EMC VPLEX Security Configuration Guide P/N 300-010-493 Rev A05 June 7, 2011 This guide provides an overview of VPLEX security configuration settings, including secure deployment and usage settings needed to securely use VPLEX. Topics include: VPLEX overview... 2 VPLEX management server operating system and networking... 4 IP addresses and component IDs... 8 Security configuration settings... 12 Log file settings... 16 Communication security settings... 17 Data security settings... 20 1
VPLEX overview VPLEX overview An EMC VPLEX cluster consists of one, two, or four engines (each containing two directors), and a management server. A dual-engine or quad-engine cluster also contains a pair or Fibre Channel switches for communication between directors. Each engine is protected by a standby power supply (SPS), and each Fibre Channel switch gets its power through an uninterruptible power supply (UPS). (In a dual-engine or quad-engine cluster, the management server also gets power from a UPS.) The management server has a public Ethernet port, which provides cluster management services when connected to the customer network. The management server can also provide call-home services through the public Ethernet port by connecting to an EMC Secure Remote Support (ESRS) gateway deployed on the same network. The ESRS gateway is also used by EMC personnel to provide remote service. Three VPLEX implementations are available: VPLEX Local (single cluster) VPLEX Metro (two clusters separated by synchronous distances) VPLEX Geo (two clusters separated by asynchronous distances). In a VPLEX Metro or VPLEX Geo implementation, the clusters are connected over Fibre Channel between the directors, and over IP between the management servers. VPLEX user authentication is configured locally on the management server or remotely on an OpenLDAP or Active Directory server (with service for Unix SFU 3.5). A management server in each VPLEX cluster authenticates users against account information kept on its local filesystem or against LDAP/AD server. An authenticated user can manage resources in the local cluster. In a VPLEX Metro or VPLEX Geo implementation, users authenticated by either management server can manage all resources in both clusters. Figure 1 on page 3 shows a VPLEX cluster configuration example. 2 EMC VPLEX Security Configuration Guide
DRAFT VPLEX overview Engine 4 SPS SPS Engine 3 SPS SPS FC Switch B UPS B FC Switch A UPS A Management Server Engine 2 SPS SPS Engine 1 SPS SPS SYM-002272 Figure 1 VPLEX cluster configuration EMC VPLEX Security Configuration Guide 3
VPLEX management server operating system and networking VPLEX management server operating system and networking The VPLEX management server s operating system (OS) is based on a Novell SUSE Linux Enterprise Server 10 distribution. The operating system has been configured to meet EMC security standards by disabling or removing unused services, and protecting access to network services through a firewall. A management server has four Ethernet ports, identified as eth0 through eth3 by the operating system, and shown in Figure 2. A 1 Gb/s public management port (eth3) is the only Ethernet port in the VPLEX rack that may be connected to an external management LAN. Other components in the rack are connected to two redundant private management Ethernet networks, connected to the management server's eth0 and eth2 ports. A service port (eth1) can be connected to a local laptop, providing access to the same services as a host on the management LAN. Customer workstation Ethernet port Service cable eth1 eth3 Customer IP network Management server Customer-provided Ethernet cable eth0 eth2 eth Figure 2 Management server, rear view Accessing the management server Using SSH to access the management server shell Three protocols allow access to a VPLEX management server over a secure and encrypted connection: SSH, HTTPS, and IPsec VPN. Users can log in to the management server shell over SSH, through the management server's public Ethernet port or service port. The SSH service is available on the standard port 22. An SSH login with appropriate credentials allows access to a Linux shell on the management server. From there: Users can access the VPLEX command line interface (VPlexcli). An admin account user can create, modify, and delete user accounts. A service account user can inspect log files, start and stop services, and upgrade firmware and software. SSH also can be used to establish a secure tunnel between the management server and the host running the SSH client. Using a tunneled VNC connection to access the management server desktop on page 5 provides more information. 4 EMC VPLEX Security Configuration Guide
