Solutions Enabler Security Configuration Guide - Dell EMC · EMC Corporation Solutions Enabler...

EMC Corporate Headquarters

Hopkinton, MA 01748-9103 1-508-435-1000 www.EMC.com

EMC CONFIDENTIAL – INTERNAL USE ONLY EMC CONFIDENTIAL – INTERNAL AND PARTNER USE ONLY DELETE IF THIS IS A PUBLIC DOCUMENT

EMC Solutions Enabler V7.3.1

Security Configuration Guide P/N 300-013-060 A01

EMC Corporation

Solutions Enabler V7.3.1 Security Configuration Guide 2

Copyright © 2011 EMC Corporation. All rights reserved.

Published September, 2011

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

All other trademarks used herein are the property of their respective owners.

EMC Corporation


Table of Contents

1 Overview ................................................................................................................................. 4

2 Security configuration settings ................................................................................................ 4

2.1 Introduction ...................................................................................................................... 4

2.2 Access Control settings ................................................................................................... 5

2.2.1 User authentication .................................................................................................. 5

2.2.2 Authorization for Symmetrix arrays ......................................................................... 5

2.2.3 Identifying hosts with access IDs ............................................................................. 6

2.3 Log files and settings ....................................................................................................... 9

2.3.1 Log description ........................................................................................................ 9

2.3.2 Log settings ........................................................................................................... 10

2.4 Communication security settings ................................................................................... 11

2.4.1 Port usage ............................................................................................................. 11

2.4.2 Port settings ........................................................................................................... 12

2.4.3 Network encryption ................................................................................................ 12

2.4.4 Client / server settings ........................................................................................... 12

2.4.5 SSL settings ........................................................................................................... 14

2.4.6 SSL settings ........................................................................................................... 16

2.5 Data security .................................................................................................................. 17

2.6 Other security considerations ........................................................................................ 18

2.6.1 Daemon processes on UNIX ................................................................................. 18

2.6.2 Securing Solutions Enabler configuration files ...................................................... 18

2.6.3 Running commands as a non-privileged user ....................................................... 18

3 Secure deployment and usage ............................................................................................. 19

3.1 Guidelines for securely deploying Solutions Enabler .................................................... 19

3.1.1 Securely enabling client/server operations ............................................................ 19

4 Secure maintenance ............................................................................................................. 20

4.1 Backup of Solutions Enabler state ................................................................................. 20

4.2 Log file rotation using logrotate ..................................................................................... 20

EMC Corporation


1 Overview This guide describes the security configuration settings available in Solutions Enabler, along with information on how to securely deploy, use, and maintain the product. It is divided into the following sections:

• Security Configuration Settings describes Solutions Enabler security settings.

• Secure Deployment and Usage provides instructions on how to deploy and use Solutions Enabler securely.

• Secure Maintenance provides recommendations for safeguarding data maintained by Solutions Enabler.

2 Security configuration settings

2.1 Introduction Solutions Enabler security settings fall into the following categories:

• Access control settings limit access by end-user or by external product components.

• Log files and settings control event logging and associated files.

• Communication security settings provide security for the product network communications.

• Data security settings ensure protection of the data handled by the product.

• Other security considerations describe other security settings critical to Solutions Enabler operations.

Note: When <SYMAPI_HOME> is used, it refers to the location of Solutions Enabler data and configuration files. The following are the default locations (unless overridden during a Windows installation):

Windows: C:\Program Files\EMC\SYMAPI UNIX (and UNIX-based systems): /var/symapi

Open VMS file locations are discussed in the EMC Solutions Enabler Installation Guide.

Note: When pathnames are presented in this document, they use a UNIX-specific format, using forward slashes (/) instead of backslashes (\) that are typically used in Windows platforms.

EMC Corporation


2.2 Access Control settings

2.2.1 User authentication Solutions Enabler does not support an explicit authentication mechanism for users. When using SYMCLI commands, Solutions Enabler uses the credentials users supply when logging onto the local system—as provided by the operating system. When using Symmetrix Management Console (SMC), SMC passes the user’s authenticated identity to Solutions Enabler.

Internally, Solutions Enabler represents a user identity as a string that comprises the user’s name along with how (and where) they were originally authenticated. The possible encodings are:

H:HostName\UserName A user authenticated by the local operating system.

D:DomainName\UserName A user authenticated by a specific Domain on Windows.

