EMC VPLEX

Security Configuration Guide

P/N 300-010-493 Rev A05 June 7, 2011

This guide provides an overview of VPLEX security configuration settings, including secure deployment and usage settings needed to securely use VPLEX. Topics include:

VPLEX overview ......................................................................................................... 2 VPLEX management server operating system and networking .......................... 4 IP addresses and component IDs .............................................................................. 8 Security configuration settings................................................................................ 12 Log file settings.......................................................................................................... 16 Communication security settings ........................................................................... 17 Data security settings................................................................................................ 20

VPLEX overview

VPLEX overview
An EMC VPLEX cluster consists of one, two, or four engines (each containing two directors), and a management server. A dual-engine or quad-engine cluster also contains a pair or Fibre Channel switches for communication between directors. Each engine is protected by a standby power supply (SPS), and each Fibre Channel switch gets its power through an uninterruptible power supply (UPS). (In a dual-engine or quad-engine cluster, the management server also gets power from a UPS.) The management server has a public Ethernet port, which provides cluster management services when connected to the customer network. The management server can also provide call-home services through the public Ethernet port by connecting to an EMC Secure Remote Support (ESRS) gateway deployed on the same network. The ESRS gateway is also used by EMC personnel to provide remote service. Three VPLEX implementations are available:

VPLEX Local (single cluster) VPLEX Metro (two clusters separated by synchronous distances) VPLEX Geo (two clusters separated by asynchronous distances).

In a VPLEX Metro or VPLEX Geo implementation, the clusters are connected over Fibre Channel between the directors, and over IP between the management servers. VPLEX user authentication is configured locally on the management server or remotely on an OpenLDAP or Active Directory server (with service for Unix SFU 3.5). A management server in each VPLEX cluster authenticates users against account information kept on its local filesystem or against LDAP/AD server. An authenticated user can manage resources in the local cluster. In a VPLEX Metro or VPLEX Geo implementation, users authenticated by either management server can manage all resources in both clusters. Figure 1 on page 3 shows a VPLEX cluster configuration example.

EMC VPLEX Security Configuration Guide

DRAFT
VPLEX overview

Engine 4

SPS

SPS

Engine 3

SPS

SPS

FC Switch B UPS B FC Switch A UPS A Management Server

Engine 2

SPS

SPS

Engine 1

SPS

SPS

SYM-002272

Figure 1

VPLEX cluster configuration

EMC VPLEX Security Configuration Guide

VPLEX management server operating system and networking

VPLEX management server operating system and networking

The VPLEX management servers operating system (OS) is based on a Novell SUSE Linux Enterprise Server 10 distribution. The operating system has been configured to meet EMC security standards by disabling or removing unused services, and protecting access to network services through a firewall. A management server has four Ethernet ports, identified as eth0 through eth3 by the operating system, and shown in Figure 2. A 1 Gb/s public management port (eth3) is the only Ethernet port in the VPLEX rack that may be connected to an external management LAN. Other components in the rack are connected to two redundant private management Ethernet networks, connected to the management server's eth0 and eth2 ports. A service port (eth1) can be connected to a local laptop, providing access to the same services as a host on the management LAN.
Ethernet port Service cable

Customer workstation

eth1

eth3
Customer IP network

Management server eth0

Figure 2

Customer-provided Ethernet cable

eth2
eth

Management server, rear view

Accessing the management server

Using SSH to access the management server shell

Three protocols allow access to a VPLEX management server over a secure and encrypted connection: SSH, HTTPS, and IPsec VPN. Users can log in to the management server shell over SSH, through the management server's public Ethernet port or service port. The SSH service is available on the standard port 22. An SSH login with appropriate credentials allows access to a Linux shell on the management server. From there:

Users can access the VPLEX command line interface (VPlexcli). An admin account user can create, modify, and delete user accounts. A service account user can inspect log files, start and stop services, and upgrade firmware and software.

SSH also can be used to establish a secure tunnel between the management server and the host running the SSH client. Using a tunneled VNC connection to access the management server desktop on page 5 provides more information.

