EMC® VNX® Series Security Configuration Guide for VNX

Terminology

The VNX Glossary provides a complete list of VNX terminology.

access control entry (ACE): In a Microsoft Windows environment, an element of an access control list (ACL). This element defines access rights to an object for a user or group.

access control list (ACL): A list of access control entries (ACEs) that provide information about the users and groups allowed access to an object.

access policy: The policy that defines what access control methods (NFS permissions and/or Windows ACLs) are enforced when a user accesses a file on a VNX for file system in an environment configured to provide multiprotocol access to some file systems. The access policy is set with the server_mount command and also determines what actions a user can perform against a file or directory.

authentication: The process for verifying the identity of a user trying to access a resource or object, such as a file or a directory.

Certificate Authority (CA): A trusted third party that digitally signs public key certificates.

Certificate Authority Certificate: A digitally signed association between an identity (a Certificate Authority) and a public key to be used by the host to verify digital signatures on Public Key Certificates.

command line interface (CLI): An interface for entering commands through the Control Station to perform tasks that include the management and configuration of the database and Data Movers and the monitoring of statistics for the VNX for file cabinet components.

Common Internet File System (CIFS): A file-sharing protocol based on the Microsoft Server Message Block (SMB). It allows users to share file systems over the Internet and intranets.

Control Station: A hardware and software component of the VNX for file system that manages the system and provides an administrative user interface to VNX for file components.

Data Mover: A VNX for file cabinet component running its own operating system that retrieves files from a storage device and makes them available to a network client.

directory server: A server that stores and organizes information about a computer network's users and network resources, and that allows network administrators to manage users' access to the resources. X.500 is the best-known open directory service. Proprietary directory services include Microsoft’s Active Directory.

Hypertext Transfer Protocol (HTTP): The communications protocol used to connect to servers on the World Wide Web.

Hypertext Transfer Protocol Secure (HTTPS): HTTP over SSL. All network traffic between the client and server system is encrypted. In addition, there is the option to verify server and client identities. Typically server identities are verified and client identities are not.

Kerberos: An authentication, data integrity, and data privacy encryption mechanism used to encode authentication information. Kerberos coexists with NTLM (Netlogon services) and, using secret-key cryptography, provides authentication for client/server applications.

LDAP-based directory: A directory server that provides access by LDAP. Examples of LDAP-based directory servers include OpenLDAP or Oracle Directory Server Enterprise Edition.

Lightweight Directory Access Protocol (LDAP): An industry-standard information access protocol that runs directly over TCP/IP. It is the primary access protocol for Active Directory and LDAP-based directory servers. LDAP Version 3 is defined by a set of Proposed Standard documents in Internet Engineering Task Force (IETF) RFC 2251.

Logical Unit Number (LUN): The identifying number of a SCSI or iSCSI object that processes SCSI commands. The LUN is the last part of the SCSI address for a SCSI object. The LUN is an ID for the logical unit, but the term is often used to refer to the logical unit itself.

Network File System (NFS): A distributed file system providing transparent access to remote file systems. NFS allows all network systems to share a single copy of a directory.

OpenLDAP: The open source implementation of an LDAP-based directory service.

persona: A means of providing an identity for a Data Mover as either a server or a client through a private key and associated public key certificate. Each persona can maintain up to two sets of keys (current and next), to allow for the generation of new keys and certificates prior to the expiration of the current certificate.

public key certificate: An electronic ID issued by a certificate authority. It contains the identity (a hostname) of the user or other entity such as a service, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and a digital signature from the certificate-issuing authority so that a recipient can verify that the certificate is valid. For more information, refer to the X.509 standard.

Public Key Infrastructure (PKI): A means of managing private keys and associated public key certificates for use in Public Key Cryptography.

Simple Network Management Protocol (SNMP): A method used to communicate management information between the network management stations and the agents in the network elements.

Secure Socket Layer (SSL): A security protocol that provides encryption and authentication. It encrypts data and provides message and server authentication. It also supports client authentication if required by the server.

Storage Processor (SP): A hardware and software component of the VNX for block system that runs its own operating system, manages the system, and provides an administrative user interface to VNX for block components.

Transport Layer Security (TLS): The successor protocol to SSL for general communication authentication and encryption over TCP/IP networks. TLS version 1 is nearly identical with SSL version 3.

X.509: A widely used standard for defining digital certificates.

XML API: An interface for remotely managing and monitoring a VNX for file. The interface uses XML-formatted messages and is programming-language neutral.

