manualshive.com logo in svg

EMC EMC Unity All Flash, Руководство по настройке безопасности

EMC EMC Unity All Flash - это мощное хранилище данных, обеспечивающее максимальную производительность и отказоустойчивость. Для настройки безопасности рекомендуется скачать Security Configuration Manual, который можно найти на manualshive.com. Получите бесплатный доступ к руководству уже сегодня.

Поделиться
Скачать
background image

A vCenter session is based on secure HTTPS communication between a vCenter
Server and a VP. The VASA architecture uses SSL certificates and VASA session
identifiers to support secure connections. With VASA 1.0, the vCenter Server added
the VP certificate to its truststore as part of the VP installation, or when it created a
VASA session connection. The VP added the vCenter Server certificate to its
truststore when Storage Monitoring Service (SMS) called the
registerVASACertificate function. In VASA 3.0 and VASA 2.0, vCenter Server acts as
the VMware certificate authority (VMCA). The VP transmits a self

signed certificate

on request, after authorizing the request. It adds the vCenter Server certificate to its
truststore, then issues a certificate signing request, and replaces its self

signed

certificate with the VMCA signed certificate. Future connections will be authenticated
by the server (the VP) using the client (SMS) certificate validated against the
previously registered root signing certificate. A VP generates unique identifiers for
storage entity objects, and vCenter Server uses the identifier to request data for a
specific entity.

A VP uses SSL certificates and the VASA session identifier to validate VASA sessions.
After the session is established, a VP must validate both the SSL certificate and the
VASA session identifier associated with each function call from the vCenter Server.
The VP uses the vCenter Server certificate stored in its truststore to validate the
certificate associated with function calls from the vCenter SMS. A VASA session
persists across multiple SSL connections. If an SSL connection is dropped, the
vCenter Server will perform an SSL handshake with the VP to re

establish the SSL

connection within the context of the same VASA session. If an SSL certificate expires,
the vSphere administrator must generate a new certificate. The vCenter Server will
establish a new SSL connection and register the new certificate with the VP.

Note

Unregistration of 3.0 and 2.0 VPs differs from unregistration of 1.0 VPs. SMS does not
call the unregisterVASACertificate function against a 3.0 or 2.0 VP, so even after
unregistration, the VP can continue to use its VMCA signed certificate obtained from
SMS and continues to have access to the VMCA root certificate.

Single sign-on with Unisphere Central

The single sign-on capability added to Unisphere Central provides authentication
services for multiple storage systems that are configured to use this feature. This
feature provides an easy way for a user to log in to each system without requiring the
user to re-authenticate to each system.

Unisphere Central is the centralized authentication server that facilitates single sign-
on. This functionality allows a user to:

l

Log in to Unisphere Central, then select and launch Unisphere on a storage system
without supplying your login credentials again.

l

Log in to one storage system and then select other storage systems associated
with the same Unisphere Central to log in to without supplying your login
credentials again.

Unisphere Central will periodically execute a query to request status information from
the storage systems that it is managing. The identity associated with requests
executed in this context is the Unisphere Central SSL/X.509 certificate. This
certificate is signed by the Unisphere Central Certificate Authority, which is trusted by
each storage system instance that Unisphere Central is configured to manage.

Additionally, this feature provides a single sign-off capability; that is, when you log off
Unisphere Central, you log off all of the associated storage system sessions at once.

Access Control

Single sign-on with Unisphere Central

     

19

Содержание EMC Unity All Flash

Страница 1: ...EMC Unity Family EMC Unity All Flash EMC Unity Hybrid EMC UnityVSA Version 4 0 Security Configuration Guide P N 302 002 564 REV 03...

Страница 2: ...AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE USE COPYING AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED IN THIS PUBLICATION REQUIRES AN APPLICA...

Страница 3: ...ess in a multiprotocol environment 22 User mapping 22 Access policies for NFS SMB and FTP 23 Credentials for file level security 24 NFS secure 26 Dynamic Access Control 27 Logging 29 Logging 30 Remote...

Страница 4: ...ed 55 Data security settings 56 Security Maintenance 57 Secure maintenance 58 License update 58 Software upgrade 58 EMC Secure Remote Services for your storage system 59 Security Alert Settings 61 Ale...

Страница 5: ...n Troubleshooting For information about EMC products software updates licensing and service go to EMC Online Support registration required at https Support EMC com After logging in locate the appropri...

Страница 6: ...Note Presents information that is important but not hazard related Additional resources 6 EMC Unity All Flash EMC Unity Hybrid EMC UnityVSA 4 0 Security Configuration Guide...

