ScaleIO Security Configuration Guide




1 Introduction

This section provides an overview of the settings available in ScaleIO to ensure secure operation of the product. Security settings are divided into the following categories:

- Access Control Settings: describes settings available to limit access by end-user or by external product components
- Log Settings: describes settings related to the logging of events
- Communication Security Settings: describes settings related to security for the product's network communications
- Data Security Settings: describes settings available to ensure protection of the data handled by the product

2 Access Control Settings

Access control settings enable the protection of resources against unauthorized access. The following control settings are supported:

- User roles and passwords are needed to access the MDM. User roles with different access permissions can be assigned to users. For more information, see the chapter Security and User Management in the ScaleIO User Guide.
- Limited MDM access mode: a system can be configured to allow read-only access to the MDM by remote clients. In this mode, only local users connecting to the MDM using the IP address 127.0.0.1 have full configuration privileges.
- Restricted SDC mode: a system can be configured to only allow approved SDCs to connect to the MDM.
- Access to vSphere: a user must have internal access control for vSphere (user name and password).
- Access to the Installation Manager (IM) requires a password.
- Access to the REST Gateway requires a password. REST authenticates user access using the gatewayadminpassword and liapassword (for more information, see the appendix REST API Reference in the ScaleIO User Guide).
- The ScaleIO GUI and CLI use MDM authentication. For more information about logging in to the CLI, see the chapter Security and User Management in the ScaleIO User Guide. For more information about logging in to the GUI, see the chapter Using the Graphical User Interface in the ScaleIO User Guide.
- SNMP feature enabler: the SNMP trap sender can be enabled or disabled by configuring the file located on the ScaleIO Gateway. The feature is disabled by default. For exact file locations, see the table in the section Encode the MDM password. For detailed information, see the appendix SNMP Trap Support, Configuring the SNMP properties, in the ScaleIO User Guide.

- REST feature enabler: access to the REST gateway can be blocked by configuring the file located on the ScaleIO Gateway. The feature is enabled by default. For exact file locations, see the table in the section Encode the MDM password. For detailed information, see the appendix REST API Reference, Configuring the Gateway by editing the user properties file, in the ScaleIO User Guide.

2.1 User authentication

User authentication settings control the process of verifying an identity claimed by a user for accessing the product.

2.1.1 Default accounts

| User | Account | Password | Description |
|---|---|---|---|
| Installation Manager (IM) | admin user | Password is created by the admin at the beginning of the installation process | Lets the user download the IM CLI file. Lets the user issue installation commands in the IM CLI, or in the IM web client. The IM has a default admin user. |
| SVM | root user | Password is set in the plugin | The account provides full administrator privileges to all configuration and monitoring activities via the vSphere plugin. |
| MDM | admin | admin | The MDM has only one default account (admin) with a default password (admin). The password must be reset at first login. The account provides full administrator privileges to all configuration and monitoring activities via the CLI and the GUI. |

Table 1: Default accounts

2.1.2 Authentication configuration

User authentication is initially configured during ScaleIO installation, and users can be added and removed later using the ScaleIO CLI (and only by a privileged user). The MDM and LIA passwords must meet the following criteria:

- Contain between 6 and 31 characters
- Include at least 3 of the following 4 groups: [a-z], [A-Z], [0-9], special characters (!@#$ )
- No white spaces

For more information, see the chapter Security and User Management in the ScaleIO User Guide.

2.1.3 Encode the MDM password

A new encoded MDM password can be generated by the Installation Manager CLI.

| Command | Description |
|---|---|
| im generate_mdm_password | Generates an encoded MDM password and saves it in the Gateway configuration file (gatewayUser.properties; see the following table for the file location) |

The following table lists the location of the gatewayUser.properties file on Windows and Linux operating systems.

| ScaleIO Gateway installed on | Location of gatewayUser.properties file |
|---|---|
| Windows, 32-bit | C:\Program Files (x86)\emc\scaleio\gateway\webapps\ROOT\WEB-INF\classes\ |
| Windows, 64-bit | C:\Program Files\EMC\ScaleIO\Gateway\webapps\ROOT\WEB-INF\classes\ |
| Linux | /opt/emc/scaleio/gateway/webapps/root/web-inf/classes |

2.1.4 Changing MDM password encoding

To change MDM password encoding, edit the property in the file ( =enabled, or left empty=not enabled). This file is located on the ScaleIO gateway server (for the file location, see the table in the section Encode the MDM password). When the property is enabled, Base64 encoding is used for storing the password. You can generate such a password using the IM CLI or any other base64 tool (https://www.base64decode.org/).

2.2 User authorization

User authorization settings control the rights or permissions that are granted to a user to access a resource managed by the product. When users are added to the MDM, user role definitions must be assigned to them. Administrator users can create and modify other users, with the following user roles:

| User role | Query | Configure parameters | Configure user credentials |
|---|---|---|---|
| Monitor | Yes | | |
| Configure | Yes | Yes | |
| Administrator | Yes | Yes | Yes |

Table 2: User roles

For more information, see Adding and Modifying Users in the chapter Security and User Management, in the ScaleIO User Guide.

2.3 Component Access Control

Component access control settings define control over access to the product by external and internal systems or components.
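The following is an added example, not code from the guide or from ScaleIO: it puts the access-control rules of this chapter into checkable form, namely the MDM/LIA password criteria of section 2.1.2, the Base64 storage form of section 2.1.4, and the per-request token check that LIA performs on its conf.txt as described in section 2.3.1 below. All function names are hypothetical, the special-character set is assumed to extend beyond the "!@#$" the guide lists, the lia_enable_* flags are assumed to use 1/0 values, and the sample conf.txt is constructed with a placeholder token.

```python
import base64
import hmac

# Hypothetical helpers; the guide states the rules but shows no API for them.
# Assumption: special characters beyond the "!@#$" the guide lists also count.
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/|~")

def check_mdm_password(pw: str) -> list:
    """Return the rule violations for an MDM/LIA password (empty list = OK)."""
    problems = []
    if not 6 <= len(pw) <= 31:
        problems.append("length must be 6-31 characters")
    if any(c.isspace() for c in pw):
        problems.append("white space is not allowed")
    groups = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SPECIALS for c in pw),
    ]
    if sum(groups) < 3:
        problems.append("needs at least 3 of: lower, upper, digit, special")
    return problems

def encode_mdm_password(pw: str) -> str:
    """Base64 form stored in gatewayUser.properties when encoding is enabled.
    Base64 is reversible, so it only hides the password from a casual glance;
    file permissions on gatewayUser.properties still protect the real secret."""
    return base64.b64encode(pw.encode("utf-8")).decode("ascii")

def parse_lia_conf(text: str) -> dict:
    """Parse the key=value lines of /opt/emc/scaleio/lia/cfg/conf.txt."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def lia_request_allowed(conf: dict, token: str, operation: str) -> bool:
    """Model of LIA's per-request decision: the presented token must equal
    lia_token (compared in constant time) and the operation's lia_enable_*
    flag must be on. Assumption: the flags use 1 = enabled, 0 = disabled."""
    expected = conf.get("lia_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), token.encode()):
        return False
    return conf.get("lia_enable_" + operation, "0") == "1"

# Constructed sample conf.txt; the token is a placeholder, not a real value.
SAMPLE_CONF = """\
lia_token=placeholder-token-123
lia_enable_install=1
lia_enable_uninstall=0
lia_enable_configure=1
lia_enable_fetch_logs=1
"""

if __name__ == "__main__":
    for pw in ("admin", "Scale1O!", "Scale IO 2015"):
        print(repr(pw), check_mdm_password(pw) or "OK", encode_mdm_password(pw))
    conf = parse_lia_conf(SAMPLE_CONF)
    for token, op in (("placeholder-token-123", "install"),
                      ("placeholder-token-123", "uninstall"), ("wrong-token", "install")):
        print(op, "with", token, "->", lia_request_allowed(conf, token, op))
```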

2.3.1 Component authentication

LIA establishes trust with the IM via a configurable token. The LIA token is stored in /opt/emc/scaleio/lia/cfg/conf.txt. The line in the file that can be configured is:

    lia_token=xxxx

where xxxx represents the token. The token should be added to every request sent to LIA. LIA checks that the token received is equal to the one that appears in the configuration file. To change the token after LIA runs, you must change the line in the configuration file and restart LIA.

During installation, the IM password and the LIA token are stored in hashed format. IM passwords added after initial installation need to be converted to hashed format using a CLI command. For example:

    ScaleIO Installation Manager CLI>im generate_password --im_password admin --config_file "C:\Program Files\EMC\ScaleIO\Gateway\webapps\ROOT\WEB-INF\classes\gatewayUser.properties"
    Password generated successfully!

2.3.2 Component authorization

All the configurable parameters of LIA are included in the file /opt/emc/scaleio/lia/cfg/conf.txt. The list includes: lia_token, lia_enable_install, lia_enable_uninstall, lia_enable_configure, lia_enable_fetch_logs.

3 Log Settings

A log is a chronological record of system activities that is sufficient to enable the reconstruction and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a security-relevant transaction, from inception to final results.

3.1 Log description

NOTE: ScaleIO uses Apache Tomcat, which has its own set of standard logs. For more information about Tomcat logs, refer to the Apache Tomcat documentation.

- MDM log: The logs do not contain any user data (as the user data do not pass through the MDM). The logs may contain the MDM's user names (but never passwords), IP addresses, MDM configuration commands, events, etc. Location: /opt/emc/scaleio/mdm/logs; c:\program Files\emc\scaleio\mdm\logs

- REST logs: <gateway installed folder>\logs. For example: Windows - c:\program Files\emc\scaleio\gateway\logs; Linux - /opt/emc/scaleio/gateway/logs. The following logs are available: scaleio.log, operations.log, localhost_access_log.log, audit.log, api_operations.log
- Installation Manager logs: <gateway installed folder>\logs. For example: Windows - c:\program Files\emc\scaleio\gateway\logs; Linux - /opt/emc/scaleio/gateway/logs. The following logs are available: scaleio.log, operations.log, localhost_access_log.log
- LIA logs: C:\Program Files\emc\scaleio\ia\logs; /opt/emc/scaleio/lia/logs
- Tomcat logs: C:\Program Files\EMC\ScaleIO\Gateway\logs\tomcat.log; /opt/emc/scaleio/gateway/logs
- GUI logs: %AppData%\EMC\ScaleIO\logs
- vSphere web plugin:
  - Plugin: Deployment Log: c:\windows\system32\config\systemprofile\AppData\Roaming\VMware\scaleio\deployment.log; /opt/.vmware/scaleio/deployment.log
  - Plugin: Rollback Log: c:\windows\system32\config\systemprofile\AppData\Roaming\VMware\scaleio\rollback.log; /opt/.vmware/scaleio/rollback.log
  - Plugin: Network Creation Log: c:\windows\system32\config\systemprofile\AppData\Roaming\VMware\scaleio\networkcreation.log; /opt/.vmware/scaleio/networkcreation.log

- vSphere Virgo Log: c:\programdata\vmware\vsphere Web Client\serviceability\logs\vsphere_client_virgo.log; /storage/log/vmware/vsphere-client/logs/vsphere_client_virgo.log

Table 3: Log Files

3.2 Log Management & Retrieval

Log Roll-over:

- REST\IM: In the configuration of the log's behavior (logback.xml, see below), each log is defined to be no greater than 10MB. Once it reaches this size, a new log file is created. The log files are: name_xxx.log, name_xxx.1.log.zip, ... name_xxx.10.log.zip. Once the maximum (10) is reached, the oldest log is overwritten (Roll-Over).

Configuration of an external Syslog server:

During ScaleIO installation, you can use the Installation Manager web client to configure Syslog event reporting and the Call Home feature. You can also configure these features after installation, using the CLI. For more information, see the appendix System Events and Alerts in the ScaleIO User Guide for CLI commands, and the topic Installing with the web client in the ScaleIO Installation Guide.

Configuration of logging levels:

- GUI: Logging levels can be modified. For more information, see the topic Customizing System Preferences in the chapter Using the Graphical User Interface, in the ScaleIO User Guide.
- REST Gateway: The log can be configured by editing the file <gateway installation folder>\webapps\root\WEB-INF\classes\logback.xml
- Installation Manager: The log can be configured by editing the file <gateway installation folder>\webapps\root\WEB-INF\classes\logback.xml

- vSphere Web Client: To enable debug logging for the vSphere Web Client service:

  Note: Take a backup of the serviceability.xml file before modifying it.

  1. Stop the vSphere Web Client service.
  2. Navigate to the configuration folder:
     - For vCenter Server 5.5: C:\Program Files\VMware\Infrastructure\vSphereWebClient\Server\configuration
     - For vCenter Server 5.1: C:\Program Files\VMware\Infrastructure\vSphereWebClient\Server\config
     - For vCenter Server 5.0: C:\Program Files\VMware\Infrastructure\vSphere Web Client\DMServer\config
     - For vCenter Server Virtual Appliance 5.0: /usr/lib/vmware-vsphere-client/server/configuration
     - For vCenter Server Virtual Appliance 5.1: /usr/lib/vmware-vsphere-client/server/config
     - For vCenter Server Virtual Appliance 5.5: /usr/lib/vmware-vsphere-client/server/configuration
  3. Open the serviceability.xml file using a text editor.
  4. Edit the root level logging parameter by replacing the default INFO with DEBUG. For example, change the serviceability.xml default configuration from:

         <root level="info">
             <appender-ref ref="sifted_log_file"></appender-ref>
             <appender-ref ref="log_file"></appender-ref>
         </root>

     to:

         <root level="debug">
             <appender-ref ref="sifted_log_file"></appender-ref>
             <appender-ref ref="log_file"></appender-ref>
         </root>

  5. To add a logging section for the ScaleIO plugin, create a section to increase logging to Debug levels:

         <logger level="debug" additivity="false" name="com.emc">
             <appender-ref ref="sifted_log_file" />
             <appender-ref ref="log_file" />
         </logger>

  6. Save and close the file.
  7. Start the vSphere Web Client service. Additional logs will be written to the C:\ProgramData\VMware\vSphere Web Client\Logs folder.

Configuration of alert mechanisms:

- Call Home feature: During ScaleIO installation, depending on the operating system used in your environment, you can use either the ScaleIO Installation Manager web client or the ScaleIO VMware Deployment Wizard to configure the Call Home feature, which controls the alert severity threshold used for alert reporting. For more information, see the following in the ScaleIO Installation Guide:
  - Installation Manager CLI commands (im configure_call_home)
  - Installing with the web client
  - Installation on ESX Servers (Deploying ScaleIO Systems)
- Viewing events locally: Use the showevents.py command, using filter switches to control the severity of alerts. For more information, see the ScaleIO User Guide, System Events and Alerts appendix.

Configuration for external log management tools like enVision - NA

Configuration of time synchronization with external source (e.g. via NTP, Windows Time Service, etc.) - NA

The command im get_info runs the get_info script on all nodes and retrieves the result, based either on a CSV file, or via the LIA with configuration information from the MDM.

4 Communication Security Settings

Communication security settings enable the establishment of secure communication channels between the product components, as well as between product components and external systems or components.

4.1 Port usage

| Component | Service | Protocol | Port | Description |
|---|---|---|---|---|
| Installation Manager | Installation Manager | REST over HTTPS | 443 (default) | Used to perform installations using the Installation Manager. This port on the ScaleIO Gateway web server can be changed to a nonstandard port by modifying the server.xml file in the conf directory. Change the two instances of port="443" to another valid and nonoccupied port of your choice and restart the ScaleIO Gateway service/daemon. |

| REST | scaleio-gateway | REST over HTTPS | 443 (secure, default); 80 (nonsecured http port, default) | To be used by clients wishing to query a ScaleIO cluster or perform operations on it. |
| MDM | MDM | Protobuf over TCP | 6611, 9011 (defaults) | Used to provision a ScaleIO system, or to query it |
| Tie-Breaker | Tie-Breaker | Proprietary protocol over TCP | 9011 (default) | Used to decide which MDM should be the primary MDM in the cluster |
| SDS | SDS | Proprietary protocol over TCP | 7072 (default) | SDCs connect through this port for data communication and the MDM for meta-data communication |
| LIA | LIA | Protobuf over TCP | 9099 (default) | IM connects to the LIA to perform installation related operations |
| SNMP | SNMP | SNMP v2 over UDP | 162 (default) | SNMP traps for system alerts are sent to a trap receiver via this port. The ScaleIO gateway sends messages to snmp.traps_receiver_ip on the port snmp.port |

Table 4: Port Usage

4.2 Network encryption

IM and the REST Gateway use TLSv1.

REST Gateway certificate validation: the OpenStack ScaleIO driver communicates with the REST Gateway through https (over TLSv1). By default, the driver ignores verification of the REST Gateway's TLSv1 certificate, but it can verify the certificate if the following configuration parameters are defined:

- verify_server_certificate: set to True if the server's certificate must be verified, and to False if no verification is required.
- server_certificate_path: if the parameter verify_server_certificate is set to True, specify the location of the .pem file containing the server's certificate.

For instructions for generating a self-signed certificate using Keytool, see the section Generating a self-signed certificate using the keytool utility in the ScaleIO Installation Guide.

5 Data Security Settings

Data security settings enable the definition of controls to prevent data permanently stored by the product from being disclosed in an unauthorized manner.
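The following added example (not the OpenStack ScaleIO driver's own code, nor code from this guide) shows what the two driver parameters above mean for the TLS client: with verify_server_certificate left at its default of False, any gateway that completes a handshake is accepted, while True pins trust to the .pem file named by server_certificate_path and enforces hostname checking. The ini layout of the constructed config fragment and the helper names are assumptions.

```python
import configparser
import ssl

# Constructed driver configuration fragment. An ini layout is assumed here;
# the guide only names the two parameters, and the default (False) is shown.
SAMPLE_DRIVER_CONF = """\
[scaleio]
verify_server_certificate = False
server_certificate_path =
"""

def read_verification_options(text: str, section: str = "scaleio"):
    """Return (verify_server_certificate, server_certificate_path) from an
    ini-style config. Hypothetical helper, not the driver's own parser."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    verify = cp.getboolean(section, "verify_server_certificate", fallback=False)
    path = cp.get(section, "server_certificate_path", fallback="").strip()
    return verify, path

def build_gateway_ssl_context(verify_server_certificate: bool,
                              server_certificate_path: str = "") -> ssl.SSLContext:
    """Map the two parameters onto the TLS client behaviour they imply."""
    # PROTOCOL_TLS_CLIENT verifies the peer and checks the hostname by default
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if verify_server_certificate:
        if not server_certificate_path:
            raise ValueError("server_certificate_path is required when "
                             "verify_server_certificate is True")
        # Trust only the certificate(s) in the gateway's .pem file, which is
        # what makes a self-signed gateway certificate verifiable at all
        ctx.load_verify_locations(cafile=server_certificate_path)
    else:
        # The driver's documented default: the certificate is not checked, so
        # the client cannot tell the real gateway from an impostor on the path
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def verification_state(ctx: ssl.SSLContext) -> str:
    """'verified' when both the certificate chain and hostname are checked."""
    if ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname:
        return "verified"
    return "unverified"

if __name__ == "__main__":
    verify, path = read_verification_options(SAMPLE_DRIVER_CONF)
    print("config:", verify, repr(path))
    print("resulting TLS client:", verification_state(build_gateway_ssl_context(verify, path)))
```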

5.1 Data at rest security

Obfuscation of the data stored on ScaleIO volumes can be configured using the CLI, or during vSphere ScaleIO web plugin installation. Obfuscation is enabled by default.

5.2 Data Integrity

Data erasure is implemented by using the underlying hardware's data erasure tools.

Copyright 2015 EMC Corporation. All rights reserved. Published in the USA. Published May 2015.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC2, EMC, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. For the most up-to-date regulatory document for your product line, go to EMC Online Support (https://support.emc.com).