Copyright © 2014 EMC Corporation. All Rights Reserved. Unisphere Security and Basic Management 1
Unisphere Security and Basic Management
VNX Administration
• Administration performed via GUI or CLI connection to VNX
Unisphere GUI
CLI to Control Station (for File) or Host Secure CLI (for Block)
EMC Unisphere
(Diagram labels: Browser session, Unisphere, VNX Client)
Unisphere Interface Terms and Components (1 of 8)
1. Top Navigation Bar
2. Task Pane (Expand)
3. Main Pane (Expand)
Unisphere Interface Terms and Components (2 of 8)
1. Navigation Task Menu (Hide)
2. “breadcrumb”
Unisphere Interface Terms and Components (3 of 8)
Unisphere Interface Terms and Components (4 of 8)
Tools: Page Help, Export to CSV file, Refresh the Page
Unisphere Interface Terms and Components (5 of 8)
Unisphere Interface Terms and Components (6 of 8)
• Mouse cursor over field name
Wait for pop-up description
Quick answers for simple usability questions
• Example:
User is creating an NFS Export for a File System (discussed later in this course)
The Create NFS export dialog box opens with a data form
Mouse cursor was placed over “Read-only Hosts:”
Operator waited two seconds
Unisphere Interface Terms and Components (7 of 8)
• Wizards
Generates a pop-up window
Simplified step-by-step walk-through
Designed for novice users
Further modification and management done using Navigation and Task pages
VNX for File Command Line Interface (CLI)
• Used for the completion of most administrative tasks
• Primary function: scripting of repetitive tasks
• CLI can be accessed on the Control Station (CS)
Local access available directly at the Control Station console
Remote access available via an SSH client such as PuTTY
• Approximately 80 Linux-like commands
CS runs an EMC-customized Linux
• Data Movers (DM) do not have a CLI
Commands are entered from the CS
The CS routes the commands to the Data Movers and Storage Systems
VNX for File CLI Commands
• cel_ commands
Execute against remotely-linked VNX for File systems
• cs_ commands
Execute on the local Control Station
• fs_ commands
Execute against the specified file system
• nas_ commands
Execute against the Control Station database
• server_ commands
Execute directly on a Data Mover
Unisphere Integration with VNX for File CLI
• Integration with Command Line Interface (CLI)
VNX for File CLI commands can be executed via GUI interface
Only one command at a time
VNX for Block Command Line Interface (CLI)
• Secure CLI is the comprehensive CLI solution for VNX for Block
Client application installed on supported Windows, Linux/Unix hosts
Commands consist of the naviseccli command and its options
Commands cover: storage connectivity/provisioning and management, LUN compression/expansion/migration, storage domain/host agents
SP Setup Page
Unisphere Security and Basic Management
Lesson 1: Summary
During this lesson the following topics were covered:
• VNX administration
• Unisphere interface navigation
• Command Line Interface (CLI) for File and Block access
Unisphere Security and Basic Management
VNX Management Access Security
• Different management applications with access to the VNX system
• Access limited to authorized users and applications
Authentication: Identify the user making a request
Authorization: Determine if the user has the right to exercise the request
Privacy: Avoid unauthorized disclosure of information to a user
Trust: Verify the identity of the communicating parties
Audit: Record of activities performed by an authenticated user
VNX Administration Security
Login
Administrative Authentication Scope
• Authentication Scopes
Global (Storage Domain)
Local
LDAP (LDAP Server)
(Diagram labels: Global User, LDAP User, LDAP Server)
VNX Default Management Accounts
• VNX for File and Unified systems default management accounts
Account | Description
root | VNX for File local account which provides administrator-level privileges on the CS
Administrative Roles
• Areas of Administrative responsibility
• Privileges to VNX object: Read/Modify/Full Control
• Associated to User’s Primary group
• System-defined roles: Cannot be modified/deleted
• User-defined role: Custom configured
• Roles apply to GUI & CLI
Unisphere SSL/TLS Certificates
• Certificates secure VNX network links for:
Management
LDAP bindings
Establishing a trusted identity
PKI encoding and decoding
• Default self-signed certificates
SPA, SPB & Control Station
2048 bit RSA keys
• Generate Data Mover self-signed certificates
