Dell PowerFlex v3.6.x Security Configuration Guide

Component authentication

The system provides secure connectivity between internal and external components.

Secure connectivity with internal system SDS components

The SSL authentication feature allows secure authentication of PowerFlex SDS components using a Public and Private Key (Key-Pair) associated with a certificate. The feature works as follows:
  • When an SDS is added to the PowerFlex system (for example, using the --add_sds command), it generates its own certificate and sends a CSR to the MDM.
  • The MDM acts as the Certificate Authority, and signs the certificates, using its own credentials.
  • Every time that an SDS reconnects to the system, authentication occurs. If the challenge fails, that component will not be able to connect to the PowerFlex system.
  • If necessary, or if a malfunction occurs, this feature provides a secure, protected way to disable secure authentication.

OpenSSL FIPS compliance

You can enable the OpenSSL Federal Information Processing Standards (FIPS) compliance implementation in the MDM for communication between the MDM and external components, including the PowerFlex GUI, PowerFlex Gateway, and CLI. It can also be enabled for any other usage of the OpenSSL library. For instructions on how to enable the OpenSSL FIPS compliance implementation, see "Enable OpenSSL FIPS compliance."

Secure connectivity with external components

This feature allows external components to authenticate the MDM with a certificate and authenticate back to the MDM with a user name and password. After authentication, communication between the MDM and external components is performed using TLS (Transport Layer Security) protocols. Secure communication with the MDM is authenticated by the following PowerFlex components:

  • CLI client
  • PowerFlex Gateway
  • PowerFlex GUI client
  • PowerFlex Installer client
  • vSphere plug-in

The same method is employed between the PowerFlex Installer and all LIAs.

On the PowerFlex Gateway, setting the security.bypass_certificate_check property in the gateway properties file to true will result in the gateway blindly trusting the certificates of the hosts to which it is trying to connect. Typically, the gateway connects to the MDM or to LIA. This setting affects REST and PowerFlex Installer connections, because they are all included in the gateway. The default setting of this property is false.

Any actions relating to the acceptance of certificates will still add the certificates to the trust store file (truststore.jks) for future use, when this property is set to false. Such actions are:
  • MDM certificate and LIA certificate approval during installation with the PowerFlex Installer
  • The REST request trustHostCertificate
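
A compliance check for the security.bypass_certificate_check setting described above, as an added example that is not part of the Dell guide or PowerFlex tooling. It assumes Java .properties syntax (later entries override earlier ones) and case-insensitive parsing of "true"; the function names are hypothetical and the properties file path is passed in by the caller.

```shell
#!/bin/sh
# Added example: report whether a PowerFlex Gateway properties file disables
# certificate checking. Assumes Java .properties rules: '#' or '!' comments,
# '=', ':' or whitespace separators, and the last occurrence of a key wins.
KEY='security.bypass_certificate_check'

# Print the effective value ("true" or "false") of the property in file $1.
# An absent key yields "false", the documented default.
bypass_value() {
    awk -v key="$KEY" '
        /^[ \t]*[#!]/ { next }                       # commented-out entries do not count
        {
            line = $0
            sub(/^[ \t]+/, "", line)                 # leading whitespace is ignored
            if (index(line, key) != 1) next          # literal match, no regex on the dots
            rest = substr(line, length(key) + 1)
            if (rest != "" && rest !~ /^[ \t=:]/) next   # a longer key that shares the prefix
            sub(/^[ \t]*[=:]?[ \t]*/, "", rest)      # drop the separator
            sub(/[ \t\r]+$/, "", rest)               # drop trailing blanks and CR
            val = tolower(rest)                      # assumption: "TRUE" is treated as true
        }
        END { if (val == "true") print "true"; else print "false" }
    ' "$1"
}

# Return 0 when certificate checking is enforced, 1 when bypassed, 2 on error.
audit_gateway() {
    if [ ! -r "$1" ]; then
        echo "ERROR: cannot read $1" >&2
        return 2
    fi
    if [ "$(bypass_value "$1")" = "true" ]; then
        echo "FAIL: $KEY=true in $1 (gateway trusts any host certificate)"
        return 1
    fi
    echo "OK: $KEY is false in $1 (certificate check enforced)"
}

# Constructed sample input (not from a real gateway): the key is set twice,
# and the later, oddly formatted entry is the one that takes effect.
sample=$(mktemp)
printf '%s\n' '# constructed sample' "$KEY=false" 'example.other_key=1' \
    " $KEY : TRUE " > "$sample"
audit_gateway "$sample" || echo "non-zero exit status: fail the compliance check"
rm -f "$sample"
```
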

SSH

A manually generated public-private key pair can be used to perform SSH key authentication, instead of passwords, between the PowerFlex Gateway and PowerFlex system servers.

NOTE: Whenever Apache Tomcat is shut down normally and restarted, or when an application reload is triggered, the standard Manager implementation attempts to serialize all currently active sessions to a disk file located via the pathname attribute (by default SESSIONS.ser). All such saved sessions are then deserialized and activated (assuming they have not expired in the meantime) when the application reload is completed. To remove saved sessions after a PowerFlex Gateway restart, delete the following file: /opt/emc/scaleio/gateway/work/Catalina/localhost/_/SESSIONS.ser
