- Notes, cautions, and warnings
- Preface
- Introduction
- Access Control
- Access control settings
- Security for management access
- Authentication
- Authorization
- Component access controls
- Data security settings
- Password policy
- Physical security controls
- Login banner and message of the day
- Logging
- Communication Security
- Communication security settings
- Port usage
- Ports used by Unisphere components on VNX for block
- How VNX for file works on the network
- Network encryption
- Management support for TLS communications on VNX2 systems
- SSL certificates
- Planning considerations for Public Key Infrastructure on VNX for file
- IP packet reflect on VNX for file systems
- Effect of filtering management network
- vSphere Storage API for Storage Awareness (VASA) support
- Special configurations
- Secure Remote Procedure Call
- Other security considerations
- Data Security Settings
- Data at Rest Encryption overview
- Data at Rest Encryption feature activation
- Encryption status
- Backup keystore file
- Data in place upgrade
- Hot spare operations
- Adding a disk drive to a VNX with encryption activated
- Removing a disk drive from a VNX with encryption enabled
- Replacing a chassis and SPs from a VNX with encryption enabled
- Security Maintenance
- Advanced Management Capabilities
- Secure deployment and usage settings
- TLS cipher suites
- LDAP-based directory server configuration
- VNX for file CLI role-based access
- VNX for file CLI security configuration operations
- Configuring password policy
- Configuring session timeout
- Protect session tokens
- Configuring network encryption and authentication using the SSL protocol
- Configuring PKI
- Creating the certificate provided by the persona
- Using the Control Station as the CA
- Obtaining CA certificates
- Generate a key set and certificate request
- Send the certificate request to the CA
- Import a CA-signed certificate
- List the available CA certificates
- Acquire a CA certificate
- Import a CA certificate
- Generate a new Control Station CA certificate
- Display the certificate
- Distribute the Control Station CA certificate
- Request and Install Customer-Supplied Certificates for Control Station
- Managing PKI
- Customize a login banner
- Create a MOTD
- Restrict anonymous root login
- Locking accounts after a specific number of failed logins
- VNX for block SSL certificate import
EMC® VNX® Series Security Configuration Guide for VNX
Network encryption
The storage management server provides 256-bit (128-bit is also supported) symmetric encryption of all data passed between it and the client components that communicate with it, as listed in Ports used by Unisphere components on VNX for block (Web browser, Secure CLI), as well as all data passed between storage management servers. The encryption is provided using SSL/TLS and uses the RSA encryption algorithm, which provides the same level of cryptographic strength as is employed in e-commerce. Encryption protects the transferred data from prying eyes-whether on the local LANs behind the corporate firewalls, or if the storage systems are being remotely managed over the Internet.
The storage management server supports SSL/TLS over the industry-standard port 443 to ease integration with firewall rule sets. For those customers who would like to use another port, instead of the industry standard, the storage management server also supports SSL/TLS over port 2163 (VNX for block only). Port selection is performed when the storage-system network settings are configured. EMC recommends that all storage management server installations in the same domain use the same port for SSL/TLS communications.
NOTE: Unisphere is a Java-based applet that runs inside a Web browser. Once the applet is downloaded, the applet (not the browser) communicates using SSL/TLS. The URL for the browser will not change.
VNX for file supports Secure Socket Layer (SSL) for Data Mover Hypertext Transfer Protocol (HTTP) and Lightweight Directory Access Protocol (LDAP) connections.
Instances of the storage management server installed on Windows hosts use the same communication security mechanisms as those that run on the SP; however, since the application is running on a host, additional security measures are taken to protect Unisphere domain configuration and security information. First, ACLs are set so that only administrator-level accounts can access the install directory. Second, the files are encrypted.
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\