- Notes, cautions, and warnings
- Preface
- Introduction
- Access Control
- Access control settings
- Security for management access
- Authentication
- Authorization
- Component access controls
- Data security settings
- Password policy
- Physical security controls
- Login banner and message of the day
- Logging
- Communication Security
- Communication security settings
- Port usage
- Ports used by Unisphere components on VNX for block
- How VNX for file works on the network
- Network encryption
- Management support for TLS communications on VNX2 systems
- SSL certificates
- Planning considerations for Public Key Infrastructure on VNX for file
- IP packet reflect on VNX for file systems
- Effect of filtering management network
- vSphere Storage API for Storage Awareness (VASA) support
- Special configurations
- Secure Remote Procedure Call
- Other security considerations
- Data Security Settings
- Data at Rest Encryption overview
- Data at Rest Encryption feature activation
- Encryption status
- Backup keystore file
- Data in place upgrade
- Hot spare operations
- Adding a disk drive to a VNX with encryption activated
- Removing a disk drive from a VNX with encryption enabled
- Replacing a chassis and SPs from a VNX with encryption enabled
- Security Maintenance
- Advanced Management Capabilities
- Secure deployment and usage settings
- TLS cipher suites
- LDAP-based directory server configuration
- VNX for file CLI role-based access
- VNX for file CLI security configuration operations
- Configuring password policy
- Configuring session timeout
- Protect session tokens
- Configuring network encryption and authentication using the SSL protocol
- Configuring PKI
- Creating the certificate provided by the persona
- Using the Control Station as the CA
- Obtaining CA certificates
- Generate a key set and certificate request
- Send the certificate request to the CA
- Import a CA-signed certificate
- List the available CA certificates
- Acquire a CA certificate
- Import a CA certificate
- Generate a new Control Station CA certificate
- Display the certificate
- Distribute the Control Station CA certificate
- Request and Install Customer-Supplied Certificates for Control Station
- Managing PKI
- Customize a login banner
- Create a MOTD
- Restrict anonymous root login
- Locking accounts after a specific number of failed logins
- VNX for block SSL certificate import
EMC® VNX® Series Security Configuration Guide for VNX
Using the Control Station as the CA
The system software automatically generates a key set and certificate for the Control Station when the system is installed or upgraded. The Control Station uses this key set and certificate to sign certificate requests from Data Movers. However, before the Control Station can successfully operate as a CA and be recognized by a Data Mover as such, you must complete several configuration tasks:
- Distribute the Control Station CA certificate to network clients. In order for a network client to validate a certificate sent by a Data Mover that has been signed by the Control Station, the client needs the public key from the CA certificate to verify the Data Mover certificate’s signature.
- Import the CA certificate (with the CA certificates from external CAs).
A copy of the Control Station certificate can be obtained only by using the CLI. If the Control Station key set and certificate are compromised, you can regenerate them. This task can be accomplished only through a CLI command. After regenerating the Control Station key set and certificate, you have to regenerate a new key set and certificate request, and then import the signed certificate for any personas whose certificates are signed by the Control Station.
NOTE:The Control Station continues to generate a
separate key set for the SSL-based connection between the Apache web server (on
behalf of Unisphere) and a user’s web browser. However, the Control Station now
uses the CA key set to sign the Apache web server’s certificate, meaning the
certificate is no longer self-signed.
Installing Management Applications on VNX for
File describes how to manage certificates for Unisphere.
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\