
EMC® Atmos™

Version 2.3.1

Security Configuration Guide
P/N 300-015-476
REV 01


Copyright © 2008- 2015 EMC Corporation. All rights reserved. Published in the USA.

Published August, 2015

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC2, EMC, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners.

For the most up-to-date regulatory document for your product line, go to the technical documentation and advisories section on the EMC online support website.

CONTENTS

Preface

Chapter 1 Security Configuration

  About Atmos Security
    Authentication
    Data Integrity and Privacy
  Administrative Security
  Web-services Security
  File-system Security
  Atmos CAS Security
  Atmos System Accounts
  Communication-security Settings
    Port Usage
    Network Encryption

PREFACE

As part of an effort to improve its product lines, EMC periodically releases revisions of its software and hardware. Therefore, some functions described in this document might not be supported by all versions of the software or hardware currently in use. The product release notes provide the most up-to-date information on product features.

Contact your EMC representative if a product does not function properly or does not function as described in this document.

Note: This document was accurate at publication time. New versions of this document might be released on the EMC online support website. Check the EMC online support website to ensure that you are using the latest version of this document.

Audience

This document is intended for system administrators and provides an overview of the security configuration settings available to ensure secure operation of EMC® Atmos™.

Related documentation

The EMC Atmos documentation set includes the following titles:

• EMC Atmos Release Notes

• EMC Atmos Administrator’s Guide

• EMC Atmos Programmer’s Guide

• EMC Atmos System Management API Guide

• EMC Atmos Security Configuration Guide

• EMC Atmos CAS Programmer’s Guide

• EMC Atmos CAS API Reference Guide

• EMC Atmos Installable File System (IFS) Installation and Upgrade Guide

• EMC Atmos online help

• EMC Atmos Series Open Source License and Copyright Information

• EMC Atmos Series Open Source License and Copyright Information for GPLv3

Conventions used in this document

EMC uses the following conventions for special notices:

Note: A note presents information that is important, but not hazard-related.

IMPORTANT

An important notice contains information essential to software or hardware operation.


Typographical conventions

EMC uses the following type style conventions in this document:

Normal          Used in running (nonprocedural) text for:
                • Names of interface elements, such as names of windows, dialog boxes, buttons, fields, and menus
                • Names of resources, attributes, pools, Boolean expressions, buttons, DQL statements, keywords, clauses, environment variables, functions, and utilities
                • URLs, pathnames, filenames, directory names, computer names, links, groups, service keys, file systems, and notifications

Bold            Used in running (nonprocedural) text for names of commands, daemons, options, programs, processes, services, applications, utilities, kernels, notifications, system calls, and man pages
                Used in procedures for:
                • Names of interface elements, such as names of windows, dialog boxes, buttons, fields, and menus
                • What the user specifically selects, clicks, presses, or types

Italic          Used in all text (including procedures) for:
                • Full titles of publications referenced in text
                • Emphasis, for example, a new term
                • Variables

Courier         Used for:
                • System output, such as an error message or script
                • URLs, complete paths, filenames, prompts, and syntax when shown outside of running text

Courier bold    Used for specific user input, such as commands

Courier italic  Used in procedures for:
                • Variables on the command line
                • User input variables

< >             Angle brackets enclose parameter or variable values supplied by the user

[ ]             Square brackets enclose optional values

|               Vertical bar indicates alternate selections — the bar means “or”

{ }             Braces enclose content that the user must specify, such as x or y or z

...             Ellipses indicate nonessential information omitted from the example

Where to get help

EMC support, product, and licensing information can be obtained as follows:

Product information - For documentation, release notes, software updates, or information about EMC products, go to EMC Online Support at:

https://support.emc.com

Technical support - Go to EMC Online Support and click Service Center. You will see several options for contacting EMC Technical Support. Note that to open a service request, you must have a valid support agreement. Contact your EMC sales representative for details about obtaining a valid support agreement or with questions about your account.