L:ServerName\UserName A user authenticated by an LDAP Server. [SMC only]

C:HostName\UserName A user authenticated by the private SMC authentication service on some host. [SMC only]

V:DomainName|UserName A user authenticated by a Virtualization Domain. [SMC only]

Solutions Enabler uses these identities in a number of ways. A user name is included in records that are written to the Symmetrix array’s secure Audit Log. This identifies the user that initiated the activity being logged. A user identity is the basis for optional user authorization rules that restrict management access to Symmetrix arrays.

2.2.2 Authorization for Symmetrix arrays There are two authorization mechanisms, Symmetrix® Access Control and Symmetrix User Authorization, used to restrict management operations on Symmetrix arrays.

Note: This document only describes Solutions Enabler management operations and does not cover data access using device masking, Auto-provisioning, or IPSec capabilities.

Symmetrix Access Control allows you to restrict what hosts can perform what management operations (by command) against what devices on a Symmetrix array. Using the symacl command or SMC, restrictions can be placed on the types of operations that can be performed from a host, along with the specific devices they can, or cannot, be performed against. For additional information, refer to the EMC Solutions Enabler Symmetrix Array Management CLI Product Guide.

In contrast, Symmetrix User Authorization assigns individual users to roles that limit the management operations that they can perform. The roles define a set of restrictions for the users. User Authorization does not provide functionality-based control over access as Symmetrix Access Control does. Using the symauth command or SMC, users can be assigned to management roles that restrict the types of operations that they are permitted to perform. For additional information, refer to the EMC Solutions Enabler Symmetrix Array Management CLI Product Guide.

EMC Corporation


2.2.3 Identifying hosts with access IDs Symmetrix Access Control identifies individual management hosts with an access ID. Solutions Enabler symacl –unique

• Hardware-based access ID (default mechanism): Access ID is generated based on the individual hosts hardware characteristics (such as a MAC address). For more information, refer to “

command generates these access IDs in one of two ways:

Hardware-based access IDs” on page 6. • Alternate access ID: Access ID is a randomly generated ID that is securely stored

locally to disk. Currently, only (x86 (32-bit Intel), x86_64 (64-bit), and IA64 hardware platforms support the alternate access ID option. This optional method provides added security and eliminates certain risks associated with some IDs generated from hardware characteristics. For more information on this option and how to enable it, refer to “Alternate access IDs” on page 7.

Note: EMC recommends, as part of our security best practices on x86 (32-bit Intel), x86_64 (64-bit), and IA64 hardware platforms, that you use alternate access IDs instead of hardware-based access IDs. For more information on using alternate access IDs, refer to “Alternate access IDs” on page 7.

2.2.3.1 Hardware-based access IDs This is the default method used by Solutions Enabler to generate host access IDs. Hardware-based access IDs are generated differently on various host platforms based on network interface cards and host characteristics, such as MAC addresses. For example, on x86 platforms (Windows, Linux, Solaris), information from network interface cards is used, specifically a MAC address. Other platforms use other means to generate an access ID, such as a unique system identifier (for example, an ID from a processor).

When MAC addresses are used to generate access IDs they may be unreliable under certain circumstances, such as in clustering or virtual environments, and may change following a hardware change. EMC recommends, as part of our security best practices on x86 (32-bit Intel), x86_64 (64-bit), and IA64 hardware platforms, that you use alternate access IDs instead of hardware-based access IDs.

For more information on using alternate access IDs, refer to “Alternate access IDs” on page 7.

For more information on disabling the alternate access ID mechanism to use the default hardware-based mechanism, refer to “Disable alternate access IDs: re-enabling hardware-based access IDs” on page 7.

EMC Corporation


2.2.3.2 Alternate access IDs On x86 (32-bit Intel), x86_64 (64-bit), and IA64 hardware platforms, an alternate access ID mechanism can be used. It does not utilize the host’s hardware identifiers (such as MAC address) to generate an access ID based on host-level hardware characteristics. When enabled, Solutions Enabler generates an access ID for the host and securely stores it on the local disk (refer to “Enabling alternate access IDs” on page 7).

When enabled and in use, two copies of the alternate access ID – a primary and secondary – are securely stored on disk in the following directories:

<SYMAPI_HOME>/config/lockboxp

These files are encrypted. If the primary copy is found to be corrupt, the secondary is used. These files hold other security related information (and keys) in addition to these alternate access IDs. Therefore, these files should not be deleted.

