Dell EMC PowerStore Security Configuration Guide Version 1.x December 2020 Rev.
Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2020 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents

Additional Resources
Chapter 1: Authentication and access
  Authenticating and Managing User Accounts, Roles, and Privileges
  Factory default management
Data at Rest Encryption
  Encryption activation
  Encryption status
Preface As part of an improvement effort, revisions of the software and hardware are periodically released. Some functions that are described in this document are not supported by all versions of the software or hardware currently in use. The product release notes provide the most up-to-date information about product features. Contact your technical support professional if a product does not function properly or does not function as described in this document.
1 Authentication and access

This chapter contains the following information:

Topics:
• Authenticating and Managing User Accounts, Roles, and Privileges
• Certificates
• Secure communication between PowerStore appliances within a cluster
• Secure communication for replication and data import
• vSphere Storage API for Storage Awareness support
• CHAP authentication
• Configuring CHAP
• External SSH access
• Configuring external SSH access
• NFS secure
• Security on file system objects
• File systems acc
| Account type | Username | Password | Privileges |
|---|---|---|---|
| System management | admin | Password123# | Administrator privileges for resetting default passwords, configuring appliance settings, and managing user accounts. |
| Service | service | service | For performing service operations. |

NOTE: The service user exists for secure shell (SSH) access. However, you cannot log into PowerStore Manager using the service user.

Session rules

Sessions on the cluster have the following characteristics:
● Expiration term of one hour.
ESXi passwords The default root password for ESXi on a PowerStore X model appliance is in the following format: _123!, where is the seven-character Dell Service Tag for the appliance. Do not change the default ESXi password until the initial cluster configuration is complete. For more information about changing an ESXi password, see the VMware ESXi documentation. CAUTION: It is critical that you do not lose the ESXi password.
Task (Operator)
● Add a file system, or modify or delete a specified file system on an existing NAS server
● Add a clone or snapshot to a specified file system, or refresh or restore a specified file system, or refresh the quota of a specified file system
● Add a file tree quota, or modify, delete, or refresh a specified file tree quota
● Add a file user quota, or modify, delete, or refresh a specified file user quota
● Add a file virus checker, or modify or delete a specified file virus checker, or upload a specifie
User account management based on role privileges

A user with either an Administrator or Security Administrator role can do the following with regards to user account management:
● Create a new user account.
● Delete any user account except the built-in Administrator account.
  NOTE: The built-in Administrator account cannot be deleted.
● Change another user to any role.
● Reset another user's password.
● Lock or unlock another user account.
NOTE: The appliance will not mount the USB drive without the RSTPWD label.

After labeling the USB drive, insert an empty file for the account passwords that you would like to reset. You can reset the admin or service account password, or both.

3. To create an empty file on the drive, use one or both of the following commands as needed:
   copy NUL d:\admin
   copy NUL d:\service
4. Insert the USB drive into the USB port of either node of the appliance, wait 10 seconds, and then remove it.
4. In vSphere under Host and Clusters, select the primary node of the primary PowerStore X model appliance in the cluster. For example, DataCenter-WX-D6013 > Cluster WX-D6013 > PSTX-44W1BW2-A
5. Under Summary, click CD/DVD drive 1 and select Connect to datastore ISO file. The Choose an ISO image to mount window appears.
6. Under Datastores, click the primary PowerStore X model appliance in the cluster and select the ISOs folder. The reset.iso file should appear under Contents.
7. Select the reset.
Secure communication between PowerStore appliances within a cluster During cluster creation, the primary node of the cluster master appliance creates a certificate authority (CA) certificate, also known as the cluster CA. The master appliance passes the cluster CA certificate to the appliances joining the cluster. Each PowerStore appliance in a cluster generates its own unique IPsec certificate which is signed by the cluster CA certificate.
NOTE: The VM Administrator role is strictly used as a means to register certificates.
  ○ for local users use the syntax: local/
  ○ for LDAP users use the syntax: /
● Password associated with this user.

The PowerStore Manager credentials used here are only used during this initial step of the connection. If the PowerStore Manager credentials are valid for the target cluster, the certificate of the vCenter Server is automatically registered with the cluster.
PowerStore does not support iSCSI CHAP Discovery mode. The following table shows the limitations of PowerStore related to iSCSI CHAP Discovery mode.

Table 1. iSCSI CHAP Discovery mode limitations

| CHAP Mode | Discovery |
|---|---|
| Single Mode (initiator enabled) | PowerStore will not authenticate (challenge) the host. |
| Mutual Mode (initiator and target enabled) | Authentication cannot be used to preclude the discovery of targets. This does not result in unintended access to user data. |
● SSH Management – An SSH settings page that you can access from the PowerStore Manager (click Settings and under Security select SSH Management).
● REST API server – Application interface that can receive REST API requests to configure SSH settings. For more information about the REST API, refer to the PowerStore REST API Reference Guide.
● svc_service_config – A service command that you can enter directly as the service user on the appliance.
Appliance node Ethernet service port and IPMItool Your appliance provides console access over an Ethernet service port that is on each node. This access requires the use of the IPMItool. The IPMItool is a network tool similar to SSH or Telnet that interfaces with each node over an Ethernet connection by using the IPMI protocol. The IPMItool is a Windows utility that negotiates a secure communication channel to access the node console of an appliance.
If the administrator selects to use the configured Windows domain, there is nothing else to do. Every SPN used by the NFS service is automatically added/removed into the KDC when joining/unjoining the SMB server. Note that the SMB server cannot be destroyed if NFS secure is configured to use the SMB configuration.

If the administrator selects to use a UNIX based Kerberos realm, more configuration is needed:
● Realm name: The name of the Kerberos realm, which generally contains all upper-case letters.
File systems access in a multiprotocol environment File access is provided through NAS servers. A NAS server contains a set of file systems where data is stored. The NAS server provides access to this data for NFS and SMB file protocols by sharing file systems through SMB shares and NFS shares. The NAS server mode for multiprotocol sharing allows the sharing of the same data between SMB and NFS.
ntxmap

ntxmap is used to associate a Windows account to a UNIX account when the name is different. For example, if there is a user who has an account that is called Gerald on Windows but the account on UNIX is called Gerry, ntxmap is used to make the correlation between the two.

SID to UID, primary GID mapping

The following sequence is the process used to resolve an SID to a UID, primary GID mapping:
1. secmap is searched for the SID. If the SID is found, the UID and GID mapping is resolved.
2.
1. secmap is searched for the UID. If the UID is found, the SID mapping is resolved.
2. If the UID is not found in secmap, the UNIX name related to the UID must be found.
   a. The UDS (NIS server, LDAP server, or local files) is searched using the UID. If the UID is found, the related UNIX name is the user name.
   b. If the UID is not found in the UDS but there is a default Windows account, the UID is mapped to the SID of the default Windows account.
3.
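The two resolution sequences above, implemented as an added example (not PowerStore code): secmap, the UDS, ntxmap and the default accounts are plain dictionaries filled with constructed sample entries, and the steps where the guide's lists break off (the Windows name to SID step after the UDS lookup, and the SID-to-UID path after secmap) are assumed here to mirror the documented UID-to-SID path.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class NasMappingSources:
    """The lookup sources a NAS server consults (all constructed for this example)."""
    secmap_sid: Dict[str, Tuple[int, int]] = field(default_factory=dict)   # SID -> (UID, GID)
    secmap_uid: Dict[int, str] = field(default_factory=dict)               # UID -> SID
    uds_by_uid: Dict[int, Tuple[str, int]] = field(default_factory=dict)   # UID -> (UNIX name, GID)
    uds_by_name: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # UNIX name -> (UID, GID)
    domain_by_name: Dict[str, str] = field(default_factory=dict)           # Windows name -> SID
    domain_by_sid: Dict[str, str] = field(default_factory=dict)            # SID -> Windows name
    ntxmap: Dict[str, str] = field(default_factory=dict)                   # Windows name -> UNIX name
    default_windows_sid: Optional[str] = None
    default_unix: Optional[Tuple[int, int]] = None

def resolve_uid_to_sid(src: NasMappingSources, uid: int) -> Optional[str]:
    # 1. secmap is searched for the UID.
    if uid in src.secmap_uid:
        return src.secmap_uid[uid]
    # 2a. Not in secmap: the UDS (NIS, LDAP or local files) gives the UNIX name.
    entry = src.uds_by_uid.get(uid)
    if entry is None:
        # 2b. Unknown UID: map to the default Windows account, if one is configured.
        return src.default_windows_sid
    unix_name = entry[0]
    # 3. (assumed continuation) turn the UNIX name into a Windows name, honouring an
    #    ntxmap entry when the names differ, then ask the domain for the SID.
    win_name = next((w for w, u in src.ntxmap.items() if u == unix_name), unix_name)
    sid = src.domain_by_name.get(win_name)
    if sid is None:
        return src.default_windows_sid      # no such Windows account: default, not cached
    src.secmap_uid[uid] = sid               # persist so the next request is a secmap hit
    return sid

def resolve_sid_to_uid(src: NasMappingSources, sid: str) -> Optional[Tuple[int, int]]:
    # 1. secmap is searched for the SID.
    if sid in src.secmap_sid:
        return src.secmap_sid[sid]
    # 2. (assumed, mirror of the UID path) domain -> Windows name -> ntxmap -> UDS.
    win_name = src.domain_by_sid.get(sid)
    if win_name is None:
        return src.default_unix
    unix_name = src.ntxmap.get(win_name, win_name)
    ids = src.uds_by_name.get(unix_name)
    if ids is None:
        return src.default_unix             # no UNIX account: default UNIX user, not cached
    src.secmap_sid[sid] = ids
    return ids

def demo_sources() -> NasMappingSources:
    """Constructed sample data: Gerald on Windows is gerry on UNIX, as in the guide's example."""
    return NasMappingSources(
        uds_by_uid={1001: ("gerry", 100), 1002: ("alice", 100)},
        uds_by_name={"gerry": (1001, 100), "alice": (1002, 100)},
        domain_by_name={"Gerald": "S-1-5-21-1-2-3-1105", "alice": "S-1-5-21-1-2-3-1106"},
        domain_by_sid={"S-1-5-21-1-2-3-1105": "Gerald", "S-1-5-21-1-2-3-1106": "alice"},
        ntxmap={"Gerald": "gerry"},
        default_windows_sid="S-1-5-21-1-2-3-2001",   # constructed default Windows user
        default_unix=(65534, 65534),                 # constructed default UNIX user
    )
```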
The following table describes the access policies that define what security is used by which protocols:

| Access policy | Description |
|---|---|
| Native (default) | ● Each protocol manages access with its native security. ● Security for NFS shares uses the UNIX credential associated with the request to check the NFSv3 UNIX mode bits or NFSv4 ACL. The access is then granted or denied. ● Security for SMB shares uses the Windows credential associated with the request to check the SMB ACL. The access is then granted or denied. |
● A UNIX user must be mapped to a Windows user in order to build the Windows credential when the user is accessing a file system that has a Windows access policy.

Two properties are associated to the NAS server with regards to unmapped users:
● The default UNIX user.
● The default Windows user.
Windows credential for NFS requests The Windows credential is only built or retrieved when a user through an NFS request attempts to access a file system that has a Windows access policy. The UID is extracted from the NFS request. There is a global Windows credential cache to help avoid building the credential on each NFS request with an associated retention time. If the Windows credential is found in this cache, no other action is required.
2 Communication security settings

This section contains the following topics:

Topics:
• Port Usage

Port Usage

The following sections outline the collection of network ports and the corresponding services that may be found on the appliance. The appliance functions as a network client in several circumstances, for example, in communicating with a vCenter Server. In these instances, the appliance initiates communication and the network infrastructure will need to support these connections.
Table 2. Appliance network ports (continued)

| Port | Service | Protocol | Access Direction | Description |
|---|---|---|---|---|
| | | | | SNMP will not be sent. The default port set for SNMP is 162. |
| 443 | HTTPS | TCP | Bi-directional | Secure HTTP traffic to PowerStore Manager. If closed, communication with the appliance will be unavailable. |
| 500 | IPsec (IKEv2) | UDP | Bi-directional | To make IPSec work through your firewalls, open UDP port 500 and permit IP protocol numbers 50 and 51 on both inbound and outbound firewall filters. |
| 9443 | SupportAssist | TCP | Outbound | Required for SupportAssist REST API related to Connect Home. |

Appliance network ports related to file

The following table outlines the collection of network ports and the corresponding services that may be found on the appliance related to file.

NOTE: Outbound ports are ephemeral.
Table 3. Appliance network ports related to file (continued)

| Port | Service | Protocol | Access Direction | Description |
|---|---|---|---|---|
| | | | | used. If disabled, this port disables Browsing capability. |
| 139 | Microsoft CIFS | TCP | Bi-directional | The NETBIOS Session Service is associated with appliance SMB file sharing services and is a core component of that functionality. If SMB services are enabled, this port is open. It is specifically required for SMB v1. |
| 389 | LDAP | TCP/UDP | Outbound | Unsecure LDAP queries. |
| 4000 | STATD for NFSv3 | TCP/UDP | Bi-directional | Used to provide NFS statd services. statd is the NFS file-locking status monitor and works in conjunction with lockd to provide crash and recovery functions for NFS. If closed, NAS statd services will be unavailable. |
| 4001 | NLMD for NFSv3 | TCP/UDP | Bi-directional | Used to provide NFS lockd services. lockd is the NFS file-locking daemon. |
Table 4. Network ports related to PowerStore X model appliances

| Port | Service | Protocol | Access Direction | Description |
|---|---|---|---|---|
| 22 | SSH server | TCP | Inbound | Allows SSH access (if enabled). If closed, management connections using SSH will be unavailable. |
| 80, 9000 | vSphere Web Access | TCP | Inbound | Access for vSphere Update Manager Web Client plug-in for vSphere Web Client. |
| | | | | backup virtual machines must have these ports open. On hosts that are not using VMware FT, these ports do not have to be open. |
| 9080 | I/O filter | TCP | Outbound | Used by the I/O Filters storage feature. |
| 31031 | vSphere Replication, VMware Site Recovery Manager | TCP | Outbound | Used for ongoing replication traffic by vSphere Replication and VMware Site Recovery Manager. |
3 Auditing

This chapter contains the following information:

Topics:
• Auditing

Auditing

Auditing provides a historical view of user activity on the system. A user with the role of Administrator, Security Administrator, or Storage Administrator can use the REST API to search for and view configuration change events on the system. The audited events are not only security related: all set operations (that is, POST/PATCH/DELETE) are audit logged.
4 Data security settings

This section contains the following topics:

Topics:
• Data at Rest Encryption
• Encryption activation
• Encryption status
• Key management
• Keystore backup file
• Re-purpose a drive in an appliance with encryption enabled
• Replacing a base enclosure and nodes from a system with encryption enabled
• Resetting an appliance to factory settings

Data at Rest Encryption

Data at Rest Encryption (D@RE) in PowerStore utilizes FIPS 140-2 validated Self-Encrypting Drives (SEDs) by respect
● Unencrypted – Encryption capability is not supported on the appliance.
● Encrypting – Appears during the encryption activation process. When the encryption process completes successfully, the cluster level encryption status appears as encrypted.

Drive level encryption status is provided for each drive in an appliance and appears as one of the following:
● Encrypted – The drive is encrypted. This is the typical state of a drive in an appliance that is encryption capable.
Re-purpose a drive in an appliance with encryption enabled About this task A self-encrypting drive (SED) is locked when an appliance is initialized or when it is inserted into an already initialized appliance. The drive cannot be used in another system without first being unlocked. The locked drive becomes unusable when it is inserted into a different appliance and its encryption status appears as Foreign in the new appliance.
5 Secure serviceability settings

This chapter contains the following information:

Topics:
• Operational description of SupportAssist
• SupportAssist options
• SupportAssist Gateway Connect options
• SupportAssist Direct Connect options
• Requirements for SupportAssist Gateway Connect
• Requirements for SupportAssist Direct Connect
• Configuring SupportAssist
• Configure SupportAssist

Operational description of SupportAssist™

The SupportAssist feature provides an IP-based connection that enables Dell EMC
still function utilizing the surviving HA gateway server in the cluster. Also, the SupportAssist Gateway Connect with remote assist and Gateway Connect without remote assist options should only be configured on the designated primary appliance on your system. The appliance itself does not implement any policies. If you require more control over remote access to your appliance, you can use a Policy Manager to set authorization permissions.
● Direct Connect with remote access — For distributed SupportAssist that runs on individual appliances with the same two-way file transfer as Gateway Connect without remote access along with remote access for Dell EMC Support personnel.

Another option, Disabled, is available but not recommended. If you select this option, Dell EMC Support will not receive notifications about issues with the appliance.
Requirements for SupportAssist Gateway Connect

The following requirements are applicable to both the Gateway Connect without remote access and Gateway Connect with remote access SupportAssist implementations:
● Network traffic (HTTPS) must be permitted on port 9443 (or customer specified port, if different) between the appliance and the SupportAssist Gateway server. Also, allow access to ports 22, 443, and 8443 between PowerStore and the SupportAssist Gateway server for PowerStore Manager and SSH access.
3. Under SupportAssist, the Connect to CloudIQ checkbox is selected by default; if you do not want to send files to CloudIQ, clear the checkbox; otherwise, leave the checkbox selected.
4. Select the Type of SupportAssist option you intend to use from the list.
5. Depending on which type of SupportAssist option you select, do one of the following:
   ● For either the Gateway Connect without remote access or Gateway Connect with remote access options:
     ○ Specify the IP address of the gateway server.
A TLS cipher suites

This appendix contains the following information:

Topics:
• Supported TLS cipher suites

Supported TLS cipher suites

A cipher suite defines a set of technologies to secure your TLS communications:
● Key exchange algorithm (how the secret key used to encrypt the data is communicated from the client to the server). Examples: RSA key or Diffie-Hellman (DH)
● Authentication method (how hosts can authenticate the identity of remote hosts).
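As an added example (not from the guide), a parser that splits an IANA-style cipher suite name into the components the appendix lists (key exchange, authentication, bulk cipher, hash) and reports the properties a reviewer checks before approving a suite; the weakness rules are this example's own, and the suite names it is exercised with are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Key exchange mechanisms that derive a fresh secret per session (forward secrecy).
EPHEMERAL_KX = {"DHE", "ECDHE", "DHE_PSK", "ECDHE_PSK"}
# Bulk ciphers a reviewer would not accept in a current configuration.
LEGACY_CIPHERS = ("NULL", "RC4", "RC2", "DES", "3DES", "IDEA", "SEED")

@dataclass
class CipherSuite:
    name: str
    key_exchange: Optional[str]    # how the session secret is agreed; None for TLS 1.3 names
    authentication: Optional[str]  # how the remote host is authenticated; None for TLS 1.3 names
    encryption: str                # bulk cipher and mode, e.g. AES_128_GCM
    hash_alg: str                  # MAC for CBC suites, PRF/HKDF hash for AEAD suites
    forward_secrecy: bool

def parse_cipher_suite(name: str) -> CipherSuite:
    """Split an IANA-style suite name into the components the appendix describes."""
    body = re.sub(r"^(TLS|SSL)_", "", name.strip())
    if "_WITH_" not in body:
        # TLS 1.3 names (e.g. TLS_AES_256_GCM_SHA384) carry only the AEAD cipher and hash;
        # key exchange is always ephemeral (EC)DHE and authentication is negotiated separately.
        enc, _, hsh = body.rpartition("_")
        return CipherSuite(name, None, None, enc, hsh, True)
    left, right = body.split("_WITH_", 1)
    toks = left.split("_")
    if toks[-1] == "anon":                 # DH_anon / ECDH_anon: neither side is authenticated
        kx, auth = toks[0], "anon"
    elif len(toks) == 1:                   # plain RSA or PSK: one algorithm does both jobs
        kx = auth = toks[0]
    else:                                  # e.g. ECDHE_RSA, DHE_DSS, ECDHE_PSK
        kx, auth = "_".join(toks[:-1]), toks[-1]
    enc, _, hsh = right.rpartition("_")
    return CipherSuite(name, kx, auth, enc, hsh, kx in EPHEMERAL_KX)

def weaknesses(suite: CipherSuite) -> List[str]:
    """Findings a reviewer would raise for a suite; an empty list means no finding."""
    found = []
    if suite.authentication == "anon":
        found.append("unauthenticated key exchange (anonymous)")
    if suite.encryption.startswith(LEGACY_CIPHERS):
        found.append("legacy or null bulk cipher: " + suite.encryption)
    if suite.hash_alg == "MD5":
        found.append("MD5 MAC")
    if not suite.forward_secrecy:
        found.append("no forward secrecy (static key exchange)")
    if "_CBC" in suite.encryption and suite.hash_alg == "SHA":
        found.append("CBC mode with SHA-1 MAC")
    return found

def review(names: List[str]) -> dict:
    """Map each configured suite name to its findings, for a whole cipher list at once."""
    return {n: weaknesses(parse_cipher_suite(n)) for n in names}
```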
B Directory Services

This appendix describes how to configure PowerStore to connect to an LDAP server for authentication, and how to assign roles to LDAP users and groups.

Topics:
• Configuring Directory Services
• Configure LDAP server
• Configure LDAP account

Configuring Directory Services

The Lightweight Directory Access Protocol (LDAP) is an application protocol for querying and modifying directory services running on TCP/IP networks.
Steps
1. In PowerStore Manager, select Settings in the top menu bar to display the Settings page.
2. In the left panel under Users, click Directory Services. The Directory Services page appears.
3. The options that appear depend on whether LDAP has been configured. Do one of the following:
   ● To configure LDAP for the first time, click Configure LDAP. Go to the next step.
   ● To edit an existing LDAP configuration, click Edit LDAP Configuration. Go to the next step.
    ■ Object Class: user
    ■ Search Path: cn=Users,dc=
  ○ Group Search Settings:
    ■ Member Attribute: member
    ■ ID Attribute: cn
    ■ Object Class: group
    ■ Search Path: cn=Users,dc=
    ■ Search Level:
● Active Directory - Global Catalog server
  ○ User Search Settings:
    ■ ID Attribute: UserPrincipalName
    ■ Object Class: user
    ■ Search Path: (greyed out)
  ○ Group Search Settings:
    ■ Member Attribute: member
    ■ ID Attribute: cn
    ■ Object Class: group
    ■ Search Path: (greyed out)
    ■ Search L
To verify that the connection to the LDAP server will be successful, do the following:

Steps
1. Click Verify Connection on the Directory Services page. If the configuration is valid, a connection will be established with the LDAP server and a green check mark along with the text Connection Verified will appear.
2. If the verification fails, the following steps are recommended to troubleshoot the failure:
   a.
For example, nsroot.net instead of nam.nsroot.net using LDAPS allows customers to query the entire AD forest (port 3269) instead of just the AD domain (TCP port 636). Also, AD role association is based on group scopes for Domain Local Groups and Universal Groups. This allows end-users to search the AD using an appropriate scope as needed and to avoid unnecessary group searches.) Also, Upload for LDAP Certificate appears when the LDAP Secure (Use SSL) checkbox is selected. 3. Click Upload.
2. In the left panel under Users, click Users. The PowerStore Users page appears.
3. Click LDAP. The LDAP account information appears.
4. Click Add. The Add Account slide out panel appears.
5. For Type, select the type of LDAP account, either User or Group.
6. For Account Name, type the user name that is listed in the LDAP server.
   NOTE: The account name must be the value of the ID Attribute defined in Advanced Settings under Domain Settings on the Directory Services slide out panel.