DRAFT VPLEX management server operating system and networking Using HTTPS to access the VPLEX GUI The VPLEX Management Console s graphical user interface (GUI) is accessible as a web service on the management server's public Ethernet port and the service port, using the HTTPS protocol. It is available on the standard port 443. The following URL initiates an HTTPS connection to the GUI: https://<management_server_public_ip_address> The GUI encrypts all traffic using a server certificate. Creating a host certificate on page 18 provides more information. Note: The GUI has a timer that logs the user out after 10 minutes if no activity has occurred. If you want to change the timeout setting, contact the EMC Support Center. Using IPsec VPN in a VPLEX Metro implementation The management server in each VPLEX Metro cluster must connect to each other over a Virtual Private Network (VPN) through the public Ethernet port, as shown in Figure 3. Customer IP network Mgmt server 1 eth0 eth3 eth2 IPsec tunnel Mgmt server 2 eth0 eth2 eth3 Subnet B 128.221.253.32/27 Subnet A 128.221.252.32/27 Subnet B 128.221.253.64/27 Subnet A 128.221.252.64/27 Cluster 1 Cluster 2 IPsec_VPN Figure 3 IPsec VPN connection Although you might have already secured the network connections between two VPLEX Metro or VPLEX Geo clusters, the management servers must establish an explicit VPN connection, to acknowledge that the remote management server has full management control over the local cluster and its resources. The VPLEX management server uses strongswan, an open source implementation of IPsec for Linux. Using SCP to copy files Using a tunneled VNC connection to access the management server desktop The Secure Copy Protocol (SCP) allows users to transfer files to and from the management server. SCP uses the same credentials as SSH. Popular SCP clients are WinSCP and PSCP provided by the PuTTY package, and the SCP client provided by OpenSSH. The SSH protocol provides a mechanism for sending unencrypted traffic through an encrypted SSH connection. Most SSH clients, such as OpenSSH and PuTTY, allow users to establish SSH tunnels by specifying a port on their local machine (source port), and a port on the management server (destination port). EMC VPLEX Security Configuration Guide 5
VPLEX management server operating system and networking Access to the management server's desktop is provided by VNC access through an SSH tunnel. Users must first establish an SSH tunnel between destination port 5901 and local port 5901, and then connect a VNC viewer to local port 5901. Popular VNC clients are RealVNC and TightVNC. To establish a tunnel, you must log in with your standard SSH credentials. After a successful login, the SSH client program must remain running, to allow the SSH tunnel to remain operational. Follow these steps to establish a tunneled VNC connection using PuTTY: 1. Launch PuTTY.exe, and configure the PuTTY window as shown in Figure 4 and the following: Server address Public IP address of the VPLEX management server. Session name Type a name for the PuTTY session you are configuring. This allows you to load the saved session if you need to reconnect later, eliminating the need to configure the individual parameters again. Default settings Verify, and set as shown if necessary. Server address (default) Session name (default) PuTTY_VNC Figure 4 PuTTY Configuration window 2. Expand SSH in the Category list, and click Tunnels. 3. Configure the SSH port forwarding parameters as shown in Figure 5, and then click Add. 6 EMC VPLEX Security Configuration Guide
DRAFT VPLEX management server operating system and networking 5901 localhost:5901 tunnels Figure 5 PuTTY configuration: SSH port forwarding parameters 4. Click Open to establish an SSH tunnel to the management server. When prompted, type the admin account password. 5. Authenticate as usual, and leave the PuTTY window open. 6. Launch the VNC viewer, and connect to localhost:5901. EMC VPLEX Security Configuration Guide 7
