- Notes, cautions, and warnings
- Preface
- Introduction
- Access Control
- Access control settings
- Security for management access
- Authentication
- Authorization
- Component access controls
- Data security settings
- Password policy
- Physical security controls
- Login banner and message of the day
- Logging
- Communication Security
- Communication security settings
- Port usage
- Ports used by Unisphere components on VNX for block
- How VNX for file works on the network
- Network encryption
- Management support for TLS communications on VNX2 systems
- SSL certificates
- Planning considerations for Public Key Infrastructure on VNX for file
- IP packet reflect on VNX for file systems
- Effect of filtering management network
- vSphere Storage API for Storage Awareness (VASA) support
- Special configurations
- Secure Remote Procedure Call
- Other security considerations
- Data Security Settings
- Data at Rest Encryption overview
- Data at Rest Encryption feature activation
- Encryption status
- Backup keystore file
- Data in place upgrade
- Hot spare operations
- Adding a disk drive to a VNX with encryption activated
- Removing a disk drive from a VNX with encryption enabled
- Replacing a chassis and SPs from a VNX with encryption enabled
- Security Maintenance
- Advanced Management Capabilities
- Secure deployment and usage settings
- TLS cipher suites
- LDAP-based directory server configuration
- VNX for file CLI role-based access
- VNX for file CLI security configuration operations
- Configuring password policy
- Configuring session timeout
- Protect session tokens
- Configuring network encryption and authentication using the SSL protocol
- Configuring PKI
- Creating the certificate provided by the persona
- Using the Control Station as the CA
- Obtaining CA certificates
- Generate a key set and certificate request
- Send the certificate request to the CA
- Import a CA-signed certificate
- List the available CA certificates
- Acquire a CA certificate
- Import a CA certificate
- Generate a new Control Station CA certificate
- Display the certificate
- Distribute the Control Station CA certificate
- Request and Install Customer-Supplied Certificates for Control Station
- Managing PKI
- Customize a login banner
- Create a MOTD
- Restrict anonymous root login
- Locking accounts after a specific number of failed logins
- VNX for block SSL certificate import
EMC® VNX® Series Security Configuration Guide for VNX
Data at Rest Encryption feature activation
A user role of administrator, storageadmin, or sanadmin is required to activate the Data at Rest Encryption (D@RE) feature. Before activating this encryption feature, ensure that FAST Cache is destroyed on your system. Attempts to activate the D@RE feature on a system with FAST Cache created will return an error. You can recreate your FAST Cache after you activate the encryption feature.
Enabling of the D@RE feature on the system requires a non-disruptive upgrade (NDU) of the DataAtRestEncryption enabler. A subsequent activate operation must be initiated through Unisphere to activate this feature. As an alternative, you can use the VNX for block CLI command, securedata -feature -activate, to activate this feature. See the VNX Series Command Line Interface Reference for Block for detailed information about the securedata command.
NOTE:Once activated, the encryption operation cannot be reverted. This action will cause data encryption keys to be created and all user data will begin to be encrypted. EMC recommends that you have an up-to-date and verified backup of your array as well as an up-to-date configuration capture, created using either Unisphere or the
arrayconfig VNX for block CLI command, before you execute the activate operation.
To activate the D@RE feature in Unisphere, select System and, from the task list under Wizards, select Data At Rest Encryption Activation Wizard. The activation wizard that appears directs you through the steps to activate encryption and to backup the generated keystore file to an external location. The keystore file that is generated to store the encryption keys resides on a managed LUN in private space on the system.
NOTE:EMC strongly recommends that you backup the generated keystore file to another location which is external to the system where the keystore can be kept safe and secret. In the event that the keystore on the system becomes corrupted, the system will be nonfunctional. The system will enter a degraded state, only the operating system boots. In this state attempts to access the system through Unisphere will return an error indicating that the keystore is in an inaccessible state. In this case the backup keystore file and a service engagement are required for resolution.
NOTE:For VNX systems that do not have D@RE enabled or were received from EMC without D@RE activated, the Storage Processors must be rebooted once the D@RE activation process has successfully started. You must manually reboot each Storage Processor (refer to either
Rebooting Storage Processors through Unisphere or
Rebooting Storage Processors through VNX OE for Block CLI). This action will finalize the installation and activation process.
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\