EMC EMC Unity All Flash Скачать руководство пользователя страница 23 | Manualshive

Страница: 23 / 70

background image

l

Windows resolvers

l

Secmap

l

NTXMAP

UNIX Directory Services
UNIX Directory Services (UDSs) are used to determine the following for user
mapping:

l

Given a user identidier (UID), return the corresponding UNIX account name.

l

Given a UNIX account name, return the corresponding UID and primary group
identifier (GID).

The supported services are:

l

LDAP

l

NIS

There is at most one UDS active at a time for each NAS server. One UDS must be
enabled when multiprotocol sharing is enabled. The UDS to use is determined by the
unix-directory-service property of the NAS server.

Windows resolvers
Windows resolvers are used to determine the following for user mapping:

l

Given a security identifier (SID) return the corresponding Windows account name

l

Given a Windows account name, return the corresponding SID

The Windows resolvers are:

l

The domain controller (DC) of the domain

l

The local group database (LGDB) of the SMB server

Secmap
The function of Secmap is to store all SID-to-UID/primary GID and UID-to-SID
mappings to ensure coherency across all file systems of the NAS server.

NTXMAP
NTXMAP is used to associate a Windows account to a UNIX account when the name
is different. For example, if there is a user who has an account called Gerald on
Windows but the account on UNIX is called Gerry, NTXMAP is used to make the
correlation between the two.

Access policies for NFS, SMB, and FTP

In a multiprotocol environment, the storage system uses file system access policies to
manage user access control of its file systems. There are two kinds of security, UNIX
and Windows.

For UNIX security authentication, the credential is built from the UNIX Directory
Services (UDS). User rights are determined from the mode bits. The user and group
identifiers (UID and GID, respectively) are used for identification. There are no
privileges associated with UNIX security.

For Windows security authentication, the credential is built from the Windows Domain
Controller (DC) and Local Group Database (LGDB) of the SMB server. User rights are
determined from the SMB ACLs. The security identifier (SID) is used for identification.
There are privileges associated with Windows security, such as TakeOwnership,
Backup, and Restore, that are granted by the LGDB of the SMB server.

There are three access policies that define what security is used by which protocols:

Access Control

Access policies for NFS, SMB, and FTP

23

«
...
21
22
23
24
25
...
»

Содержание EMC Unity All Flash

Страница 1: ...EMC Unity Family EMC Unity All Flash EMC Unity Hybrid EMC UnityVSA Version 4 0 Security Configuration Guide P N 302 002 564 REV 03...

Страница 2: ...AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE USE COPYING AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED IN THIS PUBLICATION REQUIRES AN APPLICA...

Страница 3: ...ess in a multiprotocol environment 22 User mapping 22 Access policies for NFS SMB and FTP 23 Credentials for file level security 24 NFS secure 26 Dynamic Access Control 27 Logging 29 Logging 30 Remote...

Страница 4: ...ed 55 Data security settings 56 Security Maintenance 57 Secure maintenance 58 License update 58 Software upgrade 58 EMC Secure Remote Services for your storage system 59 Security Alert Settings 61 Ale...

Страница 5: ...n Troubleshooting For information about EMC products software updates licensing and service go to EMC Online Support registration required at https Support EMC com After logging in locate the appropri...

Страница 6: ...Note Presents information that is important but not hazard related Additional resources 6 EMC Unity All Flash EMC Unity Hybrid EMC UnityVSA 4 0 Security Configuration Guide...

Страница 7: ...R 1 Introduction This chapter briefly describes a variety of security features implemented on the storage system Topics include l Overview 8 l Related features and functionality information 8 Introduc...

Страница 8: ...product service operations performed by the manufacturer or its service partners Alert system Managing the alerts and notifications generated for security related events Other security settings Securi...

Страница 9: ...t management 11 l Unisphere 12 l Unisphere command line interface CLI 14 l Storage system service SSH interface 15 l Storage system SP Ethernet service port and IPMItool 16 l SMI S provider 17 l vSphe...

