
Dell PowerFlex v3.6.x Security Configuration Guide

Supported access control settings

Access control settings are used to protect resources against unauthorized access.

The following access control settings are supported:

MDM:

  • User roles and passwords are needed to access the MDM. User roles with different access permissions can be assigned to users. Both local and LDAP authentication are supported. For more information, see "User Management" in the Configure and Customize Dell PowerFlex.
  • Limited MDM access mode—a system can be configured to allow read-only access to the MDM by remote clients. In this mode, only local users connecting to the MDM using the IP address 127.0.0.1 have full configuration privileges.
  • Restricted SDC mode—a system can be configured to only allow approved SDCs to connect to the MDM. This mode forces you to map volumes only to SDCs which have been previously approved by the user, by configuring them using their GUID. To increase security, you can specify that only SDCs with preconfigured IP addresses can communicate with the MDM. For more information, see the Configure and Customize Dell PowerFlex.
  • SSL authentication of internal components to the MDM—allows secure authentication of PowerFlex SDS components to the MDM using a Public and Private Key (Key-Pair) associated with a certificate. The trust is established when adding the SDS, and reconnecting will require reauthentication.
  • Secure connectivity with external components—allows external components to authenticate the MDM with a certificate and authenticate back to the MDM with a username and password. After authentication, communication between the MDM and external components is performed using TLS (Transport Layer Security) protocols. External components include: PowerFlex Installer client, PowerFlex CLI client, PowerFlex GUI client, vSphere plug-in, and PowerFlex Gateway. The same method is used between the PowerFlex Installer client and LIAs.
  • An RSA Lockbox is used to store MDM credentials on the PowerFlex Gateway. These credentials are required for authentication purposes by the SNMP trap sender and ESRS.
  • PowerFlex can be used to run user-provided scripts on servers hosting MDM or SDS components. This feature is supported on Linux-based nodes only. This feature can be used for any purpose external to the PowerFlex system, such as running a set of Linux shell commands, patching an operating system, and more. The feature allows the running of scripts in a safe manner, both from a security and a data integrity perspective.

PowerFlex Gateway:

  • Access to the PowerFlex Gateway requires defining a dedicated user. This user may either be a local user or an LDAP user. For more information, see the Configure and Customize Dell PowerFlex, or Dell PowerFlex User Roles and LDAP Usage Technical Notes.
  • Access to the PowerFlex Installer requires a username and password. This user may either be a local user or an LDAP user. For more information, see the Configure and Customize Dell PowerFlex, or Dell PowerFlex User Roles and LDAP Usage Technical Notes.
  • A manually generated public-private key pair can be used to perform SSH key authentication, instead of passwords, between the PowerFlex Gateway and PowerFlex servers.
  • LDAP support for the PowerFlex Gateway and the PowerFlex Installer now includes up to 8 LDAP servers.

LIA:

  • PowerFlex Installer / PowerFlex Gateway access to the LIA may be restricted to predefined IP addresses, by configuring the list of trusted IP addresses in the file:
    • Windows: C:\Program Files\emc\scaleio\LIA\cfg\conf.txt
    • Linux: /opt/emc/scaleio/lia/cfg/conf.txt
  • Access to the LIA can use local authentication or LDAP authentication, with up to 8 LDAP servers.

REST API:

  • REST authenticates user access, using the gatewayAdminPassword and mdmPassword (for more information, see the PowerFlex REST API Reference Guide).
  • REST authenticates user access, using the AMSAdminPassword (for more information, see the VxFlex Ready Node REST API Reference Guide).
  • REST feature enabler—access to the REST gateway can be blocked by configuring the gatewayUser.properties file located on the PowerFlex Gateway. The feature is enabled by default. For detailed information, see "Configuring the PowerFlex Gateway by editing the user properties file", in the Dell PowerFlex REST API Reference Guide.

SNMP:

  • SNMP—the SNMP trap sender can be enabled or disabled using one of the methods listed below. The feature is disabled by default. For detailed information, see the Configure and Customize Dell PowerFlex.
    • During deployment (on Linux and Windows only)
    • Configuring the gatewayUser.properties file located on the PowerFlex Gateway.
    • Using the REST API
NOTE: OpenSSL 64-bit v1.0.2k-2l or v1.1.1i or higher is required for secure authentication. In Linux, this version of OpenSSL is only supported in CentOS and RHEL 6.5 or higher.
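
A version gate for the OpenSSL requirement in the NOTE above, as an added example (not Dell's code). It assumes "v1.0.2k-2l" means 1.0.2k through 1.0.2l inclusive, treats 3.x releases as "higher" than 1.1.1i, and does not check the 64-bit requirement; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: gate on the OpenSSL versions named in the NOTE.
# Assumption: "v1.0.2k-2l" is read as 1.0.2k through 1.0.2l inclusive.

# letter_rank: turn an OpenSSL patch-letter suffix into a number
# ("" -> 0, a -> 1, ... z -> 26, za -> 27).
letter_rank() {
    s=$1
    rank=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first character
        s=${s#?}                 # remaining characters
        rank=$((rank + $(printf '%d' "'$c") - 96))
    done
    echo "$rank"
}

# openssl_version_ok VERSION: 0 = meets the NOTE, 1 = does not, 2 = unparsable.
openssl_version_ok() {
    v=${1%%-*}                   # drop suffixes such as "-fips"
    nums=${v%%[a-z]*}            # numeric part, e.g. "1.0.2"
    letters=${v#"$nums"}         # patch letter(s), e.g. "k"
    case $nums in
        ''|*[!0-9.]*) return 2 ;;
    esac
    case $letters in
        *[!a-z]*) return 2 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $nums; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; fix=${3:-0}
    rank=$(letter_rank "$letters")
    [ "$major" -gt 1 ] && return 0      # 3.x and later count as "higher"
    [ "$major" -lt 1 ] && return 1
    case "$minor.$fix" in
        0.2) [ "$rank" -ge 11 ] && [ "$rank" -le 12 ] ;;   # 1.0.2k..1.0.2l
        1.1) [ "$rank" -ge 9 ] ;;                          # 1.1.1i or later
        *)   return 1 ;;
    esac
}

# Constructed sample version strings; on a real node pass the second
# field of `openssl version` instead.
for sample in 1.0.2j 1.0.2k-fips 1.1.1h 1.1.1w 3.0.13; do
    if openssl_version_ok "$sample"; then echo "$sample: ok"
    else echo "$sample: does not meet requirement"; fi
done
```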