Страница 7: ...R 1 Introduction This chapter briefly describes a variety of security features implemented on the storage system Topics include l Overview 8 l Related features and functionality information 8 Introduc...

Страница 8: ...product service operations performed by the manufacturer or its service partners Alert system Managing the alerts and notifications generated for security related events Other security settings Securi...

Страница 9: ...t management 11 l Unisphere 12 l Unisphere command line interface CLI 14 l Storage system service SSH interface 15 l Storage system SP Ethernet service port and IPMItool 16 l SMI S provider 17 l vSphe...

Страница 10: ...alerts l Severity level critical error warning notice or information required for email notification Note For storage system alert email notification to work you must configure a target SMTP server fo...

Страница 11: ...accounts Storage system account management Table 4 on page 11 illustrates the ways in which you can manage the storage system accounts Table 4 Account management methods Account roles Description Man...

Страница 12: ...the capabilities of the role assigned to the user LDAP The Lightweight Directory Access Protocol LDAP is an application protocol for querying directory services running on TCP IP networks LDAP provid...

Страница 13: ...ation Table 6 on page 13 shows the roles you can assign to the storage system local users and the privileges associated with these roles In addition you can assign these roles to LDAP users and groups...

Страница 14: ...e interface CLI The Unisphere CLI provides a command line interface for the same functionality available through Unisphere Running the Unisphere CLI requires special storage system command line softwa...

Страница 15: ...system SSH service interface when enabled provides a command line interface for performing related and overlapping functionality to that which is available from the Unisphere Service page under System...

Страница 16: ...to which it does not have execute permissions and cannot edit configuration files that require root access to read or modify or both Access control lists ACLs The ACL mechanism on the storage system u...

Страница 17: ...A is used by VMware clients rather than Unisphere clients The VP runs on the active Storage Processor SP of the storage system The vSphere user must configure this VP instance as the provider of VASA...

Страница 18: ...user The Unisphere credentials used here are only used during this initial step of the connection If the Unisphere credentials are valid for the target storage system the certificate of the vCenter S...

Страница 19: ...ntext of the same VASA session If an SSL certificate expires the vSphere administrator must generate a new certificate The vCenter Server will establish a new SSL connection and register the new certi...

Страница 20: ...can be a client of the centralized authentication server and participate in the single sign on environment For more information about this command refer to the Unisphere Command Line Interface User Gu...

Страница 21: ...original URL that was specified 5 The browser downloads the Unisphere content and Unisphere is instantiated 6 The user then opens another web browser window or tab and specifies the network address o...

Страница 22: ...cess control entries ACEs Each ACE in turn contains a single SID that identifies a user group or computer and a list of rights that are denied or allowed for that SID File systems access in a multipro...

Страница 23: ...used to associate a Windows account to a UNIX account when the name is different For example if there is a user who has an account called Gerald on Windows but the account on UNIX is called Gerry NTX...

Страница 24: ...n granted or denied There is no synchronization between mode bits and the SMB discretionary access list DACL They are independent For FTP authentication with windows or Unix depends on the user name f...

Страница 25: ...in the Windows credential When accessing a file system with a UNIX access policy the UID of the user is used to query the UDS to build the UNIX credential similar to building an extended credential fo...

Страница 26: ...incipal the server builds the credential of that user by querying the active UDS Since NIS is not secured it is not recommended to use it with NFS secure It is recommended to use Kerberos with LDAP or...

Страница 27: ...d in the UDS the configured default UNIX user credential is used instead If the default UNIX user is not set the credential used will be nobody Replication When a NAS server is the target of a replica...

Страница 28: ...ountry or department DAC CBAC is enabled on the storage system by default however a service command svc_dac allows you to do the following l Enable or disable the DAC feature when disabled the CAP ass...

Страница 29: ...CHAPTER 3 Logging This chapter describes a variety of logging features implemented on the storage system Topics include l Logging 30 l Remote logging options 31 Logging 29...

Страница 30: ...tem accumulates two million log entries it purges the oldest 500K entries as determined by log record time to return to 1 5 million log entries You can archive log entries by enabling remote logging s...

Страница 31: ...m sends remote log information l Type of log messages to send Use the Facility field to set the type of log messages It is recommended that you select the User Level Messages options l Port number and...

Страница 32: ...Logging 32 EMC Unity All Flash EMC Unity Hybrid EMC UnityVSA 4 0 Security Configuration Guide...

Страница 33: ...ystem certificate 41 l Storage system interfaces services and features that support Internet Protocol version 6 42 l Storage system management interface access using IPv6 43 l Configuring the manageme...

