HP 3PAR InForm OS Common Criteria Administrator’s Reference
Abstract
This manual is for all levels of system and storage administrators. It provides information for operating the HP 3PAR Storage System in the Common Criteria evaluated configuration.
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Contents
1 Introduction
    Audience
    Support and Other Resources
    Related Documentation
    Typographical Conventions
    Licensed Features
    CC Configuration Validation
    Auditing Security-Relevant Events
6 Documentation Errata
    CLI Administrator’s Manual
1 Introduction
This administrator’s reference provides information for administering the HP 3PAR Storage System to operate in the Common Criteria (CC) evaluated configuration mode. The Common Criteria (CC) are internationally well-recognized standards for the evaluation of products incorporating security functionality.
Related Documentation
The following documents also provide information related to HP 3PAR Storage Systems and the InForm® Operating System that might be useful in preparing to install, configure and operate the equipment.
Advisories
To avoid injury to people or damage to data and equipment, be sure to observe the cautions and warnings in this reference guide. Always be careful when handling any electrical equipment.
WARNING Warnings alert you to actions that can cause injury to people or irreversible damage to data or the operating system.
CAUTION Cautions alert you to actions that can cause damage to equipment, software, or data.
Acronym | Definition
NTP | Network Time Protocol
OOTB | Out-of-the-Box script run during initial HP 3PAR Storage installation
OS | Operating System
P16 | Patch 16
PDU | Packet Data Unit
PR | Persistent Repository
RCIP | Remote Copy over IP
RFC | Request For Comment
RM-VASA | VMware-specific component of the Recovery Manager, which provides backup/restore capability with the InServ being used as the backend (backup) repository
RSA | Rivest, Shamir, Adleman algorithm for public-key cryptography
SAN | Storage A
2 Overview
This section provides an overview of Common Criteria.
Common Criteria
The Common Criteria (CC) are internationally well-recognized standards for the evaluation of products incorporating security functionality. Important areas of security functionality are:
- Ensuring that the HP 3PAR Storage System is accessed by authorized administrators.
- Ensuring that administrator access occurs over a secure interface.
3 Evaluated Configuration
This section provides information on the HP 3PAR Storage System Common Criteria evaluated configuration.
Hardware and Software
The HP 3PAR Storage System evaluated for conformance to the CC standard consists of the following: HP 3PAR InServ Storage Systems models listed below, each running InForm OS (version 3.1.
The host interface connections (SAN, iSCSI, LAN) are assumed to be private networks and carry no general network traffic. While difficult, access by untrustworthy entities, or hosts, could lead to the spoofing of WWNs or iSCSI names on these network segments. This could result in unintended access to storage resources by those untrustworthy entities.
4 Operating in Common Criteria Mode
This section provides details on HP 3PAR Storage System evaluated configuration operation in CC mode.
Common Criteria Mode
Common Criteria “mode” operation differs from standard HP 3PAR Storage System operation in that in this mode only secure (i.e., encrypted) ports can be used. By default, the HP 3PAR Storage System provides both secure and unsecure ports for performing operational activities.
Port | Type | Use | Status in CC mode | Status in non-CC mode
5780 | TCP | Legacy guisrv port – no longer used | Visible but closed | Visible but closed
5781 | TCP | Port on which the Service Processor listens for HP 3PAR Storage System events | Not visible (firewalled at installation) | Active
5782 | TCP | Unsecured CLI/IMC port | Not visible (firewalled at installation) | Active
5783 | TCP | Secured (SSL) CLI/IMC port | Active | Active
5988 | TCP | Unsecured (HTTP) CIM server port | Visible but closed | Visible/Active if en
By default, the HP 3PAR Storage System does not authenticate hosts. To authenticate the identity of hosts, use iSCSI to interface to the hosts and use the Challenge-Handshake Authentication Protocol (CHAP), or dual-CHAP, for host authentication (CHAP is not supported for the FC interface). CHAP can be configured using the sethost CLI command and its initchap and targetchap subcommands (see the HP 3PAR InForm OS Command Line Reference for details).
SSH Client Usage
The InForm OS includes an SSH server. The following are Common Criteria-relevant recommendations for configuring SSH clients and user environments when communicating with the HP 3PAR Storage System. The InForm OS supports several key exchange algorithms for securing the channel: diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, and diffie-hellman-group-exchange-sha256. Some clients allow for setting the “preferred” key exchange protocol.
Functionality that is excluded from the CC evaluated configuration
This section provides details on items excluded from the CC evaluated configuration.
SNMP
Activities in the SNMP agent component are not logged in a manner consistent with the majority of the InForm OS components. There is minimal visibility into the actions performed by the SNMP agent in the system audit logs.
Remote Copy
The Remote Copy application involves network communication between HP 3PAR Storage System peers. This communication uses a protocol that is unencrypted and unauthenticated. Though the application configuration assumes that the connection is a point-to-point VPN including only the two peers, since the protocol is unsecured and the peers do not authenticate each other, Remote Copy was excluded from the evaluated configuration.
Table 5 Mapping of HP 3PAR Storage System Events to ST Requirements Requirement FAU_GEN.1 Auditable Event(s) Additional Audit Record Content InServ Event None None None None None None Reading of information from the audit records None The event log will contain a “CLI command executed” event naming ‘geteventlog’ as the command executed. This is true for both CLI and IMC data extraction operations.
Auditable Event(s) Requirement FAU_STG.4 Additional Audit Record Content None None The storage area is protected by the HP Storage System’s physical storage protections, as the PR resides on an admin VV configured for redundancy. Space on the volume is tightly managed to prevent exhaustion. If the log should fail, em_filter writes an indication to its own private log and continues to record events there until the condition is rectified.
Requirement
FCS_COP.1(1) The TOE implements AES with CTR and CBC modes and 128, 192, and 256 bit key sizes.
FCS_COP.1(2) The TOE implements the RSA Digital Signature Algorithm with a key size (modulus) of 2048 bits and greater.
FCS_COP.1(3) The TOE implements SHA-1 cryptographic hashes.
FCS_COP.1(4) The TOE implements HMAC-SHA-1 keyed-hash message authentication.
FCS_SSH_EXT.1 The TOE supports SSHv2 interactive command-line secure administrator sessions as indicated in the STs.
FCS_TLS_EXT.
Auditable Event(s) Requirement FDP_ACC.2 Additional Audit Record Content InServ Event None None None All requests to perform an operation on an object covered by the SFP The identity of the subject performing the operation All tpdtcl actions that result in modification of objects (create, modify, delete) are logged via the ‘CLI Command’ type event, where the message includes the name of the command and the result, as well as the user involved and the source of the command.
Requirement FIA_UAU.7 Auditable Event(s) Additional Audit Record Content InServ Event None None None All use of the user identification mechanism The user identity provided See FIA_UAU.1. All modifications of the security attribute values None See FDP_ACF.1. Modifications of the default setting of permissive or restrictive rules None See FDP_ACF.1. The TOE is designed to not echo passwords when users are logging in. FIA_UID.
Auditable Event(s) Requirement FMT_MTD.1 Additional Audit Record Content InServ Event None None None None None None None None None None None None Changes to the time The old and new values for the time Origin of the attempt (e.g., IP address) See FDP_ACF.1. Also, adjustment actions taken by NTP are logged as ‘Syslog Message’ type events with the string ‘ntpd’ in the text. Identification of the claimed user identity See FCS_SSH_EXT.1 and FCS_TLS_EXT.1.
Configuration Steps for CC Operation
The following steps should have been taken by customers, in cooperation with HP 3PAR authorized installers, to configure the HP 3PAR Storage System for CC evaluated configuration operation (to verify that you are actually running in the CC evaluated configuration, see “CC Configuration Validation” on page 28).
WARNING If any of these steps are omitted, the system will not be in the evaluated configuration.
1.
   b. Disable the ports using the setsys MgmtOldPorts disable CLI command.
   c. For the disable command to take effect, the cluster must be rebooted using the shutdownsys reboot CLI command. Rebooting the cluster will take several seconds and varies depending on your configuration. The shutdownsys reboot CLI command response will guide you through the reboot process.
5. Remote Copy should not be used in the evaluated configuration.
   a. On new systems, administrators should not issue the startrcopy CLI command.
   b.
1. The system administrator should set the 3parsvc account password on the desired HP 3PAR Storage System to the manufacturing default value. This password is provided by the HP 3PAR Technical Support team. To change the password, use the setpassword 3parsvc CLI command.
2. The authorized service provider can boot the SP and log in as local user spvar or spdood using a password assigned by the administrator (authorized maintainers will use spvar and HP employees will use spdood).
3.
5 Confirming the System Configuration
Administrators can use the information in this section to verify that the HP 3PAR Storage System that was ordered has the correct system components and was installed and configured as intended. See the HP 3PAR InForm OS Command Line Reference for individual CLI command details.
Hardware
To determine that the installed hardware matches that which was ordered for a system, the administrator can use the showinventory CLI command.
CC Configuration Validation
Use the steps below to determine if the system is running in the Common Criteria evaluated configuration.
1. Using a port scanner from a machine on the management network, scan the HP 3PAR Storage System for open ports. The only open ports should indicate that they support encrypted connections. This is useful following a maintenance activity that may have changed networking configuration on the HP 3PAR Storage System.
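The check in step 1, as an added example (not code from HP or from this manual): it compares port states observed from the management network with the "Status in CC mode" column of the port table earlier in this reference. Only the five ports visible in that table are encoded; the open/closed/filtered labels, the function names and the sample scan result are assumptions made here.

```python
import socket

# CC-mode state of each TCP port, transcribed from the port table on this page:
# "open" = Active, "closed" = Visible but closed, "filtered" = Not visible (firewalled).
EXPECTED_CC = {5780: "closed", 5781: "filtered", 5782: "filtered",
               5783: "open", 5988: "closed"}


def probe(host, port, timeout=2.0):
    """Classify one TCP port with a plain connect(): open, closed or filtered."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:   # RST received: port visible but closed
        return "closed"
    except OSError:                  # timeout or unreachable: treated as firewalled
        return "filtered"
    finally:
        sock.close()


def check_cc_ports(observed):
    """Compare {port: state} with the CC-mode table and return the deviations."""
    findings = []
    for port, want in sorted(EXPECTED_CC.items()):
        got = observed.get(port, "not scanned")
        if got != want:
            # A port that must not be Active in CC mode but answers is a failure.
            level = "FAIL" if got == "open" else "WARN"
            findings.append((level, port, f"expected {want}, observed {got}"))
    for port, state in sorted(observed.items()):
        if port not in EXPECTED_CC and state == "open":
            # Ports outside the table are not judged here, only flagged.
            findings.append(("REVIEW", port,
                             "open port not in table; confirm it is encrypted"))
    return findings


if __name__ == "__main__":
    # Constructed scan result (not from a real system): the unsecured CLI/IMC
    # port 5782 answers again after maintenance, and port 22 is open.
    sample = {5780: "closed", 5781: "filtered", 5782: "open",
              5783: "open", 5988: "closed", 22: "open"}
    for finding in check_cc_ports(sample):
        print(*finding)
    # Live use: check_cc_ports({p: probe("array.example", p) for p in EXPECTED_CC})
```

A "closed" versus "filtered" mismatch is reported as WARN rather than FAIL because a connect() probe cannot always tell a firewalled port from an unreachable host.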
   a. Use the removeuser CLI command to remove the desired users and the setpassword CLI command to change the password on those you want to change.
Auditing Security-Relevant Events
Administrators with super level authority can see a complete picture of security-relevant activity (including login/logout activity and failed login attempts) by using the showeventlog CLI command with the -debug operand (IMC cannot be used, since the IMC Events pane does not include events with “debug” severity).
6 Documentation Errata
This section identifies Common Criteria-related errors in the HP 3PAR Storage System customer documents.
CLI Administrator’s Manual
CLI User Name Restrictions Using SSH (p. 57)
The user name restrictions have nothing to do with SSH. These are user names that already exist on the system and therefore cannot be created using the createuser CLI command. It is not possible to log on to the HP 3PAR Storage System through the CLI (or IMC) using these user names.
prior to pasting it into the setsshkey command. If the private key material is not available on a given host, password authentication will still allow the user to connect. This would be the same if the key was prepended with from= and access was attempted from a different IP address, even if the private key was available.
setsys CLI command MgmtOldPorts parameter (p.
F-Class Installation/Deinstallation Guide
Supported Network Topologies (p. 11)
This section indicates that there are three supported topologies – shared, split, and private. This is incorrect – only shared and private are supported.
Split Network Topology (p. 12)
Split network topology is not supported. This entire section should be ignored.
Private Network Topology (p.
T-Class Installation/Deinstallation Guide
Supported Network Topologies (p. 12)
This section indicates that there are three supported topologies – shared, split, and private. This is incorrect – only shared and private are supported.
Private Network Topology (p. 12)
This section requires a Note that indicates that the service processor cannot communicate with HP Central and therefore cannot support remote diagnostics and monitoring.
Split Network Topology (p. 13)
Split network topology is not supported.