Страница 10: ...alerts l Severity level critical error warning notice or information required for email notification Note For storage system alert email notification to work you must configure a target SMTP server fo...

Страница 11: ...accounts Storage system account management Table 4 on page 11 illustrates the ways in which you can manage the storage system accounts Table 4 Account management methods Account roles Description Man...

Страница 12: ...the capabilities of the role assigned to the user LDAP The Lightweight Directory Access Protocol LDAP is an application protocol for querying directory services running on TCP IP networks LDAP provid...

Страница 13: ...ation Table 6 on page 13 shows the roles you can assign to the storage system local users and the privileges associated with these roles In addition you can assign these roles to LDAP users and groups...

Страница 14: ...e interface CLI The Unisphere CLI provides a command line interface for the same functionality available through Unisphere Running the Unisphere CLI requires special storage system command line softwa...

Страница 15: ...system SSH service interface when enabled provides a command line interface for performing related and overlapping functionality to that which is available from the Unisphere Service page under System...

Страница 16: ...to which it does not have execute permissions and cannot edit configuration files that require root access to read or modify or both Access control lists ACLs The ACL mechanism on the storage system u...

Страница 17: ...A is used by VMware clients rather than Unisphere clients The VP runs on the active Storage Processor SP of the storage system The vSphere user must configure this VP instance as the provider of VASA...

Страница 18: ...user The Unisphere credentials used here are only used during this initial step of the connection If the Unisphere credentials are valid for the target storage system the certificate of the vCenter S...

Страница 19: ...ntext of the same VASA session If an SSL certificate expires the vSphere administrator must generate a new certificate The vCenter Server will establish a new SSL connection and register the new certi...

Страница 20: ...can be a client of the centralized authentication server and participate in the single sign on environment For more information about this command refer to the Unisphere Command Line Interface User Gu...

Страница 21: ...original URL that was specified 5 The browser downloads the Unisphere content and Unisphere is instantiated 6 The user then opens another web browser window or tab and specifies the network address o...

Страница 22: ...cess control entries ACEs Each ACE in turn contains a single SID that identifies a user group or computer and a list of rights that are denied or allowed for that SID File systems access in a multipro...

Страница 23: ...used to associate a Windows account to a UNIX account when the name is different For example if there is a user who has an account called Gerald on Windows but the account on UNIX is called Gerry NTX...

Страница 24: ...n granted or denied There is no synchronization between mode bits and the SMB discretionary access list DACL They are independent For FTP authentication with windows or Unix depends on the user name f...

Страница 25: ...in the Windows credential When accessing a file system with a UNIX access policy the UID of the user is used to query the UDS to build the UNIX credential similar to building an extended credential fo...

Страница 26: ...incipal the server builds the credential of that user by querying the active UDS Since NIS is not secured it is not recommended to use it with NFS secure It is recommended to use Kerberos with LDAP or...

Страница 27: ...d in the UDS the configured default UNIX user credential is used instead If the default UNIX user is not set the credential used will be nobody Replication When a NAS server is the target of a replica...

Страница 28: ...ountry or department DAC CBAC is enabled on the storage system by default however a service command svc_dac allows you to do the following l Enable or disable the DAC feature when disabled the CAP ass...

Страница 29: ...CHAPTER 3 Logging This chapter describes a variety of logging features implemented on the storage system Topics include l Logging 30 l Remote logging options 31 Logging 29...

Страница 30: ...tem accumulates two million log entries it purges the oldest 500K entries as determined by log record time to return to 1 5 million log entries You can archive log entries by enabling remote logging s...

Страница 31: ...m sends remote log information l Type of log messages to send Use the Facility field to set the type of log messages It is recommended that you select the User Level Messages options l Port number and...

Страница 32: ...Logging 32 EMC Unity All Flash EMC Unity Hybrid EMC UnityVSA 4 0 Security Configuration Guide...

Страница 33: ...ystem certificate 41 l Storage system interfaces services and features that support Internet Protocol version 6 42 l Storage system management interface access using IPv6 43 l Configuring the manageme...