Страница 34: ...VSI TCP 22 Allows SSH access if enabled Also used for VSI plugin If closed management connections using SSH will be unavailable and VSI plugin will not be available Dynamic DNS update TCP UDP 53 Used...

Страница 35: ...m has network connectivity to the port it can query it No authentication is performed NTP UDP 123 NTP time synchronization If closed time will not be synchronized among arrays DCE Remote Procedure Cal...

Страница 36: ...ectivity port for Windows 2000 and later clients Clients with legitimate access to the storage system SMB services must have network connectivity to the port for continued operation Disabling this por...

Страница 37: ...AS lockd services will be unavailable NFS TCP UDP 4002 Used to provide NFS rquotad services The rquotad daemon provides quota information to NFS clients that have mounted a file system If closed NAS r...

Страница 38: ...ty software on the server In a storage system the NAS Server functions as the NDMP server l The NDMP service can be disabled if NDMP tape backup is not used l The NDMP service is authenticated with a...

Страница 39: ...and VSI plugin will not be available SMTP TCP 25 Allows the system to send email If closed email notifications will be unavailable DNS TCP UDP 53 DNS queries If closed DNS name resolution will not wo...

Страница 40: ...UDP 464 Provides Kerberos Password Change and Set If closed impacts SMB Remote Syslog UDP 514a Syslog Log system messages to a remote host You can configure the host port that the system uses LDAPS T...

Страница 41: ...ial configuration daemon If closed initialization of the array will be unavailable through the network a The LDAP and LDAPS port numbers can be overridden from inside Unisphere when configuring Direct...

Страница 42: ...tem and use Internet Protocol version 6 IPv6 addresses to configure different services and features The following list contains features where IPv6 protocol is supported l Interfaces SF iSCSI to stati...

Страница 43: ...and Internet connected devices the available IPv4 address space is insufficient IPv6 solves the address shortage issue because it uses 128 bit addresses which provides approximately 340 trillion addr...

Страница 44: ...information about these manage network interface commands and attributes refer to the Unisphere Command Line Interface User Guide Configuring the management interface using DHCP After you finish inst...

Страница 45: ...the Connection Utility and instead can automatically assign a dynamic IP address IPv4 only for the storage system management interface When a storage system uses a static IP address it is manually con...

Страница 46: ...ypt all its requests related to the share otherwise access to the share will be denied To enable SMB Encryption you either set the Protocol Encryption option in the advanced SMB share properties in Un...

Страница 47: ...ays Whether the client side SMB component requires signing Disabled Microsoft network client Digitally sign communications if server agrees Whether the client side SMB component has signing enabled En...

Страница 48: ...need to determine the route to send the reply packets Because reply packets always go out the same interface as the request packets request packets cannot be used to indirectly flood other LANs In cas...

Страница 49: ...ace s VLAN ID If the VLAN ID of an interface is set to zero packets are sent without VLAN tags There are two ways to work with VLANs l Configure a switch port with a VLAN identifier and connect a NAS...

Страница 50: ...y set fips140Enabled yes will set it to FIPS 140 2 mode uemcli sys security set fips140Enabled no will set it to non FIPS 140 2 mode Use the following CLI command to determine the current FIPS 140 2 m...

Страница 51: ...chapter describes the security features that are available on the storage system for supported storage types Topics include l About Data at Rest Encryption physical deployments only 52 l Data security...

Страница 52: ...age pool has been added or removed Key backups are performed automatically by the system In addition changes to the configuration of the system that result in changes to the keystore will generate inf...

Страница 53: ...d to view the status of the keystore and to determine whether any user operations are required See the Unisphere Command Line Interface User Guide for detailed information about these CLI commands Bac...

Страница 54: ...d previously Note As an alternative use the uemcli u username p password download encryption type auditLog entries all or YYYY MM CLI command to download the entire audit log and checksum information...

Страница 55: ...ta that may be hidden in obscured locations within the drive will not be overwritten NOTICE If the potential access to data remnants from the previous use of a drive violates your security policy you...

Страница 56: ...group accounts l File and share access controls are provided through Windows directory services SMB share access control list ACL can also be configured through an SMI S interface l Security signature...

Страница 57: ...nance This chapter describes a variety of security maintenance features implemented on the storage system Topics include l Secure maintenance 58 l EMC Secure Remote Services for your storage system 59...

Страница 58: ...oading and installing licenses through Unisphere client to the storage system l License file uploads to the storage system occur within Unisphere sessions authenticated through HTTPS l The storage sys...

Страница 59: ...n off array ESRS Gateway The ESRS Gateway is the single point of entry and exit for all IP based EMC remote support activities for the storage systems associated with the gateway The ESRS Gateway is a...

