R_MOD_01-Unisphere_Security_and_Basic_Management

Unisphere Security and Basic Management
Upon completion of this module, you should be able to:
• List Unisphere security features
• Describe Unisphere authentication using LDAP
• Audit Control Station events
• Explain VNX system notification methods and event monitoring
• Implement Unisphere Security
Copyright © 2014 EMC Corporation. All Rights Reserved.
Unisphere Security and Basic Management
1
Unisphere Security and Basic Management
Lesson 1: Unisphere and CLI interfaces
This lesson covers the following topics:
• VNX administration
• Unisphere interface navigation
• Command Line Interface (CLI) for File and Block access
VNX Administration
• Administration is performed via a GUI or CLI connection to the VNX
– Unisphere GUI
– CLI to the Control Station (for File) or Host Secure CLI (for Block)
EMC Unisphere
[Figure: Unisphere browser session from a client to the VNX. Enter the IP address of the VNX Control Station or Storage Processor.]
Unisphere Interface Terms and Components (1 of 8)
1. Top Navigation Bar
2. Task Pane (can be expanded)
3. Main Pane (can be expanded)
[Figure: Unisphere window with the three areas numbered.]
Unisphere Interface Terms and Components (2 of 8)
1. Navigation "breadcrumb"
2. Toolbar: Search Option, General Options, Logged User; Hide/Expand Task Menu
[Figure: Unisphere toolbar with the two areas numbered.]
Unisphere Interface Terms and Components (3 of 8)
• Right-click of the mouse over a query selection opens a menu with actions for the selected object
• Mouse over an option of the Top Navigation Bar opens a submenu
Unisphere Interface Terms and Components (4 of 8)
• Tools: Page Help, Export to CSV file, Refresh the Page
Unisphere Interface Terms and Components (5 of 8)
Unisphere Interface Terms and Components (6 of 8)
• Mouse cursor over a field name
– Wait for the pop-up description
– Quick answers for simple usability questions
• Example:
– User is creating an NFS Export for a File System (discussed later in this course)
– The Create NFS Export dialog box opens with a data form
– Mouse cursor was placed over "Read-only Hosts:"
– Operator waited two seconds
Unisphere Interface Terms and Components (7 of 8)
• Wizards
– Generate a pop-up window
– Simplified step walk-through
– Designed for novice users
– Further modification and management is done using the Navigation and Task pages
VNX for File Command Line Interface (CLI)
• Used for the completion of most administrative tasks
• Primary function: scripting of repetitive tasks
• The CLI is accessed on the Control Station (CS)
– Local access directly at the Control Station console
– Remote access via an SSH client such as PuTTY
• Approximately 80 Linux-like commands
– The CS runs an EMC-customized Linux
• Data Movers (DM) do not have a CLI
– Commands are entered on the CS
– The CS routes the commands to the Data Movers and Storage Systems
VNX for File CLI Commands
• cel_ commands
– Execute against remotely linked VNX for File systems
• cs_ commands
– Execute against the local Control Station
• fs_ commands
– Execute against the specified file system
• nas_ commands
– Execute against the Control Station database
• server_ commands
– Execute directly on a Data Mover
Unisphere Integration with VNX for File CLI
• Integration with the Command Line Interface (CLI)
– VNX for File CLI commands can be executed from the GUI
– Only one command at a time
VNX for Block Command Line Interface (CLI)
• Secure CLI is the comprehensive VNX CLI for Block solution
– Client application installed on supported Windows and Linux/Unix hosts
– Commands consist of the naviseccli command and its options
– Commands cover storage connectivity/provisioning and management, LUN compression/expansion/migration, storage domain/host agents
• Note: a password given on the naviseccli command line is visible in the host's process list and shell history; naviseccli -AddUserSecurity stores the credential in the OS user's security file so later commands do not need it on the command line.
SP Setup Page
Unisphere Security and Basic Management
Lesson 1: Summary
During this lesson the following topics were covered:
• VNX administration
• Unisphere interface navigation
• Command Line Interface (CLI) for File and Block access
Unisphere Security and Basic Management
Lesson 2: Unisphere Security Features
This lesson covers the following topics:
• VNX Administrative user authentication
• Unisphere Security Features
• Unisphere authentication scopes
• Unisphere user roles for system administration
VNX Management Access Security
• Several management applications have access to the VNX system
• Access is limited to authorized users and applications through:
– Authentication: identify the user making a request
– Authorization: determine whether the user has the right to make the request
– Privacy: prevent unauthorized disclosure of information
– Trust: verify the identity of the communicating parties
– Audit: record the activities performed by authenticated users
VNX Administration Security
• VNX access via the GUI or CLI interfaces requires user authentication
• Administrative options for:
– Unique administrative user accounts
– Role-based administration
– Secure authentication and management (SSL/TLS and SSH)
[Figure: Unisphere login dialog.]
Administrative Authentication Scope
• Authentication scopes
– Global (storage domain)
– Local
– LDAP
[Figure: a user login is resolved against a Global user in the storage domain, a Local user on the system, or an LDAP user on the LDAP server.]
VNX Default Management Accounts
• VNX for File and Unified systems default management accounts
Account   Description
root      VNX for File local account which provides administrator-level privileges on the CS
nasadmin  VNX for File local account which provides administrator-level privileges on the CS
sysadmin  Global system account which provides administrator-level privileges for both VNX for File and VNX for Block
• VNX for Block systems do not have default factory-installed management accounts
– A global account can be created during initialization or at first login
Administrative Roles
• Areas of administrative responsibility
• Privileges to VNX objects: Read/Modify/Full Control
• Associated to the user's primary group
• System-defined roles: cannot be modified or deleted
• User-defined roles: custom configured
• Roles apply to the GUI and the CLI
Unisphere SSL/TLS Certificates
• Certificates secure VNX network links for:
– Management
– LDAP bindings
– Establishing a trusted identity
– PKI encoding and decoding
• Default self-signed certificates
– SPA, SPB and Control Station
– 2048-bit RSA keys
• Generate Data Mover self-signed certificates
• Configure CA-signed certificates
– SPA, SPB and Data Movers
• A self-signed default encrypts the link but gives a client no third-party assurance of the array's identity, so replace it with a CA-signed certificate wherever clients must verify whom they are talking to.
[Figure: SSL/TLS-protected links between the VNX and VMware ESXi, client software, FileMover, LDAP and management.]
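A self-signed default on SPA, SPB and the Control Station means a browser or CLI client has nothing to verify the array's identity against except a certificate it has been told to trust, so a practitioner normally wants to confirm what is actually being presented: whether it is still the self-signed default, its key size, and how long it remains valid. The shell functions below are an added example written for this page, not EMC code; they operate on a PEM file, which can be captured from a live system with `openssl s_client` as shown in the comments (the address there is a placeholder), and the demo generates a throwaway self-signed certificate rather than using any real VNX certificate.

```shell
#!/bin/sh
# Added example (not EMC code): inspect a management certificate saved as PEM.
# Capture from a live Control Station or SP (the address is a placeholder):
#   openssl s_client -connect 192.0.2.10:443 </dev/null 2>/dev/null \
#       | openssl x509 > vnx.pem

# True when issuer and subject are identical, which is what a self-signed
# certificate (the factory default on SPA, SPB and the Control Station) shows.
cert_is_self_signed() {
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ]
}

# Public key size in bits (2048 for the default VNX keys).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | grep -o -E 'Public-Key: \([0-9]+ bit\)' \
        | grep -o -E '[0-9]+'
}

# True when the certificate is still valid DAYS days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) > /dev/null
}

# One-line verdict for operators: origin, key size and a 30-day expiry check.
cert_summary() {
    if cert_is_self_signed "$1"; then kind="SELF-SIGNED"; else kind="CA-SIGNED"; fi
    bits=$(cert_key_bits "$1")
    if cert_valid_for_days "$1" 30; then exp="valid for 30+ days"; else exp="EXPIRES within 30 days"; fi
    echo "$kind key=${bits}-bit $exp"
}

# Throwaway self-signed test certificate (constructed; not a VNX certificate).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=cs0.example.test" -days 10 > /dev/null 2>&1
}

# Usage against a captured certificate: cert_summary vnx.pem
if [ "${1:-}" = "--demo" ]; then
    c=$(mktemp); make_test_cert "$c"
    cert_summary "$c"
    rm -f "$c" "$c.key"
fi
```

Issuer equal to subject is the quick test for a self-issued certificate; a CA-signed replacement configured on the SPs or Data Movers will show the CA as issuer and should be checked with the CA's chain instead.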
VNX Log Auditing
• Audit logging on a VNX for Block system
– Check for suspicious activity logged on the VNX SPs
– Provides information on the affected SPs and the associated hosts
• Auditing on a VNX for File system
– Captures management activities initiated from the Control Station
– Verifies access to key system files and end-user data
• Integration with RSA enVision
– The application provides collection, analysis and reporting of administrative events logged by the VNX storage systems
Unisphere Security and Basic Management
Lesson 2: Summary
During this lesson the following topics were covered:
• VNX Administrative user authentication
• Unisphere authentication scopes
• Unisphere Security features
• Unisphere user roles for system administration
Unisphere Security and Basic Management
Lesson 3: Unisphere Authentication using LDAP
This lesson covers the following topics:
• VNX integration with LDAP for management
• Binding the Control Station and SPs to LDAP
• Configuring group mappings
• Assigning administrative roles to LDAP users
Configuring LDAP Authentication Overview
• (1) LDAP binding: configure the binding to the LDAP server
• (2) Role to group mapping: map a VNX administrative role to an LDAP group
• (3) Group mapping: VNX creates a local group and maps it to the LDAP group
• Supported LDAP-based domains: Microsoft AD, iPlanet, OpenLDAP
[Figure: the three steps numbered between the VNX and the LDAP domain.]
Configuring LDAP Binding: Part 1
• Settings > Security
– From the System Tasks pane, select Manage LDAP Domain
• Server tab
– IP address and port number
– Server Type and Protocol
– Domain Name
– BindDN and Password
– User and Group search paths
• Note: the BindDN credential is kept on the array and used for every lookup, so use a dedicated read-only directory account, and select the LDAPS protocol so the bind credential and group lookups are not sent in clear text.
Configuring LDAP Binding: Part 2
• Role Mapping tab
– For an LDAP group object: domain group or user name
• Advanced tab
– Customize various LDAP attributes
– Role for the user or group
Automatic LDAP Group Mapping
• A new local group is automatically created on the VNX
• Automatic mapping between the new local group and the LDAP domain group
– Members of the LDAP group are granted the administrative rights of the role
LDAP User Login
• GUI login
– LDAP credentials: username/password
– Select the Use LDAP option
• CLI login to the Control Station
– LDAP credentials
– Username format: <username>@<domain name>
login as: ptesca@corp.hmarine.com
ptesca@corp.hmarine.com@10.127.57.130's password:*******
[ptesca@VNX3cs0 ~]$
Unisphere Security and Basic Management
Lesson 3: Summary
During this lesson the following topics were covered:
• Integration of VNX with LDAP domains and users
• How to bind the Control Station and SPs to LDAP
• Configuration of Group mappings
• Assignment of Administrative Roles to LDAP users
Unisphere Security and Basic Management
Lesson 4: Control Station Auditing
This lesson covers the following topics:
• Auditing the administrative access to the Control Station
• Auditing events
• Control Station audit commands, creation of logs and reports
Auditing on the VNX Control Station
• The purpose of auditing is to record the security-relevant events that happen on a system
– Provides information about who initiated the event and the event's effect on the system (e.g., success or failure)
• Auditing is driven by several factors, including compliance concerns and basic system management
• Auditing is enabled by default
Default Audit Events
• Defined in /etc/audit/audit.rules
– Root file system access by administrators
– A list of sensitive system files
– Changes to the audit infrastructure
– Users authenticating to the system
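The rules in /etc/audit/audit.rules only take effect while they are loaded in the kernel, and "changes to the audit infrastructure" is itself one of the audited categories, so a practitioner wants a way to confirm that the loaded rules still match the file. The script below is an added example written for this page, not EMC code and not the VNX default ruleset: the sample rules are constructed stand-ins for the four categories above, and the live rule list is read from a file that would normally be produced with `/sbin/auditctl -l` as root. It assumes an auditctl that lists loaded rules in rule-file syntax; older audit packages print a `LIST_RULES:` format that would need a different normaliser.

```shell
#!/bin/sh
# Added example (not EMC code): detect drift between /etc/audit/audit.rules
# and the rules currently loaded in the kernel.
# On the Control Station the live list comes from (root required):
#   /sbin/auditctl -l > /tmp/live.rules
# Both inputs are plain files here so the check runs offline.

# Normalise a rules listing: strip comments and blank lines, squeeze
# whitespace, and drop control lines (-D, -b, -e, -f) that define no watch
# or syscall rule. Output is sorted and unique so comm(1) can compare it.
normalize_rules() {
    sed -e 's/#.*$//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' "$1" \
        | grep -v '^$' \
        | grep -v -E '^-(D|b|e|f)( |$)' \
        | sort -u
}

# Print every rule present in EXPECTED but absent from LIVE.
# Returns 0 when nothing is missing, 1 when at least one rule is gone.
audit_rules_missing() {
    expected="$1"; live="$2"
    tmp_e=$(mktemp); tmp_l=$(mktemp)
    normalize_rules "$expected" > "$tmp_e"
    normalize_rules "$live" > "$tmp_l"
    missing=$(comm -23 "$tmp_e" "$tmp_l")   # lines only in expected
    rm -f "$tmp_e" "$tmp_l"
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Constructed sample in audit.rules syntax covering the four default
# categories on the slide. Illustrative only; not the rules VNX ships.
sample_rules() {
cat <<'EOF'
-D
-b 320
# sensitive system files
-w /etc/passwd -p wa -k sensitive
-w /etc/shadow -p wa -k sensitive
-w /etc/sudoers -p wa -k sensitive
# changes to the audit infrastructure
-w /etc/audit/ -p wa -k auditconfig
-w /sbin/auditctl -p x -k audittools
# administrator access: root's home used as a stand-in for the category
-w /root -p rwxa -k rootfs
# users authenticating to the system
-w /var/log/lastlog -p wa -k logins
-w /etc/pam.d/ -p wa -k logins
EOF
}

# Usage on a Control Station (as root):
#   /sbin/auditctl -l > /tmp/live.rules
#   audit_rules_missing /etc/audit/audit.rules /tmp/live.rules || echo DRIFT
if [ "${1:-}" = "--demo" ]; then
    exp=$(mktemp); live=$(mktemp)
    sample_rules > "$exp"
    grep -v '/etc/shadow' "$exp" > "$live"      # simulate one dropped rule
    audit_rules_missing "$exp" "$live" || echo "DRIFT: rule(s) above not loaded"
    rm -f "$exp" "$live"
fi
```

Run the comparison from cron or from the same job that rotates the logs; a rule that is present in the file but not in the kernel is exactly the condition a tampering administrator would leave behind, and it is invisible to `ausearch` because no record is ever written.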
Record Types
• Several main record types are associated with audit events
– The main record types are listed in the table below
Record Type   Description
SYSCALL       Information associated with a system call invocation
PATH          Information about a file being accessed
CWD           The current working directory of the process
USER_*        Events associated with a user authenticating to the system (e.g., USER_AUTH, USER_LOGIN)
FS_WATCH      Associated with accessing a file system object that has an explicit watch placed on it
Audit Commands
• Native Linux commands
– No VNX-specific commands
– Man pages available
– Require root permissions
• /sbin/auditctl
– Controls the kernel's audit subsystem
• /sbin/ausearch
– For reading the audit trail
• /sbin/aureport
– Produces summary reports of audit logs
• /sbin/service auditd
– Controls the audit daemon
– Options: start, stop, status, restart, reload, rotate, condrestart
Audit Control
• Configure Audit behavior - /sbin/auditctl
– The example shows abbreviated output of this command's help
# ./auditctl -h
usage: auditctl [options]
    -a <l,a>      Append rule to end of <l>ist with <a>ction
    -A <l,a>      Add rule at beginning of <l>ist with <a>ction
    -b <backlog>  Set max number of outstanding audit buffers allowed Default=64
    -d <l,a>      Delete rule from <l>ist with <a>ction
                  l=task,entry,exit,user,watch,exclude
                  a=never,possible,always
    -D            Delete all rules and watches
    -e [0..2]     Set enabled flag
    -f [0..2]     Set failure flag
                  0=silent 1=printk 2=panic
    -F f=v        Build rule: field name, operator(=,!=,<,>,<=,>=,^,&) value
    -h            Help
Viewing Audit Log
• Reading the audit trail - /sbin/ausearch
 Example shows file system paths accessed
 Output below is abbreviated.
# /sbin/ausearch -i -m PATH | grep cwd
type=CWD msg=audit(04/28/2011 09:05:08.909:8442) : cwd=/nbsnas/server
type=CWD msg=audit(04/28/2011 09:05:08.911:8443) : cwd=/nbsnas/server
type=CWD msg=audit(04/28/2011 09:05:08.914:8444) : cwd=/nbsnas/server
type=CWD msg=audit(04/28/2011 09:05:08.916:8445) : cwd=/nbsnas/server
type=CWD msg=audit(04/28/2011 09:05:08.917:8446) : cwd=/nbsnas/server
type=CWD msg=audit(04/28/2011 09:05:08.974:8447) : cwd=/nbsnas/server
type=CWD msg=audit(04/28/2011 09:05:08.975:8448) : cwd=/nbsnas/server
type=CWD msg=audit(04/28/2011 09:10:01.119:8472) : cwd=/home/nasadmin
type=CWD msg=audit(04/28/2011 09:10:01.120:8473) : cwd=/home/nasadmin
type=CWD msg=audit(04/28/2011 09:10:01.132:8475) : cwd=/home/nasadmin
type=CWD msg=audit(04/28/2011 09:10:01.133:8476) : cwd=/home/nasadmin
type=CWD msg=audit(04/28/2011 09:10:01.137:8477) : cwd=/home/nasadmin
Creating Audit Reports
• Generating audit summary reports - /sbin/aureport
– The example shows the Authentication Report
# /sbin/aureport --auth
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 04/28/2011 07:30:04 acct="sysadmin ? ? /nas/sbin/change_passwd no 2803462
2. 04/28/2011 07:30:06 acct="root ? ? /nas/sbin/change_passwd no 2803522
3. 04/28/2011 07:30:08 acct="itechi ? ? /nas/sbin/change_passwd no 2803547
4. 04/28/2011 07:34:52 acct="nasadmin 10.12.247.3 ssh /usr/sbin/sshd yes 54
5. 04/28/2011 07:35:09 acct="root ? pts/0 /bin/su yes 256
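The report above already shows the two things an operator looks for first: three failed /nas/sbin/change_passwd authentications for sysadmin, root and itechi within four seconds (entries 1 to 3), and root being acquired through /bin/su on pts/0 shortly after the nasadmin SSH login from 10.12.247.3 (entries 4 and 5). Reading for those patterns by hand does not scale, so the following added example (written for this page, not EMC tooling) parses `aureport --auth` output with awk and reports failures per account, successful su to root, and successful logins that carry a source host. The input is the five report lines above, embedded as a constructed sample; on a Control Station it would be the output of `/sbin/aureport --auth` run as root.

```shell
#!/bin/sh
# Added example (not EMC code): summarise `aureport --auth` output.
# Entry columns: "N. date time acct host term exe success event"

# Emit one normalised record per entry:
#   date time acct host term exe success event
# Header and separator lines are skipped; the acct="name prefix is removed.
parse_auth_report() {
    awk '$1 ~ /^[0-9]+\.$/ {
        acct = $4
        sub(/^acct=/, "", acct); gsub(/"/, "", acct)
        print $2, $3, acct, $5, $6, $7, $8, $9
    }' "$1"
}

# Accounts with failed authentications and the failure count, sorted by name.
auth_failures() {
    parse_auth_report "$1" \
        | awk '$7 == "no" { n[$3]++ } END { for (a in n) print a, n[a] }' \
        | sort
}

# Successful privilege escalation through su (exe is /bin/su, success yes).
auth_su_success() {
    parse_auth_report "$1" | awk '$6 == "/bin/su" && $7 == "yes"'
}

# Successful logins that carry a source host (host column is not "?").
auth_remote_logins() {
    parse_auth_report "$1" | awk '$4 != "?" && $7 == "yes" { print $3, $4, $6 }'
}

# Constructed sample: the five entries shown on the slide above.
sample_auth_report() {
cat <<'EOF'
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 04/28/2011 07:30:04 acct="sysadmin ? ? /nas/sbin/change_passwd no 2803462
2. 04/28/2011 07:30:06 acct="root ? ? /nas/sbin/change_passwd no 2803522
3. 04/28/2011 07:30:08 acct="itechi ? ? /nas/sbin/change_passwd no 2803547
4. 04/28/2011 07:34:52 acct="nasadmin 10.12.247.3 ssh /usr/sbin/sshd yes 54
5. 04/28/2011 07:35:09 acct="root ? pts/0 /bin/su yes 256
EOF
}

# Usage on a Control Station (as root):
#   /sbin/aureport --auth > /tmp/auth.txt; auth_failures /tmp/auth.txt
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); sample_auth_report > "$f"
    echo "== failed authentications per account"; auth_failures "$f"
    echo "== successful su";                      auth_su_success "$f"
    echo "== successful remote logins";           auth_remote_logins "$f"
    rm -f "$f"
fi
```

The failure counter is deliberately keyed on the account rather than the source host, because the change_passwd entries carry no host; correlating a burst of failures across several accounts from one terminal session is the follow-up query to run with `ausearch` on the event numbers in the last column.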
Audit Backups
• Audit logs are located in /celerra/audit
• Backup of the auditing configuration files and the current audit log file
– To backend: /nas/var/auditing/
– Each Control Station is synched every 180 seconds
– /nas/var/auditing/cs0/
– /nas/var/auditing/cs1/
– If the Control Station in slot 0 is replaced, recovery code restores the audit configuration files
– Slot 1 auditing configuration is restored manually
# ls /nas/var/auditing/
cs0 lost+found
# ls /nas/var/auditing/cs0
auditd.conf audit.log audit.rules
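Because the slot-1 copy is restored by hand and the sync runs every 180 seconds, it is worth verifying that the backend copy is complete and recent before relying on it. The following added example (written for this page, not EMC tooling) checks a /nas/var/auditing/csN directory for the three expected files and flags an audit.log that has not been refreshed within a chosen number of minutes; the directory path is an argument so the same function can be exercised against a scratch directory, as the demo does.

```shell
#!/bin/sh
# Added example (not EMC code): sanity-check a backend copy of the
# Control Station audit files, e.g. /nas/var/auditing/cs0.

# audit_backup_check DIR [MAX_AGE_MINUTES]
# Reports MISSING files and a STALE audit.log; returns 0 only if all is well.
# The sync interval on the slide is 180 seconds, so the 5-minute default
# leaves some slack for a rotation in progress.
audit_backup_check() {
    dir="$1"; max_min="${2:-5}"; rc=0
    for f in auditd.conf audit.rules audit.log; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING $dir/$f"; rc=1
        fi
    done
    # find prints the file only if it was modified less than max_min ago
    if [ -f "$dir/audit.log" ] && \
       [ -z "$(find "$dir" -maxdepth 1 -name audit.log -mmin "-$max_min")" ]; then
        echo "STALE $dir/audit.log (not modified in the last $max_min minutes)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK $dir"
    return "$rc"
}

# Usage on a Control Station: audit_backup_check /nas/var/auditing/cs0
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)                                   # constructed scratch copy
    touch "$d/auditd.conf" "$d/audit.rules" "$d/audit.log"
    audit_backup_check "$d"
    touch -t 202001010000 "$d/audit.log"             # make the log old
    rm -f "$d/audit.rules"                            # and lose a file
    audit_backup_check "$d"
    rm -rf "$d"
fi
```

A stale audit.log on the backend while /celerra/audit is still growing points at the sync, not at auditd, and is the case to investigate before a Control Station swap rather than after.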
Unisphere Security and Basic Management
Lesson 4: Summary
During this lesson the following topics were covered:
• Auditing the administrative access to the Control Station
• Events that can be configured for auditing
• Control Station audit commands used for the creation of logs
and reports
Unisphere Security and Basic Management
Lesson 5: Notification Methods and Event Monitoring
This lesson covers the following topics:
• Unisphere monitoring features
• Event logs for VNX system activities
• Event monitor operations
• Event monitor notifications
Unisphere System Monitoring
• System > Monitoring and Alerts
Unisphere Monitoring: Alerts
• System > Monitoring and Alerts > Alerts
Unisphere Monitoring: Background Tasks for File
• System > Monitoring and Alerts > Background Tasks for File
Unisphere Monitoring: Event Logs for File
• VNX for File related events
– Messages from a Data Mover or the Control Station
– Selected time interval and severity level
– Right-click the mouse over a selection and select Details
Unisphere Monitoring: SP Event Logs
• VNX for Block related events
– Events logged on the Storage Processor
Unisphere Monitoring: Notifications for File
• System Event Notification: Facility, Severity, Action, Destination
• System Resource Utilization: Storage usage, Storage Protection, DM load
Events Query   Description
Facility       Facility value must match this value to trigger the notification
Severity       Severity level that will trigger the notification: 0, 1, 2 – Critical; 3 – Error; 4 – Warning; 5, 6 – Informational
Action         Action to take if the event meets the Facility and Severity criteria
Destination    Destination of the notification; the format depends on the type of action: absolute path on the CS for a log file; a single SNMP trap destination; comma-separated e-mail addresses (SMTP)
Unisphere Monitoring: Notifications for Block
• Creation of centralized or distributed monitors
• Creation and configuration of notification templates
– Event Severity: Information, Warning, Error, Critical
– Event Category: Basic Array, MirrorView, SnapView, SAN Copy, NQM, Alerts, Virtual Provisioning, VNX Snapshots
– Actions: log, combine events, add response, e-mail notification, paging service, SNMP trap
Unisphere Monitoring: Statistics for File
• Graphs with information about usage and performance
– File System
– Storage
– Network device
• Visualization parameters can be changed; flexible navigation
Unisphere Monitoring: Statistics for Block
• Unisphere Analyzer
Unisphere Security and Basic Management
Lesson 5: Summary
During this lesson the following topics were covered:
• Unisphere monitoring features
• Event logs for VNX system activities
• Event monitor operations
• Event monitor notifications
Unisphere Security and Basic Management
Lesson 6: Implementing Unisphere Security
This lesson covers the following topics:
• Configuring storage domain management of VNX systems
• Configuration of administrative users and assignment of
administrative roles
• Creating email notifications
• Setting notifications for various severity levels
Unisphere Storage Domains
• All Systems > Domains
– Each VNX is its own storage domain
– Domain members: SPA, SPB, Control Station
– The system is managed by a Unisphere session to any member
– Global user account "sysadmin": Administrator role
[Figure: a storage domain containing SPA, SPB and the CS.]
Multi-Domain Management
• All Systems > Domains
Adding a VNX System to Domain
• All Systems > System List > Add
– Enter the SP IP address
Creating New Administrative Users
• Settings > Security > User Management
– Requires the Administrator or Security Administrator role
– Global users
– Local users: for File, for Block
Assigning Administrative Roles
• Settings > Security > User Management > User Customization for File > Users > Properties
– Primary Group
– Group Role Membership
– Client Access
VNX Email Notifications: Email User
• Setup email account
VNX Notifications: Create Notifications for File
• Create event to monitor
• Select recipient of notification
Event Monitoring Configuration
1. Event Monitor Type: Distributed or Centralized
2. Selection of hosts to monitor
3. Events by Category: Basic Array, MirrorView, SnapView, SAN Copy, Alerts, VNX Snapshots
4. Severity: Critical, Error, Warnings, Informational
5. Response: Send e-mail, Send SNMP trap
[Figure: the event monitor configuration wizard with the five steps numbered.]
Unisphere Security and Basic Management
Lesson 6: Summary
During this lesson the following topics were covered:
• Configuring and management of storage domain
• Configuration of administrative users and assignment of
administrative roles
• Setting email notifications
• Setting notifications for File for various severity levels
Summary
Key points covered in this module:
• VNX provides multiple interface options, including Unisphere and the CLI
• Unisphere supports Global, Local, and LDAP authentication options, as well as built-in management accounts. Default and custom administrative roles help to control management access.
• Control Station auditing can be used to record the desired events.
• Unisphere monitoring and notification can also be used to manage and report on events.