IP addresses and component IDs IP addresses and component IDs The IP addresses of the VPLEX hardware components are determined by a set of formulae that depend on the internal management network (A or B), the Cluster IP Seed, and (for directors) the Enclosure ID (which matches the engine number). Figure 6 shows the IP addresses in a cluster with a Cluster IP Seed of 1, and Figure 7 on page 9 shows the addresses for a Cluster IP Seed of 2. Note that the Cluster IP Seed is the same as the Cluster ID, which depends on the VPLEX implementation: VPLEX Local - The Cluster ID is always 1. VPLEX Metro or VPLEX Geo - The Cluster ID for the first cluster that is set up is 1, and the second cluster is 2. VPLEX VS1 hardware Management network B addresses Cluster IP Seed = 1 Enclosure IDs = engine numbers Management network A addresses Engine 4: Director 4B Director 4A 128.221.253.42 128.221.253.41 Engine 4: Director 4B Director 4A 128.221.252.42 128.221.252.41 Engine 3: Director 3B Director 3A 128.221.253.40 128.221.253.39 Engine 3: Director 3B Director 3A 128.221.252.40 128.221.252.39 FC switch B 128.221.253.34 Service port 128.221.252.2 Public Ethernet port Customer-assigned FC switch A 128.221.252.34 Mgt B port 128.221.253.33 Mgt A port 128.221.252.33 Management server Engine 2: Director 2B Director 2A 128.221.253.38 128.221.253.37 Engine 2: Director 2B Director 2A 128.221.252.38 128.221.252.37 Engine 1: Director 1B Director 1A 128.221.253.36 128.221.253.35 Engine 1: Director 1B Director 1A 128.221.252.36 128.221.252.35 Zep-028_1 Figure 6 Component IP addresses in Cluster 1 8 EMC VPLEX Security Configuration Guide
DRAFT IP addresses and component IDs Management network B addresses Cluster IP Seed = 2 Enclosure IDs = engine numbers Management network A addresses Engine 4: Director 4B Director 4A 128.221.253.74 128.221.253.73 Engine 4: Director 4B Director 4A 128.221.252.74 128.221.252.73 Engine 3: Director 3B Director 3A 128.221.253.72 128.221.253.71 Engine 3: Director 3B Director 3A 128.221.252.72 128.221.252.71 FC switch B 128.221.253.66 Service port 128.221.252.2 Public Ethernet port Customer-assigned FC switch A 128.221.252.66 Mgt B port 128.221.253.65 Mgt A port 128.221.252.65 Management server Engine 2: Director 2B Director 2A 128.221.253.70 128.221.253.69 Engine 2: Director 2B Director 2A 128.221.252.70 128.221.252.69 Engine 1: Director 1B Director 1A 128.221.253.68 128.221.253.67 Engine 1: Director 1B Director 1A 128.221.252.68 128.221.252.67 Zep-028_2 Figure 7 Component IP addresses in VPLEX Metro or VPLEX Geo Cluster 2 EMC VPLEX Security Configuration Guide 9
IP addresses and component IDs VPLEX VS2 hardware Engine 4: Director 4B, A side: Director 4B, B side: 128.221.252.42 128.221.253.42 Cluster IP Seed = 1 Enclosure IDs = engine numbers Engine 4: Director 4A, A side: Director 4A, B side: 128.221.252.41 128.221.253.41 Engine 3: Director 3B, A side: Director 3B, B side: 128.221.252.40 128.221.253.40 Engine 3: Director 3A, A side: Director 3A, B side: 128.221.252.39 128.221.253.39 Service port 128.221.252.2 FC switch B 128.221.253.34 Public Ethernet port Customer-assigned FC switch A 128.221.252.34 Mgt B port 128.221.253.33 Mgt A port 128.221.252.33 Management server Engine 2: Director 2B, A side: Director 2B, B side: 128.221.252.38 128.221.253.38 Engine 2: Director 2A, A side: Director 2A, B side: 128.221.252.37 128.221.253.37 Engine 1: Director 1B, A side: Director 1B, B side: 128.221.252.36 128.221.253.36 Engine 1: Director 1A, A side: Director 1A, B side: 128.221.252.35 128.221.253.35 VPLX-000242 Figure 8 Component IP addresses in Cluster 1 10 EMC VPLEX Security Configuration Guide
DRAFT IP addresses and component IDs Engine 4: Director 4B, A side: Director 4B, B side: 128.221.252.74 128.221.253.74 Cluster IP Seed = 2 Enclosure IDs = engine numbers Engine 4: Director 4A, A side: Director 4A, B side: 128.221.252.73 128.221.253.73 Engine 3: Director 3B, A side: Director 3B, B side: 128.221.252.72 128.221.253.72 Engine 3: Director 3A, A side: Director 3A, B side: 128.221.252.71 128.221.253.71 Service port 128.221.252.2 FC switch B 128.221.253.66 Public Ethernet port Customer-assigned FC switch A 128.221.252.66 Mgt B port 128.221.253.65 Mgt A port 128.221.252.65 Management server Engine 2: Director 2B, A side: Director 2B, B side: 128.221.252.70 128.221.253.70 Engine 2: Director 2A, A side: Director 2A, B side: 128.221.252.69 128.221.253.69 Engine 1: Director 1B, A side: Director 1B, B side: 128.221.252.68 128.221.253.68 Engine 1: Director 1A, A side: Director 1A, B side: 128.221.252.67 128.221.253.67 VPLX-000243 Figure 9 Component IP addresses in VPLEX Metro or VPLEX Geo Cluster 2 EMC VPLEX Security Configuration Guide 11
