EMC® VNX® Series Security Configuration Guide for VNX

Management support for TLS communications on VNX2 systems

Management communication into and out of the storage system is encrypted using SSL. As part of this process, the client and the storage system negotiate an SSL protocol to use. By default, the storage system supports the TLS 1.0, TLS 1.1, and TLS 1.2 protocols for communication. The storage system includes an administrative setting to change its TLS mode.

Setting the TLS mode as TLSv1.0 means that the storage system will support communication using the TLS 1.0, TLS 1.1 and TLS 1.2 protocols.

Setting the TLS mode as TLSv1.1 means that the storage system will only support communication using the TLS 1.1 and TLS 1.2 protocols, and TLS 1.0 will not be considered a valid protocol.

Setting the TLS mode as TLSv1.2 means that the storage system will only support communication using the TLS 1.2 protocol, while TLS 1.0 and TLS 1.1 will not be considered valid protocols.

NOTE: Changing the TLS mode to a higher level (from TLSv1.0 to TLSv1.1 or from TLSv1.0 to TLSv1.2) may impact existing client applications that are not compatible with the TLS 1.1 or TLS 1.2 protocols. In this case, TLS 1.0 support should remain enabled and the TLS mode should not be changed to a higher level.

The following functionality will not work in TLSv1.1 and TLSv1.2 mode:
  • Replication from/to VNX2 (versions 05.33.009.5.256/8.1.21.256)
  • Domain management containing a VNX/VNX2 Control Station (version 8.1.21.256 and earlier)
  • Navisphere CLI (version 7.33.x.x.x and earlier) cannot connect to Management Server. Replication Manager, RPA, ViPR SRM, AppSync, and ESA integrated with Navisphere CLI (version 7.33.x.x.x and earlier) also cannot connect to Management Server.

If TLS 1.0 is disabled in the network environment (for example, if a switch blocks TLS 1.0 packets), the following functions will be impacted:

  • Unisphere Service Manager cannot receive software, drive firmware, and language pack upgrade notifications
  • ESRS IP Client
  • ESRS Device Client on Control Station and Storage Processors

Managing TLS mode on the storage system

On a Unified VNX2 or a Gateway VNX2, run the following commands on the Control Station as the root user to manage the TLS mode:

/nas/bin/nas_tls -set TLSv1.0
    Sets TLS protocol 1.0 as the lowest supported version.

/nas/bin/nas_tls -set TLSv1.1
    Sets TLS protocol 1.1 as the lowest supported version.

/nas/bin/nas_tls -set TLSv1.2
    Sets TLS protocol 1.2 as the lowest supported version.

/nas/bin/nas_tls -info
    Lists the current TLS protocol settings.

On a Block-only VNX2, run the following naviseccli commands with the Administrator or Security Administrator role:

naviseccli -h <sp_ip> security -tls -set TLSv1.0
    Sets TLS protocol 1.0 as the lowest supported version.

naviseccli -h <sp_ip> security -tls -set TLSv1.1
    Sets TLS protocol 1.1 as the lowest supported version.

naviseccli -h <sp_ip> security -tls -set TLSv1.2
    Sets TLS protocol 1.2 as the lowest supported version.

naviseccli -h <sp_ip> security -tls -get
    Lists the current TLS protocol settings.

For more information about these commands, refer to the VNX Command Line Interface Reference for File and the VNX Command Line Interface Reference for Block.
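
One way to confirm from a management client that the TLS mode set with the commands above took effect, as an added example that is not part of the EMC guide or its tooling: it attempts a handshake pinned to each TLS version and compares the outcome with what the chosen mode implies. The function names and the default port 443 are assumptions; substitute the management address and port used in your environment.

```python
import socket
import ssl
import warnings

MODE_ACCEPTS = {  # TLS mode -> protocol versions the guide says the system accepts
    "TLSv1.0": {"TLSv1.0", "TLSv1.1", "TLSv1.2"},
    "TLSv1.1": {"TLSv1.1", "TLSv1.2"},
    "TLSv1.2": {"TLSv1.2"},
}
VERSIONS = {  # name -> (ssl version constant, does this Python/OpenSSL build have it)
    "TLSv1.0": (ssl.TLSVersion.TLSv1, ssl.HAS_TLSv1),
    "TLSv1.1": (ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
    "TLSv1.2": (ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
}

def probe(host, port, name, timeout=5.0):
    """True if a handshake pinned to exactly `name` completes, False if the
    server refuses it, None if this client build cannot offer that version."""
    version, available = VERSIONS[name]
    if not available:
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # protocol probe only; no trust decision is made
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():  # TLS 1.0/1.1 constants are deprecated in Python
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL 3 needs this for TLS 1.0/1.1
        ctx.minimum_version = ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:                         # connect errors propagate; handshake errors mean "refused"
            with ctx.wrap_socket(sock):
                return True
        except OSError:              # ssl.SSLError, reset or timeout during the handshake
            return False

def audit(mode, observed):
    """Findings where {version: True/False/None} results contradict `mode`; [] means a match."""
    findings = []
    for name in VERSIONS:
        expected, got = name in MODE_ACCEPTS[mode], observed.get(name)
        if got is None:
            findings.append(f"{name}: not tested by this client")
        elif got != expected:
            verb = "accepted" if got else "refused"
            findings.append(f"{name}: {verb}, which contradicts mode {mode}")
    return findings

def check(host, mode, port=443):  # port 443 is an assumption; use your management port
    return audit(mode, {name: probe(host, port, name) for name in VERSIONS})
```

A "not tested" finding means the local OpenSSL build could not offer that version, so run the check from a client that still supports TLS 1.0 and TLS 1.1 before concluding that they are disabled.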

