- Notes, cautions, and warnings
- Preface
- Introduction
- Access Control
- Access control settings
- Security for management access
- Authentication
- Authorization
- Component access controls
- Data security settings
- Password policy
- Physical security controls
- Login banner and message of the day
- Logging
- Communication Security
- Communication security settings
- Port usage
- Ports used by Unisphere components on VNX for block
- How VNX for file works on the network
- Network encryption
- Management support for TLS communications on VNX2 systems
- SSL certificates
- Planning considerations for Public Key Infrastructure on VNX for file
- IP packet reflect on VNX for file systems
- Effect of filtering management network
- vSphere Storage API for Storage Awareness (VASA) support
- Special configurations
- Secure Remote Procedure Call
- Other security considerations
- Data Security Settings
- Data at Rest Encryption overview
- Data at Rest Encryption feature activation
- Encryption status
- Backup keystore file
- Data in place upgrade
- Hot spare operations
- Adding a disk drive to a VNX with encryption activated
- Removing a disk drive from a VNX with encryption enabled
- Replacing a chassis and SPs from a VNX with encryption enabled
- Security Maintenance
- Advanced Management Capabilities
- Secure deployment and usage settings
- TLS cipher suites
- LDAP-based directory server configuration
- VNX for file CLI role-based access
- VNX for file CLI security configuration operations
- Configuring password policy
- Configuring session timeout
- Protect session tokens
- Configuring network encryption and authentication using the SSL protocol
- Configuring PKI
- Creating the certificate provided by the persona
- Using the Control Station as the CA
- Obtaining CA certificates
- Generate a key set and certificate request
- Send the certificate request to the CA
- Import a CA-signed certificate
- List the available CA certificates
- Acquire a CA certificate
- Import a CA certificate
- Generate a new Control Station CA certificate
- Display the certificate
- Distribute the Control Station CA certificate
- Request and Install Customer-Supplied Certificates for Control Station
- Managing PKI
- Customize a login banner
- Create a MOTD
- Restrict anonymous root login
- Locking accounts after a specific number of failed logins
- VNX for block SSL certificate import
EMC® VNX® Series Security Configuration Guide for VNX
Supported TLS cipher suites
A cipher suite defines a set of technologies to secure your TLS communications:
- Key exchange algorithm (how the secret key used to encrypt the data is communicated from the client to the server). Examples: RSA key or Diffie-Hellman (DH)
- Authentication method (how hosts can authenticate the identity of remote hosts). Examples: RSA certificate, DSS certificate, or no authentication
- Encryption cipher (how to encrypt data). Examples: AES (256 or 128 bits) or 3DES (168 bits)
- Hash algorithm (ensuring data by providing a way to determine if data has been modified). Examples: SHA-2 or SHA-1
The supported cipher suites combine all these items. Default/Supported TLS cipher suites on VNX2 Control Station lists the cipher suites supported by VNX2 for the Control Station. Default/Supported TLS cipher suites on VNX2 Storage Processor lists the cipher suites supported by VNX2 for the Storage Processor. Default/Supported TLS cipher suites on VNX2 Data Mover lists the default/supported cipher suites used by VNX2 for the Data Mover. Default/Supported TLS cipher suites on VNX2 related to Replication lists the cipher suites supported by VNX2 for Replication. Default/Supported TLS cipher suites on VNX1 Control Station lists the cipher suites supported by VNX1 for the Control Station. Default/Supported TLS cipher suites on VNX1 Storage Processor lists the cipher suites supported by VNX1 for the Storage Processor. Default/Supported TLS cipher suites on VNX1 Data Mover lists the default/supported cipher suites used by VNX1 for the Data Mover. Default/Supported TLS cipher suites on VNX1 related to Replication lists the cipher suites supported by VNX1 for Replication.
The following lists give the OpenSSL names of the TLS cipher suites for the different VNX components and their associated ports.
NOTE:The cipher suites are listed alphabetically for readability only. The order does not represent the strength level.