Your comments

Your suggestions will help us continue to improve the accuracy, organization, and overall quality of the user publications. Send your opinions of this document to:

[email protected]


CHAPTER 1
Security Configuration

This guide provides an overview of the security configuration settings available to ensure a secure operation of EMC® Atmos™. This guide describes the following topics:

• About Atmos Security

• Administrative Security

• Web-services Security

• File-system Security

• Atmos CAS Security

• Atmos System Accounts

• Communication-security Settings

About Atmos Security

Atmos is architected as a multi-tenant system where a single instance of Atmos can support multiple organizations known as tenants. Atmos provides physical isolation of tenants and their data by restricting Atmos access nodes to specific tenants. Each tenant can be further subdivided into one or more subtenants. Subtenants are logically isolated from other subtenants. They use the access nodes defined for the tenant container, but they have their own objects, file systems, and users.

Figure 1 shows how the Atmos security components interact between the application tier and the Atmos tier.

Figure 1 Atmos Security Components

The Atmos tier includes:

• A Web-based system-management GUI.

Atmos controls security for administrative tasks through role-based access control. It includes roles for managing the system, tenants, and subtenants. For details about roles, see “Administrative Security”.

• Access nodes through which Web-services (REST, S3), file-system applications (CIFS and NFS), and Atmos Content Addressed Storage (CAS) can access Atmos data.

To create a secure multi-tenant environment, the system administrator configures which tenants control which access nodes. An access node provides the gateway to data access for applications written for Atmos. Each Atmos node is considered an individual appliance.

EMC provides software updates in the form of new code releases, security patches or hotfixes. Installation of external applications or software from non-EMC third parties is not permitted.

Atmos uses FIPS 140-2 validated cryptographic libraries to provide tamper evidence for the Atmos security-related configuration files used for system administrator authentication, and for the Web-services users whose UIDs and shared secrets are stored in the Atmos lockbox (the shared-secret keystore).

Authentication

Atmos authenticates users logging in at the administration interface and Web-services users. File-system applications (CIFS and NFS clients) are responsible for authenticating their end users. Atmos CAS authenticates applications first before access is granted to application users. Atmos ensures that authenticated users are able to perform only the actions for which they have permissions through roles, or through file system or object ACLs and UIDs.

Atmos does not currently ensure a consistent view of users across Web-services, file-system, and Atmos CAS authentication systems.

• File-system users are defined by the node that is configured as the file system access node. This access node can be either a natively configured NFS/CIFS access node for the tenant, or a RHEL5 Atmos file system client running IFS or acting as a gateway and re-exporting via NFS or CIFS. These nodes are typically configured to operate within a company’s infrastructure which includes the definition of an authentication source, such as LDAP. The file system interface inherits this configuration's userspace.

• Web-services users are defined by the tenant or subtenant administrator through UIDs. These Web-services users are stored in an internal LDAP server.

• Atmos CAS users are defined not only by the node that is configured as the CAS-enabled access node, but also by the subtenant ID with which they are associated.

Note: Because of the inconsistent view of users, the administrative user responsible for defining Web-services users must be careful about user name conflicts. For example, user1 might exist in the file system LDAP authentication source. If the administrator creates user1 as a Web-services user, Atmos cannot guarantee that those two users are the same.


To enable a flexible security configuration, Atmos supports user management through the authentication providers described in Table 1.

Table 1 Authentication Providers

Authentication Provider             Description

Atmos internal LDAP                 A directory service hosted within the Atmos system. The SecurityAdmin role is created when Atmos is installed, but you can add other administrative roles through the system management GUI. For more information, see EMC Atmos Administrator’s Guide.

External LDAP provider              A directory service that you can configure for administrator authentication. For more information on configuring your system for external LDAP providers, see EMC Atmos Administrator’s Guide.

Active Directory (for CIFS users)   A directory service that you can configure to authenticate CIFS users. Active Directory is supported only for authenticating CIFS users (UIDs). For CIFS users using Active Directory, Atmos supports authentication of only local administrators, not remote administrators. For more information, see the EMC Atmos Administrator’s Guide.

