Dell PowerFlex v3.6.x Security Configuration Guide

SDC authentication

This feature ensures security by applying CHAP (Challenge-Handshake Authentication Protocol) based authentication of the SDC to the MDM for access to the system in general and to mapped volumes in particular. This prevents the SDC from accessing unauthorized volumes. Once enabled, the SDC internally performs mutual CHAP authentication with the SDSs and the SDRs with no manual intervention.

Prerequisites

Enable SDC authentication according to the following rules:
  • v3.5 or later must be installed on the SDC
  • For each SDC, a CHAP authentication password is generated by the MDM
  • All SDCs must be configured with their generated passwords
  • Run the --check_sdc_authentication_status command to check the status of the SDCs and whether they are ready to authenticate

About this task

NOTE: Using CHAP authentication with SDC also means that an SDC can only perform I/O operations on volumes explicitly mapped to it. The SDS will block SDC I/O operations on unmapped volumes.
NOTE: CHAP authentication is also used internally for I/O authentication to the SDS and SDR; however, it is always enabled and is not controlled by the user.
This procedure describes how to enable SDC authentication.

Steps

  1. Get the shared generated password for SDC from the MDM using the command:
    scli --generate_sdc_password --(sdc_id <ID> | sdc_name <NAME> | sdc_guid <GUID> | sdc_ip <IP>) [--reason <REASON>]

    The reason parameter (mandatory) is used to verify that the SDC password is being reset and not changed by accident. The reason is stored in the MDM events log.

    NOTE: SDCs not configured with a password are disconnected after the feature is enabled in step 3.
    Copy the password that was generated in <SDC_PASSWORD_STRING>, used in the next step.
  2. On the SDC, run the following command:
    • Linux:
      /opt/emc/scaleio/sdc/bin/drv_cfg --set_mdm_password --ip <MDM_IP> --password <SDC_PASSWORD_STRING> --file /etc/emc/scaleio/drv_cfg.txt
      NOTE: The file option is required for password persistency, for cases such as service scini restart or SDC reboot. Open the file to verify the <SDC_PASSWORD_STRING> is logged at the end of the MDM line.
    • ESXi:
      1. cat /etc/vmware/esx.conf | grep scini | grep options
        A string is returned representing all of the ESXi configuration parameters currently set. Copy the string with the enclosing quotation marks and paste in a text editor for editing.
      2. At the end of the string, add the following text, within the quotation marks:
        IoctlMdmPasswordStr=<MDM_IP>-<MDM_PASSWORD>
        where:
        • <MDM_IP> is the MDM IP address
        • <MDM_PASSWORD> is the MDM password
        For example:
        "IoctlIniGuidStr=cd069ce3-bf2a-5dea-b50a-1a5ebc8ef3de IoctlMdmIPStr=192.169.217.165,172.17.217.165,192.169.217.166,172.17.217.166,192.169.217.167,172.17.217.167 IoctlMdmPasswordStr=192.169.217.165-AQAAAAAAAADu/10fXW3BS1wPBDgnkR06tdneGoUK7VQ"
      3. Run the following command with the string appended to the end:
        esxcli system module parameters set -m scini -p <STRING>
        For example:
        esxcli system module parameters set -m scini -p "IoctlIniGuidStr=cd069ce3-bf2a-5dea-b50a-1a5ebc8ef3de IoctlMdmIPStr=192.169.217.165,172.17.217.165,192.169.217.166,172.17.217.166,192.169.217.167,172.17.217.167 IoctlMdmPasswordStr=192.169.217.165-AQAAAAAAAADu/10fXW3BS1wPBDgnkR06tdneGoUK7VQ"
  3. To check SDC readiness for all SDCs in the system, before enabling SDC authentication, run the following command:
    NOTE: It is important to complete the previous steps for all SDCs before running the command.
    scli --check_sdc_authentication_status [--run_test] [--file_name <FILENAME>]
    Where:
    • --run_test runs a connectivity test to check whether the SDCs can successfully authenticate using CHAP
    • --file_name <FILENAME> is the full file name and path for the generated report.
    The command sends a report that includes the SDCs authentication password status.
    NOTE: When running this command, the SDCs are disconnected for a very short period from the MDM. This does not interrupt running I/Os or have any impact on MDM/SDC activity. It is recommended to run the command when the system is in a healthy state and not during rebalancing or rebuilding operations.
  4. To enable SDC authentication, run the following command:
    scli --set_sdc_authentication --enable
  5. To disable SDC authentication, run the following command:
    scli --set_sdc_authentication --disable
  6. Reboot the ESXi for the configuration to take effect.
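
Added example (not part of Dell's guide): a shell helper for the ESXi sub-steps of step 2 that builds the complete scini parameter string, keeping every existing parameter and appending IoctlMdmPasswordStr, so the esxcli set command does not drop IoctlIniGuidStr or IoctlMdmIPStr. The function name build_scini_params and the sample values are constructed; the helper assumes a single IoctlMdmPasswordStr token and that <MDM_IP> is one of the addresses listed in IoctlMdmIPStr.

```shell
#!/bin/sh
# Added example, not Dell code. build_scini_params is a hypothetical helper.
# Usage: build_scini_params <current_options> <mdm_ip> <sdc_password>
# Prints the full string for: esxcli system module parameters set -m scini -p "<STRING>"
build_scini_params() (
    set -f                                   # no globbing while splitting tokens
    current=$1 mdm_ip=$2 password=$3
    current=${current#\"}; current=${current%\"}   # accept the string with its quotes

    if [ -z "$mdm_ip" ] || [ -z "$password" ]; then
        echo "MDM IP and password are required" >&2; return 1
    fi
    # Whitespace or a quote would split or terminate the parameter string.
    case "$mdm_ip$password" in
        *[[:space:]]*|*\"*) echo "whitespace or quote in IP/password" >&2; return 1 ;;
    esac

    new="" ips=""
    for tok in $current; do
        case "$tok" in
            IoctlMdmPasswordStr=*) continue ;;   # assumption: one token, replaced
            IoctlMdmIPStr=*) ips=${tok#IoctlMdmIPStr=} ;;
        esac
        new="${new:+$new }$tok"                  # every other parameter is kept
    done

    # Assumption: <MDM_IP> must be one of the addresses in IoctlMdmIPStr.
    case ",$ips," in
        *",$mdm_ip,"*) ;;
        *) echo "MDM IP $mdm_ip not found in IoctlMdmIPStr" >&2; return 1 ;;
    esac
    printf '%s IoctlMdmPasswordStr=%s-%s\n' "$new" "$mdm_ip" "$password"
)

# Constructed sample input (documentation addresses, placeholder password).
sample='"IoctlIniGuidStr=00000000-0000-0000-0000-000000000000 IoctlMdmIPStr=192.0.2.10,192.0.2.11"'
build_scini_params "$sample" 192.0.2.10 CONSTRUCTED_PASSWORD
```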

Results

SDC authentication is enabled or disabled.