<SYMAPI_HOME>/config/lockboxb

Note: It is recommended that you maintain backup copies of these files and secure those backups appropriately. If these files are lost (for example, during a disk replacement or file system re-image), any alternate access IDs contained in those files will be lost along with the other security information that Solutions Enabler stores there.

2.2.3.2.1 Enabling alternate access IDs 1. Enable the SYMAPI_ALTERNATE_ACCESS_ID value in the options file to use alternate

access IDs. The options file is located in the following directory:

2. Run the

<SYMAPI_HOME>/config/options

symacl -unique

Note: If you had run this command before enabling the option file setting, the new alternate access ID will be a different value than the hardware-based access ID you received prior to enabling this option. Any hardware-based access ID previously used to identify this host in an Access Group needs to be updated with the new alternate access ID using Solutions Enabler.

command. Solutions Enabler recognizes that the above option is set and, if one does not already exist for the host, generates a random access ID is, securely stores it in the lockbox, and displays it to the user. If an alternate access ID had previously been generated for this host, and the option had been disabled, a copy of the access ID remains securely stored on disk, but is not used. When the option is re-enable in the future, the existing value is used.

3. Add this new, alternate access ID to the appropriate Access Groups. When an access ID is required on this host, the alternate access ID that was stored to disk is used.

2.2.3.2.2 Disable alternate access IDs: re-enabling hardware-based access IDs

1. Disable the SYMAPI_ALTERNATE_ACCESS_ID value in the options file to disable use of alternate access IDs. The options file is located in the following directory:


2. Run the symacl -unique

3. Add this access ID to the appropriate Access Groups.

command. This command recognizes that the option has been reset, disables use of the alternate access ID, and generates and displays an access ID based on host-level hardware characteristics. A backup copy of the access ID remains securely stored on disk, but is not used.

EMC Corporation


2.2.3.2.3 Changing a host's access ID It is recommended that you have two administrative hosts available to change a host's alternate access ID. You cannot perform all the operations from the host that requires the access ID change. When you change the access ID for a given host, the host no longer has any valid Access Control entries, since the original access ID no longer applies, and the host may lose access to the storage array. You need a secondary host to reset the Access Control entries for the host’s new access ID.

For example, assume that you need to change the access ID for Host-1. Login to another administrative host, for example Host-2, and remove any existing definitions for Host-1 from the Access Group it resides for any Symmetrix arrays to which it has access. From Host-1, follow the steps outlined in “Enabling alternate access IDs” on page 7, to enable (or disable) the alternate access ID mechanism and obtain a new access ID. From Host-2, add Host-1 back into its Access Group using its new access ID to any Symmetrix arrays to which it requires access.

Note: The Solution Enabler Access Control changes must be made from an administrative host with ADMIN rights to the array and rights to make symacl changes. If you only have one such administrative host, and you are trying to change its alternate access ID, once that change is made, the host will no longer be able to make Access Control changes (the new access ID will not be in an Access Group yet). It is recommended that you enable a second administrative host (even temporarily to complete this operation) prior to completing this task.

EMC Corporation


2.3 Log files and settings

2.3.1 Log description Solutions Enabler maintains the following log files.

Log type and location Description

Solutions Enabler log files <SYMAPI>/log/symapi_yyyymmdd.log

Where yyyymmdd is the numerical value for the year, month, and day. For example, symapi_20100920.log is the log for September 20, 2010.

Solutions Enabler writes errors and other significant conditions to this log.

By default, Solutions Enabler keeps these files forever. Setting the SYMAPI_LOGFILE_RETENTION option, described on page 10, configures at what point in time after creation these files should be automatically removed.

Daemon log files <SYMAPI>/log/storXXXX.log0 <SYMAPI>/log/storXXXX.log1

Where storXXXX is the name of the daemon. For example: storapid.log0, storapid.log1, storgnsd.log0, storgnsd.log1.

Each Solutions Enabler daemon maintains a pair of log files. The daemons alternate between these two files, switching from one to the other, when the default maximum size of approximately 1 MB is reached.

Symmetrix Audit Log

Maintained on the Symmetrix array.