• Configure CA-signed certificates
(Diagram labels: Client Software, VMware ESXi, LDAP, FileMover)
VNX Log Auditing
• Audit Logging on a VNX for Block system
Check for suspicious activity logged on the VNX SPs
Provides information on the affected SPs and the associated hosts
• Auditing on a VNX for File system
Capture management activities initiated from the Control Station
Verify access to key system files and end-user data
• Integration with RSA enVision
Application provides collection, analysis and reporting of administrative events logged by the VNX storage systems
Unisphere Security and Basic Management
Lesson 2: Summary
During this lesson the following topics were covered:
• VNX Administrative user authentication
• Unisphere authentication scopes
• Unisphere Security features
• Unisphere user roles for system administration
Unisphere Security and Basic Monitoring
Configuring LDAP Authentication Overview
• Configure LDAP binding to the LDAP server
• Map a VNX Administrative Role to an LDAP Group
• VNX creates a Local group and maps it to the LDAP Group
LDAP-based Domains:
• Microsoft AD
• iPlanet
• OpenLDAP
(Diagram steps: 1. LDAP Binding; 2. Role to Group mapping; 3. Group mapping)
Configuring LDAP Binding: Part 1
• Settings > Security
From the System Tasks pane: Manage LDAP Domain
• Server tab
IP address & port number
Server Type and Protocol
Domain Name
BindDN and Password
User and Group search paths
Configuring LDAP Binding: Part 2
• Role Mapping tab
For LDAP Group object
Domain group or user name
Role for user or group
• Advanced tab
Customize various LDAP attributes
Automatic LDAP Group Mapping
• New local group automatically created on the VNX
• Automatic mapping between the new local group and the LDAP domain group
Members of the LDAP group are granted the administrative rights for the role
LDAP User Login
• GUI Login
LDAP Credentials
Username/Password
Select Use LDAP option
• CLI Login to Control Station
LDAP credentials
Username format:
<username>@<domain name>
Unisphere Security and Basic Management
Lesson 3: Summary
During this lesson the following topics were covered:
• Integration of VNX with LDAP domains and users
• How to bind the Control Station and SPs to LDAP
• Configuration of Group mappings
• Assignment of Administrative Roles to LDAP users
Unisphere Security and Basic Management
Auditing on the VNX Control Station
• The purpose of auditing is to record the security-relevant events that happen on a system
Provides information about who initiated the event and the event’s effect on the system (e.g., success or failure)
• Auditing is driven by several factors, including compliance concerns and basic system management
• Auditing is enabled by default
Default Audit Events
• Defined in /etc/audit/audit.rules
Root file system access by Administrators
A list of sensitive system files
Changes to the audit infrastructure
Users authenticating to the system
Record Types
• Several main record types are associated with audit events
The main record types are listed in the table below
Record Type | Description
SYSCALL | Information associated with a system call invocation
USER_XX | Events associated with a user authenticating to the system
FS_WATCH | Associated with accessing a file system object that has an explicit watch placed on it
Audit Commands
• Native Linux commands
No VNX specific commands
Man pages
Requires root permissions
• /sbin/auditctl
Controls the kernel’s audit subsystem
• /sbin/ausearch
For reading the audit trail
• /sbin/aureport
Produces summary reports of audit logs
• /sbin/service auditd
Controls the audit subsystem
Options: start, stop, status, restart, reload, rotate, condrestart
Audit Control
• Configure Audit behavior - /sbin/auditctl
Example shows abbreviated output of this command’s help
# ./auditctl -h
usage: auditctl [options]
-a <l,a> Append rule to end of <l>ist with <a>ction
-A <l,a> Add rule at beginning of <l>ist with <a>ction
-b <backlog> Set max number of outstanding audit buffers allowed Default=64
-d <l,a> Delete rule from <l>ist with <a>ction
l=task,entry,exit,user,watch,exclude
a=never,possible,always
-D Delete all rules and watches
-e [0..2] Set enabled flag
-f [0..2] Set failure flag
0=silent 1=printk 2=panic
-F f=v Build rule: field name, operator(=,!=,<,>,<=,>=,^,&) value
-h Help
Viewing Audit Log
• Reading the audit trail - /sbin/ausearch
Example shows file system paths accessed
Output below is abbreviated.
