EMC Celerra Version 5.6 Technical Primer: Public Key Infrastructure Support




Technology Concepts and Business Considerations

Abstract

Encryption plays an increasingly important role in IT infrastructure due to the impact of regulations and the risk of data security breaches. Many security protocols use public key encryption (particularly those used for session-based encryption or authentication). This primer discusses improvements introduced in EMC Celerra Network Server version 5.6 that enable the use of public key encryption, such as its implementation of a public key infrastructure.

June 2009

Copyright 2009 EMC Corporation. All rights reserved.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. All other trademarks used herein are the property of their respective owners.

Part Number h6348

Table of Contents

Executive summary ... 4
  Business problem ... 4
  Technical problem ... 4
  Feature introduction ... 4
  What's new ... 4
Introduction ... 5
  Audience ... 5
Detailed overview ... 5
  Architecture ... 5
  Limitations ... 7
  Compatibility with earlier releases ... 8
Conclusion ... 8
References ... 8

Executive summary

Protecting sensitive information is one of the foremost concerns of customers today. With new threats to information security being discovered every day, encryption becomes critical to business. With encryption, however, comes the incremental burden of managing encryption keys and certificates. Public key infrastructure (PKI) tools introduced in EMC Celerra Network Server version 5.6 help mitigate this task by eliminating the need to manage individual keys and certificates.

Business problem

Securing a wide variety of business data has become a modern-day requirement for most businesses. For some, a breach in that security could have a substantially negative impact, including costly litigation, competitive exposure, or public embarrassment. While the need for security is well understood, achieving a confident level of security is not so straightforward. Complex data centers, globally dispersed locations, and numerous technologies from many suppliers make realizing a secure environment a constant and costly challenge.

Technical problem

Encryption and authentication certificates are two widely used tools for improving data center security. While they are highly beneficial, both tools increase the burden on system administrators, who must actively manage and maintain them and ensure their effectiveness.

Feature introduction

Celerra version 5.6 introduces PKI tools that help administrators manage encryption keys and certificates for a Data Mover and, to a more limited extent, for the Control Station. These tools ease the use of encryption protocols such as SSL by providing a single, consistent interface that manages the required keys and certificates.

PKI tools provide the ability to:

- Generate key sets
- Export certificate signing requests, or sign persona certificates with the Control Station Certificate Authority (CA)
- Import signed certificates
- Store certificates using a current and next model
- Import CA certificates

The Control Station can now serve as a CA and sign Control Station and Data Mover certificates. This is useful in customer environments where an enterprise-level or other external CA is not available. Also, the Celerra Manager SSL certificate is now automatically signed by the Control Station CA rather than being self-signed.

What's new

The PKI functionality is new to Celerra version 5.6. Several Celerra features now take advantage of the PKI infrastructure. These features include:

- FileMover HTTP-over-SSL support: authenticates and encrypts FileMover control channels
- LDAP-over-SSL support: authenticates and encrypts LDAP connections

Introduction

This primer includes a discussion of the architecture of the new feature, and lists limitations and compatibility with earlier Celerra versions.

Audience

This white paper is intended for customers, including IT planners, storage architects, administrators, and others involved in evaluating, acquiring, managing, operating, or designing an EMC networked storage environment.

Detailed overview

Architecture

PKI is an architectural enhancement to Celerra. Consequently, its key and certificate management tools are available for any future features or enhancements that require encryption capabilities, providing a common management interface. While this PKI functionality is largely Data Mover-based, some changes to the Control Station are included in the current release. These are discussed on page 7.

PKI manages the following objects:

- Personas (Data Mover key and certificate pair)
- External CA certificates
- Control Station CA key and certificate pair

A persona is a digital identity. It consists of a Data Mover private key and the associated Data Mover public key certificate signed by a CA. (Hereafter, this paper refers to the pairing of a private key and public key certificate as a key/certificate pair.) A persona is identified by a specific name when assigned to a Data Mover feature. In Celerra version 5.6, there is only one persona, called default. Many Data Mover features may use a single persona to facilitate ease of use.

Data Mover key/certificate pairs within a persona are managed using a current-next model. Each persona recognizes two slots for key/certificate pairs: current and next. The current key/certificate pair is the one that is valid and is being used actively. The next key/certificate pair replaces the current key/certificate pair when it reaches its start date. You can create and manage personas and certificates using either the Celerra Manager or the CLI.

Figure 1 on page 6 shows the Celerra Manager Personas tab, which displays information about the current key/certificate pair and, if available, about the next key/certificate pair. A new key/certificate pair is always identified as the next key/certificate pair. It becomes the current key/certificate pair only when it becomes valid. Thus, it is possible for there to be a next key/certificate pair (which is not yet valid) but no current key/certificate pair. In this situation, key and certificate requests fail until the next key/certificate pair becomes valid. The Data Mover's system clock is used when determining key/certificate pair validity, and a 5-minute time skew is allowed.
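The current/next slot model just described, as an added Python example that is not code from the primer or from EMC: a persona with two slots, a newly imported pair always landing in the next slot, promotion to current once the start date is reached with the 5-minute skew applied, the failure when only a not-yet-valid next pair exists, and an expiry report of the kind an administrator needs because this release leaves expired pairs to be identified manually (see Limitations). The class names, pair labels and dates are constructed for illustration; nothing here is the Data Mover's own API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# The primer states that a 5-minute time skew is allowed when the Data Mover
# judges key/certificate validity against its own system clock.
SKEW = timedelta(minutes=5)


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class KeyCertPair:
    """A Data Mover private key with its CA-signed certificate (the primer's
    'key/certificate pair'). Only the validity window matters for slot logic."""
    label: str
    not_before: datetime
    not_after: datetime

    def has_started(self, now: datetime) -> bool:
        return now >= self.not_before - SKEW

    def is_valid_at(self, now: datetime) -> bool:
        return self.has_started(now) and now <= self.not_after + SKEW


class Persona:
    """Current/next slot model (constructed); version 5.6 has one persona, 'default'."""

    def __init__(self, name: str = "default") -> None:
        self.name = name
        self.current: Optional[KeyCertPair] = None
        self.next: Optional[KeyCertPair] = None

    def import_pair(self, pair: KeyCertPair) -> None:
        # A newly generated or imported pair is always the 'next' pair.
        self.next = pair

    def promote(self, now: datetime) -> None:
        # 'next' replaces 'current' as soon as its start date is reached.
        if self.next is not None and self.next.has_started(now):
            self.current, self.next = self.next, None

    def active_pair(self, now: datetime) -> KeyCertPair:
        """Pair handed to the SSL code when a feature names this persona.
        With no current pair (e.g. only a not-yet-valid 'next'), the request fails."""
        self.promote(now)
        if self.current is None:
            raise LookupError(f"persona {self.name!r}: no current key/certificate pair")
        return self.current

    def expiry_report(self, now: datetime,
                      horizon: timedelta = timedelta(days=30)) -> List[Tuple[str, str, str]]:
        """Manual expiry check (no CRLs or automatic detection in this release):
        returns (slot, label, status) for each populated slot."""
        rows: List[Tuple[str, str, str]] = []
        for slot, pair in (("current", self.current), ("next", self.next)):
            if pair is None:
                continue
            if now > pair.not_after + SKEW:
                status = "expired"
            elif not pair.has_started(now):
                status = "not yet valid"
            elif pair.not_after - now <= horizon:
                status = "expires soon"
            else:
                status = "ok"
            rows.append((slot, pair.label, status))
        return rows


# Constructed sample pairs: labels and dates are illustrative only.
PAIR_2009 = KeyCertPair("server_2-rsa2048-2009", utc(2009, 1, 1), utc(2010, 1, 1))
PAIR_2010 = KeyCertPair("server_2-rsa2048-2010", utc(2009, 7, 1), utc(2010, 7, 1))


def rollover_demo() -> Tuple[str, str, str]:
    """Import a pair, then its successor; show the skew-aware rollover."""
    persona = Persona()
    persona.import_pair(PAIR_2009)
    first = persona.active_pair(utc(2009, 6, 1, 12)).label        # promoted to current
    persona.import_pair(PAIR_2010)                                 # sits in 'next'
    before = persona.active_pair(utc(2009, 6, 30, 23, 50)).label   # start not yet reached
    after = persona.active_pair(utc(2009, 6, 30, 23, 57)).label    # within the 5-minute skew
    return first, before, after


def not_yet_valid_demo() -> str:
    """Only a future 'next' pair exists: requests fail until it becomes valid."""
    persona = Persona()
    persona.import_pair(PAIR_2010)
    try:
        persona.active_pair(utc(2009, 6, 1))
        return "served"
    except LookupError:
        return "failed"


if __name__ == "__main__":
    print("rollover:", rollover_demo())
    print("future next only:", not_yet_valid_demo())
```

The rollover at 23:57 on 30 June, three minutes before the next pair's start date, is the skew allowance at work: a Data Mover whose clock runs slightly behind the CA still switches on time. The report function is where the manual expiry check described under Limitations would be scheduled, since nothing in this release retires an expired current pair for you.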

Figure 1. Personas management using Celerra Manager

It is important to note that Data Mover private keys are not accessible from the Control Station; only the Data Mover can access these keys, which reside in memory for as short a period of time as possible. (Data Mover private keys are encrypted when not in use.) When a Data Mover feature needs to set up an SSL session, it notifies the SSL code of the name of the persona to use, and the SSL code then uses the PKI API to retrieve the associated private key and public key certificate. When a public key certificate is received from the peer host (while negotiating an SSL session), the SSL code uses the PKI API to verify the certificate (by using a CA certificate). Thus, it is the PKI infrastructure that frees other Data Mover functionality (such as SSL) from having to maintain private keys, public key certificates, and CA certificates.

In addition to managing personas, the PKI infrastructure also manages CA certificates that belong to CAs imported into the Data Mover. Figure 2 on page 7 shows the Celerra Manager CA Certificates tab, which displays information about the currently available CA certificates. CA certificates are used to validate the chain of trust for public key certificates that the Data Mover receives. For example, when setting up an authenticated SSL session, the client or server on the other end of the SSL session provides its public key certificate and a short message encrypted (signed) by its private key. The Data Mover uses the provided public key certificate to decrypt the message, verifying that the provided public key certificate does, in fact, belong to the computer that provided it. The Data Mover also validates the chain of trust (found in the other computer's public key certificate) by using the CA certificate to decrypt the signature of the other computer's public key certificate.

Figure 2. CA certificate management using Celerra Manager

In summary, PKI serves two primary purposes:

- Using the concept of a persona, it frees other Data Mover code from the need to manage private keys and associated public key certificates. The Data Mover applications that need this are those that act as secure servers (receiving incoming SSL-based connection requests), as servers that offer server authentication, or as clients in a connection where the server on the other end requires client authentication.
- By managing imported CA certificates, it enables all Data Mover applications that must validate received certificates to use the same common pool of CA certificates. Without this common pool, the CA certificate would have to be provided directly to each application that needs it.

The current release also enhances the Control Station with the implementation of the Control Station CA and some CLI tools that enable CA certificate management. In the current release, only CLI commands are available to manage the Control Station CA. More information about this functionality can be found in the EMC Celerra Security Configuration Guide.

Limitations

- In the current release, you cannot create and use custom personas. You can only populate the default persona with keys.
- Only 2048-bit and 4096-bit RSA keys are supported. You cannot use any other key types or lengths.
- Only Privacy-enhanced Electronic Mail (PEM) encoding is supported for certificate requests. Only PEM and Distinguished Encoding Rules (DER) encodings are supported for imported certificates.
- Control Station CA certificate management is available only through the CLI.

- You must identify expired key/certificate pairs manually. Key/certificate pairs are usually fairly long-lived (12 months is common), so this is not expected to be a major issue.
- Certificate Revocation Lists (CRLs) are not supported in the current release. You must explicitly remove or replace certificates.
- Certificate requests and digital signatures are signed using SHA-1 with RSA encryption. No other signing mechanisms are supported in the current release. Most, if not all, CAs support this signing mechanism.
- Automatic certificate generation using Microsoft Certificate Authority is not available in the current release. However, Microsoft Certificate Authority can be used to sign manually generated certificate requests.

Compatibility with earlier releases

This functionality is contained within the Celerra on which it is configured, and it does not interact with other Celerras. Therefore, no compatibility concerns exist. Earlier releases use the authentication mechanisms supported in those releases.

Conclusion

The PKI functionality simplifies private and public key management. It does this by creating and managing digital identities called personas. It also optimizes the process of validating CA certificates by maintaining and managing a common pool of such certificates.

References

Name: EMC Celerra Security Configuration Guide
Type: Technical documentation
URL: See the Celerra Network Server Documentation CD Version 5.6. Also available on Powerlink.
Audience: Customer
Technical Depth: High

Name: Celerra Manager Online Help System
Type: Technical documentation (Help System)
URL: See the Celerra Network Server Documentation CD Version 5.6. Also available on Powerlink.
Audience: Customer
Technical Depth: High