Страница 34: ...VSI TCP 22 Allows SSH access if enabled Also used for VSI plugin If closed management connections using SSH will be unavailable and VSI plugin will not be available Dynamic DNS update TCP UDP 53 Used...

Страница 35: ...m has network connectivity to the port it can query it No authentication is performed NTP UDP 123 NTP time synchronization If closed time will not be synchronized among arrays DCE Remote Procedure Cal...

Страница 36: ...ectivity port for Windows 2000 and later clients Clients with legitimate access to the storage system SMB services must have network connectivity to the port for continued operation Disabling this por...

Страница 37: ...AS lockd services will be unavailable NFS TCP UDP 4002 Used to provide NFS rquotad services The rquotad daemon provides quota information to NFS clients that have mounted a file system If closed NAS r...

Страница 38: ...ty software on the server In a storage system the NAS Server functions as the NDMP server l The NDMP service can be disabled if NDMP tape backup is not used l The NDMP service is authenticated with a...

Страница 39: ...and VSI plugin will not be available SMTP TCP 25 Allows the system to send email If closed email notifications will be unavailable DNS TCP UDP 53 DNS queries If closed DNS name resolution will not wo...

Страница 40: ...UDP 464 Provides Kerberos Password Change and Set If closed impacts SMB Remote Syslog UDP 514a Syslog Log system messages to a remote host You can configure the host port that the system uses LDAPS T...

Страница 41: ...ial configuration daemon If closed initialization of the array will be unavailable through the network a The LDAP and LDAPS port numbers can be overridden from inside Unisphere when configuring Direct...

Страница 42: ...tem and use Internet Protocol version 6 IPv6 addresses to configure different services and features The following list contains features where IPv6 protocol is supported l Interfaces SF iSCSI to stati...

Страница 43: ...and Internet connected devices the available IPv4 address space is insufficient IPv6 solves the address shortage issue because it uses 128 bit addresses which provides approximately 340 trillion addr...

Страница 44: ...information about these manage network interface commands and attributes refer to the Unisphere Command Line Interface User Guide Configuring the management interface using DHCP After you finish inst...

Страница 45: ...the Connection Utility and instead can automatically assign a dynamic IP address IPv4 only for the storage system management interface When a storage system uses a static IP address it is manually con...

Страница 46: ...ypt all its requests related to the share otherwise access to the share will be denied To enable SMB Encryption you either set the Protocol Encryption option in the advanced SMB share properties in Un...

Страница 47: ...ays Whether the client side SMB component requires signing Disabled Microsoft network client Digitally sign communications if server agrees Whether the client side SMB component has signing enabled En...

Страница 48: ...need to determine the route to send the reply packets Because reply packets always go out the same interface as the request packets request packets cannot be used to indirectly flood other LANs In cas...

Страница 49: ...ace s VLAN ID If the VLAN ID of an interface is set to zero packets are sent without VLAN tags There are two ways to work with VLANs l Configure a switch port with a VLAN identifier and connect a NAS...

Страница 50: ...y set fips140Enabled yes will set it to FIPS 140 2 mode uemcli sys security set fips140Enabled no will set it to non FIPS 140 2 mode Use the following CLI command to determine the current FIPS 140 2 m...

Страница 51: ...chapter describes the security features that are available on the storage system for supported storage types Topics include l About Data at Rest Encryption physical deployments only 52 l Data security...

Страница 52: ...age pool has been added or removed Key backups are performed automatically by the system In addition changes to the configuration of the system that result in changes to the keystore will generate inf...

Страница 53: ...d to view the status of the keystore and to determine whether any user operations are required See the Unisphere Command Line Interface User Guide for detailed information about these CLI commands Bac...

Страница 54: ...d previously Note As an alternative use the uemcli u username p password download encryption type auditLog entries all or YYYY MM CLI command to download the entire audit log and checksum information...

Страница 55: ...ta that may be hidden in obscured locations within the drive will not be overwritten NOTICE If the potential access to data remnants from the previous use of a drive violates your security policy you...