Security configuration settings Security configuration settings This section provides an overview of the settings required to use VPLEX securely. User roles and accounts Table 1 Table 1 describes each VPLEX user account. VPLEX user roles and accounts Component Role Default account Default password Privileges Management server Service a service Mi@Dim7T Access to the management server desktop, VPlexcli, and Management Console GUI Ability to start and stop management server services Access to most files on the filesystem Administrator a admin tes6nax2 b Ability to create, modify, and delete VPLEX user accounts Access to management server desktop, VPlexcli, and GUI Ability to start and stop management server services Fibre Channel Service service d Mi@Dim7T Access to the switch interface COM switches c Ability to start and stop switch services Access to most files on the switch Administrator admin Ry3fog4M d Access to the switch interface Ability to add and delete other accounts Ability to change passwords User user jyw13abn Access to the switch interface a. You cannot delete the default management server accounts. b. The first user who logs in as admin is prompted to change this password, which is required before any user can log in to the VPlexcli as admin. To change the password when prompted, follow the steps in Changing passwords on page 13, with the exception of step 4 (because you are asked to change the password after you log in). c. Fibre Channel COM switches exist only in dual-engine and quad-engine VPLEX clusters. d. In switches that are shipped for field replacement or hardware upgrade (rather than as part of a cabinet system), the admin account password is password, and there is no service account. Configuring user authentication Password policy VPLEX user authentication is configured locally on the management server or remotely on an OpenLDAP or Active Directory server (with service for Unix SFU 3.5). Usernames and passwords are stored on the management server, and cannot be managed by external authentication services. Refer to the VPLEX CLI Guide for information on the commands used to configure user authentication. The VPLEX management server uses a pluggable authentication module (pam) infrastructure to enforce minimum password quality. It uses pam_cracklib, a library that checks for dictionary words, to check potential passwords. The command man pam_cracklib on the management server provides more information about how this pam module works. The management server uses all default parameters. 12 EMC VPLEX Security Configuration Guide
DRAFT Security configuration settings pam_cracklib applies the following rules: Minimum password length of eight characters, including numbers, upper-case and lower-case letters, and special characters No dictionary words Comparison to the previous password: checks for palindromes, case-only changes, password similarity and rotation, to prevent users from using an old password with only a slight change Adding user accounts A user with an admin account can create a new account as follows: 1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management server. 2. Log in with username admin. 3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli: If VPLEX GeoSynchrony 4.0.x is running on the cluster: telnet localhost 49500 If VPLEX GeoSynchrony 4.1.x or later is running on the cluster: vplexcli Log in with username admin. 4. From the VPlexcli prompt, type the following command: user add -u <username> a. When prompted, type the admin account password. b. When prompted for a password for the new user, type a password that adheres to the rules in Password policy on page 12. c. When prompted, retype the new password. Note: The new user must change the password the first time he or she logs in. Changing passwords Any user with an admin or service account can change his/her own password as follows: 1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management server. 2. Log in with the applicable username: admin or service. 3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli: If VPLEX GeoSynchrony 4.0.x is running on the cluster: telnet localhost 49500 If VPLEX GeoSynchrony 4.1.x or later is running on the cluster: vplexcli Log in with the applicable username: admin or service. EMC VPLEX Security Configuration Guide 13
Security configuration settings 4. From the VPlexcli prompt, type the following command: user passwd -u <username> a. When prompted, type the old password. b. When prompted for a new password, type a password that adheres to the rules in Password policy on page 12. c. When prompted, retype the new password. Resetting passwords A user with an admin account can reset passwords for other users as follows: 1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management server. 2. Log in with username admin. 3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli: If VPLEX GeoSynchrony 4.0.x is running on the cluster: telnet localhost 49500 If VPLEX GeoSynchrony 4.1.x or later is running on the cluster: vplexcli Log in with username admin. 