Страница 60: ...Security Maintenance 60 EMC Unity All Flash EMC Unity Hybrid EMC UnityVSA 4 0 Security Configuration Guide...

Страница 61: ...Settings This chapter describes the different methods available to notify administrators of alerts that occur on the storage system Topics include l Alert settings 62 l Configuring alert settings 63 S...

Страница 62: ...ts l Severity level critical error warning notice or information required for email notification Note For storage system alert email notification to work you must configure a target SMTP server for th...

Страница 63: ...ing and Above l Notice and Above l Information and Above Note For the storage system alert email mechanism to work a target SMTP server must be configured for the storage system 4 Under Specify SMTP n...

Страница 64: ...l Warning and above l Notice and above l Information and above Security Alert Settings 64 EMC Unity All Flash EMC Unity Hybrid EMC UnityVSA 4 0 Security Configuration Guide...

Страница 65: ...is chapter contains other information that is relevant for ensuring the secure operation of the storage system Topics include l Physical security controls physical deployments only 66 l Antivirus prot...

Страница 66: ...assword l SP Ethernet service port connector Allows authenticated access through an SP Ethernet service port connection Antivirus protection The storage system supports Common AntiVirus Agent CAVA CAV...

Страница 67: ...APPENDIX A TLS cipher suites This appendix lists the TLS cipher suites supported by the storage system Topics include l Supported TLS cipher suites 68 TLS cipher suites 67...

Страница 68: ...TLS cipher suites supported on the storage system Cipher Suites Protocols Ports TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLSv1 TLSv1 1 TLSv1 2 443 8443 8444 TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLSv1 TLSv1 1 TLSv...

Страница 69: ...uites supported on the storage system continued Cipher Suites Protocols Ports TLS_RSA_WITH_AES_256_CBC_SHA TLSv1 TLSv1 1 TLSv1 2 5989 TLS_RSA_WITH_3DES EDE CBC SHA TLSv1 TLSv1 1 TLSv1 2 5989 TLS ciphe...

Страница 70: ...TLS cipher suites 70 EMC Unity All Flash EMC Unity Hybrid EMC UnityVSA 4 0 Security Configuration Guide...

Отзывы:

Нет отзывов

Похожие инструкции для EMC Unity All Flash

Oki C7300 Installation Instructions Manual preview
C7300
Бренд: Oki Страницы: 16
NEC Express5800/R120f-2E Configuration Manual preview
Express5800/R120f-2E
Бренд: NEC Страницы: 36
IBM Ultrastar 36XP Quick Installation Manual preview
Ultrastar 36XP
Бренд: IBM Страницы: 2
DANE-ELEC SO MOBILE Datasheet preview
SO MOBILE
Бренд: DANE-ELEC Страницы: 2
morse 400A-96-125 Operator'S Manual preview
400A-96-125
Бренд: morse Страницы: 6
QNAP TS-H686-D1602-8G Quick Installation Manual preview
TS-H686-D1602-8G
Бренд: QNAP Страницы: 12
z HD-WLU3 Reference Manual preview
HD-WLU3
Бренд: z Страницы: 45
G-Technology G-DRIVE mobile USB Product Manual preview
G-DRIVE mobile USB
Бренд: G-Technology Страницы: 32
Arrow Storage Products 697.68222 Owner'S Manual & Assembly Instructions preview
697.68222
Бренд: Arrow Storage Products Страницы: 34
Synology DS3611xs Quick Installation Manual preview
DS3611xs
Бренд: Synology Страницы: 26
ABSCO SHEDS 30082SECOK Manual preview
30082SECOK
Бренд: ABSCO SHEDS Страницы: 23
Oracle StorageTek SL8500 Safety And Compliance Manual preview
StorageTek SL8500
Бренд: Oracle Страницы: 59
3Ware 9650SE-4LPME Installation Manual preview
9650SE-4LPME
Бренд: 3Ware Страницы: 50
Omega Post-Type Wall Mount Shelving Assembly Instructions preview
Post-Type Wall Mount Shelving
Бренд: Omega Страницы: 4
QNAP TS-130 User Manual preview
TS-130
Бренд: QNAP Страницы: 39
IBM SAN768B Installation, Service And User Manual preview
SAN768B
Бренд: IBM Страницы: 208
Freecom RDX Datasheet preview
RDX
Бренд: Freecom Страницы: 2
XtendLan xl-raid-2804issa Installation And Configuration Manual preview
xl-raid-2804issa
Бренд: XtendLan Страницы: 124

Бренды по названию

Популярные бренды

Загрузить еще бренды