EMC Data Protection Search Version 1.0 Security Configuration Guide 302-001-611 REV 01
Copyright 2014-2015 EMC Corporation. All rights reserved. Published in USA.

Published April 20, 2015

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC², EMC, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners.

For the most up-to-date regulatory document for your product line, go to EMC Online Support (https://support.emc.com).

EMC Corporation
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.emc.com
CONTENTS

PREFACE

Chapter 1 Data Protection Search Communication Security
    Port usage
    Network encryption
    Cryptographic modules in Data Protection Search
    Login, session and password protection
    Firewall rules
    REST API
    Data security

Chapter 2 Access control
    User authorization
        Data Protection Search Admin role
        Index Admin roles
    DPSearch UI access
    Editing the DPSearch nginx.conf file
    Installing a self-signed or trusted certificate
    Default accounts
    Authentication configuration
PREFACE

As part of an effort to improve its product lines, EMC periodically releases revisions of its software and hardware. Therefore, some functions described in this document might not be supported by all versions of the software or hardware currently in use. The product release notes provide the most up-to-date information on product features.

Contact your EMC technical support professional if a product does not function properly or does not function as described in this document.

Note: This document was accurate at publication time. Go to EMC Online Support (https://support.emc.com) to ensure that you are using the latest version of this document.

Purpose
This document describes the security features and settings of EMC Data Protection Search.

Audience
This document is intended for the administrator and index administrator who will be involved in managing Data Protection Search.

Related documentation
- Data Protection Search Installation and Administration Guide
- Data Protection Search Security Configuration Guide
- Data Protection Search Release Notes
- Data Protection Search Online Help

Special notice conventions used in this document
EMC uses the following conventions for special notices:
NOTICE: Addresses practices not related to personal injury.
Note: Presents information that is important, but not hazard-related.

Typographical conventions
EMC uses the following type style conventions in this document:
Bold: Used for names of interface elements, such as names of buttons, fields, tab names, and menu paths (what the user specifically selects or clicks)
Italic: Used for full titles of publications referenced in text
Monospace: Used for:
- System code
- System output, such as an error message or script
- Pathnames, file names, prompts, and syntax
- Commands and options
Monospace italic: Used for variables
Monospace bold: Used for user input
[ ]: Square brackets enclose optional values
|: Vertical bar indicates alternate selections - the bar means "or"
{ }: Braces enclose content that the user must specify, such as x or y or z
...: Ellipses indicate non-essential information omitted from the example

Where to get help
EMC support, product, and licensing information can be obtained as follows:

Product information
For documentation, release notes, software updates, or information about EMC products, go to EMC Online Support at https://support.emc.com.

Technical support
Go to EMC Online Support and click Service Center. You will see several options for contacting EMC Technical Support. Note that to open a service request, you must have a valid support agreement. Contact your EMC sales representative for details about obtaining a valid support agreement or with questions about your account.

Online communities
Visit EMC Community Network at https://community.emc.com for peer contacts, conversations, and content on product support and solutions. Interactively engage online with customers, partners, and certified professionals for all EMC products.

Your comments
Your suggestions will help us continue to improve the accuracy, organization, and overall quality of the user publications. Send your opinions of this document to DPAD.Doc.Feedback@emc.com.
CHAPTER 1 Data Protection Search Communication Security

Communication security settings enable the establishment of secure communication channels between product components and external systems or components.

This chapter contains the following topics:
- Port usage
- Network encryption
- Cryptographic modules in Data Protection Search
- Login, session and password protection
- Firewall rules
- REST API
- Data security
Port usage

The ports listed in the following table are the Data Protection Search default ports for the various components, all using the TCP/HTTPS protocol. Some of these ports can be changed. Various configuration files must be manually edited.

The following table lists the required ports for DPSearch.

Table 1 Default ports

Component | Service | Protocol | Port | Description
Common Indexing Service | NGINX | TCP/HTTPS | 442 | Secure access to Elasticsearch. For example, ElasticSearch Head plugin
DPSearch Admin Interface | NGINX | TCP/HTTPS | 443 | Admin/Search web apps
Common Indexing Service | NGINX | TCP/HTTPS | 441 | CIS REST API
DPSearch Admin REST API | NGINX | TCP/HTTPS | 448 | Admin REST API. Open externally only if third party access is required
DPSearch Search REST API | NGINX | TCP/HTTPS | 449 | Search REST API. Open externally only if third party access is required
Avamar agent port range | avagent | TCP | 28000, 29000 | Ports that must be open for remote connections to/from the Avamar server and Utility Node
NetWorker client service ports | nsrexecd | TCP | 7937-8200 | Ports for communicating with the NetWorker client database
Elasticsearch cluster ports | NGINX | TCP/HTTPS | 9200, 9300-9400 | Ports for communicating with Elasticsearch (Index data nodes)

Network encryption

The EMC Avamar Product Security Guide provides complete details on ports for communicating with Avamar clients. The EMC NetWorker Security Configuration Guide provides complete details on ports for communicating with NetWorker clients.

The following table contains the encryption strategies that are employed by the Data Protection Search feature for communication between components.

Table 2 Encryption strategies

Communication | Encryption type
Web browser and DPSearch web server (Admin/Search web applications) | SSL with server authentication
DPSearch web server and CIS web server | SSL with mutual authentication
Table 2 Encryption strategies (continued)

Communication | Encryption type
Web browser and CIS web server (if going directly to CIS/Elasticsearch) | SSL with mutual authentication

For Avamar, SSL between DPSearch and the Avamar Web Service is used with keystore to store the certificate for web service authentication.

For NetWorker, backup and archive data on UNIX and Windows hosts are encrypted with the aes Application Specific Module (ASM). The aes ASM provides 256-bit data encryption. Backup data is encrypted based on a user-defined pass phrase. If no pass phrase is specified, data is encrypted with the default pass phrase.

Cryptographic modules in Data Protection Search

The following is a list of cryptographic modules used in Data Protection Search:
- HS256 for signing JWT
- RSA1_5 2048 bit for encrypting the web tokens
- AES_256_GCM for lockbox encryption
- RSA 1024 bit and RSA 2048 bit algorithms for NGINX SSL certificates

Login, session and password protection

It is recommended that you change the password for the DPSearch local system accounts (dpsearch and root) from the default immediately after the DPSearch deployment completes. During deployment, the script has a menu option to change both passwords.

The local system accounts provide the ability to log on to the Virtual Machine and access Elasticsearch directly, by using port http://localhost:9200. This port is not accessible remotely. Therefore it is important that local system access is restricted.

Note: Elasticsearch is accessible remotely through port 442, and requires CIS credentials before login.

The DPSearch login session expires after a period of inactivity (1 hour by default), and can be modified in the Options section of the Admin UI.

Firewall rules

Data Protection Search requires access to ports 22, 440:449 (reserve two more ports for extensibility), 28000:29000, and 7937:8200.

CIS currently provides access to IP addresses within a subnet (for example 128.222.162) to use ports 9300-9400. Ports 9300-9400 enable an Elasticsearch node to form a cluster and to communicate with other Elasticsearch nodes.

REST API

It is possible to implement custom applications or widgets that make use of the REST API, but any such software will not be supported by EMC. This is not supported as the REST API might be subject to change without notice in future versions of Data Protection Search.

Data security

Data Protection Search encrypts all in-flight data by using https. Communication between Elasticsearch and CIS is not encrypted if they are on separate nodes. Also, communication between Elasticsearch nodes is not encrypted.
CHAPTER 2 Access control

Access control settings provide protection of resources against unauthorized access.

This chapter contains the following topics:
- User authorization
- DPSearch UI access
- Editing the DPSearch nginx.conf file
- Installing a self-signed or trusted certificate
- Default accounts
- Authentication configuration
User authorization

Data Protection Search Admin role

The sections DPSearch Admin roles and Index Admin roles provide information on permission-based access. Also, there is a CIS Admin which is used to access the CIS API/Web authentication for Elasticsearch content.

DPSearch provides the ability to create multiple indexes if required, and to specify the particular users and/or groups able to access those indexes. These users/groups are referred to as Search Admins. When a Search Admin logs in to the Search UI, they can search only those indexes to which they have access.

The following table lists the DPSearch Admin roles.

Table 3 Admin roles

Search Admin role | Description
Index Admin - All access | No restrictions are applied.
Index Admin - Read only | Cannot view inline or full preview for search hits, download files locally, or restore files to an alternate location.

Note: The Data Protection Search Admin Group is the default Index Admin. Members of the Data Protection Search Admin Group are listed and cannot be edited directly. DPAdmin users are added and modified in any LDAP based directory service, such as Active Directory.

Index Admin roles

Specify Index Admin permissions in the Roles section of the DPSearch Admin UI. The Index Admin can have the permissions to:
- Maintain all index-related jobs
- Monitor index jobs
- Receive index jobs related notifications
- Create metadata only indexing collection activities (default)
- Create metadata only and full-content indexing collection activities (must specifically enable full-content indexing capability)
- Create and maintain indexes

DPSearch UI access

Access to the Admin UI and the Dashboard Health Check UI sections is based on DPSearch Admin and Index Admin permissions.

The following table lists and describes the sections of the DPSearch Admin UI.
Table 4 DPSearch Admin UI

Admin Web UI tab | Description | Visibility based on Admin permissions (DPSearch Admin / Index Admin)
Sources | Add, update or remove Avamar and NetWorker servers. | No
Roles | You can add, update and remove Index Admins here. DPSearch Admins are listed, but cannot be modified. Instead, they are managed with your LDAP solution. | No
Indexes | Enable metadata only and/or full-content indexing in Data Protection Search. | No
Collections | Schedule collections for Avamar and NetWorker backup servers. | No
System | Provides monitoring of DPSearch Worker and Index nodes. | No
Jobs | Running and completed activities/jobs are listed with details including type, status, duration, and more. |
Options | Modify the number of Search hits to display, Session (timeout), and LDAP host options. | No
Help | Access the Data Protection Search online help. |

The following table lists the Dashboard components and visibility based on Admin permissions.

Table 5 DPSearch Dashboard

Component | Description
Source Servers Health | Lists configured backup servers with information on platform, version and status. You can click the link below the Source Servers Health table for more complete details. The Sources section of the DPSearch UI opens.
DPSearch Workers Health | Lists configured DPSearch Worker nodes and their status. You can click the link below the DP Search Workers Health table for more complete details. The System section of the DPSearch UI opens. Each Workers health segment provides a last updated time, and the ability to force a refresh and view unresponsive worker services.
Elasticsearch Cluster Health | Lists configured Elasticsearch Cluster and their status. You can click the link below the Elastic Search Cluster Health to view the individual Elastic Search nodes in the cluster. The System section of the DPSearch UI opens. A situation where replication is configured, but there is only one Elasticsearch node available is an example of why the cluster might be yellow rather than green.
Index Status | Lists configured indexes and their status. At initial login, no indexes will have been created so the list is empty.
Upcoming Collections | Lists the next time a scheduled collection will run.
System Notifications | Displays the system notifications. Click to view additional details about the notification. System Notifications is enabled by default, and all notifications can be viewed from the dashboard. Options>Configuring system notifications section of the Admin UI provides the ability to send email notifications.

Visibility based on Admin permissions (DPSearch Admin, Index Admin, Both DP Search and Index Admin): No No No No No

Editing the DPSearch nginx.conf file

Use a text editor such as vi or vim on the Linux terminal to edit the nginx.conf file. The nginx.conf file enables you to define ports and manage SSL certificates and keys.

Perform the following tasks to edit the DPSearch nginx.conf file.

Procedure

1. Open the /usr/local/dpsearch/etc/nginx.conf file with the text editor.
2. If required, modify the ports and SSL certs and keys for the following:

   root /usr/local/dpsearch/httpds (DPSearch Admin UI)
       Port 443 (default)
       SSL_certificate dpsearch.cert
       SSL_certificate_key dpsearch.key

   root /usr/local/dpsearch/httpds/admin/api/public (Admin Rest API)
       Port 448 (default)
       SSL_certificate dpsearch.cert
       SSL_certificate_key dpsearch.key

   root /usr/local/dpsearch/httpds/search/api/public (Search Rest API)
       Port 449 (default)
       SSL_certificate dpsearch.cert
       SSL_certificate_key dpsearch.key

3. Restart NGINX for the changes to take effect.

Installing a self-signed or trusted certificate

The NGINX web server provided with Data Protection Search is installed with a self-signed certificate, not a trusted public key certificate. The certificate is used for secure http access (https) to the web UIs, Admin and Search REST APIs, and the Common Indexing System (CIS) REST API. This includes secure communications between these components.

When a self-signed certificate is active, users connecting to the web-based Admin and Search interfaces will be warned that they are connecting to an untrusted connection. For most web-browsers, this warning can be suppressed after it is initially displayed.

To install either a self-signed, or trusted certificate for the Data Protection Search NGINX web server, perform the following steps:

Procedure

1. Connect to the Data Protection Search node as root, and use the default password linux.

2. Copy the existing certificate and private key files to a backup location:

       cp /etc/nginx/dpsearch.cert /BACKUP LOCATION
       cp /etc/nginx/dpsearch.key /BACKUP LOCATION

3. (Optional) Generate a new private key:

       openssl genrsa -out dpsearch.key 2048

4. Complete either of the following:

   - Create a new self-signed certificate using either the existing or newly generated private key file by entering the following command:

         openssl req -new -x509 -key dpsearch.key -out dpsearch.cert -days 1095

     Respond to the prompts.
   - Generate a certificate request (csr) file, using either the existing or newly generated private key file by entering the following command:

         openssl req -new -key dpsearch.key -out dpsearch.csr

     a. Respond to the prompts.
     b. Send the dpsearch.csr file to the certificate authority.
     c. Rename the returned certificate file to dpsearch.cert.

5. Stop the NGINX service:

       service nginx stop

6. Copy the new certificate, and (optionally) the new private key to the /etc/nginx directory:

       cp dpsearch.cert /etc/nginx/
       cp dpsearch.key /etc/nginx/

7. Verify that the files have the correct permissions:

       chmod 644 /etc/nginx/dpsearch.cert
       chmod 644 /etc/nginx/dpsearch.key

8. Start the NGINX service:

       service nginx start

Default accounts

The following table lists the default DPSearch accounts. The accounts listed in the following table are used for the initial terminal based configuration for all DPSearch nodes. The configuration includes setting up networking and defining the role for each node.

Table 6 Default account names and passwords

Account type | User name | Default password
User account | dpsearch | dpsearch
Root user | root | linux

Note: It is recommended that you change the passwords for both accounts as soon as possible to ensure a secure environment.

All other accounts are managed with an LDAP solution, such as Microsoft Active Directory. The LDAP accounts are specified during the initial configuration, or by using the DPSearch web-based Administration application.

Authentication configuration

This section describes DPSearch user accounts and groups for LDAP and backup servers.

Users can only log on remotely to the DPSearch admin and search web-based interfaces using appropriate accounts configured in LDAP. Roles within the software also determine a user's permissions when logged in.

The following table lists the DPSearch accounts and groups.

Table 7 LDAP server

Accounts and Groups | When required | Required | Description
CIS/LDAP Admin | During initial configuration | | Defines a user with rights to interact with Elasticsearch (through the Common Indexing System layer), and with the LDAP server. You can specify any LDAP user for which ideally, the password is set to never expire. The LDAP user can be updated by using the DPSearch Admin UI. Note: The LDAP username is also required to connect to Elasticsearch remotely, for example by using a plugin like Elastic Search Head.
DPSearch Admins Group | During initial configuration | | Defines DPSearch Admins. A user must be a member of this group in order to log on to the Admin UI initially. DPSearch Admins can configure the DPSearch environment. This includes: monitoring with dashboard; managing indexes; managing roles; viewing jobs; setting system options.
Index Admins | DPSearch Admin UI | No | One or more Index Admin accounts can be added if required. Index admins are responsible for indexes and collections: monitoring indexes and collections via dashboard; managing indexes and search admins; scheduling and managing collections; monitoring collection jobs. Index admins are assigned one of two possible roles: Metadata Index only (default); Metadata and Full-content Index.
Search Admins | DPSearch Admin UI | No | One or more dedicated Search Admin accounts can be added if required. However, it is also valid for DPSearch, or Index Admins to be search admins as well. Each index must have at least one Search Admin assigned. Search Admins can have either read only access, or full access to an index.

The following table lists the requirements for Avamar and NetWorker backup servers.
Table 8 Backup server

Platform | Description
Avamar | The Avamar Administrator user name and password must be entered when the backup server is added. The Avamar Administrator is required to connect to the Avamar server through the web service API for all operations including: Index; Download; Restore.
NetWorker | The root accounts for all DPSearch nodes must be added to the Operators group (or a custom group with similar permissions) in the NetWorker Administrator. All interaction with NetWorker is through command line tools (recover, mminfo, nsrinfo) running as the root account on that node. NetWorker validates that users have appropriate permissions before completing the operation.
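An added example, not part of the EMC guide or product, for the nginx.conf and certificate procedures earlier in this chapter: a POSIX shell audit that maps each server block to its certificate and key and reports key files that other local accounts can read, which is the case with mode 644 from step 7. The sample nginx.conf, the placeholder files and the function names are constructed; resolving relative paths against the directory of nginx.conf is an assumption.

```shell
#!/bin/sh
# Added example, not EMC code. Maps each nginx server block to its TLS key
# file and reports keys that other local accounts can read.

# Print "<listen port> <ssl_certificate> <ssl_certificate_key>" per server
# block. Assumes "server {" opens on its own line, one directive per line.
list_tls_servers() {
    awk '
        { sub(/#.*/, "") }                                # strip comments
        !in_srv && ($1 == "server{" || ($1 == "server" && $2 == "{")) {
            in_srv = 1; depth = 0; port = cert = key = "-"
        }
        in_srv {
            val = $2; sub(/;.*/, "", val)
            if ($1 == "listen") { port = val; sub(/.*:/, "", port) }
            if ($1 == "ssl_certificate") cert = val
            if ($1 == "ssl_certificate_key") key = val
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")  # track nested blocks
            if (depth == 0) { print port, cert, key; in_srv = 0 }
        }
    ' "$1"
}

# Succeed when "other" has read permission on the file.
world_readable() {
    [ -n "$(find -L "$1" -prune -perm -004 2>/dev/null)" ]
}

# Print one finding per server block; return 1 if a key is missing or exposed.
# Assumption: relative paths are resolved against the directory of nginx.conf.
audit_tls_keys() {
    conf_dir=$(dirname "$1"); rc=0
    while read -r port cert key; do
        [ -n "$port" ] || continue
        case "$key" in
            -)  echo "port $port: no ssl_certificate_key set"; continue ;;
            /*) ;;
            *)  key=$conf_dir/$key ;;
        esac
        if [ ! -f "$key" ]; then echo "port $port: MISSING $key"; rc=1
        elif world_readable "$key"; then echo "port $port: EXPOSED $key"; rc=1
        else echo "port $port: ok $key"
        fi
    done <<EOF
$(list_tls_servers "$1")
EOF
    return $rc
}

# Constructed sample: server blocks on the three ports this guide lists, with
# empty placeholder files carrying the modes from step 7 of the procedure.
make_sample() {
    for p in 443 448 449; do
        printf 'server {\n  listen %s ssl;\n  ssl_certificate dpsearch.cert;\n' "$p"
        printf '  ssl_certificate_key dpsearch.key;\n  location / { root html; }\n}\n'
    done > "$1/nginx.conf"
    : > "$1/dpsearch.cert"; : > "$1/dpsearch.key"
    chmod 644 "$1/dpsearch.cert" "$1/dpsearch.key"
}

demo=$(mktemp -d) && make_sample "$demo"
audit_tls_keys "$demo/nginx.conf" || echo "=> at least one key needs attention"
chmod 600 "$demo/dpsearch.key" && audit_tls_keys "$demo/nginx.conf"
rm -rf "$demo"
```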