Creating Audit Reports
• Generating Audit Summary Reports - /sbin/aureport
Example shows Authentication Report
# ./sbin/aureport --auth
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 04/28/2011 07:30:04 acct="sysadmin ? ? /nas/sbin/change_passwd no 2803462
2. 04/28/2011 07:30:06 acct="root ? ? /nas/sbin/change_passwd no 2803522
3. 04/28/2011 07:30:08 acct="itechi ? ? /nas/sbin/change_passwd no 2803547
4. 04/28/2011 07:34:52 acct="nasadmin 10.12.247.3 ssh /usr/sbin/sshd yes 54
5. 04/28/2011 07:35:09 acct="root ? pts/0 /bin/su yes 256
Audit Backups
• Audit logs are located in /celerra/audit
• Backup of auditing configuration files and the current audit log file
To backend: /nas/var/auditing/
Each Control Station is synced every 180 seconds
/nas/var/auditing/cs0/
/nas/var/auditing/cs1/
If the Control Station in slot 0 is replaced, recovery code will restore the audit configuration files
Slot 1 auditing configuration is restored manually
# ls /nas/var/auditing/
cs0 lost+found
# ls /nas/var/auditing/cs0
auditd.conf audit.log audit.rules
Unisphere Security and Basic Management
Lesson 4: Summary
During this lesson the following topics were covered:
• Auditing the administrative access to the Control Station
• Events that can be configured for auditing
• Control Station audit commands used for the creation of logs and reports
Unisphere Security and Basic Management
Unisphere System Monitoring
• System > Monitoring and Alerts >
Unisphere Monitoring: Alerts
• System > Monitoring and Alerts > Alerts
Unisphere Monitoring: Background Tasks for File
• System > Monitoring and Alerts > Background Tasks for File
Unisphere Monitoring: Event Logs for File
Unisphere Monitoring: SP Event Logs
• VNX for Block related events
Events logged on the Storage Processor
Unisphere Monitoring: Notifications for File
• System Event Notification: Facility, Severity, Action, Destination
• System Resource Utilization: Storage usage, Storage Protection, DM load
Events Query | Description
Facility | Facility value must match this value to trigger the notification
Severity | Severity level that will trigger the notification: 0, 1, and 2 – Critical; 3 – Error; 4 – Warning; 4, 6 – informational
Action | Action that must be taken if the event meets the Facility and Severity criteria
Destination | Destination of the notification. Format depends on the type of action: absolute path on the CS for a log file; single SNMP trap; comma-separated e-mail addresses (SMTP)
Unisphere Monitoring: Notifications for Block
• Creation of Centralized or Distributed Monitors
• Creation and Configuration of Notification templates
Event Severity: Information, Warning, Error, Critical
Event Category: Basic Array, MirrorView, SnapView, SAN Copy, NQM, Alerts, Virtual Provisioning, VNX Snapshots
Actions: Logs, Combine events, add response, e-mail notification, paging service, SNMP trap
Unisphere Monitoring: Statistics for File
Unisphere Monitoring: Statistics for Block
• Unisphere Analyzer
Unisphere Security and Basic Management
Lesson 5: Summary
During this lesson the following topics were covered:
• Unisphere monitoring features
• Event logs for VNX system activities
• Event monitor operations
• Event monitor notifications
Unisphere Security and Basic Management
Unisphere Storage Domains
• All Systems > Domains
Each VNX is its own storage domain
Domain members: SPA, SPB, Control Station
System managed by a Unisphere session to any member
Global user account “sysadmin”: Administrator role
(Diagram: Storage Domain containing SPA, SPB and CS)
Multi-Domain Management
• All Systems > Domains
Adding a VNX System to Domain
• All Systems > System List > Add
Enter the SP IP Address
Creating New Administrative Users
• Settings > Security > User Management
Requires Administrator or Security Administrator role
Global users
Local users
For File
For Block
Assigning Administrative Roles
• Settings > Security > User Management > User Customization for File > Users > Properties
Primary Group
Group Membership
Group Role
Client Access
VNX Email Notifications: Email User
• Setup email account
VNX Notifications: Create Notifications for File
• Create event to monitor
• Select recipient of notification
Event Monitoring Configuration
Unisphere Security and Basic Management
Lesson 6: Summary
During this lesson the following topics were covered:
• Configuration and management of storage domains
• Configuration of administrative users and assignment of administrative roles
• Setting email notifications
• Setting notifications for File for various severity levels
Summary
Key points covered in this module:
• VNX provides multiple interface options, including VNX Unisphere and the CLI
• Unisphere supports Global, Local, and LDAP authentication options, as well as built-in management accounts. Default and custom administrative roles help to control management access.
• Control Station auditing can be used to record the desired events.
• Unisphere monitoring and notification can also be used to manage and report on events.