EMC VPLEX Security Configuration Guide

DRAFT
VPLEX management server operating system and networking

Using HTTPS to access the VPLEX GUI

The VPLEX Management Consoles graphical user interface (GUI) is accessible as a web service on the management server's public Ethernet port and the service port, using the HTTPS protocol. It is available on the standard port 443. The following URL initiates an HTTPS connection to the GUI:
https://<management_server_public_IP_address>

The GUI encrypts all traffic using a server certificate. Creating a host certificate on page 18 provides more information.
Note: The GUI has a timer that logs the user out after 10 minutes if no activity has occurred. If you want to change the timeout setting, contact the EMC Support Center.

Using IPsec VPN in a VPLEX Metro implementation

The management server in each VPLEX Metro cluster must connect to each other over a Virtual Private Network (VPN) through the public Ethernet port, as shown in Figure 3.

Customer IP network
IPsec tunnel eth3 Mgmt server 1 eth0 eth2 Mgmt server 2 eth0 eth2 eth3

Subnet B 128.221.253.32/27

Subnet A 128.221.252.32/27

Subnet B 128.221.253.64/27

Subnet A 128.221.252.64/27

Cluster 1

Cluster 2
IPsec_VPN

Figure 3

IPsec VPN connection

Although you might have already secured the network connections between two VPLEX Metro or VPLEX Geo clusters, the management servers must establish an explicit VPN connection, to acknowledge that the remote management server has full management control over the local cluster and its resources. The VPLEX management server uses strongSwan, an open source implementation of IPsec for Linux. Using SCP to copy files The Secure Copy Protocol (SCP) allows users to transfer files to and from the management server. SCP uses the same credentials as SSH. Popular SCP clients are WinSCP and PSCP provided by the PuTTY package, and the SCP client provided by OpenSSH. The SSH protocol provides a mechanism for sending unencrypted traffic through an encrypted SSH connection. Most SSH clients, such as OpenSSH and PuTTY, allow users to establish SSH tunnels by specifying a port on their local machine (source port), and a port on the management server (destination port).

Using a tunneled VNC connection to access the management server desktop

EMC VPLEX Security Configuration Guide

VPLEX management server operating system and networking

Access to the management server's desktop is provided by VNC access through an SSH tunnel. Users must first establish an SSH tunnel between destination port 5901 and local port 5901, and then connect a VNC viewer to local port 5901. Popular VNC clients are RealVNC and TightVNC. To establish a tunnel, you must log in with your standard SSH credentials. After a successful login, the SSH client program must remain running, to allow the SSH tunnel to remain operational. Follow these steps to establish a tunneled VNC connection using PuTTY: 1. Launch PuTTY.exe, and configure the PuTTY window as shown in Figure 4 and the following: Server address Public IP address of the VPLEX management server. Session name Type a name for the PuTTY session you are configuring. This allows you to load the saved session if you need to reconnect later, eliminating the need to configure the individual parameters again. Default settings Verify, and set as shown if necessary.

Server address

(default) Session name

(default)

PuTTY_VNC

Figure 4

PuTTY Configuration window

2. Expand SSH in the Category list, and click Tunnels. 3. Configure the SSH port forwarding parameters as shown in Figure 5, and then click Add.

EMC VPLEX Security Configuration Guide

DRAFT
VPLEX management server operating system and networking

5901 localhost:5901

tunnels

Figure 5

PuTTY configuration: SSH port forwarding parameters

4. Click Open to establish an SSH tunnel to the management server. When prompted, type the admin account password. 5. Authenticate as usual, and leave the PuTTY window open. 6. Launch the VNC viewer, and connect to localhost:5901.

EMC VPLEX Security Configuration Guide

IP addresses and component IDs

IP addresses and component IDs

The IP addresses of the VPLEX hardware components are determined by a set of formulae that depend on the internal management network (A or B), the Cluster IP Seed, and (for directors) the Enclosure ID (which matches the engine number). Figure 6 shows the IP addresses in a cluster with a Cluster IP Seed of 1, and Figure 7 on page 9 shows the addresses for a Cluster IP Seed of 2. Note that the Cluster IP Seed is the same as the Cluster ID, which depends on the VPLEX implementation:

VPLEX Local - The Cluster ID is always 1. VPLEX Metro or VPLEX Geo - The Cluster ID for the first cluster that is set up is 1, and the second cluster is 2.