4. From the VPlexcli prompt, type the following command: user reset -u <username> a. When prompted, type the admin account password. b. When prompted for a password for the new user, type a password that adheres to the rules in Password policy on page 12. c. When prompted, retype the new password. Note: The user must change the password the next time he or she logs in. Changing the service account password Deleting user accounts Customers who want the service password to be different from the default password must ask the EMC representative installing VPLEX to modify the password. Because the service account is used by EMC to provide remote support through the EMC ESRS gateway, the service password must be recorded in the customer service database in order to provide this support. The service password must be changed in two locations: Management server Fibre Channel switches To change the service password on the Fibre Channel switches, use the switch's passwd command. A user with an admin account can delete a different account as follows: 14 EMC VPLEX Security Configuration Guide
DRAFT Security configuration settings 1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management server. 2. Log in with username admin. 3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli: If VPLEX GeoSynchrony 4.0.x is running on the cluster: telnet localhost 49500 If VPLEX GeoSynchrony 4.1.x or later is running on the cluster: vplexcli Log in with username admin. 4. From the VPlexcli prompt, type the following command: user remove -u <username> When prompted, type the admin account password. EMC VPLEX Security Configuration Guide 15
Log file settings Log file settings This section describes log files relevant to security. Log file location Table 2 Table 2 lists the name and location of VPLEX component log files relevant to security. VPLEX component log files Component Management Console management server OS ConnectEMC Firewall VPN (ipsec) Location /var/log/vplex/cli/session.log_<username> /var/log/messages /var/log/connectemc/logs/connectemc.log files /var/log/firewall /var/log/events.log Log file management and retrieval All logs rotate automatically, to avoid unbounded consumption of disk space. 16 EMC VPLEX Security Configuration Guide
DRAFT Communication security settings Communication security settings This section describes the communication security settings that enable you to establish secure communication channels between VPLEX components, as well as VPLEX components and external systems. It provides the following information: Port usage Table 3 lists each port, its function, and the service that uses the port. Table 3 Port Usage Port Function Service Public port TCP/22 Service port TCP/22 Public port TCP/21 Public port TCP/443 Public port TCP/5400 to 5413 Log in to management server OS, copy files to and from the management server using the SCP sub-service, and establish SSH tunnels ESRS (EMC Secure Remote Service) access to VPLEX SSH ESRS Public port TCP/50 IPsec VPN ESP Public port UDP/500 Public port UDP/4500 ISAKMP IPSEC NAT traversal Public port UDP/123 Time synchronization service NTP Public port TCP/161 Public port UDP/161 Public port TCP/443 Service port TCP/443 Localhost TCP/5901 Localhost TCP/49500 Get performance statistics Web access to the VPLEX Management Console s graphical user interface Access to the management server's desktop. Not available on the public network. Must be accessed through SSH tunnel. VPlexcli. Not available on the public network. Must be accessed through SSH. SNMP HTTPS VNC Telnet Network encryption The VPLEX management server supports SSH through the sshd daemon provided by the OpenSSH package. It supports versions 1 and 2 of the SSH protocol. When the management server starts for the first time, the sshd daemon generates key-pairs (private and public key) for communication with SSH clients. An rsa1 key-pair is generated to support communication with SSH version 1 clients, and rsa and dsa key-pairs are generated to support communication with SSH version 2 clients. All keys have a 2048 bit length. EMC VPLEX Security Configuration Guide 17
