The Dell EMC VPLEX GeoSynchrony 6.2 Service Pack 1 Security Configuration Guide provides essential information on managing and securing VPLEX systems. It includes chapters on security recommendations, user authentication, and management server operating systems, along with detailed instructions for configuring user accounts and communication security settings. The document is intended for customers and service providers to ensure the secure operation of their storage environments.


Dell EMC VPLEX GeoSynchrony 6.2 Service Pack 1
Security Configuration Guide
6.2.1

January 2024
Rev. A00
Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.

CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid
the problem.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2024 Dell Inc. or its subsidiaries. All rights reserved. Dell Technologies, Dell, and other trademarks are trademarks of Dell Inc. or its
subsidiaries. Other trademarks may be trademarks of their respective owners.
Contents

Tables........................................................................................................................................... 5
Preface.........................................................................................................................................................................................6

Chapter 1: VPLEX Overview...........................................................................................................8

Chapter 2: Security Recommendations........................................................................................ 12

Chapter 3: VPLEX Management Server Operating System and Networking.................................. 13


Accessing the management server................................................................................................................................14
Using SSH to access the management server shell............................................................................................ 14
Using HTTPS to access the VPLEX GUI................................................................................................................ 14
Using IPsec VPN in a VPLEX Metro implementation.......................................................................................... 14
Using SCP to copy files.............................................................................................................................................. 15
Using a tunneled VNC connection to access the management server desktop...........................................17

Chapter 4: IP addresses and component IDs................................................................................ 19

Chapter 5: Implementing IPv6..................................................................................................... 24

Chapter 6: Security configuration settings..................................................................................25


User Roles, Accounts, and Privileges........................................................................................................................... 25

Chapter 7: Configuring User Authentication................................................................................ 28


Role-Based Access Control Feature: Overview.........................................................................................................28
Role Descriptions ....................................................................................................................................................29
Role-based access control and NDU...................................................................................................................... 30
Implementing LDAP.......................................................................................................................................................... 30
Password Policy ................................................................................................................................................................ 31
Synchronizing service account password to MMCS peer...................................................................................... 33

Chapter 8: Manage user accounts............................................................................................... 35


Adding user accounts.......................................................................................................................................................35
View or Modify User Account Details.......................................................................................................................... 35
Changing passwords.........................................................................................................................................................37
Resetting passwords........................................................................................................................................................ 37
Changing the service account password.....................................................................................................................38
Deleting user accounts.................................................................................................................................................... 38

Chapter 9: Log File Settings........................................................................................................ 39

Chapter 10: Communication Security Settings............................................................................ 40


Communication security settings.................................................................................................................................. 40
IP WAN COM................................................................................................................................................................40
Accessibility.................................................................................................................................................................. 40

Port Usage..................................................................................................................................................................... 41
Communications Specifications - VPLEX Metro System.................................................................................. 42
Communications Specifications - VPLEX Local System.................................................................................... 44
Network Encryption....................................................................................................................................................45
Creating a Local Certification Authority................................................................................................................ 45
Finding the host certificates SHA256 and MD5 fingerprints........................................................................... 46
Finding the SSH key fingerprint (for SSH users)................................................................................................ 47
Data security settings.................................................................................................................................................47

Tables

1 Typographical conventions used............................................................................................................................ 6


2 MMCS IP Addresses................................................................................................................................................ 21
3 Quad-Engine Cluster Director IP Addresses...................................................................................................... 21
4 Dual-Engine Cluster Director IP Addresses....................................................................................................... 22
5 Single-Engine Cluster Director IP Addresses.................................................................................................... 22
6 Last Octets of Director IP Addresses................................................................................................................. 22
7 Cables and Director IP Addresses........................................................................................................................22
8 IPv6 Support on VPLEX Components................................................................................................................ 24
9 VPLEX User Accounts and Privileges.................................................................................................................25
10 VPLEX Operations and Account Types..............................................................................................................26
11 Description of Roles in Role-Based Access Control........................................................................................29
12 Default Password Policies...................................................................................................................................... 31
13 VPLEX Component Log Files................................................................................................................................ 39
14 Port Usage................................................................................................................................................................. 41
15 Communication in a VPLEX Metro System....................................................................................................... 43
16 Communication in a VPLEX Local System.........................................................................................................44

Preface
As part of an effort to improve its product lines, Dell EMC periodically releases revisions of its software and hardware.
Therefore, some functions that are described in this document might not be supported by all versions of the software or
hardware currently in use. The product release notes provide the most up-to-date information about product features.
Contact your Dell EMC technical support professional if a product does not function properly or does not function as described
in this document.
NOTE: This document was accurate at publication time. Go to Dell EMC Online Support to ensure that you are using the
latest version of this document.

Purpose
This document is part of the VPLEX documentation set, and includes conceptual information about managing your VPLEX
system.

Audience
This guide is intended for use by customers and service providers to configure and manage a storage environment.

Related Documentation
Contains document titles for the appliance document set. Related documents (available on Dell EMC Online Support and Solve)
include:
● VPLEX Release Notes for GeoSynchrony Releases
● VPLEX Product Guide
● VPLEX Hardware Environment Setup Guide
● VPLEX Configuration Worksheet
● VPLEX Configuration Guide
● VPLEX Security Configuration Guide
● VPLEX CLI Reference Guide
● VPLEX Administration Guide
● Unisphere for VPLEX Help
● VPLEX Element Manager API Guide Version 2 (REST API v2)
● VPLEX Open-Source Licenses
● VPLEX GPL3 Open-Source Licenses
● Procedures provided through the SolVe Desktop
● Dell EMC Host Connectivity Guides
● Dell EMC VPLEX Hardware Installation Guide
● Various best practice technical notes available at Dell EMC Online Support.

Typographical conventions
Table 1. Typographical conventions used
Type style Description
Bold Used for names of interface elements, such as names of
windows, dialog boxes, buttons, fields, tab names, key names,
and menu paths (what the user specifically selects or clicks).
Italic Used for full titles of publications referenced in text

Table 1. Typographical conventions used (continued)
Type style Description
Monospace Used for:
● System code
● System output, such as an error message or script
● Pathnames, filenames, prompts, and syntax
● Commands and options
Monospace italic Used for variables
Monospace bold Used for user input
[] Square brackets enclose optional values.
| Vertical bar indicates alternate selections - the bar means
"or".
{} Braces enclose content that the user must specify, such as x
or y or z.
... Ellipses indicate nonessential information that is omitted from
the example.

Where to get help


Support and product information can be obtained as follows:
Product information - For documentation, release notes, software updates, or information about products, go to Dell EMC
Online Support.
Technical support - Go to Dell EMC Online Support and click Service Center. You will see several options for contacting Dell
EMC Technical Support. To open a service request, you must have a valid support agreement. Contact your Dell EMC sales
representative for details about obtaining a valid support agreement or with questions about your account.
Online communities - Go to Dell EMC Community Network for peer contacts, conversations, and content on product support
and solutions. Interactively engage online with customers, partners, and certified professionals for all Dell EMC products.

Your comments
Your suggestions help to improve the accuracy, organization, and overall quality of the user publications. Send your opinions of
this document to: [email protected].

Chapter 1: VPLEX Overview
A Dell EMC VPLEX cluster consists of one, two, or four engines (each containing two directors), and a management server. A
dual-engine or quad-engine cluster also includes a pair of Fibre Channel switches for communication between directors.
A standby power supply (SPS) protects each VS2 engine in all configurations. The VS2 dual-engine and quad-engine configurations also include Fibre Channel switches and UPSs; the Fibre Channel switches draw their power from the UPSs. All VS2 configurations have a separate management server, and in the dual-engine and quad-engine configurations the management server is powered from a UPS.
Each VS6 engine has Battery Backup Units (BBUs) in place of the SPS used on VS2. Dual-engine and quad-engine VS6 configurations have InfiniBand (IB) switches and UPSs, and the IB switches draw their power from the UPSs. The VS6 engine has two Management Module Control Stations (MMCS): the top one in engine-1-1 is the management server (MMCS-A). The second one, MMCS-B, does not act as a management server or as a backup to MMCS-A; it is used only to manage the alternate (128.221.253.x) address in the VS6 configuration. There is only one management server per VS6 configuration; it is in engine-1-1 and is powered by the engine chassis.
The management server has a public Ethernet port that provides cluster management services when connected to the customer network. The same port can also provide call-home services by connecting to a Dell EMC Secure Remote Support (ESRS) gateway deployed on the same network. The ESRS gateway is also used by Dell EMC personnel to provide remote service.
Two VPLEX implementations are available:
● VPLEX Local (single cluster)
● VPLEX Metro (two clusters separated by synchronous distances)
In a VPLEX Metro implementation, the clusters are connected over IP between the management servers.
VPLEX user authentication is configured locally on the management server or remotely on an OpenLDAP or Active Directory
server which integrates with UNIX using Service for UNIX 3.5, Identity Management for UNIX, or other authentication service.
A management server in each VPLEX cluster authenticates users against account information that is kept on its local file system
or against the LDAP/AD server. An authenticated user can manage resources in the local cluster.
In a VPLEX Metro, a user authenticated by either management server can manage all resources in both clusters. The figure below shows an example VPLEX cluster configuration (quad-engine system).

[Figure 1 diagram: rack layout of a VS2 quad-engine cluster showing Engines 1 to 4 (each with Director A and Director B), SPS 1A to 4B, Fibre Channel switches A and B, UPS A and B, the management server, and the laptop tray; drawing VPLX-000228]

Figure 1. VPLEX Cluster Configuration (VS2)

Figure 2. VPLEX Cluster Configuration (VS6) - front view

Figure 3. VPLEX Cluster Configuration (VS6) - rear view

Chapter 2: Security Recommendations
While the Security Configuration Guide must be reviewed in its entirety, this section highlights the most important Dell EMC security recommendations for protecting your data and environment.
● Given the elevated permissions granted to the service account, its password must be changed to protect VPLEX from misuse or abuse of those privileges. Changing the service account password provides more information.
● To protect data in transit between the clusters of a VPLEX Metro configuration, an external encryption solution such as IPsec must be used to provide confidentiality and authentication for the IP WAN COM link. Communication Security Settings provides more information.
● To protect the identity and integrity of your users and their account credentials, all LDAP communication must be configured to use the LDAPS protocol. Implementing LDAP provides more information.
● When the service account password is changed, make your field engineer, your SAM, or Support aware that it has been changed and what the new password is, so that it can be recorded in the connectivity hub. When Support works a case that requires access, they can then obtain the customer's permission to use the current service account without the delay of first recovering the password.

Chapter 3: VPLEX Management Server Operating System and Networking
The operating system (OS) of the VPLEX management server is based on SUSE Linux Enterprise Server (SLES). In GeoSynchrony releases 5.3 through 5.5.2 and their patches, the management server runs SLES 11 Service Pack 3. From release 6.0 through 6.2 Patch 7, the management server, including MMCS-A and MMCS-B on VS6, runs SLES 11 Service Pack 4. In 6.2 Service Pack 1 the management server, including MMCS-A and MMCS-B on VS6, runs SLES 15 Service Pack 3.
NOTE: All releases before 6.2.x have reached End of Service Support (EOSS). Upgrade VPLEX to the latest GeoSynchrony code release to get all fixes, security fixes, and improvements that are not available at the currently running code level.
The operating system is configured to meet Dell EMC security standards by disabling or removing unused services and packages, and by protecting access to network services with a firewall. The packages that remain installed are kept current with security updates.
A VS2 management server has four Ethernet ports, identified as eth0 through eth3 by the operating system, which is shown in
the figure below. A 1 Gb/s public management port (eth3) is the only Ethernet port in the VPLEX rack that may be connected
to an external management LAN. Other components in the rack are connected to two redundant private management Ethernet
networks, which are connected to the management server eth0 and eth2 ports. A service port (eth1) can be connected to a
local laptop, giving access to the same services as a host on the management LAN.

Figure 4. VS2 Management server - rear view

In a VS6 system, the management server modules (MMCS-A and MMCS-B) are in the first engine of the cluster. All remaining engines have Akula management modules for management connectivity. MMCS-A is the management interface to the public network and to the other VPLEX components in the cluster.

Figure 5. Customer IP network connections on MMCS-A and MMCS-B

Topics:
• Accessing the management server



Accessing the management server
Three protocols allow access to a VPLEX management server over a secure and encrypted connection: SSH, HTTPS, and IPsec
VPN.

Using SSH to access the management server shell


Users can log in to the management server shell over SSH version 2, through the management server's public Ethernet port or
service port. The SSH service is available on the standard port 22.

About this task


An SSH login with appropriate credentials gives access to a Linux shell on the management server. From there:
● Users can access the VPLEX command line interface (VPlexcli).
● A service account user can also inspect log files, start and stop services, and upgrade firmware and software.
SSH can also be used to establish a secure tunnel between the management server and the host running the SSH client. Using a tunneled VNC connection to access the management server desktop provides more information. On the first connection, compare the host key fingerprint that the SSH client displays with the fingerprint obtained on the management server (see Finding the SSH key fingerprint) before accepting it.

Using HTTPS to access the VPLEX GUI


The Unisphere for VPLEX graphical user interface (GUI) is available as a web service on the management server's public Ethernet port and service port, using the HTTPS protocol on the standard port 443.

About this task


The following URL initiates an HTTPS connection to the GUI:

https://management_server_public_IP_address

To access the GUI using an IPv6 address, use the following URL:

https://[mgmtserver_ipv6_addr]

For example:

https://[3ffe:80c0:22c:803c:215:17ff:fed3:207]/smsflex/VPlexConsole.html

NOTE: Accessing the VPLEX GUI or the VPLEX CLI over IPv6 is possible only if the client machine is also in an IPv6
network. The readonly user can access the GUI in read-only mode with limitations.
The GUI encrypts all traffic using a server certificate. Creating a host certificate provides more information.
NOTE: By default, the GUI logs the user out after 10 minutes of inactivity. The timeout can be raised to a maximum of 12 hours; a longer timeout lengthens the window in which an unattended session can be used by someone else, so keep it as short as operations allow.

Using IPsec VPN in a VPLEX Metro implementation


About this task
The management servers of the two clusters in a VPLEX Metro must connect to each other over a Virtual Private Network (VPN) through their public Ethernet ports, as shown in the following figure.



Figure 6. IPSec VPN connection

Although you might have already secured the network connections between two VPLEX Metro clusters, the management
servers must establish an explicit VPN connection, to acknowledge that the remote management server has full management
control over the local cluster and its resources.
The VPLEX management server uses strongSwan, an open source implementation of IPsec for Linux.

Using SCP to copy files


The Secure Copy Protocol (SCP) allows users to transfer files to and from the management server. SCP uses the same
credentials as SSH. Popular SCP clients are WinSCP and PSCP provided by the PuTTY package, and the SCP client provided by
OpenSSH.

Transferring files to and from the management server using SCP


VPLEX allows file transfer to and from the management server using SCP. In VPLEX release 6.0 and later, unrestricted SCP access goes together with shell access; users without shell access are limited to the share directories described below.

Prerequisites
To transfer files to or from arbitrary management server paths with SCP, you must have shell access. Users without shell access can still use SCP, subject to the restrictions below.

About this task


Users with no shell access can transfer files only to and from specific management server directories: files are transferred in with SCP to a designated incoming directory, and retrieved from a separate outgoing directory on the management server.

NOTE: You cannot transfer or retrieve directories.

Files that are transferred with SCP into or out of the management server can be viewed in the contexts /management-server/users/share/in and /management-server/users/share/out respectively. All users see identical output (independent of file ownership) under these in and out contexts. Only the owner of a file, or the admin or service user, can delete it.
For example, if user testuser1 (with no shell access) uses SCP to transfer a file named a.txt into the management server,
anyone that is logged into the management server sees a.txt displayed in the /management-server/users/share/in
context. No one other than testuser1 (or admin or service) can delete a.txt from the management server.
service and admin users are authorized to delete any existing file in the SCP subdirectories, using the CLI rm command. Other
users are only authorized to delete files to which they have access. See the rm command in the EMC VPLEX CLI Reference
Guide for details.
To modify permissions for SCP file transfers to and from the management server, do the following.



Steps
1. Verify the attribute value for VPLEX local user testuser1 by listing the /management-server/users/local/testuser1 context. shell-access is set to false by default.

VPlexcli:/management-server/users/local/testuser1> ls
Name Value
------------ ---------
role-name vplexuser
shell-access false
user-name testuser1

2. Run the following examples to test SCP file transfers for restricted shell user testuser1.
a. Transfer files from a remote server and verify that the file transfer was successful by listing the management server SCP
in context.

admin@host1:~> scp monitor.xml testuser1@<mgmt-server-ip>:


Password:
monitor.xml 100% 1532 1.5KB/s 00:00

VPlexcli:/> ll /management-server/share/in/

Name
---------------
logfile
loginbanner.txt
monitor.xml

b. Transfer a file from the management server to an external host and verify the result on the management server. The file must be present in the shell location /diag/share/out/, which corresponds to /management-server/share/out/ in the CLI.

VPlexcli:/> ll /management-server/share/out/

Name
--------
testfile

Copy files to a remote server using scp.

admin@host1:~> scp testuser1@<mgmt-server-ip>:testfile .


Password:
testfile 100% 0 0.0KB/s 00:00
admin@host1:~> ls
bin monitor.xml testfile

c. Attempt to transfer a file into a management server directory that is not accessible to the shell-restricted user testuser1. The general form is:

admin@host1:~> scp testfile testuser1@<mgmt-server-ip>:/tmp/

admin@host1:~> scp logfile testuser1@<mgmt-server-ip>:/tmp/

Warning: Permanently added '10.110.19.35' (ECDSA) to the list of known hosts.


Password:
[ERROR]/tmp/: Re-enter the command without the destination file path.
Usage: 'scp <absolute path to file> <user>@<public-ip-address>:'

Then attempt to retrieve a file from /tmp/ on the management server, a location outside the share directories:

admin@host1:~> scp testuser1@<mgmt-server-ip>:/tmp/testfile .



The command fails. The error output shows the cause: the path lies outside the directories visible to the restricted user.

Warning: Permanently added '10.110.19.35' (ECDSA) to the list of known hosts.


Password:
[ERROR]scp: /tmp/testfile: No such file or directory

d. Delete a.txt from the SCP share/in context using the rm command.

VPlexcli:/management-server/share/in> ls
a.txt b.txt

VPlexcli:/management-server/share/in> rm a.txt

VPlexcli:/management-server/share/in> ls
b.txt
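The scp transcripts in step c show the client adding the management server's ECDSA host key to known_hosts on first contact ("Warning: Permanently added ... to the list of known hosts"). That is a trust-on-first-use decision, and the guide's section Finding the SSH key fingerprint exists so the value can be checked against one read on the management server itself. The following Python script, added here as an example and not part of the VPLEX guide, computes the same SHA256 and MD5 fingerprints that `ssh-keygen -lf` prints from a public key or known_hosts line, so the fingerprint shown by the SSH client can be compared with the one obtained out of band. The sample key is constructed from a fixed byte pattern and belongs to no real system; the host address in the sample known_hosts line is the one used in the transcripts above.

```python
"""Compute OpenSSH-style host key fingerprints from a public key line.

Added example, not from the VPLEX guide. The SHA256 and MD5 values are
the ones `ssh-keygen -lf` prints, so a value shown by the SSH client on
first connection can be compared with one read out of band.
"""
from __future__ import annotations

import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (uint32 length prefix + bytes)."""
    return struct.pack(">I", len(data)) + data


def parse_public_key_line(line: str) -> tuple[str, bytes]:
    """Split an authorized_keys or known_hosts style line into (type, blob).

    Accepts 'ssh-ed25519 AAAA... comment' as well as the known_hosts form
    'host ssh-ed25519 AAAA...'. Returns the key type and the decoded blob.
    """
    fields = line.split()
    # known_hosts lines start with the host name (or a hashed host); skip it
    if fields and not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
        fields = fields[1:]
    if len(fields) < 2:
        raise ValueError("not a public key line")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob's first string must repeat the key type; a mismatch means
    # a tampered or mis-pasted line.
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != key_type.encode():
        raise ValueError("key type field does not match blob")
    return key_type, blob


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint: base64 of the digest, '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy MD5 fingerprint: 16 colon-separated hex bytes."""
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprints(line: str) -> dict:
    """Both fingerprints for one public key or known_hosts line."""
    key_type, blob = parse_public_key_line(line)
    return {"type": key_type,
            "sha256": sha256_fingerprint(blob),
            "md5": md5_fingerprint(blob)}


def matches_expected(line: str, expected: str) -> bool:
    """True when either fingerprint of the line equals the value read out of band."""
    fp = fingerprints(line)
    return expected in (fp["sha256"], fp["md5"])


# Constructed sample: an ed25519 public key whose 32 raw bytes are a fixed
# pattern. It is NOT a key from any real VPLEX management server.
_RAW_KEY = bytes(range(32))
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(_RAW_KEY)
_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_LINE = "ssh-ed25519 " + _B64 + " vplex-mgmt"
SAMPLE_KNOWN_HOSTS_LINE = "10.110.19.35 ssh-ed25519 " + _B64


if __name__ == "__main__":
    # Typical use: paste the line from ~/.ssh/known_hosts and compare.
    print(fingerprints(SAMPLE_KNOWN_HOSTS_LINE))
```

In practice the line to feed in comes from the client's known_hosts file after the warning above, and the expected value comes from the management server (for example `ssh-keygen -lf` run on the host key there over a channel you already trust); a mismatch means the connection should not be used.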

Using a tunneled VNC connection to access the management server desktop
The SSH protocol can carry otherwise unencrypted traffic, such as VNC, through an encrypted SSH connection. Most SSH clients, such as OpenSSH and PuTTY, allow users to establish SSH tunnels by specifying a port on their local machine (source port) and a port on the management server (destination port).

About this task


Access to the management server's desktop is provided by VNC access through an SSH tunnel. Users must first establish an
SSH tunnel between destination port 5901 and local port 5901, and then connect a VNC viewer to local port 5901. Popular VNC
clients are RealVNC and TightVNC.
To establish a tunnel, you must log in with your standard SSH credentials. After a successful login, the SSH client program must
remain running, to allow the SSH tunnel to remain operational.
Follow these steps to establish a tunneled VNC connection using PuTTY:

Steps
1. Launch PuTTY.exe, and configure the PuTTY window as shown in the figure below:
● Server address — Public IP address of the VPLEX management server.
● Session name — Type a name for the PuTTY session you are configuring. This allows you to load the saved session if you
need to reconnect later, eliminating the need to configure the individual parameters again.
● Default settings — Verify, and set as shown if necessary.



Figure 7. PuTTY configuration window

2. Expand SSH in the Category list, and click Tunnels.


3. Configure the SSH port forwarding parameters as shown in the figure below, and then click Add.

Figure 8. PuTTY configuration: SSH port forwarding parameters

4. Click Open to establish an SSH tunnel to the management server.


When prompted, type the account password.

5. Authenticate as usual, and leave the PuTTY window open.


6. Launch the VNC viewer, and connect to localhost:5901.
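The same tunnel can be opened from a Linux or macOS workstation with the OpenSSH client. The script below is an added example, not part of the VPLEX guide: it builds the equivalent of the PuTTY forwarding above (local port 5901 to port 5901 on the management server), waits until the local end is listening, starts a VNC viewer against it, and tears the tunnel down afterwards. It assumes the VNC server on the management server is reached as localhost:5901 from the management server itself, that `ssh` and a `vncviewer` binary are on PATH, and that the management server's host key has already been verified and recorded in known_hosts, which is why StrictHostKeyChecking can be set to yes.

```python
"""Open the management server desktop through an SSH-tunneled VNC session.

Added example, not from the VPLEX guide: the OpenSSH equivalent of the
PuTTY steps. Assumes the VNC server is reachable as localhost:5901 on the
management server, `ssh` and `vncviewer` are on PATH, and the server's
host key is already in known_hosts.
"""
import shutil
import socket
import subprocess
import time

VNC_PORT = 5901


def tunnel_argv(user: str, host: str,
                local_port: int = VNC_PORT, remote_port: int = VNC_PORT) -> list:
    """Build the ssh command line for a loopback-only local port forward.

    -N                         no remote shell; the session only carries the tunnel
    -L 127.0.0.1:L:localhost:R bind the local listener to loopback so other hosts
                               on the client's LAN cannot reach the forwarded port
    ExitOnForwardFailure=yes   fail instead of silently connecting without the
                               forward (e.g. when the local port is already taken)
    StrictHostKeyChecking=yes  never accept an unknown or changed host key
    """
    forward = f"127.0.0.1:{local_port}:localhost:{remote_port}"
    return ["ssh", "-N", "-L", forward,
            "-o", "ExitOnForwardFailure=yes",
            "-o", "StrictHostKeyChecking=yes",
            f"{user}@{host}"]


def wait_for_listener(port: int, timeout: float = 15.0, proc=None) -> bool:
    """Poll until something accepts connections on 127.0.0.1:port.

    Returns False on timeout, or early if the ssh process given as `proc`
    has already exited (authentication failure, forward refused, ...).
    """
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if proc is not None and proc.poll() is not None:
            return False
        try:
            with socket.create_connection(("127.0.0.1", port), timeout=1):
                return True
        except OSError:
            time.sleep(0.5)
    return False


def open_desktop(user: str, host: str, local_port: int = VNC_PORT) -> int:
    """Start the tunnel, run the viewer, and stop the tunnel when the viewer exits."""
    if shutil.which("ssh") is None or shutil.which("vncviewer") is None:
        raise RuntimeError("ssh and vncviewer must be on PATH")
    tunnel = subprocess.Popen(tunnel_argv(user, host, local_port))
    try:
        if not wait_for_listener(local_port, proc=tunnel):
            raise RuntimeError("SSH tunnel did not come up; check the ssh output")
        # The viewer talks only to the local end of the tunnel.
        return subprocess.call(["vncviewer", f"127.0.0.1:{local_port}"])
    finally:
        tunnel.terminate()
        tunnel.wait()


if __name__ == "__main__":
    import sys
    raise SystemExit(open_desktop(sys.argv[1], sys.argv[2]))
```

Binding the listener to 127.0.0.1 matters: PuTTY's "Local ports accept connections from other hosts" option and OpenSSH's `-g` flag both expose the forwarded VNC port to the whole LAN, and VNC authentication alone is then all that protects the management desktop.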



Chapter 4: IP addresses and component IDs
The IP addresses of the VPLEX hardware components are determined using formulae that depend on the internal management
network (A or B), the Cluster IP Seed, and (for directors) the Enclosure ID (which matches the engine number).
The figures below show the IP addresses in a cluster with a Cluster IP Seed of 1 and addresses for a Cluster IP Seed of 2. The
Cluster IP Seed is the same as the Cluster ID, which depends on the following VPLEX implementation:
● VPLEX Local - The Cluster ID is always 1.
● VPLEX Metro - The Cluster ID for the first cluster that is set up is 1, and the second cluster is 2.
NOTE: The management server supports the coexistence of both the IPv6 and IPv4 address. However, the directors only
support IPv4 addresses.

Figure 9. VPLEX VS2 hardware component IP addresses in cluster 1



Figure 10. VPLEX VS2 hardware component IP addresses in cluster 2

Figure 11. VPLEX VS6 hardware component IP addresses in cluster 1



Figure 12. VPLEX VS6 hardware component IP addresses in cluster 2

MMCS IP Addresses
This table lists the IP addresses of the MMCS modules on engine-1 of VPLEX VS6 systems.

Table 2. MMCS IP Addresses

MMCS   Cluster 1 IP Address   Cluster 2 IP Address
A      128.221.252.33         128.221.252.65
B      128.221.253.33         128.221.253.65

Director IP Addresses on VPLEX VS6

List of IP addresses of all directors on both clusters in a quad-engine VPLEX system. For each director, the first address is on
management network A (128.221.252.x) and the second is on management network B (128.221.253.x).

Table 3. Quad-Engine Cluster Director IP Addresses

Director Name   Cluster 1 IP Addresses (A / B)      Director Name   Cluster 2 IP Addresses (A / B)
Director-1-1-A  128.221.252.35 / 128.221.253.35     Director-2-1-A  128.221.252.67 / 128.221.253.67
Director-1-1-B  128.221.252.36 / 128.221.253.36     Director-2-1-B  128.221.252.68 / 128.221.253.68
Director-1-2-A  128.221.252.37 / 128.221.253.37     Director-2-2-A  128.221.252.69 / 128.221.253.69
Director-1-2-B  128.221.252.38 / 128.221.253.38     Director-2-2-B  128.221.252.70 / 128.221.253.70
Director-1-3-A  128.221.252.39 / 128.221.253.39     Director-2-3-A  128.221.252.71 / 128.221.253.71
Director-1-3-B  128.221.252.40 / 128.221.253.40     Director-2-3-B  128.221.252.72 / 128.221.253.72
Director-1-4-A  128.221.252.41 / 128.221.253.41     Director-2-4-A  128.221.252.73 / 128.221.253.73
Director-1-4-B  128.221.252.42 / 128.221.253.42     Director-2-4-B  128.221.252.74 / 128.221.253.74

Dual-Engine Cluster - Director IP Addresses

List of IP addresses of all directors on both clusters in a dual-engine VPLEX system.

Table 4. Dual-Engine Cluster Director IP Addresses

Director Name   Cluster 1 IP Addresses (A / B)      Director Name   Cluster 2 IP Addresses (A / B)
Director-1-1-A  128.221.252.35 / 128.221.253.35     Director-2-1-A  128.221.252.67 / 128.221.253.67
Director-1-1-B  128.221.252.36 / 128.221.253.36     Director-2-1-B  128.221.252.68 / 128.221.253.68
Director-1-2-A  128.221.252.37 / 128.221.253.37     Director-2-2-A  128.221.252.69 / 128.221.253.69
Director-1-2-B  128.221.252.38 / 128.221.253.38     Director-2-2-B  128.221.252.70 / 128.221.253.70

Single-Engine Cluster - Director IP Addresses

List of IP addresses of all directors on both clusters in a single-engine VPLEX system.

Table 5. Single-Engine Cluster Director IP Addresses

Director Name   Cluster 1 IP Addresses (A / B)      Director Name   Cluster 2 IP Addresses (A / B)
Director-1-1-A  128.221.252.35 / 128.221.253.35     Director-2-1-A  128.221.252.67 / 128.221.253.67
Director-1-1-B  128.221.252.36 / 128.221.253.36     Director-2-1-B  128.221.252.68 / 128.221.253.68

Last Octets of Director IP Addresses

Table 6. Last Octets of Director IP Addresses

Deployment          Director Name   Cluster 1 Octet   Director Name   Cluster 2 Octet
Single, Dual, Quad  Director-1-1-A  35                Director-2-1-A  67
Single, Dual, Quad  Director-1-1-B  36                Director-2-1-B  68
Dual, Quad          Director-1-2-A  37                Director-2-2-A  69
Dual, Quad          Director-1-2-B  38                Director-2-2-B  70
Quad                Director-1-3-A  39                Director-2-3-A  71
Quad                Director-1-3-B  40                Director-2-3-B  72
Quad                Director-1-4-A  41                Director-2-4-A  73
Quad                Director-1-4-B  42                Director-2-4-B  74

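The address pattern in Tables 2 to 6 can be turned into a small inventory check, which is useful when reconciling what answers on the internal management networks against what the formulae say should be there. The following is an added example, not code from the VPLEX product or from this guide: the block-of-32 arithmetic (MMCS at block base + 1, Director-x-1-A at block base + 3) is inferred from the tables above for seeds 1 and 2 and engines 1 to 4, and is assumed to hold only within that range; the 128.221.252 (network A) and 128.221.253 (network B) prefixes come from the same tables.

```python
"""Derive VPLEX internal-management IP addresses from the Cluster IP Seed, the
Enclosure ID and the management network (A or B), and audit an observed list.

Added example, not VPLEX code. The arithmetic is inferred from Tables 2 to 6
of the guide (seeds 1 and 2, engines 1 to 4) and is assumed to hold only there.
"""

NETWORK_PREFIX = {"A": "128.221.252", "B": "128.221.253"}
SEED_BLOCK = 32       # each Cluster IP Seed occupies a block of 32 last-octet values (assumption)
MMCS_OFFSET = 1       # MMCS modules sit at block base + 1 (.33 for seed 1, .65 for seed 2)
DIRECTOR_OFFSET = 3   # Director-x-1-A sits at block base + 3 (.35 / .67)
MAX_ENGINES = 4


def _block_base(seed):
    if seed not in (1, 2):
        raise ValueError("Cluster IP Seed must be 1 (Local, or first Metro cluster) or 2")
    return SEED_BLOCK * seed


def mmcs_ip(seed, module):
    """MMCS-A lives on network A, MMCS-B on network B (Table 2)."""
    module = module.upper()
    if module not in NETWORK_PREFIX:
        raise ValueError("MMCS module must be 'A' or 'B'")
    return f"{NETWORK_PREFIX[module]}.{_block_base(seed) + MMCS_OFFSET}"


def director_last_octet(seed, enclosure_id, side):
    """Last octet shared by a director's addresses on both networks (Table 6)."""
    if not 1 <= enclosure_id <= MAX_ENGINES:
        raise ValueError("Enclosure ID (engine number) must be 1..4")
    side = side.upper()
    if side not in ("A", "B"):
        raise ValueError("Director side must be 'A' or 'B'")
    return _block_base(seed) + DIRECTOR_OFFSET + 2 * (enclosure_id - 1) + (1 if side == "B" else 0)


def director_ip(seed, enclosure_id, side, network):
    """Director-<seed>-<enclosure>-<side> address on management network A or B."""
    network = network.upper()
    if network not in NETWORK_PREFIX:
        raise ValueError("network must be 'A' or 'B'")
    return f"{NETWORK_PREFIX[network]}.{director_last_octet(seed, enclosure_id, side)}"


def director_name(seed, enclosure_id, side):
    return f"Director-{seed}-{enclosure_id}-{side.upper()}"


def expected_addresses(seed, engines):
    """Map every expected component address to its owner for one cluster.
    engines: 1 (single), 2 (dual) or 4 (quad)."""
    table = {}
    for module in "AB":
        table[mmcs_ip(seed, module)] = f"MMCS-{module}"
    for e in range(1, engines + 1):
        for side in "AB":
            for net in "AB":
                table[director_ip(seed, e, side, net)] = director_name(seed, e, side)
    return table


def audit_inventory(seed, engines, observed):
    """Compare observed internal-management addresses (from an inventory or a
    switch ARP table, for example) with the expected set.
    Returns (missing, unexpected) as sorted lists."""
    expected = expected_addresses(seed, engines)
    observed_set = set(observed)
    missing = sorted(ip for ip in expected if ip not in observed_set)
    unexpected = sorted(ip for ip in observed_set if ip not in expected)
    return missing, unexpected


if __name__ == "__main__":
    # Constructed sample: a dual-engine cluster 1 where Director-1-2-B's network-B
    # address is absent and a stray .99 host answers on network A.
    seen = [ip for ip in expected_addresses(1, 2) if ip != "128.221.253.38"]
    seen.append("128.221.252.99")
    print(audit_inventory(1, 2, seen))
```

Anything reported as unexpected on these subnets deserves a look, since nothing other than the directors and MMCS modules is supposed to answer there.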
IP Addresses

Table 7. Cables and Director IP Addresses

Cable ID   Cable: From                           Cable: To                       Director IP Address if cable is in Cluster 1   Director IP Address if cable is in Cluster 2
in Figure
A1         MMCS-A Management A Fabric connector  Eng-2 MM-A LAN Service port     Director-1-1-A, subnet B: 128.221.253.35       Director-2-1-A, subnet B: 128.221.253.67
A2         Eng-2 MM-A LAN Management port        Eng-3 MM-A LAN Service port     Director-1-2-A, subnet B: 128.221.253.37       Director-2-2-A, subnet B: 128.221.253.69
A3         Eng-3 MM-A LAN Management port        Eng-4 MM-A LAN Service port     Director-1-3-A, subnet B: 128.221.253.39       Director-2-3-A, subnet B: 128.221.253.71
B1         MMCS-B Management B Fabric connector  Eng-4 MM-B LAN Management port  Director-1-1-B, subnet A: 128.221.252.36       Director-2-1-B, subnet A: 128.221.252.68
B2         Eng-2 MM-B LAN Management port        Eng-3 MM-B LAN Service port     Director-1-2-B, subnet A: 128.221.252.38       Director-2-2-B, subnet A: 128.221.252.70
B3         Eng-3 MM-B LAN Management port        Eng-4 MM-B LAN Service port     Director-1-3-B, subnet A: 128.221.252.40       Director-2-3-B, subnet A: 128.221.252.72



5
Implementing IPv6
In VPLEX, an IP address can be an IPv4 address, an IPv6 address, or both. While VPLEX continues to support IPv4, it now
supports the full IPv6 stack and dual-stack IPv4/IPv6, including:
● Browser session
● VPN connection
NOTE: In a virtual private network, the end points must always be of the same address family. That is, each leg in the VPN
connection must be either IPv4 or IPv6, not a mix of the two.
● WAN link ports
● CLI session
● Cluster Witness
● RecoverPoint

In Release 5.3, IPv6 is available only with new installations.


The transition from an IPv4 network to a network where IPv4 and IPv6 co-exist is challenging because the two protocols are
not designed to be interoperable with each other. Transition technologies such as tunneling or translator gateways are
required to exchange traffic between the two types of network.
The VPLEX management server uses the dual-stack mechanism to deploy IPv6. This mechanism gives complete support for both
IPv4 and IPv6, and allows applications to talk to both IPv4 and IPv6 peers. However, the choice of IP version is based on the
name lookup and application preference.
The following table describes IPv6 support on VPLEX components along with additional notes.

Table 8. IPv6 Support on VPLEX Components

VPLEX Component            Supports IPv4  Supports IPv6  Supports Co-Existence  Notes
Management server/MMCS-A   Yes            Yes            Yes                    ● The management server supports only global scope IPv6 static address configuration.
                                                                                ● The management server supports the coexistence of both IPv4 and IPv6 addresses.
Director                   Yes            No             No                     Directors continue to support IPv4 addresses only.
Cluster Witness            Yes            Yes            Yes                    The IPv6 address for a Cluster Witness can be specified using vCenter or the VMware console -> Configure Network.
WAN COM                    Yes            Yes            No                     The IP-WAN-COM link operates on either IPv4 or IPv6.
VASA Provider              Yes            No             No                     Although the VPLEX SMS supports IPv6, the VASA provider continues to support only IPv4 in Release 5.3. Therefore, VASA providers running in an IPv6 environment must specify the IPv4 SMS address for VASA provider setup or registration.
RecoverPoint               Yes            Yes            Yes                    RecoverPoint can communicate with the management server using either an IPv4 address or an IPv6 address.
LDAP/AD server             Yes            Yes            Yes                    The IP address can be specified during the LDAP configuration. To change the configured IP address, the configuration must be re-created.

The VPLEX Administration Guide gives additional information about IPv6.
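Three of the rules in this chapter lend themselves to a pre-deployment check of an addressing plan: directors accept IPv4 only (Table 8), both legs of a VPN must be in the same address family (the note under "VPN connection"), and the management server accepts only a global-scope IPv6 static address (Table 8). The following is an added example and not VPLEX code; the support matrix is copied from Table 8, while reading "global scope" as the IPv6 global unicast range 2000::/3 is this example's own interpretation.

```python
"""Validate planned VPLEX addresses against the IPv6 rules of this chapter.

Added example, not VPLEX code. IP_SUPPORT mirrors Table 8; treating "global
scope" as 2000::/3 is an assumption made here.
"""
import ipaddress

# Table 8: (supports IPv4, supports IPv6) per component.
IP_SUPPORT = {
    "management server": (True, True),
    "director": (True, False),
    "cluster witness": (True, True),
    "wan com": (True, True),
    "vasa provider": (True, False),
    "recoverpoint": (True, True),
    "ldap/ad server": (True, True),
}
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")   # assumed meaning of "global scope"


def check_component_address(component, address):
    """Return None if the address is acceptable for the component, else a reason string."""
    addr = ipaddress.ip_address(address)   # raises ValueError on malformed input
    try:
        v4_ok, v6_ok = IP_SUPPORT[component.lower()]
    except KeyError:
        return f"unknown component {component!r}"
    if addr.version == 4 and not v4_ok:
        return f"{component} does not support IPv4"
    if addr.version == 6:
        if not v6_ok:
            return f"{component} supports IPv4 only"
        if component.lower() == "management server" and addr not in GLOBAL_UNICAST:
            return "management server requires a global-scope IPv6 address"
    return None


def check_vpn_endpoints(local, remote):
    """Both legs of a VPN must be the same address family (both IPv4 or both IPv6)."""
    a, b = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    if a.version != b.version:
        return f"address-family mismatch: {local} is IPv{a.version}, {remote} is IPv{b.version}"
    return None


def validate_plan(plan):
    """plan: list of (component, address) entries plus optional ('vpn', (local, remote)).
    Returns the list of problems found; an empty list means the plan passes."""
    problems = []
    for component, value in plan:
        if component == "vpn":
            reason = check_vpn_endpoints(*value)
        else:
            reason = check_component_address(component, value)
        if reason:
            problems.append(f"{component} {value}: {reason}")
    return problems


if __name__ == "__main__":
    # Constructed addresses from documentation ranges, not a real site.
    sample = [
        ("management server", "2001:db8::10"),
        ("management server", "fe80::10"),        # link-local: rejected
        ("director", "2001:db8::20"),             # directors are IPv4-only
        ("director", "192.0.2.20"),
        ("vpn", ("192.0.2.1", "2001:db8::1")),    # mixed families: rejected
    ]
    for line in validate_plan(sample):
        print(line)
```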

6
Security configuration settings
This section provides an overview of user accounts and privileges.
Topics:
• User Roles, Accounts, and Privileges

User Roles, Accounts, and Privileges


Table 9. VPLEX User Accounts and Privileges

Component: Management server (1) / MMCS-A
  Account Type: service      Default Password: Mi@Dim7T (2)
  Privileges:
  ● Access to the management server desktop, VPlexcli, and Unisphere for VPLEX GUI
  ● Ability to start and stop management server services
  ● Run permissions for VPlexcli-related scripts
  ● Ability to perform VPlexcli commands
  ● Read/write access to log files
  Account Type: admin        Default Password: teS6nAX2 (3)
  Privileges:
  ● Access to management server desktop, VPlexcli, and Unisphere for VPLEX GUI
  ● Ability to create, modify, and delete new user accounts
  ● Ability to perform VPlexcli commands
  ● Read-only access to log files
  Account Type: vplexuser (default user)   Default Password: null
  Privileges:
  ● Access dependent on that granted with Role-based User Access. See Role-based User Access for complete descriptions of
    user types and permissions.
  Account Type: readonly     Default Password: null
  Privileges:
  ● Limited access dependent on the access granted with Role-based User Access. See Role-based User Access for complete
    descriptions of user types and permissions.
  ● Root privileges are disabled.
  ● The list of commands that are supported for readonly accounts is given for each release in the SolVe Desktop, in
    Administration > Configure > "Restricted Commands."
  Account Type: root         Default Password: null
  Privileges:
  ● Root privileges
  ● Access to management server desktop
  ● Read-only access to log files

Component: Fibre Channel COM switches (excluding FRU switches) (4)
  Account Type: service      Default Password: Mi@Dim7T
  Privileges:
  ● Access to the Fibre Channel internal switch interface
  ● Ability to start and stop switch services
  Account Type: admin        Default Password: Ry3fog4M
  Privileges:
  ● Access to the Fibre Channel internal switch interface
  ● Ability to add and delete other accounts on the switch interface
  ● Ability to change passwords on the switch interface

Component: Fibre Channel COM switch (FRU switches ONLY) (5)
  Account Type: root         Default Password: fibranne
  Privileges:
  ● Access to the Fibre Channel internal switch interface
  ● Ability to add and delete other accounts on the switch interface
  ● Ability to change passwords on the switch interface, including the root and factory passwords
  Account Type: admin        Default Password: password
  Privileges:
  ● Access to the Fibre Channel internal switch interface
  ● Ability to add and delete other accounts on the switch interface
  ● Ability to change passwords on the switch interface

Component: Management Server iDRAC
  Account Type: root         Default Password: calvin
  Privileges:
  ● Root privileges
  ● Access to management server desktop
  ● Change the default password of this component by connecting to the iDRAC port, as per the customer's password policy.

(1) You cannot delete the default management server accounts.


(2) Given the elevated permissions that are granted to the service account, its password must be changed in order to better
protect VPLEX from misuse or abuse of those privileges. See Changing the service account password for more information.
(3) The first user who tries to log in as admin is prompted to change the admin password before logging in. To change the
password when prompted, follow the steps in Changing Passwords. Follow all instructions except for changing the password
after you log in.
(4) Fibre Channel COM switches exist only in dual-engine and quad-engine VPLEX clusters.
(5) In switches that are shipped for field replacement or hardware upgrade (rather than as part of a cabinet system), there is no
service account.

Table 10. VPLEX Operations and Account Types

Component                  Operation                                   Service  Admin  User
Management server/MMCS-A   Startup and shutdown                        Yes      No     No
                           Create, modify, and delete users            No       Yes    No
                           Modify your own password                    Yes      Yes    Yes
                           Update or reset passwords for other users   No       Yes    No
                           Set IP configuration                        Yes      No     No
                           Change host names                           Yes      No     No
                           Start or stop NTP (1)                       Yes      No     No
                           Start or stop VPN                           Yes      No     No
                           Install, upgrade, backup, and restore       Yes      No     No
                           Run CRON jobs                               Yes      Yes    Yes
VPLEX CLI (VPLEX           Configure SNMP                              Yes      Yes    Yes
management)                Manage users and passwords                  No       Yes    No
                           Manage password policy                      No       Yes    No
                           Configure CallHome                          Yes      Yes    Yes
                           Create or renew certificates                Yes      Yes    Yes
                           Start and stop NTP (1)                      Yes      Yes    Yes
                           Configure LDAP                              Yes      Yes    Yes
                           Configure VPN                               Yes      Yes    Yes
                           Configure Cluster Witness                   Yes      No     No
                           Run EZ-Setup                                Yes      No     No
                           Configure and manage storage                Yes      Yes    Yes
Fibre Channel COM Switch   Log in                                      Yes      Yes    Yes
                           Run switch commands                         Yes      Yes    Yes

(1) ICMP/Ping is needed between the SMS (cluster 1) and the external NTP server.

NOTE: The root privileges for performing maintenance activities on Cluster Witness are restricted to the Service account.



7
Configuring User Authentication
VPLEX customers can choose to configure their user accounts using either:
● An external OpenLDAP or Active Directory server which integrates with UNIX using Service for UNIX 3.5, Identity
Management for UNIX, or another authentication service.
OpenLDAP and Active Directory users are authenticated by the server. Usernames and passwords that are created on an
external server are fetched from the remote system to the VPLEX system each time they are used.
● The VPLEX management server
Usernames and passwords are created locally on the VPLEX system, and are stored on VPLEX.

NOTE: TLS v1.2 and above are supported in 6.2 SP1; versions below 1.2 are no longer supported.

Customers who do not want to use an external LDAP server for maintaining user accounts create their user accounts on the
VPLEX system itself.
VPLEX is preconfigured with two default user accounts: admin and service.
See the Dell EMC VPLEX CLI Command Reference Guide for information about the commands used to configure user
authentication.
Topics:
• Role-Based Access Control Feature: Overview
• Implementing LDAP
• Password Policy
• Synchronizing service account password to MMCS peer

Role-Based Access Control Feature: Overview


NOTE: This feature does not support adding users at the OS level; that can only be done in LDAP.

To improve security, beginning with GeoSynchrony release 6.0 shell access is limited to the admin and service users only.
Any user or script that was previously defined with shell access (such as service, for example) continues to have shell access
in release 6.0. Users or scripts that did not have shell access before 6.0 must have their accounts explicitly defined by
role-based access control.
See the Dell EMC VPLEX CLI Reference Guide for more information about the user add command with the -r option.
Upon login, the management server takes users defined as admin or service to the shell command line. Users without shell
access are directed to the VPLEXCLI.
All users using LDAP credentials are defined as vplexuser by default.
Individual login credentials can be set for LDAP users, as every user account has a different username and password. However,
all LDAP users are given identical privileges (same role and same shell access value). The Administrator can either grant or
revoke shell access for any customizable role, such as vplexuser.



Connecting to the Management Server (Local and Metro), Entering into VPLEXCLI

Conceptual: Connect to Cluster 2 (Metro)

In previous releases, these sections had the user invoke the CLI from the shell. This is not needed in release 6.0 and later
releases: the user is automatically taken to the CLI (unless that user is admin or service, or is defined by the Administrator
as having shell privileges). In these sections, note the following:
NOTE: In order to issue shell commands, you must either be logged in as admin or service, or have shell access that is
explicitly granted by the Administrator. See the Dell EMC VPLEX Security Configuration Guide for instructions on using
the CLI to define accounts for shell access.

SCP File Transfers


VPLEX allows file transfer to and from the management server using SCP. In VPLEX release 6.0, SCP permissions are
granted with shell access.
Users with no shell access can perform SCP on files only (not on directories), from or to a single directory. An additional CLI
context represents this SCP directory. See the Dell EMC Security Configuration Guide for detailed information and examples.

NOTE: If you do not have shell access, you can only access a single directory when uploading and downloading files.

Role Descriptions
This topic describes roles that are supported under role-based access.
Shell access is turned off by default for all new VPLEX accounts. Roles are defined as follows:
● securityadmin - The VPLEX administrator at the customer site uses this role. There is only one securityadmin account
allowed in the management server. securityadmin has the same permissions as the vplexuser role yet also manages user
authorization and authentication (creating and deleting accounts).
● service - Only authorized Dell EMC service personnel use this role to configure VPLEX.
● vplexuser - This role is the basic minimum-access VPLEX user account. Best practices encourage that most users be
assigned this role with a unique customized account name. Limit assigning securityadmin roles to ensure security in your
installation. vplexuser role accounts correspond to accounts created by the admin and authorized VPLEX LDAP accounts.
● readonly - The readonly role limits users to perform read-only commands with the CLI, ensuring the user does not invoke
commands that damage or inhibit VPLEX functionality. It also gives a method of ensuring that automated monitoring tools
and scripts (CLI or REST) do not accidentally invoke damaging or unintended commands. The Admin can create one or
more accounts that have the readonly role. vplexuser role accounts (and authorized VPLEX LDAP accounts) created by the
Administrator may be defined as readonly when considered necessary.

Table 11. Description of Roles in Role-Based Access Control

Role           User name         Shell access (default)
securityadmin  admin             Customizable (true)
service        service           Always true
vplexuser      Customized name   Customizable (false)
readonly       Customized name   Customizable (false)

Current admin and service users continue to have shell access. The Administrator can turn shell access to service on or off
on a per-account basis, as described in this document.

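The role and shell-access rules of this section (Table 11, the login routing described under Role-Based Access Control, and the SCP restriction for users without shell access) can be written down as a small policy model that an administrator can test a planned account set against before changing anything on the management server. This is an added example, not VPLEX code: the role defaults are Table 11's, the "one securityadmin" and "service is always true" constraints come from the role descriptions above, and SCP_ROOT is a placeholder name, not the product's actual SCP directory.

```python
"""Role-based access control rules from this chapter, as a small policy model.

Added example, not VPLEX code. Encodes Table 11 (role to default shell access),
the constraints that service always has shell access and that only one
securityadmin account exists, login routing (shell vs VPLEXCLI) and the SCP
restriction for users without shell access. SCP_ROOT is a placeholder path.
"""
from dataclasses import dataclass

ROLE_DEFAULT_SHELL = {        # Table 11
    "securityadmin": True,
    "service": True,
    "vplexuser": False,
    "readonly": False,
}
SCP_ROOT = "/placeholder/scp-dir"   # hypothetical; the real context is documented in the CLI guide


@dataclass
class Account:
    user_name: str
    role: str
    shell_access: bool

    @classmethod
    def new(cls, user_name, role):
        """Create an account with the Table 11 default for its role."""
        if role not in ROLE_DEFAULT_SHELL:
            raise ValueError(f"unknown role {role!r}")
        return cls(user_name, role, ROLE_DEFAULT_SHELL[role])


class UserStore:
    def __init__(self):
        self.accounts = {}

    def add(self, account):
        if account.role == "securityadmin" and any(a.role == "securityadmin" for a in self.accounts.values()):
            raise ValueError("only one securityadmin account is allowed")
        if account.user_name in self.accounts:
            raise ValueError("user already exists")
        self.accounts[account.user_name] = account

    def set_shell_access(self, user_name, value):
        """Mirror of 'set shell-access <true|false>' with the Table 11 constraint."""
        acct = self.accounts[user_name]
        if acct.role == "service" and value is False:
            raise ValueError("shell access for the service role is always true")
        acct.shell_access = value
        return acct


def login_target(account):
    """Where a successful login lands: the Linux shell or the VPLEXCLI."""
    return "shell" if account.shell_access else "vplexcli"


def scp_allowed(account, path, is_directory):
    """Users without shell access may copy single files only, within the SCP directory."""
    if account.shell_access:
        return True
    if is_directory:
        return False
    return path.startswith(SCP_ROOT + "/") and "/" not in path[len(SCP_ROOT) + 1:]


def shell_holders(store):
    """Least-privilege review helper: who currently has shell access."""
    return sorted(a.user_name for a in store.accounts.values() if a.shell_access)


def violates(action, *args):
    """True if the policy refuses the action (raises ValueError)."""
    try:
        action(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    store = UserStore()
    store.add(Account.new("admin", "securityadmin"))
    store.add(Account.new("service", "service"))
    store.add(Account.new("monitor", "readonly"))
    store.add(Account.new("ops1", "vplexuser"))
    store.set_shell_access("ops1", True)
    print(shell_holders(store))                     # ['admin', 'ops1', 'service']
    print(login_target(store.accounts["monitor"]))  # vplexcli
```

Running shell_holders against the intended account list is the quick way to confirm that only the accounts that genuinely need the Linux shell are getting it; everyone else lands in the VPLEXCLI.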


Role-based access control and NDU
This topic describes the impact of role-based access in relation to NDUs.

Impact of role-based access control on NDU and Non-NDU tasks


Starting in 6.0 and later, NDU and non-NDU tasks are affected as follows.
● For NDUs - There is no noticeable change in behavior during NDU regarding shell access. However, in the NDU to the
next major release, explicit access must be granted through role-based access control for shell access going forward (after
upgrading to the next major release). It is possible that this explicit access for the next major release may be granted
through an automated step in the upgrade process, though this is not confirmed now.
● For non-NDU tasks - The Administrator must explicitly grant shell access after creating accounts (vplexuser and readonly
roles). Shell access continues for preexisting accounts with shell access (admin and service). Again, be aware that in
subsequent releases all accounts have to be granted explicit shell access by role-based access control.
Existing VPLEX customer NDUs to VPLEX release 6.0
John is an existing EMC customer. He is defined as admin and has always had Administrator privileges and shell access. For
VPLEX release 6.0, John sees no change in behavior and does not need to grant himself shell access (using role-based access
control) when upgrading to VPLEX release 6.0. John will, however, need to grant himself explicit shell access in future major
releases.
New VPLEX customer performs Greenfield install
Pete is a new EMC VPLEX customer performing a Greenfield install (no NDU). Pete plans to log in as either the admin or as the
service user. admin and service users have shell access by default in VPLEX release 6.0 so Pete does not need to perform any
tasks in order to perform shell commands.
Existing VPLEX customer NDUs to VPLEX release 6.0 and adds new user
Mary is a VPLEX customer. She NDUs to VPLEX release 6.0. After the NDU, Mary finds she needs to grant shell access to a
new user, Paul. Mary must use role-based access control to define Paul as a User with shell access, even though she does not
have to explicitly define shell access for herself until the next major release.
Existing VPLEX customer with shell scripts
Susan is a VPLEX customer. She NDUs to VPLEX release 6.0. Susan has many scripts that she runs which access the shell,
running under her admin account (which had shell access). Again, she will not have to explicitly grant shell access with
role-based access control for VPLEX release 6.0, but she will for the next major release.

Implementing LDAP
Starting in Release 5.2, LDAP configuration is securely persisted using an internal security component. This removes
bind user credential vulnerabilities. The new implementation of LDAP includes the following:
● Use of a new internal security component that ensures information is securely persisted.
● Support for Directory Server groups, a logical collection of users. Groups can be specified using the configuration commands
and can be added or removed using the map and unmap commands.
NOTE:
● LDAP should be reset before upgrading to 6.2.1, and reconfigured after the upgrade.
● Nested groups and dynamic groups are not supported.
● Mapping of Organizational Units (OUs) is not supported. Use of groups to map multiple users is recommended.
For upgraded systems or systems that have not previously had LDAP configured, existing configuration information and the way it
is persisted are not automatically modified. Authentication continues as it did before the upgrade, and users can continue
to be mapped or unmapped with the old configuration.
To use the new implementation in a system where an LDAP configuration exists, the LDAP configuration must be reconfigured
(unconfigured and then configured again) to leverage the new security features.
NOTE: Dell EMC recommends using the LDAPS protocol for safe communication between the Management Server and the Directory
Server.

LDAP configuration in the Management Server requires Directory Server attributes that are not explicitly captured
during the EZSetup interview process. Default values are used instead, which causes configuration issues only for Microsoft
Windows Active Directory Server. For Active Directory, use the authentication directory-service configure command to configure
the Management Server with the Microsoft Windows Active Directory details after completing EZSetup.
The VPLEX CLI Guide provides information about the commands that are used to configure LDAP.

Password Policy
Details of password policies and default values.
The VPLEX management server uses a Pluggable Authentication Module (PAM) infrastructure to enforce minimum password
quality. It uses pam_cracklib, a library that checks for dictionary words, to check potential passwords.

Table 12. Default Password Policies

Policy Name                  Description                                                                          Default Value
Minimum password length      The minimum number of characters used when creating or changing a password. The      8
                             minimum number of characters includes numbers, uppercase and lowercase letters, and
                             special characters.
Minimum password age         The minimum number of days during which a password cannot be changed after the       1
                             last password change. The service account default is 0 days.
Maximum password age         The maximum number of days that a password can be used since the last password       90
                             change. After the maximum number of days the account is locked and the user must
                             contact the admin user to reset the password. The service account default is
                             3650 days.
Password expiration warning  The number of days before the password expires during which a warning message        15
                             indicating that the password must be changed is displayed. The service account
                             default is 30 days.
Password inactive days       The number of days after a password has expired before the account is locked.        1

Starting in Release 5.2, the management server uses the default values for the password policies that are listed in the
above table. You can configure each password policy to meet your specific needs. The new value is written to the appropriate
configuration file, and existing users are updated with the new configuration. See the VPLEX CLI Command Reference Guide for
information about the commands that are used to set password policies and the values allowed.
Note the following:
● Password policies do not apply to users configured using the LDAP server. The LDAP server determines the valid password
characters.
● The Password inactive days policy does not apply to the admin account, to protect the admin user from account lockouts.
● During the management server software upgrade, the password of an existing user is not changed. Only the password age
information of the user changes.
● You must be an admin user to configure a password policy.
NOTE: VS6 systems support only GeoSynchrony version 6.0 and later.

Password Policy Default Values After an Upgrade


● If upgrading from a release earlier than 5.1 to release 5.2, the default values are new. If desired, you can change these
values. See the VPLEX CLI Command Reference Guide for information about setting password policies.
● If upgrading from release 5.1 to 5.2, the admin user no longer has the 90-day expiration set. The default value for the
minimum password length is 14, as it was set previously. You can change this value if desired. See the VPLEX CLI Command
Reference Guide for information about setting password policies.
● After upgrading to release 5.2, the admin user is not locked after the password expires. If the password for the
administrator account has not been changed in the last 91 days, then after upgrading to release 5.2 the admin user is
forced to change the password on the first login (after it has expired).


● After upgrading to 5.5 from 5.2 or earlier, 5.3 or 5.4, if you did not change the default service password, you must do so
within 30 days. A message displays to remind you that the default service password expires in 30 days.
● After upgrading to 6.0.x from 5.5.x or earlier, if you did not change the default service password, you must do so within 30
days. During an NDU, not every upgrade path checks the password policy and the password settings of the service account,
so an upgrade path can miss detecting the use of the default service account password. Within the 6.0.x versions, setting
the service account password back to the default one can cause a later upgrade path to detect the default password and force
it to expire in 30 days, if this was not caught in the previous upgrade paths.
● When installing VPLEX 5.5 on a new system, follow these prompts to change the default service password.

Checking if the default password is in use...

Changing password for service.

Please enter the old password:


Please enter the new password:
Please reenter the new password:

Successfully completed password change for service.

Similar steps to change the default service password are performed after the upgrade from VPLEX 5.2/5.4/5.5 to VPLEX
5.5. These are not encountered if the default service password has already been changed earlier in VPLEX 5.5 upgrade.

Valid Password Characters


The following characters are allowed in a VPlexcli password:
● A-Z
● a-z
● 0-9
● . ? / * @ ^ % # + = - _ ~ : Space
Note the following rules:
● A space is allowed only between the characters in a password, not in the beginning or the end of the password.
● The # cannot be used in the beginning of a password.
● The passphrase that is used during the VPN configuration can contain letters, numbers, and special characters.

Cluster Witness Passwords


When upgrading to VPLEX 6.0, the Cluster Witness default password is automatically changed, for security reasons, to a
random value, which can be displayed by the Administrator.
The Administrator can change the password to a specific value by running the configuration cw-change-password
command. See VPLEX CLI Command Reference Guide for more information.
Cluster Witness passwords allow additional characters:
!,$,&,(,),[,]
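The password rules spread across Table 12, the Valid Password Characters list and the Cluster Witness additions above can be checked locally before a password is submitted, and the ageing defaults can be used to predict when an account will start warning, expire or lock. The following is an added example, not the VPLEX PAM or pam_cracklib configuration: the character sets and ageing values are taken from the text above, the dictionary is a constructed stand-in for pam_cracklib's real word list, and the assumption that an account is "locked" starting the day after the inactive period (rather than on the expiry day itself, as the Maximum password age row also puts it) is this example's.

```python
"""Local-account password checks modelled on this guide's password policy.

Added example, not the VPLEX PAM/pam_cracklib configuration. Implements the
valid-character rules, the extra Cluster Witness characters and the Table 12
ageing defaults. CONSTRUCTED_DICTIONARY stands in for cracklib's dictionary.
"""
from datetime import date

BASE_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
                 ".?/*@^%#+=-_~: ")
CLUSTER_WITNESS_EXTRA = set("!$&()[]")
MIN_LENGTH = 8
CONSTRUCTED_DICTIONARY = {"password", "welcome", "vplex"}   # stand-in, not the real word list

# Table 12 defaults; the service-account overrides are noted in the same table.
DEFAULT_POLICY = {"min_age": 1, "max_age": 90, "warn_days": 15, "inactive_days": 1}
SERVICE_POLICY = {"min_age": 0, "max_age": 3650, "warn_days": 30, "inactive_days": 1}


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def password_problems(password, cluster_witness=False):
    """Return a list of rule violations; an empty list means the password is acceptable."""
    allowed = BASE_CHARS | (CLUSTER_WITNESS_EXTRA if cluster_witness else set())
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    bad = sorted({c for c in password if c not in allowed})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    if password[:1] == " " or password[-1:] == " ":
        problems.append("space only allowed between characters")
    if password.startswith("#"):
        problems.append("# cannot begin a password")
    if password.lower() in CONSTRUCTED_DICTIONARY:
        problems.append("dictionary word")
    return problems


def password_state(last_changed, today, policy=DEFAULT_POLICY):
    """Classify an account by password age: 'ok', 'warn', 'expired' or 'locked'.
    Assumption: 'locked' begins once max_age + inactive_days have elapsed."""
    age = (_as_date(today) - _as_date(last_changed)).days
    if age > policy["max_age"] + policy["inactive_days"]:
        return "locked"
    if age > policy["max_age"]:
        return "expired"
    if policy["max_age"] - age <= policy["warn_days"]:
        return "warn"
    return "ok"


def may_change_now(last_changed, today, policy=DEFAULT_POLICY):
    """Minimum password age: a change is refused until min_age days have passed."""
    return (_as_date(today) - _as_date(last_changed)).days >= policy["min_age"]


if __name__ == "__main__":
    print(password_problems("#short"))                          # two violations
    print(password_problems("Br[ack]et9"))                      # brackets not allowed locally
    print(password_problems("Br[ack]et9", cluster_witness=True))  # allowed for Cluster Witness
    print(password_state("2024-01-01", "2024-03-20"))           # 79 days old: warn
    print(password_state("2024-01-01", "2024-04-02"))           # 92 days old: locked
```

The same ageing arithmetic run with SERVICE_POLICY shows why the guide insists that the default service password be changed deliberately: with a 3650-day maximum age, nothing in the policy itself will ever force that change.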
Changing Cluster Witness Passwords

1. Update the CWS password to a random password string (works if the default CWS password is currently set):

VPlexcli:/> configuration cw-change-password

This command will change the Cluster Witness Server password.

Are you sure you want to continue? (Y/N): Y

Cluster Witness Server credentials updated successfully

----------

2. Update the CWS password (works if the default CWS password is currently set):



VPlexcli:/> configuration cw-change-password -p

This command will change the Cluster Witness Server password.

Are you sure you want to continue? (Y/N): Y

Enter the new cluster witness password:

Re-enter password:

The Cluster Witness Server password is changed successfully

----------

3. Force update the CWS password:

VPlexcli:/> configuration cw-change-password -f -p

Enter the new cluster witness password:

Re-enter password:

The Cluster Witness Server password is changed successfully

----------

4. Force update the CWS password from a known pre-set password to new password:

VPlexcli:/> configuration cw-change-password -c -p -f

Enter the existing cluster witness service user's password:

Re-enter password:

Enter the new cluster witness password:

Re-enter password:

The Cluster Witness Server password is changed successfully

----------

5. Force update the CWS password from a known pre-set password to a random string:

VPlexcli:/> configuration cw-change-password -c -f

Enter the existing cluster witness service user's password:

Re-enter password:

The Cluster Witness Server password is changed successfully

Synchronizing service account password to MMCS peer
In certain cases, you may need to manually synchronize the service account password between MMCS-A and MMCS-B, that is,
resynchronize it to the peer MMCS. Use the security configure-mmcs-users command to accomplish this. See the EMC VPLEX CLI
Reference Guide for more information.
Execute this command only in a troubleshooting scenario, ideally when advised to do so by EMC Customer Support.
Running the security configure-mmcs-users command
Running the command on a VS6 system produces the following result.

VPlexcli:/> security configure-mmcs-users


MMCS user configuration was successful.



Running the command on a non-VS6 system produces the following result.

VPlexcli:/> security configure-mmcs-users


This command is supported to run on VPlex VS6 hardware configuration only.



8
Manage user accounts
Topics:
• Adding user accounts
• View or Modify User Account Details
• Changing passwords
• Resetting passwords
• Changing the service account password
• Deleting user accounts

Adding user accounts


About this task
NOTE: In a VPLEX Metro configuration, VPLEX CLI accounts created on one management server are not propagated to
the second management server. The user list command displays only the accounts that are configured on the local
management server, not those on both servers.
A user with an admin account can create an account as follows:

Steps
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management
server.
2. Log in with username admin.
3. From the Linux shell prompt, type this command to connect to the VPlexcli:
vplexcli
4. Log in with username admin.
5. From the VPlexcli prompt, type the following command:

user add -u username

a. When prompted, type the admin account password.


b. When prompted for a password for the new user, type a password that adheres to the rules in Password policy.
c. When prompted, retype the new password.

NOTE: The new user must change the password the first time they log in.

View or Modify User Account Details


View or modify user accounts by changing attributes of the users context.

Prerequisites
When modifying user accounts, determine if the user needs shell access or not.
You must have administrator privileges to modify user accounts.
For an overview of role-based access control functionality and impact, see the VPLEX Security Configuration Guide.



About this task
You grant or restrict shell access by modifying the shell-access attribute with the set command in the users context.
vplexuser and readonly roles are defined with customizable usernames. Either the local or the ldap context is used,
depending on the method used to access a user account (LDAP or local access).
List the management-server/users context to view both LDAP and local users. For example:

VPlexcli:/management-server/users> ll

● ldap context - The ldap context displays the role-name and the shell-access associated with an LDAP user. All
LDAP users are given identical privileges and every LDAP user is treated the same.
Attributes associated with an LDAP user account are:
○ role-name - Name of the role with which the user account is associated.
○ shell-access - Defines the shell access privileges for a user.
In this example, LDAP users are mapped to the role-name vplexuser with shell-access set to false:

VPlexcli:/management-server/users/ldap> ll
Name Value
------------ ---------
role-name vplexuser
shell-access false

● local context - The local context displays the role-name and the shell-access associated with a user that has local
access. By default, admin and service are local users. In addition, any users that are created by admin are local
users.
Attributes associated with a local user account are:
○ user-name - Name of the user
○ role-name - Name of the role with which the user account is associated
○ shell-access - Defines the user's shell access privileges.
In this example, the admin user is defined with role securityadmin and shell-access disabled.

VPlexcli:/management-server/users/local/admin> ll
Name Value
------------ -------------
role-name securityadmin
shell-access false
user-name admin

To modify attributes such as role-name or shell-access, run the set command on the appropriate user account context.

Steps
1. List the attributes of the user (testuser in this example) by going to the appropriate context and running the ll command.

VPlexcli:/management-server/users/local/testuser> ll
role-name : user
shell-access : false
user-name : testuser

2. To grant shell access for testuser, run the set command.


a. Set shell-access to true as follows: set shell-access true.
b. Enter the administrator password.
c. Verify that the attributes of the user (testuser in this example) have been successfully modified by going to the
appropriate context and running the ll command.
3. To revoke or restrict shell access for testuser, use the set command.
a. Set shell-access to false as follows: set shell-access false.
b. Enter the administrator password.



c. Verify that the attributes of the user (testuser in this example) have been successfully modified by going to the
appropriate context and running the ll command. If shell-access was revoked, the following output is displayed.

VPlexcli:/management-server/users/local/testuser> ll
role-name : user
shell-access : false
user-name : testuser

NOTE:
● role-name and shell-access are the only two writable attributes. user-name is not modifiable.
● The service account cannot be restricted from having shell access.
● The role-name of admin and service accounts is not modifiable. For local user/LDAP accounts, role-name can
be modified to either vplexuser or readonly. If any other role-name is given, the command fails with the
following error message:

set: Evaluation of <<set role-name service>> failed.
cause: Failed to update value of 'role-name'.
cause: Failure committing new value for role-name on admin.
cause: Invalid role-name. Valid values are 'readonly' and
'vplexuser'. All values are case-sensitive.

Changing passwords
Any user can change their own password as follows:

Steps
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management
server.
2. Log in with the applicable username.
3. From the Linux shell prompt, type this command to connect to the VPlexcli:
vplexcli
4. Log in with username admin.
5. From the VPlexcli prompt, type the following command:

user passwd -u username

a. When prompted, type the old password.


b. When prompted for a new password, type a password that adheres to the rules in Password policy.
c. When prompted, retype the new password.

Resetting passwords
A user with an admin account can reset passwords for other users as follows:

Steps
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management
server.
2. Log in with username admin.
3. From the Linux shell prompt, type this command to connect to the VPlexcli:
vplexcli
4. Log in with username admin.



5. From the VPlexcli prompt, type the following command:

user reset -u username

a. When prompted, type the admin account password.


b. When prompted for a password for the new user, type a password that adheres to the rules in Password policy.
c. When prompted, retype the new password.

NOTE: The user must change the password the next time they log in.

Changing the service account password


About this task
Beginning with release 5.5, users are required to change the service password upon first use. EZSetup prompts the user to
change the service user password during the initial setup. Note that the policies for passwords listed in Password policy apply to
the service password.
The service password change is required in order to provide optimal protection for the powerful service account. The service
account is used by EMC to provide remote support through the EMC ESRS gateway. Therefore, the service password must be
updated or recorded in the customer service database in order to provide this support.
The service password must be changed in two locations:
● Management server
● Fibre Channel switches
To change the service password on the Fibre Channel switches, use the switch's passwd command.

Deleting user accounts


A user with an admin account can delete another user's account as follows:

Steps
1. Launch PuTTY (or a similar SSH client), and establish a connection to the public IP address of the VPLEX management
server.
2. Log in with username admin.
3. From the Linux shell prompt, type this command to connect to the VPlexcli:
vplexcli
4. Log in with username admin.
5. From the VPlexcli prompt, type the following command:

user remove -u username

When prompted, type the admin account password.



9
Log File Settings
This section describes log files relevant to security.

Log File Location


The following table lists the name and location of VPLEX component log files relevant to security.

Table 13. VPLEX Component Log Files


Component | Location
Unisphere for VPLEX | /var/log/VPlex/cli/session.log_username
management server OS | /var/log/messages
ConnectEMC files | /var/log/ConnectEMC/logs/ConnectEMC.log
Firewall | /var/log/firewall
VPN (ipsec) | /var/log/events.log
Firmware logs | /var/log/VPlex/cli/firmware.log_*
Client logs | /var/log/VPlex/cli/client.log_*
Perf logs | /var/log/VPlex/cli/fe_perf_stats*

Log File Management and Retrieval


All logs rotate automatically, to avoid unbounded consumption of disk space.



10
Communication Security Settings
This chapter contains the following topics.
Topics:
• Communication security settings

Communication security settings


This section describes the communication security settings that enable you to establish secure communication channels
between VPLEX components, and between VPLEX components and external systems.

IP WAN COM
A VPLEX Metro system does not support native encryption over an IP WAN-COM link. Dell EMC recommends that you deploy
an external encryption solution such as IPSec to achieve data confidentiality and end-point authentication over IP WAN COM
links between clusters.
For releases earlier than 6.0 Service Pack 1 Patch 5, VPLEX used ephemeral ports in the range of 32768 to 61000 for UDP
connections over IP WAN-COM. Starting in Release 6.0 Service Pack 1 Patch 5, VPLEX uses the TCP protocol for its IP
WAN-COM communications. Configure TCP ports on the firewall for IP WAN-COM communications to work after an upgrade to
6.0 Service Pack 1 Patch 5. If the firewall type is filter and not proxy, you must open the following firewall ports:
● UDP ports (for releases earlier than 6.0 Service Pack 1 Patch 5)
○ Port 10000 (bi-directional)
○ Port 11000 (bi-directional)
○ Ports 32768 to 61000 (UDP bi-directional)
● TCP ports (for release 6.0 Service Pack 1 Patch 5 and later)
○ Port 61484
○ Port 61483
○ Port 61482
○ Ports 32768 to 61000
NOTE:
● Open the TCP ports before upgrading to 6.0 Service Pack 1 Patch 5 to ensure WAN connectivity.
● Close the UDP ports after the upgrade and confirmation that VPLEX is running 6.0 Service Pack 1 Patch 5, and can
communicate using TCP ports. If you do not close the UDP ports, UDP packets that are destined to those ports
make it through the firewall, but the director drops the packets. To ensure security for the firewall and network, EMC
recommends that you close the UDP ports after the upgrade.

Accessibility
To establish secure communication, note the following:
● The following protocols must be allowed on the customer firewall (both in the outbound and inbound filters):
○ Encapsulating Security Payload (ESP): IP protocol number 50
○ Authentication Header (AH): IP protocol number 51
● The following ports must be allowed on the customer firewall:
○ Internet Key Exchange (IKE): UDP port 500
○ NAT Traversal in the IKE (IPsec NAT-T): UDP port 4500



○ Secure Shell (SSH): TCP port 22
● Static IP addresses must be assigned to the public ports on each management server (eth3) and the public port in the
Cluster Witness Server. If these IP addresses are in different subnets, the IP management network must be able to route
packets between all such subnets.
● The firewall configuration settings in the IP management network must not prevent the creation of IPsec tunnels. Cluster
Witness traffic as well as VPLEX management traffic leverages VPN tunnels established on top of IPsec.
● The IP management network must be capable of transferring SSH traffic between the management servers and the Cluster
Witness Server.
● The IP management network must be capable of transferring ICMP traffic between the management servers and the Cluster
Witness Server in order to enable configuration, upgrade, and diagnostics of Cluster Witness.
● The required minimum value for Maximum Transmission Unit (MTU) is 1500 bytes. Configure MTU as 1500 or larger.
NOTE: The IP management network must not be able to route to the following reserved VPLEX subnets: 128.221.252.0/24,
128.221.253.0/24, and 128.221.254.0/24.

If VPLEX is deployed with IP inter-cluster network, the inter-cluster network must not be able to route to the following
reserved VPLEX subnets: 128.221.252.0/24, 128.221.253.0/24, and 128.221.254.0/24.

Port Usage
The following table lists all the network ports and the services used by VPLEX components. This information, along with the
firewall settings, is required to use the product.

Table 14. Port Usage


Index Number | Port | Function | Service | Management Server 1 | Management Server 2 | Cluster Witness
1 | Public port TCP/22 | Log in to the management server OS, copy files to and from the management server using the SCP subservice, and establish SSH tunnels | SSH | Yes | Yes | Yes
2 | Service port TCP/22 | Same as index 1 | SSH | Yes | Yes | Yes
3 | Public port TCP/21 | EMC Secure Remote Service (ESRS) access to VPLEX | ESRS | Yes | Yes | No
4 | Public port TCP/443 | Same as index 3 | ESRS | Yes | Yes | No
5 | Public port TCP/5400 to 5413 | Same as index 3 | ESRS | Yes | Yes | No
6 | Public port UDP/500 | IPsec VPN | ISAKMP | Yes | Yes | Yes
7 | Public port UDP/4500 | IPsec VPN | IPsec NAT traversal | Yes | Yes | Yes
8 | Public port UDP/123 | Time synchronization service | NTP (1) | Yes | Yes | No
9 | Public port TCP/161 | Get performance statistics | SNMP | Yes | Yes | No
10 | Public port UDP/161 | Same as index 9 | SNMP | Yes | Yes | No
11 | Public port TCP/443 | Web access to the Unisphere for VPLEX GUI | HTTPS | Yes | Yes | No
12 | Service port TCP/443 | Same as index 11 | HTTPS | Yes | Yes | No
13 | Localhost TCP/5901 (no specific customer firewall settings are needed) | Access to the management server's desktop. Not available on the public network; it must be accessed through an SSH tunnel. | VNC | Yes | Yes | No
14 | Localhost TCP/49500 (no specific customer firewall settings are needed) | VPlexcli. Not available on the public network; it must be accessed through SSH. | Telnet | Yes | Yes | No
15 | Public port UDP/53 | Domain Name Service | DNS | Yes | Yes | Yes
16 | Any firewall between the Cluster Witness Server and the management servers must allow traffic for IP protocol numbers 1 (ICMP), 50 (ESP) and 51 (AH) | N/A | N/A | Yes | Yes | Yes

CAUTION: For VPLEX Performance Monitor, ensure that Port 443 is open on the firewall between VPLEX
Performance Monitor and VPLEX. See Knowledge Base article 474842 for more information about configuring
the firewall policy for VPLEX IP WAN-COM communications over filter-based firewall.

Notes
(1) ICMP/Ping is needed between the management server (cluster 1) and external NTP.

Communications Specifications - VPLEX Metro System


This figure illustrates the communication between VPLEX components in a VPLEX Metro system.



Figure 13. VPLEX Metro System

This table describes the possible communication between the VPLEX components in a VPLEX Metro system.

Table 15. Communication in a VPLEX Metro System


Serial Number | A <-> B | A <-> C | A <-> D | B <-> C | B <-> D | B <-> E | C <-> D | C <-> E
1 | Yes | Yes | Yes (only for initial setup) | Yes | Yes (only for code upgrades) | - | Yes (only for code upgrades) | -
2 | Yes | Yes | Yes (only for initial setup) | Yes | Yes (only for code upgrades) | - | Yes (only for code upgrades) | -
3 | - | - | - | - | - | Yes | - | Yes
4 | - | - | - | - | - | Yes | - | Yes
5 | - | - | - | - | - | Yes | - | Yes
6 | - | - | - | Yes | Yes | - | Yes | -
7 | - | - | - | Yes | Yes | - | Yes | -
8 | - | - | - | Yes | - | - | - | -
9 | Yes | Yes | - | - | - | - | - | -
10 | Yes | Yes | - | - | - | - | - | -
11 | Yes | Yes | - | - | - | - | - | -
12 | Yes | Yes | - | - | - | - | - | -
13 | Yes | Yes | - | - | - | - | - | -
14 | Yes | Yes | - | - | - | - | - | -
15 | - | - | - | Yes | - | - | - | Yes
16 | - | - | - | Yes | Yes | - | Yes | -

Legend:
● A - VPLEX Management Client
● B - Management Server 1
● C - Management Server 2
● D - VPLEX Cluster Witness
● E - ESRS Server

Communications Specifications - VPLEX Local System


This figure illustrates the communication between VPLEX components in a VPLEX Local System.

Figure 14. VPLEX Local system

This table describes the possible communication between the VPLEX components in a VPLEX Local System.

Table 16. Communication in a VPLEX Local System


Serial Number | A <-> B | B <-> C
1 | Yes | -
2 | Yes | -
3 | - | Yes
4 | - | Yes
5 | - | Yes
6 | - | -
7 | - | -
8 | - | -
9 | Yes | -
10 | Yes | -
11 | Yes | -
12 | Yes | -
13 | Yes | -
14 | Yes | -
15 | - | -
16 | - | -

Legend:
● A - VPLEX Management Client
● B - Management Server 1
● C - ESRS Server

Network Encryption
The VPLEX management server supports SSH through the sshd daemon provided by the FIPS compliant OpenSSH package.
It supports version 2 of the SSH protocol. When the management server starts for the first time, the sshd daemon
generates key pairs (private and public key) for communication with SSH clients. RSA, DSA and ECDSA key pairs are
generated to support communication with SSH version 2 clients.
The HTTPS protocol and the IPsec VPN use an X.509 host certificate to identify the server and encrypt all traffic. X.509 host
certificates use a 2048-bit host key. During initial setup of a VPLEX cluster, a local Certification Authority (which signs the host
certificate request) is created automatically.
VPLEX supports a corporate Certification Authority signing the host certificate requests. Users can import the corporate
Certification Authority signed CA certificate, host certificate and key file. The IPsec encryption can use certificates with RSA or
ECDSA generated key pairs. You can use only one type (RSA or ECDSA) when configuring VPN on all three components of
VPLEX, that is, the two management servers and the Cluster Witness Server. Note that for a VPLEX Metro configuration, the
host certificates for both web and VPN that are imported on both clusters should be signed and created using the same CA
certificate.
To import the corporate Certification Authority signed certificates, refer to the VPLEX CLI Guide.

Creating a Local Certification Authority


A Certification Authority (CA) on the VPLEX management server must be created solely for the purposes of signing
management server certificates.

About this task


The VPlexcli command create-ca-cert creates a CA certificate file and private key that is protected by a passphrase. By
default, this command creates the following:
● A 2048-bit CA key in /etc/ipsec.d/private/strongswanKey.pem
● A CA certificate in /etc/ipsec.d/cacerts/strongswanCert.pem that remains valid for 1825 days (5 years)
NOTE: When certificates are about to expire, you can go to the UI and renew the certificates from there. If the certificates
have already expired, see KBA 000169421 for more information or contact Dell Customer Support.



You must give a passphrase for the CA key and the CA certificate subject. The CA certificate subject must be the serial number
of the VPLEX cluster (found on the label that is attached to the top of the VPLEX cabinet). If you are creating a CA certificate
for a VPLEX Metro implementation, you can use either of the serial numbers of the cluster.

Creating a host certificate


About this task

NOTE: Host certificates are created as a part of EZsetup during a first time installation.

The VPlexcli command security create-host-certificate generates a host certificate request and signs it with the Certification
Authority certificate created in Creating a Local Certification Authority. By default, this command creates the following:
● A 2048-bit host key in /etc/ipsec.d/private/hostKey.pem
● A host certificate in /etc/ipsec.d/certs/hostCert.pem that remains valid for 730 days (2 years)
You must provide the CA key passphrase for the host key and the host certificate subject, which must be the cluster's serial
number (found on the label attached to the top of the VPLEX cabinet).

Installing the host certificate for use by HTTPS


Use the security web-configure command to install the host certificate for HTTPS.

About this task


See the EMC VPLEX CLI Reference Guide for more information.

Obtaining host certificate and host key fingerprints


When users first connect to the management server over SSH or connect to the UI using the HTTPS protocol, they are
asked to confirm the server identity. Most client programs display the fingerprints of the management server as MD5 or SHA256
checksums, allowing users to verify that they are connected to the VPLEX management server and not to another machine,
possibly deployed to harvest logins and passwords for a man-in-the-middle attack.
Once a user confirms the identity of the management server, subsequent connections do not ask for this confirmation, but instead
warn the user if the fingerprint of the management server has changed, which may be another indication of a man-in-the-middle
attack.
A VPLEX administrator may be asked by security-conscious users for the fingerprints of both the X.509 certificate that is used
for the UI and the host keys that are used for SSH access to the management server.

Finding the host certificate's SHA256 and MD5 fingerprints


About this task
To find the SHA256 and MD5 fingerprints of the host certificate (for UI users), do the following.

Steps
1. Type the following command:

openssl x509 -noout -in hostCert.pem -fingerprint -sha256

Output example:

SHA256 Fingerprint=91:65:4C:02:80:C0:C8:54:24:4A:71:2B:BF:C1:D5:3C:08:A2:2B:36:BC:7B:3D:A2:B3:8A:72:83:66:E1:36:25



2. At the Linux shell prompt, type the following command:

/etc/ipsec.d/certs # openssl x509 -noout -in hostCert.pem -fingerprint -md5

Output example:

MD5 Fingerprint=6E:2C:A5:8E:86:11:45:26:02:09:62:97:6F:18:FD:62

Finding the SSH key fingerprint (for SSH users)

About this task


To find the SSH key fingerprint (for SSH users), do the following.

Steps
1. At the Linux shell prompt, type the following command:

/etc/ssh > ssh-keygen -l -f ssh_host_dsa_key

Output example:

1024 52:42:70:0c:22:aa:2f:e3:09:18:93:c8:20:a4:78:0c ssh_host_dsa_key.pub

2. Type the following command:

/etc/ssh > ssh-keygen -l -f ssh_host_rsa_key

Output example:

1024 a4:d8:64:d0:24:b9:2c:3d:06:24:5f:3a:30:ba:83:f8 ssh_host_rsa_key.pub

3. Type the following command:

/etc/ssh > ssh-keygen -l -f ssh_host_ecdsa_key

Output example:

256 ca:05:f3:9a:3e:51:fe:53:51:90:39:bf:6b:f5:78:56 [MD5]root@ManagementServer (ECDSA)

Data security settings


Encryption of data at rest: user passwords
Hashed user passwords are stored in /etc/shadow on the VPLEX management server.
GeoSynchrony uses a hard-coded hashing algorithm to protect the passwords.
Starting in 6.0, the SHA-512 based algorithm of the UNIX crypt(3) function is used to hash passwords before they are
stored.
Passwords are stored in the VPLEX password database in the following format:

$6$<salt>$<encrypted>

$6$ = hashing method, i.e. SHA-512
<salt> = 16 character salt string
<encrypted> = 86 character hashed password string