VPLEX VS1 hardware

Cluster IP Seed = 1 Enclosure IDs = engine numbers Management network A addresses Management network B addresses Engine 4: Director 4B Director 4A Engine 4: Director 4B Director 4A

128.221.253.42 128.221.253.41

128.221.252.42 128.221.252.41

Engine 3: Director 3B Director 3A

128.221.253.40 128.221.253.39

Engine 3: Director 3B Director 3A

128.221.252.40 128.221.252.39

FC switch B 128.221.253.34

Service port 128.221.252.2

Public Ethernet port Customer-assigned

FC switch A 128.221.252.34

Mgt B port 128.221.253.33

Mgt A port 128.221.252.33

Management server Engine 2: Director 2B Director 2A

Engine 2: Director 2B Director 2A

128.221.253.38 128.221.253.37

128.221.252.38 128.221.252.37

Engine 1: Director 1B Director 1A

128.221.253.36 128.221.253.35

Engine 1: Director 1B Director 1A

128.221.252.36 128.221.252.35
Zep-028_1

Figure 6

Component IP addresses in Cluster 1

EMC VPLEX Security Configuration Guide

DRAFT
IP addresses and component IDs

Cluster IP Seed = 2 Enclosure IDs = engine numbers Management network B addresses Engine 4: Director 4B Director 4A Management network A addresses Engine 4: Director 4B Director 4A

128.221.253.74 128.221.253.73

128.221.252.74 128.221.252.73

Engine 3: Director 3B Director 3A

128.221.253.72 128.221.253.71

Engine 3: Director 3B Director 3A

128.221.252.72 128.221.252.71

FC switch B 128.221.253.66

Service port 128.221.252.2

Public Ethernet port Customer-assigned

FC switch A 128.221.252.66

Mgt B port 128.221.253.65

Mgt A port 128.221.252.65

Management server Engine 2: Director 2B Director 2A

Engine 2: Director 2B Director 2A

128.221.253.70 128.221.253.69

128.221.252.70 128.221.252.69

Engine 1: Director 1B Director 1A

128.221.253.68 128.221.253.67

Engine 1: Director 1B Director 1A

128.221.252.68 128.221.252.67
Zep-028_2

Figure 7

Component IP addresses in VPLEX Metro or VPLEX Geo Cluster 2

EMC VPLEX Security Configuration Guide

IP addresses and component IDs

VPLEX VS2 hardware

Cluster IP Seed = 1 Enclosure IDs = engine numbers Engine 4: Director 4B, A side: 128.221.252.42 Director 4B, B side: 128.221.253.42 Engine 4: Director 4A, A side: 128.221.252.41 Director 4A, B side: 128.221.253.41

Engine 3: Director 3B, A side: 128.221.252.40 Director 3B, B side: 128.221.253.40

Engine 3: Director 3A, A side: 128.221.252.39 Director 3A, B side: 128.221.253.39

FC switch B 128.221.253.34

Service port 128.221.252.2

Public Ethernet port Customer-assigned

FC switch A 128.221.252.34

Mgt B port 128.221.253.33

Mgt A port 128.221.252.33

Management server

Engine 2: Director 2B, A side: 128.221.252.38 Director 2B, B side: 128.221.253.38

Engine 2: Director 2A, A side: 128.221.252.37 Director 2A, B side: 128.221.253.37

Engine 1: Director 1B, A side: 128.221.252.36 Director 1B, B side: 128.221.253.36

Engine 1: Director 1A, A side: 128.221.252.35 Director 1A, B side: 128.221.253.35

VPLX-000242

Figure 8

Component IP addresses in Cluster 1

10

EMC VPLEX Security Configuration Guide

DRAFT
IP addresses and component IDs

Cluster IP Seed = 2 Enclosure IDs = engine numbers Engine 4: Director 4B, A side: 128.221.252.74 Director 4B, B side: 128.221.253.74 Engine 4: Director 4A, A side: 128.221.252.73 Director 4A, B side: 128.221.253.73

Engine 3: Director 3B, A side: 128.221.252.72 Director 3B, B side: 128.221.253.72

Engine 3: Director 3A, A side: 128.221.252.71 Director 3A, B side: 128.221.253.71

FC switch B 128.221.253.66

Service port 128.221.252.2

Public Ethernet port Customer-assigned

FC switch A 128.221.252.66

Mgt B port 128.221.253.65

Mgt A port 128.221.252.65

Management server

Engine 2: Director 2B, A side: 128.221.252.70 Director 2B, B side: 128.221.253.70

Engine 2: Director 2A, A side: 128.221.252.69 Director 2A, B side: 128.221.253.69

Engine 1: Director 1B, A side: 128.221.252.68 Director 1B, B side: 128.221.253.68

Engine 1: Director 1A, A side: 128.221.252.67 Director 1A, B side: 128.221.253.67

VPLX-000243

Figure 9

Component IP addresses in VPLEX Metro or VPLEX Geo Cluster 2

EMC VPLEX Security Configuration Guide

11

Security configuration settings

Security configuration settings

This section provides an overview of the settings required to use VPLEX securely.