Communication security settings The HTTPS protocol and the IPsec VPN use a X.509 host certificate to identify the server and encrypt all traffic. X.509 host certificates use a 2048 bit host key. During initial setup of a VPLEX cluster, a local Certification Authority (which signs the host certificate request) is created automatically. Currently, VPLEX does not support a corporate Certification Authority signing the host certificate requests. Creating a local Certification Authority Creating a host certificate A Certification Authority (CA) on the VPLEX management server must be created solely for the purposes of signing management server certificates. The VPlexcli command security create-ca-cert creates a CA certificate file and private key protected by a passphrase. By default, this command creates the following: A 2048-bit CA key in /etc/ipsec.d/private/strongswankey.pem A CA certificate in /etc/ipsec.d/cacerts/strongswancert.pem that remains valid for 1825 days (5 years) You must provide a passphrase for the CA key and the CA certificate subject. The CA certificate subject must be the VPLEX cluster's serial number (found on the label attached to the top of the VPLEX cabinet). If you are creating a CA certificate for a VPLEX Metro or VPLEX Geo implementation, you can use either cluster's serial number. Note: Creating host certificates are created as a part of EZsetup during a first time installation. The VPlexcli command security create-host-certificate generates a host certificate request and signs it with the Certification Authority certificate created in the Creating a local Certification Authority on page 18. By default, this command creates the following: A 2048 key in /etc/ipsec.d/private/hostkey.pem A host certificate /etc/ipsec.d/certs/hostcert.pem that remains valid for 730 days (2 years) You must provide the CA key passphrase for the host key, the host certificate subject which must be the cluster's serial number (found on the label attached to the top of the VPLEX cabinet). Installing the host certificate for use by HTTPS At the Linux shell prompt on the management server, type the following command to transform the X.509 certificate into jks format for use by tomcat: sudo /opt/emc/vplex/tools/utils/jkssetup.pl You must provide the host certificate's passphrase before converting the host certificate into a format suitable for HTTPS service. Obtaining host certificate and host key fingerprints When users first connect to the management server over SSH or by connecting to the GUI using the HTTPs protocol, they are asked to confirm the server's identity. Most client programs display the management server's fingerprints as MD5 or SHA1 checksums, allowing you to verify that they are connected to the VPLEX management server and not to another machine, possibly deployed to harvest logins and passwords for a man-in-the-middle attack. 18 EMC VPLEX Security Configuration Guide
DRAFT Communication security settings Once the user confirms the management server's identity, subsequent connections will not ask for this confirmation, but instead warn the user if the management server's fingerprint has changed, which may be another indication of man-in-the-middle attacks. A VPLEX administrator might be asked by security-conscious users for the fingerprints of both the X.509 certificate used for the GUI and for the host keys used for SSH access to the management server. To find the host certificate's SHA1 and (for GUI users) MD5 fingerprints: 1. At the Linux shell prompt, type the following command: /etc/ipsec.d/certs # openssl x509 -noout -in hostcert.pem -fingerprint -md5 Output example: MD5 Fingerprint=6E:2C:A5:8E:86:11:45:26:02:09:62:97:6F:18:FD:62 2. Type the following command: /etc/ipsec.d/certs # openssl x509 -noout -in hostcert.pem -fingerprint -sha1 Output example: SHA1 Fingerprint=2E:B0:DD:59:DD:C3:29:96:33:74:19:CC:A0:81:28:28:6F:4F:76:E4 To find the SSH key fingerprint (for SSH users): 1. At the Linux shell prompt, type the following command: /etc/ssh # ssh-keygen -l -f ssh_host_dsa_key Output example: 1024 52:42:70:0c:22:aa:2f:e3:09:18:93:c8:20:a4:78:0c ssh_host_dsa_key.pub 2. Type the following command: /etc/ssh # ssh-keygen -l -f ssh_host_rsa_key Output example: 1024 a4:d8:64:d0:24:b9:2c:3d:06:24:5f:3a:30:ba:83:f8 ssh_host_rsa_key.pub 3. Type the following command: /etc/ssh # ssh-keygen -l -f ssh_host_key Output example: 1024 1f:07:f1:f5:21:f6:fa:ae:74:aa:64:d7:4d:67:d4:c2 root@lsca5216 EMC VPLEX Security Configuration Guide 19
Data security settings Data security settings Encryption of data at rest: user passwords Hashed user passwords are stored in /etc/passwd on the VPLEX directors. GeoSynchrony uses a hardcoded hashing algorithm to encrypt the passwords. Copyright 2011 EMC Corporation. All rights reserved. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. For the most up-to-date regulatory document for your product line, go to the Technical Documentation and Advisories section on EMC Powerlink. For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. All other trademarks used herein are the property of their respective owners. 20 EMC VPLEX Security Configuration Guide