V7.3
Security Configuration Guide
P/N 300-012-677 A01
EMC
Corporate Headquarters
Hopkinton, MA 01748-9103
1-508-435-1000
www.EMC.com
EMC Corporation
Copyright 2011 EMC Corporation. All rights reserved.
Published June, 2011
EMC believes the information in this publication is accurate as of its publication date. The information is subject to
change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.
Use, copying, and distribution of any EMC software described in this publication requires an applicable software
license.
For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.
All other trademarks used herein are the property of their respective owners.
Table of Contents
1 Overview ... 4
  Introduction ... 4
2.2 Access Control Settings
2.2.1 User authentication
2.2.2
2.3 Log Files and Settings
2.3.1 Log description
2.3.2
2.4 Communication Security Settings
2.4.1 Port usage
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.5 Data security
2.6 Other security considerations
2.6.1 Daemon processes on UNIX
2.6.2
2.6.3
3.1.1
4 Secure Maintenance
1 Overview
This guide describes the security configuration settings available in Solutions Enabler, along with
information on how to securely deploy, use, and maintain the product. It is divided into the
following sections:
- Secure Deployment and Usage provides instructions on how to deploy and use
  Solutions Enabler securely.
- Log files and settings control event logging and associated files.
- Data security settings ensure protection of the data handled by the product.
In the discussion that follows, <SYMAPI_HOME> refers to the base file system location used for
Solutions Enabler data and configuration files. Unless this is overridden during installation
(Windows), this will be:
Windows: C:\Program Files\EMC\SYMAPI
UNIX (and UNIX-based systems): /var/symapi
Open VMS file locations are discussed in the Solutions Enabler Installation Guide.
Note: Whenever pathnames are presented within this document, they are shown in a UNIX-specific
format, using forward slashes (/) instead of the backslashes (\) typically used on Windows platforms.
2.2 Access Control Settings
2.2.1 User authentication
Solutions Enabler does not support an explicit authentication mechanism for users. When using
SYMCLI commands, Solutions Enabler uses the credentials users supplied when logging onto the
local system, as provided by the operating system. When using Symmetrix Management
Console (SMC), SMC passes the user's authenticated identity to Solutions Enabler.
Internally, Solutions Enabler represents a user identity as a string that comprises the user's name
along with how (and where) they were originally authenticated. The possible encodings are:
H:HostName\UserName
D:DomainName\UserName
L:ServerName\UserName
C:HostName\UserName
V:DomainName|UserName
Solutions Enabler uses these identities in a number of ways. A user name is included in records
that are written to the Symmetrix array's secure Audit Log. This identifies the user that initiated
the activity being logged. A user identity is the basis for optional user authorization rules that
restrict management access to Symmetrix arrays.
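As an added example (not code from the EMC guide), the following Python parses the five identity encodings listed above and applies the parser to a few constructed audit-style records. The record layout, the sample names, and the assumption that the leading letter only selects the realm/user separator are this example's own; the guide does not say what each letter denotes.

```python
# Added example (not from the EMC guide): parse the identity encodings listed
# above and use them to review constructed audit-style records.

# Prefix letter -> separator between the realm and the user name, exactly as the
# five encodings are written in the guide. Nothing beyond the separator is
# assumed about what each letter means.
IDENTITY_SEPARATOR = {
    "H": "\\",  # H:HostName\UserName
    "D": "\\",  # D:DomainName\UserName
    "L": "\\",  # L:ServerName\UserName
    "C": "\\",  # C:HostName\UserName
    "V": "|",   # V:DomainName|UserName
}


def parse_identity(identity):
    """Split an identity string into (prefix, realm, user).

    Raises ValueError for anything that is not one of the five forms, so a
    review script never silently accepts a malformed or truncated identity.
    """
    if len(identity) < 4 or identity[1] != ":":
        raise ValueError("missing type prefix: %r" % identity)
    prefix = identity[0]
    sep = IDENTITY_SEPARATOR.get(prefix)
    if sep is None:
        raise ValueError("unknown identity type %r" % prefix)
    realm, found, user = identity[2:].partition(sep)
    if not found or not realm or not user:
        raise ValueError("expected <realm>%s<user> after prefix: %r" % (sep, identity))
    return prefix, realm, user


def is_valid_identity(identity):
    """True if parse_identity() accepts the string."""
    try:
        parse_identity(identity)
        return True
    except ValueError:
        return False


# Constructed sample records (hypothetical layout, not real Symmetrix audit
# output): "<identity> <command> <argument>".
SAMPLE_RECORDS = [
    "D:CORP\\alice symconfigure commit",
    "H:jupiter\\joe symdev write_disable",
    "D:CORP\\alice symrdf establish",
    "V:CORP|svc_backup symsnap create",
    "bogus-identity symdev ready",
]


def summarize(records):
    """Count records per parsed identity; return (counts, rejected_lines)."""
    counts = {}
    rejected = []
    for line in records:
        identity = line.split(" ", 1)[0]
        try:
            key = parse_identity(identity)
        except ValueError:
            rejected.append(line)
            continue
        counts[key] = counts.get(key, 0) + 1
    return counts, rejected


if __name__ == "__main__":
    counts, rejected = summarize(SAMPLE_RECORDS)
    for key, n in sorted(counts.items()):
        print("%s:%s%s%s  %d" % (key[0], key[1], IDENTITY_SEPARATOR[key[0]], key[2], n))
    print("rejected:", rejected)
```

Rejecting rather than skipping malformed identities matters when the parser feeds an audit review: a record whose identity cannot be attributed to a realm and user should be surfaced, not dropped.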
2.3 Log Files and Settings
2.3.1 Log description
Solutions Enabler maintains the following log files.
symapi_yyyymmdd.log
    Where yyyymmdd is the numerical value for the year, month, and day. For example,
    symapi_20100920.log is the log for September 20, 2010.
    Solutions Enabler writes errors and other significant conditions to this log.
    By default, Solutions Enabler keeps these files forever. Setting the
    SYMAPI_LOGFILE_RETENTION option, described on page 7, configures at what point in
    time after creation these files should be automatically removed.
Setting: SYMAPI_LOGFILE_RETENTION = NN
File: <SYMAPI_HOME>/config/options
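The following Python is an added example, not part of the EMC guide, showing how the retention rule above can be applied to a directory listing: it reads SYMAPI_LOGFILE_RETENTION from options-file text and reports which symapi_yyyymmdd.log files have outlived it. It assumes NN is a number of days, that a file is eligible for removal once it is more than NN days old, and that lines starting with '#' in the options file are comments; the listing and options text are constructed.

```python
# Added example (not from the EMC guide): decide which symapi_yyyymmdd.log
# files have outlived SYMAPI_LOGFILE_RETENTION. Assumptions: NN is a number of
# days, and a file is eligible for removal once it is more than NN days old.
import re
from datetime import date

LOG_NAME = re.compile(r"^symapi_(\d{4})(\d{2})(\d{2})\.log$")


def read_retention(options_text):
    """Return the SYMAPI_LOGFILE_RETENTION value from the text of the options
    file, or None when it is not set (the guide's default: keep files forever).
    Lines beginning with '#' are treated as comments (assumed syntax)."""
    for raw in options_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "SYMAPI_LOGFILE_RETENTION":
            return int(value.strip())
    return None


def log_date(filename):
    """Date encoded in a symapi_yyyymmdd.log name, or None for other files
    (including names whose digits do not form a real calendar date)."""
    m = LOG_NAME.match(filename)
    if m is None:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:
        return None


def expired_logs(filenames, retention_days, today):
    """Sorted names of daily logs more than retention_days old as of today
    (a date or an ISO yyyy-mm-dd string). retention_days=None expires nothing."""
    if retention_days is None:
        return []
    if isinstance(today, str):
        today = date.fromisoformat(today)
    expired = []
    for name in filenames:
        d = log_date(name)
        if d is not None and (today - d).days > retention_days:
            expired.append(name)
    return sorted(expired)


# Constructed directory listing and options text (not taken from a real host).
SAMPLE_LISTING = [
    "symapi_20100920.log",
    "symapi_20100924.log",
    "symapi_20100925.log",
    "symapi_20101301.log",   # month 13: not a valid date, left alone
    "storsrvd.log0",         # not a daily log, left alone
]
SAMPLE_OPTIONS = "# options file excerpt\nSYMAPI_LOGFILE_RETENTION = 7\n"

if __name__ == "__main__":
    days = read_retention(SAMPLE_OPTIONS)
    print("retention:", days, "days")
    print("expired as of 2010-10-01:", expired_logs(SAMPLE_LISTING, days, "2010-10-01"))
```

The name pattern is anchored so that only the daily symapi logs are candidates; other files in the same directory are never touched, and a name that looks like a log but does not encode a real date is left alone rather than guessed at.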
2.4 Communication Security Settings
2.4.1 Port usage
The following network ports are used by Solutions Enabler.
Component         Protocol   Port                   Description
Client / Server   TCP/IP     2707                   In client/server mode, the Solutions Enabler
                                                    Server (storsrvd daemon) listens on this port
                                                    for connections from client hosts. You can
                                                    change the default port as described in
                                                    "Port settings" on page 9.
Event Daemon      TCP/IP     Dynamically assigned
CLARiiON          TCP/IP     443 or 2163
Port settings:
Setting: storsrvd:port = NN
File: <SYMAPI_HOME>/config/daemon_options
Setting: storevntd:event_listen_port = NN
File: <SYMAPI_HOME>/config/daemon_options
2.4.4.1 Running the Solutions Enabler Server
The Solutions Enabler server daemon (storsrvd) does not run by default. It must be explicitly
started before it can accept connections from remote clients. It can be configured to start
automatically whenever a server host starts by running the following command:
stordaemon install storsrvd -autostart
Daemons are started differently on z/OS and Open VMS platforms. Refer to the EMC Solutions
Enabler Installation Guide for details.
Example nethost file entry:
# From Client host Jupiter, only users joe and sally may connect.
jupiter    joe, sally
Option Name (within <SYMAPI_HOME>/config/options) and Description:
SYMAPI_ACC_ADMIN_VIA_SERVER
    Symmetrix Access Control changes. This defaults to ENABLE.
SYMAPI_ACC_DISPLAY_VIA_SERVER
SYMAPI_ALLOW_SCRIPTS_VIA_SERVER
SYMAPI_CTRL_VIA_SERVER
a. When set to DISABLE, this class of functionality is not available through the server.
To allow non-secure connections with servers that are not able to use SSL, add the
following to the <SYMAPI_HOME>/config/options file:
SYMAPI_SERVER_SECURITY_LEVEL = ANY
To allow non-secure connections with specific server hosts, specify the NONSECURE or
ANY attribute in the <SYMAPI_HOME>/config/netcnfg entry for the server in question.
This file is used to map service names to server host names (or IP addresses) and port
numbers, usually for Solutions Enabler SYMCLI commands.
The format of records within this file is as follows:
<ServiceName> TCPIP <HostName> <IP-Address> <Port> <SecurityLevel>
Where <ServiceName> is the service name used by SYMCLI commands, <HostName> and
<IP-Address> identify the server host, <Port> is the port on which its storsrvd daemon listens,
and <SecurityLevel> is the per-server attribute (NONSECURE or ANY to permit a non-SSL
connection to that server).
For additional information, refer to client/server security in the EMC Solutions Enabler Installation
Guide.
Setting: ... = SECURE | NONSECURE | ANY
File: <SYMAPI_HOME>/config/daemon_options
Description: On server hosts: controls whether servers will establish an SSL secured connection.
    SECURE (default): Secure SSL connections are always used. All other connection types
    are refused.
    NONSECURE: Non-SSL connections are used; secure SSL connections are not used.
    ANY: An SSL secured connection is established when supported by the client; otherwise a
    non-SSL connection is used.
Setting: storsrvd:security_clt_secure_lvl = MUSTVERIFY | VERIFY | NOVERIFY
File: <SYMAPI_HOME>/config/daemon_options
Setting: SYMAPI_SERVER_SECURITY_LEVEL = SECURE | NONSECURE | ANY
File: <SYMAPI_HOME>/config/options
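The following Python is an added example (not from the EMC guide) serving both the netcnfg record format above and the security-level table: it parses netcnfg records and works out what a connection attempt yields for each combination of server-side and client-side level, so an administrator can see which services a client would still reach over a non-SSL connection. The server-side behaviour is taken from the table; the client-side meaning of SECURE/NONSECURE/ANY (SECURE requires SSL, NONSECURE never uses it, ANY accepts either with SSL preferred), the optional sixth field, '#' comments in netcnfg, and a client default of SECURE are assumptions made for this example. The service names, hosts and addresses are constructed.

```python
# Added example (not from the EMC guide): parse netcnfg records and work out
# what a connection attempt will yield for each combination of server-side and
# client-side security level. Server behaviour follows the guide's table; the
# client-side meaning of SECURE/NONSECURE/ANY, the optional sixth field, the
# SECURE client default and '#' comments in netcnfg are assumptions.

SECURITY_LEVELS = ("SECURE", "NONSECURE", "ANY")


def parse_netcnfg(text):
    """Parse '<ServiceName> TCPIP <HostName> <IP-Address> <Port> [<SecurityLevel>]'
    records into dicts; a malformed record raises ValueError with its line number."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (5, 6) or fields[1].upper() != "TCPIP":
            raise ValueError("netcnfg line %d: unexpected record %r" % (lineno, raw))
        try:
            port = int(fields[4])
        except ValueError:
            raise ValueError("netcnfg line %d: port is not a number" % lineno)
        if not 1 <= port <= 65535:
            raise ValueError("netcnfg line %d: port %d out of range" % (lineno, port))
        level = fields[5].upper() if len(fields) == 6 else None
        if level is not None and level not in SECURITY_LEVELS:
            raise ValueError("netcnfg line %d: bad security level %r" % (lineno, fields[5]))
        entries.append({"service": fields[0], "host": fields[2], "ip": fields[3],
                        "port": port, "level": level})
    return entries


def effective_client_level(entry, global_level):
    """The per-server netcnfg attribute wins; otherwise SYMAPI_SERVER_SECURITY_LEVEL."""
    return entry["level"] or global_level.upper()


def negotiate(server_level, client_level):
    """'SSL', 'PLAIN' or 'REFUSED' for one connection attempt."""
    s, c = server_level.upper(), client_level.upper()
    if s not in SECURITY_LEVELS or c not in SECURITY_LEVELS:
        raise ValueError("unknown security level")
    client_ssl = c in ("SECURE", "ANY")          # assumption: client can use SSL
    client_plain = c in ("NONSECURE", "ANY")     # assumption: client accepts non-SSL
    if s == "SECURE":                            # server refuses everything but SSL
        return "SSL" if client_ssl else "REFUSED"
    if s == "NONSECURE":                         # server never uses SSL
        return "PLAIN" if client_plain else "REFUSED"
    return "SSL" if client_ssl else "PLAIN"      # ANY: SSL when the client supports it


def connection_plan(entries, server_level, global_client_level="SECURE"):
    """{service: outcome} for every netcnfg entry against a server at server_level."""
    return {e["service"]: negotiate(server_level, effective_client_level(e, global_client_level))
            for e in entries}


def plaintext_capable(entries, global_client_level="SECURE"):
    """Services for which this client would accept a non-SSL connection; on a
    hardened client this list should be empty."""
    return [e["service"] for e in entries
            if effective_client_level(e, global_client_level) in ("NONSECURE", "ANY")]


# Constructed netcnfg text (service names, hosts and addresses are made up).
SAMPLE_NETCNFG = """\
# service      protocol  host     address       port  level
svc_main       TCPIP     node001  192.0.2.10    2707  SECURE
svc_legacy     TCPIP     node002  192.0.2.11    2707  NONSECURE
svc_mixed      TCPIP     node003  192.0.2.12    2707  ANY
svc_default    TCPIP     node004  192.0.2.13    2707
"""

if __name__ == "__main__":
    entries = parse_netcnfg(SAMPLE_NETCNFG)
    for level in SECURITY_LEVELS:
        print("server", level, "->", connection_plan(entries, level))
    print("services allowing non-SSL:", plaintext_capable(entries))
```

The useful check for a defender is plaintext_capable(): with the server left at its SECURE default, a NONSECURE entry is simply refused, but once SYMAPI_SERVER_SECURITY_LEVEL is relaxed to ANY every entry without an explicit SECURE attribute becomes willing to fall back to an unencrypted session.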
2.5 Data security
Solutions Enabler maintains sensitive data in a number of files. It is important to back up and
protect these files. If they are lost, functionality that depends on the data that they contain may be
impacted.
File location:
<SYMAPI_HOME>/config/emcpwddb.dat
<SYMAPI_HOME>/config/lockboxp
<SYMAPI_HOME>/config/lockboxb
<SYMAPI_HOME>/db/symapi_db.bin
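As an added example (not from the EMC guide), the following Python audits a UNIX <SYMAPI_HOME>/config directory against the advice in this section and in the deployment checklist: only the owner may write the directory and its files, and the password database and lockbox files named above should not be readable by group or others. The demo directory, its file modes, and the choice of which files count as sensitive are this example's own; mode-bit checks say nothing on Windows, where the directory ACLs would have to be inspected instead.

```python
# Added example (not from the EMC guide): a UNIX-side audit of the files named
# above, checking that only their owner can write them and that the
# password/lockbox files are not readable by everyone.
import os
import stat
import tempfile

# Files the guide lists under <SYMAPI_HOME>/config that hold sensitive data.
SENSITIVE_FILES = ("emcpwddb.dat", "lockboxp", "lockboxb")
GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
GROUP_OR_OTHER_READ = stat.S_IRGRP | stat.S_IROTH


def audit_config_dir(config_dir):
    """Return a list of (name, finding) pairs; an empty list means the
    directory and its files match the guide's advice. '.' names the
    directory itself."""
    findings = []
    dir_mode = stat.S_IMODE(os.stat(config_dir).st_mode)
    if dir_mode & GROUP_OR_OTHER_WRITE:
        findings.append((".", "directory writable by group/others (mode %04o)" % dir_mode))
    for name in sorted(os.listdir(config_dir)):
        path = os.path.join(config_dir, name)
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            # A link can redirect a privileged daemon to a file outside the tree.
            findings.append((name, "symbolic link inside the config directory"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & GROUP_OR_OTHER_WRITE:
            findings.append((name, "writable by group/others (mode %04o)" % mode))
        if name in SENSITIVE_FILES and mode & GROUP_OR_OTHER_READ:
            findings.append((name, "sensitive file readable by group/others (mode %04o)" % mode))
    return findings


def make_demo_config_dir():
    """Create a throwaway directory of constructed files (not a real
    <SYMAPI_HOME>/config) with a mix of acceptable and poor permissions."""
    root = tempfile.mkdtemp(prefix="symapi_config_demo_")
    os.chmod(root, 0o755)
    demo = [
        ("emcpwddb.dat", 0o600),  # fine: owner only
        ("lockboxb", 0o600),      # fine
        ("lockboxp", 0o644),      # poor: everyone can read a lockbox file
        ("netcnfg", 0o644),       # fine: not sensitive, not writable by others
        ("options", 0o666),       # poor: anyone can change options
    ]
    for name, mode in demo:
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("# constructed demo file\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo_dir = make_demo_config_dir()
    for name, finding in audit_config_dir(demo_dir) or [("-", "no findings")]:
        print("%-14s %s" % (name, finding))
```

Run against the real directory, audit_config_dir("/var/symapi/config") on a UNIX host returns the same kind of list; a world-writable options or netcnfg file is the more serious finding, since the daemons described in this guide read those files while running as root.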
2.6 Other security considerations
2.6.1 Daemon processes on UNIX
Solutions Enabler uses a number of helper daemon processes: storapid, storsrmd,
storsrvd, storgnsd, storrdfd, storevntd, storwatchd. On UNIX, these daemons run as
root by default as a result of their executables being marked setuid-to-root.
The storsrvd, storgnsd, storevntd, and storwatchd daemons can optionally be
configured to run as an identity other than root. This can be set during Solutions Enabler
installation using the -daemonuid=Name option, which, when used with the -silent option,
changes ownership of the daemons to a non-root user, or post-install using the stordaemon
command. For information on which daemons are affected by this option, refer to the
stordaemon man page. For example, the following command configures the GNS daemon to
run under the bin user account:
stordaemon setuser storgnsd -user bin
Similarly, the following command configures all daemons to run under the bin user account:
stordaemon setuser all -user bin
For additional information, refer to the stordaemon man page. Also refer to the
<SYMAPI_HOME>/config/README.daemon_users file that is installed with Solutions Enabler.
- Protect the <SYMAPI_HOME>/config directory and its contents so that only appropriate
  administrators have write access. [Section 2.6.2 on page 15]
- To limit the amount of disk space used by Solutions Enabler log files, arrange for these to
  be cleaned up automatically after some period of time. [Section 2.3.2 on page 7]
- Use Symmetrix Access Control and/or Symmetrix User Authorization to restrict which
  hosts and users may perform management operations. [Section 2.2.2 on page 5]
- If a firewall or NAT router exists between client and server hosts, you may need to
  configure specific ports and allow those to pass through. [Section 2.4.1 on page 8]
- For maximum network security, replace the self-signed SSL certificates that are installed
  by default with ones appropriate and specific to your site. [Section 2.4.5.3 on page 12]
- On server hosts:
  - Arrange for the storsrvd daemon to be started automatically by the operating system.
    [Section 2.4.4.1 on page 10]
  - If necessary, modify the port on which the storsrvd daemon listens. [Section
    2.4.4.2 on page 10]
  - If you want to limit the set of client hosts that the server will accept connections
    from, configure the nethost file. [Section 2.4.4.2 on page 10]
  - If you want to limit the functionality that the server makes available to remote client
    hosts, configure the specific options. [Section 2.4.4.3 on page 10, or for z/OS
    section 2.4.4.4 on page 11]
  - UNIX only: Since the storsrvd daemon is network facing, consider having it run
    as something other than root. [Section 2.6.3 on page 15]
- On client hosts:
  - For SYMCLI users, modify the netcnfg file with the host names or IP addresses
    of your servers. [Section 2.4.2 on page 9 and section 2.4.6 on page 12]
  - If using asynchronous events through the event daemon, modify the port on
    which the client event daemon listens. [Section 2.4.1 on page 8 and "Port settings"
    on page 9]
4 Secure Maintenance
4.1 Backup of Solutions Enabler state
The following directories and their contents should be backed up to preserve the Solutions
Enabler configuration on a host:
<SYMAPI_HOME>/config
<SYMAPI_HOME>/db
The other directories under <SYMAPI_HOME> contain less critical data that will be recreated by
Solutions Enabler as necessary.