Data Integrity and Privacy

Atmos installs, on each node, a self-signed X.509 certificate whose signature algorithm is SHA-1 with RSA (sha1WithRSAEncryption); SHA-1 here is the signature hash, not an encryption algorithm. During the initial install, the certificate issuer is listed as localhost.localdomain. Once the install is complete, the certificate issuer is listed as the name of the Atmos master node. The certificate timestamp is set to the time the master node was installed from the installation media. Because the certificate is self-signed, clients cannot validate it against a trusted CA and must pin it explicitly; SHA-1 certificate signatures are also deprecated, so replacing the default certificate with one issued by your own CA using SHA-256 is the usual hardening step.

• Administrative roles — Atmos requires HTTPS (HTTP over TLS) when accessing the system management user interface. The administrative roles access the administration console for their role. They access the dashboard using a Web browser over HTTPS on port 443. Attempts to access the administrative interface through unsecured channels are redirected to the HTTPS channel.

• Web-service applications — Can use HTTP (port 80) or HTTPS (port 10080). For Amazon S3 applications, the ports are 8080 (HTTP) and 8443 (HTTPS).

Note: In Atmos configurations of a single tenant, only one certificate is necessary for web services and system management.

Administrative Security

Atmos implements role-based access control for administrative tasks.

• SecurityAdmin — This role is provided out-of-the-box. Atmos allows a single SecurityAdmin for the entire system. The role name must be SecurityAdmin. The SecurityAdmin authenticates using Atmos’s internal LDAP server; it cannot be configured to use an external source. The SecurityAdmin user has the following defaults (the password must be changed during the installation procedure, and a SecurityAdmin still carrying the shipped default after install should be treated as a finding):

  • URL = https://master-node-ip/mgmt_login

  • User Name = SecurityAdmin

  • Password = #1Passwd

• SysAdmin — This role is responsible for managing an Atmos system. This role can be authenticated using the Atmos internal LDAP server, or you can configure it to authenticate through your own LDAP server.

• TenantAdmin — This role is responsible for managing the applications that access the Atmos system. This role can authenticate using Atmos’s internal LDAP server, or you can configure it to authenticate through your own LDAP server.

• SubTenantAdmin — This role is responsible for managing the applications that access the Atmos system as subtenants. This role can authenticate using Atmos’s internal LDAP server, or you can configure it to authenticate through your own preconfigured LDAP server.

For more information on these roles and the tasks they can perform, see EMC Atmos Administrator’s Guide.

Web-services Security

Atmos implements Web-services security using the Keyed-Hash Message Authentication Code (HMAC) algorithm: each request carries a signature computed with the shared secret of the UID that sends it. To enable a Web-service application to access Atmos:

1. The SysAdmin defines the Atmos access nodes that are available for Web-service access from a specific tenant.

2. The TenantAdmin does the following:

• Defines UIDs (user IDs) that represent security principals for the Web-services node.

• Generates shared secrets for the UIDs.

• Sends the shared secrets to the Web-services application developer.

The Web-services application developer is responsible for computing the signature and including it with each REST or S3 request. For REST applications, the Atmos Web server implements proprietary security classes that enforce the HMAC scheme.

S3 applications authenticate with the standard S3 Authorization header, substituting the Atmos UID and shared secret for the S3 access key and secret key values.

Treat a shared secret like a password: anyone holding it can sign requests as that UID, so hand it to the developer over a protected channel, never embed it in client-side code, and regenerate it if it is exposed.

File-system Security

Atmos provides secure data access through the file-system interface, either through the mauifs native file-system client or through the NFS and CIFS servers deployed in the system.

To enable file-system access:

1. The SysAdmin defines the Atmos nodes available for access by NFS/CIFS.


2. The TenantAdmin sets up the share that can be used.

Atmos relies on file system applications to authenticate the end-users outside the Atmos system, but access is only allowed through the valid access nodes and IP addresses defined by the tenant. Atmos authorizes users/principals based on the ACL associated with each object. Atmos supports POSIX extended ACLs. POSIX extended ACLs include simple mode bits, named users, named groups, default ACLs, and ACL inheritance.

