EMC® VNX® Series Security Configuration Guide for VNX

Management support for FIPS 140-2

Federal Information Processing Standard 140-2 (FIPS 140-2) is a standard that describes US Federal government requirements that IT products should meet for Sensitive, but Unclassified (SBU) use. The standard defines the security requirements that must be satisfied by a cryptographic module used in a security system protecting unclassified information within IT systems. To learn more about FIPS 140-2, refer to the FIPS 140-2 publication.

VNX systems, starting with VNX for block OE 31.5 and VNX for file OE 7.1, support a FIPS 140-2 mode for the SSL modules on the Storage Processor (SP) and Control Station (CS) that handle client management traffic. Management communication into and out of the system is encrypted using SSL. As part of this process, the client and the storage management server negotiate an agreed-upon cipher suite to use in the exchange. FIPS 140-2 mode restricts the set of cipher suites that can be selected in the negotiation to only those that are sufficiently strong. If FIPS 140-2 mode is enabled, existing clients that do not support a cipher suite of acceptable strength can no longer communicate with the management ports of the system.

FIPS 140-2 mode cannot be enabled on a VNX system while non-FIPS-compliant certificates exist in the certificate store for file or block. You must remove all non-FIPS-compliant certificates from the VNX system before you enable FIPS 140-2 mode.
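The following is an added example, not part of the EMC guide: a pre-enable audit that flags management clients whose offered cipher suites all rely on algorithms that are not FIPS-approved, so they can be upgraded before the mode is switched on. The token list, the client names and their suite lists are assumptions constructed for illustration; the exact suites a VNX accepts in FIPS 140-2 mode are not listed on this page.

```python
import re
import ssl

# Assumption: name tokens for algorithms that are not FIPS-approved. The exact
# suite list a VNX accepts in FIPS 140-2 mode is not given on this page.
NON_APPROVED = {"RC4", "MD5", "RC2", "IDEA", "SEED", "CHACHA20", "NULL",
                "EXP", "EXPORT", "ADH", "AECDH", "ANON", "PSK", "SRP"}


def rejection_reason(suite):
    """Return the offending token of a suite name, or None if none is found."""
    tokens = re.split(r"[-_]", suite.upper())
    for token in tokens:
        if token in NON_APPROVED or token.startswith("CAMELLIA"):
            return token
    # Single DES is not approved; DES-CBC3 / 3DES names are Triple-DES.
    if "DES" in tokens and "CBC3" not in tokens:
        return "DES"
    return None


def audit_client(suites):
    """Split a client's offered suites into usable and rejected ones."""
    rejected = {s: rejection_reason(s) for s in suites if rejection_reason(s)}
    usable = [s for s in suites if s not in rejected]
    return {"usable": usable, "rejected": rejected, "at_risk": not usable}


def local_suites():
    """Suite names this Python/OpenSSL build offers as a TLS client."""
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]


# Constructed sample inventory: management client -> suites it offers.
SAMPLE_CLIENTS = {
    "admin-workstation": ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "RC4-SHA"],
    "legacy-console": ["RC4-MD5", "DES-CBC-SHA", "EXP-RC4-MD5"],
    "backup-script-host": ["DES-CBC3-SHA", "RC4-MD5"],
}


def clients_at_risk(inventory):
    """Names of clients with no suite left once weak ones are excluded."""
    return sorted(n for n, s in inventory.items() if audit_client(s)["at_risk"])


if __name__ == "__main__":
    for name, suites in SAMPLE_CLIENTS.items():
        print(name, audit_client(suites))
    print("at risk:", clients_at_risk(SAMPLE_CLIENTS))
    print("this host:", audit_client(local_suites())["rejected"])
```

A client reported as at risk offers no suite that survives the filter and should be updated or reconfigured before FIPS 140-2 mode is enabled.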

Managing FIPS 140-2 mode on a VNX unified system

Only the Administrator or Security Administrator has the privileges to manage the FIPS 140-2 mode. Use either of the following block or file CLI commands to set the FIPS 140-2 mode on a VNX unified system. Using either command affects the entire VNX:

Block CLI:

naviseccli -h <SP_IP_address> security -fipsmode -set 0|1 [-o]

  • 0 will set it to non-FIPS 140-2 mode
  • 1 will set it to FIPS 140-2 mode

File CLI:

nas_fipsmode -enable will set it to FIPS 140-2 mode.

nas_fipsmode -disable will set it to non-FIPS 140-2 mode.

Use either of the following block or file CLI commands to determine the current FIPS 140-2 mode for the entire VNX:

Block CLI:

naviseccli -h <SP_IP_address> security -fipsmode -get

File CLI:

nas_fipsmode -info

When you set the FIPS 140-2 mode on a VNX unified system, the storage management server will restart. For that brief period, management commands to both SPs and the Control Station will be blocked. However, this action should not affect the input/output operations happening on the storage system.

NOTE: On systems with two Control Stations, CS0 will fail over to CS1 when you set the FIPS 140-2 mode.

Managing FIPS 140-2 mode on a VNX for block system

Only the Administrator or Security Administrator has the privileges to manage the FIPS 140-2 mode. Use the following block CLI command to set the FIPS 140-2 mode on a VNX for block system:

naviseccli -h <SP_IP_address> security -fipsmode -set 0|1 [-o]

  • 0 will set it to non-FIPS 140-2 mode
  • 1 will set it to FIPS 140-2 mode

Use the following block CLI command to determine the current FIPS 140-2 mode for the VNX for block system:

naviseccli -h <SP_IP_address> security -fipsmode -get

When you set the FIPS 140-2 mode on a VNX for block system, the storage management server will restart. For that brief period, management commands to both SPs will be blocked. However, this action should not affect the input/output operations happening on the storage system.

Managing FIPS 140-2 mode on a VNX for file or Gateway system

Only the Administrator or Security Administrator has the privileges to manage the FIPS 140-2 mode. Use the following file CLI command to set the FIPS 140-2 mode on a VNX for file or Gateway system.

nas_fipsmode -enable will set it to FIPS 140-2 mode.

nas_fipsmode -disable will set it to non-FIPS 140-2 mode.

Use the following file CLI command to determine the current FIPS 140-2 mode on a VNX for file or Gateway system.

nas_fipsmode -info

When you set the FIPS 140-2 mode on a Gateway system, the NAS service on the Control Station will restart. For that brief period, management commands to the Control Station will be blocked. However, this action should not affect the input/output operations happening on the VNX for file or Gateway system.

NOTE: On systems with two Control Stations, CS0 will fail over to CS1 when you set the FIPS 140-2 mode.
