
Dell EMC VPLEX GeoSynchrony

Security Configuration Guide

August 2020
Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.

CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid
the problem.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2016 - 2021 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Other trademarks may be trademarks of their respective owners.
Contents

Tables........................................................................................................................................... 5
Preface.........................................................................................................................................................................................6

Chapter 1: VPLEX overview........................................................................................................... 8

Chapter 2: Security recommendations..........................................................................................11

Chapter 3: VPLEX management server operating system and networking.................................... 12


Accessing the management server................................................................................................................................13
Using SSH to access the management server shell............................................................................................ 13
Using HTTPS to access the metro node UI...........................................................................................................13
Using IPsec VPN in a VPLEX Metro implementation.......................................................................................... 13
Using SCP to copy files.............................................................................................................................................. 14
Using a tunneled VNC connection to access the management server desktop...........................................16

Chapter 4: IP addresses and component IDs................................................................................ 18

Chapter 5: Implementing IPv6..................................................................................................... 22

Chapter 6: Security configuration settings..................................................................................23


User roles, accounts, and privileges............................................................................................................................. 23

Chapter 7: Configuring user authentication................................................................................. 24


Role-based access control feature overview............................................................................................................. 24
Role descriptions .................................................................................................................................................... 25
Role-based access control and NDU...................................................................................................................... 25
LDAP/AD user authentication........................................................................................................................................26
Password policy ................................................................................................................................................................26
Synchronizing service account password to MMCS peer.......................................................................................27

Chapter 8: Manage user accounts................................................................................................28


Adding user accounts....................................................................................................................................................... 28
View user account details............................................................................................................................................... 28
Changing passwords.........................................................................................................................................................29
Resetting passwords........................................................................................................................................................ 29
Deleting user accounts.................................................................................................................................................... 29

Chapter 9: Log file settings......................................................................................................... 31

Chapter 10: Communication Security Settings.............................................................................32


Communication security settings.................................................................................................................................. 32
IP WAN COM................................................................................................................................................................32
Accessibility...................................................................................................................................................................32
Port Usage.................................................................................................................................................................... 33

Communications specifications - VPLEX Metro system....................................................................................33
Communications specifications - VPLEX Local system..................................................................................... 35
Network Encryption....................................................................................................................................................36
Creating a local Certification Authority..................................................................................................................36
Finding the host certificate's SHA256, SHA1 and (for GUI users) MD5 fingerprints...............................37
Finding the SSH key fingerprint (for SSH users)................................................................................................ 38
Configurable HTTPS/TLS protocol.........................................................................................................................38
Data security settings................................................................................................................................................ 39

Tables

1 Typographical conventions...................................................................................................................................... 7
2 Quad-engine cluster director IP addresses........................................................................................................ 19
3 Dual-engine cluster director IP addresses......................................................................................................... 20
4 Single-engine cluster director IP addresses......................................................................................................20
5 Last Octets of Director IP Addresses.................................................................................................................20
6 IPv6 support on VPLEX components................................................................................................................. 22
7 Metro node user accounts and privileges.......................................................................................................... 23
8 Description of roles in Role-based Access Control......................................................................................... 25
9 Default password policies...................................................................................................................................... 26
10 VPLEX component log files....................................................................................................................................31
11 Communication in a VPLEX Metro system........................................................................................................34
12 Communication in a VPLEX Local system......................................................................................................... 35

Preface
As part of an effort to improve its product lines, Dell EMC periodically releases revisions of its software and hardware.
Therefore, some functions described in this document might not be supported by all versions of the software or hardware
currently in use. The product release notes provide the most up-to-date information on product features.
Contact your Dell EMC technical support professional if a product does not function properly or does not function as described
in this document.
NOTE: This document was accurate at publication time. Go to Dell EMC Online Support (https://www.dell.com/support)
to ensure that you are using the latest version of this document.

Purpose
This document is part of the VPLEX documentation set, and describes the VPLEX features and use cases, configuration options,
VPLEX software and its upgrade, and the hardware overview.

Audience
This guide is intended for use by customers who wish to understand the software and hardware features of VPLEX, the use
cases of VPLEX, product offerings, and the configuration options.
Related documents (available on Dell EMC Online Support and SolVe) include:
● Release Notes for the metro node appliance
● Product Guide for the metro node appliance
● Metro node Hardware Installation Guide
● Configuration and Installation Guide for the metro node appliance
● Security Configuration Guide for the metro node appliance
● CLI Reference Guide for the metro node appliance
● Administration Guide for the metro node appliance
● Online Help for the metro node appliance
● REST API v2 for the metro node appliance
● Open Source Licenses Guide for the metro node appliance
● Hardware Reference Guide for the metro node appliance
● Procedures provided through the SolVe

Special notice conventions used in this document


Dell EMC uses the following conventions for special notices:

CAUTION: Indicates a hazardous situation which, if not avoided, will result in death or serious injury.

CAUTION: Indicates a hazardous situation which, if not avoided, could result in death or serious injury.

CAUTION: Indicates a hazardous situation which, if not avoided, could result in minor or moderate injury.

NOTE: Addresses practices not related to personal injury.

NOTE: Presents information that is important, but not hazard-related.

Typographical conventions
Dell EMC uses the following type style conventions in this document:

Table 1. Typographical conventions
Bold Used for names of interface elements, such as names of windows, dialog boxes, buttons,
fields, tab names, key names, and menu paths (what the user specifically selects or clicks)
italic Used for full titles of publications referenced in text
Monospace Used for:
● System code
● System output, such as an error message or script
● Pathnames, filenames, prompts, and syntax
● Commands and options
Monospace italic Used for variables
Monospace bold Used for user input
[] Square brackets enclose optional values
| Vertical bar indicates alternate selections - the bar means "or"
{} Braces enclose content that the user must specify, such as x or y or z
... Ellipses indicate nonessential information omitted from the example

Where to get help


Dell EMC support, product, and licensing information can be obtained as follows:

Product information
For documentation, release notes, software updates, or information about Dell EMC products, go to Dell EMC Online Support at
https://www.dell.com/support.

Technical support
Go to Dell EMC Online Support and click Support. You will see several options for contacting Dell EMC Technical Support. Note
that to open a service request, you must have a valid support agreement. Contact your Dell EMC sales representative for details
about obtaining a valid support agreement or with questions about your account.

Online communities
Visit Dell EMC Community Network (DECN) at https://www.dell.com/community/Dell-Community/ct-p/English for peer
contacts, conversations, and content on product support and solutions. Interactively engage online with customers, partners,
and certified professionals for all Dell EMC products.

Your comments
Your suggestions will help us continue to improve the accuracy, organization, and overall quality of the user publications. Send
your opinions of this document to vplex.doc.feedback@dell.com.

1
VPLEX overview
An EMC® VPLEX® cluster consists of one, two, or four engines (each containing two directors), and a management server. A
dual-engine or quad-engine cluster also contains a pair of Fibre Channel switches for communication between directors.
Each engine is protected by a standby power supply (SPS), and each Fibre Channel switch gets its power through an
uninterruptible power supply (UPS). In a dual-engine or quad-engine cluster, the management server also gets power from
a UPS.
The management server has a public Ethernet port, which provides cluster management services when connected to the
customer network. The management server can also provide call-home services through the public Ethernet port by connecting
to an EMC Secure Remote Support (ESRS) gateway deployed on the same network. The ESRS gateway is also used by EMC
personnel to provide remote service.
Two VPLEX implementations are available:
● VPLEX Local (single cluster)
● VPLEX Metro (two clusters separated by synchronous distances)
In a VPLEX Metro implementation, the clusters are connected over IP between the management servers.
VPLEX user authentication is configured locally on the management server or remotely on an OpenLDAP or Active Directory
server which integrates with Unix using Service for UNIX 3.5, Identity Management for UNIX, or other authentication service.
A management server in each VPLEX cluster authenticates users against account information kept on its local file system or
against the LDAP/AD server. An authenticated user can manage resources in the local cluster.
In a VPLEX Metro, users authenticated by either management server can manage all resources in both clusters. Figure 1 shows a
VPLEX cluster configuration (quad system) example.

[Figure 1 (VS2 rack layout): Engine 1 through Engine 4, each with Director A and Director B and backed by SPS nA and SPS nB; Fibre Channel switch A and Fibre Channel switch B, each powered by its own UPS (UPS A, UPS B); the laptop tray; and the management server.]

Figure 1. VPLEX Cluster Configuration (VS2)

Figure 2. VPLEX Cluster Configuration (VS6)

2
Security recommendations
While the Security Configuration Guide must be reviewed in its entirety, this section summarizes the most important Dell EMC
security recommendations for protecting your data and environment.
● Given the elevated permissions granted to the service account, its password must be changed to better protect metro node
from misuse or abuse of those privileges. The service account password and the iDRAC root password are changed
automatically during initial system configuration.
● Given the elevated permissions granted to the iDRAC root account, its password must be changed to better protect metro
node from misuse or abuse of those privileges. Use the command vplex_system_config --idrac to change the password.
● To retrieve the auto-generated password, run
/opt/dell/vplex/system_config/bin/system_config_collect.py --SHOW-IDRAC-PWD.

3
VPLEX management server operating system
and networking
The operating system (OS) of the VPLEX management server is based on Novell SUSE Linux Enterprise Server. In GeoSynchrony
releases 5.3 to 5.5.2 and their patches, the management server runs SUSE Linux Enterprise Server 11 patch 3. Starting with
release 6.0, the management server, including MMCS-A and MMCS-B on VS6, runs SUSE Linux Enterprise Server 11 Service
Pack 4.
The operating system has been configured to meet EMC security standards by disabling or removing unused services and
packages, and by protecting access to network services through a firewall.
The packages that remain installed are hardened with security updates.
A VS2 management server has four Ethernet ports, identified as eth0 through eth3 by the operating system, shown in the
figure below. A 1 Gb/s public management port (eth3) is the only Ethernet port in the VPLEX rack that may be connected to
an external management LAN. Other components in the rack are connected to two redundant private management Ethernet
networks, connected to the management server's eth0 and eth2 ports. A service port (eth1) can be connected to a local laptop,
providing access to the same services as a host on the management LAN.

Figure 3. VS2 Management server, rear view

In a VS6 system, the management server module (MMCS-A and MMCS-B) is located in the first engine of the cluster. All
the remaining engines have Akula management modules for management connectivity. MMCS-A is the management
interface to the public network and to the other VPLEX components in the cluster.

[Figure 4 (engine 1 of a VS6 cluster): the customer network connection ports on MMCS-A and MMCS-B, and the service port.]

Figure 4. Customer IP network connections on MMCS-A and MMCS-B

Topics:
• Accessing the management server



Accessing the management server
Two protocols allow access to a metro node management server over a secure and encrypted connection: SSH and HTTPS.

Using SSH to access the management server shell


Users can log in to the management server shell over SSH version 2, through the management server's public Ethernet port or
service port. The SSH service is available on the standard port 22.

About this task


An SSH login with appropriate credentials allows access to a Linux shell on the management server. From there:
● Users can access the metro node command line interface (VPlexcli).
● A service account user can also inspect log files, start and stop services, and upgrade firmware and software.
SSH also can be used to establish a secure tunnel between the management server and the host running the SSH client. Using
SSH to access the management server shell provides more information.

Using HTTPS to access the metro node UI


The Unisphere for metro node graphical user interface (UI) is accessible as a web service on the management server's public
Ethernet port and the service port, using the HTTPS protocol. It is available on the standard port 443.

About this task


The following URL initiates an HTTPS connection to the UI:

https://management_server_public_IP_address

To access the UI using an IPv6 address, use the following URL:

https://[mgmtserver_ipv6_addr]

For example:

https://[3ffe:80c0:22c:803c:215:17ff:fed3:207]/smsflex/VPlexConsole.html

NOTE: Accessing the metro node UI or the metro node CLI over IPv6 is possible only if the client machine is also in an IPv6
network. The readonly user has no UI access.
The UI encrypts all traffic using a server certificate. Creating a host certificate provides more information.
NOTE: The UI has a timer that logs the user out after 10 minutes of inactivity. You can modify the timeout value to a
maximum of 12 hours.

Using IPsec VPN in a VPLEX Metro implementation


About this task
The management servers in the two VPLEX Metro clusters must connect to each other over a Virtual Private Network (VPN)
through the public Ethernet port, as shown in the following figure.



Figure 5. IPSec VPN connection

Although you might have already secured the network connections between two VPLEX Metro clusters, the management
servers must establish an explicit VPN connection, to acknowledge that the remote management server has full management
control over the local cluster and its resources.
The VPLEX management server uses strongSwan, an open source implementation of IPsec for Linux.

Using SCP to copy files


The Secure Copy Protocol (SCP) allows users to transfer files to and from the management server. SCP uses the same
credentials as SSH. Popular SCP clients are WinSCP and PSCP provided by the PuTTY package, and the SCP client provided by
OpenSSH.

Transferring files to and from the management server using SCP


VPLEX allows file transfer to and from the management server using SCP. In VPLEX release 6.0, SCP permissions are granted
together with shell access.

Prerequisites
To use SCP to transfer files to and from the management server, you must have shell access.

About this task


Users without shell access can transfer files only to a specific management server directory: files are uploaded with SCP to one
designated directory and retrieved from another directory located on the management server.

NOTE: You cannot transfer or retrieve directories.

Files that are transferred with SCP into or out of the management server can be viewed in the contexts
/management-server/users/share/in and /management-server/users/share/out respectively. All users see identical output
(independent of file ownership) under these in and out contexts. Only the owner of the file (or the admin or service users) can
delete a file.
For example, if user testuser1 (with no shell access) uses SCP to transfer a file named a.txt into the management server,
anyone logged into the management server sees a.txt displayed in the /management-server/users/share/in
context. No one other than testuser1 (or admin or service) can delete a.txt from the management server.
The service and admin users are authorized to delete any existing file in the SCP sub-directories, using the CLI rm command.
Other users are only authorized to delete files to which they have access. See the rm command in the EMC VPLEX CLI
Reference Guide for details.
To modify permissions for SCP file transfers to and from the management server, do the following.



Steps
1. Verify the attribute value for VPLEX local user testuser1 by listing the /management-server/users/local/testuser1
context. shell-access should be set to false by default.

VPlexcli:/management-server/users/local/testuser1> ls
Name Value
------------ ---------
role-name vplexuser
shell-access false
user-name testuser1

2. Run the following examples to test SCP file transfers for the restricted-shell user testuser1.
a. Transfer a file from a remote server and verify that the transfer succeeded by listing the management server's SCP in
context.

admin@host1:~>scp monitor.xml testuser1@10.63.14.134:


Password:
monitor.xml 100% 1532 1.5KB/s 00:00

VPlexcli:/> ll /management-server/share/in/

Name
---------------
logfile
loginbanner.txt
monitor.xml

b. Transfer files from the management server to an external host and verify the result on the management server. The file
should be present in the shell location /diag/share/out/, which corresponds to /management-server/share/out/ in
the CLI.

VPlexcli:/> ll /management-server/share/out/

Name
--------
testfile

Copy files to a remote server using scp.

admin@host1:~> scp testuser1@10.63.14.134:testfile .


Password:
testfile 100% 0 0.0KB/s 00:00
admin@host1:~> ls
bin monitor.xml testfile

c. Attempt to transfer a file with scp to a management server directory that is inaccessible to the shell-restricted user testuser1.

admin@host1:~> scp testfile testuser1@<mgmt-server-ip>:/tmp/

admin@host1:~> scp logfile vplexuser@10.110.19.35:/tmp/

Warning: Permanently added '10.110.19.35' (ECDSA) to the list of known hosts.


Password:
[ERROR]/tmp/: Re-enter the command without the destination file path.
Usage: 'scp <absolute path to file> <user>@<public-ip-address>:'

Use SCP to transfer a file in the /tmp/ location from the management server to an external host.

admin@host1:~> scp vplexuser@10.110.19.35:/tmp/testfile .



After the command fails, display the log file to verify the cause of failure.

Warning: Permanently added '10.110.19.35' (ECDSA) to the list of known hosts.


Password:
[ERROR]scp: /tmp/testfile: No such file or directory

d. Delete a.txt from the SCP share/in context using the rm command.

VPlexcli:/management-server/share/in> ls
a.txt b.txt

VPlexcli:/management-server/share/in> rm a.txt

VPlexcli:/management-server/share/in> ls
b.txt

Using a tunneled VNC connection to access the management server desktop
The SSH protocol provides a mechanism for sending unencrypted traffic through an encrypted SSH connection. Most SSH
clients, such as OpenSSH and PuTTY, allow users to establish SSH tunnels by specifying a port on their local machine (source
port), and a port on the management server (destination port).

About this task


Access to the management server's desktop is provided by VNC access through an SSH tunnel. Users must first establish an
SSH tunnel between destination port 5901 and local port 5901, and then connect a VNC viewer to local port 5901. Popular VNC
clients are RealVNC and TightVNC.
To establish a tunnel, you must log in with your standard SSH credentials. After a successful login, the SSH client program must
remain running, to allow the SSH tunnel to remain operational.
Follow these steps to establish a tunneled VNC connection using PuTTY:

Steps
1. Launch PuTTY.exe, and configure the PuTTY window as shown in the figure below:
● Server address — Public IP address of the VPLEX management server.
● Session name — Type a name for the PuTTY session you are configuring. This allows you to load the saved session if you
need to reconnect later, eliminating the need to configure the individual parameters again.
● Default settings — Verify, and set as shown if necessary.



Figure 6. PuTTY configuration window
2. Expand SSH in the Category list, and click Tunnels.
3. Configure the SSH port forwarding parameters as shown in the figure below, and then click Add.

Figure 7. PuTTY configuration: SSH port forwarding parameters

4. Click Open to establish an SSH tunnel to the management server. When prompted, type the account password.
5. Authenticate as usual, and leave the PuTTY window open.
6. Launch the VNC viewer, and connect to localhost:5901.



4
IP addresses and component IDs
The IP addresses of the VPLEX hardware components are determined by a set of formulae that depend on the internal
management network (A or B), the Cluster IP Seed, and (for directors) the Enclosure ID (which matches the engine number).
The figures below show the IP addresses in a cluster with a Cluster IP Seed of 1 and addresses for a Cluster IP Seed of 2. Note
that the Cluster IP Seed is the same as the Cluster ID, which depends on the following VPLEX implementation:
● VPLEX Local - The Cluster ID is always 1.
● VPLEX Metro - The Cluster ID for the first cluster that is set up is 1, and the second cluster is 2.
NOTE: The management server supports the coexistence of IPv6 and IPv4 addresses. However, the directors support only
IPv4 addresses.

Figure 8. VPLEX VS2 hardware component IP addresses in cluster 1



Figure 9. VPLEX VS2 hardware component IP addresses in VPLEX Metro cluster 2

MMCS IP Addresses
This table lists the IP addresses of the MMCS modules on engine-1 of VPLEX VS6 systems.

MMCS   Cluster 1 IP address   Cluster 2 IP address
A      128.221.252.33         128.221.252.65
B      128.221.253.33         128.221.253.65

Director IP Addresses on VPLEX VS6


List of IP addresses of all directors on both clusters in a quad-engine VPLEX system.

Table 2. Quad-engine cluster director IP addresses


Director name Cluster 1 IP addresses (subnet A, subnet B) Director name Cluster 2 IP addresses (subnet A, subnet B)
Director-1-1-A 128.221.252.35 128.221.253.35 Director-2-1-A 128.221.252.67 128.221.253.67
Director-1-1-B 128.221.252.36 128.221.253.36 Director-2-1-B 128.221.252.68 128.221.253.68
Director-1-2-A 128.221.252.37 128.221.253.37 Director-2-2-A 128.221.252.69 128.221.253.69
Director-1-2-B 128.221.252.38 128.221.253.38 Director-2-2-B 128.221.252.70 128.221.253.70
Director-1-3-A 128.221.252.39 128.221.253.39 Director-2-3-A 128.221.252.71 128.221.253.71
Director-1-3-B 128.221.252.40 128.221.253.40 Director-2-3-B 128.221.252.72 128.221.253.72
Director-1-4-A 128.221.252.41 128.221.253.41 Director-2-4-A 128.221.252.73 128.221.253.73
Director-1-4-B 128.221.252.42 128.221.253.42 Director-2-4-B 128.221.252.74 128.221.253.74



Dual-engine Cluster - Director IP Addresses
List of IP addresses of all directors on both clusters in a dual-engine VPLEX system.

Table 3. Dual-engine cluster director IP addresses


Director name Cluster 1 IP addresses (subnet A, subnet B) Director name Cluster 2 IP addresses (subnet A, subnet B)
Director-1-1-A 128.221.252.35 128.221.253.35 Director-2-1-A 128.221.252.67 128.221.253.67
Director-1-1-B 128.221.252.36 128.221.253.36 Director-2-1-B 128.221.252.68 128.221.253.68
Director-1-2-A 128.221.252.37 128.221.253.37 Director-2-2-A 128.221.252.69 128.221.253.69
Director-1-2-B 128.221.252.38 128.221.253.38 Director-2-2-B 128.221.252.70 128.221.253.70

Single-engine Cluster - Director IP Addresses


List of IP addresses of all directors on both clusters in a single-engine VPLEX system.

Table 4. Single-engine cluster director IP addresses


Director name Cluster 1 IP addresses (subnet A, subnet B) Director name Cluster 2 IP addresses (subnet A, subnet B)
Director-1-1-A 128.221.252.35 128.221.253.35 Director-2-1-A 128.221.252.67 128.221.253.67
Director-1-1-B 128.221.252.36 128.221.253.36 Director-2-1-B 128.221.252.68 128.221.253.68

Last Octets of Director IP Addresses


Table 5. Last Octets of Director IP Addresses
Deployment Director name Cluster 1 octets Director name Cluster 2 octets
Single, Dual, Quad Director-1-1-A 35 Director-2-1-A 67
Single, Dual, Quad Director-1-1-B 36 Director-2-1-B 68
Dual, Quad Director-1-2-A 37 Director-2-2-A 69
Dual, Quad Director-1-2-B 38 Director-2-2-B 70
Quad Director-1-3-A 39 Director-2-3-A 71
Quad Director-1-3-B 40 Director-2-3-B 72
Quad Director-1-4-A 41 Director-2-4-A 73
Quad Director-1-4-B 42 Director-2-4-B 74
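The address scheme that Tables 2 to 5 spell out for VS6 components can be written as a function and used to build an allowlist of what should be present on the private management LANs and nothing else. The following is an added example, not code from the Dell EMC guide; the formula (MMCS at last octet 33, cluster 2 offset by 32, directors following in steps of two per enclosure, subnet A = 128.221.252.0/24 and subnet B = 128.221.253.0/24) is inferred from those tables, covers only the MMCS and director addresses they list, and the scan result it checks is constructed.

```python
"""Added example, not code from the Dell EMC guide: derive VS6 management
addresses from the formula implied by Tables 2 to 5 and use them as an
allowlist for the private management LANs. Assumed from those tables: subnet
A = 128.221.252.0/24, subnet B = 128.221.253.0/24, MMCS at last octet 33
(cluster 1) or 65 (cluster 2), directors following in steps of two."""
from __future__ import annotations
from ipaddress import IPv4Network

# Internal management networks A and B (MMCS and director tables on this page).
SUBNETS = {
    "A": IPv4Network("128.221.252.0/24"),
    "B": IPv4Network("128.221.253.0/24"),
}
MMCS_BASE_OCTET = 33   # MMCS last octet in cluster 1
CLUSTER_STRIDE = 32    # cluster 2 is offset by 32 (33 -> 65, 35 -> 67, ...)


def last_octet(seed: int, enclosure: int, director: str) -> int:
    """Last octet of a director address (identical on networks A and B).
    seed: Cluster IP Seed == Cluster ID (1 for Local / first Metro cluster,
    2 for the second Metro cluster). enclosure: Enclosure ID == engine
    number (1 to 4). director: "A" or "B"."""
    if seed not in (1, 2):
        raise ValueError("Cluster IP Seed must be 1 or 2")
    if not 1 <= enclosure <= 4:
        raise ValueError("Enclosure ID must be between 1 and 4")
    if director not in ("A", "B"):
        raise ValueError("director must be 'A' or 'B'")
    base = MMCS_BASE_OCTET + CLUSTER_STRIDE * (seed - 1)
    return base + 2 * enclosure + (1 if director == "B" else 0)


def mmcs_ip(network: str, seed: int) -> str:
    """Address of MMCS-A (network "A") or MMCS-B (network "B") in a cluster."""
    octet = MMCS_BASE_OCTET + CLUSTER_STRIDE * (seed - 1)
    return str(SUBNETS[network].network_address + octet)


def director_ip(network: str, seed: int, enclosure: int, director: str) -> str:
    """Address of Director-<seed>-<enclosure>-<director> on network A or B."""
    return str(SUBNETS[network].network_address
               + last_octet(seed, enclosure, director))


def cluster_inventory(seed: int, engines: int) -> dict[str, tuple[str, str]]:
    """(network A, network B) addresses of every director in a single- (1),
    dual- (2) or quad-engine (4) cluster, keyed by director name."""
    inventory: dict[str, tuple[str, str]] = {}
    for enclosure in range(1, engines + 1):
        for director in ("A", "B"):
            name = f"Director-{seed}-{enclosure}-{director}"
            inventory[name] = (director_ip("A", seed, enclosure, director),
                               director_ip("B", seed, enclosure, director))
    return inventory


def unexpected_hosts(network: str, seed: int, engines: int,
                     seen: list[str]) -> set[str]:
    """Addresses observed on private management network A or B that belong
    neither to the MMCS module nor to any director of this cluster; the
    private LANs should carry only the appliance's own components."""
    column = 0 if network == "A" else 1
    allowed = {mmcs_ip(network, seed)}
    allowed.update(addrs[column]
                   for addrs in cluster_inventory(seed, engines).values())
    return {addr for addr in seen if addr not in allowed}


# Table 5 on this page (last octets of all director addresses), used to
# cross-check the formula above.
TABLE_5_LAST_OCTETS = {
    "Director-1-1-A": 35, "Director-1-1-B": 36, "Director-1-2-A": 37,
    "Director-1-2-B": 38, "Director-1-3-A": 39, "Director-1-3-B": 40,
    "Director-1-4-A": 41, "Director-1-4-B": 42, "Director-2-1-A": 67,
    "Director-2-1-B": 68, "Director-2-2-A": 69, "Director-2-2-B": 70,
    "Director-2-3-A": 71, "Director-2-3-B": 72, "Director-2-4-A": 73,
    "Director-2-4-B": 74,
}


def formula_matches_table_5() -> bool:
    """True if last_octet() reproduces every row of Table 5."""
    for name, expected in TABLE_5_LAST_OCTETS.items():
        _, seed, enclosure, director = name.split("-")
        if last_octet(int(seed), int(enclosure), director) != expected:
            return False
    return True


if __name__ == "__main__":
    assert formula_matches_table_5()
    # Constructed scan result for management network A of a dual-engine
    # cluster 1: MMCS-A, two directors, and one address that should not be there.
    seen_on_a = ["128.221.252.33", "128.221.252.35",
                 "128.221.252.38", "128.221.252.99"]
    print("unexpected on network A:", unexpected_hosts("A", 1, 2, seen_on_a))
```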

IP Addresses
Cable ID (in figure)   From                                   To                                Director IP address if cable is in Cluster 1   Director IP address if cable is in Cluster 2
A1                     MMCS-A Management A Fabric connector   Eng-2 MM-A LAN Service port       Director-1-1-A, subnet B: 128.221.253.35       Director-2-1-A, subnet B: 128.221.253.67
A2                     Eng-2 MM-A LAN Management port         Eng-3 MM-A LAN Service port       Director-1-2-A, subnet B: 128.221.253.37       Director-2-2-A, subnet B: 128.221.253.69
A3                     Eng-3 MM-A LAN Management port         Eng-4 MM-A LAN Service port       Director-1-3-A, subnet B: 128.221.253.39       Director-2-3-A, subnet B: 128.221.253.71
B1                     MMCS-B Management B Fabric connector   Eng-4 MM-B LAN Management port    Director-1-1-B, subnet A: 128.221.252.36       Director-2-1-B, subnet A: 128.221.252.68
B2                     Eng-2 MM-B LAN Management port         Eng-3 MM-B LAN Service port       Director-1-2-B, subnet A: 128.221.252.38       Director-2-2-B, subnet A: 128.221.252.70
B3                     Eng-3 MM-B LAN Management port         Eng-4 MM-B LAN Service port       Director-1-3-B, subnet A: 128.221.252.40       Director-2-3-B, subnet A: 128.221.252.72


Chapter 5: Implementing IPv6
In VPLEX, an IP address can be an IPv4 address, an IPv6 address, or both. While VPLEX continues to support IPv4, it now
also provides support for the full IPv6 stack as well as dual stack IPv4/IPv6, including:
● Browser session
● VPN connection
NOTE: In a virtual private network, the end points must always be of the same address family. That is, each leg in the VPN
connection must be either IPv4 or IPv6.
● WAN link ports
● CLI session
● Cluster Witness
● RecoverPoint

In Release 5.3, IPv6 is available only with new installations.


The transition from an IPv4 network to a network where IPv4 and IPv6 coexist is challenging because the two protocols are
not designed to be interoperable with each other. Transition technologies such as tunneling or translator gateways are
required to exchange traffic between the two types of network.
The VPLEX management server uses the dual stack mechanism to deploy IPv6. This mechanism provides complete support for
both IPv4 and IPv6, and allows applications to talk to both IPv4 and IPv6. However, the choice of IP version is based on the
name lookup and application preference.
The following table describes IPv6 support on VPLEX components along with additional notes.

Table 6. IPv6 support on VPLEX components

Management server / MMCS-A: supports IPv4 Yes, IPv6 Yes, coexistence Yes.
● The management server supports only global scope IPv6 static address configuration.
● The management server supports the coexistence of both the IPv4 and IPv6 address.
Director: supports IPv4 Yes, IPv6 No, coexistence No. Directors continue to support IPv4 addresses.
Cluster Witness: supports IPv4 Yes, IPv6 Yes, coexistence Yes. The IPv6 address for a cluster witness can be specified
using vCenter or the VMware console -> Configure Network.
WAN COM: supports IPv4 Yes, IPv6 Yes, coexistence No. The IP-WAN-COM link operates on either IPv4 or IPv6.
VASA Provider: supports IPv4 Yes, IPv6 No, coexistence No. Although VPLEX SMS supports IPv6, the VASA provider
continues to support only IPv4 in Release 5.3. Therefore, VASA providers running in an IPv6 environment must specify the
IPv4 SMS address for VASA provider setup or registration.
RecoverPoint: supports IPv4 Yes, IPv6 Yes, coexistence Yes. RecoverPoint can communicate with the management server
using either an IPv4 address or an IPv6 address.
LDAP/AD server: supports IPv4 Yes, IPv6 Yes, coexistence Yes. The IP address can be specified during the LDAP
configuration. To change the configured IP address, the configuration must be recreated.

The VPLEX Administration Guide provides additional information on IPv6.

Chapter 6: Security configuration settings
This section provides an overview of user accounts and privileges.
Topics:
• User roles, accounts, and privileges

User roles, accounts, and privileges


Table 7. Metro node user accounts and privileges

Component Metro node, account service, default password -
● Access to the metro node management server desktop, VPlexcli, and Unisphere for metro node UI.
● Run permissions for VPlexcli related scripts.
● Ability to run VPlexcli commands.
● Read/write access to log files.
● Ability to run the System Configuration commands.
Component Metro node, account admin, default password teS6nAX2 (1)
● Access to metro node management server desktop, VPlexcli, and Unisphere for metro node UI.
● Ability to create, modify, and delete new user accounts.
● Ability to run VPlexcli commands.
● Read-only access to log files.
Component Metro node, account type Metro node user (default user), default password null
● Access dependent on that granted with Role-based User Access. See Role-based User Access for complete descriptions of
user types and permissions.
Component Metro node iDRAC, account root, default password calvin
● Root privileges
● Access to the metro node desktop.
● The default passwords are removed during the System Configuration process.

1. The first user who attempts to log in as admin is prompted to change the admin password before logging in.
2. Given the elevated permissions that are granted to the service account, its password must be changed in order to better
protect metro node from misuse or abuse of those privileges. See Changing the service account password for more
information.



Chapter 7: Configuring user authentication
Metro node customers can choose to configure their user accounts using either:
● An external OpenLDAP or Active Directory server which integrates with UNIX using Services for UNIX 3.5, Identity
Management for UNIX, or another authentication service.
OpenLDAP and Active Directory users are authenticated by the server. Usernames and passwords that are created on an
external server are fetched from the remote system to the metro node system each time they are used.
● The metro node management server
Usernames and passwords are created locally on the metro node system and are stored on metro node.

Customers who do not want to use an external LDAP server for maintaining user accounts create their user accounts on the
metro node system itself.
Metro node is pre-configured with two default user accounts: admin and service.
See the Dell EMC CLI Guide for metro node for information about the commands used to configure user authentication.
Topics:
• Role-based access control feature overview
• LDAP/AD user authentication
• Password policy
• Synchronizing service account password to MMCS peer

Role-based access control feature overview


To improve security, shell access is limited to the admin and service users only.
See the CLI Reference Guide for metro node for more information about the user add command with the -r option.
Users who are defined as either admin or service are taken to the shell command line once logged in to the metro node
management server. Users without shell access are redirected to the VPlexcli.
All users using LDAP credentials are defined as vplexuser by default.
Individual login credentials can be set for LDAP users, as every user account has a different username and password. However,
all LDAP users are given identical privileges (same role and same shell access value). The Administrator can either grant or
revoke shell access to any customizable role, such as vplexuser.

Connecting to the metro node management server (Local and Metro)

Logging on to the metro node CLI (Local and Metro)
The user automatically logs in to the CLI (unless that user is admin or service or is defined as having shell privileges by the
Administrator).
NOTE: In order to issue shell commands, you must either be logged in as admin or service or have shell access that is
explicitly granted by the Administrator.

SCP file transfers


Metro node allows file transfer to/from the metro node management server using SCP. SCP permissions are granted with shell
access.
Users with no shell access can perform SCP on files only (not on directories) from or to a single directory. An additional CLI
context represents this SCP directory.

NOTE: If you do not have shell access, you can only access a single directory when uploading and downloading files.

Role descriptions
This topic describes roles supported under role-based access.
Shell access is turned off by default for all new metro node accounts. Roles are defined as follows:
● securityadmin - This role is to be used by the metro node administrator at the customer site. Only one securityadmin
account is allowed on the management server. securityadmin has the same permissions as the vplexuser role but also manages
user authorization and authentication (creating and deleting accounts).
● service - This role is to be used by authorized Dell EMC service personnel only, in order to configure metro node.
● Metro node user - This role is the basic minimum-access metro node user account. Best practice is that the majority of
users be assigned this role with a unique customized account name. Limit assigning the securityadmin role as much as possible
to ensure security in your installation. Metro node user role accounts correspond to accounts created by the admin as well
as authorized metro node LDAP accounts.
● readonly - The readonly role limits users to read-only CLI commands, ensuring the user cannot invoke commands that
damage or inhibit metro node functionality. It also ensures that automated monitoring tools/scripts (CLI or REST) do not
accidentally invoke damaging or unintended commands. The Admin can create one or more accounts that have the readonly
role. Metro node user role accounts (as well as authorized metro node LDAP accounts) created by the Administrator may be
defined as readonly when deemed necessary.

Table 8. Description of roles in Role-based Access Control


Role User name Shell access(default)
securityadmin admin Customizable(true)
service service Always true
metro node user Customized name Customizable(false)
readonly Customized name Customizable(false)

Current admin and service users continue to have shell access. The Administrator can turn shell access on or off on a
per-account basis, as described in this document.

Role-based access control and NDU


This topic describes the impact of role-based access in relation to NDUs.

Impact of role-based access control on NDU and Non-NDU tasks


NDU and non-NDU tasks are impacted as follows.
● For NDUs - There is no noticeable change in behavior during NDU with regards to shell access. However, users should note
that in the next major release, explicit access must be granted through role-based access control for shell access
(after upgrading to the next major release). It is possible this explicit access for the next major release may be granted
through an automated step in the upgrade process, though this is not confirmed at this time.
● For non-NDU tasks - The Administrator must explicitly grant shell access after creating new accounts (vplexuser and
readonly roles). Shell access continues for preexisting accounts with shell access (admin and service). Again, in subsequent
releases, all accounts are required to be granted explicit shell access through role-based access control.
Existing metro node customer performs NDUs
John is an existing Dell EMC customer. He is defined as admin and has always had Administrator privileges and shell access.
John sees no change in behavior and does not need to grant himself shell access (using role-based access control) while
upgrading. John needs to grant himself explicit shell access in future major releases.



New metro node customer performs Greenfield install
Pete is a new Dell EMC metro node customer performing a Greenfield install (no NDU). Pete plans to log in as either the admin
or as the service user. By default, admin and service users have shell access. So, Pete does not need to perform any tasks in
order to execute shell commands.
Existing metro node customer
Mary is a metro node customer. She NDUs to metro node release 6.0. After the NDU, Mary finds she needs to grant shell
access to a new user, Paul. Mary must use role-based access control to define Paul as a User with shell access, even though
she doesn't have to explicitly define shell access for herself until the next major release.
Existing metro node customer with shell scripts
Susan is a metro node customer. She NDUs to metro node release 6.0. Susan has many scripts that she runs which access the
shell, running under her admin account (which had shell access). Again, she will not have to explicitly grant shell access with
role-based access control for metro node release 6.0, but she will for the next major release.

LDAP/AD user authentication


For information about metro node access for LDAP/AD users, see the Authenticate Service Directory document available in SolVe.

Password policy
Details password policies and default values
The metro node management server uses a Pluggable Authentication Module (PAM) infrastructure to enforce minimum
password quality. It uses pam_cracklib, a library that checks for dictionary words, to check potential passwords.

Table 9. Default password policies

Minimum password length (default: 8): The minimum number of characters used when creating or changing a password. The
minimum number of characters includes numbers, uppercase and lowercase letters, and special characters.
Minimum password age (default: 1 day): The minimum number of days a password cannot be changed after the last password
change. The service account default is 0 days.
Maximum password age (default: 90 days): The maximum number of days that a password can be used since the last password
change. After the maximum number of days, the account is locked and the user must contact the admin user to reset the
password. The service account default is 3650 days.
Password expiration warning (default: 15 days): The number of days before the password expires at which a warning message
indicating that the password must be changed is displayed. The service account default is 30 days.
Password inactive days (default: 1 day): The number of days after a password has expired before the account is locked.

In Release 7.0 and later, the management server uses the default values for the password policies listed in the Default password
policies table, and you can configure each password policy to meet your specific needs. The new value is written to the
appropriate configuration file, and existing users are updated with the new configuration. Refer to the Metro node CLI Guide
for information on the commands used to set password policies and the values allowed.
Note the following:
● Password policies do not apply to users configured using the LDAP server.
● The Password inactive days policy does not apply to the admin account, to protect the admin user from account lockouts.
● During the management server software upgrade, an existing user's password is not changed; only the user's password
age information changes.
● You must be an admin user to configure a password policy.



Valid password characters
The following characters are allowed in a metro node CLI password:
● A-Z
● a-z
● 0-9
● . ? / * @ ^ % # + = - _ ~ : space
Note the following rules:
● A space is allowed only between the characters in a password, not at the beginning or the end of the password.
● The # cannot be used at the beginning of a password.
● The passphrase used during the VPN configuration can contain letters, numbers, and special characters.
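As an added example (not Dell EMC code), this Python pre-check applies the Table 9 minimum length and the character rules above to a candidate password before an account is created by a provisioning script; the small word list standing in for pam_cracklib's dictionary is constructed for illustration.

```python
# Pre-check for a metro node CLI password: Table 9 minimum length plus the
# "Valid password characters" rules. Added example, not Dell EMC code.
MIN_LENGTH = 8
ALLOWED_SPECIAL = set(".?/*@^%#+=-_~:")
# Constructed stand-in for the dictionary pam_cracklib consults on the real system.
CONSTRUCTED_DICTIONARY = {"password", "welcome", "metronode", "vplexadmin"}


def check_cli_password(password: str) -> list[str]:
    """Return every rule the candidate breaks (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Only A-Z, a-z, 0-9, the listed specials and the space are permitted.
    bad = sorted({ch for ch in password
                  if not (ch.isascii() and ch.isalnum())
                  and ch not in ALLOWED_SPECIAL and ch != " "})
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(ch) for ch in bad))
    # A space may only appear between other characters.
    if password[:1] == " " or password[-1:] == " ":
        problems.append("space at the beginning or end")
    # '#' is allowed, but not as the first character.
    if password.startswith("#"):
        problems.append("starts with #")
    # pam_cracklib rejects dictionary words; case-insensitive stand-in check.
    if password.lower() in CONSTRUCTED_DICTIONARY:
        problems.append("dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor:x", "#abcdefg", " abc def ", "abc$defg", "short"):
        print(repr(candidate), "->", check_cli_password(candidate) or "ok")
```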

Synchronizing service account password to MMCS peer
In certain cases, the service account password must be manually resynchronized to the peer MMCS so that it matches on both
MMCS-A and MMCS-B. Use the security configure-mmcs-users command to accomplish this. See the EMC VPLEX CLI
Reference Guide for more information.
Execute this command only in a troubleshooting scenario, ideally when advised to do so by EMC Customer Support.
Running the security configure-mmcs-users command
Running the command on a VS6 system produces the following result.

VPlexcli:/> security configure-mmcs-users


MMCS user configuration was successful.

Running the command on a non-VS6 system produces the following result.

VPlexcli:/> security configure-mmcs-users


This command is supported to run on VPlex VS6 hardware configuration only.



Chapter 8: Manage user accounts
Topics:
• Adding user accounts
• View user account details
• Changing passwords
• Resetting passwords
• Deleting user accounts

Adding user accounts


About this task
NOTE: In a metro node Metro configuration, metro node CLI accounts created on one management server are not
propagated to the second metro node management server. The user list command displays only those accounts that are
configured on the local metro node management server, not both servers.
A user with an admin account can create an account as follows:

Steps
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the metro node management
server.
2. Log in with username admin.
a. The first time a user logs in with username admin, the user is prompted to change the admin password.
b. In the metro node, the Admin account password must be changed on all nodes individually.
3. From the Linux shell prompt, type this command to connect to the VPlexcli:
vplexcli
4. From the VPlexcli prompt, type the following command:

user add -u username

a. When prompted, type the admin account password.


b. When prompted for a password for the new user, type a password.
c. When prompted, retype the new password.
NOTE: The new user must change the password the first time he or she logs in.

View user account details


To view the user account details, follow these steps:

Steps
1. Launch PuTTY or a similar SSH client, and establish a connection to the public IP address of the metro node management
server.
2. Log in with username admin.
3. From the Linux shell prompt, to connect to the VPlexcli, type the command vplexcli.
4. From the VPlexcli prompt, to view the user details, type the command user list.



Changing passwords
Any user can change his/her own password as follows:

Steps
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the metro node management
server.
2. Log in with the applicable username.
3. From the Linux shell prompt, type this command to connect to the VPlexcli:
vplexcli
4. Log in with username admin.
5. From the VPlexcli prompt, type the following command:

user passwd -u username

a. When prompted, type the old password.


b. When prompted for a new password, type a password that adheres to the rules in Password policy.
c. When prompted, retype the new password.

Resetting passwords
A user with an admin account can reset passwords for other users as follows:

Steps
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the metro node management
server.
2. Log in with username admin.
3. From the Linux shell prompt, type this command to connect to the VPlexcli:
vplexcli
4. Log in with username admin.
5. From the VPlexcli prompt, type the following command:

user reset -u username

a. When prompted, type the admin account password.


b. When prompted for a password for the new user, type a password that adheres to the rules in Password policy.
c. When prompted, retype the new password.
NOTE: The user must change the password the next time he or she logs in.

Deleting user accounts


A user with an admin account can delete a different account as follows:

Steps
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the metro node management
server.
2. Log in with username admin.
3. From the Linux shell prompt, type this command to connect to the VPlexcli:
vplexcli
4. Log in with username admin.



5. From the VPlexcli prompt, type the following command:

user remove -u username

When prompted, type the admin account password.



Chapter 9: Log file settings
This section describes log files relevant to security.

Log file location


The following table lists the name and location of VPLEX component log files relevant to security.

Table 10. VPLEX component log files

Component                Location
Unisphere for VPLEX      /var/log/VPlex/cli/session.log_username
Management server OS     /var/log/messages
ConnectEMC files         /var/log/ConnectEMC/logs/ConnectEMC.log
Firewall                 /var/log/firewall
VPN (ipsec)              /var/log/events.log

Log file management and retrieval


All logs rotate automatically, to avoid unbounded consumption of disk space.



Chapter 10: Communication Security Settings
This chapter contains the following topics.
Topics:
• Communication security settings

Communication security settings


This section describes the communication security settings that enable you to establish secure communication channels
between metro node components, as well as metro node components and external systems.

IP WAN COM
A metro node Metro system does not support native encryption over an IP WAN-COM link. It is recommended that you deploy
an external encryption solution such as IPsec to achieve data confidentiality and end point authentication over IP WAN COM
links between clusters.
The metro node uses the TCP protocol for its IP WAN-COM communications. Configure TCP ports on the firewall for IP
WAN-COM communications. If the firewall is a packet filter rather than a proxy, you must open the following firewall ports:
● TCP ports
○ Port 61484
○ Port 61483
○ Port 61482
○ Ports 32768 to 61000

Accessibility
To establish secure communication, note the following:
● The following protocols must be allowed on the customer firewall (both in the outbound and inbound filters):
○ Encapsulating Security Payload (ESP): IP protocol number 50
○ Authentication Header (AH): IP protocol number 51
● The following ports must be allowed on the customer firewall:
○ Internet Key Exchange (IKE): UDP port 500
○ NAT Traversal in the IKE (IPsec NAT-T): UDP port 4500
○ Secure Shell (SSH): TCP port 22
● Static IP addresses must be assigned to the public ports on each management server (eth3) and the public port in the
Cluster Witness Server. If these IP addresses are in different subnets, the IP management network must be able to route
packets between all such subnets.
● The IP management network must be capable of transferring SSH traffic between management servers and Cluster Witness
Server.
● The IP management network must be capable of transferring ICMP traffic between management servers and Cluster Witness
Server in order to enable configuration, upgrade, and diagnostics of Cluster Witness.
● The required minimum value for Maximum Transmission Unit (MTU) is 1500 bytes. Configure MTU as 1500 or larger.
NOTE: The IP management network must not be able to route to the following reserved metro node subnets:
128.221.252.0/24, 128.221.253.0/24, and 128.221.254.0/24.



If metro node is deployed with IP inter-cluster network, the inter-cluster network must not be able to route to the following
reserved metro node subnets: 128.221.252.0/24, 128.221.253.0/24, and 128.221.254.0/24.
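As an added example (not Dell EMC code), the following Python audits a firewall allow-list and a route table against the requirements above: the IP protocols and ports the Accessibility list and the IP WAN COM section call for, in both directions, and the rule that no route may reach the three reserved subnets. The rule tuples and routes are constructed for illustration, not taken from a real deployment.

```python
import ipaddress

# Subnets the management and inter-cluster networks must not be able to reach.
RESERVED_SUBNETS = [ipaddress.ip_network(n) for n in (
    "128.221.252.0/24", "128.221.253.0/24", "128.221.254.0/24")]

# (proto, first, last, label): "ip" entries are IP protocol numbers, the rest port ranges.
REQUIRED = [
    ("ip", 50, 50, "ESP"),
    ("ip", 51, 51, "AH"),
    ("udp", 500, 500, "IKE"),
    ("udp", 4500, 4500, "IPsec NAT-T"),
    ("tcp", 22, 22, "SSH"),
    ("tcp", 61482, 61484, "IP WAN-COM"),
    ("tcp", 32768, 61000, "IP WAN-COM high ports"),
]
DIRECTIONS = ("inbound", "outbound")


def _merged_spans(rules, direction, proto):
    """Merge the allow rules for one direction/protocol into sorted, non-overlapping ranges,
    so a requirement split across two adjacent rules still counts as covered."""
    spans = sorted((f, l) for d, p, f, l in rules if d == direction and p == proto)
    merged = []
    for f, l in spans:
        if merged and f <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], l))
        else:
            merged.append((f, l))
    return merged


def missing_allowances(rules):
    """Describe every required protocol/port range that the allow-list (tuples of
    direction, proto, first, last) does not permit in both directions."""
    gaps = []
    for proto, first, last, label in REQUIRED:
        for direction in DIRECTIONS:
            spans = _merged_spans(rules, direction, proto)
            if not any(f <= first and last <= l for f, l in spans):
                gaps.append(f"{label}: {proto} {first}-{last} not allowed {direction}")
    return gaps


def routes_into_reserved(routes):
    """Return (route, reserved subnet) pairs for every route that can reach a reserved
    subnet. A default route (0.0.0.0/0) reaches all three and is reported as such."""
    hits = []
    for cidr in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        for reserved in RESERVED_SUBNETS:
            if net.version == reserved.version and net.overlaps(reserved):
                hits.append((cidr, str(reserved)))
    return hits


# Constructed sample: AH is missing outbound, SSH is missing inbound, and the high port
# range is split across two inbound rules (which is still acceptable).
SAMPLE_RULES = [
    ("inbound", "ip", 50, 50), ("outbound", "ip", 50, 50),
    ("inbound", "ip", 51, 51),
    ("inbound", "udp", 500, 500), ("outbound", "udp", 500, 500),
    ("inbound", "udp", 4500, 4500), ("outbound", "udp", 4500, 4500),
    ("outbound", "tcp", 22, 22),
    ("inbound", "tcp", 61482, 61484), ("outbound", "tcp", 61482, 61484),
    ("inbound", "tcp", 32768, 50000), ("inbound", "tcp", 50001, 61000),
    ("outbound", "tcp", 32768, 61000),
]
# Constructed sample: one static route lands inside a reserved subnet.
SAMPLE_ROUTES = ["10.0.0.0/8", "192.168.1.0/24", "128.221.253.128/25"]

if __name__ == "__main__":
    for gap in missing_allowances(SAMPLE_RULES):
        print("firewall gap:", gap)
    for route, reserved in routes_into_reserved(SAMPLE_ROUTES):
        print(f"route {route} reaches reserved subnet {reserved}")
```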

Port Usage
The following table lists all the network ports and services used by metro node components. This information, along with the
firewall settings, is needed to use the product.

Service or Port number Protocol Interface


ssh (22) - EC-01
https (443) - EC-01
ntp (123) - -
snmp (161/162) - -
smtp - -
5000 TCP EC-00
5020 TCP EC-01
32768-61000 TCP LC-[01] WC-[01]
61482 TCP LC-[01] WC-[01]
61483 TCP LC-[01] WC-[01]
61484 TCP LC-[01] WC-[01]
65000 TCP EC-01
65180 TCP -

NOTE: ICMP/Ping is required between the metro node management server (cluster 1) and external NTP.

Communications specifications - VPLEX Metro system


This figure illustrates the communication between VPLEX components in a VPLEX Metro system.



Figure 10. VPLEX Metro system

This table describes the possible communication between the VPLEX components in a VPLEX Metro system.

Table 11. Communication in a VPLEX Metro system

Serial Number A <-> B A <-> C A <-> D B <-> C B <-> D B <-> E C <-> D C <-> E
1 Yes Yes Yes (only for initial setup) Yes Yes (only for code upgrades) Yes (only for code upgrades)
2 Yes Yes Yes (only for initial setup) Yes Yes (only for code upgrades) Yes (only for code upgrades)
3 Yes Yes
4 Yes Yes
5 Yes Yes
6 Yes Yes Yes
7 Yes Yes Yes
8 Yes
9 Yes Yes
10 Yes Yes
11 Yes Yes
12 Yes Yes
13 Yes Yes
14 Yes Yes
15 Yes Yes
16 Yes Yes Yes

Legend:
● A - VPLEX Management Client
● B - Management Server 1
● C - Management Server 2
● D - VPLEX Cluster Witness
● E - ESRS Server

Communications specifications - VPLEX Local system


This figure illustrates the communication between VPLEX components in a VPLEX Local system.

Figure 11. VPLEX Local system

This table describes the possible communication between the VPLEX components in a VPLEX Local system.

Table 12. Communication in a VPLEX Local system

Serial Number A <-> B B <-> C
1 Yes
2 Yes
3 Yes
4 Yes
5 Yes
6
7
8
9 Yes
10 Yes
11 Yes
12 Yes
13 Yes
14 Yes
15
16

Legend:
● A - VPLEX Management Client
● B - Management Server 1
● C - ESRS Server

Network Encryption
The metro node management server supports SSH through the sshd daemon provided by the FIPS compliant OpenSSH
package. It supports version 2 of the SSH protocol. When the management server starts for the first time, the sshd daemon
generates key-pairs (private and public key) for communication with SSH clients. rsa, dsa and ecdsa key-pairs are
generated to support communication with SSH version 2 clients.
The HTTPS protocol and the IPsec VPN use an X.509 host certificate to identify the server and encrypt all traffic. X.509 host
certificates use a 2048 bit host key. During initial setup of a metro node cluster, a local Certification Authority (which signs the
host certificate request) is created automatically.
Metro node supports a corporate Certification Authority signing the host certificate requests. Users can import the corporate
Certificate Authority signed CA certificate, host certificate, and key file. The IPsec encryption can use certificates based on
RSA or ECDSA key-pairs. You can use only one type (RSA or ECDSA) when configuring the VPN on all three components
of metro node, that is, the two management servers and the cluster witness server. Note that for a metro node Metro
configuration, the host certificates for both web and VPN imported on both clusters must be signed and created using
the same CA certificate.
To import the corporate Certificate Authority signed certificates, see the metro node CLI Guide.

Creating a local Certification Authority


About this task
See the Installation guide for metro node available in SolVe.

Creating a host certificate


About this task

NOTE: Host certificates are created as a part of EZsetup during a first time installation.

The VPlexcli command security create-host-certificate generates a host certificate request and signs it with the Certification
Authority certificate created in Creating a local Certification Authority on page 36. By default, this command creates the
following:

● A 2048-bit key in /etc/ipsec.d/private/hostKey.pem
You must provide the CA key passphrase for the host key and the host certificate subject, which must be the cluster's serial
number (found on the label attached to the top of the metro node cabinet).

Installing the host certificate for use by HTTPS


Use the security web-configure command to install the host certificate for HTTPS.

About this task


See the Dell EMC CLI Reference Guide for metro node for more information.

Obtaining host certificate and host key fingerprints


When users first connect to the management server over SSH or connect to the UI using the HTTPS protocol, they are
asked to confirm the server's identity. Most client programs display the management server's fingerprints as MD5 or SHA1
checksums, allowing users to verify that they are connected to the metro node management server and not to another machine,
possibly deployed to harvest logins and passwords for a man-in-the-middle attack.

About this task


Once a user confirms the management server's identity, subsequent connections will not ask for this confirmation, but instead
warn the user if the management server's fingerprint has changed, which may be another indication of man-in-the-middle
attacks.
A metro node administrator might be asked by security-conscious users for the fingerprints of both the X.509 certificate used
for the UI and for the host keys used for SSH access to the management server.

Finding the host certificate's SHA256, SHA1 and (for GUI users) MD5 fingerprints

About this task


To find the host certificate's SHA1 and (for GUI users) MD5 fingerprints, do the following.

Steps
1. Type the following command:

openssl x509 -noout -in hostCert.pem -fingerprint -sha256

Output example:

SHA256 Fingerprint=91:65:4C:02:80:C0:C8:54:24:4A:71:2B:BF:C1:D5:3C:08:A2:2B:36:BC:7B:3D:A2:B3:8A:72:83:66:E1:36:25

2. At the Linux shell prompt, type the following command:

/etc/ipsec.d/certs # openssl x509 -noout -in hostCert.pem -fingerprint -md5

Output example:

MD5 Fingerprint=6E:2C:A5:8E:86:11:45:26:02:09:62:97:6F:18:FD:62



Finding the SSH key fingerprint (for SSH users)

About this task


To find the SSH key fingerprint (for SSH users), do the following

Steps
1. At the Linux shell prompt, type the following command:

/etc/ssh > ssh-keygen -l -f ssh_host_dsa_key

Output example:

1024 52:42:70:0c:22:aa:2f:e3:09:18:93:c8:20:a4:78:0c ssh_host_dsa_key.pub

2. Type the following command:

/etc/ssh > ssh-keygen -l -f ssh_host_rsa_key

Output example:

1024 a4:d8:64:d0:24:b9:2c:3d:06:24:5f:3a:30:ba:83:f8 ssh_host_rsa_key.pub

3. Type the following command:

/etc/ssh > ssh-keygen -l -f ssh_host_ecdsa_key

Output example:

256 ca:05:f3:9a:3e:51:fe:53:51:90:39:bf:6b:f5:78:56 [MD5]root@ManagementServer (ECDSA)
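As an added example (not Dell EMC code), the following Python reproduces the fingerprint formats shown in the two procedures above from the raw files, so an administrator can publish them and a user can compare what the client displays: the OpenSSL-style certificate fingerprint is a hash over the DER bytes inside the PEM, and the ssh-keygen style key fingerprint is a hash over the decoded key blob of a public-key line. The PEM and key line are constructed stand-ins (their bodies decode to b"abc"), not real metro node material.

```python
import base64
import hashlib
import re

_PEM_BODY = re.compile(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)


def _colon_hex(digest: bytes, upper: bool) -> str:
    """Format a digest as colon-separated hex pairs, e.g. 6E:2C:A5:..."""
    hexdigest = digest.hex().upper() if upper else digest.hex()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the DER payload."""
    match = _PEM_BODY.search(pem)
    if not match:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(match.group(1).split()))


def cert_fingerprint(pem: str, algo: str = "sha256") -> str:
    """The value `openssl x509 -noout -fingerprint -<algo>` prints: the hash of the
    certificate's DER encoding, upper-case and colon separated."""
    digest = hashlib.new(algo, pem_to_der(pem), usedforsecurity=False).digest()
    return _colon_hex(digest, upper=True)


def ssh_pubkey_fingerprint(pubkey_line: str, algo: str = "md5") -> str:
    """Fingerprint of an OpenSSH public key line ('<type> <base64 blob> [comment]'):
    MD5 as the lower-case colon hex of the legacy `ssh-keygen -l` output shown above,
    SHA256 as 'SHA256:' plus unpadded base64 (the current ssh-keygen -l format)."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1])
    if algo == "md5":
        return _colon_hex(hashlib.md5(blob, usedforsecurity=False).digest(), upper=False)
    if algo == "sha256":
        raw = base64.b64encode(hashlib.sha256(blob).digest()).decode()
        return "SHA256:" + raw.rstrip("=")
    raise ValueError("unsupported algorithm: " + algo)


def hex_fingerprints_match(shown: str, expected: str) -> bool:
    """Compare a hex fingerprint a client displayed with the one the administrator
    published, ignoring case, colons and an 'XXX Fingerprint=' prefix."""
    def norm(s: str) -> str:
        return re.sub(r"[^0-9a-f]", "", s.split("=")[-1].lower())
    # Only MD5 (16), SHA1 (20) or SHA256 (32) byte digests are meaningful here.
    return norm(shown) == norm(expected) and len(norm(shown)) in (32, 40, 64)


# Constructed inputs: the fingerprint is a hash over the decoded bytes, so a body that
# decodes to b"abc" exercises the same code path as a real certificate or key blob.
CONSTRUCTED_CERT_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
CONSTRUCTED_SSH_KEY = "ssh-rsa YWJj root@ManagementServer"

if __name__ == "__main__":
    print("SHA256 Fingerprint=" + cert_fingerprint(CONSTRUCTED_CERT_PEM, "sha256"))
    print("MD5 Fingerprint=" + cert_fingerprint(CONSTRUCTED_CERT_PEM, "md5"))
    print(ssh_pubkey_fingerprint(CONSTRUCTED_SSH_KEY, "md5"))
    print(ssh_pubkey_fingerprint(CONSTRUCTED_SSH_KEY, "sha256"))
```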

Configurable HTTPS/TLS protocol


From VPLEX 6.0, the HTTPS/TLS protocol version is configurable for webserver-client connections.
The ability to configure the HTTPS/TLS protocol mitigates the POODLE (Padding Oracle On Downgraded Legacy Encryption)
vulnerability over TLS-encrypted client-server HTTPS connections.
You can now choose TLS levels TLSv1.0, TLSv1.1 and TLSv1.2 over SSLv3 (which has the POODLE vulnerability).

Set TLS version for Web server HTTPS connection


Use the following procedure to set the TLS version for Web server HTTPS connections in order to mitigate security risks from
POODLE (Padding Oracle On Downgraded Legacy Encryption).

Steps
1. Enter the set sslversion command to set the TLS version for a Web server HTTPS connection.
Use the following command format:

set sslversion TLSv1, SSLv2Hello,TLSversion

where TLSversion is one of the following values:


● TLSv1.0
● TLSv1.1
● TLSv1.2



NOTE: TLSv1.2 is the recommended protocol version.

2. Enter the webserver restart command to apply the changes.


Setting TLS version

VPlexcli:/security/web-server> set ssl-version TLSv1, SSLv2Hello,TLSv1.2

NOTE: After entering the CLI command, restart the Web server with the webserver restart command to apply the
changes.

Data security settings


Encryption of data at rest: user passwords
Hashed user passwords are stored in /etc/shadow on the metro node management server.
GeoSynchrony uses a hardcoded hashing algorithm to protect the stored passwords.
From version 6.0, passwords are hashed and stored with the SHA-512 algorithm, using the UNIX crypt(3) function.
Passwords are stored in the metro node password database in the following format:

$6$<salt>$<encrypted>

$6$ = hashing method, i.e. SHA-512
<salt> = 16 character salt string
<encrypted> = 86 character hashed password string
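As an added example (not Dell EMC or GeoSynchrony code), the following Python implements the SHA-512 crypt(3) scheme behind that format as given in the public SHA-crypt specification, parses a $6$<salt>$<encrypted> entry while checking the 16-character salt and 86-character hash lengths stated above, and verifies a candidate password against it with a constant-time compare. The salts and passwords used are constructed test values.

```python
import hashlib
import hmac

# crypt(3)'s own base64 alphabet (not the RFC 4648 one).
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SALT_MAX = 16        # crypt(3) silently truncates longer salts to 16 characters
HASH_LEN = 86        # 64 digest bytes become 86 custom-base64 characters
DEFAULT_ROUNDS = 5000


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """Emit n characters from the 24-bit word (b2<<16 | b1<<8 | b0), low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_ITOA64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password: str, salt: str, rounds: int = DEFAULT_ROUNDS) -> str:
    """Return the $6$<salt>$<hash> string crypt(3) produces for this password and salt
    (SHA-crypt specification, as used by glibc for /etc/shadow)."""
    pw = password.encode()
    salt = salt[:SALT_MAX]
    sb = salt.encode()
    plen, slen = len(pw), len(sb)

    # Digest B = SHA-512(password || salt || password)
    b = hashlib.sha512(pw + sb + pw).digest()

    # Digest A: password || salt || B (to the password length) || B-or-password per bit of plen
    a = hashlib.sha512(pw + sb)
    cnt = plen
    while cnt > 64:
        a.update(b)
        cnt -= 64
    a.update(b[:cnt])
    cnt = plen
    while cnt > 0:
        a.update(b if cnt & 1 else pw)
        cnt >>= 1
    a = a.digest()

    # P: password-derived bytes of length plen; S: salt-derived bytes of length slen
    dp = hashlib.sha512(pw * plen).digest()
    p = (dp * (plen // 64 + 1))[:plen]
    ds = hashlib.sha512(sb * (16 + a[0])).digest()
    s = (ds * (slen // 64 + 1))[:slen]

    # Stretching: 5000 rounds by default; C and P alternate order, S is mixed in on
    # rounds not divisible by 3 and P on rounds not divisible by 7.
    c = a
    for r in range(rounds):
        h = hashlib.sha512()
        h.update(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()

    # Encode the 64-byte result with crypt's fixed byte permutation: 21 triples, then byte 63
    chunks = []
    for i in range(21):
        j = (22 * i) % 63
        chunks.append(_b64_from_24bit(c[j], c[(j + 21) % 63], c[(j + 42) % 63], 4))
    chunks.append(_b64_from_24bit(0, 0, c[63], 2))
    prefix = "$6$" if rounds == DEFAULT_ROUNDS else f"$6$rounds={rounds}$"
    return prefix + salt + "$" + "".join(chunks)


def parse_shadow_hash(entry: str) -> tuple[int, str, str]:
    """Split a $6$[rounds=N$]<salt>$<hash> string into (rounds, salt, hash), enforcing the
    lengths the format promises: 1 to 16 salt characters and exactly 86 hash characters."""
    parts = entry.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] != "6":
        raise ValueError("not a SHA-512 crypt hash (expected a $6$ prefix)")
    rounds, idx = DEFAULT_ROUNDS, 2
    if parts[2].startswith("rounds="):
        rounds, idx = int(parts[2][len("rounds="):]), 3
    if len(parts) != idx + 2:
        raise ValueError("malformed hash string")
    salt, digest = parts[idx], parts[idx + 1]
    if not 1 <= len(salt) <= SALT_MAX:
        raise ValueError("salt must be 1 to 16 characters")
    if len(digest) != HASH_LEN or any(ch not in _ITOA64 for ch in digest):
        raise ValueError("hash must be 86 characters from the crypt base64 alphabet")
    return rounds, salt, digest


def verify_password(password: str, entry: str) -> bool:
    """Recompute the hash with the stored salt and rounds and compare in constant time."""
    rounds, salt, stored = parse_shadow_hash(entry)
    candidate = sha512_crypt(password, salt, rounds).rsplit("$", 1)[1]
    return hmac.compare_digest(candidate, stored)
```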