The following restriction applies:
- Some cipher suites will not be accepted by VNX for file because of certificate size (if the certificate presented by the Data Mover has a 2048-bit key, ciphers with a smaller key will be rejected).
| Cipher Suites | Protocols | Ports |
|---|---|---|
| AES128-SHA | TLSv1, TLSv1.1, TLSv1.2 | 443 |
| AES256-SHA | TLSv1, TLSv1.1, TLSv1.2 | 443 |
| CAMELLIA128-SHA | TLSv1, TLSv1.1, TLSv1.2 | 443 |
| CAMELLIA256-SHA | TLSv1, TLSv1.1, TLSv1.2 | 443 |
| DES-CBC3-SHA | TLSv1, TLSv1.1, TLSv1.2 | 443 |
| AES128-SHA | TLSv1, TLSv1.1, TLSv1.2 | 5989 |
| AES256-SHA | TLSv1, TLSv1.1, TLSv1.2 | 5989 |
| DES-CBC3-SHA | TLSv1, TLSv1.1, TLSv1.2 | 5989 |
| Cipher Suites | Protocols | Ports |
|---|---|---|
| AES128-SHA | TLSv1, TLSv1.1, TLSv1.2 | 443 |
| AES256-SHA | TLSv1, TLSv1.1, TLSv1.2 | 443 |
| DES-CBC3-SHA | TLSv1, TLSv1.1, TLSv1.2 | 443 |
| Cipher Suites | Protocols | Ports |
|---|---|---|
| AECDH-AES128-SHA | TLSv1, TLSv1.1, TLSv1.2 | 989, 990, 5080 |
| AECDH-AES256-SHA | TLSv1, TLSv1.1, TLSv1.2 | 989, 990, 5080 |
| AECDH-DES-CBC3-SHA | TLSv1, TLSv1.1, TLSv1.2 | 989, 990, 5080 |
| AES128-SHA | TLSv1, TLSv1.1, TLSv1.2 | 989, 990, 5080 |
| AES256-SHA | TLSv1, TLSv1.1, TLSv1.2 | 989, 990, 5080 |
| CAMELLIA128-SHA | TLSv1, TLSv1.1, TLSv1.2 | 989, 990, 5080 |
| CAMELLIA256-SHA | TLSv1, TLSv1.1, TLSv1.2 | 989, 990, 5080 |
| DES-CBC3-SHA | TLSv1, TLSv1.1, TLSv1.2 | 989, 990, 5080 |
| DHE-RSA-AES128-SHA | TLSv1, TLSv1.1, TLSv1.2 | 989, 990, 5080 |
| DHE-RSA-AES128-SHA256 (CBC) | TLSv1.2 | 989, 990, 5080 |
| DHE-RSA-AES128-SHA256 (GCM) | TLSv1.2 | 989, 990, 5080 |
| DHE-RSA-AES256-SHA | TLSv1, TLSv1.1, TLSv1.2 | 989, 990, 5080 |
| DHE-RSA-AES256-SHA256 | TLSv1.2 | 989, 990, 5080 |
| DHE-RSA-AES256-SHA384 | TLSv1.2 | 989, 990, 5080 |
| DHE-RSA-CAMELLIA128-SHA | TLSv1, TLSv1.1, TLSv1.2 | 989, 990, 5080 |
| DHE-RSA-CAMELLIA256-SHA | TLSv1, TLSv1.1, TLSv1.2 | 989, 990, 5080 |
| ECDHE-RSA-AES128-SHA | TLSv1, TLSv1.1, TLSv1.2 | 989, 990, 5080 |
| ECDHE-RSA-AES128-SHA256 (CBC) | TLSv1.2 | 989, 990, 5080 |
| ECDHE-RSA-AES128-SHA256 (GCM) | TLSv1.2 | 989, 990, 5080 |
| ECDHE-RSA-AES256-SHA | TLSv1, TLSv1.1, TLSv1.2 | 989, 990, 5080 |
| ECDHE-RSA-AES256-SHA384 (CBC) | TLSv1.2 | 989, 990, 5080 |
| ECDHE-RSA-AES256-SHA384 (GCM) | TLSv1.2 | 989, 990, 5080 |
| ECDHE-RSA-DES-CBC3-SHA | TLSv1, TLSv1.1, TLSv1.2 | 989, 990, 5080 |
| EDH-RSA-DES-CBC3-SHA | TLSv1, TLSv1.1, TLSv1.2 | 989, 990, 5080 |
| RSA-AES128-SHA256 (CBC) | TLSv1.2 | 989, 990, 5080 |
| RSA-AES128-SHA256 (GCM) | TLSv1.2 | 989, 990, 5080 |
| RSA-AES256-SHA256 | TLSv1.2 | 989, 990, 5080 |
| RSA-AES256-SHA384 | TLSv1.2 | 989, 990, 5080 |
NOTE:Instances where cipher suites do not indicate the Key Exchange or Authentication entry use RSA.