User roles and accounts

Table 1

Table 1 describes each VPLEX user account.

VPLEX user roles and accounts Role Service a Default account service Default password Mi@Dim7T Privileges Access to the management server desktop, VPlexcli, and Management Console GUI Ability to start and stop management server services Access to most files on the filesystem Ability to create, modify, and delete VPLEX user accounts Access to management server desktop, VPlexcli, and GUI Ability to start and stop management server services Access to the switch interface Ability to start and stop switch services Access to most files on the switch Access to the switch interface Ability to add and delete other accounts Ability to change passwords Access to the switch interface

Component Management server

Administrator a admin

teS6nAX2 b

Fibre Channel COM switches c

Service

service d

Mi@Dim7T

Administrator

admin

Ry3fog4M d

User

user

jYw13ABn

a. You cannot delete the default management server accounts. b. The first user who logs in as admin is prompted to change this password, which is required before any user can log in to the VPlexcli as admin. To change the password when prompted, follow the steps in Changing passwords on page 13, with the exception of step 4 (because you are asked to change the password after you log in). c. Fibre Channel COM switches exist only in dual-engine and quad-engine VPLEX clusters. d. In switches that are shipped for field replacement or hardware upgrade (rather than as part of a cabinet system), the admin account password is password, and there is no service account.

Configuring user authentication

VPLEX user authentication is configured locally on the management server or remotely on an OpenLDAP or Active Directory server (with service for Unix SFU 3.5). Usernames and passwords are stored on the management server, and cannot be managed by external authentication services. Refer to the VPLEX CLI Guide for information on the commands used to configure user authentication. The VPLEX management server uses a pluggable authentication module (pam) infrastructure to enforce minimum password quality. It uses pam_cracklib, a library that checks for dictionary words, to check potential passwords. The command man pam_cracklib on the management server provides more information about how this pam module works. The management server uses all default parameters.

Password policy

12

EMC VPLEX Security Configuration Guide

DRAFT
Security configuration settings

pam_cracklib applies the following rules:

Minimum password length of eight characters, including numbers, upper-case and lower-case letters, and special characters No dictionary words Comparison to the previous password: checks for palindromes, case-only changes, password similarity and rotation, to prevent users from using an old password with only a slight change

Adding user accounts

A user with an admin account can create a new account as follows: 1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management server. 2. Log in with username admin. 3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli: If VPLEX GeoSynchrony 4.0.x is running on the cluster:
telnet localhost 49500

If VPLEX GeoSynchrony 4.1.x or later is running on the cluster:

vplexcli

Log in with username admin. 4. From the VPlexcli prompt, type the following command:
user add -u <username>

a. When prompted, type the admin account password. b. When prompted for a password for the new user, type a password that adheres to the rules in Password policy on page 12. c. When prompted, retype the new password.
Note: The new user must change the password the first time he or she logs in.

Changing passwords

Any user with an admin or service account can change his/her own password as follows: 1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management server. 2. Log in with the applicable username: admin or service. 3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli: If VPLEX GeoSynchrony 4.0.x is running on the cluster:
telnet localhost 49500

If VPLEX GeoSynchrony 4.1.x or later is running on the cluster:

vplexcli

Log in with the applicable username: admin or service.

EMC VPLEX Security Configuration Guide

13

Security configuration settings

4. From the VPlexcli prompt, type the following command:

user passwd -u <username>

a. When prompted, type the old password. b. When prompted for a new password, type a password that adheres to the rules in Password policy on page 12. c. When prompted, retype the new password. Resetting passwords A user with an admin account can reset passwords for other users as follows: 1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management server. 2. Log in with username admin. 3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli: If VPLEX GeoSynchrony 4.0.x is running on the cluster:
telnet localhost 49500

If VPLEX GeoSynchrony 4.1.x or later is running on the cluster:

vplexcli

Log in with username admin. 4. From the VPlexcli prompt, type the following command:
user reset -u <username>

a. When prompted, type the admin account password. b. When prompted for a password for the new user, type a password that adheres to the rules in Password policy on page 12. c. When prompted, retype the new password.
Note: The user must change the password the next time he or she logs in.

