EMC® VNX® Series Security Configuration Guide for VNX

SSL certificates

Any time a client connects to a server over a network, it is important that the client can verify the identity of the server. Otherwise, any node on the network can impersonate the server and potentially extract information from the client. This is known as a man-in-the-middle attack.

Unisphere uses public key cryptography to verify the identity of the storage management server. Each VNX SP and Control Station contains a PKI certificate with a corresponding public key that the storage management server presents to a client. The certificates will be self-signed by default, but users have the ability to import certificates that have been signed by a trusted third party. If the client has the root certificate for that trusted third party (web browsers have certificates from common certificate authorities pre-installed) then it can inherently trust the server. This is the same mechanism by which your web browser inherently trusts most secure web sites.

NOTE: VNX systems inherently support SHA-1 certificates. For SHA-2 support, you must import your own SHA-2 certificates.

Certificates should contain 2048-bit RSA keys, but keys as small as 1024 bits are allowed to be imported. For VNX for block, the interface for managing user certificates is found at https://<SP_IP_address>/setup, which requires username and password authentication, or through the naviseccli security -pkcs12upload switch.

NOTE: For more information about the interface for managing user certificates for VNX for block, see VNX for block SSL certificate import. For more information about the naviseccli commands, see the VNX Series Command Line Interface Reference for Block, located on mydocs.emc.com.

Unisphere not only verifies the certificate of the storage system it is connected to, it also verifies certificates for all the VNX systems in the domain. Other client software like Unisphere Service Manager (USM), CLI, and Unisphere Server Utility will perform certificate verification when connecting to the storage system. The management server that is running on the storage system will also verify certificates when connecting to external servers like LDAP and ESX/Virtual Center.

How it works

When a client (such as Unisphere, CLI, or USM) connects to a server (such as the storage management server or LDAP) for the first time, it is presented with a certificate from the server. The user can check the details of the certificate and decide to accept or reject it. If the user rejects the certificate, communication with the server is stopped. If the user accepts the certificate, communication continues and the certificate is stored in a certificate store. The next time the client communicates with that server, the server's certificate is verified against the certificate in the certificate store. The user is prompted only the first time the client communicates with a server; once the certificate is stored, the certificate verification process happens in the background.

The following options are presented to the user when connecting to a server for the first time:

  • Accept for session - Accepts the certificate to manage the system for this session only. The user will be prompted again in future sessions to accept the certificate.
  • Accept Always - By selecting this option, the certificate is stored in the certificate store on the client; for subsequent communications the certificate is verified as a background task. The user will not be prompted again.
  • Reject - If the user does not trust the certificate, the user can opt to reject the certificate and the communication will be stopped.

Unisphere and USM use the Java certificate store for storing certificates. The certificate store can be managed using the Java control panel. Block CLI and Unisphere Server Utility create a certificate store in the user directory of the client. Unisphere, USM, and Unisphere Server Utility enforce certificate verification when connecting to the storage system.

The storage management server also performs certificate verification when communicating with LDAP and the ESX/Virtual Center server. The certificates are stored on the storage system and appear in Trusted Certificates for LDAP and VMware Servers (in Unisphere use Settings > Security > Server Certificates for Block).
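The accept-for-session / accept-always / reject flow described above is a trust-on-first-use (TOFU) scheme: the client pins the certificate it was shown at first contact and later compares the server's certificate against that pinned copy in the background. The following Python is an added illustration of that flow, not Unisphere's, USM's or the Block CLI's own code. It assumes a store keyed by server name holding SHA-256 fingerprints of the DER-encoded certificate (the real clients store the certificate itself), a prompt callback standing in for the user dialog, constructed byte strings standing in for certificates, and that a certificate which differs from the stored one is treated as a hard failure rather than a new prompt (the page does not describe that case).

```python
# Added example: a trust-on-first-use (TOFU) certificate store modelled on the
# "Accept for session" / "Accept Always" / "Reject" options described above.
# Illustrative code, not the Unisphere, USM or Block CLI implementation; the
# fingerprint store, prompt callback and sample bytes are assumptions.
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional

# Decisions the prompt callback may return for an unknown server certificate.
ACCEPT_SESSION = "accept-for-session"
ACCEPT_ALWAYS = "accept-always"
REJECT = "reject"


class CertificateRejected(Exception):
    """The user rejected the presented certificate; communication stops."""


class CertificateMismatch(Exception):
    """A certificate is stored for this server but the presented one differs."""


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the DER-encoded certificate, as hex."""
    return hashlib.sha256(cert_der).hexdigest()


class TofuStore:
    """Accepted certificate fingerprints keyed by server name.

    'persistent' holds "Accept Always" entries and would be saved to the user's
    directory (as the Block CLI store is); 'session' is discarded on exit.
    """

    def __init__(self, persisted_json: Optional[str] = None) -> None:
        self.persistent: Dict[str, str] = json.loads(persisted_json) if persisted_json else {}
        self.session: Dict[str, str] = {}

    def export_json(self) -> str:
        """Serialise only the persistent entries for saving to disk."""
        return json.dumps(self.persistent, sort_keys=True)

    def verify(self, server: str, cert_der: bytes,
               prompt: Callable[[str, str], str]) -> str:
        """Verify the certificate a server presented.

        Returns 'verified', 'accepted-always' or 'accepted-session', or raises
        CertificateRejected / CertificateMismatch.
        """
        fp = fingerprint(cert_der)
        known = self.persistent.get(server) or self.session.get(server)
        if known is not None:
            # Background verification against the stored fingerprint.
            if hmac.compare_digest(known, fp):
                return "verified"
            # Assumption: a changed certificate is a hard failure, because
            # silently re-trusting it would defeat the check entirely.
            raise CertificateMismatch(f"{server}: stored {known[:16]}..., got {fp[:16]}...")
        # First contact: prompt the user, showing the fingerprint being trusted.
        decision = prompt(server, fp)
        if decision == ACCEPT_ALWAYS:
            self.persistent[server] = fp
            return "accepted-always"
        if decision == ACCEPT_SESSION:
            self.session[server] = fp
            return "accepted-session"
        raise CertificateRejected(server)


# Constructed sample data standing in for real DER-encoded certificates.
SP_A_CERT = b"constructed DER bytes for SP A"
SP_A_CHANGED = b"constructed DER bytes for SP A after a certificate change"


def demo() -> Dict[str, str]:
    """Walk through the three decisions and a later session; returns the outcomes."""
    results: Dict[str, str] = {}
    store = TofuStore()
    results["always"] = store.verify("sp-a.local", SP_A_CERT, lambda s, f: ACCEPT_ALWAYS)
    # Already stored: the prompt is not consulted, so REJECT here is never seen.
    results["repeat"] = store.verify("sp-a.local", SP_A_CERT, lambda s, f: REJECT)
    results["session"] = store.verify("sp-b.local", SP_A_CERT, lambda s, f: ACCEPT_SESSION)
    try:
        store.verify("sp-a.local", SP_A_CHANGED, lambda s, f: ACCEPT_ALWAYS)
    except CertificateMismatch:
        results["mismatch"] = "blocked"
    # A new session reloads only the "Accept Always" entries.
    later = TofuStore(store.export_json())
    results["next-session-a"] = later.verify("sp-a.local", SP_A_CERT, lambda s, f: REJECT)
    try:
        later.verify("sp-b.local", SP_A_CERT, lambda s, f: REJECT)
    except CertificateRejected:
        results["next-session-b"] = "prompted-and-rejected"
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The demo shows the property that matters for the "Accept for session" choice: the pin for sp-b.local does not survive into the reloaded store, so the user is prompted again, while the "Accept Always" pin for sp-a.local is verified silently. The mismatch branch is where a later impersonation attempt would surface; what a real client does at that point is a product decision, and the choice made here (fail closed) is the conservative one.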
