VPLEX Security Configuration Guide
VPLEX overview
An EMC® VPLEX® cluster consists of one, two, or four engines (each containing two
directors), and a management server. A dual-engine or quad-engine cluster also contains
a pair of Fibre Channel switches for communication between directors.
Each engine is protected by a standby power supply (SPS), and each Fibre Channel switch
gets its power through an uninterruptible power supply (UPS). In a dual-engine or
quad-engine cluster, the management server also gets power from a UPS.
The management server has a public Ethernet port, which provides cluster management
services when connected to the customer network. The management server can also
provide call-home services through the public Ethernet port by connecting to an EMC
Secure Remote Support (ESRS) gateway deployed on the same network. The ESRS
gateway is also used by EMC personnel to provide remote service.
Three VPLEX implementations are available:
◆ VPLEX Local (single cluster)
◆ VPLEX Metro (two clusters separated by synchronous distances)
◆ VPLEX Geo (two clusters separated by asynchronous distances)
In a VPLEX Metro or VPLEX Geo implementation, the clusters are connected over IP
between the management servers.
[Figure SYM-002272: quad-engine VPLEX cluster layout. Engine 1 to Engine 4, each with two standby power supplies (SPS); FC Switch A powered by UPS A and FC Switch B powered by UPS B; the Management Server.]
Security recommendations
While the Security Configuration Guide must be reviewed in its entirety, this section
serves to highlight EMC's most important security recommendations to ensure the
security of your data and environment.
◆ Given the elevated permissions granted to the service account, its password must be
changed in order to better protect VPLEX from misuse or abuse of those privileges.
“Changing the service account password” on page 20 provides more information.
◆ To protect your data in the communications between clusters in VPLEX Metro-IP and
Geo configurations, an external encryption solution such as IPsec must be used to
guarantee confidentiality and authentication for the IP WAN COM link. “IP WAN COM”
on page 22 provides more information.
◆ To protect the identity and integrity of your users and their account credentials, all
LDAP communication must be configured to use the LDAPS protocol. “Implementing
LDAP” on page 16 provides more information.
[Figure: management server connections. A service cable connects the customer service workstation to the eth1 Ethernet port; a customer-provided Ethernet cable connects the eth3 Ethernet port to the customer IP network.]
To access the GUI using an IPv6 address, use the following URL:
https://[mgmtserver_ipv6_addr]
For example:
https://[3ffe:80c0:22c:803c:215:17ff:fed3:207]/smsflex/VPlexConsole.html
Note: Accessing the VPLEX GUI or the VPLEX CLI over IPv6 is possible only if the client
machine is also in an IPv6 network.
The GUI encrypts all traffic using a server certificate. “Creating a host certificate” on
page 28 provides more information.
Note: The GUI has a timer that logs the user out after 10 minutes of inactivity. You can
modify the timeout value to a maximum of 12 hours.
[Figure IPsec_VPN: an IPsec tunnel across the customer IP network between the eth3 ports of Mgmt server 1 (Cluster 1) and Mgmt server 2 (Cluster 2). On each management server, eth0 and eth2 attach to the cluster's internal management subnets: Cluster 1 uses Subnet A 128.221.252.32/27 and Subnet B 128.221.253.32/27; Cluster 2 uses Subnet A 128.221.252.64/27 and Subnet B 128.221.253.64/27.]
Although you might have already secured the network connections between two VPLEX
Metro or VPLEX Geo clusters, the management servers must establish an explicit VPN
connection, to acknowledge that the remote management server has full management
control over the local cluster and its resources.
The VPLEX management server uses strongSwan, an open source implementation of IPsec
for Linux.
• Session name — Type a name for the PuTTY session you are configuring. This
allows you to load the saved session if you need to reconnect later, eliminating the
need to configure the individual parameters again.
• Default settings — Verify, and set as shown if necessary.
[Figure: PuTTY session settings. Session name: PuTTY_VNC; Server address: (default); Tunnels: 5901 forwarded to localhost:5901.]
Note: The management server supports the coexistence of both the IPv6 and IPv4
address. However, the directors only support IPv4 addresses.
Management network addresses for Cluster IP Seed = 1 (Enclosure IDs = engine numbers).
Figures Zep-028_1 and VPLX-000242 show the same assignments: management network A
is the 128.221.252.x side and management network B is the 128.221.253.x side.

Component               Management network A   Management network B
Engine 4, Director 4A   128.221.252.41         128.221.253.41
Engine 4, Director 4B   128.221.252.42         128.221.253.42
Engine 3, Director 3A   128.221.252.39         128.221.253.39
Engine 3, Director 3B   128.221.252.40         128.221.253.40
Engine 2, Director 2A   128.221.252.37         128.221.253.37
Engine 2, Director 2B   128.221.252.38         128.221.253.38
Engine 1, Director 1A   128.221.252.35         128.221.253.35
Engine 1, Director 1B   128.221.252.36         128.221.253.36
FC switch A             128.221.252.34         -
FC switch B             -                      128.221.253.34
Service port            128.221.252.2
Public Ethernet port    Customer-assigned

Management network addresses for Cluster IP Seed = 2 (Enclosure IDs = engine numbers).
Figures Zep-028_2 and VPLX-000243 show the same assignments.

Component               Management network A   Management network B
Engine 4, Director 4A   128.221.252.73         128.221.253.73
Engine 4, Director 4B   128.221.252.74         128.221.253.74
Engine 3, Director 3A   128.221.252.71         128.221.253.71
Engine 3, Director 3B   128.221.252.72         128.221.253.72
Engine 2, Director 2A   128.221.252.69         128.221.253.69
Engine 2, Director 2B   128.221.252.70         128.221.253.70
Engine 1, Director 1A   128.221.252.67         128.221.253.67
Engine 1, Director 1B   128.221.252.68         128.221.253.68
FC switch A             128.221.252.66         -
FC switch B             -                      128.221.253.66
Service port            128.221.252.2
Public Ethernet port    Customer-assigned
Implementing IPv6
In VPLEX, an IP address can be an IPv4 address, an IPv6 address, or both. While
VPLEX continues to support IPv4, it now also provides support for the full IPv6 stack as
well as dual-stack IPv4/IPv6, including:
◆ Browser session
◆ VPN connection
Note: In a virtual private network, the end points must always be of the same address
family. That is, each leg in the VPN connection must either be IPv4 or IPv6.
◆ RecoverPoint
The transition from an IPv4 network to a network where IPv4 and IPv6 coexist is
challenging because the two protocols are not designed to be interoperable with each
other. Transition technologies, such as tunneling or other translator gateways, are
required to exchange traffic between the two types of network.
The VPLEX management server uses the dual-stack mechanism to deploy IPv6. This
mechanism provides complete support for both IPv4 and IPv6, and allows applications to
talk to both IPv4 and IPv6. However, the choice of IP version is based on the name lookup
and application preference.
Table 1 describes IPv6 support on VPLEX components along with additional notes.
[Table 1 (rows not recovered): columns VPLEX Components, Supports IPv4, Supports IPv6, Co-existence, Notes.]
[Table of default accounts (rows not recovered): columns Component, Account Type, Default password, Privileges.]
User accounts are authenticated by one of the following:
◆ OpenLDAP and Active Directory
Users are authenticated by the server. Usernames and passwords created on an external
server are fetched from the remote system to the VPLEX system each time they are used.
◆ The VPLEX management server
Usernames and passwords are created locally on the VPLEX system, and are stored on
VPLEX.
Customers who do not want to use an external LDAP server for maintaining user accounts
can create their user accounts on the VPLEX system itself.
VPLEX is pre-configured with two default user accounts: admin and service.
To avoid conflicts with VPLEX local users, user accounts created using external LDAP
servers must not include or use the following default user accounts and their respective
UIDs:
◆ admin (UID=1001)
◆ service (UID=1000)
Note: The external LDAP server must not use the root user account for authentication.
Refer to the VPLEX CLI Guide for information on the commands used to configure user
authentication.
Default groups
The following table describes the available groups and their group IDs.
Group Group ID
groupSvc 1000
groupAdmSvc 1001
groupAllUsr 1002
service 1003
Implementing LDAP
Starting in Release 5.2, the LDAP configuration is securely persisted using an
internal security component. This eliminates bind user credential vulnerabilities. The new
implementation of LDAP includes the following:
◆ Use a new internal security component that ensures information is securely persisted.
◆ Support for Directory Server groups, a logical collection of users. Groups can be
specified using the configuration commands and can be added or removed using the
map and unmap commands.
Note: The default configuration of LDAP does not support TLS. It is recommended to use
the LDAPS protocol for secure communication between the Management Server and the
Directory Server.
Note: LDAP configuration in the Management Server requires directory server attributes
which are not explicitly captured during the EZSetup interview process. Default values are
used instead, which causes configuration issues only for Microsoft Windows Active
Directory Server. Instead, use the authentication directory-service configure command to
configure the management server with the Microsoft Windows Active Directory details
after completing EZSetup.
The VPLEX CLI Guide provides information on the commands used to configure LDAP.
Password policy
The VPLEX management server uses a Pluggable Authentication Module (PAM)
infrastructure to enforce minimum password quality. It uses pam_cracklib, a library that
checks for dictionary words, to check potential passwords.
Table 5 (row recovered):
Policy                   Description                                                      Default
Password inactive days   The number of days after a password has expired before the       1
                         account is locked.
In Release 5.2 and later, the management server uses the default value for the password
policies listed in Table 5, and you can configure each password policy to meet your
specific needs. The new value will be updated in the appropriate configuration file, and
existing users will be updated with the new configuration. Refer to the VPLEX CLI Guide for
information on the commands used to set password policies and the values allowed.
Note the following:
◆ Password policies do not apply to users configured using the LDAP server.
◆ Password policies do not apply to the service account.
◆ The Password inactive days policy does not apply to the admin account to protect the
admin user from account lockouts.
◆ During the management server software upgrade, an existing user’s password is not
changed; only the user’s password age information changes.
◆ You must be an admin user to configure a password policy.
Note: A space is allowed only between the characters in a password, not in the beginning
or the end of the password.
Note: In VPLEX Metro and Geo configurations, VPLEX CLI accounts created on one
management server are not propagated to the second management server. The user list
command displays only those accounts configured on the local management server, not
both servers.
Note: The new user must change the password the first time he or she logs in.
Changing passwords
Any user can change his/her own password as follows:
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP
address of the VPLEX management server.
2. Log in with the applicable username.
3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli:
• If VPLEX GeoSynchrony 4.0.x is running on the cluster:
Resetting passwords
An admin user can reset passwords for other users as follows:
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP
address of the VPLEX management server.
2. Log in with username admin.
3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli:
• If VPLEX GeoSynchrony 4.0.x is running on the cluster:
telnet localhost 49500
Note: The user must change the password the next time he or she logs in.
considered a requirement. The service account is used by EMC to provide remote support
through the EMC ESRS gateway. Therefore, the service password must be updated or
recorded in the customer service database in order to provide this support.
The service password must be changed in two locations:
◆ Management server
◆ Fibre Channel switches
To change the service password on the Fibre Channel switches, use the switch's passwd
command.
Component   Location
Firewall    /var/log/firewall
IP WAN COM
A VPLEX Metro or a VPLEX Geo system does not support native encryption over an IP
WAN COM link. EMC recommends that you deploy an external encryption solution such as
IPsec to achieve data confidentiality and end point authentication over IP WAN COM links
between clusters.
Accessibility
To establish secure communication, note the following:
◆ The following protocols must be allowed on the customer firewall (both in the
outbound and inbound filters):
# Encapsulating Security Payload (ESP): IP protocol number 50
# Authentication Header (AH): IP protocol number 51
◆ The following ports must be allowed on the customer firewall:
# Internet Key Exchange (IKE): UDP port 500
# NAT Traversal in the IKE (IPsec NAT-T): UDP port 4500
# Secure Shell (SSH): TCP port 22
◆ Static IP addresses must be assigned to the public ports on each management server
(eth3) and the public port in the Cluster Witness Server. If these IP addresses are in
different subnets, the IP management network must be able to route packets between
all such subnets.
◆ The firewall configuration settings in the IP management network must not prevent the
creation of IPsec tunnels. Cluster Witness traffic as well as VPLEX management traffic
leverages VPN tunnels established on top of IPsec.
◆ The IP management network must be capable of transferring SSH traffic between the
management servers and the Cluster Witness Server.
Note: The IP management network must not be able to route to the following reserved
VPLEX subnets: 128.221.252.0/24, 128.221.253.0/24, and 128.221.254.0/24.
Note: If VPLEX is deployed with IP inter-cluster network, the inter-cluster network must not
be able to route to the following reserved VPLEX subnets: 128.221.252.0/24,
128.221.253.0/24, and 128.221.254.0/24.
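The accessibility requirements above (ESP and AH, IKE on UDP 500, NAT-T on UDP 4500, SSH on TCP 22, and no route into the reserved 128.221.252/253/254.0/24 subnets) can be checked mechanically before the tunnels are brought up. The following Python script is an added example and not part of the guide; the rule and route formats are assumptions and the sample data is constructed:

```python
"""Check a firewall rule set and a route table against the VPLEX IP WAN COM
accessibility requirements listed above. Added example; the rule/route formats
are assumed and the sample data below is constructed, not a real configuration."""
import ipaddress

# Flows that must be permitted in both directions (taken from the guide).
REQUIRED_FLOWS = [
    ("esp", None),    # Encapsulating Security Payload, IP protocol 50
    ("ah", None),     # Authentication Header, IP protocol 51
    ("udp", 500),     # IKE
    ("udp", 4500),    # IPsec NAT-T
    ("tcp", 22),      # SSH
]

# Subnets the management / inter-cluster networks must never be able to reach.
RESERVED_SUBNETS = [ipaddress.ip_network(n) for n in
                    ("128.221.252.0/24", "128.221.253.0/24", "128.221.254.0/24")]

def flow_allowed(rules, direction, proto, port):
    """True if some 'allow' rule covers this direction/protocol/port.
    A rule whose port is None matches any port of that protocol."""
    for r in rules:
        if r["action"] != "allow" or r["direction"] != direction:
            continue
        if r["proto"] != proto:
            continue
        if port is None or r["port"] is None or r["port"] == port:
            return True
    return False

def check_firewall(rules):
    """Return the required flows that are NOT allowed as (direction, proto, port)
    tuples; an empty list means both filters satisfy the guide."""
    missing = []
    for direction in ("inbound", "outbound"):
        for proto, port in REQUIRED_FLOWS:
            if not flow_allowed(rules, direction, proto, port):
                missing.append((direction, proto, port))
    return missing

def check_routes(routes):
    """Return route prefixes that overlap a reserved VPLEX subnet.
    A default route (0.0.0.0/0) is flagged too, because it reaches those subnets."""
    bad = []
    for prefix in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if any(net.overlaps(r) for r in RESERVED_SUBNETS):
            bad.append(prefix)
    return bad

# Constructed sample: NAT-T is only opened outbound, and one route leads into reserved space.
SAMPLE_RULES = [
    {"action": "allow", "direction": d, "proto": p, "port": port}
    for d in ("inbound", "outbound")
    for p, port in (("esp", None), ("ah", None), ("udp", 500), ("tcp", 22))
] + [{"action": "allow", "direction": "outbound", "proto": "udp", "port": 4500}]
SAMPLE_ROUTES = ["10.20.0.0/16", "128.221.253.0/24", "192.0.2.0/24"]

if __name__ == "__main__":
    print("missing flows:", check_firewall(SAMPLE_RULES))
    print("routes into reserved VPLEX space:", check_routes(SAMPLE_ROUTES))
```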
Port usage
Table 7 lists all the network ports and services used by VPLEX components. This
information, along with the firewall settings, is needed to use the product.
[Figure VPLX-000557: two-cluster deployment. The VPLEX Management Client (A), Management Server 1 (B), Management Server 2 (C), the VPLEX Cluster Witness (D) and the ESRS Server (E) communicate across the customer IP network.]
[Table 7, two-cluster deployment (port and service names not recovered): columns Serial Number, A <-> B, A <-> C, A <-> D, B <-> C, B <-> D, B <-> E, C <-> D, C <-> E; rows for serial numbers 3, 4, 5, 8, 9, 10, 11, 12, 13, 14 and 15 survive only as "Yes" marks, so the per-port assignments cannot be read from this copy.]
Legend:
◆ A - VPLEX Management Client
◆ B - Management Server 1
◆ C - Management Server 2
◆ D - VPLEX Cluster Witness
◆ E - ESRS Server
[Figure VPLX-000558: single-cluster deployment (VPLEX Cluster 1). The VPLEX Management Client (A), the Management Server (B) and the ESRS Server (C) communicate across the customer IP network.]
[Table 7, single-cluster deployment (port and service names not recovered): rows for serial numbers 1 to 5 and 9 to 16 survive only as "Yes" marks.]
Legend:
◆ A - VPLEX Management Client
◆ B - Management Server 1
◆ C - ESRS Server
Network encryption
The VPLEX management server supports SSH through the sshd daemon provided by the
FIPS compliant OpenSSH package. It supports version 2 of the SSH protocol.
When the management server starts for the first time, the sshd daemon generates
key-pairs (private and public key) for communication with SSH clients. RSA and DSA
key-pairs are generated to support communication with SSH version 2 clients. All keys
have a 2048 bit length.
The HTTPS protocol and the IPsec VPN use an X.509 host certificate to identify the server
and encrypt all traffic. X.509 host certificates use a 2048 bit host key. During initial setup
of a VPLEX cluster, a local Certification Authority (which signs the host certificate request)
is created automatically.
Currently, VPLEX does not support a corporate Certification Authority signing the host
certificate requests.
Note: Host certificates are created as a part of EZSetup during a first time installation.
You must provide the host certificate's passphrase before converting the host certificate
into a format suitable for HTTPS service.
Once a user confirms the management server's identity, subsequent connections will not
ask for this confirmation, but instead warn the user if the management server's fingerprint
has changed, which may be an indication of a man-in-the-middle attack.
A VPLEX administrator might be asked by security-conscious users for the fingerprints of
both the X.509 certificate used for the GUI and for the host keys used for SSH access to
the management server.
To find the host certificate's SHA1 and (for GUI users) MD5 fingerprints
1. At the Linux shell prompt, type the following command:
/etc/ipsec.d/certs # openssl x509 -noout -in hostCert.pem -fingerprint -md5
Output example:
MD5 Fingerprint=6E:2C:A5:8E:86:11:45:26:02:09:62:97:6F:18:FD:62
Output example:
SHA1 Fingerprint=2E:B0:DD:59:DD:C3:29:96:33:74:19:CC:A0:81:28:28:6F:4F:76:E4
Output example:
1024 52:42:70:0c:22:aa:2f:e3:09:18:93:c8:20:a4:78:0c ssh_host_dsa_key.pub
Output example:
1024 a4:d8:64:d0:24:b9:2c:3d:06:24:5f:3a:30:ba:83:f8 ssh_host_rsa_key.pub
Output example:
256 ca:05:f3:9a:3e:51:fe:53:51:90:39:bf:6b:f5:78:56 [MD5]root@ManagementServer (ECDSA)
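To act on the fingerprint warning described above, keep the fingerprint noted when the management server's identity was first confirmed and compare it with the one presented later. The following Python script is an added example, not part of the guide or the VPLEX software: it computes the MD5 and SHA256 fingerprints of an OpenSSH public key line the way ssh-keygen -l does (hashing the decoded key blob) and flags a change; the keys are constructed from fixed bytes.

```python
"""Compute ssh-keygen-style fingerprints of an OpenSSH public key and compare
them with a recorded baseline. Added example; the keys are built from fixed
bytes and are not real VPLEX host keys."""
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (4-byte big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data

def build_pubkey_line(key_type: str, key_bytes: bytes, comment: str) -> str:
    """Assemble a one-line OpenSSH public key: '<type> <base64 blob> <comment>'."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(key_bytes)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

def fingerprints(pubkey_line: str) -> dict:
    """Return the key type and its MD5 / SHA256 fingerprints.
    MD5 is rendered as 16 colon-separated hex pairs (the 'xx:xx:...' form in the
    ssh_host_*_key.pub output examples above); SHA256 as unpadded base64,
    which is what newer ssh-keygen -l prints."""
    key_type, b64, *_ = pubkey_line.split()
    blob = base64.b64decode(b64)          # the bytes ssh-keygen actually hashes
    md5 = hashlib.md5(blob).digest()
    sha256 = hashlib.sha256(blob).digest()
    return {
        "type": key_type,
        "md5": ":".join(f"{b:02x}" for b in md5),
        "sha256": "SHA256:" + base64.b64encode(sha256).decode().rstrip("="),
    }

def verify_host_key(recorded_md5: str, pubkey_line: str) -> str:
    """Compare the recorded fingerprint with the one presented now.
    'unchanged' is the expected result; 'CHANGED' means this is not the key that
    was confirmed earlier, so the session should not proceed until the change is
    explained (re-installed server, or a man-in-the-middle)."""
    current = fingerprints(pubkey_line)["md5"]
    return "unchanged" if current == recorded_md5.lower() else "CHANGED"

# Constructed sample keys (fixed bytes, not real keys).
ORIGINAL_KEY = build_pubkey_line("ssh-ed25519", bytes(range(32)), "root@ManagementServer")
REPLACED_KEY = build_pubkey_line("ssh-ed25519", bytes(range(1, 33)), "root@ManagementServer")
RECORDED_MD5 = fingerprints(ORIGINAL_KEY)["md5"]   # baseline noted at first login

if __name__ == "__main__":
    print(fingerprints(ORIGINAL_KEY))
    print(verify_host_key(RECORDED_MD5, ORIGINAL_KEY))  # unchanged
    print(verify_host_key(RECORDED_MD5, REPLACED_KEY))  # CHANGED
```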
EMC believes the information in this publication is accurate as of its publication date. The information is subject
to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NO REPRESENTATIONS
OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY
DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Use, copying, and distribution of any EMC software described in this publication requires an applicable software
license.
For the most up-to-date regulatory document for your product line, go to the Technical Documentation and
Advisories section on EMC Powerlink.
For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.
All other trademarks used herein are the property of their respective owners.