Changing the service account password

Customers who want the service password to be different from the default password must ask the EMC representative installing VPLEX to modify the password. Because the service account is used by EMC to provide remote support through the EMC ESRS gateway, the service password must be recorded in the customer service database in order to provide this support. The service password must be changed in two locations:

Management server Fibre Channel switches

To change the service password on the Fibre Channel switches, use the switch's passwd command. Deleting user accounts A user with an admin account can delete a different account as follows:

14

EMC VPLEX Security Configuration Guide

DRAFT
Security configuration settings

1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management server. 2. Log in with username admin. 3. From the Linux shell prompt, type the applicable command to connect to the VPlexcli: If VPLEX GeoSynchrony 4.0.x is running on the cluster:
telnet localhost 49500

If VPLEX GeoSynchrony 4.1.x or later is running on the cluster:

vplexcli

Log in with username admin. 4. From the VPlexcli prompt, type the following command:
user remove -u <username>

When prompted, type the admin account password.

EMC VPLEX Security Configuration Guide

15

Log file settings

Log file settings

This section describes log files relevant to security.

Log file location

Table 2

Table 2 lists the name and location of VPLEX component log files relevant to security.
VPLEX component log files Component Management Console management server OS ConnectEMC Firewall VPN (ipsec) Location /var/log/VPlex/cli/session.log_<username> /var/log/messages /var/log/ConnectEMC/logs/ConnectEMC.log files /var/log/firewall /var/log/events.log

Log file management and retrieval

All logs rotate automatically, to avoid unbounded consumption of disk space.

16

EMC VPLEX Security Configuration Guide

DRAFT
Communication security settings

Communication security settings

This section describes the communication security settings that enable you to establish secure communication channels between VPLEX components, as well as VPLEX components and external systems. It provides the following information:

Port usage
Table 3

Table 3 lists each port, its function, and the service that uses the port.
Port Usage Port Public port TCP/22 Service port TCP/22 Function Log in to management server OS, copy files to and from the management server using the SCP sub-service, and establish SSH tunnels ESRS (EMC Secure Remote Service) access to VPLEX Service SSH

Public port TCP/21 Public port TCP/443 Public port TCP/5400 to 5413 Public port TCP/50 Public port UDP/500 Public port UDP/4500 Public port UDP/123 Public port TCP/161 Public port UDP/161 Public port TCP/443 Service port TCP/443 Localhost TCP/5901

ESRS

IPsec VPN

ESP ISAKMP IPSEC NAT traversal

Time synchronization service Get performance statistics

NTP SNMP

Web access to the VPLEX Management Consoles graphical user interface

HTTPS

Access to the management VNC server's desktop. Not available on the public network. Must be accessed through SSH tunnel. VPlexcli. Not available on the public network. Must be accessed through SSH. Telnet

Localhost TCP/49500

Network encryption

The VPLEX management server supports SSH through the sshd daemon provided by the OpenSSH package. It supports versions 1 and 2 of the SSH protocol. When the management server starts for the first time, the sshd daemon generates key-pairs (private and public key) for communication with SSH clients. An rsa1 key-pair is generated to support communication with SSH version 1 clients, and rsa and dsa key-pairs are generated to support communication with SSH version 2 clients. All keys have a 2048 bit length.

