Dell EMC PowerStore Security Configuration Guide Version 2.x June 2021 Rev.
Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. © 2020 - 2021 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents
Additional Resources (page 5)
Chapter 1: Authentication and access (page 6)
  Hardware root of trust
  Auditing (page 36)
  Remote logging (page 36)
  Add Remote Syslog Server
Preface As part of an improvement effort, revisions of the software and hardware are periodically released. Some functions that are described in this document are not supported by all versions of the software or hardware currently in use. The product release notes provide the most up-to-date information about product features. Contact your service provider if a product does not function properly or does not function as described in this document.
1 Authentication and access
This chapter contains the following information:
Topics:
• Hardware root of trust
• Authenticating and Managing User Accounts, Roles, and Privileges
• Certificates
• Secure communication between PowerStore appliances within a cluster
• Secure communication for replication and data import
• vSphere Storage API for Storage Awareness support
• CHAP authentication
• Configuring CHAP
• External SSH access
• Configuring external SSH access
• NFS secure
• Security on file system
After you configure LDAP settings for the system, you can manage users and user groups, within the context of an established LDAP directory structure. For instance, you can assign access roles (Administrator, Storage Administrator, Security Administrator, Operator, VM administrator) to the LDAP user or groups. The role applied will determine the level of authorization the user or group will have in administering the storage system.
Restriction | Password requirement
Minimum number of characters | 8
Minimum number of uppercase characters | 1
Minimum number of lowercase characters | 1
Minimum number of numeric characters | 1
Minimum number of special characters | 1
  ● Supported characters: ! @ # $ % ^ * _ ~ ?
  NOTE: The password cannot include single quote ('), ampersand (&), or space characters.
Maximum number of characters | 40
NOTE: The last five passwords are blocked from being reused.
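The following is an added example, not Dell's code: a checker that encodes the restrictions in the table above together with the "last five passwords" reuse rule, so that a proposed password can be validated before it is submitted to the appliance. How PowerStore itself stores its password history is not described here; the salted PBKDF2 history kept by this script is an assumption for the demo.

```python
"""Password-policy check for PowerStore management accounts (added example)."""
import hashlib
import hmac
import os

MIN_LEN, MAX_LEN = 8, 40
SPECIAL = set("!@#$%^*_~?")      # the supported special characters from the table
FORBIDDEN = set("'& ")           # single quote, ampersand and space are not allowed
HISTORY_DEPTH = 5                # last five passwords may not be reused
PBKDF2_ROUNDS = 10_000           # kept low for the demo; assumed, not PowerStore's scheme


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase character")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase character")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeric character")
    if not any(c in SPECIAL for c in pw):
        problems.append("no special character from " + " ".join(sorted(SPECIAL)))
    bad = sorted(set(pw) & FORBIDDEN)
    if bad:
        problems.append("contains forbidden character(s): " + repr("".join(bad)))
    return problems


def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest used only to remember previous passwords."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


def is_reused(pw: str, history: list) -> bool:
    """True if pw matches any (salt, digest) pair kept in the history."""
    return any(hmac.compare_digest(hash_password(pw, salt), digest)
               for salt, digest in history)


def accept_new_password(pw: str, history: list):
    """Validate pw against the policy and the reuse rule.

    Returns (problems, new_history). On success problems is empty and the
    history is rolled forward so that only the last five entries remain.
    """
    problems = check_password(pw)
    if is_reused(pw, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if problems:
        return problems, history
    salt = os.urandom(16)
    new_history = (history + [(salt, hash_password(pw, salt))])[-HISTORY_DEPTH:]
    return [], new_history


if __name__ == "__main__":
    for candidate in ("Password1!", "password1!", "Pass word1!", "Sh0rt!"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Note that only the characters in the supported list count towards the special-character requirement; any other punctuation neither helps nor, except for the three forbidden characters, hurts.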
Table 2.
Table 3.
Table 3. Roles and privileges related to file (continued)
Columns: Task | Operator | VM Administrator | Security Administrator | Storage Administrator | Administrator | Storage Operator
Rows: Upload a file (LDAP configuration or LDAP certificate); Download of a file (LDAP certificate)

User account management based on role privileges
A user with either an Administrator or Security Administrator role can do the following with regards to user account management:
● Create a new user account.
Steps
1. If the USB drive is already formatted, go to the next step; otherwise, format it from a command prompt with a command such as: format d: /FS:FAT32
   Where d: is the drive letter for the USB drive you have inserted into your laptop or PC. CAUTION: Formatting erases all data on the drive.
2. Set the label with the command: label d: RSTPWD
   NOTE: The appliance will not mount the USB drive without the RSTPWD label.
After labeling the USB drive, insert an empty file for each account password that you would like to reset.
Steps
1. In vSphere under Storage, select your PowerStore X model appliance. For example, DataCenter-WX-D6013 > PowerStore D6013
2. Under Files, select ISOs.
3. Select Upload and upload the reset.iso file, either the pre-created image file from https://www.dell.com/support or your own image file that you created on a Linux system. The reset.iso file appears in the ISOs folder.
4. In vSphere under Host and Clusters, select the primary node of the primary PowerStore X model appliance in the cluster.
Steps
1. Launch the PowerStore Manager.
2. Click Settings and under Security click Certificates. Information about the certificates stored on the appliance appears.
3. To view the chain of certificates that comprise a certificate and associated information for a service, click the specific service. View Certificate Chain appears and lists information about the chain of certificates that comprise the certificate.
For more information related to VASA, vSphere, and vVols, see the VMware documentation and the PowerStore Manager online help. Authentication related to VASA During the initial configuration of a PowerStore X model cluster, a vCenter Server is automatically established and a PowerStore VASA provider is automatically registered. The vCenter Server connection on a PowerStore X model cluster cannot be modified after the initial configuration is complete.
Provider using the client Storage Monitoring Service (SMS) certificate, validated against the previously registered root signing certificate. A VASA Provider generates unique identifiers for storage entity objects, and the vCenter Server uses the identifier to request data for a specific entity. A VASA Provider uses SSL certificates and the VASA session identifier to validate VASA sessions.
the same password across the initiators of a host. The specific steps for configuring CHAP on an external host vary by operating system; to use this capability, you need to be familiar with the operating system of the host and how to configure it. NOTE: Enabling CHAP once hosts are configured on the system is a disruptive action for the external hosts. It causes I/O interruption until configurations are set up on both the external host and the appliance.
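The following is an added example, not Dell's code: both sides of a CHAP login as used between an iSCSI initiator and target. It implements the RFC 1994 response computation (MD5 over identifier, secret and challenge) and shows the one-way exchange, the mutual exchange, and why a one-way login cannot detect an impostor target. The IQNs and secrets are constructed for the demo; the target keeps one secret per initiator name, so the two initiator names of a host share the same secret, as the text above requires.

```python
"""One-way and mutual CHAP for iSCSI logins (added example)."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapPeer:
    """An initiator or a target. It proves itself with own_secret and verifies
    other peers with the per-name secrets in known_secrets."""

    def __init__(self, name: str, own_secret: bytes, known_secrets: dict):
        self.name = name
        self.own_secret = own_secret
        self.known_secrets = known_secrets    # peer name -> secret expected from that peer
        self._pending = None                  # (identifier, challenge) awaiting a response

    def challenge(self):
        """Issue a fresh identifier and random challenge (CHAP_I / CHAP_C)."""
        self._pending = (os.urandom(1)[0], os.urandom(16))
        return self._pending

    def respond(self, identifier: int, challenge: bytes):
        """Answer a peer's challenge with our name and response (CHAP_N / CHAP_R)."""
        return self.name, chap_response(identifier, self.own_secret, challenge)

    def verify(self, peer_name: str, response: bytes) -> bool:
        """Check a response against the outstanding challenge; each challenge is single-use,
        so a captured response cannot be replayed."""
        if self._pending is None:
            return False                       # nothing outstanding: replay or out-of-order message
        identifier, challenge = self._pending
        self._pending = None
        secret = self.known_secrets.get(peer_name)
        if secret is None:
            return False                       # unknown initiator or target name
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def iscsi_login(initiator: ChapPeer, target: ChapPeer, mutual: bool = False) -> bool:
    """The target authenticates the initiator; with mutual=True the initiator then
    authenticates the target with a challenge of its own. CHAP authenticates the
    login only; it does not encrypt the data that follows."""
    ident, chal = target.challenge()
    name, resp = initiator.respond(ident, chal)
    if not target.verify(name, resp):
        return False
    if not mutual:
        return True
    ident2, chal2 = initiator.challenge()
    name2, resp2 = target.respond(ident2, chal2)
    return initiator.verify(name2, resp2)
```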
Service account password The service account is an account that service personnel can use to perform basic Linux commands. During initial configuration of the appliance, you must change the default service password. The service password restrictions are the same as those that apply to the System management accounts (see Username and password usage on page 7).
Without Kerberos, the credential of the user is sent on the wire unencrypted and can therefore easily be spoofed. With Kerberos, the identity (principal) of the user is included in the encrypted Kerberos ticket, which can only be read by the target server and the KDC, because they are the only ones that know the encryption key. In conjunction with NFS secure, AES128 and AES256 encryption in Kerberos is supported. Along with NFS secure, this also impacts SMB and LDAP.
Security on file system objects In a multiprotocol environment, security policy is set at the file system level, and is independent for each file system. Each file system uses its access policy to determine how to reconcile the differences between NFS and SMB access control semantics. Selecting an access policy determines which mechanism is used to enforce file security on the particular file system.
● Return the corresponding UNIX account name for a particular user identifier (UID).
● Return the corresponding UID and primary group identifier (GID) for a particular UNIX account name.
The supported services are:
● LDAP
● NIS
● Local files
● None (the only possible mapping is through the default user)
There should be one UDS enabled or local files enabled, or both local files and a UDS enabled for the NAS server when multiprotocol sharing is enabled.
Figure 1. Resolving a Windows SID to a UID and primary GID (flowchart). Order of checks: if the SID is in secmap, the cached UID and primary GID are used. Otherwise the SID is looked up in the domain controller; if the domain controller does not know it, a match in the local group database yields a UID and primary GID, else the SID is unknown and access is denied. If the domain controller returns a Windows name, the name is translated through ntxmap if an entry exists (otherwise UNIX name = Windows name) and looked up in local files or the UDS to obtain the UID and primary GID. If the name is not found there, automatic mapping (if enabled) generates a UID and primary GID used for SMB-only access; failing that, the default UNIX account is used if one is configured; otherwise the mapping fails and access is denied.
Figure 2. Resolving a UID to a Windows SID (flowchart). Order of checks: if the UID is in secmap, the cached SID is used. Otherwise the UID is looked up in local files or the UDS; if it is not found, the UID is unresolvable and access is denied. The resulting UNIX name is translated through ntxmap if an entry exists (otherwise Windows name = UNIX name), and the Windows name is resolved to a SID by the domain controller, else by the local group database, else by the default Windows account if one is configured; otherwise the UID is unresolvable and access is denied.
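The following is an added example, not Dell's code: the two resolution orders of Figure 1 and Figure 2 written as functions, with in-memory dictionaries standing in for secmap, the domain controller, the local group database, ntxmap and the local files/UDS. It makes the precedence visible (a persistent secmap entry wins over everything, ntxmap is consulted before the UDS, automatic mapping is tried before the default account) and which outcomes are cached. All SIDs, names and IDs in the sample data are constructed, and the range used for automatically generated UIDs is an assumption.

```python
"""SID-to-UID and UID-to-SID resolution following Figures 1 and 2 (added example)."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

UnixId = Tuple[int, int]   # (UID, primary GID)


@dataclass
class MappingSources:
    secmap_sid: dict = field(default_factory=dict)        # SID -> (uid, gid), persistent cache
    secmap_uid: dict = field(default_factory=dict)        # uid -> SID, persistent cache
    dc_sid_to_name: dict = field(default_factory=dict)    # domain controller lookups
    dc_name_to_sid: dict = field(default_factory=dict)
    local_group_sid: dict = field(default_factory=dict)   # NAS-server local group database
    local_group_name: dict = field(default_factory=dict)
    ntxmap_win_to_unix: dict = field(default_factory=dict)
    ntxmap_unix_to_win: dict = field(default_factory=dict)
    uds_name_to_unix: dict = field(default_factory=dict)  # local files, LDAP or NIS
    uds_uid_to_name: dict = field(default_factory=dict)
    automatic_mapping: bool = False
    default_unix_account: Optional[UnixId] = None
    default_windows_sid: Optional[str] = None
    next_auto_uid: int = 0x80000000                      # assumed start of the auto-mapping range


def sid_to_unix(sid: str, src: MappingSources) -> Optional[UnixId]:
    """Figure 1: returns (uid, gid), or None where the figure says 'access denied'."""
    if sid in src.secmap_sid:
        return src.secmap_sid[sid]
    win_name = src.dc_sid_to_name.get(sid)
    if win_name is None:
        # Not a domain SID: only the local group database can still resolve it.
        return src.local_group_sid.get(sid)               # None -> unknown SID
    unix_name = src.ntxmap_win_to_unix.get(win_name, win_name)   # ntxmap, else same name
    unix = src.uds_name_to_unix.get(unix_name)
    if unix is None and src.automatic_mapping:
        unix = (src.next_auto_uid, src.next_auto_uid)      # identity usable for SMB-only access
        src.next_auto_uid += 1
    if unix is not None:
        src.secmap_sid[sid] = unix                        # persist the resolved mapping
        return unix
    return src.default_unix_account                       # None -> failed mapping (not cached)


def unix_to_sid(uid: int, src: MappingSources) -> Optional[str]:
    """Figure 2: returns a SID, or None where the figure says 'access denied'."""
    if uid in src.secmap_uid:
        return src.secmap_uid[uid]
    unix_name = src.uds_uid_to_name.get(uid)
    if unix_name is None:
        return None                                       # unresolvable UID
    win_name = src.ntxmap_unix_to_win.get(unix_name, unix_name)
    sid = src.dc_name_to_sid.get(win_name)
    if sid is None:
        sid = src.local_group_name.get(win_name)
    if sid is not None:
        src.secmap_uid[uid] = sid
        return sid
    return src.default_windows_sid                        # None -> unresolvable UID (not cached)


def sample_sources() -> MappingSources:
    """Constructed directory contents for the demo."""
    src = MappingSources()
    src.dc_sid_to_name = {"S-1-5-21-10-20-30-1105": "jdoe",
                          "S-1-5-21-10-20-30-1106": "asmith",
                          "S-1-5-21-10-20-30-1107": "contractor"}
    src.dc_name_to_sid = {v: k for k, v in src.dc_sid_to_name.items()}
    src.ntxmap_win_to_unix = {"asmith": "alice.smith"}    # Windows and UNIX names differ
    src.ntxmap_unix_to_win = {"alice.smith": "asmith"}
    src.uds_name_to_unix = {"jdoe": (1001, 100), "alice.smith": (1002, 100)}
    src.uds_uid_to_name = {1001: "jdoe", 1002: "alice.smith", 1003: "svc-backup"}
    src.local_group_sid = {"S-1-5-21-99-99-99-1001": (32545, 32545)}   # constructed local group
    src.local_group_name = {"localusers": "S-1-5-21-99-99-99-1001"}
    return src
```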
(Access policy table, continued) Access policy | Description
● SMB ACL permission changes are allowed in order to avoid causing disruption, but these permissions are not maintained.
For FTP, authentication with Windows or UNIX depends on the user name format that is used when authenticating to the NAS server. If Windows authentication is used, FTP access control is similar to that for SMB; otherwise, authentication is similar to that for NFS. FTP and SFTP clients are authenticated when they connect to the NAS server.
UNIX credential for NFS requests To handle NFS requests for an NFS only or multi-protocol file system with a UNIX or native access policy, a UNIX credential must be used. The UNIX credential is always embedded in each request; however, the credential is limited to 16 extra groups. The NFS server extendedUnixCredEnabled property provides the ability to build a credential with more than 16 groups.
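The following is an added example, not Dell's code. It encodes and decodes the RFC 5531 AUTH_SYS credential (authsys_parms), whose gids<16> field is the reason the credential carried in each NFS request holds at most 16 extra groups, and then runs a group-permission check with the wire group list and with a group list rebuilt from the directory, which is the effect of the extendedUnixCredEnabled property described above. The UDS contents, the file ownership and the modes are constructed for the demo; the fallback for a UID unknown to the UDS is this example's choice.

```python
"""AUTH_SYS on the wire versus an extended UNIX credential (added example)."""
import struct

MAX_WIRE_GIDS = 16             # RFC 5531 section 9.1: unsigned int gids<16>


def _xdr_string(data: bytes) -> bytes:
    """XDR variable-length opaque: 4-byte length, bytes, zero padding to a multiple of 4."""
    return struct.pack(">I", len(data)) + data + b"\0" * (-len(data) % 4)


def encode_authsys(stamp, machinename, uid, gid, gids) -> bytes:
    """Build the opaque_auth body an NFS client sends; groups beyond 16 are dropped."""
    gids = list(gids)[:MAX_WIRE_GIDS]
    return (struct.pack(">I", stamp)
            + _xdr_string(machinename.encode("utf-8"))
            + struct.pack(">III", uid, gid, len(gids))
            + struct.pack(">%dI" % len(gids), *gids))


def decode_authsys(body: bytes) -> dict:
    """Parse the body back; rejects oversize group lists and trailing bytes."""
    off = 0
    stamp, name_len = struct.unpack_from(">II", body, off)
    off += 8
    machinename = body[off:off + name_len].decode("utf-8")
    off += name_len + (-name_len % 4)
    uid, gid, count = struct.unpack_from(">III", body, off)
    off += 12
    if count > MAX_WIRE_GIDS:
        raise ValueError("AUTH_SYS credential lists more than 16 groups")
    gids = list(struct.unpack_from(">%dI" % count, body, off))
    off += 4 * count
    if off != len(body):
        raise ValueError("trailing bytes in AUTH_SYS credential")
    return {"stamp": stamp, "machinename": machinename,
            "uid": uid, "gid": gid, "gids": gids}


def effective_credential(cred: dict, uds: dict, extended_unix_cred_enabled: bool):
    """(uid, primary gid, set of groups) the server enforces with.

    With the extended credential enabled the group list comes from the UDS
    entry for the UID rather than from the request; otherwise the wire list
    is used. Falling back to the wire credential for a UID the UDS does not
    know is a choice made for this demo.
    """
    if extended_unix_cred_enabled and cred["uid"] in uds:
        primary, groups = uds[cred["uid"]]
        return cred["uid"], primary, set(groups)
    return cred["uid"], cred["gid"], set(cred["gids"])


def may_read(eff, file_uid: int, file_gid: int, mode: int) -> bool:
    """Classic UNIX owner/group/other read check (no root override)."""
    uid, gid, groups = eff
    if uid == file_uid:
        return bool(mode & 0o400)
    if file_gid == gid or file_gid in groups:
        return bool(mode & 0o040)
    return bool(mode & 0o004)
```

In the test data the user belongs to 20 groups and the file's group is the 20th; the request carries only the first 16, so the group bits never apply until the server rebuilds the credential from the UDS.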
system. Although the operating system is resistant to viruses, Windows clients that access the storage system require virus protection. Virus protection on clients reduces the chance that they will store an infected file on the server, and protects them if they open an infected file. This antivirus solution consists of a combination of the operating system software, CAVA agent, and a third-party antivirus engine.
2 Communication security settings
This section contains the following topics:
Topics:
• Port Usage
• Transport Layer Security

Port Usage
The following sections outline the collection of network ports and the corresponding services that may be found on the appliance. The appliance functions as a network client in several circumstances, for example, in communicating with a vCenter Server.
Table 5. Appliance network ports (continued)
Port | Service | Protocol | Access Direction | Description
(continued from the previous row) SNMP will not be sent. The default port set for SNMP is 162.
443 | HTTPS | TCP | Bi-directional | Secure HTTP traffic to PowerStore Manager. If closed, communication with the appliance will be unavailable.
500 | IPsec (IKEv2) | UDP | Bi-directional | To make IPsec work through your firewalls, open UDP port 500 and permit IP protocol numbers 50 (ESP) and 51 (AH) on both inbound and outbound firewall filters.
Table 5. Appliance network ports (continued)
Port | Service | Protocol | Access Direction | Description
(continued from the previous row) ● Outbound for SupportAssist ● Required for the related SupportAssist Connect Home functions.
8443, 50443, 55443, or 60443 | Windows import host agent, Linux import host agent, or VMware import host agent | TCP | Outbound | One of these ports must be open when importing data storage from legacy storage systems.
9443 | SupportAssist | TCP | Outbound | Required for the SupportAssist REST API related to Connect Home.
Table 6. Appliance network ports related to file (continued)
Port | Service | Protocol | Access Direction | Description
137 | Microsoft NetBIOS WINS | UDP; TCP/UDP | Inbound; Outbound | The NetBIOS Name Service is associated with the appliance SMB file sharing services and is a core component of that feature (WINS). Disabling this port disables all SMB related services.
Table 6. Appliance network ports related to file (continued)
Port | Service | Protocol | Access Direction | Description
636 | LDAPS | TCP/UDP | Outbound | Secure LDAP queries. If closed, secure LDAP authentication will be unavailable.
1234 | NFS mountd | TCP/UDP | Bi-directional | Used for the mount service, which is a core component of the NFS service (versions 2, 3, and 4).
1468 | Remote Logging | TCP | Outbound | Allows the appliance to send log messages to remote syslog servers.
Table 6. Appliance network ports related to file (continued)
Port | Service | Protocol | Access Direction | Description
(continued from the previous row, NDMP)
● The NDMP service can be disabled if NDMP tape backup is not used.
● The NDMP service is authenticated with a username/password pair. The username is configurable. The NDMP documentation describes how to configure the password for a variety of environments.
Table 7. Network ports related to PowerStore X model appliances (continued)
Port | Service | Protocol | Access Direction | Description
5900, 5901, 5902, 5903, 5904 | RFB protocol | TCP | Inbound | Remote access to graphical user interfaces such as VNC.
5988 | Common Information Model (CIM) Server | TCP | Inbound | Server for CIM.
5989 | CIM Secure Server | TCP | Inbound | Server for CIM.
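The following is an added example, not Dell's code: a check that compares the ports found listening on an appliance with the port tables above. The allowlists are only the subset of Tables 5 to 7 that appears on this page (the complete tables are not reproduced here), and the scan text is constructed in nmap's PORT/STATE/SERVICE layout. Listeners outside the allowlist, or on ports the tables describe as outbound-only, are what an operator would investigate first.

```python
"""Audit an appliance's open ports against the documented tables (added example)."""
import re

# (port, protocol) -> service, expected on every PowerStore appliance (subset of Tables 5 and 6)
COMMON_PORTS = {
    (443, "tcp"): "HTTPS / PowerStore Manager",
    (500, "udp"): "IPsec IKEv2",
    (137, "udp"): "NetBIOS name service (SMB)",
    (137, "tcp"): "NetBIOS name service (SMB)",
    (1234, "tcp"): "NFS mountd",
    (1234, "udp"): "NFS mountd",
}
# additional inbound listeners expected only on PowerStore X model appliances (Table 7)
X_MODEL_PORTS = {
    **{(p, "tcp"): "RFB (VNC)" for p in range(5900, 5905)},
    (5988, "tcp"): "CIM server",
    (5989, "tcp"): "CIM secure server",
}
# ports the tables describe as outbound only: the appliance is the client, not a listener
OUTBOUND_ONLY = {
    (636, "tcp"): "LDAPS",
    (1468, "tcp"): "remote logging",
    (9443, "tcp"): "SupportAssist",
}

SCAN_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)")


def parse_scan(text: str) -> set:
    """Return {(port, proto)} for every scan line that reports an open port."""
    found = set()
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if m and m.group(3) == "open":
            found.add((int(m.group(1)), m.group(2)))
    return found


def audit_ports(open_ports: set, x_model: bool) -> dict:
    """Classify open ports as expected, unexpected, or listening where only a client should be.

    'missing' for a UDP port may simply mean the scan was TCP-only (nmap needs -sU).
    """
    expected = dict(COMMON_PORTS)
    if x_model:
        expected.update(X_MODEL_PORTS)
    return {
        "unexpected": sorted(p for p in open_ports if p not in expected),
        "missing": sorted(p for p in expected if p not in open_ports),
        "listening_on_outbound_only_port": sorted(p for p in open_ports if p in OUTBOUND_ONLY),
    }


# Constructed scan output, not from a real appliance.
SAMPLE_SCAN = """\
PORT     STATE SERVICE
137/udp  open  netbios-ns
443/tcp  open  https
1234/tcp open  hotline
1468/tcp open  rap-listen
5900/tcp open  vnc
"""

if __name__ == "__main__":
    for model in (False, True):
        print("X model" if model else "T model", audit_ports(parse_scan(SAMPLE_SCAN), model))
```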
example, when importing external data from older systems). For some operations, an earlier version of the TLS protocol may be required; for example, importing external storage from a storage system that does not support TLS 1.2 but does support TLS 1.1. TLS 1.1 is disabled by default on PowerStore and is not considered a secure protocol. TLS 1.1 can be enabled on PowerStore to allow users to import data from older systems that do not support TLS 1.2. When TLS 1.1 is enabled, both TLS 1.
3 Auditing
This chapter contains the following information:
Topics:
• Auditing
• Remote logging

Auditing
Auditing provides a historical view of user activity on the system. A user with the role of Administrator, Security Administrator, or Storage Administrator can use the REST API to search for and view configuration change events on the system. The audited events are not limited to security-related ones: every set operation (that is, POST, PATCH, and DELETE) is audit logged.
Configuring a remote syslog server to receive storage system log messages
Before configuring remote logging for a storage system, you must configure each remote system to receive logging messages from the storage system. A root or administrator user on the receiving system can configure the syslog-ng or rsyslog server to receive log information by editing its configuration file (syslog-ng.conf or rsyslog.conf) on the remote system.
Import a certificate for remote logging Prerequisites Before importing a certificate, ensure that you know the location of the certificate file or have the certificate text available to copy and paste for import. About this task To import a certificate using the PowerStore Manager, do the following: Steps 1. Click Settings and under Security select Remote Logging. The Remote logging page appears. 2. Under Certificates, select Import and select the type of certificate to import.
Manage remote logging settings About this task You can change the configuration settings of the remote syslog servers, delete remote syslog servers, and send a test message to a remote syslog server. You can also import either a Server CA Certificate for one-way authentication or an optional Mutual Authentication Certificate for two-way authentication, delete a certificate, and generate a Certificate Signing Request (CSR). Steps 1.
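The following is an added example, not Dell's code: receive-side handling for the traffic that remote logging sends to the port in Table 6. It unframes syslog over TCP (octet-counted and newline-delimited, RFC 6587), decodes the PRI field into facility and severity, and accepts both RFC 5424 and legacy BSD (RFC 3164) layouts, so that the test message sent from the Remote Logging page can be checked on the receiving host before the production syslog-ng or rsyslog configuration is finalised. The sample messages are constructed; the exact format PowerStore emits is not shown on this page.

```python
"""Framing and parsing of syslog messages received over TCP (added example)."""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + \
             [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(r"^<(\d{1,3})>(\d+) (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*?\])\s?(.*)$", re.S)
# <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


def split_frames(stream: bytes) -> list:
    """Split a TCP byte stream into messages. A frame starting with a digit is
    octet-counted ("NNN <msg>", NNN = length in bytes); otherwise it ends at a newline."""
    frames = []
    while stream:
        if stream[:1].isdigit():
            length, _, rest = stream.partition(b" ")
            n = int(length)
            frames.append(rest[:n])
            stream = rest[n:]
        else:
            frame, _, stream = stream.partition(b"\n")
            frames.append(frame)
    return frames


def parse_syslog(frame: bytes) -> dict:
    """Decode one message into facility, severity, host and message fields."""
    text = frame.decode("utf-8", errors="replace").rstrip("\r\n")
    m = RFC5424.match(text)
    if m:
        pri = int(m.group(1))
        rec = {"format": "rfc5424", "timestamp": m.group(3), "hostname": m.group(4),
               "app": m.group(5), "procid": m.group(6), "msgid": m.group(7),
               "sd": m.group(8), "msg": m.group(9)}
    else:
        m = RFC3164.match(text)
        if not m:
            raise ValueError("unrecognised syslog message: " + text[:40])
        pri = int(m.group(1))
        rec = {"format": "rfc3164", "timestamp": m.group(2),
               "hostname": m.group(3), "msg": m.group(4)}
    if pri > 191:
        raise ValueError("PRI out of range")
    rec["facility"] = FACILITIES[pri // 8]     # PRI = facility * 8 + severity
    rec["severity"] = SEVERITIES[pri % 8]
    return rec


def serve(port: int = 1468):
    """Minimal plaintext TCP listener for testing only; the production receiver
    should terminate TLS with the certificate imported on the Remote Logging page."""
    import socketserver

    class Handler(socketserver.StreamRequestHandler):
        def handle(self):
            for frame in split_frames(self.rfile.read()):
                print(parse_syslog(frame))

    with socketserver.TCPServer(("", port), Handler) as srv:
        srv.serve_forever()
```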
4 Data security settings
This section contains the following topics:
Topics:
• Data at Rest Encryption
• Encryption activation
• Encryption status
• Key management
• Keystore backup file
• Repurpose a drive in an appliance with encryption enabled
• Replacing a base enclosure and nodes from a system with encryption enabled
• Resetting an appliance to factory settings

Data at Rest Encryption
Data at Rest Encryption (D@RE) in PowerStore utilizes FIPS 140-2 validated Self-Encrypting Drives (SEDs) by respecti
● Unencrypted – Encryption capability is not supported on the appliance. Drive level encryption status is provided for each drive in an appliance and appears as one of the following: ● Encrypted – The drive is encrypted. This is the typical state of a drive in an appliance that is encryption capable. ● Processing – The appliance is enabling encryption on the drive.
Repurpose a drive in an appliance with encryption enabled A self-encrypting drive (SED) is locked when an appliance is initialized or when it is inserted into an already initialized appliance. About this task The drive cannot be used in another system without first being unlocked. The locked drive becomes unusable when it is inserted into a different appliance and its encryption status appears as Foreign in the new appliance.
5 Secure serviceability settings
This chapter contains the following information:
Topics:
• Operational description of SupportAssist
• SupportAssist options
• SupportAssist Connect via Gateway option
• SupportAssist Connect Directly option
• Requirements for SupportAssist Connect via Gateway
• Requirements for SupportAssist Connect Directly
• Configuring SupportAssist
• Configure SupportAssist
• CloudIQ
• Cybersecurity

Operational description of SupportAssist
SupportAssist is a secure support technology
SupportAssist communication SupportAssist cannot be enabled on PowerStore models configured with IPv6 for the management network. SupportAssist is not supported over IPv6. Also, management network reconfiguration from IPv4 to IPv6 is not allowed when SupportAssist is configured on a cluster. NOTE: Access to a DNS server is required for SupportAssist to work.
● Connect Directly — For distributed SupportAssist that runs on individual appliances with the same two-way file transfer as connecting through a SupportAssist gateway server. Another option, Disabled, is available but not recommended. If you select this option, Dell EMC Support will not receive notifications about issues with the appliance. You may need to collect appliance information manually to assist support representatives with troubleshooting and resolving problems with the appliance.
Requirements for SupportAssist Connect Directly The following requirement is applicable to the Connect Directly SupportAssist implementation: ● Network traffic (HTTPS) must be permitted on ports 443 and 8443 (outbound) to Dell EMC Support. Failure to open port 8443 results in significant performance impact (30–45 percent). Failure to open both ports may result in a delay in resolving issues with the end device.
7. Select Send Test Alert to send a test alert to Dell EMC Support to ensure end-to-end connectivity. 8. The Connect to CloudIQ checkbox is selected by default; if you do not want to send files to CloudIQ and be able to use the Cybersecurity application, clear the checkbox; otherwise, leave the checkbox selected. 9.
6 Security Alert Settings
This chapter describes the different methods available to notify administrators of alerts that occur on a PowerStore cluster.
Topics:
• Alert settings

Alert settings
PowerStore alerts inform administrators of actionable events that occur on the PowerStore cluster. These alerts can be reported as shown in the following table.
Table 8.
Table 8. Alert settings (continued)
Alert notification type | Description
CloudIQ | CloudIQ is a Dell EMC-hosted service that uses data (logs, system configuration, alerts, performance metrics, and capacity metrics and capacity forecast data) collected by SupportAssist to allow users to monitor performance, utilization, and health in near real time across multiple PowerStore clusters and perform basic service actions.
  ○ Version
  ○ Trap Community String
● For SNMPv3
  ○ Network Name or IP address
  ○ Port
  ○ Minimal Severity Level of Alerts
  ○ Version
  ○ Security Level
    NOTE: Depending on the security level selected, additional fields appear.
    ■ For the level None, only Username appears.
    ■ For the level Authentication only, Password and Authentication Protocol appear along with Username.
    ■ For the level Authentication and privacy, Password, Authentication Protocol, and Privacy Protocol appear along with Username.
A TLS cipher suites
This appendix contains the following information:
Topics:
• Supported TLS cipher suites

Supported TLS cipher suites
A cipher suite defines a set of technologies to secure your TLS communications:
● Key exchange algorithm (how the secret key used to encrypt the data is communicated from the client to the server). Examples: RSA key or Diffie-Hellman (DH)
● Authentication method (how hosts can authenticate the identity of remote hosts).
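The following is an added example, not Dell's code. decompose() splits an OpenSSL cipher-suite name into the key exchange, authentication, encryption and integrity components this appendix describes, and management_context() builds a client context for connecting to PowerStore Manager that refuses anything below TLS 1.2 and keeps only forward-secret AEAD suites; legacy_import_context() shows the deliberate, temporary relaxation to TLS 1.1 that the Transport Layer Security section describes for an import source that cannot do TLS 1.2. PowerStore's own list of supported suites is not reproduced on this page, so the allowed set below is this example's choice.

```python
"""Cipher-suite components and TLS client contexts (added example)."""
import ssl

# OpenSSL cipher-string syntax: ECDHE key exchange with AEAD ciphers only; no anonymous,
# NULL, PSK/SRP or legacy suites. Chosen for this example, not taken from PowerStore.
MODERN_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP"


def decompose(name: str) -> dict:
    """Split an OpenSSL-style suite name such as ECDHE-RSA-AES256-GCM-SHA384 into
    key exchange, authentication, encryption and integrity parts."""
    if name.startswith("TLS_"):
        # TLS 1.3 names only the AEAD cipher and hash; key exchange is always
        # ephemeral (EC)DH and authentication is by certificate, negotiated separately.
        enc, mac = name[4:].rsplit("_", 1)
        return {"kex": "(EC)DHE", "auth": "certificate", "enc": enc.replace("_", "-"),
                "mac": mac, "aead": True, "forward_secret": True}
    parts = name.split("-")
    if parts[0] in ("ECDHE", "DHE", "ECDH", "DH"):
        kex, auth = parts[0], parts[1]
        parts = parts[2:]
    else:
        kex = auth = "RSA"          # OpenSSL omits RSA-RSA, e.g. AES128-GCM-SHA256
    mac = parts[-1]
    body = parts[:-1]
    aead = "GCM" in body or "CCM" in body or mac == "POLY1305"
    enc = "-".join(body + ([mac] if mac == "POLY1305" else []))
    return {"kex": kex, "auth": auth, "enc": enc, "mac": mac, "aead": aead,
            "forward_secret": kex in ("ECDHE", "DHE")}


def management_context() -> ssl.SSLContext:
    """Client context for PowerStore Manager: certificate and hostname verification on,
    TLS 1.2 as the floor, forward-secret AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(MODERN_CIPHERS)
    return ctx


def legacy_import_context() -> ssl.SSLContext:
    """Only for a one-off import from a source that cannot speak TLS 1.2; discard afterwards.
    Whether the local OpenSSL build still negotiates TLS 1.1 depends on its security level."""
    ctx = management_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_1
    return ctx


def negotiable_suites(ctx: ssl.SSLContext) -> list:
    """Names of the suites the context would offer (TLS 1.3 suites are always included)."""
    return [c["name"] for c in ctx.get_ciphers()]


def all_forward_secret(ctx: ssl.SSLContext) -> bool:
    return all(decompose(n)["forward_secret"] for n in negotiable_suites(ctx))


if __name__ == "__main__":
    for n in negotiable_suites(management_context()):
        print(n, decompose(n))
```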
B Directory Services This appendix describes how to configure PowerStore to connect to an LDAP server for authentication, and how to assign roles to LDAP users and groups. Topics: • • • Configuring Directory Services Configure LDAP server Configure LDAP account Configuring Directory Services The Lightweight Directory Access Protocol (LDAP), is an application protocol for querying and modifying directory services running on TCP/IP networks.
The Directory Services page appears. 3. The options that appear depend on whether LDAP has been configured. Do one of the following: ● To configure LDAP for the first time, click Configure LDAP. Go to the next step. ● To edit an existing LDAP configuration, click Edit LDAP Configuration. Go to the next step. ● To delete an LDAP configuration, click Delete LDAP Configuration. When either Configure LDAP or Edit LDAP Configuration are selected, the Directory Services slide out panel appears.
    ■ Object Class: group
    ■ Search Path: cn=Users,dc=
    ■ Search Level:
● Active Directory - Global Catalog server
  ○ User Search Settings:
    ■ ID Attribute: UserPrincipalName
    ■ Object Class: user
    ■ Search Path: (greyed out)
  ○ Group Search Settings:
    ■ Member Attribute: member
    ■ ID Attribute: cn
    ■ Object Class: group
    ■ Search Path: (greyed out)
    ■ Search Level:
● OpenLDAP server
  ○ User Search Settings:
    ■ ID Attribute: uid
    ■ Object Class: inetOrgPerson
    ■ Search Path:
  ○ Group Search S
a. Verify the Directory Services configuration information, in particular the Distinguished Name (user name), Password, and the Server Address (IP address). b. Verify the LDAP server is online. c. Verify there are no network issues; for example, firewall rules that would block access to the LDAP port, network router configuration that prevents the connection, and such.
Next steps You must verify the configuration after configuring LDAPS and uploading the server certificate file. Verify LDAPS configuration About this task NOTE: To avoid the possibility of data being unavailable, you must verify the LDAPS connection after every LDAPS configuration change. To verify the LDAPS configuration, do the following: Steps 1. Click Verify Connection on the Directory Services page.
● When Global Catalog (forest-level authentication) is selected while configuring the PowerStore LDAP server, the default value for User ID Attribute under Advanced Settings is UserPrincipalName. So the Account Name must be a UserPrincipalName which is unique, and the format is username@DomainName.com ● When Global Catalog is not selected, the default value for the User ID Attribute under Advanced Settings is sAMAccountName. The Account Name must be an sAMAccountName.
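The following is an added example, not Dell's code: the user and group searches that result from the Directory Services defaults listed above, for the Active Directory, Global Catalog and OpenLDAP profiles. It applies the per-profile ID attribute, object class and member attribute, enforces the UserPrincipalName form that Global Catalog authentication needs, and escapes the account name per RFC 4515 so that a login name chosen by an attacker cannot alter the filter. The OpenLDAP group settings are cut off on this page; the groupOfNames/member pair used here is an assumption, as are the sample DNs.

```python
"""LDAP search construction for the three Directory Services profiles (added example)."""

PROFILES = {
    "ad": {"user_attr": "sAMAccountName", "user_class": "user",
           "group_class": "group", "member_attr": "member", "group_attr": "cn"},
    "ad_gc": {"user_attr": "userPrincipalName", "user_class": "user",
              "group_class": "group", "member_attr": "member", "group_attr": "cn"},
    # Assumed OpenLDAP group schema; the page's OpenLDAP group settings are truncated.
    "openldap": {"user_attr": "uid", "user_class": "inetOrgPerson",
                 "group_class": "groupOfNames", "member_attr": "member", "group_attr": "cn"},
}


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))      # e.g. * -> \2a, ( -> \28, ) -> \29
        else:
            out.append(ch)
    return "".join(out)


def _default_base(profile: str, domain_dn: str) -> str:
    if profile == "ad_gc":
        return ""                 # search path is greyed out: the Global Catalog is searched forest-wide
    if profile == "ad":
        return "cn=Users," + domain_dn
    return domain_dn


def user_search(profile: str, account: str, domain_dn: str = "", search_path: str = None):
    """Return (search base, filter) that locates the account for bind/role lookup."""
    p = PROFILES[profile]
    if profile == "ad_gc" and "@" not in account:
        raise ValueError("Global Catalog lookups need a UserPrincipalName (user@domain)")
    base = search_path if search_path is not None else _default_base(profile, domain_dn)
    filt = "(&(objectClass=%s)(%s=%s))" % (p["user_class"], p["user_attr"], ldap_escape(account))
    return base, filt


def group_search(profile: str, user_dn: str, domain_dn: str = "", search_path: str = None):
    """Return (search base, filter) that lists the groups naming user_dn as a member,
    which is what role assignment to an LDAP group relies on."""
    p = PROFILES[profile]
    base = search_path if search_path is not None else _default_base(profile, domain_dn)
    filt = "(&(objectClass=%s)(%s=%s))" % (p["group_class"], p["member_attr"], ldap_escape(user_dn))
    return base, filt


if __name__ == "__main__":
    print(user_search("ad", "jdoe", domain_dn="dc=corp,dc=example"))
    print(user_search("ad", "*)(objectClass=*", domain_dn="dc=corp,dc=example"))
    print(user_search("ad_gc", "jdoe@corp.example"))
```

Because the filter is assembled from attribute names fixed per profile and a value that is always escaped, a name such as `*)(objectClass=*` becomes a literal string to match rather than an extra filter clause.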