the network path between the two VPLEX Metro clusters is already secured, the
management servers must establish an explicit VPN connection: it is this connection that
acknowledges that the remote management server has full management control over the
local cluster and its resources.
The VPLEX management server uses strongSwan, an open source implementation of IPsec for
Linux.

Using SCP to copy files


The Secure Copy Protocol (SCP) allows users to transfer files to and from the
management server. SCP uses the same credentials as SSH. Popular SCP clients are
WinSCP and PSCP provided by the PuTTY package, and the SCP client provided by
OpenSSH.

Transferring files to and from the management server using SCP


VPLEX allows file transfer to and from the management server using SCP. In VPLEX
release 6.0, SCP permissions are granted together with shell access.
Before you begin
To use SCP to transfer arbitrary files to and from the management server, you must have
shell access.
Users without shell access can still use SCP, but only against two fixed directories:
files can be transferred into one directory on the management server and retrieved from
another.

Note

You cannot transfer or retrieve directories.

Files that are transferred with SCP into or out of the management server can be viewed
in the contexts /management-server/users/share/in and
/management-server/users/share/out respectively. All users see identical output
(independent of file ownership) under these in and out contexts. Only the owner of the
file, or the admin or service user, can delete a file.
For example, if user testuser1 (with no shell access) uses SCP to transfer a file named
a.txt into the management server, anyone logged into the management server will see
a.txt displayed in the /management-server/users/share/in context. No one other than
testuser1 (or admin or service) can delete a.txt from the management server.
The service and admin users are authorized to delete any existing file in the SCP
subdirectories, using the CLI rm command. Other users are only authorized to delete
files they own. See the rm command in the EMC VPLEX CLI Reference Guide for details.
To modify permissions for SCP file transfers to and from the management server, do
the following.
Procedure
1. Verify the attribute values for VPLEX local user testuser1 by listing the
/management-server/users/local/testuser1 context. shell-access is false by
default.

VPlexcli:/management-server/users/local/testuser1> ls
Name Value
------------ ---------
role-name vplexuser
shell-access false
user-name testuser1

2. Run the following examples to test SCP file transfers for restricted shell user
testuser1.
a. Transfer files from a remote server and verify the file transfer was
successful by listing the management server SCP in context.

admin@host1:~> scp monitor.xml testuser1@10.110.19.35:
Password:
monitor.xml                                   100% 1532     1.5KB/s   00:00

VPlexcli:/> ll /management-server/share/in/

Name
---------------
logfile
loginbanner.txt
monitor.xml

b. Transfer files from the management server to an external host and verify the
result on the management server. The file must be present in the shell location
/diag/share/out/, which corresponds to /management-server/share/out/ in the CLI.

VPlexcli:/> ll /management-server/share/out/

Name
--------
testfile


Copy files to a remote server using scp.

admin@host1:~> scp testuser1@10.110.19.35:testfile .
Password:
testfile                                      100%    0     0.0KB/s   00:00
admin@host1:~> ls
bin  monitor.xml  testfile

c. Transfer files to a management server directory that is inaccessible to the
shell-restricted user testuser1 using scp.

admin@host1:~> scp testfile testuser1@<mgmt-server-ip>:/tmp/

admin@host1:~> scp logfile testuser1@10.110.19.35:/tmp/
Warning: Permanently added '10.110.19.35' (ECDSA) to the list of known hosts.
Password:
[ERROR]/tmp/: Re-enter the command without the destination file path.
Usage: 'scp <absolute path to file> <user>@<public-ip-address>:'

Next, attempt to use SCP to retrieve a file from the /tmp/ directory of the management
server, which the restricted user cannot reach.

admin@host1:~> scp testuser1@10.110.19.35:/tmp/testfile .

The command fails with the following error, which shows the cause:

Warning: Permanently added '10.110.19.35' (ECDSA) to the list of known hosts.
Password:
[ERROR]scp: /tmp/testfile: No such file or directory

d. Delete a.txt from the SCP share/in context using the rm command.

VPlexcli:/management-server/share/in> ls
a.txt b.txt

VPlexcli:/management-server/share/in> rm a.txt

VPlexcli:/management-server/share/in> ls
b.txt
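The "Permanently added '10.110.19.35' (ECDSA) to the list of known hosts" line in the scp output above is the client trusting a host key it has never seen, which is exactly the moment a man-in-the-middle on the management LAN would be accepted. The check a practitioner wants is to compare the fingerprint the client computes with one read from the management server out of band (the Communication Security Settings chapter of this guide describes where to find the SSH key fingerprint) before the first connection, and then pin the key. The following Python is an added example, not VPLEX code: the fingerprint display forms are OpenSSH's, the function names are this example's own, SAMPLE_BLOB is a constructed key in ssh-ed25519 wire layout rather than a real VPLEX host key, and the host address is the management server from the procedure above.

```python
"""Verify an SSH host key fingerprint out of band before trusting the management server.

Added example, not VPLEX code. Fingerprint formats are OpenSSH's; the sample key is
constructed and is not a real VPLEX host key.
"""
import base64
import hashlib
import hmac


def parse_public_key_line(line):
    """Split an OpenSSH public-key line, '<key-type> <base64 blob> [comment]', into
    (key_type, raw blob bytes). This is the format of /etc/ssh/ssh_host_*_key.pub and of
    ssh-keyscan output once the leading host name is removed."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    return parts[0], base64.b64decode(parts[1], validate=True)


def sha256_fingerprint(blob):
    """OpenSSH's default display: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(blob):
    """Legacy display ('ssh-keygen -l -E md5', older GUI clients): 'MD5:' + colon hex."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_matches(blob, expected):
    """True if the key blob's fingerprint equals the value obtained out of band.
    The prefix of the expected value selects the hash; the comparison is constant time."""
    if expected.startswith("SHA256:"):
        actual = sha256_fingerprint(blob)
    elif expected.startswith("MD5:"):
        actual = md5_fingerprint(blob)
    else:
        raise ValueError("expected fingerprint must start with 'SHA256:' or 'MD5:'")
    return hmac.compare_digest(actual.encode("ascii"), expected.encode("ascii"))


def known_hosts_entry(host, key_type, blob):
    """The line to pin in ~/.ssh/known_hosts once the fingerprint is verified, so later
    ssh/scp runs with StrictHostKeyChecking=yes neither prompt nor silently add a key."""
    return f"{host} {key_type} {base64.b64encode(blob).decode('ascii')}"


# Constructed sample key (not a real VPLEX host key): ssh-ed25519 wire layout, i.e. a
# length-prefixed type string followed by a length-prefixed 32-byte "public key".
SAMPLE_HOST = "10.110.19.35"
SAMPLE_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_KEY_LINE = (
    "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii") + " vplex-mgmt-sample"
)


if __name__ == "__main__":
    key_type, blob = parse_public_key_line(SAMPLE_KEY_LINE)
    print("client computed:", sha256_fingerprint(blob))
    # Stand-in for the value read from the management server itself.
    out_of_band = sha256_fingerprint(blob)
    tampered = "SHA256:" + "A" * 43
    print("genuine value matches :", fingerprint_matches(blob, out_of_band))
    print("tampered value matches:", fingerprint_matches(blob, tampered))
    if fingerprint_matches(blob, out_of_band):
        print("pin this line:", known_hosts_entry(SAMPLE_HOST, key_type, blob))
```

With the verified entry in known_hosts and StrictHostKeyChecking=yes in the client configuration, a later scp against a different key for 10.110.19.35 fails instead of being "permanently added", which is the behaviour you want on a management network that the guide says must never be bridged to an external LAN.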

Using a tunneled VNC connection to access the management server desktop


The SSH protocol provides a mechanism for sending unencrypted traffic through an
encrypted SSH connection. Most SSH clients, such as OpenSSH and PuTTY, allow
users to establish SSH tunnels by specifying a port on their local machine (source
port), and a port on the management server (destination port).
Access to the management server's desktop is provided by VNC access through an SSH
tunnel. Users must first establish an SSH tunnel between destination port 5901 and
local port 5901, and then connect a VNC viewer to local port 5901. Popular VNC clients
are RealVNC and TightVNC.
To establish a tunnel, you must log in with your standard SSH credentials. After a
successful login, the SSH client program must remain running, to allow the SSH tunnel
to remain operational.
Follow these steps to establish a tunneled VNC connection using PuTTY:
Procedure
1. Launch PuTTY.exe, and configure the PuTTY window as shown in the figure
below:
l Server address — Public IP address of the VPLEX management server.
l Session name — Type a name for the PuTTY session you are configuring.
This allows you to load the saved session if you need to reconnect later,
eliminating the need to configure the individual parameters again.
l Default settings — Verify, and set as shown if necessary.
Figure 5 PuTTY configuration window

2. Expand SSH in the Category list, and click Tunnels.


3. Configure the SSH port forwarding parameters as shown in the figure below,
and then click Add.


Figure 6 PuTTY configuration: SSH port forwarding parameters

4. Click Open to establish an SSH tunnel to the management server.


When prompted, type the account password.

5. Authenticate as usual, and leave the PuTTY window open.


6. Launch the VNC viewer, and connect to localhost:5901.



CHAPTER 4
IP addresses and component IDs

The IP addresses of the VPLEX hardware components are determined by a set of formulae
that depend on the internal management network (A or B), the Cluster IP Seed, and (for
directors) the Enclosure ID (which matches the engine number).
The figures below show the IP addresses in a cluster with a Cluster IP Seed of 1 and
addresses for a Cluster IP Seed of 2. Note that the Cluster IP Seed is the same as the
Cluster ID, which depends on the VPLEX implementation:
- VPLEX Local - The Cluster ID is always 1.
- VPLEX Metro - The Cluster ID for the first cluster that is set up is 1, and the
  second cluster is 2.

Note

The management server supports the coexistence of both the IPv6 and IPv4 address.
However, the directors only support IPv4 addresses.

Figure 7 VPLEX VS2 hardware component IP addresses in cluster 1


Figure 8 VPLEX VS2 hardware component IP addresses in VPLEX Metro cluster 2

MMCS IP addresses
This table lists the IP addresses of the MMCS modules on engine-1 of VPLEX VS6
systems.

MMCS   Cluster 1 IP address   Cluster 2 IP address
A      128.221.252.33         128.221.252.65
B      128.221.253.33         128.221.253.65

Director IP Addresses on VPLEX VS6


List of IP addresses of all directors on both clusters in a quad-engine VPLEX system.

Table 2 Quad-engine cluster director IP addresses

Director name   Cluster 1 IP addresses (subnet A, subnet B)   Director name   Cluster 2 IP addresses (subnet A, subnet B)


Director-1-1-A 128.221.252.35 128.221.253.35 Director-2-1-A 128.221.252.67 128.221.253.67

Director-1-1-B 128.221.252.36 128.221.253.36 Director-2-1-B 128.221.252.68 128.221.253.68

Director-1-2-A 128.221.252.37 128.221.253.37 Director-2-2-A 128.221.252.69 128.221.253.69

Director-1-2-B 128.221.252.38 128.221.253.38 Director-2-2-B 128.221.252.70 128.221.253.70

Director-1-3-A 128.221.252.39 128.221.253.39 Director-2-3-A 128.221.252.71 128.221.253.71

Director-1-3-B 128.221.252.40 128.221.253.40 Director-2-3-B 128.221.252.72 128.221.253.72

Director-1-4-A 128.221.252.41 128.221.253.41 Director-2-4-A 128.221.252.73 128.221.253.73

Director-1-4-B 128.221.252.42 128.221.253.42 Director-2-4-B 128.221.252.74 128.221.253.74


Dual-engine Cluster - Director IP Addresses


List of IP addresses of all directors on both clusters in a dual-engine VPLEX system.

Table 3 Dual-engine cluster director IP addresses

Director name   Cluster 1 IP addresses (subnet A, subnet B)   Director name   Cluster 2 IP addresses (subnet A, subnet B)


Director-1-1-A 128.221.252.35 128.221.253.35 Director-2-1-A 128.221.252.67 128.221.253.67

Director-1-1-B 128.221.252.36 128.221.253.36 Director-2-1-B 128.221.252.68 128.221.253.68

Director-1-2-A 128.221.252.37 128.221.253.37 Director-2-2-A 128.221.252.69 128.221.253.69

Director-1-2-B 128.221.252.38 128.221.253.38 Director-2-2-B 128.221.252.70 128.221.253.70

Single-engine Cluster - Director IP Addresses


List of IP addresses of all directors on both clusters in a single-engine VPLEX system.

Table 4 Single-engine cluster director IP addresses

Director name   Cluster 1 IP addresses (subnet A, subnet B)   Director name   Cluster 2 IP addresses (subnet A, subnet B)


Director-1-1-A 128.221.252.35 128.221.253.35 Director-2-1-A 128.221.252.67 128.221.253.67

Director-1-1-B 128.221.252.36 128.221.253.36 Director-2-1-B 128.221.252.68 128.221.253.68

Last Octets of Director IP Addresses


Table 5 Last Octets of Director IP Addresses

Deployment Director name Cluster 1 octets Director name Cluster 2 octets


Single, Dual, Quad Director-1-1-A 35 Director-2-1-A 67

Single, Dual, Quad Director-1-1-B 36 Director-2-1-B 68

Dual, Quad Director-1-2-A 37 Director-2-2-A 69

Dual, Quad Director-1-2-B 38 Director-2-2-B 70

Quad Director-1-3-A 39 Director-2-3-A 71

Quad Director-1-3-B 40 Director-2-3-B 72

Quad Director-1-4-A 41 Director-2-4-A 73

Quad Director-1-4-B 42 Director-2-4-B 74

IP addresses (VS6 internal management network cables)

Cable ID in figure   From                                   To                               Director IP address if cable is in Cluster 1   Director IP address if cable is in Cluster 2
A1                   MMCS-A Management A Fabric connector   Eng-2 MM-A LAN Service port      Director-1-1-A, subnet B 128.221.253.35        Director-2-1-A, subnet B 128.221.253.67
A2                   Eng-2 MM-A LAN Management port         Eng-3 MM-A LAN Service port      Director-1-2-A, subnet B 128.221.253.37        Director-2-2-A, subnet B 128.221.253.69
A3                   Eng-3 MM-A LAN Management port         Eng-4 MM-A LAN Service port      Director-1-3-A, subnet B 128.221.253.39        Director-2-3-A, subnet B 128.221.253.71
B1                   MMCS-B Management B Fabric connector   Eng-4 MM-B LAN Management port   Director-1-1-B, subnet A 128.221.252.36        Director-2-1-B, subnet A 128.221.252.68
B2                   Eng-2 MM-B LAN Management port         Eng-3 MM-B LAN Service port      Director-1-2-B, subnet A 128.221.252.38        Director-2-2-B, subnet A 128.221.252.70
B3                   Eng-3 MM-B LAN Management port         Eng-4 MM-B LAN Service port      Director-1-3-B, subnet A 128.221.252.40        Director-2-3-B, subnet A 128.221.252.72



CHAPTER 5
Implementing IPv6

In VPLEX, an IP address can be an IPv4 address, an IPv6 address, or both. While VPLEX
continues to support IPv4, it also supports the full IPv6 stack as well as dual-stack
IPv4/IPv6, including:
- Browser session
- VPN connection

  Note: In a virtual private network, the end points must always be of the same address
  family. That is, each leg in the VPN connection must be either IPv4 or IPv6.

- WAN link ports
- CLI session
- Cluster Witness
- RecoverPoint
In Release 5.3, IPv6 is available only with new installations.

The transition from an IPv4 network to a network where IPv4 and IPv6 coexist is
challenging because the two protocols are not designed to be interoperable with each
other. Transition technologies such as tunneling, or other translator gateways are
required to exchange traffic between the two types of network.
The VPLEX management server uses the dual stack mechanism to deploy IPv6. This
mechanism provides complete support for both IPv4 and IPv6, and allows applications
to talk to both IPv4 and IPv6. However, the choice of IP version is based on the name
look up and application preference.
The following table describes IPv6 support on VPLEX components along with
additional notes.

Table 6 IPv6 support on VPLEX components

Management server / MMCS-A
  Supports IPv4: Yes   Supports IPv6: Yes   Co-existence: Yes
  Notes:
  l The management server supports only global scope IPv6 static address
    configuration.
  l The management server supports the coexistence of both the IPv4 and IPv6
    address.

Director
  Supports IPv4: Yes   Supports IPv6: No   Co-existence: No
  Notes: Directors continue to support IPv4 address.

Cluster Witness
  Supports IPv4: Yes   Supports IPv6: Yes   Co-existence: Yes
  Notes: The IPv6 address for a cluster witness can be specified using vCenter or the
  VMware console -> Configure Network.

WAN COM
  Supports IPv4: Yes   Supports IPv6: Yes   Co-existence: No
  Notes: The IP-WAN-COM link operates on either IPv4 or IPv6.

VASA Provider
  Supports IPv4: Yes   Supports IPv6: No   Co-existence: No
  Notes: Although VPLEX SMS supports IPv6, the VASA provider continues to support
  only IPv4 in Release 5.3. Therefore, VASA providers running in an IPv6 environment
  must specify the IPv4 SMS address for VASA provider setup or registration.

Recover Point
  Supports IPv4: Yes   Supports IPv6: Yes   Co-existence: Yes
  Notes: RecoverPoint can communicate with the management server using either an
  IPv4 address or an IPv6 address.

LDAP/AD server
  Supports IPv4: Yes   Supports IPv6: Yes   Co-existence: Yes
  Notes: The IP address can be specified during the LDAP configuration. To change
  the configured IP address, the configuration must be recreated.

The VPLEX Administration Guide provides additional information on IPv6.
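The constraints in Table 6 and the VPN note above are easy to violate in an address plan drawn up before installation. The following Python checker is an added example, not VPLEX code: it reads a small plan dictionary (its layout and the component keys are assumptions made for this example) and reports every address that breaks a documented rule: an IPv6 address on a director or on the Release 5.3 VASA provider, IPv4 and IPv6 together on a component that does not support coexistence (such as WAN COM), a non-global IPv6 address on the management server, or VPN end points in different address families. Sample addresses are from documentation ranges.

```python
"""Check an IP plan against the IPv6 support rules of Table 6 and the VPN note above.

Added example, not VPLEX code. The dictionary layout and the component keys are
assumptions made for this example; VPLEX itself is configured through its CLI.
"""
import ipaddress
from typing import Dict, List

# Table 6: which components accept an IPv6 address at all.
SUPPORTS_IPV6 = {
    "management-server": True,
    "director": False,          # directors continue to support IPv4 only
    "cluster-witness": True,
    "wan-com": True,
    "vasa-provider": False,     # Release 5.3: VASA provider is IPv4 only
    "recoverpoint": True,
    "ldap-server": True,
}
# Table 6: components that may hold an IPv4 and an IPv6 address at the same time.
ALLOWS_COEXISTENCE = {"management-server", "cluster-witness", "recoverpoint", "ldap-server"}


def check_component(name: str, addresses: List[str]) -> List[str]:
    """Return the rule violations for one component; an empty list means it is fine."""
    problems: List[str] = []
    parsed = []
    for a in addresses:
        try:
            parsed.append(ipaddress.ip_address(a))
        except ValueError:
            problems.append(f"{name}: '{a}' is not a valid IP address")
    families = {ip.version for ip in parsed}
    if 6 in families and not SUPPORTS_IPV6.get(name, False):
        problems.append(f"{name}: IPv6 address configured but component is IPv4-only")
    if len(families) == 2 and name not in ALLOWS_COEXISTENCE:
        problems.append(f"{name}: IPv4 and IPv6 configured together but coexistence is not supported")
    if name == "management-server":
        # Only global-scope static IPv6 addresses are supported; link-local and
        # loopback addresses are the unambiguous part of that check.
        for ip in parsed:
            if ip.version == 6 and (ip.is_link_local or ip.is_loopback):
                problems.append(f"{name}: '{ip}' is not a global-scope IPv6 address")
    return problems


def check_vpn(local: str, remote: str) -> List[str]:
    """Both VPN end points must belong to the same address family."""
    try:
        fam_l = ipaddress.ip_address(local).version
        fam_r = ipaddress.ip_address(remote).version
    except ValueError as exc:
        return [f"vpn: {exc}"]
    if fam_l != fam_r:
        return [f"vpn: end points {local} and {remote} are in different address families"]
    return []


def validate(plan: Dict) -> List[str]:
    """plan = {"components": {name: [address, ...]}, "vpn": (local, remote) or None}."""
    findings: List[str] = []
    for name, addrs in plan.get("components", {}).items():
        findings.extend(check_component(name, addrs))
    if plan.get("vpn"):
        findings.extend(check_vpn(*plan["vpn"]))
    return findings


# Constructed sample plans; addresses come from documentation ranges, not a real site.
PLAN_BAD = {
    "components": {
        "management-server": ["192.0.2.10", "2001:db8::10"],
        "director": ["128.221.253.35", "2001:db8::35"],
        "wan-com": ["198.51.100.1", "2001:db8:1::1"],
        "vasa-provider": ["2001:db8::20"],
    },
    "vpn": ("192.0.2.10", "2001:db8:2::1"),
}
PLAN_GOOD = {
    "components": {
        "management-server": ["192.0.2.10", "2001:db8::10"],
        "director": ["128.221.253.35"],
        "wan-com": ["2001:db8:1::1"],
        "vasa-provider": ["192.0.2.10"],
    },
    "vpn": ("2001:db8::10", "2001:db8:2::1"),
}

if __name__ == "__main__":
    for finding in validate(PLAN_BAD):
        print("VIOLATION:", finding)
    print("violations in good plan:", validate(PLAN_GOOD))
```

PLAN_BAD produces five findings (two for the director, one each for WAN COM, the VASA provider and the mixed-family VPN); PLAN_GOOD produces none. The global-scope test deliberately covers only link-local and loopback addresses, because the Python ipaddress module classifies documentation ranges such as 2001:db8::/32 as non-global, which would make the sample plan fail for the wrong reason.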



CHAPTER 6
Security configuration settings

This section provides an overview of user accounts and privileges.

l User roles, accounts, and privileges................................................................... 30


User roles, accounts, and privileges


This table provides an overview of VPLEX accounts and associated privileges.

Table 7 VPLEX user accounts and privileges

Management server (1) / MMCS-A

  Account: service   Default password: Mi@Dim7T (2)
  Privileges:
  l Access to the management server desktop, VPlexcli, and Unisphere for VPLEX GUI
  l Ability to start and stop management server services
  l Execute permissions for VPlexcli related scripts
  l Ability to execute VPlexcli commands
  l Read/write access to log files

  Account: admin   Default password: teS6nAX2 (3)
  Privileges:
  l Access to management server desktop, VPlexcli, and Unisphere for VPLEX GUI
  l Ability to create, modify, and delete new user accounts
  l Ability to execute VPlexcli commands
  l Read-only access to log files

  Account: vplexuser (default user)   Default password: null
  Privileges:
  l Access dependent on that granted with Role-based User Access. See Role-based
    User Access for complete descriptions of user types and permissions.

  Account: readonly   Default password: null
  Privileges:
  l Restricted access dependent on that granted with Role-based User Access. See
    Role-based User Access for complete descriptions of user types and permissions.
  l Root privileges are disabled.
  l The list of commands supported for readonly accounts is provided for each
    release in the SolVe Desktop, in Administration > Configure > "Restricted
    Commands".

  Account: root   Default password: null
  Privileges:
  l Root privileges
  l Access to management server desktop
  l Read-only access to log files

Fibre Channel COM switch (Excluding FRU switches) (4)

  Account: service   Default password: Mi@Dim7T
  Privileges:
  l Access to the Fibre Channel internal switch interface
  l Ability to start and stop switch services

  Account: admin   Default password: Ry3fog4M
  Privileges:
  l Access to the Fibre Channel internal switch interface
  l Ability to add and delete other accounts on the switch interface
  l Ability to change passwords on the switch interface

Fibre Channel COM switch (FRU switches ONLY) (5)

  Account: root   Default password: fibranne
  Privileges:
  l Access to the Fibre Channel internal switch interface
  l Ability to add and delete other accounts on the switch interface
  l Ability to change passwords on the switch interface, including the root and
    factory passwords

  Account: admin   Default password: password
  Privileges:
  l Access to the Fibre Channel internal switch interface
  l Ability to add and delete other accounts on the switch interface
  l Ability to change passwords on the switch interface

Management Server iDRAC (For DELL PowerEdge Server only)

  Account: root   Default password: calvin
  Privileges:
  l Root privileges
  l Access to management server desktop
  l Change the default password of this component by connecting to the iDRAC port,
    as per the customer's password policy.
(1) You cannot delete the default management server accounts.


(2) Given the elevated permissions granted to the service account, its password must
be changed in order to better protect VPLEX from misuse or abuse of those privileges.
Changing the service account password provides more information.


(3) The first user who attempts to log in as admin is prompted to change the admin
password before logging in. To change the password when prompted, follow the steps
in Changing Passwords. Follow all instructions except for changing the password after
you log in.
(4) Fibre Channel COM switches exist only in dual-engine and quad-engine VPLEX
clusters.
(5) In switches that are shipped for field replacement or hardware upgrade (rather
than as part of a cabinet system), there is no service account.
The table provides an overview of specific operations that each account type can
perform on a VPLEX component.

Table 8 VPLEX operations and account types

Management server / MMCS-A
  Operation                                    service   admin   user
  Startup and shutdown                         Yes       No      No
  Create, modify, and delete users             No        Yes     No
  Modify your own password                     Yes       Yes     Yes
  Update or reset passwords for other users    No        Yes     No
  Set IP configuration                         Yes       No      No
  Change host names                            Yes       No      No
  Start or stop NTP (1)                        Yes       No      No
  Start or stop VPN                            Yes       No      No
  Install, upgrade, backup, and restore        Yes       No      No
  Run CRON jobs                                Yes       Yes     Yes

VPLEX CLI (VPLEX management)
  Operation                                    service   admin   user
  Configure SNMP                               Yes       Yes     Yes
  Manage users and passwords                   No        Yes     No
  Manage password policy                       No        Yes     No
  Configure CallHome                           Yes       Yes     Yes
  Create or renew certificates                 Yes       Yes     Yes
  Start and stop NTP (1)                       Yes       Yes     Yes
  Configure LDAP                               Yes       Yes     Yes
  Configure VPN                                Yes       Yes     Yes
  Configure Cluster Witness                    Yes       No      No
  Run EZ-Setup                                 Yes       No      No
  Configure and manage storage                 Yes       Yes     Yes

Fibre Channel COM Switch
  Operation                                    service   admin   user
  Log in                                       Yes       Yes     Yes
  Run switch commands                          Yes       Yes     Yes

(1) ICMP/Ping is required between the SMS (cluster 1) and the external NTP server.


Note

The root privileges for performing maintenance activities on Cluster Witness are
restricted to the Service account.



CHAPTER 7
Configuring user authentication

VPLEX customers can choose to configure their user accounts using either:
l An external OpenLDAP or Active Directory server which integrates with Unix using
Service for UNIX 3.5, Identity Management for UNIX, or other authentication
service.
OpenLDAP and Active Directory users are authenticated by the server. Usernames
and passwords created on an external server are fetched from the remote system
to the VPLEX system each time they are used.
l The VPLEX management server
Usernames and passwords are created locally on VPLEX system, and are stored on
VPLEX.
Customers who do not want to use an external LDAP server for maintaining user
accounts create their user accounts on the VPLEX system itself.
VPLEX is pre-configured with two default user accounts: admin and service.
Refer to the EMC VPLEX CLI Command Reference Guide for information on the
commands used to configure user authentication.

l Role-based access control feature overview...................................................... 36


l Implementing LDAP............................................................................................38
l Password policy ................................................................................................ 39
l Synchronizing service account password to MMCS peer...................................43


Role-based access control feature overview


To improve security, beginning with GeoSynchrony release 6.0, shell access is limited
to the admin and service users only. Any user or script previously defined with shell
access (such as service) continues to have shell access in release 6.0. Users or
scripts that did not have shell access prior to 6.0 must have their accounts explicitly
defined by role-based access control.
See the EMC VPLEX CLI Reference Guide for more information about the user add
command with the -r option.
Users who are defined as either admin or service are taken to the shell command
line once logged in to the management server. Users without shell access are
redirected to the VPLEX CLI.
All users using LDAP credentials are defined as vplexuser by default.
Individual login credentials can be set for LDAP users, as every user account has a
different username and password. However, all LDAP users are given identical
privileges (same role and same shell access value). The Administrator can either grant
or revoke shell access for any customizable role, such as vplexuser.
In previous releases, the sections Connecting to the management server (Local and
Metro), Logging on to VPLEXcli (Local and Metro), and Connect to Cluster 2 (Metro)
had the user invoke the CLI from the shell. This is not needed in release 6.0 and later:
the user is automatically taken to the CLI, unless that user is admin or service or is
defined as having shell privileges by the Administrator.

Note

In order to issue shell commands, you must either be logged in as admin or service
or have shell access explicitly granted by the Administrator. Refer to the EMC VPLEX
Security Configuration Guide for instructions on using the CLI to define accounts for
shell access.

SCP file transfers


VPLEX allows file transfer to/from the management server using SCP. In VPLEX
release 6.0, SCP permissions will be granted with shell access.
Users with no shell access can perform SCP on files only (not on directories) from or
to a single directory. An additional CLI context represents this SCP directory. See the
EMC Security Configuration Guide for detailed information and examples.

Note

If you do not have shell access, you can only access a single directory when uploading
and downloading files.

Role descriptions
This topic describes roles supported under role-based access.
Shell access is turned off by default for all new VPLEX accounts. Roles are defined as
follows:

36 GeoSynchrony Security Configuration Guide


Configuring user authentication

l securityadmin - This role is to be used by the VPLEX administrator at the
customer site. There is only one securityadmin account allowed in the
management server. securityadmin has the same permissions as the vplexuser role
yet also manages user authorization and authentication (creating and deleting
accounts).
l service - This role is to be used by authorized EMC service personnel only in order
to configure VPLEX.
l vplexuser - This role is the basic minimum-access VPLEX user account. Best
practices encourage the majority of users be assigned this role with a unique
customized account name. Limit assigning securityadmin roles as much as possible
to ensure security in your installation. vplexuser role accounts correspond to
accounts created by the admin as well as authorized VPLEX LDAP accounts.
l readonly - The readonly role limits users to performing read-only commands with
the CLI, ensuring the user will not invoke commands that damage or inhibit VPLEX
functionality. It also provides a method of ensuring that automated monitoring
tools/scripts (CLI or REST) don't accidentally invoke damaging or unintended
commands. The Admin can create one or more accounts that have the readonly
role. vplexuser role accounts (as well as authorized VPLEX LDAP accounts)
created by the Administrator may be defined as readonly when deemed necessary.

Table 9 Description of roles in Role-based Access Control

Role            User name          Shell access (default)
securityadmin   admin              Customizable (true)
service         service            Always true
vplexuser       Customized name    Customizable (false)
readonly        Customized name    Customizable (false)

Current admin and service users continue to have shell access. It is possible for the
Administrator to turn shell access to service on or off on a per-account basis, as
described in this document.

Role-based access control and NDU


This topic describes the impact of role-based access in relation to NDUs.
Impact of role-based access control on NDU and Non-NDU tasks
For VPLEX release 6.0, NDU and non-NDU tasks are impacted as follows.
l For NDUs - There is no noticeable change in behavior during NDU with regard to
shell access. However, note that in the next major release, explicit access must
be granted through role-based access control for shell access (after upgrading to
the next major release). It is possible that this explicit access for the next major
release may be granted through an automated step in the upgrade process, though
this is not confirmed at this time.
l For non-NDU tasks - The Administrator must explicitly grant shell access after
creating new accounts (vplexuser and readonly roles). Shell access continues
for preexisting accounts with shell access (admin and service). Again, in
subsequent releases all accounts will have to be granted explicit shell access via
role-based access control.

Example 1 Existing VPLEX customer NDUs to VPLEX release 6.0


John is an existing EMC customer. He is defined as admin and has always had
Administrator privileges and shell access. For VPLEX release 6.0, John sees no change
in behavior and does not need to grant himself shell access (using role-based access
control) when upgrading to VPLEX release 6.0. John will, however, need to grant
himself explicit shell access in future major releases.

Example 2 New VPLEX customer performs Greenfield install

Pete is a new EMC VPLEX customer performing a Greenfield install (no NDU). Pete
plans to login as either the admin or as the service user. admin and service users
have shell access by default in VPLEX release 6.0 so Pete does not need to perform
any tasks in order to execute shell commands.

Example 3 Existing VPLEX customer NDUs to VPLEX release 6.0 and adds new user

Mary is a VPLEX customer. She NDUs to VPLEX release 6.0. After the NDU, Mary
finds she needs to grant shell access to a new user, Paul. Mary must use role-based
access control to define Paul as a User with shell access, even though she doesn't
have to explicitly define shell access for herself until the next major release.

Example 4 Existing VPLEX customer with shell scripts

Susan is a VPLEX customer. She NDUs to VPLEX release 6.0. Susan has many scripts
that she runs which access the shell, running under her admin account (which had
shell access). Again, she will not have to explicitly grant shell access with role-based
access control for VPLEX release 6.0, but she will for the next major release.

Implementing LDAP
Starting in Release 5.2 and later, LDAP configuration is securely persisted using an
internal security component. This eliminates bind user credential vulnerabilities. The
new implementation of LDAP includes the following:
l Use a new internal security component that ensures information is securely
persisted.
l Support for Directory Server groups, a logical collection of users. Groups can be
specified using the configuration commands and can be added or removed using
the map and unmap commands.

Note

Nested groups and dynamic groups are not supported.


l Mapping of OrganizationalUnit (OUs) is not supported. Use of groups to map
multiple users is recommended.

For upgraded systems or systems that have not previously had LDAP configured,
existing configuration information or the way it is persisted is not automatically
modified. Authentications continue as they were prior to upgrade. However, users can
continue to be mapped or unmapped with the old configuration.


To use the new implementation in a system where an LDAP configuration already
exists, the LDAP configuration must be reconfigured (unconfigured and configured) to
leverage the new security features.

Note

EMC recommends using the LDAPS protocol for secure communication between the
Management Server and the Directory Server.
LDAP configuration in the Management Server requires directory server attributes
which are not explicitly captured during the EZSetup interview process. Default values
are used instead, which causes configuration issues only for Microsoft Windows Active
Directory Server. Instead, use the authentication directory-service configure
command to configure the management server with the Microsoft Windows Active
Directory configuration details after completing EZSetup.

The VPLEX CLI Guide provides information on the commands used to configure LDAP.

Password policy
Details password policies and default values
The VPLEX management server uses a Pluggable Authentication Module (PAM)
infrastructure to enforce minimum password quality. It uses pam_cracklib, a library
that checks for dictionary words, to check potential passwords.

Table 10 Default password policies

Minimum password length (default value: 8)
  The minimum number of characters used when creating or changing a password. The
  minimum number of characters includes numbers, uppercase and lowercase letters,
  and special characters.

Minimum password age (default value: 1)
  The minimum number of days a password cannot be changed after the last password
  change. The service account default is 0 days.

Maximum password age (default value: 90)
  The maximum number of days that a password can be used since the last password
  change. After the maximum number of days, the account is locked and the user must
  contact the admin user to reset the password. The service account default is 3650
  days.

Password expiration warning (default value: 15)
  The number of days before the password expires. A warning message indicating that
  the password must be changed is displayed. The service account default is 30 days.

Password inactive days (default value: 1)
  The number of days after a password has expired before the account is locked.

In Release 5.2 and later, the management server uses the default value for the
password policies listed in the Default password policies table, and you can configure
each password policy to meet your specific needs. The new value will be updated in
the appropriate configuration file, and existing users will be updated with the new
configuration. Refer to the VPLEX CLI Command Reference Guide for information on
the commands used to set password policies and the values allowed.
Note the following:
l Password policies do not apply to users configured using the LDAP server.
l The Password inactive days policy does not apply to the admin account to protect
the admin user from account lockouts.
l During the management server software upgrade, an existing user's password is
not changed; only the user's password age information changes.
l You must be an admin user to configure a password policy.

Note

VS6 systems support only the GeoSynchrony version 6.0 and later.

Password policy default values after an upgrade


l If upgrading from a release prior to 5.1 to release 5.2, the default values will be
new. If desired, you can change these values. Refer to the VPLEX CLI Command
Reference Guide for information on setting password policies.
l If upgrading from release 5.1 to 5.2, the admin user will no longer have the 90 day
expiration set. The default value for the minimum password length will be 14 as it
was set previously. You can change this value if desired. Refer to the VPLEX CLI
Command Reference Guide for information on setting password policies.
l After upgrading to release 5.2, the admin user will not be locked after the
password expires. If the password for the administrator account has not been
changed since the last 91 days, after upgrading to release 5.2, the admin user will
be forced to change the password on the first login (after it has expired).

l After upgrading to 5.5 from 5.2 or earlier, 5.3 or 5.4, if you did not change the
default service password, you must do so within 30 days. A message displays to
remind you that the default service password will expire in 30 days.
l After upgrading to 6.0.x from 5.5.x or earlier, if you did not change the default
service password, you must do so within 30 days. During an NDU, every upgrade
path does not revisit the password policy and the password settings of the service
account. So, an upgrade path can miss noticing the use of the default service
account password. Within the 6.0.x versions, setting the service account
password back to the default one can cause an upgrade path to notice the default
password and the password can be forced to expire in 30 days, if it was not caught
in the previous upgrade paths.
l When installing VPLEX 5.5 on a new system, follow these prompts to change the
default service password.

Checking if the default password is in use...

Changing password for service.

Please enter the old password:


Please enter the new password:
Please reenter the new password:

Successfully completed password change for service.


Similar steps to change default service password are executed, after the upgrade
from VPLEX 5.2/5.4/5.5 to VPLEX 5.5. These are not encountered if the default
service password has already been changed prior to VPLEX 5.5 upgrade.
Valid password characters
The following characters are allowed in a VPLEXcli password:
l A-Z
l a-z
l 0-9
l . ? / * @ ^ % # + = - _ ~ : space
Note the following rules:
l A space is allowed only between the characters in a password, not in the beginning
or the end of the password.
l The # cannot be used in the beginning of a password.
l The passphrase used during the VPN configuration can contain letters, numbers,
and special characters.
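The character rules above and the aging values in Table 10 are enforced on the management server by PAM, but it is useful to be able to check a candidate password or an account's aging state before touching the system, for example when reviewing a password rotation plan. The following Python is an added example, not VPLEX code: check_password applies the length and character rules (with the extra characters that only Cluster Witness passwords accept), and aging_state classifies an account from the days elapsed since its last password change using the default or service-account policy. The exact boundary handling (for instance whether day 90 itself counts as expired) is an assumption, and the dictionary-word test that pam_cracklib performs is not reproduced.

```python
"""Check a candidate password against the VPLEX default password rules from this
chapter, and derive the aging state of an account from the policy values in Table 10.

Added example, not VPLEX code. VPLEX enforces these rules through PAM on the
management server; the dictionary-word check done by pam_cracklib is NOT
reproduced here. Boundary handling for the aging states is an assumption.
"""
from dataclasses import dataclass
from typing import List

# Characters allowed in a VPlexcli password (from "Valid password characters").
_SPECIALS = set(".?/*@^%#+=-_~: ")
_BASE_ALLOWED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") | _SPECIALS
# Extra characters permitted only for Cluster Witness passwords.
_CWS_EXTRA = set("!$&()[]")


@dataclass(frozen=True)
class AgingPolicy:
    min_age: int        # days before a password may be changed again
    max_age: int        # days a password may be used
    warn_days: int      # days before expiry at which a warning is shown
    inactive_days: int  # days after expiry before the account is locked


# Defaults from Table 10; the service account has its own values.
DEFAULT_POLICY = AgingPolicy(min_age=1, max_age=90, warn_days=15, inactive_days=1)
SERVICE_POLICY = AgingPolicy(min_age=0, max_age=3650, warn_days=30, inactive_days=1)
MIN_LENGTH = 8


def check_password(pw: str, cluster_witness: bool = False) -> List[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    allowed = _BASE_ALLOWED | (_CWS_EXTRA if cluster_witness else set())
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    bad = sorted({c for c in pw if c not in allowed})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    # A space may appear only between other characters.
    if pw[:1] == " " or pw[-1:] == " ":
        problems.append("space at the beginning or end")
    if pw.startswith("#"):
        problems.append("'#' at the beginning")
    return problems


def aging_state(days_since_change: int, policy: AgingPolicy = DEFAULT_POLICY) -> str:
    """Classify an account as ok / warning / expired / locked (assumed boundaries)."""
    if days_since_change > policy.max_age + policy.inactive_days:
        return "locked"        # expired and the inactive period has run out
    if days_since_change > policy.max_age:
        return "expired"       # must be changed at next login
    if policy.max_age - days_since_change <= policy.warn_days:
        return "warning"       # the expiry warning is being shown
    return "ok"


def change_allowed(days_since_change: int, policy: AgingPolicy = DEFAULT_POLICY) -> bool:
    """Minimum password age: a change is refused until min_age days have passed."""
    return days_since_change >= policy.min_age


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor~x", "#abcdefgh", " abcdefgh", "abc def!gh"):
        print(repr(candidate), check_password(candidate) or "ok")
    for days in (10, 75, 91, 92):
        print(days, "days since change ->", aging_state(days))
```

Note that the service account's defaults (minimum age 0, maximum age 3650, warning at 30 days) make aging_state(100, SERVICE_POLICY) report "ok" while the same account under DEFAULT_POLICY would already be locked; that difference is why the guide insists on changing the default service password rather than relying on expiry.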
Cluster Witness passwords
When upgrading to VPLEX 6.0, the Cluster Witness default password is automatically
changed, for security reasons, to a random value, which can be displayed by the
Administrator.
The Administrator can change the password to a specific value by running the
configuration cw-change-password command. See the VPLEX CLI Command
Reference Guide for more information.
Cluster Witness passwords allow additional characters:
l !
l $
l &
l (
l )
l [
l ]

Example 5 Changing Cluster Witness passwords

1. Update the cws password to a random password string (works if the default
CWS password is set currently):

VPlexcli:/> configuration cw-change-password

This command will change the Cluster Witness Server password.

Are you sure you want to continue? (Y/N): Y

Cluster Witness Server credentials updated successfully

----------

2. Update the cws password (works if default CWS password is set


currently):

VPlexcli:/> configuration cw-change-password -p

This command will change the Cluster Witness Server password.

Are you sure you want to continue? (Y/N): Y

Enter the new cluster witness password:

Re-enter password:

The Cluster Witness Server password is changed successfully

----------

3. Force update the CWS password:

VPlexcli:/> configuration cw-change-password -f -p

Enter the new cluster witness password:

Re-enter password:

The Cluster Witness Server password is changed successfully

----------

4. Force update the CWS password from a known pre-set password to


new password:

VPlexcli:/> configuration cw-change-password -c -p -f

Enter the existing cluster witness service user's password:

Re-enter password:

Enter the new cluster witness password:

Re-enter password:

The Cluster Witness Server password is changed successfully

----------

5. Force update the CWS password from a known pre-set password to a


random string:

VPlexcli:/> configuration cw-change-password -c -f

Enter the existing cluster witness service user's password:

Re-enter password:

The Cluster Witness Server password is changed successfully


Synchronizing service account password to MMCS peer


In certain cases, the service account password may need to be manually
resynchronized to the peer MMCS so that MMCS-A and MMCS-B hold the same
password. Use the security configure-mmcs-users command to accomplish this.
See the EMC VPLEX CLI Reference Guide for more information.
Execute this command only in a troubleshooting scenario, ideally when advised to do
so by EMC Customer Support.

Example 6 Running the security configure-mmcs-users command

Running the command on a VS6 system produces the following result.

VPlexcli:/> security configure-mmcs-users


MMCS user configuration was successful.

Running the command on a non-VS6 system produces the following result.

VPlexcli:/> security configure-mmcs-users


This command is supported to run on VPlex VS6 hardware
configuration only.



CHAPTER 8
Manage user accounts

l Adding user accounts.........................................................................................46


l View or modify user account details...................................................................46
l Changing passwords.......................................................................................... 48
l Resetting passwords..........................................................................................49
l Changing the service account password............................................................ 49
l Deleting user accounts.......................................................................................50


Adding user accounts


Note

In a VPLEX Metro configuration, VPLEX CLI accounts created on one management
server are not propagated to the second management server. The user list command
displays only those accounts configured on the local management server, not both
servers.

A user with an admin account can create a new account as follows:


Procedure
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public
IP address of the VPLEX management server.
2. Log in with username admin.
3. From the Linux shell prompt, type this command to connect to the VPlexcli:
vplexcli
4. Log in with username admin.
5. From the VPlexcli prompt, type the following command:

user add -u username

a. When prompted, type the admin account password.
b. When prompted for a password for the new user, type a password that
adheres to the rules in Password policy.
c. When prompted, retype the new password.

Note

The new user must change the password the first time he or she logs in.

View or modify user account details


View or modify user accounts by changing attributes of the users context.
Before you begin
When modifying user accounts, determine if the user needs shell access or not.
You must have administrator privileges to modify user accounts.
For an overview of role-based access control functionality and impact, see the VPLEX
Security Configuration Guide.
You grant or restrict shell access by modifying attributes with shell-access, invoking
the set command in the users context. vplexuser and readonly roles are defined
with customizable user names. Either the local or ldap context is defined depending
on the method that is used to access a user account (either LDAP or Local access).


List the management-server/users context to view both LDAP and Local users.
For example:

VPlexcli:/management-server/users> ll

l ldap context - The ldap context displays the role-name and the shell-
access associated with an LDAP user. All LDAP users are given identical
privileges and every LDAP user is treated the same.
Attributes associated with an ldap user account are:
n role-name - Name of the role with which the user account is associated
n shell-access - Defines the user's shell access privileges.
In this example, the role-name vplexuser has shell access as an LDAP user:

VPlexcli:/management-server/users/ldap> ll
Name Value
role-name vplexuser
shell-access true

l local context - The local context displays the role-name and the shell-
access associated for a user with local access. By default, admin and service are
local users. In addition, any user in the system created by admin are local users.
Attributes associated with a local user account are:
n user-name - Name of the user
n role-name - Name of the role with which the user account is associated
n shell-access - Defines the user's shell access privileges.
In this example, the admin user is defined with role securityadmin and shell-
access disabled.

VPlexcli:/management-server/users/local/admin> ll
Name Value
role-name securityadmin
shell-access false
user-name admin

To modify attributes such as role-name or shell-access, run the set command
on the appropriate user account context.
Procedure
1. List the attributes of the user (testuser in this example) by navigating to the
appropriate context and running the ll command.

VPlexcli:/management-server/users/local/testuser> ll
role-name : user
shell-access : false
user-name : testuser

2. To grant shell access for testuser, run the set command.
a. Set shell-access to true as follows: set shell-access true.


b. Enter the administrator password.


c. Verify that the attributes of the user (testuser in this example) have been
successfully modified by navigating to the appropriate context and running
the ll command.

3. To revoke or restrict shell access for testuser, use the set command.
a. Set shell-access to false as follows: set shell-access false.
b. Enter the administrator password.
c. Verify that the attributes of the user (testuser in this example) have been
successfully modified by navigating to the appropriate context and running
the ll command. After shell access has been revoked, the following output is
displayed.

VPlexcli:/management-server/users/local/testuser> ll
role-name : user
shell-access : false
user-name : testuser

Note

- role-name and shell-access are the only two writable attributes. user-name is
  not modifiable.
- The service account cannot be restricted from having shell access.
- The role-name of admin and service accounts is not modifiable. For local
  user/LDAP accounts, role-name can be modified to either vplexuser or
  readonly. If any other role-name is provided, the command fails with the
  following error message:

set: Evaluation of <<set role-name service>> failed.
cause: Failed to update value of 'role-name'.
cause: Failure committing new value for role-name on admin.
cause: Invalid role-name. Valid values are 'readonly' and 'vplexuser'. All values are case-sensitive.

Changing passwords
Any user can change his/her own password as follows:
Procedure
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public
IP address of the VPLEX management server.
2. Log in with the applicable username.
3. From the Linux shell prompt, type this command to connect to the VPlexcli:
vplexcli
4. Log in with username admin.

5. From the VPlexcli prompt, type the following command:

user passwd -u username

a. When prompted, type the old password.
b. When prompted for a new password, type a password that adheres to the
rules in Password policy.
c. When prompted, retype the new password.

Resetting passwords
A user with an admin account can reset passwords for other users as follows:
Procedure
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public
IP address of the VPLEX management server.
2. Log in with username admin.
3. From the Linux shell prompt, type this command to connect to the VPlexcli:
vplexcli
4. Log in with username admin.
5. From the VPlexcli prompt, type the following command:

user reset -u username

a. When prompted, type the admin account password.
b. When prompted for a password for the new user, type a password that
adheres to the rules in Password policy.
c. When prompted, retype the new password.

Note

The user must change the password the next time he or she logs in.

Changing the service account password

Beginning with release 5.5, users are required to change the service password upon
first use. EZSetup prompts the user to change the service user password during the
initial setup. Note that the policies for passwords listed in Password policy apply to the
service password.
The service password change is required in order to provide optimal protection for the
powerful service account. The service account is used by EMC to provide remote
support through the EMC ESRS gateway. Therefore, the service password must be
updated or recorded in the customer service database in order to provide this support.
The service password must be changed in two locations:
- Management server
- Fibre Channel switches

To change the service password on the Fibre Channel switches, use the switch's
passwd command.

Deleting user accounts

A user with an admin account can delete a different account as follows:
Procedure
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public
IP address of the VPLEX management server.
2. Log in with username admin.
3. From the Linux shell prompt, type this command to connect to the VPlexcli:
vplexcli
4. Log in with username admin.
5. From the VPlexcli prompt, type the following command:

user remove -u username

When prompted, type the admin account password.

CHAPTER 9
Log file settings

This section describes log files relevant to security.


Log file location
The following table lists the name and location of VPLEX component log files relevant
to security.

Table 11 VPLEX component log files

Component | Location
Unisphere for VPLEX | /var/log/VPlex/cli/session.log_username
management server OS | /var/log/messages
ConnectEMC | /var/log/ConnectEMC/logs/ConnectEMC.log files
Firewall | /var/log/firewall
VPN (ipsec) | /var/log/events.log

Log file management and retrieval

All logs rotate automatically, to avoid unbounded consumption of disk space.



CHAPTER 10
Communication Security Settings

This chapter contains the following topics.

- Communication security settings


Communication security settings

This section describes the communication security settings that enable you to
establish secure communication channels between VPLEX components, as well as
between VPLEX components and external systems.

IP WAN COM
A VPLEX Metro system does not support native encryption over an IP WAN COM link.
EMC recommends that you deploy an external encryption solution such as IPsec to
achieve data confidentiality and endpoint authentication over IP WAN COM links
between clusters.

Accessibility
To establish secure communication, note the following:
- The following protocols must be allowed on the customer firewall (both in the
  outbound and inbound filters):
  - Encapsulating Security Payload (ESP): IP protocol number 50
  - Authentication Header (AH): IP protocol number 51
- The following ports must be allowed on the customer firewall:
  - Internet Key Exchange (IKE): UDP port 500
  - NAT Traversal in the IKE (IPsec NAT-T): UDP port 4500
  - Secure Shell (SSH): TCP port 22
- Static IP addresses must be assigned to the public ports on each management
  server (eth3) and the public port in the Cluster Witness Server. If these IP
  addresses are in different subnets, the IP management network must be able to
  route packets between all such subnets.
- The firewall configuration settings in the IP management network must not
  prevent the creation of IPsec tunnels. Cluster Witness traffic as well as VPLEX
  management traffic leverages VPN tunnels established on top of IPsec.
- The IP management network must be capable of transferring SSH traffic between
  management servers and the Cluster Witness Server.
- The IP management network must be capable of transferring ICMP traffic between
  management servers and the Cluster Witness Server in order to enable
  configuration, upgrade, and diagnostics of Cluster Witness.
- The required minimum value for Maximum Transmission Unit (MTU) is 1500 bytes.
  Configure MTU as 1500 or larger.

Note

The IP management network must not be able to route to the following reserved
VPLEX subnets: 128.221.252.0/24, 128.221.253.0/24, and 128.221.254.0/24.
If VPLEX is deployed with IP inter-cluster network, the inter-cluster network must not
be able to route to the following reserved VPLEX subnets: 128.221.252.0/24,
128.221.253.0/24, and 128.221.254.0/24.
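The prerequisites in this section can be checked before an address and firewall plan is handed to the network team. The following Python script is an added example, not part of this guide or of the VPLEX software; the plan dictionary layout, the role names and the sample addresses are assumptions chosen for illustration. It encodes the requirements listed above (ESP and AH, IKE on UDP 500, NAT-T on UDP 4500, SSH on TCP 22, ICMP, the three reserved subnets, and the 1500-byte MTU floor) and reports every deviation it finds.

```python
"""Pre-flight check of a planned VPLEX IP management network against the
accessibility requirements above: the IPsec protocols and ports the customer
firewall must pass, static addresses and routes that stay clear of the
reserved VPLEX subnets, and the 1500-byte MTU floor.

Added example, not part of the EMC guide.  The plan dictionary layout and the
sample plans below are constructed for illustration."""
import ipaddress

# Reserved subnets that the management network must not be able to reach.
RESERVED_SUBNETS = [ipaddress.ip_network(n) for n in
                    ("128.221.252.0/24", "128.221.253.0/24", "128.221.254.0/24")]

# IP protocols (by number) and ports the customer firewall must allow between
# the management servers and the Cluster Witness Server.
REQUIRED_PROTOCOLS = {1: "ICMP", 50: "ESP", 51: "AH"}
REQUIRED_PORTS = {("udp", 500): "IKE", ("udp", 4500): "IPsec NAT-T",
                  ("tcp", 22): "SSH"}
MIN_MTU = 1500


def check_plan(plan):
    """Return a list of findings; an empty list means the plan passes.

    plan keys (assumed layout): 'hosts' maps a role name to its static public
    IP, 'routes' lists CIDR prefixes the management network can reach,
    'allowed_protocols' is a set of IP protocol numbers, 'allowed_ports' is a
    set of (transport, port) tuples, 'mtu' is the configured MTU in bytes."""
    findings = []

    # A static address inside a reserved subnet would force a route into it.
    for role, ip_text in plan["hosts"].items():
        ip = ipaddress.ip_address(ip_text)
        for net in RESERVED_SUBNETS:
            if ip in net:
                findings.append(f"{role}: address {ip} lies in reserved subnet {net}")

    # Any routed prefix that overlaps a reserved subnet violates the note above.
    for cidr in plan["routes"]:
        route = ipaddress.ip_network(cidr, strict=False)
        for net in RESERVED_SUBNETS:
            if route.overlaps(net):
                findings.append(f"route {route} reaches reserved subnet {net}")

    for number, label in REQUIRED_PROTOCOLS.items():
        if number not in plan["allowed_protocols"]:
            findings.append(f"firewall: IP protocol {number} ({label}) is not allowed")

    for (transport, port), label in REQUIRED_PORTS.items():
        if (transport, port) not in plan["allowed_ports"]:
            findings.append(f"firewall: {transport.upper()}/{port} ({label}) is not allowed")

    if plan["mtu"] < MIN_MTU:
        findings.append(f"MTU {plan['mtu']} is below the required minimum of {MIN_MTU}")

    return findings


# Constructed sample plans (addresses are documentation-range placeholders).
GOOD_PLAN = {
    "hosts": {"management server 1 (eth3)": "192.0.2.10",
              "management server 2 (eth3)": "198.51.100.10",
              "cluster witness server": "203.0.113.10"},
    "routes": ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"],
    "allowed_protocols": {1, 50, 51},
    "allowed_ports": {("udp", 500), ("udp", 4500), ("tcp", 22)},
    "mtu": 1500,
}

BAD_PLAN = {
    "hosts": {"management server 1 (eth3)": "192.0.2.10",
              "management server 2 (eth3)": "198.51.100.10",
              "cluster witness server": "128.221.253.10"},      # reserved range
    "routes": ["192.0.2.0/24", "128.221.254.0/25"],            # leaks into a reserved /24
    "allowed_protocols": {1, 50},                              # AH (51) missing
    "allowed_ports": {("udp", 500), ("tcp", 22)},              # NAT-T missing
    "mtu": 1400,                                               # below 1500
}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, "->", check_plan(plan) or ["no findings"])
```

The check is deliberately strict about routes rather than only addresses: the note above forbids the management network from routing to the reserved subnets at all, so a supernet that merely overlaps one of them is reported.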


Port Usage

The following table lists all the network ports and services used by VPLEX
components. This information, together with the firewall settings, is needed to use
the product.

Table 12 Port Usage

Serial Number | Port | Function | Service | Management server 1 | Management server 2 | Cluster Witness
1 | Public port TCP/22 | Log in to management server OS, copy files to and from the management server using the SCP sub-service, and establish SSH tunnels | SSH | Yes | Yes | Yes
2 | Service port TCP/22 | Log in to management server OS, copy files to and from the management server using the SCP sub-service, and establish SSH tunnels | SSH | Yes | Yes | Yes
3 | Public port TCP/21 | ESRS (EMC Secure Remote Service) access to VPLEX | ESRS | Yes | Yes | No
4 | Public port TCP/443 | ESRS (EMC Secure Remote Service) access to VPLEX | ESRS | Yes | Yes | No
5 | Public port TCP/5400 to 5413 | ESRS (EMC Secure Remote Service) access to VPLEX | ESRS | Yes | Yes | No
6 | Public port UDP/500 | IPSEC VPN | ISAKMP | Yes | Yes | Yes
7 | Public port UDP/4500 | IPSEC VPN | IPSEC NAT traversal | Yes | Yes | Yes
8 | Public port UDP/123 | Time synchronization service | NTP (1) | Yes | Yes | No
9 | Public port TCP/161 | Get performance statistics | SNMP | Yes | Yes | No
10 | Public port UDP/161 | Get performance statistics | SNMP | Yes | Yes | No
11 | Public port TCP/443 | Web access to the Unisphere for VPLEX graphical user interface | HTTPS | Yes | Yes | No
12 | Service port TCP/443 | Web access to the Unisphere for VPLEX graphical user interface | HTTPS | Yes | Yes | No
13 | Localhost TCP/5901 (no specific customer firewall settings are required) | Access to the management server's desktop. Not available on the public network. Must be accessed through an SSH tunnel. | VNC | Yes | Yes | No
14 | Localhost TCP/49500 (no specific customer firewall settings are required) | VPlexcli. Not available on the public network. Must be accessed through SSH. | Telnet | Yes | Yes | No
15 | Public port UDP/53 | Domain Name Service | DNS | Yes | Yes | Yes
16 | Any firewall between the Cluster Witness Server and the management servers needs to allow traffic for IP protocol numbers 1 (ICMP), 50 (ESP) and 51 (AH) | N/A | N/A | Yes | Yes | Yes

CAUTION

For VPLEX Performance Monitor, ensure that Port 443 is open on the firewall
between VPLEX Performance Monitor and VPLEX. Refer to the Knowledge Base
article 474842 for more information on configuring the firewall policy for VPLEX
IP WAN-COM communications over filter based firewall.


Notes
(1) ICMP/Ping is required between the management server (cluster 1) and external
NTP.

Communications specifications - VPLEX Metro system

This figure illustrates the communication between VPLEX components in a VPLEX
Metro system.
Figure 9 VPLEX Metro system

This table describes the possible communication between the VPLEX components in a
VPLEX Metro system.

Table 13 Communication in a VPLEX Metro system

Serial Number A <-> B A <-> C A <-> D B <-> C B <-> D B <-> E C <-> D C <-> E
1 Yes Yes Yes Yes Yes Yes
  (only for initial setup) (only for code upgrades) (only for code upgrades)
2 Yes Yes Yes Yes Yes Yes
  (only for initial setup) (only for code upgrades) (only for code upgrades)
3 Yes Yes
4 Yes Yes
5 Yes Yes
6 Yes Yes Yes
7 Yes Yes Yes
8 Yes
9 Yes Yes
10 Yes Yes
11 Yes Yes
12 Yes Yes
13 Yes Yes
14 Yes Yes
15 Yes Yes
16 Yes Yes Yes

Legend:
- A - VPLEX Management Client
- B - Management Server 1
- C - Management Server 2
- D - VPLEX Cluster Witness
- E - ESRS Server

Communications specifications - VPLEX Local system

This figure illustrates the communication between VPLEX components in a VPLEX
Local system.
Figure 10 VPLEX Local system

This table describes the possible communication between the VPLEX components in a
VPLEX Local system.

Table 14 Communication in a VPLEX Local system

Serial Number A <-> B B <-> C
1 Yes
2 Yes
3 Yes
4 Yes
5 Yes
9 Yes
10 Yes
11 Yes
12 Yes
13 Yes
14 Yes
15
16

Legend:
- A - VPLEX Management Client
- B - Management Server 1
- C - ESRS Server

Network Encryption
The VPLEX management server supports SSH through the sshd daemon provided by
the FIPS compliant OpenSSH package. It supports version 2 of the SSH protocol.
When the management server starts for the first time, the sshd daemon
generates key-pairs (private and public key) for communication with SSH clients.
rsa, dsa and ecdsa key-pairs are generated to support communication with SSH
version 2 clients.
The HTTPS protocol and the IPsec VPN use an X.509 host certificate to identify the
server and encrypt all traffic. X.509 host certificates use a 2048 bit host key. During
initial setup of a VPLEX cluster, a local Certification Authority (which signs the host
certificate request) is created automatically.
VPLEX supports a corporate Certification Authority signing the host certificate
requests. Users can import the corporate Certification Authority's CA certificate, the
host certificate it signed, and the key file. The IPsec encryption can use certificates
from RSA or ECDSA key-pairs. You can use only one type (RSA or ECDSA) when
configuring VPN on all three components of VPLEX, that is, the two
management servers and the cluster witness server. Note that for a VPLEX Metro
configuration, the host certificates for both web and VPN to be imported on both
clusters must be signed and created using the same CA certificate.
To import the corporate Certificate Authority signed certificates, refer to the VPLEX
CLI Guide.

Creating a local Certification Authority

A Certification Authority (CA) on the VPLEX management server must be created
solely for the purposes of signing management server certificates.
The VPlexcli command security create-ca-cert creates a CA certificate file and private
key protected by a passphrase. By default, this command creates the following:
- A 2048-bit CA key in /etc/ipsec.d/private/strongswanKey.pem
- A CA certificate in /etc/ipsec.d/cacerts/strongswanCert.pem that remains valid
  for 1825 days (5 years)
You must provide a passphrase for the CA key and the CA certificate subject. The CA
certificate subject must be the VPLEX cluster's serial number (found on the label
attached to the top of the VPLEX cabinet). If you are creating a CA certificate for a
VPLEX Metro implementation, you can use either cluster's serial number.


Creating a host certificate

Note

Host certificates are created as a part of EZsetup during a first time installation.

The VPlexcli command security create-host-certificate generates a host certificate
request and signs it with the Certification Authority certificate created in Creating
a local Certification Authority on page 60. By default, this command creates the
following:
- A 2048-bit key in /etc/ipsec.d/private/hostKey.pem
- A host certificate in /etc/ipsec.d/certs/hostCert.pem that remains valid for 730
  days (2 years)
You must provide the CA key passphrase for the host key and the host certificate
subject, which must be the cluster's serial number (found on the label attached to the
top of the VPLEX cabinet).

Installing the host certificate for use by HTTPS

Use the security web-configure command to install the host certificate for HTTPS.
See the EMC VPLEX CLI Reference Guide for more information.

Obtaining host certificate and host key fingerprints

When users first connect to the management server over SSH or by connecting to the
GUI using the HTTPS protocol, they are asked to confirm the server's identity. Most
client programs display the management server's fingerprints as MD5 or SHA1
checksums, allowing users to verify that they are connected to the VPLEX management
server and not to another machine, possibly deployed to harvest logins and passwords
for a man-in-the-middle attack.
Once a user confirms the management server's identity, subsequent connections will
not ask for this confirmation, but instead warn the user if the management server's
fingerprint has changed, which may be another indication of a man-in-the-middle
attack.
A VPLEX administrator might be asked by security-conscious users for the
fingerprints of both the X.509 certificate used for the GUI and the host keys used
for SSH access to the management server.

Finding the host certificate's SHA256, SHA1 and (for GUI users) MD5
fingerprints
To find the host certificate's SHA256, SHA1 and (for GUI users) MD5 fingerprints,
do the following.
Procedure
1. Type the following command:

openssl x509 -noout -in hostCert.pem -fingerprint -sha256

Output example:

SHA256 Fingerprint=91:65:4C:02:80:C0:C8:54:24:4A:71:2B:BF:C1:D5:3C:08:A2:2B:36:BC:7B:3D:A2:B3:8A:72:83:66:E1:36:25

2. Type the following command:

/etc/ipsec.d/certs # openssl x509 -noout -in hostCert.pem -fingerprint -sha1

Output example:

SHA1 Fingerprint=2E:B0:DD:59:DD:C3:29:96:33:74:19:CC:A0:81:28:28:6F:4F:76:E4

3. At the Linux shell prompt, type the following command:

/etc/ipsec.d/certs # openssl x509 -noout -in hostCert.pem -fingerprint -md5

Output example:

MD5 Fingerprint=6E:2C:A5:8E:86:11:45:26:02:09:62:97:6F:18:FD:62

Finding the SSH key fingerprint (for SSH users)

To find the SSH key fingerprint (for SSH users), do the following.
Procedure
1. At the Linux shell prompt, type the following command:

/etc/ssh > ssh-keygen -l -f ssh_host_dsa_key

Output example:

1024 52:42:70:0c:22:aa:2f:e3:09:18:93:c8:20:a4:78:0c ssh_host_dsa_key.pub

2. Type the following command:

/etc/ssh > ssh-keygen -l -f ssh_host_rsa_key

Output example:

1024 a4:d8:64:d0:24:b9:2c:3d:06:24:5f:3a:30:ba:83:f8 ssh_host_rsa_key.pub

3. Type the following command:

/etc/ssh > ssh-keygen -l -f ssh_host_ecdsa_key

Output example:

256 ca:05:f3:9a:3e:51:fe:53:51:90:39:bf:6b:f5:78:56 [MD5]root@ManagementServer (ECDSA)
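The three openssl commands and the three ssh-keygen commands above can also be reproduced without a shell, which is convenient when an administrator publishes the fingerprints for users to compare against what their SSH client or browser shows. The following Python code is an added example, not code from this guide or from the VPLEX software; the certificate bytes and SSH public keys it operates on are constructed placeholders, and the helper names are assumptions. It goes slightly beyond the two procedures above in that it also derives the key size that ssh-keygen prints in its first column and the newer SHA256 fingerprint format.

```python
"""Compute the fingerprints that the openssl x509 -fingerprint and ssh-keygen -l
commands above print.  Added example, not code from the EMC guide; the
certificate bytes and SSH keys below are constructed placeholders, not VPLEX
material."""
import base64
import hashlib
import struct


def pem_to_der(pem_text):
    """Strip the PEM armour lines and base64-decode the body into DER bytes."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def cert_fingerprint(pem_text, algo="sha256"):
    """openssl-style fingerprint: the digest of the DER certificate, printed as
    upper-case hex pairs joined by colons, e.g. 'SHA256 Fingerprint=91:65:...'."""
    digest = hashlib.new(algo, pem_to_der(pem_text)).digest()
    return f"{algo.upper()} Fingerprint=" + ":".join(f"{b:02X}" for b in digest)


def _ssh_fields(blob):
    """Split an SSH wire-format key blob into its uint32-length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def ssh_key_blob(pubkey_line):
    """Decode the base64 blob of an OpenSSH public-key line '<type> <b64> [comment]'."""
    return base64.b64decode(pubkey_line.split()[1])


def ssh_key_bits(pubkey_line):
    """Key size as ssh-keygen -l reports it in its first column."""
    fields = _ssh_fields(ssh_key_blob(pubkey_line))
    ktype = fields[0].decode()
    if ktype == "ssh-rsa":                       # fields: type, e, n
        return int.from_bytes(fields[2], "big").bit_length()
    if ktype == "ssh-dss":                       # fields: type, p, q, g, y
        return int.from_bytes(fields[1], "big").bit_length()
    if ktype.startswith("ecdsa-sha2-nistp"):     # fields: type, curve name, point
        return int(fields[1].decode()[len("nistp"):])
    if ktype == "ssh-ed25519":
        return 256
    raise ValueError(f"unsupported key type {ktype}")


def ssh_fingerprint_md5(pubkey_line):
    """Legacy MD5 fingerprint as bare colon-hex, matching the older ssh-keygen
    output above (current releases print 'MD5:' followed by the same string)."""
    digest = hashlib.md5(ssh_key_blob(pubkey_line)).digest()
    return ":".join(f"{b:02x}" for b in digest)


def ssh_fingerprint_sha256(pubkey_line):
    """Current default format: 'SHA256:' plus unpadded base64 of the blob's SHA-256."""
    digest = hashlib.sha256(ssh_key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# --- constructed sample inputs (not real keys or certificates) ---
def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    # mpint is big-endian two's complement: one extra byte keeps the top bit clear
    return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))


def make_rsa_pubkey_line(e, n, comment="constructed"):
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def make_ed25519_pubkey_line(point, comment="constructed"):
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(point)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


SAMPLE_RSA_KEY = make_rsa_pubkey_line(65537, (1 << 1023) | 0x10001)   # 1024-bit modulus
SAMPLE_ED25519_KEY = make_ed25519_pubkey_line(bytes(range(32)))
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()   # tiny DER stub
                   + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for algo in ("sha256", "sha1", "md5"):
        print(cert_fingerprint(SAMPLE_CERT_PEM, algo))
    for key in (SAMPLE_RSA_KEY, SAMPLE_ED25519_KEY):
        print(ssh_key_bits(key), ssh_fingerprint_md5(key), ssh_fingerprint_sha256(key))
```

To use it on the real files, pass the contents of /etc/ipsec.d/certs/hostCert.pem to cert_fingerprint and a line of /etc/ssh/ssh_host_rsa_key.pub (or the other .pub files) to the ssh_* helpers; the values should match the openssl and ssh-keygen output byte for byte.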

Configurable HTTPS/TLS protocol

From VPLEX 6.0, the HTTPS/TLS protocol is configurable for webserver-client
connections.
The ability to configure the HTTPS/TLS protocol mitigates the POODLE (Padding Oracle
On Downgraded Legacy Encryption) vulnerability over TLS-encrypted client-server
HTTPS connections.
You can now choose TLS levels TLSv1.0, TLSv1.1 and TLSv1.2 over SSLv3 (which has
the POODLE vulnerability).

Set TLS version for Web server HTTPS connection

Use the following procedure to set the TLS version for Web server HTTPS
connections in order to mitigate security risks from POODLE (Padding Oracle On
Downgraded Legacy Encryption).
Procedure
1. Enter the set sslversion command to set the TLS version for a Web server
HTTPS connection.
Use the following command format:

set sslversion TLSv1, SSLv2Hello,TLSversion

where TLSversion is one of the following values:

- TLSv1.0
- TLSv1.1
- TLSv1.2

Note

TLSv1.2 is the recommended protocol version by default.

2. Enter the webserver restart command to apply the changes.


Example 7 Setting TLS version

VPlexcli:/security/web-server> set sslversion TLSv1, SSLv2Hello,TLSv1.2

Note

After entering the CLI command, restart the Web server with the webserver
restart command to apply the changes.

Data security settings

Encryption of data at rest: user passwords
Hashed user passwords are stored in /etc/shadow on the VPLEX management server.
GeoSynchrony uses a hardcoded hashing algorithm to protect the passwords.
From version 6.0, the SHA-512 algorithm is used to hash and store
passwords, using the UNIX crypt(3) function.
Passwords are stored in the VPLEX password database in the following format:

$6$<salt>$<encrypted>

$6$ = hashing method, i.e. SHA-512
<salt> = 16 character salt string
<encrypted> = 86 character hashed password string
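A defender checking that every local account on the management server really uses the $6$ format described above can parse /etc/shadow directly. The following Python code is an added example, not part of this guide or of GeoSynchrony; the shadow lines are constructed, the hash bodies are placeholders rather than real password hashes, and the handling of glibc's optional rounds= prefix is an assumption beyond what the guide describes.

```python
"""Audit /etc/shadow-style entries against the password storage format above
($6$<salt>$<hash>: SHA-512 crypt, 16-character salt, 86-character hash) and
flag accounts that still use a weaker scheme or have no password at all.

Added example, not part of the EMC guide.  The shadow lines below are
constructed and the hash strings are placeholders.  The optional 'rounds='
prefix handled here is a glibc crypt(3) feature the guide does not mention."""
import re

# crypt(3) scheme identifiers; only $6$ meets the SHA-512 requirement above.
SCHEME_NAMES = {"1": "MD5", "2a": "bcrypt", "2b": "bcrypt", "5": "SHA-256", "6": "SHA-512"}
SHA512_CRYPT = re.compile(
    r"^\$6\$(?:rounds=(\d+)\$)?([./0-9A-Za-z]{1,16})\$([./0-9A-Za-z]{86})$")


def classify_password_field(field):
    """Return (status, detail) for the second field of one shadow entry."""
    if field == "":
        return "empty", "no password set"
    if field.startswith(("!", "*")):
        return "locked", "account locked or password login disabled"
    match = SHA512_CRYPT.match(field)
    if match:
        rounds = int(match.group(1)) if match.group(1) else 5000   # glibc default
        return "ok", f"SHA-512 crypt, {len(match.group(2))}-char salt, {rounds} rounds"
    if field.startswith("$"):
        scheme = field.split("$")[1]
        name = SCHEME_NAMES.get(scheme, "unknown")
        return "weak", f"{name} crypt scheme (${scheme}$) instead of SHA-512"
    return "weak", "legacy DES crypt or unrecognised format"


def audit_shadow(text):
    """Map user name -> (status, detail) for every non-empty line of shadow text."""
    results = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 2:
            results[line] = ("malformed", "fewer than two colon-separated fields")
            continue
        results[fields[0]] = classify_password_field(fields[1])
    return results


def accounts_needing_attention(text):
    """Users whose entry is neither SHA-512 crypt nor deliberately locked."""
    return sorted(user for user, (status, _) in audit_shadow(text).items()
                  if status not in ("ok", "locked"))


# Constructed sample: a 16-char salt and an 86-char placeholder body for $6$ entries.
SALT = "abcdefghijklmnop"
FAKE_HASH = "x" * 86
SAMPLE_SHADOW = "\n".join([
    f"admin:$6${SALT}${FAKE_HASH}:18000:0:99999:7:::",                  # compliant
    f"service:$6$rounds=100000${SALT}${FAKE_HASH}:18000:0:99999:7:::",  # compliant, more rounds
    f"testuser:!$6${SALT}${FAKE_HASH}:18000:0:99999:7:::",              # locked
    f"legacy:$1$saltsalt${'y' * 22}:18000:0:99999:7:::",                # MD5 crypt
    "oldbox:abcdefghijklm:18000:0:99999:7:::",                          # DES crypt
    "nopass::18000:0:99999:7:::",                                       # empty password
])

if __name__ == "__main__":
    for user, (status, detail) in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:10} {status:6} {detail}")
    print("needs attention:", accounts_needing_attention(SAMPLE_SHADOW))
```

Reading /etc/shadow requires root on the management server; run the audit from a privileged shell and feed the file contents to audit_shadow rather than copying the file elsewhere.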