A secure audit log containing a record of configuration changes, security alarms, service operations, and security-relevant actions maintained on each Symmetrix array. Records are written to this by Solutions Enabler, software running on the Service Processor, and the Enginuity™ Operating Environment. Information from this log can be retrieved using the symaudit SYMCLI command.

For more information on this audit log, refer to the EMC Solutions Enabler Symmetrix Array Management CLI Product Guide.

The Solutions Enabler event daemon (storevntd) can be configured to automatically stream audit entries from this log to an external log service (EMC RSA Envision, Syslog, SNMP, or the Windows Event Service) automatically as they appear. For more information on configuring the Solutions Enabler event daemon, refer to the EMC Solutions Enabler Installation Guide.

EMC Corporation


2.3.2 Log settings The following option setting controls how long the Solutions Enabler log files are retained.

Option name and Location Description

SYMAPI_LOGFILE_RETENTION = NN


Solutions Enabler log files, discussed previously, can be automatically removed NN days after they were created.

Note: The log files might not be removed after the NN days are reached. This value indicates to the system when a given file can be removed by the logging logic during its normal operation.

Valid values for NN are between 5 and 1825 (or between 5 days and 5 years). If running on the Symmetrix service processor, you can only set this to the default value 0 (keep them forever) or 30.

EMC Corporation


2.4 Communication security settings

2.4.1 Port usage The following network ports are used by Solutions Enabler.

Component Protocol Port Description

Client / Server TCP/IP 2707 In client/server mode, Solutions Enabler Server (storsrvd daemon) listens on this port for connections from client hosts.

You can change the default port as described in "Port settings” on page 12.

Event Daemon TCP/IP Dynamically Assigned

In client/server mode, the event daemon (storevntd) on a client host listens on this port for asynchronous events sent to it from a server host. By default, this is picked at random by the client side event daemon.

Refer to “Port settings” on page 12 for information on setting a specific port value.

CLARiiON TCP/IP 443 or 2163 A configuration file on CLARiiON© storage arrays controls whether it listens for connections from management hosts over ports 443 or 2163. When Solutions Enabler needs to communicate with the array, it attempts both values.

If a Firewall or Network Address Translator is present between communicating entities, these ports–or ones you have configured–need to be open. Most often, this would be:

• A firewall between Solutions Enabler client and server hosts.

• A firewall between management server and CLARiiON array.

EMC Corporation


2.4.2 Port settings Option location and name Description

storsrvd:port = NN <SYMAPI_HOME>/config/daemon_options

On the server hosts, this directs Solutions Enabler server (storsrvd) to listen for connections at this port instead of the default 2707.

If the default value is changed for the server, client hosts must be configured to the alternate port–as described in storevntd:event_listen_port.

SvcName - TCPIP HostName - NN SECURE <SYMAPI_HOME>/config/netcnfg

On client hosts, the netcnfg file is used to map service names (SvcName), used with the SYMCLI, to a host (HostName) and port (NN) on which the appropriate server is listening. If a non-default server port is configured, corresponding changes have to be made to clients in this file as well. For more information, refer to “Client host SSL control” on page 15.

storevntd:event_listen_port = NN

<SYMAPI_HOME>/config/daemon_options

In client/server mode, the event daemon, storevntd, on a client host listens on this port for asynchronous events sent to it from a server host. By default, this is picked at random by the client side event daemon.

On client hosts, this setting directs the event daemon to listen at this specific port for events sent from the server host instead of using a random port assigned by the local operating system. This setting is automatically transmitted to the server hosts as needed.

2.4.3 Network encryption By default, traffic transmitted between client and server hosts is encrypted using SSL. The following cryptographic algorithms are employed:

SSLv3 with AES-256 + SHA1

2.4.4 Client / server settings In Solutions Enabler client/server mode, client host operations are automatically forwarded to the storsrvd daemon on a server host for execution. For additional information, refer to the EMC Solutions Enabler Installation Guide.

By default, traffic transmitted between client and server hosts is encrypted using SSL. A number of mechanisms are available to operate these connections in a secure manner as described next.

EMC Corporation


2.4.4.1 Running the Solutions Enabler server The Solutions Enabler server daemon, (storsrvd) does not run by default. It must be explicitly started before it is can accept connections from remote clients. It can be configured to start automatically whenever a server host starts by running the following command:

stordaemon install storsrvd -autostart

Daemons are started differently on z/OS and Open VMS platforms. Refer to the EMC Solutions Enabler Installation Guide for details.

