Topics include:
Overview
Access Control Settings
Log Settings
Communication Security Settings
Data Security Settings
Note: This document was accurate at publication time. Go to EMC Online Support
(https://support.emc.com) to ensure that you are using the latest version of this
document.
This document provides specific information on XtremIO clusters that are managed by
XMS version 4.2.0. For XtremIO clusters that are managed by XMS version 4.0.2 or 4.0.4,
refer to the appropriate XtremIO product documents which are provided for these
versions.
Overview
This guide provides an overview of the available security configuration settings that are
applied in the XtremIO Storage Array to ensure its secure operation and data protection.
Security settings are sub-categorized as follows:
Access control settings - describes internal and external settings that limit end-user
access to the cluster.
Log settings - describes settings related to logging of events.
Communication security settings - describes settings related to XtremIO Storage Array
network communications.
Data security settings - describes settings for protecting and erasing user data
handled by the XtremIO Storage Array.
Secure serviceability settings - describes settings that ensure control of service
operations performed on XtremIO Storage Arrays by EMC or its service partners.
User Authentication
User authentication settings control the process of verifying an identity claimed by a user
for accessing the product's various user interfaces (shell access, command line,
graphical, etc.).
Default Accounts
The following default accounts are pre-configured on the XtremIO Storage Array:

Account    Access                                   Purpose
xmsadmin   XMS operating system                     Direct access to the XMCLI shell from console or SSH
tech       XMS CLI / GUI / RESTful API (for         EMC technician account for cluster creation and part
           accessing admin level commands)          replacement
admin      XMS CLI / GUI / RESTful API              Storage Array configuration, operation and user management
rp_user    XMS CLI / RESTful API                    Internal built-in account for integration with RecoverPoint only
odx_user   XMS CLI / RESTful API                    Internal built-in account for ODX integration only
If needed, you can change the default passwords for xinstall, xmsupload and root
on the cluster. For the procedure guidelines, refer to EMC knowledge base article
183472 (https://support.emc.com/kb/183472).
Note: Changing the cluster's default passwords per this knowledge base article requires
EMC Global Services approval via RPQ.
Note: If you change the default username/password for the SMI-S provider user on the
XMS server, you need to make the corresponding change in ECOM. This username is not
the one SMI-S clients should use for communicating with ECOM. SMI-S clients who wish to
communicate with ECOM must set up a unique username/password in Microsoft SCVMM,
ECOM and the XtremIO XMS server.
Authentication Configuration
LDAP Authentication - The Lightweight Directory Access Protocol (LDAP) is an
application protocol for accessing and maintaining distributed directory information
services over an Internet Protocol (IP) network.
The XtremIO Storage Array supports LDAP user authentication. Once configured for
LDAP authentication, the XMS redirects user authentication to the configured LDAP
or Active Directory (AD) servers and allows access to authenticated users only. Users'
XMS permissions are defined based on a mapping between the users' LDAP/AD
groups and XMS roles.
The XMS Server LDAP Configuration feature allows one or more servers to be used for
authenticating external users when they log in to the XMS server.
The LDAP operation is performed once, when logging in to an XMS server with external
user credentials. The XMS server operates as an LDAP client and connects to an LDAP
service running on an external server. The LDAP Search is performed using the
pre-configured LDAP Configuration profile and the external user's login credentials.
If the authentication is successful, the external user logs in to the XMS server and
accesses the full or limited XMS server functionality (according to the XMS Role that
was assigned to the AD user's group). The external user's credentials are saved in the
XMS Cache and a new user profile is created in the XMS User Administration
configuration. From that point, the external user's authentication is performed internally
by the XMS server, without connecting to an external server. The XMS server
re-performs the LDAP Search only after the LDAP Configuration cache expires (the cache
expiration default value is 24 hours), or at the next successful external user login if the
external user's credentials were removed manually from the XMS Server User
Administration.
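The caching behaviour described above has a security consequence worth seeing concretely: once an external user's credentials are cached, disabling that account in AD does not take effect on the XMS until the cache expires or the user is removed manually from User Administration. The following is an added model of that flow, not XtremIO code; the LDAP server, the account data, the group-to-role mapping and the way credentials are cached (as a SHA-256 digest) are constructed stand-ins, while the 24-hour default and the role names come from this guide.

```python
import hashlib
import hmac

CACHE_TTL_SECONDS = 24 * 60 * 60  # documented default LDAP cache expiration

# Constructed mapping of LDAP/AD group DNs to XMS roles (role names from this guide).
GROUP_TO_ROLE = {
    "cn=storage-admins,dc=example,dc=com": "Configuration",
    "cn=storage-viewers,dc=example,dc=com": "Read-Only",
}

def _digest(secret):
    return hashlib.sha256(secret.encode()).hexdigest()

class FakeLdapServer:
    """Stand-in for the corporate LDAP/AD server, holding constructed accounts."""
    def __init__(self):
        self.accounts = {"alice": ("s3cret", "cn=storage-admins,dc=example,dc=com")}
        self.searches = 0  # number of LDAP Search operations the XMS issued

    def bind_and_search(self, user, password):
        self.searches += 1
        entry = self.accounts.get(user)
        if entry is None or entry[0] != password:
            return None
        return entry[1]  # the user's group DN

class XmsUserAdministration:
    """Model of the XMS cache of external users and their mapped roles."""
    def __init__(self, ldap):
        self.ldap = ldap
        self.cache = {}  # user -> (credential digest, role, cached_at)

    def login(self, user, password, now):
        entry = self.cache.get(user)
        if entry and now - entry[2] < CACHE_TTL_SECONDS:
            # Cache still valid: verified internally, no external round trip.
            return entry[1] if hmac.compare_digest(entry[0], _digest(password)) else None
        group = self.ldap.bind_and_search(user, password)
        role = GROUP_TO_ROLE.get(group) if group else None
        if role is None:
            return None  # bad credentials, or group not mapped to an XMS role
        self.cache[user] = (_digest(password), role, now)
        return role

    def remove_external_user(self, user):
        """Manual removal from User Administration; the next login goes back to LDAP."""
        self.cache.pop(user, None)
```

Running the model shows that a user deleted from the directory keeps logging in until the cache expires, and that removing the cached profile closes that window immediately.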
Inactivity Timeout
The timeout is configured per user, so that monitoring clients can remain connected
without being disconnected.
The XtremIO client inactivity timeout is set by default to ten minutes. The user is prompted
sixty seconds before the timeout expires. When the timeout expires, the user is prompted for
the user name and password again. Logging in again returns the user to the last opened screen.
The timeout can be changed in full-minute granularity (ranging from 0, meaning no timeout, to 12
hours). After the default timeout is changed, new users are created with the new value.
All login and re-login actions are logged.
User Authorization
The XtremIO Storage Array supports four levels of user roles, as shown in the following
table:

Role           Description
Technician     Authorized to perform all commands and manage all user accounts. Used only
               by XtremIO Storage Array trained support personnel.
Configuration  Authorized to perform all storage array configuration actions. Cannot manage
               users.
Read-Only      Authorized to view all storage array information. Cannot perform any
               configuration changes.
rp_user and odx_user are authorized to access all RecoverPoint and ODX objects,
respectively. They are built-in with the Administrator role to enable integration with
external systems and are not visible to regular (non-tech) XMS users in the user accounts
list.
RP users and ODX users are created with random, unknown passwords. RP users must be
assigned a password to integrate with the XMS. Any user with admin or tech permissions
can assign the password, using the following CLI command:
modify-password usr-id="rp_user"
ODX users do not require assigning a password.
Note: Assigning a password cannot be done via GUI because rp_user is not visible to
admin users.
The following table summarizes the different objects and their exposure to different users.
Object Type RecoverPoint User ODX User Regular User Tech User
The CLI/GUI/REST list of the VSG (Volume Snapshot Groups) does not display RP and ODX
volumes and does not allow non-RP users to access them.
System object counters (e.g. num_volumes) include the resources used by the
unexposed objects. The num_internal_volumes parameter provides the number of
objects that are consuming resources but are not exposed (it appears in the output of the
show-volume snapshot-groups CLI command and in the GUI displaying VSG).
However, the owner and permission properties are not exposed to the user in
CLI/GUI/REST. The displayed number of internal volumes differs according to the current
user's visibility.
Private reports are accessible to the report's creator and to tech users. Public reports can
be viewed by all users, and can be edited and deleted by the report's creator and by tech
users.
Log Settings
The XtremIO Storage Array keeps event logs in the XMS database. Events consist of
configuration, audit and any system event.
Port Usage
For the list of the ports and protocols that are used by the XtremIO Storage Array, refer
to the EMC XtremIO Storage Array Site Preparation Guide.
Figure 1 describes the mapping of the ports and protocols used by the XtremIO Storage
Array.
[Figure 1: Port and protocol mapping between Clients (CLI, GUI, RESTful API, SMI-S), Hosts,
the X-Brick Storage Controllers, the XMS (XIOS Connect, SMI-S, Reporting UI, OS, NTP,
Authentication Manager), EMC ESRS gateways, and the corporate email, Active Directory/LDAP,
external NTP and logging servers. Protocols and ports shown in the diagram: iSCSI (TCP/3260),
Fibre Channel, HTTPS (TCP/443 and 8443), SSH (TCP/22; TCP/22000-22032 to the Storage
Controllers), ICMP, NTP (UDP/123), XMLRPC (TCP/11111 and 11112), TCP/11000-11032,
IPMI (TCP/23000-23032), SNMP (UDP/162), Syslog (UDP/514), LDAP (TCP/389 and 3268),
LDAPS (TCP/636 and 3269), SMTP (TCP/25) and FTPS (TCP/990 and 989). Diagram not
reproduced.]
1. ICMP between the XMS and the Storage Controller is used for diagnostic purposes only.
Network Encryption
The XtremIO cluster management is carried out over HTTPS. Remote CLI, GUI and RESTful
API communicate with the XMS over a secure SSL channel.
The XMS comes pre-installed with a self-signed certificate that can be replaced via CLI
commands with a third party signed certificate.
For detailed procedures, refer to the XtremIO Storage Array User Guide.
Network Separation
The XtremIO cluster uses a separate port dedicated to IPMI, using internal addresses.
VLAN Support
The XtremIO cluster supports up to 4094 VLANs. For each VLAN the user defines a portal.
It is possible to define a route per VLAN. For HA purposes it is possible to assign the same
VLAN to physical ports that belong to different controllers. The system issues an alert if a
VLAN is assigned to only one physical port to ensure multipath for each VLAN.
XtremIO supports IEEE 802.1Q VLAN tagging, and allows both untagged and tagged
VLANs.
When VLAN tagging is used, the port assigns a tag to the outgoing packets according to
the destination address. On the receive path, a packet with a wrong VLAN tag is dropped
by the port.
SSH Firewall
The SSH firewall in locked mode prevents opening outgoing connections from the cluster's
Storage Controllers to the customer network.
To lock the SSH firewall, run the following command:
modify-ssh-firewall ssh-firewall-mode="locked"
Note: As of version 4.0.0, newly-created clusters that support encryption are encrypted
upon creation.
It is possible to enable encryption without losing data. Media Encryption Keys are stored
in the SSDs' dedicated hardware and cannot be accessed. When encryption is enabled,
all SSDs (both in the Storage Controllers and in the DAEs) are locked using a PIN code
which is stored securely in the cluster.
The SSD PIN can be modified to comply with key rollover requirements. During the
process, the software generates a new PIN for each SSD. Old PINs are kept for as long as
the operation continues, to ensure access to SSDs that have not yet been changed. When the
process is complete, the new PINs are kept in memory and the old PINs are retired.
For details, refer to the XtremIO Storage Array Software Installation and Upgrade Guide.
Data Integrity
Data integrity is built into the XtremIO Data Protection mechanism and does not require
any configuration.
Data Erasure
Secure Data Erasure is offered as a service from EMC Global Services. For details, contact
EMC Support.