EMC Avamar 7.0 Extended Retention Security Guide
P/N 300-015-244
REV 01
Copyright 2001- 2013 EMC Corporation. All rights reserved. Published in the USA.
Published July, 2013
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without
notice.
The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect
to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular
purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
EMC², EMC, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries.
All other trademarks used herein are the property of their respective owners.
For the most up-to-date regulatory document for your product line, go to the technical documentation and advisories section on the
EMC online support website.
CONTENTS
Preface
Chapter 1 Security Configuration
  Access control (page 10)
    Default accounts (page 10)
    Authentication configuration (page 10)
    User authorization (page 10)
    Component access control (page 10)
    Certificate management (page 11)
    Lockbox management (page 13)
  Log settings (page 14)
  Communication security (page 14)
    Port usage (page 14)
    Network encryption (page 15)
  Data security (page 15)
  Secure serviceability (page 15)
  The Lockbox tool (page 16)
    Running the Lockbox tool (page 16)
    Lockbox tool examples (page 18)
PREFACE
As part of an effort to improve its product lines, EMC periodically releases revisions of its
software and hardware. Therefore, some functions described in this document might not
be supported by all versions of the software or hardware currently in use. The product
release notes provide the most up-to-date information on product features.
Contact your EMC representative if a product does not function properly or does not
function as described in this document.
Note: This document was accurate at publication time. New versions of this document
might be released on the EMC online support website. Check the EMC online support
website to ensure that you are using the latest version of this document.
Purpose
This document describes how to configure security features for the EMC Avamar extended
retention feature.
Audience
This document is intended for the host system administrator, system programmer, or
operator who will be involved in managing the Avamar extended retention feature.
Revision history
The following table presents the revision history of this document.
Table 1 Revision history
Revision | Date | Description
01 | July 10, 2013 | Initial release of Avamar 7.0.
Related documentation
The following EMC publications provide additional information:
- EMC Avamar 7.0 Extended Retention User Guide
- EMC Avamar 7.0 Extended Retention Release Notes
- EMC Avamar 7.0 Media Access Node Customer Hardware Installation Guide
- EMC Avamar Compatibility and Interoperability Matrix
- EMC Avamar Data Store Gen4 Customer Service Guide
- EMC Avamar Data Store Site Prep Technical Specifications
Conventions used in this document
EMC uses the following conventions for special notices:
DANGER indicates a hazardous situation which, if not avoided, will result in death or serious injury.
WARNING indicates a hazardous situation which, if not avoided, could result in death or serious injury.
CAUTION, used with the safety alert symbol, indicates a hazardous situation which, if not avoided, could result in minor or moderate injury.
NOTICE is used to address practices not related to personal injury.
Note: A note presents information that is important, but not hazard-related.
IMPORTANT: An important notice contains information essential to software or hardware operation.
Typographical conventions
EMC uses the following type style conventions in this document:
Bold: Use for names of interface elements, such as names of windows, dialog boxes, buttons, fields, tab names, key names, and menu paths (what the user specifically selects or clicks)
Italic: Use for full titles of publications referenced in text
Monospace: Use for:
  - System output, such as an error message or script
  - System code
  - Pathnames, filenames, prompts, and syntax
  - Commands and options
Monospace italic: Use for variables.
Monospace bold: Use for user input.
[ ]: Square brackets enclose optional values
|: Vertical bar indicates alternate selections; the bar means "or"
{ }: Braces enclose content that the user must specify, such as x or y or z
...: Ellipses indicate nonessential information omitted from the example
Where to get help
The Avamar support page provides access to licensing information, product
documentation, advisories, and downloads, as well as how-to and troubleshooting
information. This information may enable you to resolve a product issue before you
contact EMC Customer Service.
To access the Avamar support page:
1. Go to https://support.EMC.com/products.
2. Type a product name in the Find a Product box.
3. Select the product from the list that appears.
4. Click the arrow next to the Find a Product box.
5. (Optional) Add the product to the My Products list by clicking Add to my products in
the top right corner of the Support by Product page.
Documentation
The Avamar product documentation provides a comprehensive set of feature overview,
operational task, and technical reference information. Review the following documents in
addition to product administration and user guides:
Release notes provide an overview of new features and known limitations for a
release.
Technical notes provide technical details about specific product features, including
step-by-step tasks, where necessary.
White papers provide an in-depth technical perspective of a product or products as
applied to critical business issues or requirements.
Knowledgebase
The EMC Knowledgebase contains applicable solutions that you can search for either by
solution number (for example, esgxxxxxx) or by keyword.
To search the EMC Knowledgebase:
1. Click the Search link at the top of the page.
2. Type either the solution number or keywords in the search box.
3. (Optional) Limit the search to specific products by typing a product name in the Scope
by product box and then selecting the product from the list that appears.
4. Select Knowledgebase from the Scope by resource list.
5. (Optional) Specify advanced options by clicking Advanced options and specifying
values in the available fields.
6. Click the search button.
Online communities
Visit EMC Community Network (https://community.EMC.com) for peer contacts,
conversations, and content on product support and solutions. Interactively engage online
with customers, partners and certified professionals for all EMC products.
Live chat
To engage EMC Customer Service by using live interactive chat, click Join Live Chat on the
Service Center panel of the Avamar support page.
Service Requests
For in-depth help from EMC Customer Service, submit a service request by clicking Create
Service Requests on the Service Center panel of the Avamar support page.
Note: To open a service request, you must have a valid support agreement. Contact your
EMC sales representative for details about obtaining a valid support agreement or with
questions about your account.
To review an open service request, click the Service Center link on the Service Center
panel, and then click View and manage service requests.
Facilitating support
EMC recommends that you enable ConnectEMC and Email Home on all Avamar systems:
ConnectEMC automatically generates service requests for high priority events.
Email Home emails configuration, capacity, and general system information to EMC
Customer Service.
Your comments
Your suggestions will help us continue to improve the accuracy, organization, and overall
quality of the user publications. Send your opinions of this document to:
BSGDocumentation@emc.com
Please include the following information:
Product name and version
Document name, part number, and revision (for example, A01)
Page numbers
Other details that will help us address the documentation issue
CHAPTER 1
Security Configuration
The following topics provide information on security configurations for the EMC
Avamar extended retention feature:
- Access control (page 10)
- Log settings (page 14)
- Communication security (page 14)
- Data security (page 15)
- Secure serviceability (page 15)
- The Lockbox tool (page 16)
Access control
Access control settings provide protection of resources against unauthorized access.
Default accounts
Table 2 contains the default Avamar extended retention feature accounts and their passwords.
Table 2 Default account names and passwords
Account | Password | Description
suser | Set when the Avamar extended retention feature is installed. Can be changed in the framework's user interface. | The super user for the Avamar extended retention feature's framework.
postgres | Set when the database is installed. Can be changed using PostgreSQL tools. | The database super user. Used to export and import Avamar backups.
Authentication configuration
The Avamar extended retention feature requires configuration of a super user at install time. The super user can create additional users after the feature is installed.
User authorization
The privileges of Avamar extended retention users are controlled by the roles to which they belong. Four roles have been defined:
- Super user
- Administrator
- Auditor
- General user
Component access control
The following components of the Avamar extended retention feature implement security features for access:
- Apache ActiveMQ Message Broker
- Apache Tomcat
- Avamar extended retention feature PostgreSQL Database
- Media Access Node
Note: The Media Access Node is the R510 Gen4 hardware node that the Avamar extended retention feature runs on.
Apache ActiveMQ Message Broker
Access to the Apache ActiveMQ message broker is controlled by SSL mutual authentication. In the Avamar extended retention feature, every message broker client must trust the message broker, and the broker must trust the clients. In SSL, this is accomplished by exchanging certificates.
Apache Tomcat
Apache Tomcat uses a certificate to authenticate itself to web clients.
Avamar extended retention feature database login roles
The Avamar extended retention feature uses four databases to store data such as users, roles, events, job information, and export schedules. The following table lists the databases and the users who own them.
Table 3 Avamar extended retention feature databases and login roles
Database | Login roles and passwords
PostgreSQL | The PostgreSQL database is owned by the user postgres. The password for this user is set during installation. The default password is changeme.
IMF | The IMF database is owned by IMF_PG_USER. The default password is IMF_PG_USER. Note: The owner and password for the IMF database are stored in plaintext in /opt/EMC/IMF/apache-tomcat/imf/WEB-INF/classes/imf-persistence.properties.
Quartz | The Quartz database is owned by IMF_PG_USER. The default password is IMF_PG_USER. Note: The owner and password for the Quartz database are stored in plaintext in /opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes/imf-persistence.properties and imfscheduler.properties.
Policy | The Policy database is owned by POLICY_USER. The default password is POLICY_USER. Note: The Policy database password is stored in the IMF lockbox, located in /opt/EMC/IMF/data/lockbox. The user and password can be changed using the Lockbox tool as described in The Lockbox tool on page 16.
Certificate management
Each Avamar extended retention feature component that participates in SSL communications keeps its certificates in a Java KeyStore (JKS) file. Key store files contain certificates that components use to identify themselves as well as the certificates of entities they trust. Some components keep their certificates and the certificates of trusted entities in the same key store file, while others keep the certificates of trusted entities in a separate file called a trust store. Although key store and trust store files have the same JKS format, the Avamar extended retention feature trust store files have a .ts suffix whereas the key store files have a .ks suffix.
Note: JKS files can be managed with a Java tool called keytool. Keytool is part of the standard JDK, which is included in the Avamar extended retention feature software. Keytool is located in /opt/EMC/IMF/jre/bin.
In the Avamar extended retention feature, there are JKS files for the following components:
- Apache Tomcat, containing the certificate that Tomcat uses to authenticate itself to web clients
- Apache ActiveMQ message broker, containing a separate key store and trust store that are used for mutual authentication with clients
- Message broker clients, containing a key store (and sometimes a trust store) holding the certificates used for mutual authentication with the message broker
Each JKS file is protected by a password. The Avamar extended retention feature components store their key and trust store passwords in a lockbox file as described in The Lockbox tool on page 16.
Note: The Avamar extended retention feature incorporates some third-party software that does not use the lockbox.
Table 4 shows the location of the passwords for the key stores used by Apache Tomcat and ActiveMQ. Since the Avamar extended retention feature file permissions are set to prevent access by anyone but the owner, one must own these files in order to read or modify them. Table 5 shows the location of key store files for Avamar extended retention feature components.
Table 4 Apache component passwords
Component | JKS password location
Apache Tomcat | /opt/EMC/IMF/apache-tomcat/catalina_base/conf/server.xml in the Connector element
Apache ActiveMQ | /opt/EMC/IMF/apache-activemq/conf/activemq.xml in the sslContext element
Table 5 Key store files
Component | Key store directory | Key store file(s)
Apache Tomcat | /opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes | IMF.ks
Apache ActiveMQ Message Broker | /opt/EMC/IMF/apache-activemq/conf | broker.ks, broker.ts
User Event Listener | /opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes | IMFUserEventListener.ks
Security Event Module | /opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes | IMFSecurityEventModule.ks
IMF Scheduler | /opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes | IMFScheduler.ks
Security Logger | /opt/EMC/securitylogger/config | IMFSecurityLogger.ks
Transport System Service | /opt/EMC/TransportSystemService/config | GridSystemService.ks
Backup Service | /opt/EMC/BackupService/config | IMF-Backup-Service.ks
Backup Manager | /opt/EMC/IMF/data/messagebus-ssl | backupmgr.ks
Grid Resource Manager | /opt/EMC/IMF/data/messagebus-ssl | gridresourcemgr.ks
Grid Task Manager | /opt/EMC/IMF/data/messagebus-ssl | gridtaskmgr.ks
Lockbox management
The RSA Common Security Toolkit 1.1 Lockbox is incorporated into the Avamar extended retention feature for storing encrypted secrets (like passwords) that otherwise would have to be stored as plain text. Secured software components often require users or client software to supply a password. Since EMC security policy does not allow storing plain text passwords either in files or source code, and since it would be cumbersome to ask a user to type a password every time one is required, passwords are stored in the lockbox. Once configured, the lockbox allows software to obtain passwords without a user having to type a password.
Each lockbox has a password that is set when the Avamar extended retention feature is installed and can be changed by using the command line utility documented in the section The Lockbox tool on page 16. The same tool can be used to display and modify the contents of the lockboxes.
If the password for a secured entity is changed and its password is stored in a lockbox, the lockbox must be updated with the correct password. Table 6 lists the lockbox file for each component, and Table 7 lists the names of the items stored in each lockbox. Most of the items are component key store or trust store filenames and their passwords.
Table 6 Lockbox files
Component | Lockbox file
Framework | /opt/EMC/IMF/data/lockbox
Security Logger | /opt/EMC/securitylogger/config/lockbox
Transport System Service | /opt/EMC/TransportSystemService/config/lockbox
Backup Service | /opt/EMC/BackupService/config/lockbox
Table 7 Lockbox contents
Lockbox | Contents
Framework | IMFUserEventListener.keyStore, IMFUserEventListener.keyStorePassword, IMFSecurityEventModule.keyStore, IMFSecurityEventModule.keyStorePassword, IMFScheduler.keyStore, IMFScheduler.keyStorePassword
Security Logger | IMFSecurityLogger.keyStore, IMFSecurityLogger.keyStorePassword
Transport System Service | GridSystemService.keyStore, GridSystemService.keyStorePassword
Backup Service | IMF-Backup-Service.keyStore, IMF-Backup-Service.keyStorePassword, ARCHIVE_SERVER_USER, ARCHIVE_SERVER_PASSWORD, ARCHIVE_SERVER_NAME
Log settings
The Avamar extended retention feature has a security logger and log viewer. Security events, which are stored in the framework database, are logged at four levels:
- Informational
- Warning
- Severe
- Critical
The log viewer provides filtering by severity level and date range. It also provides the ability to archive and delete selected events. The Avamar extended retention feature's online help provides more information.
Communication security
Communication security settings enable the establishment of secure communication channels between:
- Product components
- Product components and external systems or components
Port usage
The ports listed in Table 8 are the Avamar extended retention feature default ports. The extended retention feature allows some of these ports to be changed; however, the procedure involves manually editing various configuration files.
Table 8 Default ports
Component | Protocol | Port | Description
Apache ActiveMQ | TCP | 61617 | SSL connection to the message broker
Apache Tomcat | TCP | 7443 | HTTPS connection to web server
Apache Tomcat | TCP | 7000 | Port available for stopping Tomcat
PostgreSQL | TCP | 5568 | JDBC connection to database server
SSHD | TCP | 22 | Default SSH port
Archive Service Event | TCP | 6667 | Archive Service Event forwarding port
AVDTO | TCP | 2888 | AVDTO daemon port
Network encryption
Table 9 contains the encryption strategies that are employed by the Avamar extended retention feature for communication between components.
Table 9 Encryption strategies
Communication | Encryption type
Between web server and browser | SSL with server authentication
Between ActiveMQ and Avamar Data Transport components | SSL with mutual authentication
Between the PostgreSQL database and the Avamar extended retention feature | Not encrypted
Data security
Encryption of archived data is controlled by the library drive setting.
The Avamar extended retention feature provides a cleanse feature that frees up space on the Media Access Node's internal Avamar Server. The cleanse can occur immediately before data is imported from tape. It can also be run at any time.
Secure serviceability
The message broker has a web administration console that provides some diagnostic capabilities, such as viewing the number of messages and topics in queues and their current state.
The Avamar extended retention feature is installed with port 8161 closed.
To open port 8161:
1. Edit /opt/EMC/IMF/apache-activemq/activemq_base/conf/activemq.xml.
2. Uncomment the following line:
   <import resource="jetty.xml"/>
3. Save and close activemq.xml.
4. In a web browser, type the following URL to access the web console:
   http://Media_Access_Node_IP_address:8161/admin
Additional information is available at http://activemq.apache.org.
JMX tools like jconsole can be used to diagnose ActiveMQ. However, JMX access is
password protected. You can log in as one of two users:
controlRole Full access
monitorRole Read access
The usernames and passwords are stored in the following files:
/opt/EMC/IMF/apache-activemq/activemq_base/conf/jmx.access
/opt/EMC/IMF/apache-activemq/activemq_base/conf/jmx.password
If these files are changed, the shutdown script,
/opt/EMC/IMF/apache-activemq/activemq_base/bin/activemqstop.sh, must also be
modified since the service shutdown uses the JMX username and password.
For additional information, refer to http://activemq.apache.org.
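The guide states that the key store, trust store and lockbox files are readable only by their owner, while Tables 3 and 4 and the JMX files above name configuration files that hold passwords in plaintext. The script below is an added example, not EMC's code: it checks every such path from Tables 3 to 6 plus the JMX credential files for group or world permission bits, and verifies that the web console import that opens port 8161 is still commented out. The file list, the function names and the --run switch are this example's own assumptions, built from the tables.

```shell
#!/bin/sh
# Added example (not EMC code): audit files that hold or protect Avamar
# extended retention secrets. Paths come from Tables 3 to 6 and the JMX
# credential files in this guide; adjust for a non-default install prefix.

# Files that should be readable by their owner only, one per line:
# plaintext database credentials (Table 3), key store passwords (Table 4),
# key and trust stores (Table 5), lockboxes (Table 6), JMX credentials.
SENSITIVE_FILES='
/opt/EMC/IMF/apache-tomcat/imf/WEB-INF/classes/imf-persistence.properties
/opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes/imf-persistence.properties
/opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes/imfscheduler.properties
/opt/EMC/IMF/apache-tomcat/catalina_base/conf/server.xml
/opt/EMC/IMF/apache-activemq/conf/activemq.xml
/opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes/IMF.ks
/opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes/IMFUserEventListener.ks
/opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes/IMFSecurityEventModule.ks
/opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes/IMFScheduler.ks
/opt/EMC/IMF/apache-activemq/conf/broker.ks
/opt/EMC/IMF/apache-activemq/conf/broker.ts
/opt/EMC/securitylogger/config/IMFSecurityLogger.ks
/opt/EMC/TransportSystemService/config/GridSystemService.ks
/opt/EMC/BackupService/config/IMF-Backup-Service.ks
/opt/EMC/IMF/data/messagebus-ssl/backupmgr.ks
/opt/EMC/IMF/data/messagebus-ssl/gridresourcemgr.ks
/opt/EMC/IMF/data/messagebus-ssl/gridtaskmgr.ks
/opt/EMC/IMF/data/lockbox
/opt/EMC/securitylogger/config/lockbox
/opt/EMC/TransportSystemService/config/lockbox
/opt/EMC/BackupService/config/lockbox
/opt/EMC/IMF/apache-activemq/activemq_base/conf/jmx.access
/opt/EMC/IMF/apache-activemq/activemq_base/conf/jmx.password
'
ACTIVEMQ_XML=/opt/EMC/IMF/apache-activemq/activemq_base/conf/activemq.xml

# Exit 0 if group and other have no permission bits on $1, 1 if they have
# any, 2 if the path does not exist. Parses ls -l so it needs only POSIX.
file_mode_ok() {
    [ -e "$1" ] || return 2
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Exit 0 when the web console import in $1 is active (uncommented), which
# means port 8161 will open on the next broker start; 1 when it is not.
console_import_active() {
    grep -q '^[[:space:]]*<import resource="jetty.xml"/>' "$1"
}

# Print one status line per file and return the number of exposed files.
audit_files() {
    exposed=0
    for f in $SENSITIVE_FILES; do
        if file_mode_ok "$f"; then rc=0; else rc=$?; fi
        case $rc in
            0) echo "OK       $f" ;;
            2) echo "MISSING  $f" ;;
            *) echo "EXPOSED  $f ($(ls -ld "$f" | cut -c1-10))"
               exposed=$((exposed + 1)) ;;
        esac
    done
    return $exposed
}

# Run the audit when invoked directly: sh audit_secrets.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_files
    echo "exposed files: $?"
    if [ -e "$ACTIVEMQ_XML" ] && console_import_active "$ACTIVEMQ_XML"; then
        echo "WARNING: ActiveMQ web console (port 8161) is enabled in $ACTIVEMQ_XML"
    fi
fi
```

A MISSING result is expected for components that are not installed on a given node; an EXPOSED result for any lockbox means every local account, not just the registered host's owner, can read the secrets that the lockbox was meant to protect.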
The Lockbox tool
The lockbox tool is a command line tool implemented as an executable jar file that can be
used for the following tasks:
Create a lockbox
Set or change a lockbox password
Add or remove a host allowed to access the lockbox without a password
Display, change, or remove a name-value pair
The Lockbox tool requires that two environment variables be set:
LOCK_BOX_FILE: The full or relative path to the lockbox file. If not set, this defaults to lockbox in the current directory.
LD_LIBRARY_PATH: The shared library location specified in Table 10.
Running the Lockbox tool
You execute the Lockbox tool by typing the following:
java -jar lockbox.jar operation [argument] [argument]
where lockbox is one of:
- imf-lockbox-2.0-SNAPSHOT
- imf-lockbox
Note: Either lockbox file will work.
Table 10 Lockbox tool and library locations
Component | Lockbox tool location | Shared library location
Security Logger | /opt/EMC/securitylogger/lib/imf-lockbox.jar | /opt/EMC/securitylogger/lib/linux
Transport System Service | /opt/EMC/TransportSystemService/lib/imf-lockbox.jar | /opt/EMC/TransportSystemService/lib/native
Backup Service | /opt/EMC/BackupService/lib/imf-lockbox.jar | /opt/EMC/BackupService/lib/native
IMF | /opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/lib/imf-lockbox-3.2.0-2.jar | /opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/lib/linux
Table 11 describes the possible values for operation and argument. Square brackets indicate optional arguments.
Table 11 Lockbox tool operations and arguments
Operation | Argument 1 | Argument 2 | Description
create | [password] | | Create a new lockbox password.
set | item_name | item_value | Set or change the value of item_name.
display | item_name | | Display the value of item_name.
remove | item_name | | Remove item_name from the lockbox.
list_hosts | [password] | | Display the host list, which lists the hosts registered to access the lockbox without a password.
add_this_host | [password] | | Add the local host to the host list.
add_host | host_name | [password] | Add the host_name to the host list.
remove_host | host_name | [password] | Remove the host_name from the host list.
change_pass_phrase | [new_password] | [old_password] | Change the lockbox password.
If the command is not run from the directory containing the lockbox .jar file, then you must specify the full or relative path to the tool. Additionally, you may need to specify the path to the Java executable. The Java Runtime Environment (JRE) is included in the Avamar extended retention feature and can be found at the locations shown in Table 12.
Table 12 Java runtime locations
Component | Java runtime location
Framework | /opt/EMC/IMF/jre/bin
Security Logger | /opt/EMC/securitylogger/jre/bin
Transport System Service | /opt/EMC/TransportSystemService/jre/bin
Backup Service | /opt/EMC/BackupService/jre/bin
Information can be obtained from the lockbox without having to supply the lockbox password. The lockbox stores secrets as name and value pairs. It can be configured to allow setting, modifying, and removing these values without supplying a password. However, administrative operations always require a password.
In order to access the lockbox without supplying a password, the host from which the access is being executed must be registered with the lockbox. Registering a host is an administrative operation requiring a password. Once a host is registered, any user who can execute code on that host can access a lockbox secret, assuming they know the name of the secret. For this reason, it is important that the permissions on the lockbox file are set appropriately.
Unless specified on the command line, LockBoxTool.jar will prompt for a password for administrative operations. If the local host is not in the host list, the user will be prompted for a password for non-administrative operations. Once a password is successfully typed during any operation, the local host will be added to the host list. When a lockbox is being created or its password is being changed, the user will have to type the new password twice to make sure it is typed correctly.
Lockbox tool examples
Examples of how to use LockBoxTool.jar are provided below.
Example 1: Display the hosts that can use the lockbox without a password.
root@host220:~/#: export LD_LIBRARY_PATH=/DTO/EMC/TransportSystemService/lib/native
root@host220:~/#: export LOCK_BOX_FILE=/DTO/EMC/TransportSystemService/config/lockbox
root@host220:~/#: cd /DTO/EMC/TransportSystemService
root@host220:/DTO/EMC/TransportSystemService/#: jre/bin/java -jar lib/imf-lockbox.jar list_hosts 'Test123!'
host1.example.com
host2.example.com
root@host220:/DTO/EMC/TransportSystemService/#:
Example 2: Change the password for the lockbox from "Test123!" to "MySecret-123".
root@host220:~/#: export LD_LIBRARY_PATH=/DTO/EMC/TransportSystemService/lib/native
root@host220:~/#: export LOCK_BOX_FILE=/DTO/EMC/TransportSystemService/config/lockbox
root@host220:~/#: cd /DTO/EMC/TransportSystemService
root@host220:/DTO/EMC/TransportSystemService/#: jre/bin/java -jar lib/imf-lockbox.jar change_pass_phrase 'MySecret-123' 'Test123!'
root@host220:/DTO/EMC/TransportSystemService/#:
Example 3: Display the value of the key store password, whose name is GridSystemService.keyStorePassword.
root@host220:~/#: export LD_LIBRARY_PATH=/DTO/EMC/TransportSystemService/lib/native
root@host220:~/#: export LOCK_BOX_FILE=/DTO/EMC/TransportSystemService/config/lockbox
root@host220:~/#: cd /DTO/EMC/TransportSystemService
root@host220:/DTO/EMC/TransportSystemService/#: jre/bin/java -jar lib/imf-lockbox.jar display GridSystemService.keyStorePassword
Item GridSystemService.keyStorePassword is set to "Test123!".
root@host220:/DTO/EMC/TransportSystemService/#:
Example 4: Change the key store password from "Test123!" to "MySecret-456".
root@host220:~/#: export LD_LIBRARY_PATH=/DTO/EMC/TransportSystemService/lib/native
root@host220:~/#: export LOCK_BOX_FILE=/DTO/EMC/TransportSystemService/config/lockbox
root@host220:~/#: cd /DTO/EMC/TransportSystemService
root@host220:/DTO/EMC/TransportSystemService/#: jre/bin/java -jar lib/imf-lockbox.jar set GridSystemService.keyStorePassword 'MySecret-456'
Item GridSystemService.keyStorePassword is set to "MySecret-456".
root@host220:/DTO/EMC/TransportSystemService/#:
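Example 4 above only rewrites the lockbox item; the Lockbox management section requires that when a secured entity's password changes, the lockbox is updated to match, which means the key store itself and the lockbox must be changed together. The script below is an added example, not part of this guide, that performs that rotation for the Transport System Service key store with the JDK keytool noted under Certificate management and the locations from Tables 5, 6, 10 and 12; the function names, the DRY_RUN switch and the --run driver are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not EMC code): rotate the Transport System Service key
# store password with keytool and write the new value to the matching
# lockbox item, so the store and the lockbox never disagree. Locations are
# the Transport System Service entries from Tables 5, 6, 10 and 12.
TSS_HOME=/opt/EMC/TransportSystemService
KEYTOOL=/opt/EMC/IMF/jre/bin/keytool        # keytool ships with the bundled JDK
JAVA=$TSS_HOME/jre/bin/java
LOCKBOX_JAR=$TSS_HOME/lib/imf-lockbox.jar
KEYSTORE=$TSS_HOME/config/GridSystemService.ks
LOCKBOX_ITEM=GridSystemService.keyStorePassword
export LD_LIBRARY_PATH=$TSS_HOME/lib/native
export LOCK_BOX_FILE=$TSS_HOME/config/lockbox

# DRY_RUN=1 prints each command instead of executing it (assumed switch,
# used by the self-check); leave it unset on the Media Access Node.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Pull the value out of a "display" result line such as:
#   Item GridSystemService.keyStorePassword is set to "Test123!".
lockbox_value() {
    sed -n 's/^Item [^ ]* is set to "\(.*\)"\.$/\1/p'
}

# Step 1: change the key store password (keytool -storepasswd is the
# standard JDK operation). Step 2 runs only if step 1 succeeded, so a
# keytool failure never leaves the lockbox holding a password the store
# does not have. If the private key entry carries its own password,
# rotate it as well with: keytool -keypasswd -alias <alias> -keystore "$KEYSTORE"
rotate_keystore_password() {
    old=$1
    new=$2
    run "$KEYTOOL" -storepasswd -keystore "$KEYSTORE" -storepass "$old" -new "$new" || return 1
    run "$JAVA" -jar "$LOCKBOX_JAR" set "$LOCKBOX_ITEM" "$new"
}

# Interactive driver: sh rotate_ks_password.sh --run
# The current password is read from the lockbox (no lockbox password is
# needed on a registered host) and the new one is prompted for with echo
# off, so neither lands in shell history. As in the guide's own examples,
# both are still visible in the process list while the commands run.
if [ "${1:-}" = "--run" ]; then
    old=$("$JAVA" -jar "$LOCKBOX_JAR" display "$LOCKBOX_ITEM" | lockbox_value)
    [ -n "$old" ] || { echo "could not read $LOCKBOX_ITEM from $LOCK_BOX_FILE" >&2; exit 1; }
    printf 'New key store password: '
    stty -echo; read -r new; stty echo; echo
    rotate_keystore_password "$old" "$new" && echo "rotated $KEYSTORE and updated $LOCKBOX_ITEM"
fi
```

Restart the Transport System Service after the rotation so that it reloads the key store with the password now stored in its lockbox.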
