VPLEX Security Configuration Guide


EMC® VPLEX®

Security Configuration Guide


P/N 300-010-493-11

February 03, 2014

This guide provides an overview of VPLEX security configuration. Topics include:


◆ VPLEX overview......................................................................................................... 1
◆ Security recommendations........................................................................................ 3
◆ IP addresses and component IDs .............................................................................. 7
◆ Security configuration settings ................................................................................ 13
◆ Configuring user authentication .............................................................................. 15
◆ Manage user accounts ............................................................................................ 18
◆ Log file settings....................................................................................................... 21
◆ Communication security settings ............................................................................ 22
◆ Data security settings.............................................................................................. 29

VPLEX overview
An EMC® VPLEX® cluster consists of one, two, or four engines (each containing two
directors), and a management server. A dual-engine or quad-engine cluster also contains
a pair of Fibre Channel switches for communication between directors.
Each engine is protected by a standby power supply (SPS), and each Fibre Channel switch
gets its power through an uninterruptible power supply (UPS). In a dual-engine or
quad-engine cluster, the management server also gets power from a UPS.
The management server has a public Ethernet port, which provides cluster management
services when connected to the customer network. The management server can also
provide call-home services through the public Ethernet port by connecting to an EMC
Secure Remote Support (ESRS) gateway deployed on the same network. The ESRS
gateway is also used by EMC personnel to provide remote service.
Three VPLEX implementations are available:
◆ VPLEX Local (single cluster)
◆ VPLEX Metro (two clusters separated by synchronous distances)
◆ VPLEX Geo (two clusters separated by asynchronous distances)
In a VPLEX Metro or VPLEX Geo implementation, the clusters are connected over IP
between the management servers.
VPLEX user authentication is configured locally on the management server or remotely on
an OpenLDAP or Active Directory server which integrates with Unix using Service for UNIX
3.5, Identity Management for UNIX, or other authentication service.
A management server in each VPLEX cluster authenticates users against account
information kept on its local file system or against the LDAP/AD server. An authenticated
user can manage resources in the local cluster.
In a VPLEX Metro or VPLEX Geo, users authenticated by either management server can
manage all resources in both clusters. Figure 1 on page 2 shows a VPLEX cluster
configuration (quad system) example.

Figure 1 VPLEX cluster configuration (quad system): Engines 1 through 4, each backed by
two SPS units; FC switch A with UPS A and FC switch B with UPS B; and the management
server.



Security recommendations
While the Security Configuration Guide must be reviewed in its entirety, this section
serves to highlight EMC's most important security recommendations to ensure the
security of your data and environment.
◆ Given the elevated permissions granted to the service account, its password must be
changed in order to better protect VPLEX from misuse or abuse of those privileges.
“Changing the service account password” on page 20 provides more information.
◆ To protect your data in the communications between clusters in VPLEX Metro-IP and
Geo configurations, an external encryption solution such as IPsec must be used to
guarantee confidentiality and authentication for the IP WAN COM link. “IP WAN COM”
on page 22 provides more information.
◆ To protect the identity and integrity of your users and their account credentials, all
LDAP communication must be configured to use the LDAPS protocol. “Implementing
LDAP” on page 16 provides more information.

VPLEX management server operating system and networking


The VPLEX management server’s operating system (OS) is based on a Novell SUSE Linux
Enterprise Server 10 SP2 distribution. Starting in Release 5.3, the management server will
run SUSE Linux Enterprise Server 11 patch 3.
The operating system has been configured to meet EMC security standards by disabling or
removing unused services and packages, and protecting access to network services
through a firewall.
Used packages are hardened with security updates.
A management server has four Ethernet ports, identified as eth0 through eth3 by the
operating system, and shown in Figure 2. A 1 Gb/s public management port (eth3) is the
only Ethernet port in the VPLEX rack that must be connected to an external management
LAN. Other components in the rack are connected to two redundant private management
Ethernet networks, connected to the management server's eth0 and eth2 ports. A service
port (eth1) can be connected to a local laptop, providing access to the same services as a
host on the management LAN.

Figure 2 Management server, rear view: eth0 and eth2 connect to the two private
management networks; eth1 is the service port (service cable to a customer service
workstation); eth3 is the public management port, connected to the customer IP network
by a customer-provided Ethernet cable.


Accessing the management server


Three protocols allow access to a VPLEX management server over a secure and encrypted
connection: SSH, HTTPS, and IPsec VPN.

Using SSH to access the management server shell


Users can log in to the management server shell over SSH version 2, through the
management server's public Ethernet port or service port. The SSH service is available on
the standard port 22.
An SSH login with appropriate credentials allows access to a Linux shell on the
management server. From there:
◆ Users can access the VPLEX command line interface (VPlexcli).
◆ A service account user can also inspect log files, start and stop services, and upgrade
firmware and software.
SSH also can be used to establish a secure tunnel between the management server and
the host running the SSH client. “Using a tunneled VNC connection to access the
management server desktop” on page 5 provides more information.

Using HTTPS to access the VPLEX GUI


The Unisphere for VPLEX graphical user interface (GUI) is accessible as a web service on
the management server's public Ethernet port and the service port, using the HTTPS
protocol. It is available on the standard port 443.
The following URL initiates an HTTPS connection to the GUI:
https://<management_server_public_IP_address>

To access the GUI using an IPv6 address, use the following URL:
https://[mgmtserver_ipv6_addr]

For example:
https://[3ffe:80c0:22c:803c:215:17ff:fed3:207]/smsflex/VPlexConsole.html

Note: Accessing the VPLEX GUI or the VPLEX CLI over IPv6 is possible only if the client
machine is also in an IPv6 network.

The GUI encrypts all traffic using a server certificate. “Creating a host certificate” on
page 28 provides more information.

Note: The GUI has a timer that logs the user out after 10 minutes of inactivity. You can
modify the timeout value to a maximum of 12 hours.

Using IPsec VPN in a VPLEX Metro implementation


The management server in each VPLEX Metro cluster must connect to each other over a
Virtual Private Network (VPN) through the public Ethernet port, as shown in Figure 3.


Figure 3 IPsec VPN connection: the eth3 ports of management server 1 (Cluster 1) and
management server 2 (Cluster 2) are joined across the customer IP network by an IPsec
tunnel. On its eth0 and eth2 ports, Cluster 1 uses Subnet A 128.221.252.32/27 and
Subnet B 128.221.253.32/27; Cluster 2 uses Subnet A 128.221.252.64/27 and Subnet B
128.221.253.64/27.

Although you might have already secured the network connections between two VPLEX
Metro or VPLEX Geo clusters, the management servers must establish an explicit VPN
connection, to acknowledge that the remote management server has full management
control over the local cluster and its resources.
The VPLEX management server uses strongSwan, an open source implementation of IPsec
for Linux.

Using SCP to copy files


The Secure Copy Protocol (SCP) allows users to transfer files to and from the management
server. SCP uses the same credentials as SSH. Popular SCP clients are WinSCP and PSCP
provided by the PuTTY package, and the SCP client provided by OpenSSH.

Using a tunneled VNC connection to access the management server desktop


The SSH protocol provides a mechanism for communication through an encrypted SSH
connection. Most SSH clients, such as OpenSSH and PuTTY, allow users to establish SSH
tunnels by specifying a port on their local machine (source port), and a port on the
management server (destination port).
Access to the management server's desktop is provided by VNC access through an SSH
tunnel. Users must first establish an SSH tunnel between destination port 5901 and local
port 5901, and then connect a VNC viewer to local port 5901. Popular VNC clients are
RealVNC and TightVNC.
To establish a tunnel, you must log in with your standard SSH credentials. After a
successful login, the SSH client program must remain running, to allow the SSH tunnel to
remain operational.
Follow these steps to establish a tunneled VNC connection using PuTTY:
1. Launch PuTTY.exe, and configure the PuTTY window as shown in Figure 4 and the
following:
• Server address — Public IP address of the VPLEX management server.

• Session name — Type a name for the PuTTY session you are configuring. This
allows you to load the saved session if you need to reconnect later, eliminating the
need to configure the individual parameters again.
• Default settings — Verify, and set as shown if necessary.

Figure 4 PuTTY Configuration window: Server address set to the management server's
public IP address, Session name set to a name such as PuTTY_VNC, remaining settings
left at their defaults.

2. Expand SSH in the Category list, and click Tunnels.


3. Configure the SSH port forwarding parameters as shown in Figure 5, and then click
Add.

Figure 5 PuTTY configuration: SSH port forwarding parameters (Tunnels page, Source port
5901, Destination localhost:5901)

4. Click Open to establish an SSH tunnel to the management server. When prompted, type
the account password.
5. Authenticate as usual, and leave the PuTTY window open.
6. Launch the VNC viewer, and connect to localhost:5901.

IP addresses and component IDs


The IP addresses of the VPLEX hardware components are determined by a set of formulae
that depend on the internal management network (A or B), the Cluster IP Seed, and (for
directors) the Enclosure ID (which matches the engine number).
Figure 6 on page 8 shows the IP addresses in a cluster with a Cluster IP Seed of 1, and
Figure 7 on page 9 shows the addresses for a Cluster IP Seed of 2. Note that the Cluster IP
Seed is the same as the Cluster ID, which depends on the following VPLEX
implementation:
◆ VPLEX Local - The Cluster ID is always 1.
◆ VPLEX Metro or VPLEX Geo - The Cluster ID for the first cluster that is set up is 1, and
the second cluster is 2.

Note: The management server supports the coexistence of both the IPv6 and IPv4
address. However, the directors only support IPv4 addresses.
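The guide states that the component addresses follow a set of formulae but does not print them. The following Python is an added example, not code from the EMC guide: its rules are inferred from the address values in Figures 6 through 9 and the /27 subnets in Figure 3, and reproduce every address in those figures. It also maps an address seen in firewall rules or a capture on the private management networks back to its component, which helps when auditing what is allowed to talk on those networks. The function and component names are my own.

```python
"""Compute and decode VPLEX internal management-network addresses.

Added example, not code from the EMC guide. The guide says component
addresses are determined by formulae driven by the management network
(A or B), the Cluster IP Seed and the Enclosure ID; the rules below are
inferred from the values in Figures 6 through 9 and Figure 3.
"""
import ipaddress
from typing import Optional

# Network A is 128.221.252.x, network B is 128.221.253.x (from the figures).
NETWORK_PREFIX = {"A": "128.221.252", "B": "128.221.253"}
CLUSTER_BLOCK = 32   # each cluster owns one /27 (32 addresses) per network
MAX_ENGINES = 4      # Enclosure IDs 1-4 match the engine numbers


def component_address(network: str, seed: int, component: str,
                      enclosure_id: Optional[int] = None,
                      director: Optional[str] = None) -> str:
    """Return the IPv4 address of a component on one management network.

    component is "management-server", "fc-switch" or "director"; a director
    also needs enclosure_id (1-4) and director ("A" or "B").
    """
    if network not in NETWORK_PREFIX:
        raise ValueError(f"unknown management network {network!r}")
    if seed not in (1, 2):
        raise ValueError("Cluster IP Seed (Cluster ID) must be 1 or 2")
    base = CLUSTER_BLOCK * seed            # .32 for cluster 1, .64 for cluster 2
    if component == "management-server":
        host = base + 1                    # .33 / .65
    elif component == "fc-switch":
        host = base + 2                    # .34 / .66 (switch A on net A, B on net B)
    elif component == "director":
        if enclosure_id not in range(1, MAX_ENGINES + 1):
            raise ValueError("enclosure_id must be 1-4 (the engine number)")
        if director not in ("A", "B"):
            raise ValueError("director must be 'A' or 'B'")
        # Directors occupy consecutive pairs from .35: nA is odd, nB is even.
        host = base + 2 * enclosure_id + (1 if director == "A" else 2)
    else:
        raise ValueError(f"unknown component {component!r}")
    return f"{NETWORK_PREFIX[network]}.{host}"


def cluster_subnets(seed: int) -> dict:
    """Return the cluster's /27 subnet on each management network (Figure 3)."""
    base = CLUSTER_BLOCK * seed
    return {net: ipaddress.ip_network(f"{prefix}.{base}/27")
            for net, prefix in NETWORK_PREFIX.items()}


def identify(address: str) -> Optional[str]:
    """Map an address seen in logs or firewall rules back to its component.

    Returns e.g. "cluster 2, network B, director 3A", "... unassigned" for
    a spare address inside a VPLEX subnet, or None for an address outside
    the VPLEX management subnets.
    """
    ip = ipaddress.ip_address(address)
    for seed in (1, 2):
        for net, subnet in cluster_subnets(seed).items():
            if ip not in subnet:
                continue
            offset = int(ip) - int(subnet.network_address)
            if offset == 1:
                what = "management server"
            elif offset == 2:
                what = f"FC switch {net}"
            elif 3 <= offset <= 2 + 2 * MAX_ENGINES:
                engine = (offset - 1) // 2
                side = "A" if offset % 2 else "B"
                what = f"director {engine}{side}"
            else:
                what = "unassigned"        # worth a closer look in an audit
            return f"cluster {seed}, network {net}, {what}"
    return None


if __name__ == "__main__":
    for addr in ("128.221.252.33", "128.221.253.70", "128.221.252.100"):
        print(addr, "->", identify(addr))
```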


VPLEX VS1 hardware

Cluster IP Seed = 1; Enclosure IDs = engine numbers

Component              Management network A    Management network B
Management server      128.221.252.33          128.221.253.33
FC switch A            128.221.252.34          -
FC switch B            -                       128.221.253.34
Director 1A            128.221.252.35          128.221.253.35
Director 1B            128.221.252.36          128.221.253.36
Director 2A            128.221.252.37          128.221.253.37
Director 2B            128.221.252.38          128.221.253.38
Director 3A            128.221.252.39          128.221.253.39
Director 3B            128.221.252.40          128.221.253.40
Director 4A            128.221.252.41          128.221.253.41
Director 4B            128.221.252.42          128.221.253.42
Service port           128.221.252.2
Public Ethernet port   Customer-assigned

Figure 6 Component IP addresses in Cluster 1


Cluster IP Seed = 2; Enclosure IDs = engine numbers

Component              Management network A    Management network B
Management server      128.221.252.65          128.221.253.65
FC switch A            128.221.252.66          -
FC switch B            -                       128.221.253.66
Director 1A            128.221.252.67          128.221.253.67
Director 1B            128.221.252.68          128.221.253.68
Director 2A            128.221.252.69          128.221.253.69
Director 2B            128.221.252.70          128.221.253.70
Director 3A            128.221.252.71          128.221.253.71
Director 3B            128.221.252.72          128.221.253.72
Director 4A            128.221.252.73          128.221.253.73
Director 4B            128.221.252.74          128.221.253.74
Service port           128.221.252.2
Public Ethernet port   Customer-assigned

Figure 7 Component IP addresses in VPLEX Metro or VPLEX Geo Cluster 2

VPLEX VS2 hardware


Cluster IP Seed = 1; Enclosure IDs = engine numbers
(each director's A side is on management network A and its B side on management network B)

Component              A side (network A)      B side (network B)
Management server      128.221.252.33          128.221.253.33
FC switch A            128.221.252.34          -
FC switch B            -                       128.221.253.34
Director 1A            128.221.252.35          128.221.253.35
Director 1B            128.221.252.36          128.221.253.36
Director 2A            128.221.252.37          128.221.253.37
Director 2B            128.221.252.38          128.221.253.38
Director 3A            128.221.252.39          128.221.253.39
Director 3B            128.221.252.40          128.221.253.40
Director 4A            128.221.252.41          128.221.253.41
Director 4B            128.221.252.42          128.221.253.42
Service port           128.221.252.2
Public Ethernet port   Customer-assigned

Figure 8 Component IP addresses in Cluster 1


Cluster IP Seed = 2; Enclosure IDs = engine numbers
(each director's A side is on management network A and its B side on management network B)

Component              A side (network A)      B side (network B)
Management server      128.221.252.65          128.221.253.65
FC switch A            128.221.252.66          -
FC switch B            -                       128.221.253.66
Director 1A            128.221.252.67          128.221.253.67
Director 1B            128.221.252.68          128.221.253.68
Director 2A            128.221.252.69          128.221.253.69
Director 2B            128.221.252.70          128.221.253.70
Director 3A            128.221.252.71          128.221.253.71
Director 3B            128.221.252.72          128.221.253.72
Director 4A            128.221.252.73          128.221.253.73
Director 4B            128.221.252.74          128.221.253.74
Service port           128.221.252.2
Public Ethernet port   Customer-assigned

Figure 9 Component IP addresses in VPLEX Metro or VPLEX Geo Cluster 2

Implementing IPv6
In VPLEX, an IP address can be an IPv4 address, an IPv6 address, or both. While
VPLEX continues to support IPv4, it now also provides support for the full IPv6 stack as
well as dual stack IPv4/IPv6, including:
◆ Browser session
◆ VPN connection
◆ WAN link ports
◆ CLI session
◆ Cluster Witness
◆ RecoverPoint

Note: In a virtual private network, the end points must always be of the same address
family. That is, each leg in the VPN connection must either be IPv4 or IPv6.

Note: In Release 5.3, IPv6 is available only with new installations.

The transition from an IPv4 network to a network where IPv4 and IPv6 coexist is
challenging because the two protocols are not designed to be interoperable with each
other. Transition technologies such as tunneling, or other translator gateways are
required to exchange traffic between the two types of network.
The VPLEX management server uses the dual stack mechanism to deploy IPv6. This
mechanism provides complete support for both IPv4 and IPv6, and allows applications to
communicate over both IPv4 and IPv6. Which IP version is used for a given connection
depends on the result of the name lookup and on the application's preference.
Table 1 describes IPv6 support on VPLEX components along with additional notes.

Table 1 IPv6 support on VPLEX components

VPLEX component     Supports IPv4   Supports IPv6   Co-existence   Notes
Management server   Yes             Yes             Yes            The management server supports only
                                                                   global scope IPv6 static address
                                                                   configuration. It supports the
                                                                   coexistence of both the IPv4 and IPv6
                                                                   address.
Director            Yes             No              No             Directors continue to support IPv4
                                                                   addresses only.
Cluster Witness     Yes             Yes             Yes            The IPv6 address for a cluster witness
                                                                   can be specified using vCenter or the
                                                                   VMware console -> Configure Network.
WAN COM             Yes             Yes             No             The IP-WAN-COM link operates on either
                                                                   IPv4 or IPv6.
VASA Provider       Yes             No              No             Although VPLEX SMS supports IPv6, the
                                                                   VASA provider continues to support
                                                                   only IPv4 in Release 5.3. Therefore,
                                                                   VASA providers running in an IPv6
                                                                   environment must specify the IPv4 SMS
                                                                   address for VASA provider setup or
                                                                   registration.
RecoverPoint        Yes             Yes             Yes            RecoverPoint can communicate with the
                                                                   management server using either an IPv4
                                                                   address or an IPv6 address.
Directory service   Yes             Yes             Yes            The IP address can be specified during
                                                                   the LDAP configuration. To change the
                                                                   configured IP address, the
                                                                   configuration must be recreated.

The VPLEX Administration Guide provides additional information on IPv6.

Security configuration settings


This section provides an overview of user accounts and privileges.


User roles, accounts, and privileges


Table 2 provides an overview of VPLEX accounts and associated privileges.

Table 2 VPLEX user accounts and privileges

Management server (1)

  service account, default password Mi@Dim7T (2)
  • Access to the management server, VPlexcli, and Unisphere for VPLEX GUI
  • Ability to start and stop management server services
  • Execute permissions for VPlexcli related scripts
  • Ability to execute VPlexcli commands
  • Read/write access to log files

  admin account, default password teS6nAX2 (3)
  • Access to the management server, VPlexcli, and Unisphere for VPLEX GUI
  • Ability to create, modify, and delete new user accounts
  • Ability to execute VPlexcli commands
  • Read-only access to log files

  user accounts
  • Access to the management server, VPlexcli, and Unisphere for VPLEX GUI
  • Restricted access to management server native functions
  • Read-only access to log files

Fibre Channel COM switch (4)

  service account (5), default password Mi@Dim7T (2)
  • Access to the Fibre Channel internal switch interface
  • Ability to start and stop switch services

  admin account, default password Ry3fog4M (4)
  • Access to the Fibre Channel internal switch interface
  • Ability to add and delete other accounts on the switch interface
  • Ability to change passwords on the switch interface

  user account, default password jYw13ABn
  • Access to the Fibre Channel switch interface

1. You cannot delete the default management server accounts.
2. Given the elevated permissions granted to the service account, its password must be changed in order to
better protect VPLEX from misuse or abuse of those privileges. “Changing the service account
password” on page 20 provides more information.
3. The first user who logs in as admin is prompted to change this password, which is required before any
user can log in to the VPlexcli as admin. To change the password when prompted, follow the steps in
“Changing passwords” on page 19, with the exception of step 4 (because you are asked to change the
password after you log in).
4. Fibre Channel COM switches exist only in dual-engine and quad-engine VPLEX clusters.
5. In switches that are shipped for field replacement or hardware upgrade (rather than as part of a cabinet
system), the admin account password is password, and there is no service account.

VPLEX operations and account types


Table 3 provides an overview of specific operations that each account type can perform on
a VPLEX component.

Table 3 VPLEX operations and account types

Component            Operation                                    service   admin   user
Management server    Startup and shutdown                         Yes       No      No
                     Create, modify, and delete users             No        Yes     No
                     Modify your own password                     Yes       Yes     Yes
                     Update or reset passwords for other users    No        Yes     No
                     Set IP configuration                         Yes       No      No
                     Change host names                            Yes       No      No
                     Start or stop NTP                            Yes       No      No
                     Start or stop VPN                            Yes       No      No
                     Install, upgrade, backup, and restore        Yes       No      No
                     Run CRON jobs                                Yes       Yes     Yes
VPLEX CLI (VPLEX     Configure SNMP                               Yes       Yes     Yes
management)          Manage users and passwords                   No        Yes     No
                     Manage password policy                       No        Yes     No
                     Configure CallHome                           Yes       Yes     Yes
                     Create or renew certificates                 Yes       Yes     Yes
                     Start and stop NTP                           Yes       Yes     Yes
                     Configure LDAP                               Yes       Yes     Yes
                     Configure VPN                                Yes       Yes     Yes
                     Configure Cluster Witness                    Yes       Yes     Yes
                     Run EZ-Setup                                 Yes       Yes     Yes
                     Configure and manage storage                 Yes       Yes     Yes
Fibre Channel COM    Log in                                       Yes       Yes     Yes
switch               Run switch commands                          Yes       Yes     Yes

Configuring user authentication


VPLEX customers can choose to configure their user accounts using either:
◆ An external OpenLDAP or Active Directory server which integrates with Unix using
Service for UNIX 3.5, Identity Management for UNIX, or other authentication service.
OpenLDAP and Active Directory users are authenticated by the server. Usernames and
passwords created on an external server are fetched from the remote system to the
VPLEX system each time they are used.
◆ The VPLEX management server. Usernames and passwords are created locally on the
VPLEX system, and are stored on VPLEX.
Customers who do not want to use an external LDAP server for maintaining user accounts
can create their user accounts on the VPLEX system itself.
VPLEX is pre-configured with two default user accounts: admin and service.
To avoid conflicts with VPLEX local users, user accounts created using external LDAP
servers must not include or use the following default user accounts and their respective
UIDs:
◆ admin (UID=1001)
◆ service (UID=1000)

Note: External LDAP server must not use the root user account for authentication.

Refer to the VPLEX CLI Guide for information on the commands used to configure user
authentication.

Default groups
The following table describes the available groups and their group IDs.

Table 4 Default groups and their group IDs

Group Group ID

groupSvc 1000

groupAdmSvc 1001

groupAllUsr 1002

service 1003

Implementing LDAP
In Release 5.2 and later, LDAP configuration is securely persisted using an internal
security component. This eliminates bind user credential vulnerabilities. The new
implementation of LDAP includes the following:
◆ A new internal security component that ensures information is securely persisted.
◆ Support for Directory Server groups, a logical collection of users. Groups can be
specified using the configuration commands and can be added or removed using the
map and unmap commands.

Note: Nested groups and dynamic groups are not supported.

◆ Mapping of Organizational Units (OUs) is not supported. Use of groups to map multiple
users is recommended.
For upgraded systems or systems that have not previously had LDAP configured, existing
configuration information or the way it is persisted is not automatically modified.
Authentications continue as they were prior to upgrade. However, users can continue to
be mapped or unmapped with the old configuration.
To use the new implementation in a system where an LDAP configuration already exists,
the LDAP configuration must be reconfigured (unconfigured and configured) to leverage
the new security features.

Note: The default configuration of LDAP does not support TLS. It is recommended to use
the LDAPS protocol for secure communication between the Management Server and the
Directory Server.

Note: LDAP configuration in the Management Server requires directory server attributes
which are not explicitly captured during the EZSetup interview process. Default values are
used instead, which causes configuration issues only for Microsoft Windows Active Directory
Server. Instead, use the authentication directory-service configure command to
configure the management server with the Microsoft Windows Active Directory configuration
details after completing EZSetup.

The VPLEX CLI Guide provides information on the commands used to configure LDAP.

Password policy
The VPLEX management server uses a Pluggable Authentication Module (PAM)
infrastructure to enforce minimum password quality. It uses pam_cracklib, a library that
checks for dictionary words, to check potential passwords.

Table 5 Default password policies

Policy name                   Description                                                  Default value
Minimum password length       The minimum number of characters used when creating or       8
                              changing a password.
Minimum password age          The minimum number of days a password cannot be changed      1
                              after the last password change.
Maximum password age          The maximum number of days that a password can be used       90
                              since the last password change. After the maximum number
                              of days, the account is locked and the user must contact
                              the admin user to reset the password.
Password expiration warning   The number of days before the password expires. A warning    15
                              message indicating that the password must be changed is
                              displayed.
Password inactive days        The number of days after a password has expired before the   1
                              account is locked.

In Release 5.2 and later, the management server uses the default value for the password
policies listed in Table 5, and you can configure each password policy to meet your
specific needs. The new value will be updated in the appropriate configuration file, and
existing users will be updated with the new configuration. Refer to the VPLEX CLI Guide for
information on the commands used to set password policies and the values allowed.
Note the following:
◆ Password policies do not apply to users configured using the LDAP server.
◆ Password policies do not apply to the service account.
◆ The Password inactive days policy does not apply to the admin account to protect the
admin user from account lockouts.
◆ During the management server software upgrade, an existing user’s password is not
changed; only the user’s password age information changes.
◆ You must be an admin user to configure a password policy.

Password policy default values after an upgrade


Note the following:
◆ If upgrading from a release prior to 5.1 to release 5.2, the default values will be new
(see Table 5). If desired, you can change these values. Refer to the VPLEX CLI Guide for
information on setting password policies.
◆ If upgrading from release 5.1 to 5.2, the admin user will no longer have the 90 day
expiration set. The default value for the minimum password length will be 14 as it was
set previously. You can change this value if desired. Refer to the VPLEX CLI Guide for
information on setting password policies.
◆ After upgrading to release 5.2, the admin user will not be locked after the password
expires. If the password for the administrator account has not been changed since the
last 91 days, after upgrading to release 5.2, the admin user will be forced to change
the password on the first login (after it has expired).

Valid password characters


The following characters are allowed in a VPlexcli password:
◆ A-Z
◆ a-z
◆ 0-9
◆ . ? / * @ ^ % # + = - _ ~ : space

Note: A space is allowed only between the characters in a password, not in the beginning
or the end of the password.
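The rules in Table 5 and the valid-character list above, as an added Python example that is not from the EMC guide: it reports the length and character violations for a candidate VPlexcli password, and classifies a local account's password-aging state from its last-change date, applying the exceptions the guide states (LDAP users and the service account are exempt; the admin account is never locked for inactivity). The pam_cracklib dictionary check is not reproduced, and the function and account names are my own.

```python
"""Model the VPLEX local password policy (Table 5) and the valid character
list. Added example, not code from the EMC guide; the pam_cracklib
dictionary check the guide mentions is not reproduced here.
"""
import string
from datetime import date, timedelta
from typing import List

# "Valid password characters": A-Z, a-z, 0-9 and this punctuation set.
# A space is allowed only between characters, never first or last.
ALLOWED = set(string.ascii_letters + string.digits + ".?/*@^%#+=-_~:")
SPACE = " "

# Table 5 defaults: min_length in characters, the rest in days.
DEFAULT_POLICY = {
    "min_length": 8,
    "min_age": 1,
    "max_age": 90,
    "expiration_warning": 15,
    "inactive_days": 1,
}


def check_password_characters(candidate: str, policy=DEFAULT_POLICY) -> List[str]:
    """Return the rule violations for a candidate password (empty list = accepted)."""
    problems = []
    if len(candidate) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    bad = sorted({c for c in candidate if c not in ALLOWED and c != SPACE})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    if candidate[:1] == SPACE or candidate[-1:] == SPACE:
        problems.append("space at the beginning or end")
    return problems


def password_state(account: str, last_change: date, today: date,
                   source: str = "local", policy=DEFAULT_POLICY) -> str:
    """Classify an account's password as 'exempt', 'ok', 'warning',
    'expired' or 'locked' on the given day."""
    # Policies apply only to local accounts, and never to the service account.
    if source != "local" or account == "service":
        return "exempt"
    age = (today - last_change).days
    if age <= policy["max_age"] - policy["expiration_warning"]:
        return "ok"
    if age <= policy["max_age"]:
        return "warning"            # the expiry warning is shown at login
    # Past the maximum age: lockout follows after inactive_days, except for
    # admin, which the guide exempts so the administrator cannot be locked out.
    if account != "admin" and age > policy["max_age"] + policy["inactive_days"]:
        return "locked"
    return "expired"                # must change the password at next login


def change_allowed(last_change: date, today: date, policy=DEFAULT_POLICY) -> bool:
    """Minimum password age: no further change within min_age days of the last one."""
    return (today - last_change).days >= policy["min_age"]


if __name__ == "__main__":
    # Constructed sample: a local user whose password was last set on 3 Feb 2014.
    last = date(2014, 2, 3)
    for days in (30, 80, 91, 92):
        print(days, "days:", password_state("alice", last, last + timedelta(days=days)))
    print(check_password_characters(" Tr0ub4dor!"))
```

For a system upgraded from release 5.1, where the guide says the minimum length stays at 14, pass `dict(DEFAULT_POLICY, min_length=14)` as the policy.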

Manage user accounts


◆ “Adding user accounts” on page 19
◆ “Changing passwords” on page 19
◆ “Resetting passwords” on page 20
◆ “Changing the service account password” on page 20
◆ “Deleting user accounts” on page 21

Adding user accounts

Note: In a VPLEX Metro or Geo configuration, VPLEX CLI accounts created on one
management server are not propagated to the second management server. The user list
command displays only those accounts configured on the local management server, not
both servers.

An admin user can create a new account as follows:
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP
address of the VPLEX management server.
2. Log in with username admin.
3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli:
• If VPLEX GeoSynchrony 4.0.x is running on the cluster:
telnet localhost 49500
• If VPLEX GeoSynchrony 4.1.x or later is running on the cluster:
vplexcli
Log in with username admin.
4. From the VPlexcli prompt, type the following command:
user add -u <username>
a. When prompted, type the admin account password.
b. When prompted for a password for the new user, type a password that adheres to
the rules in “Password policy” on page 17.
c. When prompted, retype the new password.

Note: The new user must change the password the first time he or she logs in.

Changing passwords
Any user can change his/her own password as follows:
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP
address of the VPLEX management server.
2. Log in with the applicable username.
3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli:
• If VPLEX GeoSynchrony 4.0.x is running on the cluster:
telnet localhost 49500
• If VPLEX GeoSynchrony 4.1.x or later is running on the cluster:
vplexcli
Log in with the applicable username.
4. From the VPlexcli prompt, type the following command:
user passwd -u <username>
a. When prompted, type the old password.
b. When prompted for a new password, type a password that adheres to the rules in
“Password policy” on page 17.
c. When prompted, retype the new password.

Resetting passwords
An admin user can reset passwords for other users as follows:
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP
address of the VPLEX management server.
2. Log in with username admin.
3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli:
• If VPLEX GeoSynchrony 4.0.x is running on the cluster:
telnet localhost 49500
• If VPLEX GeoSynchrony 4.1.x or later is running on the cluster:
vplexcli
Log in with username admin.
4. From the VPlexcli prompt, type the following command:
user reset -u <username>
a. When prompted, type the admin account password.
b. When prompted for a password for the user, type a password that adheres to
the rules in “Password policy” on page 17.
c. When prompted, retype the new password.

Note: The user must change the password the next time he or she logs in.

Changing the service account password

EMC recommends that you change the default service password. For instructions on
changing the password, see “Changing passwords”, or ask the EMC representative
installing VPLEX to modify it. In order to provide optimal protection for the powerful
service account, changing its default password must be considered a requirement. The
service account is used by EMC to provide remote support through the EMC ESRS gateway.
Therefore, the service password must be updated or recorded in the customer service
database in order to provide this support.
The service password must be changed in two locations:
◆ Management server
◆ Fibre Channel switches
To change the service password on the Fibre Channel switches, use the switch's passwd
command.

Deleting user accounts


An admin user can delete a different account as follows:
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP
address of the VPLEX management server.
2. Log in with username admin.
3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli:
• If VPLEX GeoSynchrony 4.0.x is running on the cluster:
telnet localhost 49500

• If VPLEX GeoSynchrony 4.1.x or later is running on the cluster:


vplexcli

Log in with username admin.


4. From the VPlexcli prompt, type the following command:
user remove -u <username>

When prompted, type the admin account password.

Log file settings


This section describes log files relevant to security.

Log file location


Table 6 lists the name and location of VPLEX component log files relevant to security.

Table 6 VPLEX component log files

Component                 Location
Unisphere for VPLEX       /var/log/VPlex/cli/session.log_<username>
Management server OS      /var/log/messages
ConnectEMC                /var/log/ConnectEMC/logs/ConnectEMC.log files
Firewall                  /var/log/firewall
VPN (ipsec)               /var/log/events.log

Log file management and retrieval


All logs rotate automatically, to avoid unbounded consumption of disk space.

Communication security settings


This section describes the communication security settings that enable you to establish
secure communication channels between VPLEX components, as well as VPLEX
components and external systems.

IP WAN COM
A VPLEX Metro or a VPLEX Geo system does not support native encryption over an IP
WAN COM link. EMC recommends that you deploy an external encryption solution such as
IPsec to achieve data confidentiality and endpoint authentication over IP WAN COM links
between clusters.

Accessibility
To establish secure communication, note the following:
◆ The following protocols must be allowed on the customer firewall (both in the
outbound and inbound filters):
# Encapsulating Security Payload (ESP): IP protocol number 50
# Authentication Header (AH): IP protocol number 51
◆ The following ports must be allowed on the customer firewall:
# Internet Key Exchange (IKE): UDP port 500
# NAT Traversal in the IKE (IPsec NAT-T): UDP port 4500
# Secure Shell (SSH): TCP port 22
◆ Static IP addresses must be assigned to the public port on each management server
(eth3) and to the public port of the Cluster Witness Server. If these IP addresses are in
different subnets, the IP management network must be able to route packets between
all such subnets.
◆ The firewall configuration settings in the IP management network must not prevent the
creation of IPsec tunnels. Cluster Witness traffic as well as VPLEX management traffic
leverages VPN tunnels established on top of IPsec.
◆ The IP management network must be capable of transferring SSH traffic between the
management servers and the Cluster Witness Server.
◆ The IP management network must be capable of transferring ICMP traffic between the
management servers and the Cluster Witness Server in order to enable configuration,
upgrade, and diagnostics of Cluster Witness.
◆ The required minimum value for Maximum Transmission Unit (MTU) is 1500 bytes.
Configure MTU as 1500 or larger.

Note: The IP management network must not be able to route to the following reserved
VPLEX subnets: 128.221.252.0/24, 128.221.253.0/24, and 128.221.254.0/24.

Note: If VPLEX is deployed with IP inter-cluster network, the inter-cluster network must not
be able to route to the following reserved VPLEX subnets: 128.221.252.0/24,
128.221.253.0/24, and 128.221.254.0/24.
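As an added example (not from this guide), the requirements above written as a small audit script: it reports any required IPsec, SSH or ICMP flow that a firewall description does not permit in both directions, an MTU below 1500, and any route (including a covering supernet) that reaches the reserved VPLEX subnets. The Rule structure and the list-of-prefixes route format are this example's own assumptions, not a VPLEX or firewall-vendor format.

```python
"""Audit a management-network description against the Accessibility requirements:
IPsec protocols and ports allowed inbound and outbound, ICMP for Cluster Witness,
MTU of at least 1500, and no route into the reserved VPLEX subnets."""
import ipaddress
from dataclasses import dataclass

# Protocol numbers, ports, MTU minimum and reserved subnets as listed in the guide.
REQUIRED_FLOWS = {
    ("ip", 50): "ESP", ("ip", 51): "AH", ("ip", 1): "ICMP",
    ("udp", 500): "IKE", ("udp", 4500): "IPsec NAT-T", ("tcp", 22): "SSH",
}
MIN_MTU = 1500
RESERVED = [ipaddress.ip_network(n) for n in
            ("128.221.252.0/24", "128.221.253.0/24", "128.221.254.0/24")]


@dataclass(frozen=True)
class Rule:
    """One allow entry of the firewall (this example's own shape, not a vendor format)."""
    proto: str      # "ip" for a raw IP protocol, otherwise "udp" or "tcp"
    number: int     # IP protocol number for "ip", else the destination port
    direction: str  # "in" or "out"


def audit(rules, routes, mtu):
    """Return a list of findings; an empty list means every listed requirement is met.
    `routes` are destination prefixes the management network can reach."""
    findings = []
    allowed = {(r.proto, r.number, r.direction) for r in rules}
    for (proto, number), name in REQUIRED_FLOWS.items():
        for direction in ("in", "out"):
            if (proto, number, direction) not in allowed:
                findings.append(f"{name} ({proto}/{number}) not allowed {direction}bound")
    if mtu < MIN_MTU:
        findings.append(f"MTU {mtu} is below the required minimum of {MIN_MTU}")
    for prefix in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        # overlaps() also flags a supernet such as 128.221.0.0/16, which would
        # carry traffic into the reserved ranges just as a /24 route would.
        for reserved in RESERVED:
            if net.overlaps(reserved):
                findings.append(f"route {prefix} reaches reserved subnet {reserved}")
    return findings


def compliant_rules():
    """Allow entries in both directions for every required flow."""
    return [Rule(p, n, d) for (p, n) in REQUIRED_FLOWS for d in ("in", "out")]
```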

Port usage
Table 7 lists all the network ports and services used by VPLEX components. This
information, along with the firewall settings, is needed to use the product.

Table 7 Port Usage

Columns: Serial Number | Port | Function | Service | Management server 1 | Management Server 2 | Cluster Witness

1 | Public port TCP/22 | Log in to management server OS, copy files to and from the management server using the SCP sub-service, and establish SSH tunnels | SSH | Yes | Yes | Yes
2 | Service port TCP/22 | Same as row 1 | SSH | Yes | Yes | Yes
3 | Public port TCP/21 | ESRS (EMC Secure Remote Service) access to VPLEX | ESRS | Yes | Yes | No
4 | Public port TCP/443 | Same as row 3 | ESRS | Yes | Yes | No
5 | Public port TCP/5400 to 5413 | Same as row 3 | ESRS | Yes | Yes | No
6 | Public port UDP/500 | IPSEC VPN | ISAKMP | Yes | Yes | Yes
7 | Public port UDP/4500 | IPSEC VPN | IPSEC NAT traversal | Yes | Yes | Yes
8 | Public port UDP/123 | Time synchronization service | NTP | Yes | Yes | No
9 | Public port TCP/161 | Get performance statistics | SNMP | Yes | Yes | No
10 | Public port UDP/161 | Same as row 9 | SNMP | Yes | Yes | No
11 | Public port TCP/443 | Web access to the VPLEX Unisphere for VPLEX's graphical user interface | HTTPS | Yes | Yes | No
12 | Service port TCP/443 | Same as row 11 | HTTPS | Yes | Yes | No
13 | Localhost TCP/5901 (1) | Access to the management server's desktop. Not available on the public network. Must be accessed through SSH tunnel. | VNC | Yes | Yes | No
14 | Localhost TCP/49500 (2) | VPlexcli. Not available on the public network. Must be accessed through SSH. | Telnet | Yes | Yes | No
15 | Public port UDP/53 | Domain Name Service | DNS | Yes | Yes | Yes
16 | Any firewall between the Cluster Witness Server and the management servers needs to allow traffic for IP protocol numbers 1 (ICMP), 50 (ESP) and 51 (AH) | | | Yes | Yes | Yes

1. No specific customer firewall settings are required.
2. No specific customer firewall settings are required.

Communication specifications - VPLEX Geo/Metro system

Figure 10 illustrates the communication between VPLEX components in a VPLEX Metro or
a VPLEX Geo system.

Figure 10 VPLEX Geo or a VPLEX Metro system (diagram: VPLEX Cluster 1 and VPLEX
Cluster 2, each with a Management Server (B and C), connected over the Customer IP
Network to the VPLEX Cluster Witness (D), the VPLEX Management Client (A), and the
ESRS Server (E))

Table 8 describes the possible communication between the VPLEX components in a
VPLEX Geo or a VPLEX Metro system.

Table 8 Communication in a VPLEX Geo/Metro system

Columns: Serial Number | A <-> B | A <-> C | A <-> D | B <-> C | B <-> D | B <-> E | C <-> D | C <-> E

1 | Yes Yes Yes (only for initial setup) Yes Yes Yes
2 | Yes Yes Yes (only for initial setup) Yes Yes Yes
3 | Yes Yes
4 | Yes Yes
5 | Yes Yes
6 | Yes Yes Yes
7 | Yes Yes Yes
8 | Yes
9 | Yes Yes
10 | Yes Yes
11 | Yes Yes
12 | Yes Yes
13 | Yes Yes
14 | Yes Yes
15 | Yes Yes
16 | Yes Yes Yes

Legend:
◆ A - VPLEX Management Client
◆ B - Management Server 1
◆ C - Management Server 2
◆ D - VPLEX Cluster Witness
◆ E - ESRS Server

Communication specifications - VPLEX Local system

Figure 11 illustrates the communication between VPLEX components in a VPLEX Local
system.

Figure 11 VPLEX Local System (diagram: VPLEX Cluster 1 with its Management Server (B),
connected over the Customer IP Network to the VPLEX Management Client (A) and the
ESRS Server (C))

Table 9 describes the possible communication between the VPLEX components in a
VPLEX Local system.

Table 9 Communication in a VPLEX Local system

Serial Number A <-> B B <-> C

1 Yes

2 Yes

3 Yes

4 Yes

5 Yes

9 Yes

10 Yes

11 Yes

12 Yes

13 Yes

14 Yes

15

16

Legend:
◆ A - VPLEX Management Client
◆ B - Management Server 1
◆ C - ESRS Server

Network encryption
The VPLEX management server supports SSH through the sshd daemon provided by the
FIPS compliant OpenSSH package. It supports version 2 of the SSH protocol.
When the management server starts for the first time, the sshd daemon generates
key-pairs (private and public key) for communication with SSH clients. rsa and dsa
key-pairs are generated to support communication with SSH version 2 clients. All keys
have a 2048 bit length.
The HTTPS protocol and the IPsec VPN use an X.509 host certificate to identify the server
and encrypt all traffic. X.509 host certificates use a 2048 bit host key. During initial setup
of a VPLEX cluster, a local Certification Authority (which signs the host certificate request)
is created automatically. Currently, VPLEX does not support a corporate Certification
Authority signing the host certificate requests.

Creating a local Certification Authority


A Certification Authority (CA) on the VPLEX management server must be created solely for
the purposes of signing management server certificates.
The VPlexcli command security create-ca-cert creates a CA certificate file and private key
protected by a passphrase. By default, this command creates the following:
◆ A 2048-bit CA key in /etc/ipsec.d/private/strongswanKey.pem
◆ A CA certificate in /etc/ipsec.d/cacerts/strongswanCert.pem that remains valid for
1825 days (5 years)
You must provide a passphrase for the CA key and the CA certificate subject. The CA
certificate subject must be the VPLEX cluster's serial number (found on the label attached
to the top of the VPLEX cabinet). If you are creating a CA certificate for a VPLEX Metro or
VPLEX Geo implementation, you can use either cluster's serial number.

Creating a host certificate

Note: Host certificates are created as a part of EZsetup during a first time installation.

The VPlexcli command security create-host-certificate generates a host certificate request
and signs it with the Certification Authority certificate created as described in “Creating a
local Certification Authority” on page 28. By default, this command creates the following:
◆ A 2048-bit key in /etc/ipsec.d/private/hostKey.pem
◆ A host certificate in /etc/ipsec.d/certs/hostCert.pem that remains valid for 730 days
(2 years)
You must provide the CA key passphrase for the host key and the host certificate subject
which must be the cluster's serial number (found on the label attached to the top of the
VPLEX cabinet).

Installing the host certificate for use by HTTPS


At the Linux shell prompt on the management server, type the following command to
transform the X.509 certificate into jks format for use by tomcat:
sudo /opt/emc/VPlex/tools/utils/JKSsetup.pl

You must provide the host certificate's passphrase before converting the host certificate
into a format suitable for HTTPS service.

Obtaining host certificate and host key fingerprints


When users first connect to the management server over SSH or by connecting to the GUI
using the HTTPS protocol, they are asked to confirm the server's identity. Most client
programs display the management server's fingerprints as MD5 or SHA1 checksums,
allowing users to verify that they are connected to the VPLEX management server and not
to another machine, possibly deployed to harvest logins and passwords for a
man-in-the-middle attack.
Once a user confirms the management server's identity, subsequent connections will not
ask for this confirmation, but instead warn the user if the management server's fingerprint
has changed, which may be another indication of a man-in-the-middle attack.
A VPLEX administrator might be asked by security-conscious users for the fingerprints of
both the X.509 certificate used for the GUI and the host keys used for SSH access to
the management server.

To find the host certificate's SHA1 and (for GUI users) MD5 fingerprints
1. At the Linux shell prompt, type the following command:
/etc/ipsec.d/certs # openssl x509 -noout -in hostCert.pem -fingerprint -md5

Output example:
MD5 Fingerprint=6E:2C:A5:8E:86:11:45:26:02:09:62:97:6F:18:FD:62

2. Type the following command:


/etc/ipsec.d/certs # openssl x509 -noout -in hostCert.pem -fingerprint -sha1

Output example:
SHA1 Fingerprint=2E:B0:DD:59:DD:C3:29:96:33:74:19:CC:A0:81:28:28:6F:4F:76:E4

To find the SSH key fingerprint (for SSH users)


1. At the Linux shell prompt, type the following command:
/etc/ssh > ssh-keygen -l -f ssh_host_dsa_key

Output example:
1024 52:42:70:0c:22:aa:2f:e3:09:18:93:c8:20:a4:78:0c ssh_host_dsa_key.pub

2. Type the following command:


/etc/ssh > ssh-keygen -l -f ssh_host_rsa_key

Output example:
1024 a4:d8:64:d0:24:b9:2c:3d:06:24:5f:3a:30:ba:83:f8 ssh_host_rsa_key.pub

3. Type the following command:


/etc/ssh > ssh-keygen -l -f ssh_host_ecdsa_key

Output example:
256 ca:05:f3:9a:3e:51:fe:53:51:90:39:bf:6b:f5:78:56 [MD5]root@ManagementServer (ECDSA)
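An added example (not part of this guide) of checking a fingerprint shown by a client against the value the administrator published: it formats digests the way the tools above do (openssl hashes the DER-encoded certificate, ssh-keygen -l hashes the decoded public-key blob) and extracts the fingerprint from either tool's output so that letter case and the surrounding banner do not matter. Any public-key line or byte string passed to these functions is a constructed sample.

```python
"""Verify a server fingerprint shown by an SSH or HTTPS client against the value the
VPLEX administrator published, using the same digest formatting as the tools above."""
import base64
import hashlib
import re

# A run of at least 16 colon-separated hex byte pairs (MD5 = 16 pairs, SHA1 = 20).
_HEX_FP = re.compile(r"(?:[0-9A-Fa-f]{2}:){15,}[0-9A-Fa-f]{2}")


def fingerprint(blob: bytes, algo: str = "md5") -> str:
    """Colon-separated hex digest of raw bytes. Pass the DER-encoded certificate for an
    openssl-style fingerprint, or the decoded public-key blob for an ssh-keygen -l one."""
    digest = hashlib.new(algo, blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def openssh_pubkey_blob(line: str) -> bytes:
    """Decode the key field of an OpenSSH public-key line ('type base64 [comment]'),
    which is the data ssh-keygen -l hashes (for example from ssh_host_rsa_key.pub)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public-key line")
    return base64.b64decode(fields[1])


def extract_fingerprint(text: str) -> str:
    """Pull the fingerprint out of tool output such as 'MD5 Fingerprint=6E:2C:...' or
    '1024 52:42:... ssh_host_dsa_key.pub' and return it lowercased."""
    match = _HEX_FP.search(text)
    if match is None:
        raise ValueError("no colon-separated hex fingerprint found")
    return match.group(0).lower()


def matches(shown: str, published: str) -> bool:
    """True when the fingerprint a client displayed and the published one carry the
    same digest, regardless of letter case or the tool banner around them."""
    return extract_fingerprint(shown) == extract_fingerprint(published)
```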

Data security settings


Encryption of data at rest: user passwords
Hashed user passwords are stored in /etc/shadow on the VPLEX management server.
GeoSynchrony uses a hardcoded hashing algorithm for the stored passwords.
Copyright © 2015 EMC Corporation. All rights reserved.

EMC believes the information in this publication is accurate as of its publication date. The information is subject
to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NO REPRESENTATIONS
OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY
DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software
license.

For the most up-to-date regulatory document for your product line, go to the Technical Documentation and
Advisories section on EMC Powerlink.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

All other trademarks used herein are the property of their respective owners.