For more information, see the EMC Atmos Administrator’s Guide.

Atmos CAS Security

Applications use the native Atmos CAS API (also known as the EMC Centera SDK, or simply the SDK) to interact with Atmos CAS, an access method for Content Addressable Storage on the Atmos platform. Because of a limitation in the Centera SDK, the SDK does not use SSL/TLS between the application and Atmos CAS. CAS traffic on port 3218, including the application's authentication exchange, therefore crosses the network unencrypted, so restrict that port to trusted application hosts and network segments.

The Atmos CAS security model prevents unauthorized applications from storing data on or retrieving data from Atmos. Application authentication is the process whereby the application must provide authentication information to Atmos CAS before access to Atmos can be granted.

Applications authenticate using a combination of a subtenant ID and a unique identifier (UID). This pair contains information about the identity of a client application and determines the operations that the client application can perform on one or more CAS-enabled nodes. This information is available in the PEA file that the system administrator generates with the Atmos-CAS PEA File Generator.

The PEA file contains the following information:

• User name: A combination of subtenant ID and UID joined together by a colon (SubtenantId:UID).

• Secret: A password that is used to authenticate the application.

In addition to authenticating the application, Atmos CAS transfers a capability string to the SDK. This capability string contains Atmos CAS capabilities and authorizes the application to perform certain operations on the Atmos system.

For more information on the subtenant and UID pair, see the EMC Atmos CAS Programmer’s Guide.

Atmos System Accounts

Atmos nodes are configured with the built-in system accounts described in Table 2.

Table 2 Default Credentials for Atmos System Accounts

Account    Default Password   Description

ladmin     ladmin             Limited privileges to perform diagnostics and maintenance on Atmos nodes.

ifsadmin   ifsadmin           Used to configure Atmos IFS.

For improved security, Atmos recommends that you ask your Atmos Global Services representative to change the passwords for these accounts after installing Atmos.

Communication-security Settings

Communication security settings enable the establishment of secure communication channels between Atmos components as well as between Atmos components and external systems or components.

Port Usage

The tables in this section list the external interfaces, network listening ports, services, and protocols used by Atmos components. This information is needed to use Atmos in conjunction with a firewall.

• Table 3, “Ports used by the management network”

• Table 4, “Ports used by the data network”

• Table 5, “Ports used by the access network”

Table 3 Ports used by the management network

Protocol   Port     Component                                      Service

TCP        22       System management                              SSH
TCP        80       Web services interface                         HTTP
TCP/UDP    111      NFS access                                     Sun RPC
TCP        389      LDAP                                           WS authentication
TCP        443      Atmos secure (SSL) system-management GUI       HTTPS
TCP        3000     System management GUI                          HTTP
TCP        4001     NFS service                                    NFS lockd
TCP        4002     NFS service                                    NFS statd
TCP        4003     NFS service                                    NFS mountd
TCP        5432     Atmos system management                        Atmos
TCP        5433     Atmos system management                        Atmos event management
TCP        5672     Atmos system management                        Atmos
TCP/UDP    7001     Atmos system management                        Atmos
TCP        8001     Atmos system management                        Atmos
TCP        8003     Atmos system management                        Atmos
TCP        8004     Atmos system management                        Atmos
TCP        8017     Atmos system management                        Atmos event management
TCP        8080     Amazon S3 Web services interface               HTTP
TCP        8101     Atmos system management                        Atmos
TCP        8401     Atmos system management                        Atmos
TCP        8443     Amazon S3 Web services interface               HTTPS
TCP        8501     Atmos system management                        Atmos
TCP        8647     RMS                                            Atmos
TCP/UDP    8649     RMS                                            Atmos
TCP        8650     RMS                                            Atmos
TCP        8651     RMS                                            Atmos
TCP        8652     RMS                                            Atmos
TCP/UDP    8653     Atmos system management                        Atmos
TCP/UDP    9651     RMS                                            Atmos
TCP        9652     RMS                                            Atmos
TCP        10022    SSH                                            Atmos
TCP        10080    Web services interface                         HTTPS
TCP        10303    RMS                                            Atmos
TCP        10305    Atmos configuration manager                    Atmos
TCP        10311    mauicc                                         Atmos
TCP        10322    Atmos upgrade                                  Atmos
TCP        10389    Atmos internal LDAP authentication service     LDAP
TCP        10401*   MDS                                            Atmos
TCP        10601*   MDS                                            Atmos
UDP        123      Time synchronization                           NTP
UDP        162      SNMP (default trap port for the NMS)           Atmos
UDP        1434     NFS access                                     ms-sql-mon

