EMC Unity Family, EMC UnityVSA, EMC Unity All Flash, EMC Unity Hybrid Security Configuration Manual

EMC Unity™ Family
EMC Unity™ All Flash, EMC Unity™ Hybrid, EMC UnityVSA
Version 4.0
P/N 302-002-564 REV 03
Copyright © 2016 EMC Corporation All rights reserved.
Published December 2016
Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS-IS." DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.
Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners. Published in the USA.
EMC Corporation Hopkinton, Massachusetts 01748-9103 1-508-435-1000 In North America 1-866-464-7381 www.EMC.com
2 EMC Unity All Flash, EMC Unity Hybrid, EMC UnityVSA 4.0 Security Configuration Guide
CONTENTS

Preface 5

Chapter 1  Introduction 7
    Overview 8
    Related features and functionality information 8

Chapter 2  Access Control 9
    Alert settings 10
    Storage system factory default management and service accounts 11
    Storage system account management 11
    Unisphere 12
    Unisphere command line interface (CLI) 14
    Storage system service SSH interface 15
    Storage system SP Ethernet service port and IPMItool 16
    SMI-S provider 17
    vSphere Storage API for Storage Awareness support 17
    Single sign-on with Unisphere Central 19
        Single sign-on process flows 20
        Logging in to a local storage system 21
        Single sign-on and NAT support 22
    Security on file system objects 22
    File systems access in a multiprotocol environment 22
        User mapping 22
        Access policies for NFS, SMB, and FTP 23
        Credentials for file level security 24
    NFS secure 26
    Dynamic Access Control 27

Chapter 3  Logging 29
    Logging 30
    Remote logging options 31

Chapter 4  Communication Security 33
    Port usage 34
        Storage system network ports 34
        Ports the storage system may contact 39
    Storage system certificate 41
    Storage system interfaces, services, and features that support Internet Protocol version 6 42
    Storage system management interface access using IPv6 43
    Configuring the management interface using DHCP 44
        Running the Connection Utility 45
    Protocol (SMB) encryption and signing 46
    IP packet reflect 48
    IP multi-tenancy 48
        About VLANs 49
    Management support for FIPS 140-2 49

Chapter 5  Data Security Settings 51
    About Data at Rest Encryption (physical deployments only) 52
        Encryption status 52
        Backup keystore file 53
        Data at Rest Encryption audit logging 54
        Hot spare operations 54
        Adding a disk drive to a storage system with encryption activated 55
        Removing a disk drive from a storage system with encryption enabled 55
        Replacing a chassis and SPs from a storage system with encryption enabled 55
    Data security settings 56

Chapter 6  Security Maintenance 57
    Secure maintenance 58
        License update 58
        Software upgrade 58
    EMC Secure Remote Services for your storage system 59

Chapter 7  Security Alert Settings 61
    Alert settings 62
    Configuring alert settings 63
        Configure alert settings for email notifications 63
        Configure alert settings for SNMP traps 63

Chapter 8  Other Security Settings 65
    Physical security controls (physical deployments only) 66
    Antivirus protection 66

Appendix A  TLS cipher suites 67
    Supported TLS cipher suites 68
4 EMC Unity All Flash, EMC Unity Hybrid, EMC UnityVSA 4.0 Security Configuration Guide
Additional resources
As part of an effort to improve its product lines, EMC periodically releases revisions of its software and hardware. Therefore, some functions described in this document might not be supported by all versions of the software or hardware currently in use. The product release notes provide the most up-to-date information on product features. Contact your EMC technical support professional if a product does not function properly or does not function as described in this document.
Where to get help
Support, product, and licensing information can be obtained as follows:
Product information
For product and feature documentation or release notes, go to Unity Technical Documentation at: www.emc.com/en-us/documentation/unity-family.htm. You can also access this page from the Unity product family page at: www.emc.com/en-us/storage/unity.htm. In the Why EMC Unity Storage section, click Unity Product Resources > Technical Documentation.
Troubleshooting
For information about EMC products, software updates, licensing, and service, go to EMC Online Support (registration required) at: https://Support.EMC.com. After logging in, locate the appropriate Support by Product page.
Technical support
For technical support and service requests, go to EMC Online Support at: https://Support.EMC.com. After logging in, locate Create a service request. To open a service request, you must have a valid support agreement. Contact your EMC Sales Representative for details about obtaining a valid support agreement or to answer any questions about your account.
Special notice conventions used in this document
EMC uses the following conventions for special notices:
DANGER
Indicates a hazardous situation which, if not avoided, will result in death or serious injury.
WARNING
Indicates a hazardous situation which, if not avoided, could result in death or serious injury.
CAUTION
Indicates a hazardous situation which, if not avoided, could result in minor or moderate injury.
NOTICE
Addresses practices not related to personal injury.
Note
Presents information that is important, but not hazard-related.
CHAPTER 1
Introduction
This chapter briefly describes a variety of security features implemented on the storage system.
Topics include:
- Overview 8
- Related features and functionality information 8
Overview
The storage system uses a variety of security features to control user and network access, monitor system access and use, and support the transmission of storage data. This document describes available security features.
This document is intended for administrators responsible for storage system configuration and operation.
The guide approaches security settings within the categories shown in Table 1 on page 8:
Table 1 Security settings categories

Security category       | Description
------------------------|----------------------------------------------------------------
Access control          | Limiting access by end-user or by other entities to protect hardware, software, or specific product features.
Logs                    | Managing the logging of events.
Communication security  | Securing product network communications.
Data security           | Providing protection for product data.
Serviceability          | Maintaining control of product service operations performed by the manufacturer or its service partners.
Alert system            | Managing the alerts and notifications generated for security-related events.
Other security settings | Security settings that do not fall in one of the previous sections, such as physical security.
Related features and functionality information
Specific information related to the features and functionality described in this document is included in the following for Unity:
- Unisphere Command Line Interface User Guide
- Unisphere Online Help
- SMI-S Provider Programmer's Guide
- Service Commands Technical Notes
- Secure Remote Services Requirements and Configuration
The complete set of EMC customer publications is available on the EMC Online Support website at http://Support.EMC.com. After logging in to the website, click the Support by Product page, to locate information for the specific feature required.
CHAPTER 2
Access Control
This chapter describes a variety of access control features implemented on the storage system.
Topics include:
- Alert settings 10
- Storage system factory default management and service accounts 11
- Storage system account management 11
- Unisphere 12
- Unisphere command line interface (CLI) 14
- Storage system service SSH interface 15
- Storage system SP Ethernet service port and IPMItool 16
- SMI-S provider 17
- vSphere Storage API for Storage Awareness support 17
- Single sign-on with Unisphere Central 19
- Security on file system objects 22
- File systems access in a multiprotocol environment 22
- NFS secure 26
- Dynamic Access Control 27
Alert settings
Storage system alerts inform administrators of actionable events that occur on the storage system. Storage system events can be reported as shown in Table 2 on page 10.
Table 2 Alert settings

Visual notification
    Displays informational pop-up messages when users log in to the interface and in real time to indicate when alert conditions occur. Pop-ups provide basic information about the alert condition. You can obtain additional information from Settings > Alerts > Specify Email Alerts and SMTP Configuration.
    Note
    Storage system visual alert notifications are not configurable. Also, the storage system does not have an option to authenticate to an SMTP mail server. If your mail server requires all clients to authenticate to relay an email, the storage system cannot send email alerts through that mail server.

Email notification
    Enables you to specify one or more email addresses to which to send alert messages. You can configure the following settings:
    - Email addresses to which to send storage system alerts.
    - Severity level (critical, error, warning, notice, or information) required for email notification.
    Note
    For storage system alert email notification to work, you must configure a target SMTP server for the storage system.

SNMP traps
    Transfer alert information to designated hosts (trap destinations) that act as repositories for the alert information generated by the storage system. You can configure SNMP traps through Unisphere. Settings include:
    - IP address of a network SNMP trap destination
    - Optional security settings for trap data transmission
        - Authentication protocol: hashing algorithm used for SNMP traps (SHA or MD5)
        - Privacy protocol: encryption algorithm used for SNMP traps (DES, AES, AES192, or AES256)
    The Unisphere Online Help provides more information.

EMC Secure Remote Services (ESRS)
    ESRS provides an IP-based connection that enables EMC Support to receive error files and alert messages from your storage system, and to perform remote troubleshooting resulting in a fast and efficient time to resolution.
    Note
    Available with operating environment (OE) version 4.0 or later. For ESRS to work, you must enable it on the storage system.
Storage system factory default management and service accounts
The storage system comes with factory default user account settings to use when initially accessing and configuring the storage system. See Table 3 on page 11.
Table 3 Factory default user account settings

Account type           | Username | Password     | Privileges
-----------------------|----------|--------------|-----------------------------------------------------------
Management (Unisphere) | admin    | Password123# | Administrator privileges for resetting default passwords, configuring system settings, creating user accounts, and allocating storage.
Service                | service  | service      | Perform service operations.
Note
During the initial configuration process, you are required to change the default password for the Management and Service accounts.
Storage system account management
Table 4 on page 11 shows the ways in which you can manage the storage system accounts.

Table 4 Account management methods

Management
    After the storage system initial configuration process is complete, you can manage the storage system management accounts from Unisphere or the Unisphere CLI. You can create, modify, delete, or reset password settings for the storage system local accounts, and assign or change the roles of accounts, which determine the privileges provided to the users who use them.

Service
    You cannot create or delete storage system service accounts. You can reset the service account password from Unisphere: under System, select Service > Service Tasks > Change Service Password.
Note
You can reset the storage system factory default account passwords by pressing the password reset button on the storage system chassis. The Unisphere Online Help provides more information.
Unisphere
Authentication for access to Unisphere is performed based on the credentials of the user (local or LDAP) account. User accounts are created and subsequently managed through the Unisphere Manage Administration page. The authorizations that apply to Unisphere depend on the role associated with the user account.
Before a user can download the Unisphere UI content to a management workstation, the user must provide credentials for authentication and establish a session on the storage system. When the user specifies the network address of the storage system as the URL in a web browser, the user will be presented with a login page from which the user can select to authenticate either as a local user or through an LDAP directory server. The credentials that the user provides will be authenticated and, upon successful authentication, a UI management session will be created on the storage system. Subsequently, the Unisphere UI will be downloaded and instantiated on the user's management workstation. The user then will be able to monitor and manage the storage system within the capabilities of the role assigned to the user.
LDAP
The Lightweight Directory Access Protocol (LDAP) is an application protocol for querying directory services running on TCP/IP networks. LDAP provides central management of authentication and identity and group information used for authorization on the storage system. Integrating the system into an existing LDAP environment provides a way to control user and user group access to the system through Unisphere CLI or Unisphere.
After you configure LDAP settings for the system, you can manage users and user groups, within the context of an established LDAP directory structure. For instance, you can assign access roles (Administrator, Storage Administrator, Operator, VM administrator) to the LDAP user or groups. The role applied will determine the level of authorization the user or group will have in administering the storage system. The system uses the LDAP settings only for facilitating control of access to Unisphere CLI and Unisphere, not for access to storage resources.
Session rules
Unisphere sessions have the following characteristics:
- Expiration term of one hour
- Session timeout is not configurable
- Session IDs are generated during authentication and used for the duration of each session
Password usage
Unisphere account usernames and passwords must meet these requirements, as shown in Table 5 on page 13.
Table 5 Unisphere account requirements

Restriction                            | Password requirement
---------------------------------------|--------------------------------------------------------
Minimum number of characters           | 8
Minimum number of uppercase characters | 1
Minimum number of lowercase characters | 1
Minimum number of numeric characters   | 1
Minimum number of special characters   | 1 (supported special characters include: !,@#$%^*_~?)
Maximum number of characters           | 40
Note
You can change account passwords from Unisphere by selecting Settings and, under Users and Groups, selecting User Management > More Actions > Reset Password. When changing a password, you cannot reuse any of the last three passwords. The Unisphere Online Help provides more information.
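The following Python script is an added example, not EMC code and not how the storage system itself enforces its policy: it checks a candidate password against the Table 5 rules and the "last three passwords" reuse rule, as an administrator might do in a provisioning script before submitting the password to Unisphere. The function names (hash_password, password_policy_violations, is_acceptable) and the choice of salted PBKDF2 for the history entries are this example's own assumptions; the guide does not describe how the system stores its password history.

```python
import hashlib
import hmac
import os

# Policy values taken from Table 5 and the note that follows it.
MIN_LENGTH = 8
MAX_LENGTH = 40
SPECIAL_CHARACTERS = "!,@#$%^*_~?"   # the supported special characters listed in Table 5
PASSWORD_HISTORY_DEPTH = 3           # "you cannot reuse any of the last three passwords"
PBKDF2_ITERATIONS = 100_000          # assumption: how this example protects history entries


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 digest of a password, so the history used for
    the reuse check never holds plaintext. Returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_entry(password, entry):
    """Constant-time comparison of a candidate against one stored history entry."""
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def password_policy_violations(candidate, history=()):
    """Return the list of Table 5 rules the candidate breaks; an empty list
    means the password is acceptable. history holds hash_password() entries,
    oldest first; only the last PASSWORD_HISTORY_DEPTH take part in the check."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"more than {MAX_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase character")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase character")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeric character")
    if not any(c in SPECIAL_CHARACTERS for c in candidate):
        problems.append("no special character from " + SPECIAL_CHARACTERS)
    recent = list(history)[-PASSWORD_HISTORY_DEPTH:]
    if any(matches_entry(candidate, entry) for entry in recent):
        problems.append(f"matches one of the last {PASSWORD_HISTORY_DEPTH} passwords")
    return problems


def is_acceptable(candidate, history=()):
    return not password_policy_violations(candidate, history)


def sample_history():
    """Constructed history of four rotations, oldest first (sample data only)."""
    return [hash_password(p) for p in ("Unity4Ever!", "Second2Pass@", "Third3Pass$", "Fourth4Pass%")]


if __name__ == "__main__":
    history = sample_history()
    # "Unity4Ever!" is four rotations back, so it is outside the three-deep window
    # and is allowed again; "Third3Pass$" is inside the window and is refused.
    for pw in ("abc123!", "Unity4Ever!", "Third3Pass$", "Fresh5Pass^"):
        print(pw, "->", password_policy_violations(pw, history) or "OK")
```

The reuse check deliberately slices the history to the last three entries, which is the subtle part of the rule: a password older than that is acceptable again, while the three most recent are refused even though they otherwise satisfy every Table 5 requirement.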
Authorization
Table 6 on page 13 shows the roles you can assign to the storage system local users and the privileges associated with these roles. In addition, you can assign these roles to LDAP users and groups.
Table 6 Local user roles and privileges
Roles: Operator, Storage administrator, Administrator, VM administrator. An x marks each role that can perform the task.

Change own local login password | x x x
Add, delete, or modify hosts | x
Create storage | x x
Delete storage | x x
Add storage objects, such as LUNs, shares, and storage groups to a storage resource | x x
View storage configuration and status | x x x
View Unisphere user accounts | x x
Add, delete or modify Unisphere user accounts | x
View current software or license status | x x x
Perform software or license upgrade | x
Perform initial configuration | x
Modify NAS server configuration | x
Modify system settings | x
Modify network settings | x
Change management interface language | x x x
View log and alert information | x x x
View encryption status | x x x
Perform encryption keystore, auditlog, checksum backup | x x
Establish VASA connections between vCenter and the storage system | x x
In the case of the VM Administrator role, once connection is established between the vCenter and the storage system, a vCenter user will be able to view the subset of the storage configuration and status which is relevant to that vCenter and its ESXi servers. The vCenter user can view only that information which is allowed through the vCenter access control mechanisms.
Note
You can change account roles in Unisphere by selecting Settings and, under Users and Groups, selecting User Management > More Actions > Change Role. The Unisphere Online Help provides more information.
NAT
NAT is not supported for local login through Unisphere to the storage system.
Unisphere command line interface (CLI)
The Unisphere CLI provides a command line interface for the same functionality available through Unisphere.
Running the Unisphere CLI requires special storage system command line software. You can download this software from the product page for your storage system on EMC Online Support (https://support.emc.com).
Session rules
The Unisphere CLI client does not support sessions. You must use command line syntax to specify the account username and password with each command that you issue.
You can use the Unisphere CLI -saveuser command to save the access credentials (username and password) for a specific account to a file in the secure lockbox that resides locally on the host on which Unisphere CLI is installed. The stored data is only available on the host where it was saved and to the user who saved it. After you save the access credentials, the CLI automatically applies them to the specified storage system destination and port each time you run a command.
Password usage
Authentication to the Unisphere CLI is performed in accordance with management accounts created and managed through Unisphere. The same permissions that apply to Unisphere apply to specific commands depending on the role associated with the current login account.
Saved settings
You can save the following settings on the host on which you run Unisphere CLI:
- User access credentials, including your username and password, for each system you access.
- SSL certificates imported from the system.
- Information about the default system to access through Unisphere CLI, including the system name or IP address and the system port number.
Unisphere CLI saves the settings to a secure lockbox that resides locally on the host on which Unisphere CLI is installed. The stored data is only available on the host where it was saved and to the user who saved it. The lockbox resides in the following locations:
- On Windows Server 2003 (XP): C:\Documents and Settings\${user_name}\Local Settings\Application Data\.emc\uemcli\cert
- On Windows 7, Windows 8, and Windows 10: C:\Users\${user_name}\AppData\Local\.emc\uemcli\cert
- On UNIX/Linux: <home_directory>/.emc/uemcli/cert
Locate the files config.xml and config.key. If you uninstall Unisphere CLI, these directories and files are not deleted, giving you the option of retaining them. If these files are no longer needed, consider deleting them.
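Because the lockbox holds saved access credentials and outlives an uninstall, a practitioner will want a repeatable check for leftover config.xml and config.key files on management workstations. The script below is an added example, not part of the Unisphere CLI or of this guide: it computes the lockbox directory for each platform the guide lists, reports which of the two files still exist, and removes them only when dry_run is switched off. The platform labels, the function names, and the assumption that the legacy Windows folder is spelled "Application Data" (with a space) are this example's own.

```python
import sys
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath

# The two files the guide names as the lockbox contents.
LOCKBOX_FILES = ("config.xml", "config.key")


def lockbox_dir(platform, home):
    """Pure (not touched on disk) path of the Unisphere CLI lockbox directory.

    platform: "windows-legacy" for Windows Server 2003 / XP,
              "windows" for Windows 7, 8 and 10, "posix" for UNIX/Linux.
    home: the user's profile or home directory, e.g. C:\\Users\\alice or /home/alice."""
    if platform == "windows-legacy":
        # "Application Data" with a space is the real folder name on those versions
        # (assumption; the guide's extracted text runs the two words together).
        return PureWindowsPath(home) / "Local Settings" / "Application Data" / ".emc" / "uemcli" / "cert"
    if platform == "windows":
        return PureWindowsPath(home) / "AppData" / "Local" / ".emc" / "uemcli" / "cert"
    if platform == "posix":
        return PurePosixPath(home) / ".emc" / "uemcli" / "cert"
    raise ValueError(f"unknown platform {platform!r}")


def current_lockbox_dir():
    """Lockbox directory for the user running this script (modern Windows or POSIX)."""
    platform = "windows" if sys.platform.startswith("win") else "posix"
    return Path(str(lockbox_dir(platform, str(Path.home()))))


def leftover_lockbox_files(directory):
    """Names of lockbox files that still exist under directory, sorted."""
    directory = Path(directory)
    return sorted(name for name in LOCKBOX_FILES if (directory / name).is_file())


def remove_lockbox_files(directory, dry_run=True):
    """Delete leftover lockbox files; with dry_run=True only report what would go."""
    directory = Path(directory)
    removed = []
    for name in leftover_lockbox_files(directory):
        if not dry_run:
            (directory / name).unlink()
        removed.append(name)
    return removed


def demo_cleanup():
    """Exercise the check on a constructed lockbox inside a temporary directory.
    Returns (files found before, files a dry run reports, files left after removal)."""
    with tempfile.TemporaryDirectory() as tmp:
        lockbox = Path(tmp) / ".emc" / "uemcli" / "cert"
        lockbox.mkdir(parents=True)
        for name in LOCKBOX_FILES:
            # Constructed placeholder content; a real lockbox is not reproduced here.
            (lockbox / name).write_text("constructed placeholder, not a real lockbox\n")
        before = leftover_lockbox_files(lockbox)
        planned = remove_lockbox_files(lockbox, dry_run=True)
        remove_lockbox_files(lockbox, dry_run=False)
        after = leftover_lockbox_files(lockbox)
    return before, planned, after


if __name__ == "__main__":
    print("lockbox for this user:", current_lockbox_dir())
    print("leftover files:", leftover_lockbox_files(current_lockbox_dir()))
    print("demo on a temporary lockbox:", demo_cleanup())
```

Run as-is the script only reports; the deletion path is exercised on a throwaway copy in demo_cleanup so the real lockbox is never touched until an operator deliberately calls remove_lockbox_files(..., dry_run=False).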
Storage system service SSH interface
The storage system SSH service interface when enabled provides a command line interface for performing related and overlapping functionality to that which is available from the Unisphere Service page (under System select Service > Service Tasks > Enable SSH).
The service account enables users to perform the following functions:
- Perform specialized storage system service commands for monitoring and troubleshooting storage system settings and operations.
- Operate standard Linux commands as a member of a non-privileged Linux user account. This account does not have access to proprietary system files, configuration files, or user/customer data.
To learn more about using service commands, see the technical notes document, Service Commands.
The storage system SSH service interface setting is persistent across system reboots, failovers, and in both Service Mode and Normal Mode. Therefore, enabling the storage system SSH service interface will keep the interface enabled until it is explicitly disabled from the Unisphere Service page (under System select Service > Service Tasks > Disable SSH).
For maximum system security, it is recommended to leave the storage system SSH service interface disabled at all times unless it is specifically needed to perform service operations on the storage system. After performing the necessary service operations, disable the SSH interface to ensure that the system remains secure.
Sessions
The storage system SSH service interface sessions are maintained according to the settings established by the SSH client. Session characteristics are determined by the SSH client configuration settings.
Password usage
The service account is an account that service personnel can use to perform basic Linux commands.
The default password for the storage system service interface is service. When you perform initial configuration for the storage system, you must change the default service password. Password restrictions are the same as those that apply to Unisphere management accounts (see Password usage on page 12). For information on the storage system service command, svc_service_password, used to manage the password settings for the storage system service account, see the technical notes document, Service Commands.
Authorization
As shown in Table 7 on page 16, authorization for the service account is defined in two ways.
Table 7 Service account authorization definitions

Linux file system permissions
    File system permissions define most of the tasks that the service account can and cannot perform on the storage system. For example, most Linux tools and utilities that modify system operation in any way require superuser account privileges. Since the service account does not have such access rights, the service account cannot use Linux tools and utilities to which it does not have execute permissions and cannot edit configuration files that require root access to read or modify, or both.

Access control lists (ACLs)
    The ACL mechanism on the storage system uses a list of very specific rules to explicitly grant or deny access to system resources by the service account. These rules specify service account permissions to other areas of the storage system that are not otherwise defined by standard Linux file system permissions.
Storage system service commands
A set of problem diagnostic, system configuration, and system recovery commands is installed on the storage system's operating environment (OE). These commands provide an in-depth level of information and a lower level of system control than is available through Unisphere. The technical notes document, Service Commands, describes these commands and their common use cases.
Storage system SP Ethernet service port and IPMItool
Your storage system provides console access over an Ethernet service port that is on each SP. This access requires the use of the IPMItool. The IPMItool is a network tool similar to ssh or telnet that interfaces with each SP over an Ethernet connection by using the IPMI protocol. The IPMItool is a Windows utility that negotiates a secure communication channel to access the SP console of a storage system. This utility requires login credentials and an IP address to activate the console. For more information about the IPMItool, see the IPMItool User Guide Technical Notes.
The SP Ethernet service port interface provides the same functions and features as the service SSH interface and is also subject to the same restrictions. The difference is that users access the interface through an Ethernet port connection rather than an SSH client.
For a list of service commands, refer to the Service Commands Technical Notes.
SMI-S provider
The SMI-S provider does not introduce any change with regards to security. An SMI-S client connects to the storage system through HTTPS port 5989. The login credentials are the same as those of Unisphere UI or CLI users. All security rules that apply to UI and CLI users also apply to SMI-S connections. Unisphere UI and CLI users can authenticate using the SMI-S interface. No separate users are defined for the SMI-S interface. Once authenticated, the SMI-S client has the same privileges as defined for those Unisphere UI and CLI users. The SMI-S Provider Programmer's Guide for your storage system product provides information about configuring this service.
vSphere Storage API for Storage Awareness support
vSphere Storage API for Storage Awareness (VASA) is a VMware-defined, vendor-neutral API for storage awareness. A VASA Provider (VP) is a storage-side software component that acts as a storage awareness service for vSphere. ESXi hosts and vCenter Server connect to the VP and obtain information about available storage topology, capabilities, and status. Subsequently, vCenter Server provides this information to vSphere clients. VASA is used by VMware clients rather than Unisphere clients.
The VP runs on the active Storage Processor (SP) of the storage system. The vSphere user must configure this VP instance as the provider of VASA information for each storage system. In the event that an SP goes down, the related process will restart on the peer SP, along with the VASA VP. The IP address fails over automatically. Internally, the protocol will see a fault when obtaining configuration change events from the newly active VP, but this will cause an automatic resynchronization of the VASA objects without user intervention.
The storage system provides VASA 3.0 and VASA 2.0 interfaces for vSphere 6, and VASA 1.0 interfaces for vSphere 5.x.
VASA 1.0 is a reporting interface only, used by VMware clients rather than Unisphere clients. It is used to request basic information about the storage system and the storage devices it exposes to the virtual environment in order to facilitate day-to-day provisioning, monitoring, and troubleshooting through vSphere:
- Storage visibility: internally detects property changes and sends the updated information to vCenter.
- Health and capacity alarms: internally monitors for health status changes and for capacity-related thresholds being crossed, raising the appropriate alarms to vCenter:
  - health status for the array, SPs, I/O ports, LUNs, and file systems
  - class-level change indications for a change in health status for any of these objects
  - space capacity alarms for LUNs and file systems
- VASA storage capabilities: internally monitors for storage capability changes and reports updated capabilities to vCenter.
- Storage DRS integration: vSphere relies on information obtained internally from the VP and feeds it into its business logic for various Storage DRS workflows.
VASA 3.0 and VASA 2.0 support Virtual Volumes (VVols). They provide interfaces to query storage abstractions such as VVols and storage containers, which helps storage policy based management (SPBM) make decisions about virtual disk placement and compliance, and interfaces to provision and manage the lifecycle of the VVols that back virtual disks. These interfaces are invoked directly by ESXi hosts.
For more information related to VASA, vSphere, and VVols, refer to the VMware documentation and the Unisphere online help.
Authentication related to VASA
In order to initiate a connection from vCenter to the Unisphere VP, you must use the vSphere client to enter three key pieces of information:
- the URL of the VP, in the following format:
  - For VASA 3.0 and VASA 2.0: https://<Management IP address>:8443/vasa/version.xml
  - For VASA 1.0: https://<Management IP address>:8444/vasa/version.xml or https://<Management IP address>:8444/vasa/services/vasaService
- the username of a Unisphere user (the role must be either VM Administrator or Administrator):
  - for local users, use the syntax local/<username>
  - for LDAP users, use the syntax <domain>/<username>
  Note
  The VM Administrator role is strictly used as a means to register certificates.
- the password associated with this user
The Unisphere credentials used here are only used during this initial step of the connection. If the Unisphere credentials are valid for the target storage system, the certificate of the vCenter Server is automatically registered with the storage system. It is this certificate that is used to authenticate all subsequent requests from the vCenter. No manual steps are required to install or upload this certificate to the VP. If the certificate has expired, the vCenter must register a new certificate to support a new session. If the certificate is revoked by the user, the session is invalidated and the connection is severed.
vCenter session, secure connection and credentials
A vCenter session begins when a vSphere administrator uses the vSphere Client to supply the vCenter Server with the VP URL and login credentials. The vCenter Server uses the URL, credentials, and the SSL certificate of the VP to establish a secure connection with the VP. A vCenter session ends when one of the following events occurs:
- An administrator uses the vSphere Client to remove the VP from the vCenter configuration and the vCenter Server terminates the connection.
- The vCenter Server fails or a vCenter Server service fails, terminating the connection. When vCenter or the service starts again, it will attempt to reestablish the SSL connection. If it cannot, it will start a new SSL connection.
- The VASA Provider fails, terminating the connection. When the VASA Provider starts up, it can respond to communication from the vCenter Server to reestablish the SSL connection and VASA session.
A vCenter session is based on secure HTTPS communication between a vCenter Server and a VP. The VASA architecture uses SSL certificates and VASA session identifiers to support secure connections. With VASA 1.0, the vCenter Server added the VP certificate to its truststore as part of the VP installation, or when it created a VASA session connection. The VP added the vCenter Server certificate to its truststore when the Storage Monitoring Service (SMS) called the registerVASACertificate function. In VASA 3.0 and VASA 2.0, vCenter Server acts as the VMware certificate authority (VMCA). The VP transmits a self-signed certificate on request, after authorizing the request. It adds the vCenter Server certificate to its truststore, then issues a certificate signing request, and replaces its self-signed certificate with the VMCA-signed certificate. Future connections are authenticated by the server (the VP) using the client (SMS) certificate, validated against the previously registered root signing certificate. A VP generates unique identifiers for storage entity objects, and vCenter Server uses the identifier to request data for a specific entity.
A VP uses SSL certificates and the VASA session identifier to validate VASA sessions. After the session is established, a VP must validate both the SSL certificate and the VASA session identifier associated with each function call from the vCenter Server. The VP uses the vCenter Server certificate stored in its truststore to validate the certificate associated with function calls from the vCenter SMS. A VASA session persists across multiple SSL connections. If an SSL connection is dropped, the vCenter Server will perform an SSL handshake with the VP to reestablish the SSL connection within the context of the same VASA session. If an SSL certificate expires, the vSphere administrator must generate a new certificate. The vCenter Server will establish a new SSL connection and register the new certificate with the VP.
Note
Unregistration of 3.0 and 2.0 VPs differs from unregistration of 1.0 VPs. SMS does not call the unregisterVASACertificate function against a 3.0 or 2.0 VP, so even after unregistration, the VP can continue to use its VMCA signed certificate obtained from SMS and continues to have access to the VMCA root certificate.
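The VASA 3.0/2.0 certificate bootstrap described above, modeled with openssl as an added example (this is not EMC or VMware code and does not talk to a real VP or vCenter): a stand-in VMCA root, a VP that starts with a self-signed certificate and obtains a VMCA-signed one from a CSR, and the per-call check a VP performs by validating a presented certificate against the registered root, including the expired-certificate case. The subject names, the 3650- and 365-day lifetimes, and the 400-day look-ahead are assumptions; the only requirement is an openssl binary (1.1.1 or later) on PATH.

```sh
#!/bin/sh
# Added example, not EMC or VMware code. Models the VASA 2.0/3.0 trust bootstrap
# with openssl: a stand-in VMCA root, a VP CSR signed by that root, and the
# per-call chain check a VP performs. All names and lifetimes are assumptions.
set -e

WORK=${WORK:-$(mktemp -d)}

# Stand-in for the VMCA root held by vCenter. The VP only ever stores the public
# certificate; it is the "previously registered root signing certificate".
make_vmca_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example VMCA root" \
    -keyout "$WORK/vmca.key" -out "$WORK/vmca.pem" >/dev/null 2>&1
}

# The VP starts with a self-signed certificate and, after authorizing the
# request, produces a CSR for the same key.
make_vp_selfsigned_and_csr() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=vasa-provider.example" \
    -keyout "$WORK/vp.key" -out "$WORK/vp-selfsigned.pem" >/dev/null 2>&1
  openssl req -new -key "$WORK/vp.key" -subj "/CN=vasa-provider.example" \
    -out "$WORK/vp.csr" >/dev/null 2>&1
}

# VMCA signs the CSR for $1 days; the VP replaces its self-signed cert with it.
vmca_sign_vp_csr() {
  openssl x509 -req -in "$WORK/vp.csr" -CA "$WORK/vmca.pem" -CAkey "$WORK/vmca.key" \
    -CAcreateserial -days "$1" -out "$WORK/vp-signed.pem" >/dev/null 2>&1
}

# Per-call check: does the presented certificate ($1) chain to the registered
# root? Optional $2 is a Unix timestamp to evaluate validity at (default: now).
# Returns 0 when the chain verifies and is within its validity period.
verify_against_root() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$WORK/vmca.pem" -attime "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/vmca.pem" "$1" >/dev/null 2>&1
  fi
}

# Unix timestamp $1 days from now, used to simulate certificate expiry.
days_from_now() {
  echo $(( $(date +%s) + $1 * 86400 ))
}

run_demo() {
  make_vmca_root
  make_vp_selfsigned_and_csr
  vmca_sign_vp_csr 365
  if verify_against_root "$WORK/vp-signed.pem"; then
    echo "VMCA-signed VP certificate: accepted"
  fi
  if ! verify_against_root "$WORK/vp-selfsigned.pem"; then
    echo "original self-signed VP certificate: rejected (no chain to registered root)"
  fi
  if ! verify_against_root "$WORK/vp-signed.pem" "$(days_from_now 400)"; then
    echo "VMCA-signed certificate 400 days on: rejected (expired; a new one must be registered)"
  fi
}

run_demo
```

The -attime case is the situation the text describes for an expired certificate: the chain still leads to the registered root, but the session cannot be re-established until vCenter registers a fresh certificate. As the note above says, unregistration alone does not withdraw a 3.0 or 2.0 VP's VMCA-signed certificate; in this model only expiry or a change of the registered root stops it verifying. The same pattern (a client certificate validated against a trusted issuing CA) is what the Unisphere Central single sign-on section below relies on.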
Single sign-on with Unisphere Central
The single sign-on capability added to Unisphere Central provides authentication services for multiple storage systems that are configured to use this feature. This feature provides an easy way for a user to log in to each system without requiring the user to re-authenticate to each system.
Unisphere Central is the centralized authentication server that facilitates single sign-on. This functionality allows a user to:
- Log in to Unisphere Central, then select and launch Unisphere on a storage system without supplying login credentials again.
- Log in to one storage system and then select other storage systems associated with the same Unisphere Central and log in to them without supplying login credentials again.
Unisphere Central will periodically execute a query to request status information from the storage systems that it is managing. The identity associated with requests executed in this context is the Unisphere Central SSL/X.509 certificate. This certificate is signed by the Unisphere Central Certificate Authority, which is trusted by each storage system instance that Unisphere Central is configured to manage.
Additionally, this feature provides a single sign-off capability; that is, when you log off Unisphere Central, you log off all of the associated storage system sessions at once.
Requirements
To use single sign-on:
- Unity and UnityVSA storage systems must be running OE version 4.0 or later.
- Unisphere Central version 4.0 or later must be used.
- Both the Unisphere Central server and the storage systems must be configured to authenticate against the same AD/LDAP directory.
- The LDAP user must be directly mapped to a Unisphere role, or be a member of an AD/LDAP group that maps to a Unisphere role, on both the storage system and Unisphere Central.
- Each storage system must have single sign-on enabled.
- The user must log in as an LDAP user.
Note
In cases where these requirements are not met, the user must log in to the individual system as a local user and provide authentication credentials to access that system.
You must have Administrator privileges to enable single sign-on. Users with Storage Administrator, Operator, or VM Administrator privileges cannot enable single sign-on. Use the following uemcli command to enable single sign-on:

    uemcli -d <IP address> -u <username> -p <password> /sys/ur set -ssoEnabled yes

Each storage system that is configured with this feature enabled can be a client of the centralized authentication server and participate in the single sign-on environment. For more information about this command, refer to the Unisphere Command Line Interface User Guide.
Considerations and Restrictions
The following web browsers are supported:
- Google Chrome version 33 or higher
- Microsoft Internet Explorer version 10 or higher
- Mozilla Firefox version 28 or higher
- Apple Safari version 6 or higher
The user session timeout between the web client and centralized authentication server is 45 minutes.
The application session timeout between the web client and the storage system is one hour.
Single sign-on process flows
The following sequences represent the authentication process flows related to single sign-on associated with Unisphere Central.
Access to a storage system through Unisphere Central
1. User launches a web browser on a management workstation and specifies the network address of Unisphere Central as the URL.
2. The browser is redirected by the web server to a local Unisphere Central login URL and the user is presented with a login screen.
3. The user types and submits LDAP login credentials. The username is in the form <LDAP DOMAIN>/username.
4. A session token is set and the browser is redirected by the system back to the original URL that was specified.
5. The browser downloads the Unisphere content and Unisphere Central is instantiated.
6. The user then navigates through Unisphere to a particular storage system to monitor.
7. The user clicks on the network address for the storage system.
8. A new browser window is created with the URL of the storage system.
9. The browser is redirected to the Unisphere Central authentication server where the user has already authenticated.
10. The browser is redirected back to the Unisphere download page and a session is established with the storage system using the new service ticket.
11. Unisphere is downloaded and instantiated.
12. The user starts managing/monitoring the storage system.
Access to storage systems associated with Unisphere Central
1. User launches a web browser on a management workstation and specifies the network address of a storage system as the URL.
2. The browser is redirected to the local Unisphere Central login service and the user is presented with a login screen.
3. The user types and submits LDAP login credentials. The username is in the form <LDAP DOMAIN>/username.
4. A session token is set as a cookie and the browser is redirected by the system back to the original URL that was specified.
5. The browser downloads the Unisphere content and Unisphere is instantiated.
6. The user then opens another web browser window or tab and specifies the network address of another storage system as the URL.
7. The browser is redirected to the Unisphere Central authentication server where the user is already authenticated. A new service ticket is obtained.
8. The browser is redirected back to the Unisphere download page and establishes a session with the second storage system using the new service ticket.
9. Unisphere for the second storage system is downloaded and instantiated.
10. The user starts managing/monitoring the second storage system.
Logging in to a local storage system
When you use a local account, or if connectivity to the Unisphere Central authentication server is not available, you can log in to a local storage system using the authentication server resident on the system instead of logging in through Unisphere Central. There are two ways to log in to the storage system locally:
- When the browser is redirected to the Unisphere Central authentication server, an option is available that allows the user to redirect back to the system and log in locally.
- If Unisphere Central is inaccessible, the following URL syntax can be used to browse to the system and log in locally: https://<storagesystemIP>?casHome=LOCAL, where storagesystemIP is the IP address of the storage system.