The system provides secure connectivity between internal and external components.
Secure connectivity with internal system SDS components
The SSL authentication feature allows secure authentication of PowerFlex SDS components using a Public and Private Key (Key-Pair) associated with a certificate. The feature works as follows:
When an SDS is added to the PowerFlex system (for example, using the --add_sds command), it generates its own certificate and a CSR to the MDM.
The MDM acts as the Certificate Authority, and signs the certificates, using its own credentials.
Every time that an SDS reconnects to the system, authentication occurs. If the challenge fails, that component will not be able to connect to the PowerFlex system.
If necessary, or if a malfunction occurs, this feature provides a secure, protected way to disable secure authentication.
OpenSSL FIPS compliance
You can enable OpenSSL Federal Information Processing Standards (FIPS) compliance implementation in the MDM for communication between the external components, including the PowerFlex GUI, PowerFlex Gateway, and CLI, to the MDM. It can also be enabled for any other usage of the OpenSSL library. For instructions on how to enable OpenSSL FIPS compliance implementation, see "Enable OpenSSL FIPS compliance."
Secure connectivity with external components
This feature allows external components to authenticate the MDM with a certificate and authenticate back to the MDM with a user name and password. After authentication, communication between the MDM and external components is performed using TLS (Transport Layer Security) protocols. Secure communication with the MDM is authenticated by the following PowerFlex components:
CLI client
PowerFlex Gateway
PowerFlex GUI client
PowerFlex Installer client
vSphere plug-in
The same method is employed between the PowerFlex Installer and all LIAs.
On the PowerFlex Gateway, setting the security.bypass_certificate_check property in the gateway properties file to true will result in the gateway blindly trusting the certificates of the hosts to which it is trying to connect. Typically, the gateway connects to the MDM or to LIA. This setting affects REST and PowerFlex Installer connections, because they are all included in the gateway. The default setting of this property is false.
Any actions relating to the acceptance of certificates will still add the certificates to the trust store file (truststore.jks) for future use, when this property is set to false. Such actions are:
MDM certificate and LIA certificate approval during installation with the PowerFlex Installer
The REST request trustHostCertificate
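An added example (not part of the original documentation and not Dell code): a shell function that reports the effective value of security.bypass_certificate_check, so that a gateway left with certificate checking bypassed can be flagged. The properties file path is passed as an argument because this page does not give its location; the parsing follows general Java .properties rules, and matching "true" in any letter case is an assumption chosen to err on the side of flagging.

```shell
#!/bin/sh
# Added example, not Dell code. Prints the effective value ("true" or "false")
# of security.bypass_certificate_check from a Java-style .properties file.
# Assumption: the caller supplies the file path; the page does not state it.
bypass_check_value() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk -v key="security.bypass_certificate_check" '
        /^[ \t]*[#!]/ { next }                    # skip comment lines
        {
            line = $0
            sub(/\r$/, "", line)                  # tolerate CRLF line endings
            sub(/^[ \t]+/, "", line)              # leading blanks are ignored
            if (substr(line, 1, length(key)) != key) next
            rest = substr(line, length(key) + 1)
            # Reject longer keys that merely start with the same text.
            if (rest != "" && rest !~ /^[ \t=:]/) next
            sub(/^[ \t]*[=:]?[ \t]*/, "", rest)   # drop separator and padding
            sub(/[ \t]+$/, "", rest)
            value = tolower(rest)                 # a later entry overrides an earlier one
        }
        # An absent property reports the documented default, false.
        END { print ((value == "true") ? "true" : "false") }
    ' "$1"
}

# Constructed sample: a commented-out entry, the default, then an override.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# security.bypass_certificate_check=true
security.bypass_certificate_check=false
security.bypass_certificate_check = TRUE
EOF
if [ "$(bypass_check_value "$sample")" = "true" ]; then
    echo "WARNING: gateway certificate checking is bypassed"
fi
rm -f "$sample"
```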
SSH
A manually generated public-private key pair can be used to perform SSH key authentication, instead of passwords, between the PowerFlex Gateway and PowerFlex system servers.
NOTE: Whenever Apache Tomcat is shut down normally and restarted, or when an application reload is triggered, the standard Manager implementation will attempt to serialize all currently active sessions to a disk file located via the pathname (by default SESSIONS.ser) attribute. All such saved sessions will then be deserialized and activated (assuming they have not expired in the meantime) when the application reload is completed. To remove saved sessions after a PowerFlex Gateway restart, delete the following file:
/opt/emc/scaleio/gateway/work/Catalina/localhost/_/SESSIONS.ser