
EMC

EMC XtremIO Storage Array


XIOS Versions 4.0.2, 4.0.4 and 4.0.10
XMS Version 4.2.0

Security Configuration Guide


P/N 302-002-970
REV 01

June 15, 2016

Topics include:
Overview (page 2)
Access Control Settings (page 3)
Log Settings (page 7)
Communication Security Settings (page 7)
Data Security Settings (page 10)

Note: This document was accurate at publication time. Go to EMC Online Support
(https://support.emc.com) to ensure that you are using the latest version of this
document.


This document provides specific information on XtremIO clusters that are managed by
XMS version 4.2.0. For XtremIO clusters that are managed by XMS version 4.0.2 or 4.0.4,
refer to the appropriate XtremIO product documents which are provided for these
versions.
Overview
This guide provides an overview of the available security configuration settings that are
applied in the XtremIO Storage Array to ensure its secure operation and data protection.
Security settings are sub-categorized as follows:
Access control settings - describes internal and external settings that limit end-user
access to the cluster.
Log settings - describes settings related to logging of events.
Communication security settings - describes settings related to XtremIO Storage Array
network communications.
Data security settings - describes settings for protecting and erasing user data
handled by the XtremIO Storage Array.
Secure serviceability settings - describes settings that ensure control of service
operations performed on XtremIO Storage Arrays by EMC or its service partners.

2 EMC XtremIO Storage Array Security Configuration Guide


Access Control Settings

Access control settings enable protecting the cluster's resources from unauthorized
access.

User Authentication
User authentication settings control the process of verifying an identity claimed by a user
for accessing the product's various user interfaces (shell access, command line,
graphical, etc.).

Default Accounts
The following default accounts are pre-configured on the XtremIO Storage Array:

User Account | Component | Description
xinstall | Storage Controller and XMS operating system | Initial configuration and software installation
xmsupload | XMS operating system | Uploading SW images to the XMS for installation and upgrade
xmsadmin | XMS operating system | Direct access to the XMCLI shell from console or SSH
root | Storage Controller and XMS operating system | Advanced support
ADMIN | Storage Controller IPMI | HW management and monitoring
tech | XMS CLI / GUI / RESTful API (for accessing admin level commands) | EMC technician account for cluster creation and part replacement
admin | XMS CLI / GUI / RESTful API | Storage Array configuration, operation and user management
rp_user | XMS CLI / RESTful API | Internal built-in account for integration with RecoverPoint only
odx_user | XMS CLI / RESTful API | Internal built-in account for ODX integration only
smi_s_provider | ECOM/SMI-S Provider | Internal built-in account for integration with ECOM/SMI-S Provider only. This account must be present and set up in both XMS and ECOM, for ECOM to obtain necessary initialization and setup information from XMS.


If needed, you can change the default passwords for xinstall, xmsupload and root
on the cluster. For the procedure guidelines, refer to EMC knowledge-base article
#183472 (https://support.emc.com/kb/183472).

Note: Changing the cluster's default passwords per this knowledge base article requires
EMC Global Services approval via RPQ.

Note: The root account enables troubleshooting before cluster installation.

Note: To block root access, contact Support.

Note: If you change the default username/password for the SMI-S provider user on the
XMS server, you need to make the corresponding change in ECOM. This username is not
the one SMI-S clients should use for communicating with ECOM. SMI-S clients who wish to
communicate with ECOM must set up a unique username/password in Microsoft SCVMM,
ECOM and the XtremIO XMS server.

Authentication Configuration
LDAP Authentication - The Lightweight Directory Access Protocol (LDAP) is an
application protocol for accessing and maintaining distributed directory information
services over an Internet Protocol (IP) network.
The XtremIO Storage Array supports LDAP user authentication. Once configured for
LDAP authentication, the XMS redirects user authentication to the configured LDAP
or Active Directory (AD) servers and allows access to authenticated users only. A user's
XMS permissions are defined based on a mapping between the user's LDAP/AD
groups and XMS roles.
The XMS Server LDAP Configuration feature allows using a single server or multiple servers
for external user authentication when logging in to the XMS server.
The LDAP operation is performed once, when logging in to an XMS server with external
user credentials. The XMS server operates as an LDAP client and connects to an LDAP
service running on an external server. The LDAP search is performed using the
pre-configured LDAP Configuration profile and the external user's login credentials.
If the authentication is successful, the external user logs in to the XMS server and
accesses the full or limited XMS server functionality (according to the XMS role that
was assigned to the AD user's group). The external user's credentials are saved in the
XMS cache and a new user profile is created in the XMS User Administration
configuration. From that point, the external user's authentication is performed internally
by the XMS server, without connecting to an external server. The XMS server
re-performs the LDAP search only after the LDAP Configuration cache expires (the cache
expiration default value is 24 hours) or at the next successful external user login if the
external user's credentials were removed from the XMS Server User Administration
manually.
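As an added illustration (not from the guide or from EMC), the following Python model walks through the login flow just described: the first external login triggers an LDAP search, the result is cached, and later logins are verified locally until the 24-hour cache expires or the user is removed manually. The directory contents, user names, groups and group-to-role mapping are constructed; the model also makes visible the operational consequence that a password rotated in AD is still accepted from the cache until it expires.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the external LDAP/AD directory: user -> (password, groups).
# A real XMS performs an LDAP search and bind against the configured server instead.
DIRECTORY = {
    "alice": ("Al1ce-pw!", {"XIO-Admins"}),
    "bob": ("B0b-pw!", {"XIO-ReadOnly"}),
}

# Hypothetical group-to-role mapping, as an XMS LDAP Configuration profile would define it.
GROUP_TO_ROLE = {"XIO-Admins": "Administrator", "XIO-ReadOnly": "Read-Only"}

CACHE_TTL_SECONDS = 24 * 60 * 60  # default cache expiration stated in the guide


def _hash_password(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


class XmsLdapAuth:
    """Models the login flow: LDAP search on first login, cached verification afterwards."""

    def __init__(self, directory, group_to_role, ttl=CACHE_TTL_SECONDS):
        self.directory = directory
        self.group_to_role = group_to_role
        self.ttl = ttl
        self.cache = {}         # user -> (salt, password hash, role, expiry time)
        self.ldap_searches = 0  # number of round-trips to the external server

    def _ldap_search(self, user, password):
        """Simulated LDAP search and bind; returns the mapped XMS role or None."""
        self.ldap_searches += 1
        entry = self.directory.get(user)
        if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
            return None
        # First mapped group wins (assumption; the guide does not define precedence).
        mapped = (self.group_to_role[g] for g in sorted(entry[1]) if g in self.group_to_role)
        return next(mapped, None)

    def login(self, user, password, now):
        cached = self.cache.get(user)
        if cached is not None and now < cached[3]:
            salt, pw_hash, role, _ = cached
            # Served internally: no external server is contacted until the cache expires.
            return role if hmac.compare_digest(_hash_password(salt, password), pw_hash) else None
        role = self._ldap_search(user, password)
        if role is None:
            return None
        salt = os.urandom(16)
        self.cache[user] = (salt, _hash_password(salt, password), role, now + self.ttl)
        return role

    def remove_user(self, user):
        """Manual removal in XMS User Administration forces a fresh LDAP search at next login."""
        self.cache.pop(user, None)
```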


XtremIO LDAP integration supports the following LDAP options:
LDAP - clear text LDAP communication between the XMS and the LDAP server. LDAP uses
default port 389, or port 3268 for global catalog.
LDAPS - secure LDAP communication using Transport Layer Security (TLS) between
the XMS and the LDAP server. LDAPS can be used either with a root certificate to
validate the server's authenticity or without it. LDAPS uses default port 636, or 3269
for global catalog.
Start TLS - secure LDAP communication that starts on a non-secure port and
upgrades the session to TLS mid-session. Start TLS uses port 389, or port 3268 for global
catalog.
LDAP user authentication can be configured and managed via either GUI or CLI.
For detailed procedures, refer to the XtremIO Storage Array User Guide.
SSH key authentication - starting from version 2.4, the XtremIO Storage Array supports a
new user type that is restricted to CLI access and uses an SSH certificate rather than a
password for authentication. This user type can be used for running scripts from a
remote system.
For detailed procedures, refer to the XtremIO Storage Array User Guide.

Inactivity Timeout
The timeout is configured per user, which allows monitoring clients to stay connected
without being disconnected.
The XtremIO client inactivity timeout is set by default to ten minutes. The user is prompted
sixty seconds before the timeout expires. When the timeout expires, the user is prompted for
the user name and password again. Logging in again returns the user to the last opened screen.
The timeout can be changed in full-minute granularity (ranging from 0, meaning no timeout, to 12
hours). After the default timeout is changed, new users are created with the new value.
All login and re-login actions are logged.

Customized Login Banner
The XtremIO cluster enables you to customize your login banner in SSH, HTML and Java.
You can customize the banner by adding text, via CLI commands or GUI.
The login banner text is displayed on three screens:
XtremIO launch screen
XMS login screen
Login to XMCLI after providing the user name

User Actions Performed without Authentication
The XtremIO Storage Array blocks unauthenticated or anonymous user actions.


User Authorization
The XtremIO Storage Array supports four levels of user roles, as shown in the following
table:

User Role | Description
Technician | Authorized to perform all commands and manage all user accounts. Used only by XtremIO Storage Array trained support personnel.
Administrator | Authorized to perform all configuration, user account and cluster administration commands and manage all user accounts, except for technician user accounts.
Configuration | Authorized to perform all storage array configuration actions. Cannot manage users.
Read-Only | Authorized to view all storage array information. Cannot perform any configuration changes.

rp_user and odx_user are authorized to access all RecoverPoint and ODX objects,
respectively. They are built-in with the Administrator role to enable integration with
external systems and are not visible to regular (non-tech) XMS users in the user accounts
list.
RP users and ODX users are created with random, unknown passwords. RP users must be
assigned a password to integrate with the XMS. Any user with admin or tech permissions
can assign the password, using the following CLI command:
modify-password usr-id="rp_user"
ODX users do not require assigning a password.

Note: Assigning a password cannot be done via GUI because rp_user is not visible to
admin users.

The following table summarizes the different objects and their exposure to different users.

Object Type | RecoverPoint User | ODX User | Regular User | Tech User
RecoverPoint | Exposed | Not exposed | Not exposed | Exposed
ODX | Not exposed | Exposed | Not exposed | Exposed
Regular | Exposed | Exposed | Exposed | Exposed

The CLI/GUI/REST list of the VSG (Volume Snapshot Groups) does not display RP and ODX
volumes and does not allow non-RP users to access them.
System object counters (e.g. num_volumes) include the resources used by the
unexposed objects. The num_internal_volumes parameter provides the number of
objects that are consuming resources but are not exposed (it appears in the output of the
show-volume snapshot-groups CLI command and in the GUI display of VSGs).
However, the owner and permission properties are not exposed to the user in
CLI/GUI/REST. The displayed number of internal volumes differs according to the current
user's visibility.


Private reports are accessible to the report's creator and to tech users. Public reports can
be viewed by all users, and can be edited and deleted by the report's creator and by tech
users.

Component Access Control
Component access control settings define external access settings for secure iSCSI and
IPMI connectivity.

iSCSI SAN Security
XtremIO supports CHAP authentication for hosts using the iSCSI protocol. CHAP user names
and passwords can be configured for target discovery and initiator authentication. Mutual
CHAP can also be configured by assigning unique cluster credentials to each initiator,
allowing the initiator to authenticate the target.
For details, refer to the XtremIO Storage Array User Guide.
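An added example, not from the guide: a Python model of the one-way and mutual CHAP exchange (CHAP-MD5 as iSCSI uses it, RFC 1994 section 4.1), with a constructed initiator name and constructed secrets. The mutual leg uses a cluster credential held per initiator, as the paragraph describes, so a target that does not hold that credential fails the initiator's check.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-MD5 response as used by iSCSI (RFC 1994): MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapPeer:
    """One side of a CHAP exchange (an iSCSI initiator or the XtremIO target portal)."""

    def __init__(self, name: str, prove: dict, verify: dict):
        self.name = name
        self.prove = prove        # peer name -> secret this side proves knowledge of
        self.verify_db = verify   # peer name -> secret this side expects the peer to prove
        self._pending = {}        # peer name -> (identifier, challenge) awaiting a response

    def challenge(self, peer: str):
        ident, chal = os.urandom(1)[0], os.urandom(16)  # fresh, unpredictable per exchange
        self._pending[peer] = (ident, chal)
        return ident, chal

    def answer(self, peer: str, ident: int, chal: bytes):
        return self.name, chap_response(ident, self.prove[peer], chal)

    def verify(self, peer: str, response: bytes) -> bool:
        pending = self._pending.pop(peer, None)
        if pending is None or peer not in self.verify_db:
            return False  # unsolicited response, or an initiator/target not configured here
        expected = chap_response(pending[0], self.verify_db[peer], pending[1])
        return hmac.compare_digest(expected, response)


def mutual_chap(initiator: ChapPeer, target: ChapPeer) -> bool:
    """Target authenticates the initiator, then the initiator authenticates the target."""
    ident, chal = target.challenge(initiator.name)
    name, resp = initiator.answer(target.name, ident, chal)
    if not target.verify(name, resp):
        return False
    # Mutual leg: the cluster proves the per-initiator credential configured for this host.
    ident, chal = initiator.challenge(target.name)
    name, resp = target.answer(initiator.name, ident, chal)
    return initiator.verify(name, resp)
```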

Log Settings
The XtremIO Storage Array keeps event logs in the XMS database. Events consist of
configuration, audit and any system event.

Log Management & Retrieval
XtremIO allows configuring external log reporting as follows:
SNMP can be configured via the GUI or CLI. For detailed procedures, refer to the
XtremIO Storage Array User Guide.
SMTP can be configured via the GUI or CLI. For detailed procedures, refer to the
XtremIO Storage Array User Guide.
Remote syslog: the XtremIO Storage Array enables you to send events to a remote syslog
server. You can configure up to 6 syslog servers and use the event handlers configuration
to select the events that are sent via the syslog interface. Remote syslog can be
configured via the GUI or CLI. For detailed procedures, refer to the XtremIO Storage
Array User Guide.

Communication Security Settings
Communication security settings enable the establishment of secure communication
channels between the product's components, as well as between product components
and external systems or components.
To further enhance the security of the communication channel between the XMS and the
Storage Controller, it is recommended to use an external firewall (FW) device to ensure that
only the XMS IP address can access the Storage Controller's management IP address. Make
sure that all ports that are marked XMS -> XtremIO Storage Controller are allowed.


Port Usage
For the list of the ports and protocols that are used by the XtremIO Storage Array, refer
to EMC XtremIO Storage Array Site Preparation Guide.
Figure 1 describes the mapping of the ports and protocols, used by the XtremIO Storage
Array.

[Figure 1: Ports and Protocols (1) - diagram not reproduced in this text. Components shown:
X-Brick Storage Controller (XIOS, OS, BMC, SCSI targets); XMS (SMI-S, Reporting, UI, OS, NTP,
Authentication, Connect EMC, XIOS Manager); clients (SMI-S, CLI, GUI, RESTful API); hosts
(iSCSI, Fibre Channel); ESRS gateways; corporate email server; corporate Active Directory/LDAP
server; external NTP; corporate logging system. Protocol/port labels shown: SLP (UDP/427),
HTTPS (TCP/443, TCP/5989, TCP/8443), iSCSI (TCP/3260), NTP (UDP/123), SSH (TCP/22 and
TCP/22000-22032), XMLRPC (TCP/11111 and TCP/11000-11032), IPv6 (TCP/11112), IPMI
(TCP/23000-23032), ICMP, SNMP (UDP/162), Syslog (UDP/514), SMTP (TCP/25), LDAP (TCP/389
and 3268), LDAPS (TCP/636 and 3269), FTPS (TCP/990 and 989).]

1. ICMP between the XMS and the Storage Controller is used for diagnostic purposes only.


InfiniBand Network Settings
The XtremIO cluster uses InfiniBand (IB) networking for internal communication between
the Storage Controllers. The IB network is crucial for the functionality of the cluster and
must not be interrupted.
Each Storage Controller is connected to two InfiniBand Switches for high-availability (in
case of a single X-Brick cluster, the Storage Controllers are connected back-to-back) and
the switches are connected to each other to create a full mesh.
Connecting the InfiniBand Switches to any external network or connecting any foreign
device to any of the switches is not allowed.

Network Encryption
The XtremIO cluster management is carried out over HTTPS. Remote CLI, GUI and RESTful
API communicate with the XMS over a secure SSL channel.
The XMS comes pre-installed with a self-signed certificate that can be replaced via CLI
commands with a third party signed certificate.
For detailed procedures, refer to the XtremIO Storage Array User Guide.

Network Separation
The XtremIO cluster uses a separate port dedicated to IPMI, using internal addresses.

VLAN Support
The XtremIO cluster supports up to 4094 VLANs. For each VLAN the user defines a portal.
It is possible to define a route per VLAN. For HA purposes it is possible to assign the same
VLAN to physical ports that belong to different controllers. The system issues an alert if a
VLAN is assigned to only one physical port to ensure multipath for each VLAN.
XtremIO supports IEEE 802.1q VLAN tagging, and allows both untagged and tagged
VLANs.
When VLAN tagging is used, the port assigns a tag to the outgoing packets according to
the destination address. On the receive path, a packet with a wrong VLAN tag is dropped
by the port.
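Added example (not from the guide): a Python parser for 802.1Q-tagged Ethernet frames that applies the receive-path rule just described, dropping frames whose VLAN ID is not assigned to the port or lies outside the 1-4094 range, plus a check that lists VLANs assigned to only one physical port, the condition the guide says the system alerts on. MAC addresses, VLAN IDs and port names are constructed.

```python
import struct

TPID_8021Q = 0x8100   # 802.1Q tag protocol identifier
MAX_VLAN_ID = 4094    # VLAN limit stated in the guide; VID 0 and 4095 are reserved by 802.1Q


def build_frame(dst: bytes, src: bytes, vid, ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet II frame, inserting an 802.1Q tag when vid is not None."""
    header = dst + src
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI bits left at 0
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes):
    """Return (dst, src, vid or None, ethertype, payload); raise on malformed input."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner_type, frame[18:]


def port_accepts(frame: bytes, port_vids: set, untagged_allowed: bool) -> bool:
    """Receive-path rule from the guide: a frame with a wrong VLAN tag is dropped by the port."""
    vid = parse_frame(frame)[2]
    if vid is None:
        return untagged_allowed
    return 1 <= vid <= MAX_VLAN_ID and vid in port_vids


def single_port_vlans(assignments: dict) -> set:
    """VLANs assigned to only one physical port (port name -> set of VIDs).
    The guide says the system alerts on these, since such a VLAN has no multipath."""
    ports_per_vid = {}
    for port, vids in assignments.items():
        for vid in vids:
            ports_per_vid.setdefault(vid, set()).add(port)
    return {vid for vid, ports in ports_per_vid.items() if len(ports) == 1}
```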

SSH Firewall
The SSH firewall in locked mode prevents opening outgoing connections from the cluster's
Storage Controllers to the customer network.
To lock the SSH firewall, run the following command:

modify-ssh-firewall ssh-firewall-mode="locked"


Unique SSH Key
XtremIO XMS uses SSH-key-based authentication (together with user password
authentication) to access the cluster's Storage Controllers for maintenance purposes,
such as log bundle collection. The cluster is shipped from the factory with a default SSH
key. For information on refreshing the unique SSH key, refer to the EMC XtremIO Storage
Array User Guide.

Data Security Settings
Data security settings prevent unauthorized access to data by defining procedures for
configuring data encryption and erasure.

Data at Rest Encryption
XtremAPP versions 2.4.1 and above support Data at Rest Encryption on 20TB X-Brick type
clusters and on 10TB Encryption Capable X-Brick types.

Note: As of version 4.0.0, newly-created clusters that support encryption are encrypted
upon creation.

It is possible to enable encryption without losing data. Media Encryption Keys are stored
in the SSDs' dedicated hardware and cannot be accessed. When encryption is enabled,
all SSDs (both in the Storage Controllers and in the DAEs) are locked using a PIN code
which is stored securely in the cluster.
The SSD PIN can be modified to comply with key rollover requirements. During the
process, the software generates a new PIN for each SSD. Old PINs are kept for as long as
the operation continues, to ensure access to SSDs that have not yet been changed. When the
process is complete, the new PINs are kept in memory and the old PINs are retired.

Note: Enabling and disabling data encryption requires a service shutdown.

For details, refer to the XtremIO Storage Array Software Installation and Upgrade Guide.

Data Integrity
Data integrity is built into the XtremIO Data Protection mechanism and does not require
any configuration.

Data Erasure
Secure Data Erasure is offered as a service from EMC Global Services. For details, contact
EMC Support.