If required, the Data Mover cipher parameter can be changed from the default setting either through Unisphere or through VNX CLI for File commands, server_ftp and server_http. For more information about setting the Data Mover cipher parameter, refer to the Unisphere online help or the VNX Command Line Interface Reference for File.
| Cipher Suites | Protocols | Ports |
|---|---|---|
| ADH-AES128-SHA | TLSV1, TLSV1.1, TLSv1.2 | 5085 |
| ADH-AES128-SHA256 | TLSv1.2 | 5085 |
| ADH-AES128-GCM-SHA256 | TLSv1.2 | 5085 |
| ADH-AES256-SHA | TLSV1, TLSV1.1, TLSv1.2 | 5085 |
| ADH-AES256-SHA256 | TLSv1.2 | 5085 |
| ADH-AES256-GCM-SHA384 | TLSv1.2 | 5085 |
| ADH-CAMELIA128-SHA | TLSV1, TLSV1.1, TLSv1.2 | 5085 |
| ADH-CAMELIA256-SHA | TLSV1, TLSV1.1, TLSv1.2 | 5085 |
| ADH-DES-CBC3-SHA | TLSV1, TLSV1.1, TLSv1.2 | 5085 |
| Cipher Suites | Protocols | Ports |
|---|---|---|
| AES128-SHA | TLSv1 | 443 |
| AES256-SHA | TLSv1 | 443 |
| DES-CBC3-SHA | TLSv1 | 443 |
| DHE-RSA-AES128-SHA | TLSv1 | 443 |
| DHE-RSA-AES256-SHA | TLSv1 | 443 |
| EDH-RSA-DES-CBC3-SHA | TLSv1 | 443 |
| AES128-SHA | TLSv1, TLSv1.1 | 5989 |
| AES256-SHA | TLSv1, TLSv1.1 | 5989 |
| DES-CBC3-SHA | TLSv1, TLSv1.1 | 5989 |
| Cipher Suites | Protocols | Ports |
|---|---|---|
| AES128-SHA | TLSv1, TLSv1.1 | 443 |
| AES256-SHA | TLSv1, TLSv1.1 | 443 |
| DES-CBC3-SHA | TLSv1, TLSv1.1 | 443 |
| Cipher Suites | Protocols | Ports |
|---|---|---|
| AES128-SHA | TLSv1 | 990, 5080 |
| AES256-SHA | TLSv1 | 990, 5080 |
| CAMELLIA128-SHA | TLSv1 | 990, 5080 |
| CAMELLIA256-SHA | TLSv1 | 990, 5080 |
| DES-CBC-SHA | TLSv1 | 990, 5080 |
| DES-CBC3-SHA | TLSv1 | 990, 5080 |
| DHE-RSA-AES128-SHA | TLSv1 | 990, 5080 |
| DHE-RSA-AES256-SHA | TLSv1 | 990, 5080 |
| DHE-RSA-CAMELLIA128-SHA | TLSv1 | 990, 5080 |
| DHE-RSA-CAMELLIA256-SHA | TLSv1 | 990, 5080 |
| EDH-RSA-DES-CBC-SHA | TLSv1 | 990, 5080 |
| EDH-RSA-DES-CBC3-SHA | TLSv1 | 990, 5080 |
| Cipher Suites | Protocols | Ports |
|---|---|---|
| ADH-AES128-SHA | TLSv1 | 5085 |
| ADH-AES256-SHA | TLSv1 | 5085 |
| ADH-CAMELLIA128-SHA | TLSv1 | 5085 |
| ADH-CAMELLIA256SHA | TLSv1 | 5085 |
| ADH-DES-CBC3-SHA | TLSv1 | 5085 |
| ADH-DES-CBC-SHA | TLSv1 | 5085 |
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\