2.4.4.2 Restricting access to the Solutions Enabler server Use the <SYMAPI_HOME>/config/nethost file on a server host to restrict the hosts and users from which that storsrvd accepts connections. If this file is not present, connections are accepted from all client hosts.

When in use, each line of the nethost file identifies acceptable hosts, each with a comma separated list of user names. A user list of ‘*’ means that all users from that host are allowed. Connections from other hosts (and users) will not be permitted. For example:

# From Client host Saturn, all users may connect.

saturn *

# From Client host Jupiter, only users joe and sally may connect.

jupiter joe, sally

# An IP address can be used instead of a host name.

180.100.90.75 *

When a connection is refused, an error message containing the requesting client’s user and host name is written to the storsrvd.log0 or storsrvd.log1 file on the server.

2.4.4.3 Restricting functionality in the Solutions Enabler server Settings in the <SYMAPI_HOME>/config/options file on a server host can be used to restrict the functionality that storsrvd is allowed to perform on behalf of remote client hosts. The options are listed in the next table.

Option Name ( within <SYMAPI_HOME>/config/options )

Description

SYMAPI_ACC_ADMIN_VIA_SERVER Symmetrix Access Control changes.

This defaults to ENABLE.a

SYMAPI_ACC_DISPLAY_VIA_SERVER Symmetrix Access Control information displays.

This defaults to ENABLE.

SYMAPI_ALLOW_SCRIPTS_VIA_SERVER

a

Symmetrix TimeFinder pre-action and post-action scripts.

This defaults to DISABLE.

EMC Corporation


SYMAPI_CTRL_VIA_SERVER Symmetrix control operations in general.

This defaults to ENABLE.

a. When set to DISABLE, this class of functionality is not available through the server.

a

2.4.4.4 IBM z/OS-specific behavior Solutions Enabler does not perform any explicit SAF checks as it performs operations.

By default, a Solutions Enabler server running on a z/OS host does not perform any configuration, SRDF or TimeFinder control operations when requested by a remote client host. To enable these types of operations, an optional configuration step is required at the server. For additional information, refer to "Authorizing Control Operations" in the EMC Solutions Enabler Installation Guide.

Caution: As previously mentioned, no SAF security checks are made during control operations. By enabling them, you make it possible for remote open systems users, in client/server mode, to make changes to the Symmetrix configuration on your mainframe system.

2.4.5 SSL settings Solutions Enabler uses SSL to secure communications between client and server hosts where possible.

Note: Solutions Enabler does not support SSL on iSeries, BS2000, OpenVMS, or Linux on PPC hosts.

2.4.5.1 Server host SSL control When running SSL, a Solutions Enabler server by default only accepts connections from clients if SSL can be used to secure the connection. To allow non-secure connections from clients that cannot (or are configured not to) use SSL, add the following to the <SYMAPI_HOME>/config/daemon_options file on a server host:

storsrvd:security_level = ANY

This configures the server to use SSL where possible and allow non-secure connections if the client cannot use SSL.

Note: This only works if the corresponding client allows non-SSL connection, as described in “Client host SSL control” on page 15.

EMC Corporation


2.4.5.2 Client host SSL control When running on a platform where SSL is supported, a Solutions Enabler client defaults to only use connections to servers if SSL can be used to secure the connection. On client hosts, there are two options for allowing non-secure connections to servers that cannot (or are configured not to) use SSL.

• To allow non-secure connections with servers that are not able to use SSL, add the following to the <SYMAPI_HOME>/config/options file:

SYMAPI_SERVER_SECURITY_LEVEL = ANY

• To allow non-secure connections with specific server hosts, specify the NONSECURE or ANY attribute in the <SYMAPI_HOME>/config/netcnfg entry for the server in question. This file is used to map service names to server host names (or IP addresses) and port numbers, usually for Solutions Enabler SYMCLI commands.

The format of records within this file is as follows: <ServiceName> - TCPIP <HostName> <IP-Address> <Port> <SecurityLevel>

Where:

<ServiceName> Service name by which the server is known. Typically, this is the same value that the SYMCLI_CONNECT environment variable uses for CLI commands.

<HostName> Name of the host on which the server resides. Either specify <HostName> or <IP-Address>.

<IP-Address> IP address of the server. Either specify <HostName> or <IP-Address>.

<Port> Port number (default 2707) on which the server is listening.

