EMC® VNX® Series Security Configuration Guide for VNX

Personas

Personas are used to provide an identity for a Data Mover when it is acting as a server or a client. When negotiating a secure connection with a client (such as the external policy and migration software used with FileMover), the persona provides a private key and certificate to the Data Mover (which is acting as a server). This certificate provides the means by which the client can identify and authenticate the server. When negotiating a secure connection with a server that is configured to require client authentication, the persona provides the private key and certificate to the Data Mover (which is acting as a client). The certificate provides the means by which the server can identify and authenticate the client.

By default, each Data Mover is configured with a single persona named default. To create the certificate that the persona provides to the Data Mover, you first generate the persona’s public/private key set. You must then request a signed certificate from a CA. Certificate requests are generated in Privacy Enhanced Mail (PEM) format only.

If you are using the Control Station as the CA, the Control Station automatically receives the certificate request, generates and signs the certificate, and returns the certificate to the Data Mover. The Control Station can sign certificates for all the Data Movers in the cabinet. It cannot be used to sign certificates for any external hosts.

If you are using an external CA, you must send the certificate request manually. The request to sign the public key is generated with the public/private key set. Display the persona’s properties to verify its content. Obtain a copy of the certificate request and then send the request to the CA through that company’s website or email.

When the CA returns a signed certificate, you must import it to the Data Mover. To import the signed certificate, you can either provide a path and import a file, or cut and paste the associated text. A file can be in either Distinguished Encoding Rules (DER) or PEM format. You can cut and paste text only in PEM format.

Each persona can be associated with up to two sets of keys and certificates (current and next), to allow generating new keys and certificates before the expiration of the current certificate. When the next certificate (which is already valid) is imported, it and its associated key set immediately become the current key set and certificate.

Because the next certificate is typically generated when it is needed, you typically do not see a next certificate associated with a persona. However, a next certificate may be waiting if there is a time difference between the Data Mover and the CA (or the Control Station if it is serving as the CA). For example, a CA might prepare a certificate in advance by assigning it a future start date. Merging companies could set up such a certificate to have it in place for the official merge date.

The next certificate becomes the current certificate (and the current key and certificate are deleted) when the certificate becomes valid (per Data Mover time), and one of the following happens:

• The persona is queried (by either the CLI or Unisphere).

• The persona's key and certificate are requested by a Data Mover function (such as SSL).

After a certificate expires, any attempt to use the certificate results in a failure, typically a loss of connection or a failure to reconnect. When a new certificate is available, PKI deletes the old certificate and provides the new certificate when requested. However, if you did not obtain a new certificate before the current certificate expires, the certificate request will fail. PKI will not provide an expired certificate for a persona.

There is no automated way to check for expired public key certificates. You must check for expired certificates manually by listing the personas and examining the expiration dates of the associated certificates. You can then take action based on your organization’s business practices.