Table 4 Ports used by the data network

Protocol   Port            Component                                  Service

TCP        80              Web services interface                     HTTP
TCP/UDP    111             NFS access                                 Sun RPC
TCP        389             MDLS                                       WS authentication
TCP        443             Atmos secure (SSL) system-management GUI   HTTPS
TCP        445             CIFS interface                             SMB
TCP/UDP    2049            NFS access to the Atmos file system        NFS
TCP/UDP    3218            Atmos CAS access                           Atmos CAS
TCP        8080            Amazon S3 Web services interface           HTTP
TCP        8443            Amazon S3 Web services interface           HTTPS
TCP        10080           Web services interface                     HTTPS
TCP        10301           SS                                         Atmos
TCP        10302           Job service                                Atmos
TCP        10307           MDLS                                       Atmos
TCP        10322           Atmos upgrade                              Atmos
TCP        10330           SS (proxy)                                 Atmos
TCP        10401-10499*    MDS                                        Atmos
TCP        10501-10599*    MDS                                        Atmos
TCP        10601-10699*    Remote MDS                                 Atmos
TCP        10701-10799*    Remote MDS                                 Atmos

Table 5 Ports used by the access network

Protocol   Port     Component                                  Service

TCP        80       Web services interface                     HTTP
TCP/UDP    111      NFS access                                 Sun RPC
TCP        443      Atmos secure (SSL) system-management GUI   HTTPS
TCP        445      CIFS interface                             SMB
TCP/UDP    2049     NFS access to the Atmos file system        NFS
TCP/UDP    3218     Atmos CAS access                           Atmos CAS
TCP        4001     NFS service                                NFS lockd
TCP        4002     NFS service                                NFS statd
TCP        4003     NFS service                                NFS mountd
TCP        8080     Amazon S3 Web services interface           HTTP
TCP        8443     Amazon S3 Web services interface           HTTPS
TCP        10080    Web services interface                     HTTPS
UDP        1434     NFS access                                 ms-sql-mon

* Specifies a range of ports that can be opened for metadata servers on an Atmos node. The number of ports you have to open varies based on the number of metadata servers on the node. The number of metadata servers per node is based on the disk ratio specified when the system was installed. Each metadata disk has its own metadata server, and each metadata server requires one port.

For example, assume that your Atmos system uses the default 1:4 metadata-to-storage disk ratio on a 60-disk system. This means that each Atmos node would have:

• 12 metadata servers (each on its own disk)

• 1 Storage Server (with a 48-disk capacity)

To support this configuration, you would open the following ports on the appropriate VLAN firewall:

• 10401–10412

• 10501–10512

• 10601–10612

• 10701–10712

Note: Regardless of the number of disks, only one port, 10301, is required for the Storage Server.

Network Encryption

Atmos provides network encryption for administrative actions via HTTPS on port 443; this guide documents the protocol as SSLv3. SSLv3 has since been deprecated (RFC 7568) because of protocol-level weaknesses, so confirm with your EMC representative which TLS versions your release negotiates and disable SSLv3 wherever the platform allows it. Atmos installs a self-signed certificate signed with SHA-1 and RSA. Web services applications can choose to use HTTPS by using port 10080. S3 applications using HTTPS must use port 8443.

In Atmos configurations of a single tenant, only one certificate is necessary for web services and system management (administrative actions).