<SecurityLevel> SECURE: Only accepts SSL connections. NONSECURE: Only accepts non-SSL (non-secure) connections. ANY: Accepts both SSL and non-SSL connection.

2.4.5.3 Certificate use Solutions Enabler installs self-signed SSL certificates used, by default, on both client and server hosts to secure SSL connections. For increased security, these default certificates can be deleted and replaced with certificates you generate for your hosts.

By default, Solutions Enabler servers validate an SSL certificate that is sent from a client, if the client has one to send. To require client certificates to always be sent and validated, add the following to the <SYMAPI_HOME>/config/daemon_options file on a server host.

storsrvd:security_clt_secure_level = MUSTVERIFY

For additional information, refer to client/server security in the EMC Solutions Enabler Installation Guide.

EMC Corporation


2.4.6 SSL settings The following table provides a summary of the SSL settings:

Option name, possible values, and location Description

storsrvd:security_level = SECURE | NONSECURE | ANY <SYMAPI_HOME>/config/deamon_options

On server hosts: Controls whether servers will establish an SSL secured connection.

SECURE (default): Secure SSL connections are always used. All other connection types are refused.

NONSECURE: Non-SSL connection are used; secure SSL connections are not used.

ANY: An SSL secured connection is established when supported by the client, otherwise a non-SSL connection is used.

storsrvd:security_clt_secure_lvl = MUSTVERIFY | VERIFY | NOVERIFY <SYMAPI_HOME>/config/daemon_options

On server hosts: Controls how the server validates client certificates. MUSTVERIFY: The server requires clients to send a valid certificate.

VERIFY (default): The server verifies a client’s certificate, if one is sent.

NOVERIFY: The server does not verify client certificates.

Note: This option is not supported on z/OS hosts where it defaults to NOVERIFY.

SYMAPI_SERVER_SECURITY_LEVEL= SECURE | NONSECURE | ANY <SYMAPI_HOME>/config/options

On client hosts: Controls whether clients establish a SSL secured connection.

On server hosts: Controls whether servers establish an SSL secured connection, if the security_level option in daemon_options is not set (above).

This defaults to SECURE.

EMC Corporation


2.5 Data security Solutions Enabler maintains important configuration data in a number of files. It is important these files are backed up and protected at all times. If lost, functionality that depends on the data that these files contain can be impacted.

File location Description

<SYMAPI_HOME>/config/emcpwddb.dat Stores connectivity information–including user names and passwords–used to interact with CLARiiON storage arrays and VMware/Hyper-V Virtual Infrastructure Services.

It is managed via the symcfg authorization SYMCLI command.

The file is encrypted to protect its contents and prevent tampering.

<SYMAPI_HOME>/config/lockboxp <SYMAPI_HOME>/config/lockboxb

These encrypted files (two copies: a primary and backup) contain security keys including encryption keys used by Solutions Enabler on this host.

These files are encrypted to protect its contents and prevent tampering.

<SYMAPI_HOME>/db/symapi_db.bin This is the Solutions Enabler database file. When managing CLARiiON arrays, connectivity information–including user names and passwords–may be stored here if the user performs actions requiring it. If present, these passwords are encrypted to protect them and prevent tampering.

EMC Corporation


2.6 Other security considerations

2.6.1 Daemon processes on UNIX Solutions Enabler uses a number of helper daemon processes: storapid, storsrmd, storsrvd, storgnsd, storrdfd, storevntd, storwatchd. On UNIX, these daemons run as root by default as a result of their executables being marked setuid-to-root.

The storsrvd, storgnsd, storevntd, and storwatchd daemons can optionally be configured to run as an identity other than root. This can be set during Solutions Enabler installation using the -daemonuid=Name option, which, when used with the -silent option changes ownership of daemons to non-root user, or post-install using the stordaemon command. For information on which daemons are affected by this option, refer to the stordaemon man page. For example, the following command configures the GNS daemon to run under the bin user account:

stordaemon setuser storgnsd -user bin

For example, the following command configures all daemons to run under the bin user account: stordaemon setuser all -user bin

For additional information, refer to the stordaemon man page. Also refer to the <SYMAPI_HOME>/config/README.daemon_users file that is installed with Solutions Enabler.

2.6.2 Securing Solutions Enabler configuration files Solutions Enabler stores its configuration files in the following directory:

<SYMAPI_HOME>/config

That directory, and any files in it, should be protected such that only authorized Solutions Enabler administrators have write access.

