Av Extended Retention Security Guide

  • 8/11/2019 Av Extended Retention Security Guide

    1/18

    EMC Avamar 7.0

    Extended Retention

    Security Guide

    P/N 300-015-244 REV 01


    Copyright 2001-2013 EMC Corporation. All rights reserved. Published in the USA.

    Published July, 2013

    EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

    The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

    EMC², EMC, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners.

    For the most up-to-date regulatory document for your product line, go to the technical documentation and advisories section on the EMC online support website.


    CONTENTS

    Preface

    Chapter 1 Security Configuration

        Access control
            Default accounts
            Authentication configuration
            User authorization
            Component access control
            Certificate management
            Lockbox management
        Log settings
        Communication security
            Port usage
            Network encryption
        Data security
        Secure serviceability
        The Lockbox tool
            Running the Lockbox tool
            Lockbox tool examples


    PREFACE

    As part of an effort to improve its product lines, EMC periodically releases revisions of its software and hardware. Therefore, some functions described in this document might not be supported by all versions of the software or hardware currently in use. The product release notes provide the most up-to-date information on product features.

    Contact your EMC representative if a product does not function properly or does not function as described in this document.

    Note: This document was accurate at publication time. New versions of this document might be released on the EMC online support website. Check the EMC online support website to ensure that you are using the latest version of this document.

    Purpose

    This document describes how to configure security features for the EMC Avamar extended retention feature.

    Audience

    This document is intended for the host system administrator, system programmer, or operator who will be involved in managing the Avamar extended retention feature.

    Revision history

    The following table presents the revision history of this document.

    Table 1 Revision history

    | Revision | Date | Description |
    |---|---|---|
    | 01 | July 10, 2013 | Initial release of Avamar 7.0. |

    Related documentation

    The following EMC publications provide additional information:

    - EMC Avamar 7.0 Extended Retention User Guide
    - EMC Avamar 7.0 Extended Retention Release Notes
    - EMC Avamar 7.0 Media Access Node Customer Hardware Installation Guide
    - EMC Avamar Compatibility and Interoperability Matrix
    - EMC Avamar Data Store Gen4 Customer Service Guide
    - EMC Avamar Data Store Site Prep Technical Specifications


    Conventions used in this document

    EMC uses the following conventions for special notices:

    DANGER indicates a hazardous situation which, if not avoided, will result in death or serious injury.

    WARNING indicates a hazardous situation which, if not avoided, could result in death or serious injury.

    CAUTION, used with the safety alert symbol, indicates a hazardous situation which, if not avoided, could result in minor or moderate injury.

    NOTICE is used to address practices not related to personal injury.

    Note: A note presents information that is important, but not hazard-related.

    IMPORTANT: An important notice contains information essential to software or hardware operation.

    Typographical conventions

    EMC uses the following type style conventions in this document:

    - Bold: Use for names of interface elements, such as names of windows, dialog boxes, buttons, fields, tab names, key names, and menu paths (what the user specifically selects or clicks)
    - Italic: Use for full titles of publications referenced in text
    - Monospace: Use for system output, such as an error message or script; system code; pathnames, filenames, prompts, and syntax; commands and options
    - Monospace italic: Use for variables.
    - Monospace bold: Use for user input.
    - [ ]: Square brackets enclose optional values
    - |: Vertical bar indicates alternate selections; the bar means "or"
    - { }: Braces enclose content that the user must specify, such as x or y or z
    - ...: Ellipses indicate nonessential information omitted from the example


    Where to get help

    The Avamar support page provides access to licensing information, product documentation, advisories, and downloads, as well as how-to and troubleshooting information. This information may enable you to resolve a product issue before you contact EMC Customer Service.

    To access the Avamar support page:

    1. Go to https://support.EMC.com/products.

    2. Type a product name in the Find a Product box.

    3. Select the product from the list that appears.

    4. Click the arrow next to the Find a Product box.

    5. (Optional) Add the product to the My Products list by clicking Add to my products in the top right corner of the Support by Product page.

    Documentation

    The Avamar product documentation provides a comprehensive set of feature overview, operational task, and technical reference information. Review the following documents in addition to product administration and user guides:

    - Release notes provide an overview of new features and known limitations for a release.
    - Technical notes provide technical details about specific product features, including step-by-step tasks, where necessary.
    - White papers provide an in-depth technical perspective of a product or products as applied to critical business issues or requirements.

    Knowledgebase

    The EMC Knowledgebase contains applicable solutions that you can search for either by solution number (for example, esgxxxxxx) or by keyword.

    To search the EMC Knowledgebase:

    1. Click the Search link at the top of the page.

    2. Type either the solution number or keywords in the search box.

    3. (Optional) Limit the search to specific products by typing a product name in the Scope by product box and then selecting the product from the list that appears.

    4. Select Knowledgebase from the Scope by resource list.

    5. (Optional) Specify advanced options by clicking Advanced options and specifying values in the available fields.

    6. Click the search button.

    Online communities

    Visit EMC Community Network (https://community.EMC.com) for peer contacts, conversations, and content on product support and solutions. Interactively engage online with customers, partners and certified professionals for all EMC products.


    Live chat

    To engage EMC Customer Service by using live interactive chat, click Join Live Chat on the Service Center panel of the Avamar support page.

    Service Requests

    For in-depth help from EMC Customer Service, submit a service request by clicking Create Service Requests on the Service Center panel of the Avamar support page.

    Note: To open a service request, you must have a valid support agreement. Contact your EMC sales representative for details about obtaining a valid support agreement or with questions about your account.

    To review an open service request, click the Service Center link on the Service Center panel, and then click View and manage service requests.

    Facilitating support

    EMC recommends that you enable ConnectEMC and Email Home on all Avamar systems:

    - ConnectEMC automatically generates service requests for high priority events.
    - Email Home emails configuration, capacity, and general system information to EMC Customer Service.

    Your comments

    Your suggestions will help us continue to improve the accuracy, organization, and overall quality of the user publications. Send your opinions of this document to:

    [email protected]

    Please include the following information:

    - Product name and version
    - Document name, part number, and revision (for example, A01)
    - Page numbers
    - Other details that will help us address the documentation issue


    Security Configuration

    Access control

    Access control settings provide protection of resources against unauthorized access.

    Default accounts

    Table 2 contains the default Avamar extended retention feature accounts and their passwords.

    Table 2 Default account names and passwords

    | Account | Password | Description |
    |---|---|---|
    | suser | Set when the Avamar extended retention feature is installed. Can be changed in the framework's user interface. | The super user for the Avamar extended retention feature's framework. |
    | postgres | Set when database is installed. Can be changed using PostgreSQL tools. | The database super user. Used to export and import Avamar backups. |

    Authentication configuration

    The Avamar extended retention feature requires configuration of a super user at install time. The super user can create additional users after the feature is installed.

    User authorization

    The privileges of Avamar extended retention users are controlled by the roles to which they belong. Four roles have been defined:

    - Super user
    - Administrator
    - Auditor
    - General user

    Component access control

    The following components of the Avamar extended retention feature implement security features for access:

    - Apache ActiveMQ Message Broker
    - Apache Tomcat
    - Avamar extended retention feature PostgreSQL Database
    - Media Access Node

    Note: The Media Access Node is the R510 Gen4 hardware node that the Avamar extended retention feature runs on.

    Apache ActiveMQ Message Broker

    Access to the Apache ActiveMQ message broker is controlled by SSL mutual authentication. In the Avamar extended retention feature, every message broker client must trust the message broker, and the broker must trust the clients. In SSL, this is accomplished by exchanging certificates.


    Apache Tomcat

    Apache Tomcat uses a certificate to authenticate itself to web clients.

    Avamar extended retention feature database login roles

    The Avamar extended retention feature uses four databases to store data such as users, roles, events, job information, and export schedules. The following table lists the databases, and the users who own them.

    Table 3 Avamar extended retention feature databases and login roles

    | Database | Login roles and passwords |
    |---|---|
    | PostgreSQL | The PostgreSQL database is owned by user, postgres. The password for this user is set during installation. The default password is changeme. |
    | IMF | The IMF database is owned by IMF_PG_USER. The default password is IMF_PG_USER. Note: The owner and password for the IMF database are stored in plaintext in /opt/EMC/IMF/apache-tomcat/imf/WEB-INF/classes/imf-persistence.properties. |
    | Quartz | The Quartz database is owned by IMF_PG_USER. The default password is IMF_PG_USER. Note: The owner and password for the Quartz database are stored in plaintext in /opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes/imf-persistence.properties and imfscheduler.properties. |
    | Policy | The Policy database is owned by POLICY_USER. The default password is POLICY_USER. Note: The Policy database password is stored in the IMF lockbox, located in /opt/EMC/IMF/data/lockbox. The user and password can be changed using the Lockbox tool as described in The Lockbox tool on page 16. |

    Certificate management

    Each Avamar extended retention feature component that participates in SSL communications keeps its certificates in a Java KeyStore (JKS) file. Key store files contain certificates that components use to identify themselves as well as the certificates of entities they trust. Some components keep their certificates and the certificates of trusted entities in the same key store file while others keep the certificates of trusted entities in a separate file called a trust store. Although key store and trust store files have the same JKS format, the Avamar extended retention feature trust store files have a .ts suffix whereas the key store files have a .ks suffix.

    Note: JKS files can be managed with a Java tool called keytool. Keytool is part of the standard JDK, which is included in the Avamar extended retention feature software. Keytool is located in /opt/EMC/IMF/jre/bin.


    In the Avamar extended retention feature, there are JKS files for the following components:

    - Apache Tomcat, containing the certificate that Tomcat uses to authenticate itself to web clients
    - Apache ActiveMQ message broker, containing a separate key store and trust store that are used for mutual authentication with clients
    - Message broker clients, containing a key store (and sometimes a trust store) containing certificates used for mutual authentication with the message broker

    Each JKS file is protected by a password. The Avamar extended retention feature components store their key and trust store passwords in a lockbox file as described in The Lockbox tool (page 15).

    Note: The Avamar extended retention feature incorporates some third-party software that does not use the lockbox.

    Table 4 shows the location of the passwords for the key stores used by Apache Tomcat and ActiveMQ. Since the Avamar extended retention feature file permissions are set to prevent access by anyone but the owner, one must own these files in order to read or modify them.

    Table 4 Apache component passwords

    | Component | JKS password location |
    |---|---|
    | Apache Tomcat | /opt/EMC/IMF/apache-tomcat/catalina_base/conf/server.xml in the Connector element |
    | Apache ActiveMQ | /opt/EMC/IMF/apache-activemq/conf/activemq.xml in the sslContext element |

    Table 5 shows the location of key store files for Avamar extended retention feature components.

    Table 5 Key store files

    | Component | Key store directory | Key store file(s) |
    |---|---|---|
    | Apache Tomcat | /opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes | IMF.ks |
    | Apache ActiveMQ Message Broker | /opt/EMC/IMF/apache-activemq/conf | broker.ks, broker.ts |
    | User Event Listener | /opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes | IMFUserEventListener.ks |
    | Security Event Module | /opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes | IMFSecurityEventModule.ks |
    | IMF Scheduler | /opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes | IMFScheduler.ks |
    | Security Logger | /opt/EMC/securitylogger/config | IMFSecurityLogger.ks |
    | Transport System Service | /opt/EMC/TransportSystemService/config | GridSystemService.ks |
    | Backup Service | /opt/EMC/BackupService/config | IMF-Backup-Service.ks |
    | Backup Manager | /opt/EMC/IMF/data/messagebus-ssl | backupmgr.ks |
    | Grid Resource Manager | /opt/EMC/IMF/data/messagebus-ssl | gridresourcemgr.ks |
    | Grid Task Manager | /opt/EMC/IMF/data/messagebus-ssl | gridtaskmgr.ks |

    Lockbox management

    The RSA Common Security Toolkit 1.1 Lockbox is incorporated into the Avamar extended retention feature for storing encrypted secrets (like passwords) that otherwise would have to be stored as plain text. Secured software components often require users or client software to supply a password. Since EMC security policy does not allow storing plain text passwords either in files or source code and since it would be cumbersome to ask a user to type a password every time one is required, passwords are stored in the lockbox. Once configured, the lockbox allows software to obtain passwords without a user having to type a password.

    Each lockbox has a password that is set when the Avamar extended retention feature is installed and can be changed by using the command line utility documented in the section The Lockbox tool on page 16. The same tool can be used to display and modify the contents of the lockboxes.

    If the password for a secured entity is changed and its password is stored in a lockbox, the lockbox must be updated with the correct password. The names of the items stored in each lockbox are listed below. Most of the items are component key store or trust store filenames and their passwords.

    Table 6 Lockbox files

    | Component | Lockbox file |
    |---|---|
    | Framework | /opt/EMC/IMF/data/lockbox |
    | Security Logger | /opt/EMC/securitylogger/config/lockbox |
    | Transport System Service | /opt/EMC/TransportSystemService/config/lockbox |
    | Backup Service | /opt/EMC/BackupService/config/lockbox |

    Table 7 Lockbox contents

    | Lockbox | Contents |
    |---|---|
    | Framework | IMFUserEventListener.keyStore, IMFUserEventListener.keyStorePassword, IMFSecurityEventModule.keyStore, IMFSecurityEventModule.keyStorePassword, IMFScheduler.keyStore, IMFScheduler.keyStorePassword |
    | Security Logger | IMFSecurityLogger.keyStore, IMFSecurityLogger.keyStorePassword |
    | Transport System Service | GridSystemService.keyStore, GridSystemService.keyStorePassword |
    | Backup Service | IMF-Backup-Service.keyStore, IMF-Backup-Service.keyStorePassword, ARCHIVE_SERVER_USER, ARCHIVE_SERVER_PASSWORD, ARCHIVE_SERVER_NAME |

    Log settings

    The Avamar extended retention feature has a security logger and log viewer. Security events, which are stored in the framework database, are logged at four levels:

    - Informational
    - Warning
    - Severe
    - Critical

    The log viewer provides filtering by severity level and date range. It also provides the ability to archive and delete selected events. The Avamar extended retention feature's online help provides more information.

    Communication security

    Communication security settings enable the establishment of secure communication channels between:

    - Product components
    - Product components and external systems or components.

    Port usage

    The ports listed in Table 8 are the Avamar extended retention feature default ports. The extended retention feature allows some of these ports to be changed; however, the procedure involves manually editing various configuration files.

    Table 8 Default ports

    | Component | Protocol | Port | Description |
    |---|---|---|---|
    | Apache ActiveMQ | TCP | 61617 | SSL connection to the message broker |
    | Apache Tomcat | TCP | 7443 | HTTPS connection to web server |
    | Apache Tomcat | TCP | 7000 | Port available for stopping Tomcat |
    | PostgreSQL | TCP | 5568 | JDBC connection to database server |
    | SSHD | TCP | 22 | Default SSH port. |
    | Archive Service Event | TCP | 6667 | Archive Service Event forwarding port |
    | AVDTO | TCP | 2888 | AVDTO daemon port |

    Network encryption

    Table 9 contains the encryption strategies that are employed by the Avamar extended retention feature for communication between components.

    Table 9 Encryption strategies

    | Communication | Encryption type |
    |---|---|
    | Between web server and browser | SSL with server authentication |
    | Between ActiveMQ and Avamar Data Transport components | SSL with mutual authentication |
    | Between the PostgreSQL database and the Avamar extended retention feature | Not encrypted |

    Data security

    Encryption of archived data is controlled by the library drive setting.

    The Avamar extended retention feature provides a cleanse feature that frees up space on the Media Access Node's internal Avamar Server. The cleanse can occur immediately before data is imported from tape. It can also be run at any time.

    Secure serviceability

    The message broker has a web administration console that provides some diagnostic capabilities such as viewing the number of messages and topics in queues and their current state.

    The Avamar extended retention feature is installed with port 8161 closed.

    To open port 8161:

    1. Edit /opt/EMC/IMF/apache-activemq/activemq_base/conf/activemq.xml.

    2. Uncomment the following line:

    3. Save and close activemq.xml.

    4. In a web browser, type the following URL to access the web console:

        http://Media_Access_Node_IP_address:8161/admin

    Additional information is available at http://activemq.apache.org.


    JMX tools like jconsole can be used to diagnose ActiveMQ. However, JMX access is password protected. You can log in as one of two users:

    - controlRole: Full access
    - monitorRole: Read access

    The usernames and passwords are stored in the following files:

    - /opt/EMC/IMF/apache-activemq/activemq_base/conf/jmx.access
    - /opt/EMC/IMF/apache-activemq/activemq_base/conf/jmx.password

    If these files are changed, the shutdown script, /opt/EMC/IMF/apache-activemq/activemq_base/bin/activemqstop.sh, must also be modified since the service shutdown uses the JMX username and password.

    For additional information, refer to http://activemq.apache.org.
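    Added example (not part of the EMC guide): a shell check that compares a node's listening TCP sockets with the default ports in Table 8 and flags the ActiveMQ web console port 8161, which the guide says is closed at install. The `ss -tln` sample is constructed, and the expectation that ports 5568 (unencrypted PostgreSQL, Table 9) and 7000 (Tomcat stop port) listen only on loopback is an assumption of this example, not a statement from the guide.

```sh
#!/bin/sh
# Added example: compare listening TCP sockets with the guide's Table 8.
# Reads `ss -tln`-style output on stdin and prints one verdict per listener.

# Default ports listed in Table 8 of the guide.
TABLE8_PORTS="22 2888 5568 6667 7000 7443 61617"

# Assumption of this example (not stated in the guide): these ports should
# only be reachable from the node itself. 5568 carries unencrypted database
# traffic (Table 9) and 7000 is the Tomcat stop port.
LOCAL_ONLY_PORTS="5568 7000"

check_listeners() {
    awk -v known="$TABLE8_PORTS" -v local_only="$LOCAL_ONLY_PORTS" '
    BEGIN {
        n = split(known, k, " ")
        for (i = 1; i <= n; i++) is_known[k[i]] = 1
        n = split(local_only, l, " ")
        for (i = 1; i <= n; i++) is_local[l[i]] = 1
    }
    $1 == "LISTEN" {
        # Field 4 is address:port; the port follows the last colon,
        # which also handles bracketed IPv6 addresses such as [::]:61617.
        n = split($4, part, ":")
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        loopback = (addr ~ /^127\./ || addr == "[::1]")

        if (port == "8161")
            print "CONSOLE_OPEN " $4      # web console enabled in activemq.xml
        else if (!(port in is_known))
            print "UNEXPECTED " $4        # not a Table 8 default port
        else if ((port in is_local) && !loopback)
            print "NON_LOCAL " $4         # local-only port exposed on the network
        else
            print "OK " $4
    }'
}

# Constructed sample input so the example runs without an Avamar node.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      100    0.0.0.0:7443        0.0.0.0:*
LISTEN 0      100    [::]:61617          [::]:*
LISTEN 0      50     127.0.0.1:5568      0.0.0.0:*
LISTEN 0      1      0.0.0.0:7000        0.0.0.0:*
LISTEN 0      50     0.0.0.0:8161        0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
EOF
}

sample_ss_output | check_listeners
```

    On a live node, pipe real output into the same function with `ss -tln | check_listeners`. If ports were changed from the defaults by editing the configuration files, adjust TABLE8_PORTS to match.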

    The Lockbox tool

    The lockbox tool is a command line tool implemented as an executable jar file that can be used for the following tasks:

    - Create a lockbox
    - Set or change a lockbox password
    - Add or remove a host allowed to access the lockbox without a password
    - Display, change, or remove a name-value pair

    The Lockbox tool requires that two environment variables be set:

    - LOCK_BOX_FILE: The full or relative path to the lockbox file. If not set, this defaults to lockbox in the current directory.
    - LD_LIBRARY_PATH: The shared library location specified in Table 10.

    Table 10 Lockbox tool and library locations

    | Component | Lockbox tool location | Shared library location |
    |---|---|---|
    | Security Logger | /opt/EMC/securitylogger/lib/imf-lockbox.jar | /opt/EMC/securitylogger/lib/linux |
    | Transport System Service | /opt/EMC/TransportSystemService/lib/imf-lockbox.jar | /opt/EMC/TransportSystemService/lib/native |
    | Backup Service | /opt/EMC/BackupService/lib/imf-lockbox.jar | /opt/EMC/BackupService/lib/native |
    | IMF | /opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/lib/imf-lockbox-3.2.0-2.jar | /opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/lib/linux |

    Running the Lockbox tool

    You execute the Lockbox tool by typing the following:

        java -jar lockbox.jar operation [argument] [argument]

    where lockbox is one of:

    - imf-lockbox-2.0-SNAPSHOT
    - imf-lockbox

    Either lockbox file will work.

    Table 11 describes the possible values for operation and argument. Square brackets indicate optional arguments.

    Table 11 Lockbox tool operations and arguments

    | Operation | Argument 1 | Argument 2 | Description |
    |---|---|---|---|
    | create | [password] | | Create a new lockbox password. |
    | set | item_name | item_value | Set or change the value of item_name. |
    | display | item_name | | Display the value of item_name. |
    | remove | item_name | | Remove item_name from the lockbox. |
    | list_hosts | [password] | | Display the host list, which lists the hosts registered to access the lockbox without a password. |
    | add_this_host | [password] | | Add the local host to the host list. |
    | add_host | host_name | [password] | Add the host_name to the host list. |
    | remove_host | host_name | [password] | Remove the host_name from the host list. |
    | change_pass_phrase | [new_password] | [old_password] | Change the lockbox password. |

    If the command is not run from the directory containing the lockbox .jar file, then you must specify the full or relative path to the tool. Additionally, you may need to specify the path to the Java executable. The Java Runtime Environment (JRE) is included in the Avamar extended retention feature and can be found at the locations shown in Table 12.

    Table 12 Java runtime locations

    | Component | Java runtime location |
    |---|---|
    | Framework | /opt/EMC/IMF/jre/bin |
    | Security Logger | /opt/EMC/securitylogger/jre/bin |
    | Transport System Service | /opt/EMC/TransportSystemService/jre/bin |
    | Backup Service | /opt/EMC/BackupService/jre/bin |

    Information can be obtained from the lockbox without having to supply the lockbox password. The lockbox stores secrets as name and value pairs. It can be configured to allow setting, modifying, and removing these values without supplying a password. However, administrative operations always require a password.

    In order to access the lockbox without supplying a password, the host from which the access is being executed must be registered with the lockbox. Registering a host is an administrative operation requiring a password. Once a host is registered, any user who can execute code on that host can access a lockbox secret, assuming they know the name of the secret. For this reason, it is important that the permissions on the lockbox file are set appropriately.

    Unless specified on the command line, LockBoxTool.jar will prompt for a password for administrative operations. If the local host is not in the host list, the user will be prompted for a password for non-administrative operations. Once a password is successfully typed during any operation, the local host will be added to the host list. When a lockbox is being created or its password is being changed, the user will have to type the new password twice to make sure it is typed correctly.
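    Added example (not part of the EMC guide): since any user who can run code on a registered host can read lockbox secrets, and Tables 3 and 4 place several passwords in plaintext configuration files, this shell function checks that the files named in this guide grant no access to group or other. The optional root prefix and the demo tree are constructs of this example; the paths are the ones listed in Tables 3, 4 and 6 and in the JMX section.

```sh
#!/bin/sh
# Added example: audit owner-only permissions on files that the guide says
# hold lockboxes or passwords.

# Paths as listed in the guide (Tables 3, 4 and 6, and the JMX section).
SECRET_FILES="
/opt/EMC/IMF/data/lockbox
/opt/EMC/securitylogger/config/lockbox
/opt/EMC/TransportSystemService/config/lockbox
/opt/EMC/BackupService/config/lockbox
/opt/EMC/IMF/apache-tomcat/catalina_base/conf/server.xml
/opt/EMC/IMF/apache-activemq/conf/activemq.xml
/opt/EMC/IMF/apache-activemq/activemq_base/conf/jmx.password
/opt/EMC/IMF/apache-tomcat/imf/WEB-INF/classes/imf-persistence.properties
/opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes/imf-persistence.properties
"

# audit_secret_files [ROOT]
# ROOT is an optional path prefix (hypothetical, for auditing a copy or a
# test tree). Prints one line per file and returns non-zero if any file is
# accessible to group or other.
audit_secret_files() {
    root=${1:-}
    exposed=0
    for path in $SECRET_FILES; do
        f="$root$path"
        if [ ! -e "$f" ]; then
            echo "MISSING $path"
            continue
        fi
        # First ten characters of the ls mode string, e.g. -rw-------.
        # Characters 5-10 are the group and other permission bits.
        mode=$(ls -ldL "$f" | cut -c1-10)
        case "$mode" in
            ????------) echo "OK $path $mode" ;;
            *)          echo "EXPOSED $path $mode"
                        exposed=$((exposed + 1)) ;;
        esac
    done
    [ "$exposed" -eq 0 ]
}

# Constructed demo tree so the example runs away from an Avamar node:
# one lockbox with owner-only access and one that is world-readable.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/opt/EMC/IMF/data" "$tmp/opt/EMC/BackupService/config"
    : > "$tmp/opt/EMC/IMF/data/lockbox"
    chmod 600 "$tmp/opt/EMC/IMF/data/lockbox"
    : > "$tmp/opt/EMC/BackupService/config/lockbox"
    chmod 644 "$tmp/opt/EMC/BackupService/config/lockbox"
    audit_secret_files "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo || echo "one or more secret files are accessible beyond the owner"
```

    On the Media Access Node itself, call `audit_secret_files` with no argument. A MISSING line only means the path is absent on that host and is not counted as a finding.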

    Lockbox tool examples

    Examples of how to use LockBoxTool.jar are provided below.

    Example 1: Display the hosts that can use the lockbox without a password.

        root@host220:~/#: export LD_LIBRARY_PATH=/DTO/EMC/TransportSystemService/lib/native
        root@host220:~/#: export LOCK_BOX_FILE=/DTO/EMC/TransportSystemService/config/lockbox
        root@host220:~/#: cd /DTO/EMC/TransportSystemService
        root@host220:/DTO/EMC/TransportSystemService/#: jre/bin/java -jar lib/imf-lockbox.jar list_hosts 'Test123!'
        host1.example.com
        host2.example.com
        root@host220:/DTO/EMC/TransportSystemService/#:

    Example 2: Change the password for the lockbox from "Test123!" to "MySecret-123".

        root@host220:~/#: export LD_LIBRARY_PATH=/DTO/EMC/TransportSystemService/lib/native
        root@host220:~/#: export LOCK_BOX_FILE=/DTO/EMC/TransportSystemService/config/lockbox
        root@host220:~/#: cd /DTO/EMC/TransportSystemService
        root@host220:/DTO/EMC/TransportSystemService/#: jre/bin/java -jar lib/imf-lockbox.jar change_pass_phrase 'MySecret-123' 'Test123!'
        root@host220:/DTO/EMC/TransportSystemService/#:

    Example 3: Display the value of the key store password, whose name is GridSystemService.keyStorePassword.

        root@host220:~/#: export LD_LIBRARY_PATH=/DTO/EMC/TransportSystemService/lib/native
        root@host220:~/#: export LOCK_BOX_FILE=/DTO/EMC/TransportSystemService/config/lockbox
        root@host220:~/#: cd /DTO/EMC/TransportSystemService
        root@host220:/DTO/EMC/TransportSystemService/#: jre/bin/java -jar lib/imf-lockbox.jar display GridSystemService.keyStorePassword
        Item GridSystemService.keyStorePassword is set to "Test123!".
        root@host220:/DTO/EMC/TransportSystemService/#:

    Example 4: Change the key store password from "Test123!" to "MySecret-456".

        root@host220:~/#: export LD_LIBRARY_PATH=/DTO/EMC/TransportSystemService/lib/native
        root@host220:~/#: export LOCK_BOX_FILE=/DTO/EMC/TransportSystemService/config/lockbox
        root@host220:~/#: cd /DTO/EMC/TransportSystemService
        root@host220:/DTO/EMC/TransportSystemService/#: jre/bin/java -jar lib/imf-lockbox.jar set GridSystemService.keyStorePassword 'MySecret-456'
        Item GridSystemService.keyStorePassword is set to "MySecret-456".
        root@host220:/DTO/EMC/TransportSystemService/#: