- Notes, cautions, and warnings
- Preface
- Introduction
- Access Control
- Access control settings
- Security for management access
- Authentication
- Authorization
- Component access controls
- Data security settings
- Password policy
- Physical security controls
- Login banner and message of the day
- Logging
- Communication Security
- Communication security settings
- Port usage
- Ports used by Unisphere components on VNX for block
- How VNX for file works on the network
- Network encryption
- Management support for TLS communications on VNX2 systems
- SSL certificates
- Planning considerations for Public Key Infrastructure on VNX for file
- IP packet reflect on VNX for file systems
- Effect of filtering management network
- vSphere Storage API for Storage Awareness (VASA) support
- Special configurations
- Secure Remote Procedure Call
- Other security considerations
- Data Security Settings
- Data at Rest Encryption overview
- Data at Rest Encryption feature activation
- Encryption status
- Backup keystore file
- Data in place upgrade
- Hot spare operations
- Adding a disk drive to a VNX with encryption activated
- Removing a disk drive from a VNX with encryption enabled
- Replacing a chassis and SPs from a VNX with encryption enabled
- Security Maintenance
- Advanced Management Capabilities
- Secure deployment and usage settings
- TLS cipher suites
- LDAP-based directory server configuration
- VNX for file CLI role-based access
- VNX for file CLI security configuration operations
- Configuring password policy
- Configuring session timeout
- Protect session tokens
- Configuring network encryption and authentication using the SSL protocol
- Configuring PKI
- Creating the certificate provided by the persona
- Using the Control Station as the CA
- Obtaining CA certificates
- Generate a key set and certificate request
- Send the certificate request to the CA
- Import a CA-signed certificate
- List the available CA certificates
- Acquire a CA certificate
- Import a CA certificate
- Generate a new Control Station CA certificate
- Display the certificate
- Distribute the Control Station CA certificate
- Request and Install Customer-Supplied Certificates for Control Station
- Managing PKI
- Customize a login banner
- Create a MOTD
- Restrict anonymous root login
- Locking accounts after a specific number of failed logins
- VNX for block SSL certificate import
EMC® VNX® Series Security Configuration Guide for VNX
vSphere Storage API for Storage Awareness (VASA) support
VASA is a VMware-defined, vendor-neutral API for storage awareness. It is a proprietary SOAP-based web interface and is consumed by VMware clients rather than Unisphere clients. VASA is a reporting interface only and is used to request basic information about the VNX and the storage devices it exposes to the virtual environment in order to facilitate day-to-day provisioning, monitoring, and troubleshooting through vSphere.
For Unisphere, the VASA Provider (VP) component is embedded on the VNX, on both the Control Station (for VNX for file/unified) and the Storage Processors (for VNX for block). You as the vSphere user must configure these VP instances as the provider of VASA information for each storage system.
NOTE: When you set up a connection to the VNX for
block VP, you should target only one SP. Either SP A or SP B will return the
same information to VASA. In the event that an SP goes down, the client will
lose its connection to the VP (that is, no automatic failover will occur). The
client can either wait for the failed SP to come back up, or it can try
establishing a new connection to the peer SP. You are not prevented from
targeting both SPs, but the information that is returned would be redundant and
could result in duplicate events and alarms depending on VMware's client
implementation.
In order to initiate a connection from vCenter to the Unisphere VP, you must use the vSphere client to enter three key pieces of information:
- the URL of the VP
- the username of a Unisphere user with the administrator, securityadmin or vmadmin role (local, global, or LDAP scope)
- the password associated with this user
The Unisphere credentials used here are only used during this initial step of the connection. If the Unisphere credentials are valid for the target VNX, the vCenter Server's certificate is automatically registered with the VNX. It is this certificate that is used to authenticate all subsequent requests from vCenter. No manual steps are required to install or upload this certificate to the VP.
vCenter Session, Secure Connection and Credentials
A vCenter session begins when a vSphere administrator uses the vSphere Client to supply the vCenter Server with the VASA VP URL and login credentials. The vCenter Server uses the URL, credentials, and the VASA VP's SSL certificate to establish a secure connection with the VP. A vCenter session ends when an administrator uses the vSphere Client to remove the VP from the vCenter configuration and the vCenter Server terminates the connection.
A vCenter session is based on secure HTTPS communication between a vCenter Server and a VP. The VASA architecture uses SSL certificates and VASA session identifiers to support secure connections. Both the vCenter Server and the VP adds the other's certificate to its own trust store.
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\