2.6.3 Running commands as a non-privileged user Following an initial installation of Solutions Enabler, most SYMCLI commands must be run by root (on UNIX) or an administrator (on Windows) user. To allow other users to execute these commands (for example symcfg discover), you must grant them write access to the following directories and their contents:

<SYMAPI_HOME>/config/db/

Non-root (or administrators, on Windows) users must similarly need to be authorized to explicitly (via stordaemon) or implicitly (via ordinary commands) make use of the Solutions Enabler daemons. This is done by adding an entry for the specific user in the file <SYMAPI_HOME>/config/daemon_users. For example:

# Allow user 'jones' to make use of the storapid daemon: jones storapid # A ‘*’ character at the end of a name can be used # as a simple wildcard. The following allows user 'jones' # to make use of any of the Solutions Enabler daemons: jones stor*

For additional information, refer to the <SYMAPI_HOME>/config/README.daemon_users file installed with Solutions Enabler.

EMC Corporation


3 Secure deployment and usage

3.1 Guidelines for securely deploying Solutions Enabler • Protect the <SYMAPI_HOME>/config directory and its contents so that only appropriate

administrators have write access. [Section 2.6.2 on page 18]

• If you will be running SYMCLI commands as a non-root user (non-administrator on Windows), add those users to the daemon_users as appropriate. Also protect the <SYMAPI_HOME>/db directory to grant them access. [Section 2.6.3 on page 18]

• To limit the amount of disk space used by Solutions Enabler log files, arrange for these to be cleaned up automatically after some period of time. [Section 2.3.2 on page 10]

• Use Symmetrix Access Control and/or Symmetrix User Authorization to restrict which hosts and users may perform management operations. [Section 2.2.2 on page 5]

• When using Access Control, obtain an access ID using the hardware-based or the recommended alternate access ID operation. [Section 2.2.3.1 on page 6]

3.1.1 Securely enabling client/server operations • If a Firewall or NAT router exists between client and server hosts, you may need to

configure specific ports and allow those to pass through. [Section 2.4.1 on page 11]

• If you need to weaken or disable SSL protection of client/server communications (perhaps due to the need to support platforms without SSL support), change the SSL settings. [Section 2.4.5.1 on page 14, 2.4.5.2 on page 15, 2.4.6 on page 16]

• For maximum network security, replace the self-signed SSL certificates that are installed by default with ones appropriate and specific to your site.[Section 2.4.5.3 on page 15]

• On server hosts:

o Arrange for the storsrvd daemon to automatically start by the operating system. [Section 2.4.4.1 on page 13]

o If necessary, modify the port on which the storsrvd daemon listens. [Section 2.4.4.2 on page 13]

o If you want to limit the set of client hosts that the server will accept connections from, configure the nethost file. [Section 2.4.4.2 on page 13]

o If you want to limit functionality that the server makes available to remote client hosts, configure the specific options. [Section 2.4.4.3 on page 13, or for z/OS section 2.4.4.4 on page 14]

o UNIX only: Since the storsrvd daemon is network facing, consider having it run as something other than root. [Section 2.6.3 on page 18]

• On client hosts:

o For SYMCLI users, modify the netcnfg file with the host names or IP addresses of your servers. [Section 2.4.2 on page 12 and section 2.4.6 on page 15]

o If using asynchronous events through the event daemon, modify the port on which the client event daemon listens. [Section 2.4.1 on page 11, on page 12]

EMC Corporation


4 Secure maintenance

4.1 Backup of Solutions Enabler state The following directories and their contents should be backed up to preserve the Solutions Enabler configuration on a host.

<SYMAPI_HOME>/config <SYMAPI_HOME>/db

The other directories under <SYMAPI_HOME> contain less critical data that will be recreated by Solutions Enabler as necessary.

4.2 Log file rotation using logrotate If the logrotate utility is used on Linux to rotate Solution Enabler log files, it is recommended that you use the copytruncate directive in the configuration file passed to logrotate. This directive will truncate the original log file in its current location after creating a copy.

Date post:	23-Jun-2018
Category:	Documents
Upload:	dinhnhan
View:	266 times
Download:	1 times

Solutions Enabler Security Configuration Guide - Dell EMC · EMC Corporation Solutions Enabler...

Documents