EMC VPLEX Security Configuration Guide

17

Communication security settings

The HTTPS protocol and the IPsec VPN use a X.509 host certificate to identify the server and encrypt all traffic. X.509 host certificates use a 2048 bit host key. During initial setup of a VPLEX cluster, a local Certification Authority (which signs the host certificate request) is created automatically. Currently, VPLEX does not support a corporate Certification Authority signing the host certificate requests. Creating a local Certification Authority A Certification Authority (CA) on the VPLEX management server must be created solely for the purposes of signing management server certificates. The VPlexcli command security create-ca-cert creates a CA certificate file and private key protected by a passphrase. By default, this command creates the following:

A 2048-bit CA key in /etc/ipsec.d/private/strongswanKey.pem A CA certificate in /etc/ipsec.d/cacerts/strongswanCert.pem that remains valid for 1825 days (5 years)

You must provide a passphrase for the CA key and the CA certificate subject. The CA certificate subject must be the VPLEX cluster's serial number (found on the label attached to the top of the VPLEX cabinet). If you are creating a CA certificate for a VPLEX Metro or VPLEX Geo implementation, you can use either cluster's serial number. Creating a host certificate
Note: Creating host certificates are created as a part of EZsetup during a first time installation.

The VPlexcli command security create-host-certificate generates a host certificate request and signs it with the Certification Authority certificate created in the Creating a local Certification Authority on page 18. By default, this command creates the following:

A 2048 key in /etc/ipsec.d/private/hostKey.pem A host certificate /etc/ipsec.d/certs/hostCert.pem that remains valid for 730 days (2 years)

You must provide the CA key passphrase for the host key, the host certificate subject which must be the cluster's serial number (found on the label attached to the top of the VPLEX cabinet). Installing the host certificate for use by HTTPS At the Linux shell prompt on the management server, type the following command to transform the X.509 certificate into jks format for use by tomcat:
sudo /opt/emc/VPlex/tools/utils/JKSsetup.pl

You must provide the host certificate's passphrase before converting the host certificate into a format suitable for HTTPS service. Obtaining host certificate and host key fingerprints When users first connect to the management server over SSH or by connecting to the GUI using the HTTPs protocol, they are asked to confirm the server's identity. Most client programs display the management server's fingerprints as MD5 or SHA1 checksums, allowing you to verify that they are connected to the VPLEX management server and not to another machine, possibly deployed to harvest logins and passwords for a man-in-the-middle attack.

18

EMC VPLEX Security Configuration Guide

DRAFT
Communication security settings

Once the user confirms the management server's identity, subsequent connections will not ask for this confirmation, but instead warn the user if the management server's fingerprint has changed, which may be another indication of man-in-the-middle attacks. A VPLEX administrator might be asked by security-conscious users for the fingerprints of both the X.509 certificate used for the GUI and for the host keys used for SSH access to the management server. To find the host certificate's SHA1 and (for GUI users) MD5 fingerprints: 1. At the Linux shell prompt, type the following command:
/etc/ipsec.d/certs # openssl x509 -noout -in hostCert.pem -fingerprint -md5

Output example:
MD5 Fingerprint=6E:2C:A5:8E:86:11:45:26:02:09:62:97:6F:18:FD:62

2. Type the following command:

/etc/ipsec.d/certs # openssl x509 -noout -in hostCert.pem -fingerprint -sha1

Output example:
SHA1 Fingerprint=2E:B0:DD:59:DD:C3:29:96:33:74:19:CC:A0:81:28:28:6F:4F:76:E4

To find the SSH key fingerprint (for SSH users): 1. At the Linux shell prompt, type the following command:
/etc/ssh # ssh-keygen -l -f ssh_host_dsa_key

Output example:
1024 52:42:70:0c:22:aa:2f:e3:09:18:93:c8:20:a4:78:0c ssh_host_dsa_key.pub

2. Type the following command:

/etc/ssh # ssh-keygen -l -f ssh_host_rsa_key

Output example:
1024 a4:d8:64:d0:24:b9:2c:3d:06:24:5f:3a:30:ba:83:f8 ssh_host_rsa_key.pub

3. Type the following command:

/etc/ssh # ssh-keygen -l -f ssh_host_key

Output example:
1024 1f:07:f1:f5:21:f6:fa:ae:74:aa:64:d7:4d:67:d4:c2 root@lsca5216

EMC VPLEX Security Configuration Guide

19

Data security settings

Data security settings

Encryption of data at rest: user passwords Hashed user passwords are stored in /etc/passwd on the VPLEX directors. GeoSynchrony uses a hardcoded hashing algorithm to encrypt the passwords.

Copyright 2011 EMC Corporation. All rights reserved. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. For the most up-to-date regulatory document for your product line, go to the Technical Documentation and Advisories section on EMC Powerlink. For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. All other trademarks used herein are the property of their respective owners.
20

EMC VPLEX Security Configuration Guide