VPLEX overview  1
Security recommendations  3
IP addresses and component IDs  7
Security configuration settings  13
Configuring user authentication  15
Manage user accounts  18
Log file settings  21
Communication security settings  21
Data security settings  29
VPLEX overview
An EMC VPLEX cluster consists of one, two, or four engines (each containing two
directors), and a management server. A dual-engine or quad-engine cluster also contains
a pair of Fibre Channel switches for communication between directors.
Each engine is protected by a standby power supply (SPS), and each Fibre Channel switch
gets its power through an uninterruptible power supply (UPS). In a dual-engine or
quad-engine cluster, the management server also gets power from a UPS.
The management server has a public Ethernet port, which provides cluster management
services when connected to the customer network. The management server can also
provide call-home services through the public Ethernet port by connecting to an EMC
Secure Remote Support (ESRS) gateway deployed on the same network. The ESRS
gateway is also used by EMC personnel to provide remote service.
Three VPLEX implementations are available:
In a VPLEX Metro or VPLEX Geo implementation, the clusters are connected over IP
between the management servers.
Figure (SYM-002272): Quad-engine VPLEX cluster layout, top to bottom: Engine 4 (two SPS), Engine 3 (two SPS), FC Switch B with UPS B, FC Switch A with UPS A, Management Server, Engine 2 (two SPS), Engine 1 (two SPS).
Security recommendations
While the Security Configuration Guide must be reviewed in its entirety, this section
serves to highlight EMC's most important security recommendations to ensure the
security of your data and environment.
Given the elevated permissions granted to the service account, its password must be
changed in order to better protect VPLEX from misuse or abuse of those privileges.
Changing the service account password on page 20 provides more information.
To protect your data in the communications between clusters in VPLEX Metro and Geo
configurations, an external encryption solution such as IPSec must be used to
guarantee confidentiality and authentication for the IP WAN COM link. IP WAN COM
on page 21 provides more information.
To protect the identity and integrity of your users and their account credentials, all
LDAP communication must be configured to use the LDAPS protocol. Implementing
LDAP on page 16 provides more information.
Figure: Management server Ethernet ports eth0 through eth3. A service cable from the customer workstation's Ethernet port and a customer-provided Ethernet cable from the public port (eth3) to the customer IP network are shown.
A service account user can also inspect log files, start and stop services, and upgrade
firmware and software.
SSH also can be used to establish a secure tunnel between the management server and
the host running the SSH client. Using a tunneled VNC connection to access the
management server desktop on page 5 provides more information.
To access the GUI using an IPv6 address, use the following URL:
https://[mgmtserver_ipv6_addr]
For example:
https://[3ffe:80c0:22c:803c:215:17ff:fed3:207]/smsflex/VPlexConsole.html
Note: Accessing the VPLEX GUI or the VPLEX CLI over IPv6 is possible only if the client
machine is also in an IPv6 network.
The GUI encrypts all traffic using a server certificate. Creating a host certificate on
page 27 provides more information.
Note: The GUI has a timer that logs the user out after 10 minutes of inactivity. You can
modify the timeout value to a maximum of 12 hours.
Figure (IPsec_VPN): IPsec tunnel across the customer IP network between Mgmt server 1 (Cluster 1) and Mgmt server 2 (Cluster 2), each attached through eth3. Cluster 1 internal subnets: Subnet A 128.221.252.32/27 (eth2) and Subnet B 128.221.253.32/27 (eth0). Cluster 2 internal subnets: Subnet A 128.221.252.64/27 (eth2) and Subnet B 128.221.253.64/27 (eth0).
Although you might have already secured the network connections between two VPLEX
Metro or VPLEX Geo clusters, the management servers must establish an explicit VPN
connection, to acknowledge that the remote management server has full management
control over the local cluster and its resources.
The VPLEX management server uses strongSwan, an open source implementation of IPsec
for Linux.
Session name: PuTTY_VNC. Type a name for the PuTTY session you are configuring. This allows you to load the saved session if you need to reconnect later, eliminating the need to configure the individual parameters again.
Server address: (default)
Tunnels: source port 5901, destination localhost:5901
Default settings: Verify, and set as shown if necessary.
VPLEX Metro or VPLEX Geo - The Cluster ID for the first cluster that is set up is 1, and
the second cluster is 2.
Note: The management server supports the coexistence of both the IPv6 and IPv4
address. However, the directors only support IPv4 addresses.
Cluster IP Seed = 1, Enclosure IDs = engine numbers (figure Zep-028_1)
Component               Management network A   Management network B
Mgt A port              128.221.252.33
Mgt B port                                     128.221.253.33
FC switch B                                    128.221.253.34
Engine 1, Director 1A   128.221.252.35         128.221.253.35
Engine 1, Director 1B   128.221.252.36         128.221.253.36
Engine 2, Director 2A   128.221.252.37         128.221.253.37
Engine 2, Director 2B   128.221.252.38         128.221.253.38
Engine 3, Director 3A   128.221.252.39         128.221.253.39
Engine 3, Director 3B   128.221.252.40         128.221.253.40
Engine 4, Director 4A   128.221.252.41         128.221.253.41
Engine 4, Director 4B   128.221.252.42         128.221.253.42
Management server service port: 128.221.252.2
Cluster IP Seed = 2, Enclosure IDs = engine numbers (figure Zep-028_2)
Component               Management network A   Management network B
Mgt A port              128.221.252.65
Mgt B port                                     128.221.253.65
FC switch B                                    128.221.253.66
Engine 1, Director 1A   128.221.252.67         128.221.253.67
Engine 1, Director 1B   128.221.252.68         128.221.253.68
Engine 2, Director 2A   128.221.252.69         128.221.253.69
Engine 2, Director 2B   128.221.252.70         128.221.253.70
Engine 3, Director 3A   128.221.252.71         128.221.253.71
Engine 3, Director 3B   128.221.252.72         128.221.253.72
Engine 4, Director 4A   128.221.252.73         128.221.253.73
Engine 4, Director 4B   128.221.252.74         128.221.253.74
Management server service port: 128.221.252.2
Cluster IP Seed = 1, Enclosure IDs = engine numbers (figure VPLX-000242)
Component               A side                 B side
Mgt A port              128.221.252.33
Mgt B port                                     128.221.253.33
FC switch B                                    128.221.253.34
Engine 1, Director 1A   128.221.252.35         128.221.253.35
Engine 1, Director 1B   128.221.252.36         128.221.253.36
Engine 2, Director 2A   128.221.252.37         128.221.253.37
Engine 2, Director 2B   128.221.252.38         128.221.253.38
Engine 3, Director 3A   128.221.252.39         128.221.253.39
Engine 3, Director 3B   128.221.252.40         128.221.253.40
Engine 4, Director 4A   128.221.252.41         128.221.253.41
Engine 4, Director 4B   128.221.252.42         128.221.253.42
Management server service port: 128.221.252.2
Cluster IP Seed = 2, Enclosure IDs = engine numbers (figure VPLX-000243)
Component               A side                 B side
Mgt A port              128.221.252.65
Mgt B port                                     128.221.253.65
FC switch B                                    128.221.253.66
Engine 1, Director 1A   128.221.252.67         128.221.253.67
Engine 1, Director 1B   128.221.252.68         128.221.253.68
Engine 2, Director 2A   128.221.252.69         128.221.253.69
Engine 2, Director 2B   128.221.252.70         128.221.253.70
Engine 3, Director 3A   128.221.252.71         128.221.253.71
Engine 3, Director 3B   128.221.252.72         128.221.253.72
Engine 4, Director 4A   128.221.252.73         128.221.253.73
Engine 4, Director 4B   128.221.252.74         128.221.253.74
Management server service port: 128.221.252.2
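The address tables above follow one arithmetic scheme: the cluster IP seed selects the /27 on each management network, and a fixed host offset selects the component. This added Python example (not from the guide) rebuilds the tables from that scheme and uses them to flag hosts inside the reserved VPLEX subnets that match no expected component; the subnets and offsets are taken from the tables, the observed addresses are constructed sample data.

```python
import ipaddress

# Management networks and reserved subnets as given in the guide.
NET_A = ipaddress.ip_network("128.221.252.0/24")   # management network A (A side)
NET_B = ipaddress.ip_network("128.221.253.0/24")   # management network B (B side)
RESERVED = [NET_A, NET_B, ipaddress.ip_network("128.221.254.0/24")]
SERVICE_PORT = ipaddress.ip_address("128.221.252.2")  # same for every cluster

def cluster_subnet(seed, network):
    """Each cluster owns one /27 per management network: seed 1 -> .32/27, seed 2 -> .64/27."""
    return ipaddress.ip_network(f"{network.network_address + 32 * seed}/27")

def expected_addresses(seed):
    """Rebuild the guide's address table for one cluster IP seed.

    Host offsets inside the cluster /27, read off the tables: 1 = Mgt port,
    2 = FC switch, 3 + 2*(engine - 1) + side = director (side 0 = A, 1 = B).
    Returns {component: {"A": addr, "B": addr}}, listing only the networks
    on which the component actually has an address."""
    a = cluster_subnet(seed, NET_A).network_address
    b = cluster_subnet(seed, NET_B).network_address
    table = {
        "Mgt A port": {"A": a + 1},
        "Mgt B port": {"B": b + 1},
        "FC switch B": {"B": b + 2},
    }
    for engine in range(1, 5):
        for side, name in enumerate("AB"):
            off = 3 + 2 * (engine - 1) + side
            table[f"Director {engine}{name}"] = {"A": a + off, "B": b + off}
    return table

def identify(addr, seeds=(1, 2)):
    """Map a management-network address to (seed, component, network); None if unexpected."""
    ip = ipaddress.ip_address(addr)
    if ip == SERVICE_PORT:
        return (None, "Service port", "A")
    for seed in seeds:
        for component, nets in expected_addresses(seed).items():
            for net_name, expected in nets.items():
                if ip == expected:
                    return (seed, component, net_name)
    return None

def unexpected_hosts(observed):
    """Addresses inside the reserved VPLEX subnets that belong to no known component.
    The guide says these subnets must not be routable from the customer network,
    so anything returned here is worth investigating."""
    flagged = []
    for addr in observed:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in RESERVED) and identify(addr) is None:
            flagged.append(addr)
    return flagged

# Constructed sample: addresses seen in an ARP table or firewall log (not from the guide).
OBSERVED = ["128.221.252.35", "128.221.253.66", "128.221.252.99", "128.221.254.7", "10.1.2.3"]

if __name__ == "__main__":
    for addr in OBSERVED:
        print(addr, identify(addr))
    print("unexpected:", unexpected_hosts(OBSERVED))
```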
Implementing IPv6
In VPLEX, an IP address can be an IPv4 address, an IPv6 address, or both. While
VPLEX continues to support IPv4, it now also provides support for the full IPv6 stack as
well as dual stack IPv4/IPv6, including:
- Browser session
- VPN connection
Note: In a virtual private network, the end points must always be of the same address
family. That is, each leg in the VPN connection must be either IPv4 or IPv6.
- CLI session
- Cluster Witness
- RecoverPoint
VPLEX Components   Supports IPv4  Supports IPv6  Co-existence  Notes
Management server  Yes            Yes            Yes           The management server supports only global scope IPv6 static address configuration. It supports the coexistence of both the IPv4 and IPv6 address.
Director           Yes            No             No            Directors continue to support IPv4 addresses.
Cluster Witness    Yes            Yes            Yes
WAN COM            Yes            Yes            No
VASA Provider      Yes            No             No
RecoverPoint       Yes            Yes            Yes           RecoverPoint can communicate with the management server using either an IPv4 address or an IPv6 address.
LDAP/AD server     Yes            Yes            Yes
Account type                         Default password
Management server: service           Mi@Dim7T
Management server: admin             teS6nAX2
Management server: user
Fibre Channel COM switch: service    Mi@Dim7T
Fibre Channel COM switch: admin      Ry3fog4M
Fibre Channel COM switch: user       jYw13ABn
Table: operations permitted for each account type (service, admin, user) on the Management server and on the Fibre Channel COM switch. Operations listed include Set IP configuration, Configure SNMP, Configure CallHome, Configure LDAP, Configure VPN, Run EZ-Setup, and Log in.
An external OpenLDAP or Active Directory server which integrates with Unix using
Service for UNIX 3.5, Identity Management for UNIX, or other authentication service.
OpenLDAP and Active Directory users are authenticated by the server. Usernames and
passwords created on an external server are fetched from the remote system to the
VPLEX system each time they are used.
Customers who do not want to use an external LDAP server for maintaining user accounts
create their user accounts on the VPLEX system itself.
VPLEX is pre-configured with two default user accounts: admin and service.
Refer to the VPLEX CLI Guide for information on the commands used to configure user
authentication.
Implementing LDAP
Starting in Release 5.2, LDAP configuration is securely persisted using an internal
security component. This eliminates bind user credential vulnerabilities. The new
implementation of LDAP includes the following:
- Use of a new internal security component that ensures information is securely persisted.
- Support for Directory Server groups, a logical collection of users. Groups can be
specified using the configuration commands and can be added or removed using the
map and unmap commands.
For upgraded systems, or systems that have not previously had LDAP configured, existing
configuration information and the way it is persisted are not automatically modified.
Authentication continues as it did prior to the upgrade, and users can continue to
be mapped or unmapped with the old configuration.
To use the new implementation in a system where an LDAP configuration already exists,
the LDAP configuration must be reconfigured (unconfigured and configured) to leverage
the new security features.
Note: The default configuration of LDAP does not support TLS. It is recommended to use
the LDAPS protocol for secure communication between the Management Server and the
Directory Server.
Note: LDAP configuration in the Management Server requires directory server attributes
which are not explicitly captured during the EZSetup interview process. Default values are
used instead, which causes configuration issues only for Microsoft Windows Active Directory
Server. Instead, use the authentication directory-service configure command to
configure the management server with the Microsoft Windows Active Directory details
after completing EZSetup.
The VPLEX CLI Guide provides information on the commands used to configure LDAP.
Password policy
The VPLEX management server uses a Pluggable Authentication Module (PAM)
infrastructure to enforce minimum password quality. It uses pam_cracklib, a library that
checks for dictionary words, to check potential passwords.
Table 4 Default password policies
Policy name                  Default value
Minimum password length
Maximum password age         90
Password expiration warning  15
In Release 5.2 and later, the management server uses the default value for the password
policies listed in Table 4, and you can configure each password policy to meet your
specific needs. The new value will be updated in the appropriate configuration file, and
existing users will be updated with the new configuration. Refer to the VPLEX CLI Guide for
information on the commands used to set password policies and the values allowed.
Note the following:
- Password policies do not apply to users configured using the LDAP server.
- The Password inactive days policy does not apply to the admin account, to protect the
admin user from account lockouts.
- During the management server software upgrade, an existing user's password is not
changed; only the user's password age information changes.
- If upgrading from a release prior to 5.1 to release 5.2, the default values will be new
(see Table 4). If desired, you can change these values. Refer to the VPLEX CLI Guide for
information on setting password policies.
- If upgrading from release 5.1 to 5.2, the admin user will no longer have the 90 day
expiration set. The default value for the minimum password length will be 14 as it was
set previously. You can change this value if desired. Refer to the VPLEX CLI Guide for
information on setting password policies.
- After upgrading to release 5.2, the admin user will not be locked after the password
expires. If the password for the administrator account has not been changed in the
last 91 days, then after upgrading to release 5.2 the admin user will be forced to change
the password on the first login (after it has expired).
Passwords can contain the following characters:
A-Z
a-z
0-9
. ? / * @ ^ % # + = - _ ~ : space
Note: A space is allowed only between the characters in a password, not at the beginning
or the end of the password.
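The length, character and age rules above are simple enough to check before a password is set or when auditing accounts. This added Python example (not from the guide) implements them with the Table 4 defaults; the 14-character minimum is the value the guide cites for systems upgraded from 5.1 and is assumed here as the configured minimum, and the sample accounts are constructed. pam_cracklib's dictionary check is not reproduced.

```python
import string
from datetime import date

# Characters the guide lists as permitted in passwords.
ALLOWED_CHARS = set(string.ascii_letters + string.digits + ".?/*@^%#+=-_~: ")
# Table 4 defaults; MIN_LENGTH = 14 is assumed (the value cited for upgraded systems).
MAX_AGE_DAYS = 90
WARN_DAYS = 15
MIN_LENGTH = 14

def check_password_chars(password, min_length=MIN_LENGTH):
    """Return the list of rule violations; an empty list means the password passes the
    length and character rules (the dictionary-word check is left to pam_cracklib)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    disallowed = sorted({c for c in password if c not in ALLOWED_CHARS})
    if disallowed:
        problems.append("disallowed characters: " + ", ".join(repr(c) for c in disallowed))
    # A space is permitted only between characters, never first or last.
    if password[:1] == " " or password[-1:] == " ":
        problems.append("space at beginning or end")
    return problems

def password_age_status(last_changed, today, max_age=MAX_AGE_DAYS, warn_days=WARN_DAYS):
    """Classify a password by age: "ok", "warning" (inside the expiration warning window)
    or "expired" (older than the maximum age, i.e. 91 or more days at the defaults)."""
    age = (today - last_changed).days
    if age > max_age:
        return "expired"
    if max_age - age <= warn_days:
        return "warning"
    return "ok"

def audit_accounts(accounts, today):
    """accounts: {username: date of last password change}. Return the accounts that need
    attention. The admin account is never locked on expiry (per the guide), so an expired
    admin password is reported as a forced change at next login instead."""
    report = {}
    for user, changed in accounts.items():
        status = password_age_status(changed, today)
        if status == "ok":
            continue
        if user == "admin" and status == "expired":
            status += " (forced change at next login)"
        report[user] = status
    return report

# Constructed sample data (not from the guide).
SAMPLE_ACCOUNTS = {"service": date(2024, 1, 1), "admin": date(2023, 12, 1), "auditor": date(2024, 3, 1)}

if __name__ == "__main__":
    print(check_password_chars("Correct.Horse@Battery7"))
    print(check_password_chars(" starts with space!"))
    print(audit_accounts(SAMPLE_ACCOUNTS, date(2024, 3, 20)))
```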
Changing passwords
Any user can change his/her own password as follows:
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP
address of the VPLEX management server.
2. Log in with the applicable username.
3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli:
If VPLEX GeoSynchrony 4.0.x is running on the cluster:
telnet localhost 49500
Resetting passwords
A user with an admin account can reset passwords for other users as follows:
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP
address of the VPLEX management server.
2. Log in with username admin.
3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli:
Management server
To change the service password on the Fibre Channel switches, use the switch's passwd
command.
Component                 Location
VPlexcli session log      /var/log/VPlex/cli/session.log_<username>
Management server OS      /var/log/messages
ConnectEMC                /var/log/ConnectEMC/logs/ConnectEMC.log files
Firewall                  /var/log/firewall
VPN (ipsec)               /var/log/events.log
IP WAN COM
A VPLEX Metro or a VPLEX Geo system does not support native encryption over an IP
WANCOM link. EMC recommends that you deploy an external encryption solution such as
IPSec to achieve data confidentiality and end point authentication over IP WAN COM links
between clusters.
Accessibility
To establish secure communication, note the following:
The following protocols must be allowed on the customer firewall (both in the
outbound and inbound filters):
- Encapsulating Security Payload (ESP): IP protocol number 50
Static IP addresses must be assigned to the public ports on each management server
(eth3) and the public port in the Cluster Witness Server. If these IP addresses are in
different subnets, the IP management network must be able to route packets between
all such subnets.
The firewall configuration settings in the IP management network must not prevent the
creation of IPsec tunnels. Cluster Witness traffic as well as VPLEX management traffic
leverages VPN tunnels established on top of IPsec.
The required minimum value for Maximum Transmission Unit (MTU) is 1500 bytes.
Configure MTU as 1500 or larger.
Note: The IP management network must not be able to route to the following reserved
VPLEX subnets: 128.221.252.0/24, 128.221.253.0/24, and 128.221.254.0/24.
Note: If VPLEX is deployed with IP inter-cluster network, the inter-cluster network must not
be able to route to the following reserved VPLEX subnets: 128.221.252.0/24,
128.221.253.0/24, and 128.221.254.0/24.
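The prerequisites in this section (firewall filters in both directions, static public addresses, MTU of at least 1500, and no routes into the reserved VPLEX subnets) can be checked before the VPN is brought up. This added Python example (not from the guide) does that over constructed route, firewall and interface data; ESP/50 and the reserved subnets come from the page, while UDP/500 (ISAKMP) and UDP/4500 (NAT traversal) are the standard IPsec ports assumed for the ISAKMP and NAT traversal rows of Table 6.

```python
import ipaddress

# Values stated in the guide's Accessibility section.
RESERVED_SUBNETS = [ipaddress.ip_network(n) for n in
                    ("128.221.252.0/24", "128.221.253.0/24", "128.221.254.0/24")]
MIN_MTU = 1500
# Flows the IPsec tunnel needs through the customer firewall in both directions.
# ESP (IP protocol 50) is quoted in the guide; UDP/500 and UDP/4500 are the
# standard ISAKMP and NAT traversal ports (assumption, not quoted on the page).
REQUIRED_FLOWS = [("esp", None), ("udp", 500), ("udp", 4500)]
DIRECTIONS = ("inbound", "outbound")

def check_routes(prefixes):
    """Return the explicit route prefixes that would reach a reserved VPLEX subnet."""
    bad = []
    for prefix in prefixes:
        net = ipaddress.ip_network(prefix, strict=False)
        if any(net.overlaps(reserved) for reserved in RESERVED_SUBNETS):
            bad.append(prefix)
    return bad

def check_firewall(rules):
    """rules: (direction, protocol, port, action) tuples; port is None for port-less
    protocols, or "any". Return the (direction, protocol, port) flows not explicitly allowed."""
    missing = []
    for direction in DIRECTIONS:
        for proto, port in REQUIRED_FLOWS:
            permitted = any(
                d == direction and p == proto and a == "allow"
                and (port is None or rp == port or rp == "any")
                for d, p, rp, a in rules)
            if not permitted:
                missing.append((direction, proto, port))
    return missing

def check_mtu(mtu):
    """The guide requires an MTU of 1500 bytes or larger on the path."""
    return mtu >= MIN_MTU

def preflight(prefixes, rules, mtu, eth3_static):
    """Collect everything that would block the management-server VPN; empty list = ready.
    eth3_static: {hostname: bool}, whether each public port (eth3) has a static address."""
    findings = [f"route {p} reaches a reserved VPLEX subnet" for p in check_routes(prefixes)]
    findings += [f"firewall: {d} {proto}" + (f"/{port}" if port else "") + " not allowed"
                 for d, proto, port in check_firewall(rules)]
    if not check_mtu(mtu):
        findings.append(f"MTU {mtu} below required {MIN_MTU}")
    findings += [f"{host}: eth3 is not statically addressed"
                 for host, static in eth3_static.items() if not static]
    return findings

# Constructed sample inputs (not from the guide).
ROUTES = ["10.10.0.0/16", "128.221.0.0/16", "192.168.50.0/24"]
RULES = [("inbound", "esp", None, "allow"), ("outbound", "esp", None, "allow"),
         ("inbound", "udp", 500, "allow"), ("outbound", "udp", 500, "allow"),
         ("inbound", "udp", 4500, "allow")]
ETH3 = {"mgmt-server-1": True, "mgmt-server-2": True, "cluster-witness": False}

if __name__ == "__main__":
    for finding in preflight(ROUTES, RULES, 1500, ETH3):
        print(finding)
```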
Port usage
Table 6 lists all the network ports and services used by VPLEX components. This
information, along with the firewall settings, is needed to use the product.
Table 6 Port Usage
Service                          Function
SSH                              Log in to management server OS, copy files to and from the management server using the SCP sub-service, and establish SSH tunnels
ESRS
IPSEC VPN (ISAKMP)
IPSEC VPN (IPSEC NAT traversal)
NTP                              Time synchronization service
SNMP                             Get performance statistics
HTTPS
VNC (Localhost TCP/59011)        Access to the management server's desktop. Not available on the public network. Must be accessed through SSH tunnel.
Telnet
DNS                              Domain Name Service
Figure (VPLX-000557): Two-cluster connectivity between the VPLEX Management Client, Management Server 1 (B) in VPLEX Cluster 1, Management Server 2 (C) in VPLEX Cluster 2, the Customer IP Network and the ESRS Server (E). The accompanying table marks, for each link (A <-> C, A <-> D, B <-> C, B <-> D, B <-> E, C <-> D, C <-> E), which of the numbered Table 6 services traverse it; several are used only for initial setup or only for code upgrades.
Legend: B - Management Server 1; C - Management Server 2; E - ESRS Server
Figure (VPLX-000558): Single-cluster connectivity between the VPLEX Management Client, Management Server 1 (B) in VPLEX Cluster 1, the Customer IP Network and the ESRS Server (C), with the same per-service table for links A <-> B and B <-> C.
Legend: B - Management Server 1; C - ESRS Server
Network encryption
The VPLEX management server supports SSH through the sshd daemon provided by the
FIPS compliant OpenSSH package. It supports version 2 of the SSH protocol.
When the management server starts for the first time, the sshd daemon generates
key-pairs (private and public key) for communication with SSH clients. RSA and DSA
key-pairs are generated to support communication with SSH version 2 clients. All keys
have a 2048 bit length.
The HTTPS protocol and the IPsec VPN use an X.509 host certificate to identify the server
and encrypt all traffic. X.509 host certificates use a 2048 bit host key. During initial setup
of a VPLEX cluster, a local Certification Authority (which signs the host certificate request)
is created automatically.
Currently, VPLEX does not support a corporate Certification Authority signing the host
certificate requests.
You must provide a passphrase for the CA key and the CA certificate subject. The CA
certificate subject must be the VPLEX cluster's serial number (found on the label attached
to the top of the VPLEX cabinet). If you are creating a CA certificate for a VPLEX Metro or
VPLEX Geo implementation, you can use either cluster's serial number.
You must provide the CA key passphrase for the host key and the host certificate subject
which must be the cluster's serial number (found on the label attached to the top of the
VPLEX cabinet).
You must provide the host certificate's passphrase before converting the host certificate
into a format suitable for HTTPS service.
To find the host certificate's SHA1 and (for GUI users) MD5 fingerprints
1. At the Linux shell prompt, type the following command:
/etc/ipsec.d/certs # openssl x509 -noout -in hostCert.pem -fingerprint -md5
Output example:
MD5 Fingerprint=6E:2C:A5:8E:86:11:45:26:02:09:62:97:6F:18:FD:62
Output example:
SHA1 Fingerprint=2E:B0:DD:59:DD:C3:29:96:33:74:19:CC:A0:81:28:28:6F:4F:76:E4
Output example:
1024 52:42:70:0c:22:aa:2f:e3:09:18:93:c8:20:a4:78:0c ssh_host_dsa_key.pub
Output example:
256 ca:05:f3:9a:3e:51:fe:53:51:90:39:bf:6b:f5:78:56 [MD5]root@ManagementServer (ECDSA)
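Recording the fingerprint on the management server over SSH and comparing it with what the browser or SSH client presents is how a substituted certificate is caught. This added Python example (not from the guide) parses the openssl fingerprint lines shown above and compares them in constant time against the fingerprint of a presented DER certificate; the DER bytes in the sample are constructed, not a real certificate.

```python
import hashlib
import hmac
import re

# One line of "openssl x509 -fingerprint" output, e.g. "SHA1 Fingerprint=2E:B0:..."
OPENSSL_LINE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256) Fingerprint=(?P<hex>(?:[0-9A-Fa-f]{2}:?)+)$")

def normalize(fp):
    """Drop colons and spaces and lowercase, so differently formatted fingerprints compare."""
    return fp.replace(":", "").replace(" ", "").lower()

def parse_openssl_fingerprint(line):
    """Return (hashlib algorithm name, normalized hex) from one openssl output line."""
    m = OPENSSL_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an openssl fingerprint line: {line!r}")
    return m.group("algo").lower(), normalize(m.group("hex"))

def fingerprint_of_der(der_bytes, algo="sha1"):
    """Certificate fingerprint as openssl defines it: the hash of the DER encoding."""
    return hashlib.new(algo, der_bytes).hexdigest()

def openssl_style_line(der_bytes, algo="sha1"):
    """Format a fingerprint the way openssl prints it, for recording it alongside the server."""
    hexfp = fingerprint_of_der(der_bytes, algo).upper()
    return f"{algo.upper()} Fingerprint=" + ":".join(hexfp[i:i + 2] for i in range(0, len(hexfp), 2))

def fingerprints_match(recorded, presented):
    """Constant-time comparison; a length mismatch is simply a mismatch."""
    a, b = normalize(recorded), normalize(presented)
    return len(a) == len(b) and hmac.compare_digest(a, b)

def verify_presented_cert(der_bytes, recorded_line):
    """True when the certificate a client received hashes to the fingerprint recorded on
    the management server (recorded_line is the line copied from that openssl session)."""
    algo, recorded_hex = parse_openssl_fingerprint(recorded_line)
    return fingerprints_match(recorded_hex, fingerprint_of_der(der_bytes, algo))

# Constructed stand-in for a DER certificate (not a real certificate).
SAMPLE_DER = bytes(range(256)) * 4
TAMPERED_DER = SAMPLE_DER[:-1] + b"\x00"   # last byte altered

if __name__ == "__main__":
    recorded = openssl_style_line(SAMPLE_DER, "sha1")
    print(recorded)
    print("presented cert matches:", verify_presented_cert(SAMPLE_DER, recorded))
    print("tampered cert matches:", verify_presented_cert(TAMPERED_DER, recorded))
```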