Страница 56: ...group accounts l File and share access controls are provided through Windows directory services SMB share access control list ACL can also be configured through an SMI S interface l Security signature...

Страница 57: ...nance This chapter describes a variety of security maintenance features implemented on the storage system Topics include l Secure maintenance 58 l EMC Secure Remote Services for your storage system 59...

Страница 58: ...oading and installing licenses through Unisphere client to the storage system l License file uploads to the storage system occur within Unisphere sessions authenticated through HTTPS l The storage sys...

Страница 59: ...n off array ESRS Gateway The ESRS Gateway is the single point of entry and exit for all IP based EMC remote support activities for the storage systems associated with the gateway The ESRS Gateway is a...

Страница 60: ...Security Maintenance 60 EMC Unity All Flash EMC Unity Hybrid EMC UnityVSA 4 0 Security Configuration Guide...

Страница 61: ...Settings This chapter describes the different methods available to notify administrators of alerts that occur on the storage system Topics include l Alert settings 62 l Configuring alert settings 63 S...

Страница 62: ...ts l Severity level critical error warning notice or information required for email notification Note For storage system alert email notification to work you must configure a target SMTP server for th...

Страница 63: ...ing and Above l Notice and Above l Information and Above Note For the storage system alert email mechanism to work a target SMTP server must be configured for the storage system 4 Under Specify SMTP n...

Страница 64: ...l Warning and above l Notice and above l Information and above Security Alert Settings 64 EMC Unity All Flash EMC Unity Hybrid EMC UnityVSA 4 0 Security Configuration Guide...

Страница 65: ...is chapter contains other information that is relevant for ensuring the secure operation of the storage system Topics include l Physical security controls physical deployments only 66 l Antivirus prot...

Страница 66: ...assword l SP Ethernet service port connector Allows authenticated access through an SP Ethernet service port connection Antivirus protection The storage system supports Common AntiVirus Agent CAVA CAV...

Страница 67: ...APPENDIX A TLS cipher suites This appendix lists the TLS cipher suites supported by the storage system Topics include l Supported TLS cipher suites 68 TLS cipher suites 67...

Страница 68: ...TLS cipher suites supported on the storage system Cipher Suites Protocols Ports TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLSv1 TLSv1 1 TLSv1 2 443 8443 8444 TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLSv1 TLSv1 1 TLSv...

Страница 69: ...uites supported on the storage system continued Cipher Suites Protocols Ports TLS_RSA_WITH_AES_256_CBC_SHA TLSv1 TLSv1 1 TLSv1 2 5989 TLS_RSA_WITH_3DES EDE CBC SHA TLSv1 TLSv1 1 TLSv1 2 5989 TLS ciphe...

Страница 70: ...TLS cipher suites 70 EMC Unity All Flash EMC Unity Hybrid EMC UnityVSA 4 0 Security Configuration Guide...

Отзывы:

Нет отзывов

Похожие инструкции для EMC Unity All Flash

MY PASSPORT EDGE

Бренд: Western Digital Страницы: 77

Бренд: LaCie Страницы: 48

DJSA-210 - Travelstar 10 GB Hard Drive

Бренд: IBM Страницы: 211

Бренд: Seagate Страницы: 20

Бренд: Suncast Страницы: 28

Бренд: HOLZMANN MASCHINEN Страницы: 18

Бренд: GARDEN MASTER Страницы: 8

USB2.0 Flash Stick

Бренд: Acer Страницы: 11

Бренд: Acer Страницы: 24

USB 2.0 Flash Stick

Бренд: Acer Страницы: 12

RAID Ready Systems

Бренд: Acer Страницы: 21

External Hard Disk Drive 500Gb

Бренд: Acer Страницы: 2

Бренд: Panasonic Страницы: 14

Бренд: Panasonic Страницы: 18

Бренд: Panasonic Страницы: 34

Бренд: ETT Страницы: 5

Бренд: CalDigit Страницы: 14

Бренд: SmartStore Страницы: 16

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды