EMC® Atmos™
Version 2.3.1
Security Configuration Guide
P/N 300-015-476
REV 01

EMC Atmos Version 2.3.1 Security Configuration Guide 2

Copyright © 2008-2015 EMC Corporation. All rights reserved. Published in the USA.
Published August, 2015
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
EMC2, EMC, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners.
For the most up-to-date regulatory document for your product line, go to the technical documentation and advisories section on the EMC online support website.
CONTENTS
Preface
Chapter 1 Security Configuration
    About Atmos Security ................................ 10
        Authentication .................................. 11
        Data Integrity and Privacy ...................... 12
    Administrative Security ............................. 12
    Web-services Security ............................... 13
    File-system Security ................................ 13
    Atmos CAS Security .................................. 14
    Atmos System Accounts ............................... 14
    Communication-security Settings ..................... 15
        Port Usage ...................................... 15
        Network Encryption .............................. 18
PREFACE
As part of an effort to improve its product lines, EMC periodically releases revisions of its software and hardware. Therefore, some functions described in this document might not be supported by all versions of the software or hardware currently in use. The product release notes provide the most up-to-date information on product features.
Contact your EMC representative if a product does not function properly or does not function as described in this document.
Note: This document was accurate at publication time. New versions of this document might be released on the EMC online support website. Check the EMC online support website to ensure that you are using the latest version of this document.
Audience
This document is intended for system administrators and provides an overview of security configuration settings available to ensure secure operation of EMC® Atmos™.
Related documentation
The EMC Atmos documentation set includes the following titles:
• EMC Atmos Release Notes
• EMC Atmos Administrator’s Guide
• EMC Atmos Programmer’s Guide
• EMC Atmos System Management API Guide
• EMC Atmos Security Configuration Guide
• EMC Atmos CAS Programmer’s Guide
• EMC Atmos CAS API Reference Guide
• EMC Atmos Installable File System (IFS) Installation and Upgrade Guide
• EMC Atmos online help
• EMC Atmos Series Open Source License and Copyright Information
• EMC Atmos Series Open Source License and Copyright Information for GPLv3
Conventions used in this document
EMC uses the following conventions for special notices:
Note: A note presents information that is important, but not hazard-related.
IMPORTANT
An important notice contains information essential to software or hardware operation.
Typographical conventions
EMC uses the following type style conventions in this document:
Normal: Used in running (nonprocedural) text for:
    • Names of interface elements, such as names of windows, dialog boxes, buttons, fields, and menus
    • Names of resources, attributes, pools, Boolean expressions, buttons, DQL statements, keywords, clauses, environment variables, functions, and utilities
    • URLs, pathnames, filenames, directory names, computer names, links, groups, service keys, file systems, and notifications
Bold: Used in running (nonprocedural) text for names of commands, daemons, options, programs, processes, services, applications, utilities, kernels, notifications, system calls, and man pages
    Used in procedures for:
    • Names of interface elements, such as names of windows, dialog boxes, buttons, fields, and menus
    • What the user specifically selects, clicks, presses, or types
Italic: Used in all text (including procedures) for:
    • Full titles of publications referenced in text
    • Emphasis, for example, a new term
    • Variables
Courier: Used for:
    • System output, such as an error message or script
    • URLs, complete paths, filenames, prompts, and syntax when shown outside of running text
Courier bold: Used for specific user input, such as commands
Courier italic: Used in procedures for:
    • Variables on the command line
    • User input variables
< >: Angle brackets enclose parameter or variable values supplied by the user
[ ]: Square brackets enclose optional values
|: Vertical bar indicates alternate selections — the bar means “or”
{ }: Braces enclose content that the user must specify, such as x or y or z
...: Ellipses indicate nonessential information omitted from the example

Where to get help
EMC support, product, and licensing information can be obtained as follows:
Product information - For documentation, release notes, software updates, or information about EMC products, go to EMC Online Support at:
https://support.emc.com
Technical support - Go to EMC Online Support and click Service Center. You will see several options for contacting EMC Technical Support. Note that to open a service request, you must have a valid support agreement. Contact your EMC sales representative for details about obtaining a valid support agreement or with questions about your account.
Your comments
Your suggestions will help us continue to improve the accuracy, organization, and overall quality of the user publications. Send your opinions of this document to:
CHAPTER 1 Security Configuration
This guide provides an overview of the security configuration settings available to ensure a secure operation of EMC® Atmos™. This guide describes the following topics:
• About Atmos Security (page 10)
• Administrative Security (page 12)
• Web-services Security (page 13)
• File-system Security (page 13)
• Atmos CAS Security (page 14)
• Atmos System Accounts (page 14)
• Communication-security Settings (page 15)
About Atmos Security
Atmos is architected as a multi-tenant system where a single instance of Atmos can support multiple organizations known as tenants. Atmos provides physical isolation of tenants and their data by restricting Atmos access nodes to specific tenants. Each tenant can be further subdivided into one or more subtenants. Subtenants are logically isolated from other subtenants. They use the access nodes defined for the tenant container, but they have their own objects, file systems, and users.
Figure 1 shows how the Atmos security components interact between the application tier and the Atmos tier.
Figure 1 Atmos Security Components
The Atmos tier includes:
• A Web-based system-management GUI.
Atmos controls security for administrative tasks through role-based access control. It includes roles for managing the system, tenants, and subtenants. For details about roles, see “Administrative Security” on page 12.
• Access nodes through which Web-services (REST, S3), file-system applications (CIFS and NFS), and Atmos Content Addressed Storage (CAS) can access Atmos data.
To create a secure multi-tenant environment, the system administrator configures which tenants control which access nodes. An access node provides the gateway to data access for applications written for Atmos. Each Atmos node is considered an individual appliance.
EMC provides software updates in the form of new code releases, security patches or hotfixes. Installation of external applications or software from non-EMC third parties is not permitted.
Atmos uses FIPS 140-2 certified cryptography libraries to provide tamper evidence of Atmos security-related configuration files for system administrator authentication, and for Web Services users whose UIDs and shared secrets are stored in the Atmos lockbox (shared secret keystore).
Authentication
Atmos authenticates users logging in at the administration interface and Web-services users. File-system applications (CIFS and NFS clients) are responsible for authenticating their end users. Atmos CAS authenticates applications first before access is granted to application users. Atmos ensures that authenticated users are able to perform only the actions for which they have permissions through roles, or through file system or object ACLs and UIDs.
Atmos does not currently ensure a consistent view of users across Web-services, file-system, and Atmos CAS authentication systems.
• File-system users are defined by the node that is configured as the file system access node. This access node can be either a natively configured NFS/CIFS access node for the tenant, or a RHEL5 Atmos file system client running IFS or acting as a gateway and re-exporting via NFS or CIFS. These nodes are typically configured to operate within a company’s infrastructure which includes the definition of an authentication source, such as LDAP. The file system interface inherits this configuration's userspace.
• Web-services users are defined by the tenant or subtenant administrator through UIDs. These Web-services users are stored in an internal LDAP server.
• Atmos CAS users are defined not only by the node that is configured as the CAS-enabled access node, but also by the subtenant ID with which they are associated.
Note: Because of the inconsistent view of users, the administrative user responsible for defining Web-services users must be careful about user name conflicts. For example, user1 might exist in the file system LDAP authentication source. If the administrator creates user1 as a Web-services user, Atmos cannot guarantee that those two users are the same.
To enable a flexible security configuration, Atmos supports user management through the authentication providers described in Table 1.

Table 1 Authentication Providers
Authentication Provider / Description
Atmos internal LDAP
    A directory service hosted within the Atmos system. The SecurityAdmin role is created when Atmos is installed, but you can add other administrative roles through the system management GUI. For more information, see EMC Atmos Administrator’s Guide.
External LDAP provider
    A directory service that you can configure for administrator authentication. For more information on configuring your system for external LDAP providers, see EMC Atmos Administrator’s Guide.
Active Directory (for CIFS users)
    A directory service that you can configure to authenticate CIFS users. Active Directory is supported only for authenticating CIFS users (UIDs). For CIFS users using Active Directory, Atmos supports authentication of only local administrators, not remote administrators. For more information, see the EMC Atmos Administrator’s Guide.

Data Integrity and Privacy
Atmos installs, on each node, a self-signed certificate using SHA1-RSA encryption. During the initial install, the certificate issuer is listed as localhost.localdomain. Once the install is complete, the certificate issuer is listed as the name of the Atmos master node. The certificate timestamp is set to the time the master node was installed from the installation media.
• Administrative roles — Atmos requires HTTPS (HTTP over TLS) when accessing the system management user interface. The administrative roles access the administration console for their role. They access the dashboard using a Web browser running on HTTPS using port 443. Attempts to access the administrative interface through unsecured channels are redirected to the HTTPS channel.
• Web-service applications — Can use HTTP (80) or HTTPS (10080). For Amazon S3 applications, the ports are 8080 (HTTP) and 8443 (HTTPS).
Note: In Atmos configurations of a single tenant, only one certificate is necessary for web services and system management.

Administrative Security
Atmos implements role-based access control for administrative tasks.
• SecurityAdmin — This role is provided out-of-the-box. Atmos allows a single SecurityAdmin for the entire system. The role name must be SecurityAdmin. The SecurityAdmin authenticates using Atmos’s internal LDAP server; it cannot be configured to use an external source.
The SecurityAdmin user has the following defaults (but the user is required to change the password during the installation procedure):
    • URL = https://master-node-ip/mgmt_login
    • User Name = SecurityAdmin
    • Password = #1Passwd
• SysAdmin — This role is responsible for managing an Atmos system. This role can be authenticated using the Atmos internal LDAP server, or you can configure it to authenticate through your own LDAP server.
• TenantAdmin — This role is responsible for managing the applications that access the Atmos system. This role can authenticate using Atmos’s internal LDAP server, or you can configure it to authenticate through your own LDAP server.
• SubTenantAdmin — This role is responsible for managing the applications that access the Atmos system as subtenants. This role can authenticate using Atmos’s internal LDAP server, or you can configure it to authenticate through your own preconfigured LDAP server.
For more information on these roles and the tasks they can perform, see EMC Atmos Administrator’s Guide.
Web-services Security
Atmos implements Web-services security using the Keyed-Hash Message Authentication Code (HMAC) algorithm. To enable a Web-service application to access Atmos:
1. The SysAdmin defines the Atmos access nodes that are available for Web-service access from a specific tenant.
2. The TenantAdmin does the following:
• Defines UIDs (user IDs) that represent security principals for the Web-services node.
• Generates shared secrets for the UIDs.
• Sends the shared secrets to the Web-services application developer.
The Web-services application developer is responsible for generating the signature and including it with the REST or S3 messages. For REST applications, the Atmos Web server implements proprietary security classes to enforce the MAC security scheme.
To authenticate S3 applications, use the S3 Authorization header, substituting the Atmos UID and shared secret for the S3 access key and secret key values as needed.
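The shared-secret signing step that the Web-services developer performs, and the matching check on the Atmos side, as an added Python example that is not code from this guide or from EMC. The canonical-string layout, the x-emc-* header names, SHA-1 as the hash, the five-minute replay window and the sample UID and secret are all assumptions; the guide only states that HMAC with the UID's shared secret is used.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Callable, Dict, Optional

# Constructed sample credentials (hypothetical, not from the guide): a UID
# defined by the TenantAdmin and the shared secret generated for it.
SAMPLE_UID = "tenant1/appuser"
SAMPLE_SECRET = base64.b64encode(b"constructed-shared-secret-bytes").decode()
MAX_CLOCK_SKEW = timedelta(minutes=5)  # replay window; an assumed policy value


def canonical_string(method: str, content_type: str, byte_range: str,
                     date: str, resource: str, emc_headers: Dict[str, str]) -> str:
    """String both sides sign. The layout (method, Content-Type, Range, date,
    lowercase resource path, then x-emc-* headers sorted by lowercase name) is
    an assumption modelled on the Atmos REST scheme; the guide only states that
    an HMAC keyed with the UID's shared secret protects each request."""
    canon = {k.lower(): " ".join(v.split()) for k, v in emc_headers.items()}
    lines = [method.upper(), content_type, byte_range, date, resource.lower()]
    lines += [f"{name}:{canon[name]}" for name in sorted(canon)]
    return "\n".join(lines)


def sign(secret_b64: str, canonical: str) -> str:
    """HMAC-SHA1 of the canonical string, keyed with the decoded shared secret."""
    key = base64.b64decode(secret_b64)
    mac = hmac.new(key, canonical.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def build_signed_headers(uid: str, secret_b64: str, method: str, resource: str,
                         date: str, content_type: str = "", byte_range: str = "",
                         extra_emc: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Client side: headers for one request, including x-emc-signature."""
    emc = {"x-emc-uid": uid, "x-emc-date": date}
    emc.update(extra_emc or {})
    canonical = canonical_string(method, content_type, byte_range, date, resource, emc)
    headers = dict(emc)
    if content_type:
        headers["Content-Type"] = content_type
    if byte_range:
        headers["Range"] = byte_range
    headers["x-emc-signature"] = sign(secret_b64, canonical)
    return headers


def verify_request(lookup_secret: Callable[[str], Optional[str]], method: str,
                   resource: str, headers: Dict[str, str],
                   now: Optional[datetime] = None) -> bool:
    """Server side: recompute the signature from the received request. Rejects
    an unknown UID, a missing signature, a stale x-emc-date (replay protection,
    when `now` is given) and any mismatch, using a constant-time compare."""
    h = {k.lower(): v for k, v in headers.items()}
    uid, presented = h.get("x-emc-uid"), h.get("x-emc-signature")
    if not uid or not presented:
        return False
    secret = lookup_secret(uid)  # e.g. the UID's secret from the lockbox
    if secret is None:
        return False
    if now is not None:
        try:
            sent = parsedate_to_datetime(h.get("x-emc-date", ""))
        except (TypeError, ValueError):
            return False
        if sent.tzinfo is None:  # treat an offset-less date as UTC
            sent = sent.replace(tzinfo=timezone.utc)
        if abs(now - sent) > MAX_CLOCK_SKEW:
            return False
    emc = {k: v for k, v in h.items() if k.startswith("x-emc-") and k != "x-emc-signature"}
    canonical = canonical_string(method, h.get("content-type", ""), h.get("range", ""),
                                 h.get("x-emc-date", ""), resource, emc)
    return hmac.compare_digest(sign(secret, canonical).encode(), presented.encode())
```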
File-system Security
Atmos provides secure data access through the file system interface through the mauifs native file system client or through NFS and CIFS servers deployed in the system.
To enable file-system access:
1. The SysAdmin defines the Atmos nodes available for access by NFS/CIFS.
2. The TenantAdmin sets up the share that can be used.
Atmos relies on file system applications to authenticate the end-users outside the Atmos system, but access is only allowed through the valid access nodes and IP addresses defined by the tenant. Atmos authorizes users/principals based on the ACL associated with each object. Atmos supports POSIX extended ACLs. POSIX extended ACLs include simple mode bits, named users, named groups, default ACLs, and ACL inheritance.
For more information, see the EMC Atmos Administrator’s Guide.
Atmos CAS Security
Applications use the native Atmos CAS API (also known as the EMC Centera SDK or SDK) to interact with Atmos CAS, an access method for Content Addressable Storage on the Atmos platform. Because of a limitation that exists with the Centera SDK, the SDK does not use the SSL protocol as a means of communication between the application and Atmos CAS.
The Atmos CAS security model prevents unauthorized applications from storing data on or retrieving data from Atmos. Application authentication is the process whereby the application must provide authentication information to Atmos CAS before access to Atmos can be granted.
Applications authenticate using a combination of a subtenant ID and a unique identifier (UID). This pair contains information about the identity of a client application and determines the operations that the client application can perform on one or more CAS-enabled nodes. This information is available in the PEA file that the system administrator generates with the Atmos-CAS PEA File Generator.
The PEA file contains the following information:
• User name: A combination of subtenant ID and UID joined together by a colon (SubtenantId:UID).
• Secret: A password that is used to authenticate the application.
In addition to authenticating the application, Atmos CAS transfers a capability string to the SDK. This capability string contains Atmos CAS capabilities and authorizes the application to perform certain operations on the Atmos system.
For more information on the subtenant and UID pair, see the EMC Atmos CAS Programmer’s Guide.
Atmos System Accounts
Atmos nodes are configured with the built-in system accounts described in Table 2.

Table 2 Default Credentials for Atmos System Accounts
Account     Default Password    Description
ladmin      ladmin              Limited privileges to perform diagnostics and maintenance on Atmos nodes.
ifsadmin    ifsadmin            Used to configure Atmos IFS.
For improved security, Atmos recommends that you ask your Atmos Global Services representative to change the passwords for these accounts after installing Atmos.
Communication-security Settings
Communication security settings enable the establishment of secure communication channels between Atmos components as well as between Atmos components and external systems or components.
Port Usage
The tables in this section list the external interfaces, network listening ports, services, and protocols used by Atmos components. This information is needed to use Atmos in conjunction with a firewall.
• Table 3, “Ports used by the management network”
• Table 4, “Ports used by the data network”
• Table 5, “Ports used by the access network”
Table 3 Ports used by the management network
Protocol   Port     Component                                     Service
TCP        22       System management                             SSH
TCP        80       Web services Interface                        HTTP
TCP/UDP    111      NFS Access                                    Sun RPC
TCP        389      LDAP                                          WS Authentication
TCP        443      Atmos secure (SSL) system-management GUI      HTTPS
TCP        3000     System management GUI                         HTTP
TCP        4001     NFS service                                   NFS lockd
TCP        4002     NFS service                                   NFS statd
TCP        4003     NFS service                                   NFS mountd
TCP        5432     Atmos system management                       Atmos
TCP        5433     Atmos system management                       Atmos event management
TCP        5672     Atmos system management                       Atmos
TCP/UDP    7001     Atmos system management                       Atmos
TCP        8001     Atmos system management                       Atmos
TCP        8003     Atmos system management                       Atmos
TCP        8004     Atmos system management                       Atmos
TCP        8017     Atmos system management                       Atmos event management
TCP        8080     Amazon S3 Web services Interface              HTTP
TCP        8101     Atmos system management                       Atmos
TCP        8401     Atmos system management                       Atmos
TCP        8443     Amazon S3 Web services Interface              HTTPS
TCP        8501     Atmos system management                       Atmos
TCP        8647     RMS                                           Atmos
TCP/UDP    8649     RMS                                           Atmos
TCP        8650     RMS                                           Atmos
TCP        8651     RMS                                           Atmos
TCP        8652     RMS                                           Atmos
TCP/UDP    8653     Atmos system management                       Atmos
TCP/UDP    9651     RMS                                           Atmos
TCP        9652     RMS                                           Atmos
TCP        10022    SSH                                           Atmos
TCP        10080    Web services Interface                        HTTP
TCP        10303    RMS                                           Atmos
TCP        10305    Atmos configuration manager                   Atmos
TCP        10311    mauicc                                        Atmos
TCP        10322    Atmos Upgrade                                 Atmos
TCP        10389    Atmos Internal LDAP authentication service    LDAP
TCP        10401*   MDS                                           Atmos
TCP        10601*   MDS                                           Atmos
UDP        123      Time synchronization                          NTP
UDP        162      SNMP (default port for NMS)                   Atmos
UDP        1434     NFS access                                    ms-sql-mon
Table 4 Ports used by the data network
Protocol   Port            Component                                     Service
TCP        80              Web services Interface                        HTTP
TCP/UDP    111             NFS Access                                    Sun RPC
TCP        389             MDLS                                          WS Authentication
TCP        443             Atmos secure (SSL) system-management GUI      HTTPS
TCP        445             CIFS Interface                                SMB
TCP/UDP    2049            NFS Access to the Atmos file system           NFS
TCP/UDP    3218            Atmos CAS access                              Atmos CAS
TCP        8080            Amazon S3 Web services Interface              HTTP
TCP        8443            Amazon S3 Web services Interface              HTTPS
TCP        10080           Web services Interface                        HTTP
TCP        10301           SS                                            Atmos
TCP        10302           Job Service                                   Atmos
TCP        10307           MDLS                                          Atmos
TCP        10322           Atmos Upgrade                                 Atmos
TCP        10330           SS (Proxy)                                    Atmos
TCP        10401-10499*    MDS                                           Atmos
TCP        10501-10599*    MDS                                           Atmos
TCP        10601-10699*    Remote MDS                                    Atmos
TCP        10701-10799*    Remote MDS                                    Atmos
Table 5 Ports used by the access network
Protocol   Port     Component                                     Service
TCP        80       Web services Interface                        HTTP
TCP/UDP    111      NFS Access                                    Sun RPC
TCP        443      Atmos secure (SSL) system-management GUI      HTTPS
TCP        445      CIFS Interface                                SMB
TCP/UDP    2049     NFS Access to the Atmos file system           NFS
TCP/UDP    3218     Atmos CAS access                              Atmos CAS
TCP        4001     Atmos Upgrade                                 NFS lockd
TCP        4002     Atmos Upgrade                                 NFS statd
TCP        4003     Atmos Upgrade                                 NFS mountd
TCP        8080     Amazon S3 Web services Interface              HTTP
TCP        8443     Amazon S3 Web services Interface              HTTPS
TCP        10080    Web services Interface                        HTTP
UDP        1434     NFS access                                    ms-sql-mon

* Specifies a range of ports that can be opened for metadata servers on an Atmos node. The number of ports you have to open varies based on the number of metadata servers on the node. The number of metadata servers per node is based on the disk ratio specified when the IS was installed. Each metadata disk has its own metadata server, and each metadata server requires one port.
For example, assume that your Atmos system uses the default 1:4 metadata to storage disk ratio on a 60-disk system. This means that each Atmos node would have:
• 12 metadata servers (each on their own disk)
• 1 Storage Server (with a 48-disk capacity)
To support this configuration, you would open the following ports on the appropriate VLAN firewall:
• 10401–10412
• 10501–10512
• 10601–10612
• 10701–10712
Note: Regardless of the number of disks, only one port, 10301, is required for the Storage Server.

Network Encryption
Atmos provides network encryption (SSLv3) for administrative actions via HTTPS on port 443. Atmos installs a self-signed certificate using SHA1-RSA encryption. Web services applications can choose to use HTTPS by using port 10080. S3 applications using HTTPS must use port 8443.
In Atmos configurations of a single tenant, only one certificate is necessary for web services and system management (administrative actions).
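The metadata-server port calculation from the Port Usage footnote, as an added Python example that is not code from this guide: it generalizes the 60-disk, 1:4 case to any disk count and ratio, refuses a node whose MDS count would not fit the 99-port ranges, and emits firewall allow rules. The iptables rule form, the node address and the round-down for uneven splits are constructed assumptions.

```python
"""Firewall ports for Atmos metadata servers (MDS) and the Storage Server.

Added example, not code from the guide: derives the ports to open from a
node's disk count and its metadata:storage disk ratio, following the rule
that every metadata disk runs its own MDS and every MDS needs one port in
each of the four MDS ranges, while the Storage Server always uses 10301.
"""
from typing import List, Tuple

# Range bases from Table 4: local MDS 10401-10499 and 10501-10599,
# remote MDS 10601-10699 and 10701-10799 (99 usable ports each).
MDS_RANGE_BASES = (10400, 10500, 10600, 10700)
MDS_RANGE_WIDTH = 99
STORAGE_SERVER_PORT = 10301


def metadata_server_count(total_disks: int, ratio: Tuple[int, int] = (1, 4)) -> int:
    """Number of MDS on a node whose disks are split metadata:storage by `ratio`.

    Splits that do not divide evenly are rounded down (an assumption; the
    guide only shows the even 60-disk, 1:4 case).
    """
    meta, storage = ratio
    if total_disks <= 0 or meta <= 0 or storage <= 0:
        raise ValueError("disk count and ratio parts must be positive")
    return total_disks * meta // (meta + storage)


def mds_port_ranges(total_disks: int, ratio: Tuple[int, int] = (1, 4)) -> List[Tuple[int, int]]:
    """Inclusive (first, last) port pairs to open, one per MDS range."""
    count = metadata_server_count(total_disks, ratio)
    if count > MDS_RANGE_WIDTH:
        raise ValueError(f"{count} metadata servers exceed the {MDS_RANGE_WIDTH}-port ranges")
    return [(base + 1, base + count) for base in MDS_RANGE_BASES]


def firewall_rules(total_disks: int, ratio: Tuple[int, int] = (1, 4),
                   node_ip: str = "203.0.113.10") -> List[str]:
    """iptables-style ACCEPT rules for one node (node_ip is a constructed placeholder)."""
    rules = [f"-A INPUT -p tcp -d {node_ip} --dport {STORAGE_SERVER_PORT} -j ACCEPT"]
    for first, last in mds_port_ranges(total_disks, ratio):
        rules.append(f"-A INPUT -p tcp -d {node_ip} --dport {first}:{last} -j ACCEPT")
    return rules


if __name__ == "__main__":
    # The guide's worked case: 60 disks at 1:4 gives 12 MDS and one SS.
    print("\n".join(firewall_rules(60)))
```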