Dell EMC Data Protection Central Security Configuration Guide

Dell EMC Data Protection Central Version 19.2 Security Configuration Guide REV 03 February 2020


Copyright © 2017-2020 Dell Inc. or its subsidiaries. All rights reserved.

Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS-IS." DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.

Dell Technologies, Dell, EMC, Dell EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners. Published in the USA.

Dell EMC, Hopkinton, Massachusetts 01748-9103, 1-508-435-1000, In North America 1-866-464-7381, www.DellEMC.com

CONTENTS

Preface 5

Chapter 1 Security Quick Reference 9
    Deployment models 10
        Open Virtualization Appliance deployment 10
        Physical or virtual server deployment 10
    Security profiles 10

Chapter 2 Product and Subsystem Security 11
    Security controls map 12
    Authentication 13
        Login security settings 13
        Authentication types and setup considerations 15
        Configuring LDAP 15
        User and credential management 26
        Authentication to external data protection systems 28
    Authorization 29
    SSO limitations with PowerProtect Data Manager 29
    Network security 30
        Network exposure 30
        Modify the Data Protection Central firewall 34
    Data security 36
        Lockbox 36
    Cryptography 36
        Certificate management 36
    Auditing and logging 38
    Serviceability 39
        Security patches 39
        Data Protection Central OS update 39
    Product code integrity 39

Chapter 3 Federal standards and compliance 41
    FIPS 140-2 compliance 42
        Display FIPS mode 42
        Enable FIPS mode 43
        Disable FIPS mode 44
        Reset the lockbox internal encryption key 44
    STIG compliance 44
    Internet Protocol version 6 47
    VPAT accessibility features 47
        Screen reader support 47
        Keyboard navigation 47

Chapter 4 Miscellaneous Configuration and Management 55
    Licensing 56
    Protect authenticity and integrity 56
    Perform backups and restores of Data Protection Central 56
    Embedded component usage 56


Preface

As part of an effort to improve product lines, periodic revisions of software and hardware are released. Therefore, all versions of the software or hardware currently in use might not support some functions that are described in this document. The product release notes provide the most up-to-date information on product features.

If a product does not function correctly or does not function as described in this document, contact a technical support professional.

Note: This document was accurate at publication time. To ensure that you are using the latest version of this document, go to the Support website https://www.dell.com/support.

Purpose

This document includes information about security features and capabilities of Data Protection Central.

Audience

This document is intended for individuals who are responsible for managing security for Data Protection Central.

Revision history

The following table presents the revision history of this document.

Table 1 Revision history

Revision 03, February 2020: Updates to the following topics:
- Default user accounts on page 13
- TCP port allocations per system on page 32
- Generate a self-signed certificate on page 37
- Modify the Data Protection Central firewall on page 34

Revision 02, December 2019: Added procedure to reset lockbox internal encryption key. Updated procedure to enable FIPS mode.

Revision 01, November 2019: Release of the Data Protection Central 19.2 Security Configuration Guide.

Terms used in this guide

References to Data Domain systems in this guide, in the UI, and elsewhere in the product include PowerProtect DD systems and older Data Domain systems.

References to PowerProtect systems in this guide include PowerProtect software and PowerProtect appliance unless otherwise specified.

Related Documentation

For information about Data Protection Central compatibility, refer to the Data Protection Central Release Notes.


The Data Protection Central documentation set includes the following publications:

- Data Protection Central Getting Started Guide
- Data Protection Central Security Configuration Guide
- Data Protection Central Release Notes
- Data Protection Central Administration Guide

The documentation for the following products includes more information:

- Avamar
- Data Domain
- Search
- Data Protection Advisor
- NetWorker
- PowerProtect software and PowerProtect appliance

Special notice conventions that are used in this document

The following conventions are used for special notices:

NOTICE Identifies content that warns of potential business or data loss.

Note: Contains information that is incidental, but not essential, to the topic.

Typographical conventions

The following type style conventions are used in this document:

Table 2 Style conventions

Bold: Used for interface elements that a user specifically selects or clicks, for example, names of buttons, fields, tab names, and menu paths. Also used for the name of a dialog box, page, pane, screen area with title, table label, and window.

Italic: Used for full titles of publications that are referenced in text.

Monospace: Used for:
- System code
- System output, such as an error message or script
- Pathnames, file names, file name extensions, prompts, and syntax
- Commands and options

Monospace italic: Used for variables.

Monospace bold: Used for user input.

[ ]: Square brackets enclose optional values.

|: Vertical line indicates alternate selections. The vertical line means "or" for the alternate selections.

{ }: Braces enclose content that the user must specify, such as x, y, or z.

...: Ellipses indicate non-essential information that is omitted from the example.


You can use the following resources to find more information about this product, obtain support, and provide feedback.

Where to find product documentation

l https://www.dell.com/support

l https://community.emc.com

Where to get support

The Support website https://www.dell.com/support provides access to product licensing, documentation, advisories, downloads, and how-to and troubleshooting information. The information can enable you to resolve a product issue before you contact Support.

To access a product-specific page:

1. Go to https://www.dell.com/support.

2. In the search box, type a product name, and then from the list that appears, select the product.

Knowledgebase

The Knowledgebase contains applicable solutions that you can search for either by solution number (for example, KB000xxxxxx) or by keyword.

To search the Knowledgebase:

1. Go to https://www.dell.com/support.

2. On the Support tab, click Knowledge Base.

3. In the search box, type either the solution number or keywords. Optionally, you can limit the search to specific products by typing a product name in the search box, and then selecting the product from the list that appears.

Live chat

To participate in a live interactive chat with a support agent:

1. Go to https://www.dell.com/support.

2. On the Support tab, click Contact Support.

3. On the Contact Information page, click the relevant support, and then proceed.

Service requests

To obtain in-depth help from Licensing, submit a service request. To submit a service request:

1. Go to https://www.dell.com/support.

2. On the Support tab, click Service Requests.

Note: To create a service request, you must have a valid support agreement. For details about either an account or obtaining a valid support agreement, contact a sales representative. To find the details of a service request, in the Service Request Number field, type the service request number, and then click the right arrow.

To review an open service request:

1. Go to https://www.dell.com/support.

2. On the Support tab, click Service Requests.

3. On the Service Requests page, under Manage Your Service Requests, click View All Dell Service Requests.

Online communities

For peer contacts, conversations, and content on product support and solutions, go to the Community Network https://community.emc.com. Interactively engage with customers, partners, and certified professionals online.

How to provide feedback

Feedback helps to improve the accuracy, organization, and overall quality of publications. You can send feedback to [email protected].


CHAPTER 1

Security Quick Reference

Topics include:

- Deployment models 10
- Security profiles 10

Deployment models

You can deploy Data Protection Central as an OVA in VMware environments or with a .jar file on a Linux operating system in a physical or virtual server that is not hosted by VMware.

Open Virtualization Appliance deployment

If you have a VMware vSphere virtual machine environment, it is recommended that you deploy Data Protection Central as an Open Virtualization Appliance (OVA).

The OVA deployment model includes a pre-configured bundle with the Data Protection Central software and the Linux operating system that the Data Protection Central software runs on.

The OVA environment also includes a pre-configured firewall that is tuned to the Data Protection Central communication needs with the monitored systems.

The OVA is deployed with an OVF template file. Refer to the VMware documentation for specific information regarding how to deploy an OVA or OVF template.

The Data Protection Central Getting Started Guide provides information on deploying Data Protection Central as an OVA.

Physical or virtual server deployment

Data Protection Central is also available as a self-extracting JAR file with a set of Linux RPM files.

This alternative deployment model is useful if you do not have access to a VMware vSphere virtual machine environment. You can deploy Data Protection Central with this method on a Linux server running a compatible version of SUSE Linux Enterprise Server.

The Data Protection Central Getting Started Guide provides information on deploying Data Protection Central on a physical or virtual machine that is not hosted by VMware.

Security profiles

Data Protection Central has a default security profile for secure HTTP access. However, you can replace the security certificate.


CHAPTER 2

Product and Subsystem Security

Topics include:

- Security controls map 12
- Authentication 13
- Authorization 29
- SSO limitations with PowerProtect Data Manager 29
- Network security 30
- Data security 36
- Cryptography 36
- Auditing and logging 38
- Serviceability 39
- Product code integrity 39

Security controls map

Data Protection Central runs on virtual servers, supporting NetWorker and Avamar servers and Data Domain backup targets.

Each Avamar system uses a Data Protection Central adapter to send alerts and events to RabbitMQ, which is the message queue system.

For NetWorker, Data Protection Central connects to the RabbitMQ on the NetWorker server to receive job activity events information.

The Data Protection Central monitoring service saves the alert and event data from RabbitMQ to the MongoDB database.

The Data Protection Central UI provides a centralized location for monitoring of alerts and events and providing management capabilities.

All system credentials are stored within the Data Protection Central secure storage.

Figure 1 on page 12 displays the Data Protection Central security controls map.

Figure 1 Security controls


Authentication

Learn about authentication in Data Protection Central.

Login security settings

Data Protection Central includes login security settings.

Access control

Access control settings provide protection of resources against unauthorized access.

Default user accounts

Data Protection Central includes three default user accounts.

Local user account

Data Protection Central provides a single default local administrative user account.

The username of this internal account is [email protected].

The local administrator has access to all operations in the Data Protection Central web user interface and access to all external systems that can be launched from Data Protection Central.

The first time you log in to Data Protection Central, you must use the local account, [email protected].

Note: If LDAP access is configured during deployment, the first-time login can be through LDAP or the local account, [email protected].

Operating system admin user account

The Linux system administrator can log in to Data Protection Central using a secure shell (ssh) for system administration and maintenance.

This default account is only bundled with OVA deployments.

Operating system root account

After logging into Data Protection Central with ssh as the system administrator, switch to the root user to have administrative access to files and directories on the Data Protection Central operating system.

This default account is only bundled with OVA deployments.

External user accounts

When an LDAP or Active Directory (AD) server is connected to Data Protection Central, you can grant additional accounts the Data Protection Central administrator role. Add them to the Data Protection Central administrative group provided in the ldap.properties file.

Each of these administrator accounts that are added through LDAP or AD has full authorization and access to Data Protection Central functions. Data Protection Central also supports custom dashboard settings for each administrator account.


Failed login behavior

Data Protection Central includes security settings for when there are multiple unsuccessful authentication attempts.

Local user account lockout

After five consecutive failed attempts to log in to the local user account, Data Protection Central temporarily locks out the user for a period of five minutes.

Any attempt to log in during the lockout period resets the lockout timer back to five minutes.

To end the temporary lockout, restart the ELG service.

To restart the ELG service, run the following commands:

1. service msm-elg stop

2. service msm-elg start

Operating system user account lockout

If you make three consecutive failed SSH login attempts for the operating system user account, that account is temporarily locked out of the Data Protection Central Linux operating system for a period of five minutes.

You are unable to log in to the Data Protection Central Linux operating system with this account during the lock-out period, even with the correct password. However, you can log in with a different user account.

Automatic session timeout

Each account has an automatic timeout setting.

SSH and console session timeout

After 600 seconds of inactivity, connections to Data Protection Central made through SSH and the console, for OVA deployments, are automatically terminated.

This timeout does not apply to login sessions to the Data Protection Central web user interface, which has a different timeout interval and mechanism.

Idle browser session timeout

By default, after 20 minutes of inactivity, the Data Protection Central session times out and you are automatically logged out.

Modify the idle browser session timeout setting

Procedure

1. Open the application.properties file located in /usr/local/dpc/lib/elg/ for editing.

2. Add the following entry to the application.properties file:

server.session.timeout=X

Where X is the idle timeout value in seconds.

The minimum idle timeout value is 120 (2 minutes) and the maximum is 1800 (30 minutes).


3. Save and close the application.properties file.

4. Restart the msm-elg service using the following command:

service msm-elg restart
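As an added example (not code from the guide or the product), the following Python helper applies the range rule from the procedure above to application.properties text: it rejects values outside 120..1800 seconds, replaces an existing server.session.timeout entry in place, and appends one if the key is absent. The sample file content is constructed for illustration; the msm-elg restart in step 4 is still required for the change to take effect.

```python
import re
from typing import Optional

# Bounds the guide gives for server.session.timeout (seconds).
MIN_TIMEOUT = 120   # 2 minutes
MAX_TIMEOUT = 1800  # 30 minutes
KEY = "server.session.timeout"

# Matches the key at the start of a line with either '=' or ':' as the
# separator (the two separators java.util.Properties accepts) and captures
# the value with surrounding whitespace trimmed.
_KEY_LINE = re.compile(rf"^\s*{re.escape(KEY)}\s*[=:]\s*(.*?)\s*$")


def get_session_timeout(properties_text: str) -> Optional[int]:
    """Return the configured idle timeout in seconds, or None if unset."""
    value = None
    for line in properties_text.splitlines():
        m = _KEY_LINE.match(line)
        if m and m.group(1).isdigit():
            value = int(m.group(1))  # last definition wins, as in java.util.Properties
    return value


def set_session_timeout(properties_text: str, seconds: int) -> str:
    """Return application.properties text with server.session.timeout=seconds.

    Values outside the documented range are rejected so an over-long session
    lifetime cannot be configured by mistake. An existing entry is replaced
    in place (duplicates are dropped so the effective value is unambiguous);
    if the key is absent it is appended. All other lines are left untouched.
    """
    if not MIN_TIMEOUT <= seconds <= MAX_TIMEOUT:
        raise ValueError(
            f"{KEY} must be between {MIN_TIMEOUT} and {MAX_TIMEOUT} seconds, got {seconds}"
        )
    out, replaced = [], False
    for line in properties_text.splitlines():
        if _KEY_LINE.match(line):
            if not replaced:
                out.append(f"{KEY}={seconds}")
                replaced = True
            continue  # drop further copies of the key
        out.append(line)
    if not replaced:
        out.append(f"{KEY}={seconds}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed sample content; on a real system the file is
    # /usr/local/dpc/lib/elg/application.properties.
    sample = "# constructed sample\nexample.key=value\n"
    updated = set_session_timeout(sample, 600)  # 10 minutes
    print(updated, end="")
    print("effective timeout:", get_session_timeout(updated))
```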

Authentication types and setup considerations

Learn about Single Sign-On (SSO) authentication and setup considerations in Data Protection Central.

Internal account SSO authentication

Data Protection Central uses Single Sign-On (SSO) authentication for the local user account (if SSO is not disabled).

External LDAP or AD account SSO authentication

Data Protection Central supports Lightweight Directory Access Protocol (LDAP) and Active Directory (AD).

Data Protection Central can authenticate users against directory servers, such as Windows Active Directory, using LDAP or LDAPS. Authentication against an LDAP server simplifies management because you do not need a separate set of credentials for Data Protection Central administration.

After you configure LDAP authentication, you can log in to the Data Protection Central web console with any LDAP or AD account. Data Protection Central performs SSO authentication for external users and internally validates credentials and user authority with the LDAP or AD server.

Configuring LDAP

Learn about LDAP requirements and configuration procedures.

Data Protection Central supports OpenLDAP and Active Directory (AD) authentication.

You can configure LDAP during or after deploying Data Protection Central.

The Troubleshooting chapter in the Data Protection Central Administration Guide provides detailed troubleshooting information on diagnosing and resolving common LDAP configuration issues.

Note: LDAP without TLS communicates in clear text without encryption. Secure LDAP (LDAPS) does not support communication in clear text. When you configure LDAP without TLS, to improve security, it is recommended that you use a segmented network containing only the LDAP server and the Data Protection Central server.

Configure LDAP or AD user access

Before you configure Lightweight Directory Access Protocol (LDAP) or Windows Active Directory (AD), configure the users who will access Data Protection Central.

About this task

Perform this procedure on the server that hosts Lightweight Directory Access Protocol (LDAP) or Windows Active Directory (AD).

Procedure

1. Create an administrative user group that will contain the users who can access Data Protection Central.

The following list describes the default containers, according to the configuration type:

- For Lightweight Directory Access Protocol (LDAP), the default user group is the OU=People folder.
- For Windows Active Directory (AD), the default user group is the OU=Users folder.

2. For AD accounts only, set the user group scope setting to Global.

Note: Users who are part of this group are granted administrative privileges to Data Protection Central and the system management applications for any systems added to Data Protection Central, including Single Sign-On access.

3. Add any users that require access to Data Protection Central to the user group.

Add a secure LDAP (LDAPS) certificate

Learn how to add a secure LDAP (LDAPS) certificate.

About this task

Secure LDAP (LDAPS) uses TLS and requires certificate-based authentication.

If the LDAP server that authenticates Data Protection Central credentials uses a non-standard certificate authority, add the root certificate of the authority that signed the LDAP server certificate to the Data Protection Central keystore.

Data Protection Central automatically uses the certificate authorities available within the standard Java keystore.

Procedure

1. To retrieve the certificate details from the LDAP server, type the following command:

/usr/local/dpc/bin/dpc trust-ldaps <LDAPS server FQDN or IP:LDAPS PORT>

The certificate details are listed. The operation prompts you to continue.

2. To add the LDAP server's certificate to the Data Protection Central Java keystore, type y in response to the prompt.

3. After the certificate is added to the keystore, restart the Data Protection Central services using the following commands:

/usr/local/dpc/bin/dpc stop
/usr/local/dpc/bin/dpc start

Add LDAP or AD while deploying Data Protection Central

You can configure Lightweight Directory Access Protocol (LDAP) or Windows Active Directory (AD) when you deploy Data Protection Central.

Procedure

1. While deploying the Data Protection Central OVA, under Configure LDAP (Optional), specify the following settings:

- LDAP server name / IP address: Type the LDAP server name or IP address of the server where LDAP is hosted. Type the name in one of the following formats:
    - Type the LDAP server name as a fully qualified domain name (FQDN). For example:

      sample.dpc.local

    - Or, type the IP address of the LDAP server. For example:

      192.168.2.10

- Configure for secure LDAP (ldaps): Select either LDAP or LDAPS, depending on the LDAP security type.

- Port number of the LDAP: Type the LDAP server port number.

- Admin user Distinguished Name (DN): Type the administrative username in the distinguished name format. For example, consider the following entry for LDAP:

  uid=admin,ou=people,dc=dpc,dc=local

  For example, consider the following entry for Active Directory:

  cn=Administrator,dc=abc,dc=xyz,dc=com

  Or, an entry in User Principal Name (UPN) format, like this:

  [email protected]

- Admin Password: Type the password for the administrative user.

- Search Admin group name: Type the name of the user group that contains the users who require access to Data Protection Central. For example, if the group distinguished name is cn=dp_admin,ou=groups,dc=dpc,dc=local, specify dp_admin in the Search Admin group name field.

  The default user group name is dp_admin.

- Base Distinguished Name (DN): Type the domain base distinguished name. For example:

  dc=dpc,dc=xyz,dc=com

- LDAP Type: Select the type of LDAP:
    - Windows Active Directory (AD)
    - Lightweight Directory Access Protocol (LDAP) server

2. Click Next, and proceed with deploying the OVA.

2. Click Next, and proceed with deploying the OVA.

Results

The administrator password is stored in the Data Protection Central lockbox and deleted from the LDAP properties file.

Add LDAP or AD after deploying Data Protection Central

You can optionally configure LDAP or AD after deploying Data Protection Central.

About this task

The following roadmap describes the workflow to add LDAP or AD to Data Protection Central.

Procedure

1. Access the Data Protection Central system through ssh and prepare to add LDAP.

Prepare to add LDAP or AD to the Data Protection Central system on page 18 provides information.

2. Create the LDAP properties file.

Create an LDAP properties file on page 18 and Examples of the LDAP properties file on page 22 provide information.

3. Finish adding LDAP and log in to the Data Protection Central user interface.

Finish adding LDAP or AD and log in to the Data Protection Central user interface on page 23 provides information.

Prepare to add LDAP or AD to the Data Protection Central system

Before you add LDAP or AD, you must access the Data Protection Central system and stop the services.

Procedure

1. Log in to the Data Protection Central system using SSH.

2. To switch to the root user, type the following command:

su -

3. To stop the Data Protection Central services, type the following command:

/usr/local/dpc/bin/dpc stop

After you finish

Create or edit the ldap.properties file in the /var/lib/dpc/elg/ folder to specify the values that are specific to the environment.

Create an LDAP properties file

Learn how to create an LDAP properties file.

The LDAP properties file must match the exact file name of ldap.properties and be located in the /var/lib/dpc/elg/ directory.

Follow these guidelines when creating the LDAP properties file:

- Use lower-case for all LDAP keys in the LDAP properties file.

- It is recommended to not change the key names.

- Do not insert leading or trailing spaces in LDAP key names. For more details, see Spaces in the LDAP properties file on page 20.


- Observe the requirements for handling special characters. See Special characters in admin username and password on page 21.

Note: To quickly create an LDAP properties file, it is recommended that you copy the LDAP properties template file that is at /usr/local/dpc/lib/elg/conf/ldap.properties.example into /var/lib/dpc/elg/ldap.properties.

Table 3 on page 19 describes the attributes that you can specify in the LDAP properties file.

Table 3 LDAP properties file attributes

Attribute: elg.ldap.type
Description: Required. Specifies the type of LDAP environment. Specify either LDAP or AD.
Examples:
elg.ldap.type=LDAP
elg.ldap.type=AD

Attribute: elg.ldap.server.urls
Description: Required. Specifies the URL of the server where LDAP is hosted. Type the URL in the following format:
{ldap | ldaps}://<hostname>:<port>
Examples:
elg.ldap.server.urls=ldap://ldap.dpc.local:389/
elg.ldap.server.urls=ldaps://ldap.dpc.local:636/

Attribute: elg.ldap.base.dn
Description: Required. Specifies the domain base distinguished name of the LDAP server.
Example:
elg.ldap.base.dn=dc=dpc,dc=local

Attribute: elg.ldap.admin.dn
Description: Required. Specifies the service account username in the base distinguished name (DN) format. A service account user can:
1. Perform the Bind DN.
2. Look up the user.
3. Return the user's group membership.
Examples:
LDAP:
elg.ldap.admin.dn=uid=admin,ou=people,dc=dpc,dc=local
Active Directory:
elg.ldap.admin.dn=cn=administrator,dc=abc,dc=xyz,dc=com
or, alternatively:
[email protected]

Attribute: elg.ldap.admin.password
Description: Required. Specifies the password for the administrative user. After you save the file and restart the Data Protection Central services, the password is stored in the lockbox and deleted from the ldap.properties file.
Examples:
elg.ldap.admin.password=changeme1
or, if the password contains Java special characters, escape the special character with a backslash \. For example, if the password is change\me1, enter it like this:
elg.ldap.admin.password=change\\me1

Attribute: elg.ldap.group.search.name
Description: Required. Specifies the user group name that contains the users who require access to Data Protection Central. If you do not specify this attribute, the default value of dp_admin is used.
Example: If the distinguished name of the group is cn=backupadmins,ou=groups,dc=dpc,dc=local, specify the group name with the following entry:
elg.ldap.group.search.name=backupadmins

Attribute: elg.ldap.group.search.base
Description: Optional. Specifies the distinguished name of the administrator user group on the LDAP server.
Note: Do not specify this attribute unless there are duplicate entries of the group name on the LDAP or AD server. If you specify this attribute when there is a single instance of a group, user authentication may fail.
If the group name specified with elg.ldap.group.search.name is duplicated on the LDAP or AD server, specify this attribute for Data Protection Central to identify the correct instance of the group name. When there is only one instance of the group name, Data Protection Central automatically locates the group on the LDAP or AD server.
Example: Consider the following scenario. The LDAP server has two BackupAdmins groups in different locations. The groups have the following distinguished names:
- cn=backupadmins,ou=groups,dc=dpc,dc=local
- cn=backupadmins,ou=groupcontainer,dc=dpc,dc=local
You want to use the group located in the groupcontainer folder. In this scenario, specify:
elg.ldap.group.search.base=ou=groupcontainer

Attribute: elg.ldap.tls.protocols
Description: Optional. Specifies the TLS protocol version.
Note: By default, Data Protection Central 19.2 and later supports only TLS 1.2. Also, FIPS-compliant operation requires TLS 1.2.
Example:
elg.ldap.tls.protocols=TLSv1.2

Spaces in the LDAP properties file

Learn about guidelines for using spaces in the LDAP properties file.

LDAP keys

Do not insert spaces in the LDAP key names.


Example 1 Avoid spaces in LDAP key names

elg.ldap.base.dn // is a valid key
elg.ldap. base.dn // is NOT a valid key

LDAP values

LDAP values can have spaces, if required, but do not use spaces before or after the value string.

Example 2 Avoid spaces before and after value string

// Is valid value
elg.ldap.type=AD

// Not valid value (because space is inserted before and after value)
elg.ldap.type= AD 

// Not valid value (because trailing space is inserted after value)
elg.ldap.type=AD 

The LDAP value string can have special characters, and there are no restrictions on case.

Special characters in admin username and password

If the Admin username or password in the ldap.properties file incorporates Java special characters, they must be escaped by a \ (backslash).

Example 3 Admin username example

If the Admin username in the ldap.properties file uses the domain\username format, the following example would be incorrect because it omits the escape character (a backslash):

elg.ldap.admin.dn=dpc.local\administrator

The correct syntax includes the \ escape character:

elg.ldap.admin.dn=dpc.local\\administrator

Example 4 Admin password example

If the Admin password incorporates a Java special character, the following example would be incorrect:

elg.ldap.admin.password=password1\


The correct syntax would be:

elg.ldap.admin.password=password1\\

Supported Java special characters

Table 4 on page 22 provides examples of Java special characters that you must escape by using a backslash.

Table 4 Examples of Java special characters

Special characters escaped by \ Display

\' Single quotation mark

\" Double quotation mark

\\ Backslash

\t Tab

\b Backspace

\r Carriage return

\f Formfeed

\n Newline

Examples of the LDAP properties file

Consider the following examples of the LDAP property file.

Example 5 Example LDAP properties file

elg.ldap.type=LDAP
elg.ldap.server.urls=ldaps://dpc.local.domain.com:636/
elg.ldap.base.dn=dc=local,dc=domain,dc=com
elg.ldap.admin.dn=uid=Admin,ou=People,dc=local,dc=domain,dc=com
elg.ldap.admin.password=PgK17y5*
elg.ldap.group.search.name=dp_admin

Example 6 Example LDAP properties file for Active Directory

elg.ldap.type=AD
elg.ldap.server.urls=ldap://dpc.corp.domain.com:389/
elg.ldap.base.dn=dc=corp,dc=domain,dc=com
elg.ldap.admin.dn=cn=Administrator,cn=Users,dc=sddc,dc=local
elg.ldap.admin.password=4tHgI8fL
elg.ldap.group.search.name=dp_admin
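The guidelines above (lower-case keys with no spaces, values without leading or trailing spaces, backslash-escaped Java special characters, and the required attributes from Table 3) can be checked before the services are restarted. The following script is an added example, not part of the guide or the product; the function names, the advisory on ldap://, and the sample files it writes to a temporary directory are assumptions and constructed values.

```bash
#!/usr/bin/env bash
# Added example, not part of the guide or the product: check an ldap.properties
# file against the rules in this section before the DPC services are restarted.
# Usage: check_ldap_properties /var/lib/dpc/elg/ldap.properties
# Prints one finding per line; returns 0 when no error was found.

finding() { printf '%s\n' "$1"; rc=1; }

check_ldap_properties() {
    file=$1
    rc=0
    # Attributes that Table 3 marks as required (group.search.name defaults to dp_admin).
    for key in elg.ldap.type elg.ldap.server.urls elg.ldap.base.dn \
               elg.ldap.admin.dn elg.ldap.admin.password; do
        grep -q "^${key}=" "$file" || finding "missing required key: $key"
    done
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*|'!'*) continue ;; esac    # blank lines and comments
        case "$line" in *=*) ;; *) finding "line without '=': $line"; continue ;; esac
        key=${line%%=*}
        value=${line#*=}
        # Key rules: lower-case, and no spaces anywhere in the name.
        case "$key" in *[[:space:]]*) finding "space in key name: '$key'" ;; esac
        case "$key" in *[[:upper:]]*) finding "key must be lower-case: $key" ;; esac
        # Value rule: spaces inside a value are allowed, but not before or after it.
        case "$value" in [[:space:]]*|*[[:space:]]) finding "leading or trailing space in value of $key" ;; esac
        case "$key" in
        elg.ldap.type)
            case "$value" in LDAP|AD) ;; *) finding "elg.ldap.type must be LDAP or AD, got '$value'" ;; esac
            ;;
        elg.ldap.server.urls)
            printf '%s\n' "$value" | grep -Eq '^ldaps?://[^/:]+:[0-9]+/?$' \
                || finding "elg.ldap.server.urls must be {ldap|ldaps}://<hostname>:<port>, got '$value'"
            case "$value" in ldap://*) printf '%s\n' 'advisory: ldap:// sends the bind password in clear text; prefer ldaps://' ;; esac
            ;;
        elg.ldap.admin.dn|elg.ldap.admin.password)
            # Java special characters must be escaped: \\ is a literal backslash and
            # \' \" \t \b \r \f \n are the escapes in Table 4. Any backslash left after
            # removing those sequences is unescaped (e.g. domain\user or a trailing \).
            rest=$(printf '%s' "$value" | sed -e 's/\\\\//g' -e 's/\\[tbrfn"'"'"']//g')
            case "$rest" in *\\*) finding "unescaped backslash in $key (write \\\\ for a literal \\)" ;; esac
            ;;
        esac
    done < "$file"
    return "$rc"
}

# Constructed sample files for the demonstration; host names and values are made up.
make_sample_properties() {
    dir=$(mktemp -d)
    cat > "$dir/good.properties" <<'EOF'
elg.ldap.type=AD
elg.ldap.server.urls=ldaps://dc01.example.test:636/
elg.ldap.base.dn=dc=example,dc=test
elg.ldap.admin.dn=cn=svc-dpc,cn=Users,dc=example,dc=test
elg.ldap.admin.password=change\\me1
elg.ldap.group.search.name=dp_admin
elg.ldap.tls.protocols=TLSv1.2
EOF
    cat > "$dir/bad.properties" <<'EOF'
elg.ldap.type= AD
elg.ldap. base.dn=dc=example,dc=test
elg.ldap.admin.dn=example.test\svc-dpc
elg.ldap.admin.password=password1\
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: the clean file prints nothing, the broken one lists each problem.
dir=$(make_sample_properties)
check_ldap_properties "$dir/good.properties" && printf 'good.properties: ok\n'
check_ldap_properties "$dir/bad.properties" || printf 'bad.properties: errors found\n'
```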


Finish adding LDAP or AD and log in to the Data Protection Central user interface

After you add the ldap.properties file, perform the following steps to complete the LDAP configuration.

Procedure

1. To assign administrator ownership on the ldap.properties file, type the following command:

chown admin:admin /var/lib/dpc/elg/ldap.properties

2. To set the protection of the ldap.properties file, type the following command:

chmod 644 /var/lib/dpc/elg/ldap.properties

3. To restart Data Protection Central and activate the change, type the following command:

/usr/local/dpc/bin/dpc start

4. Once Data Protection Central is started, type the following command to confirm that all of the services are active:

/usr/local/dpc/bin/dpc status

5. Launch a web browser and navigate to the Data Protection Central address using the fully qualified domain name.

For example:

https://dpc.local.com

6. Log in to the Data Protection Central user interface with the credentials for the LDAP user account.

Verify the LDAP or AD connection status

You can verify the LDAP or AD connection status by looking for messages in the log file or on the Audit page.

Check the LDAP status in the log file

Check the /var/log/dpc/elg/elg.log log file for messages about the LDAP connection status.

Messages that appear during LDAP connection failure

If the following message appears, the LDAP client did not make a successful connection to the LDAP server:

2018-04-03 11:00:26,929 INFO localhost-startStop-1 c.e.c.c.SecurityConfig LDAP or AD Directory Service providers are not available


There are multiple issues that can prevent the LDAP client from connecting to the LDAP server. Look for error messages in the log file that provide more information.

The following table describes various error messages that appear during LDAP connection failures and their causes.

Table 5 LDAP communication messages

Message: INFO localhost-startStop-1 c.e.c.c.SecurityConfig LDAP or AD Directory Service providers are not available
Cause: No LDAP or AD settings are provided, or they are provided with incorrect information.

Message: .ADLdapAuthenticationProvider Ignoring AD authentication. Verification of ldap settings failed. Failed to connect
Cause: Invalid AD configuration information.

Message: .LdapAuthenticationProvider Ignoring LDAP authentication. Verification of ldap settings failed. Failed to connect
Cause: Invalid LDAP configuration information.

Message: PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path
Cause: Validation of the LDAP server certificate could not be completed. One possible solution for this issue is to add the LDAP server certificate to the Data Protection Central Java keystore.

Messages that appear during LDAP connection success

Messages similar to the following appear when the LDAP client successfully connects to the LDAP server:

c.e.c.s.a.l.LDAPSecureStorage LDAP admin credentials are secured
c.e.c.s.a.l.ExternalAuthenticationProvider Type: LDAP
c.e.c.s.a.l.ExternalAuthenticationProvider Base DN: dc=mydomain,dc=com
c.e.c.s.a.l.ExternalAuthenticationProvider Admin user DN: cn=Administrator,dc=my-domain,dc=com
c.e.c.s.a.l.ExternalAuthenticationProvider User Base: ou=people
c.e.c.s.a.l.ExternalAuthenticationProvider User Search DN: (|(uid={0})(cn={0}))
c.e.c.s.a.l.ExternalAuthenticationProvider User Pattern DN: []
c.e.c.s.a.l.ExternalAuthenticationProvider Group Name: dp_admin
c.e.c.s.a.l.ExternalAuthenticationProvider Group Search Base: ou=group
c.e.c.s.a.l.ExternalAuthenticationProvider Group Search Filter: (&(member={0})(cn=dp_admin))
o.s.s.l.DefaultSpringSecurityContextSource URL 'ldap://12.3.104.150:546/dc=my-domain,dc=com', root DN is 'dc=mydomain,dc=com'
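As an added example (not part of the guide or the product), the following script reads an elg.log and reports which of the outcomes in Table 5, or the success banner above, it contains; the function names and the sample log lines it writes are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example, not part of the guide or the product: classify the LDAP/AD
# connection outcome recorded in /var/log/dpc/elg/elg.log using the messages
# listed in Table 5 and the success messages shown above.
# ldap_log_status LOGFILE -> prints one status word; returns 0 only on success.

ldap_log_status() {
    log=$1
    # Success: the admin credentials were moved into the lockbox and the
    # Spring context source reported the directory URL it bound to.
    if grep -q 'LDAPSecureStorage LDAP admin credentials are secured' "$log" \
       && grep -q 'DefaultSpringSecurityContextSource URL' "$log"; then
        printf 'ok\n'; return 0
    fi
    # Most specific failure first: a certificate trust problem is also
    # accompanied by the generic "Failed to connect" lines.
    if grep -q 'PKIX path building failed' "$log"; then
        printf 'cert-validation\n'
    elif grep -q 'ADLdapAuthenticationProvider Ignoring AD authentication' "$log"; then
        printf 'bad-ad-config\n'
    elif grep -q 'LdapAuthenticationProvider Ignoring LDAP authentication' "$log"; then
        printf 'bad-ldap-config\n'
    elif grep -q 'LDAP or AD Directory Service providers are not available' "$log"; then
        printf 'not-configured\n'
    else
        printf 'unknown\n'
    fi
    return 1
}

# ldap_log_cause STATUS -> the cause from Table 5 plus what to check next.
ldap_log_cause() {
    case "$1" in
    ok)              printf '%s\n' 'LDAP client connected; review the logged Base DN, group name and URL.' ;;
    cert-validation) printf '%s\n' 'Validation of the LDAP server certificate could not be completed; add the LDAP server certificate to the Data Protection Central Java keystore.' ;;
    bad-ad-config)   printf '%s\n' 'Invalid AD configuration information; check elg.ldap.server.urls, elg.ldap.admin.dn and elg.ldap.admin.password.' ;;
    bad-ldap-config) printf '%s\n' 'Invalid LDAP configuration information; check elg.ldap.server.urls, elg.ldap.admin.dn and elg.ldap.admin.password.' ;;
    not-configured)  printf '%s\n' 'No LDAP or AD settings are provided, or they are provided with incorrect information.' ;;
    *)               printf '%s\n' 'No LDAP status message found; confirm the services were restarted after editing ldap.properties.' ;;
    esac
}

# Constructed sample logs (timestamps, hosts and logger names are made up).
make_sample_logs() {
    dir=$(mktemp -d)
    cat > "$dir/ok.log" <<'EOF'
2020-02-10 09:12:01,004 INFO localhost-startStop-1 c.e.c.s.a.l.LDAPSecureStorage LDAP admin credentials are secured
2020-02-10 09:12:01,010 INFO localhost-startStop-1 c.e.c.s.a.l.ExternalAuthenticationProvider Type: LDAP
2020-02-10 09:12:01,011 INFO localhost-startStop-1 c.e.c.s.a.l.ExternalAuthenticationProvider Group Name: dp_admin
2020-02-10 09:12:01,020 INFO localhost-startStop-1 o.s.s.l.DefaultSpringSecurityContextSource URL 'ldaps://ldap.example.test:636/dc=example,dc=test', root DN is 'dc=example,dc=test'
EOF
    cat > "$dir/cert.log" <<'EOF'
2020-02-10 09:15:42,118 WARN localhost-startStop-1 c.e.c.s.a.l.LdapAuthenticationProvider Ignoring LDAP authentication. Verification of ldap settings failed. Failed to connect
2020-02-10 09:15:42,119 WARN localhost-startStop-1 c.e.c.s.a.l.LdapAuthenticationProvider PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path
2020-02-10 09:15:42,130 INFO localhost-startStop-1 c.e.c.c.SecurityConfig LDAP or AD Directory Service providers are not available
EOF
    cat > "$dir/none.log" <<'EOF'
2020-02-10 09:20:00,001 INFO localhost-startStop-1 c.e.c.c.SecurityConfig LDAP or AD Directory Service providers are not available
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run over the three constructed logs.
dir=$(make_sample_logs)
for f in ok cert none; do
    status=$(ldap_log_status "$dir/$f.log")
    printf '%s.log: %s - %s\n' "$f" "$status" "$(ldap_log_cause "$status")"
done
```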

Check the LDAP status on the Audit page

You can verify the success of the LDAP configuration on the Data Protection Central Audit page.

If LDAP configuration is successful, you can log in to the Data Protection Central web user interface with an LDAP account. If configuration fails, log in to Data Protection Central using the [email protected] account and browse to the Audit page for details.


The Audit page shows the overall status of the operation and the status of each individual sub-task. You can use this information to locate the point in the operation that caused the LDAP configuration to fail.

The following figure shows an example of an LDAP configuration activity on the Audit page.

Figure 2 LDAP configuration activities on the Audit page

Login format with LDAP users

Learn about login formats that Data Protection Central supports for LDAP users.

Active Directory username login format

Data Protection Central supports User Principal Name (UPN) login format in release 18.2 and earlier. Later versions support both UPN and sAMAccountName user login format.

Note: PowerProtect supports only UPN format.

The following examples demonstrate the username formats that Data Protection Central supports.

Example 7 UPN format

UpnUsername@domain

UpnUsername@upnSuffixDomain

Example 8 sAMAccountName format

username

domain\username

username@domain


User and credential management

Learn how to manage Data Protection Central users and credentials.

Pre-loaded accounts

The following table describes the pre-loaded Data Protection Central accounts.

Table 6 Pre-loaded accounts

User account: Data Protection Central administrator
Description: The default user for Data Protection Central web application administration.

User account: Linux operating system admin
Description: The default user for Data Protection Central operating system level administration. This account is for OVA deployments only.
Note: Only the Linux OS admin can log in using a secure shell (ssh).

User account: Linux operating system root
Description: The root operating system account. This account is for OVA deployments only.

Default credentials

The following table describes the default credentials for the pre-loaded Data Protection Central accounts.

Table 7 Default credentials

Account: Data Protection Central administrator
User: [email protected]
Password: This password is set when Data Protection Central is deployed.

Account: Linux operating system admin
User: admin
Password: This password is set when Data Protection Central is deployed.

Account: Linux operating system root
User: root
Password: This password is set when Data Protection Central is deployed.

Managing credentials

Learn how to manage user login credentials.

The default provider root password is stored in a configuration file. To reset the local and default account, edit the configuration file, and then restart the server.

The password that is entered during the OVA deployment is stored in a configuration file. On the first startup, the password is stored in an encrypted format in the Data Protection Central lockbox, and then the configuration file is deleted.


Reset user account and password

In certain situations, you may be required to reset the [email protected] user account and password.

About this task

The user account and password are configured during deployment. These credentials enable access to the Data Protection Central user interface. If required, you can reset this account and its password by following the steps in this procedure.

Procedure

1. Open an SSH session with an SSH tool, such as PuTTY.

2. As the Linux OS user admin, log in to the Data Protection Central host.

3. Type the following commands:

cd /usr/local/dpc/lib/elg
sudo service msm-monitor stop
sudo service msm-elg stop
bin/elgcli -lockbox -resetUserAccount -uiPassword <ui_password>
cd /var/lib/dpc/security/
chown admin:admin clp_lb.lb*
sudo service msm-monitor start
sudo service msm-elg start

The UI password must contain at least nine characters including one uppercase, one lowercase, one number, and one special character: ! @ # $ % ^ & * ( ) - _

Modifying the Linux operating system user credentials

For OVA deployments of Data Protection Central, the Linux admin and root user passwords are configured when you deploy the OVA template. You can change the Linux admin and root user passwords using the standard Linux password change command.

From either an SSH session connected to the Data Protection Central system or using the Data Protection Central system console, run the following command to change the operating system admin or root password:

passwd {admin | root}

The Linux documentation provides more information on using the passwd command.

Password complexity

The following table describes the password complexity requirements.

Table 8 Password complexity requirements

Account: Data Protection Central administrator
Password complexity requirements:
- A minimum of 9 characters.
- A maximum of 15 characters.
- At least 1 lowercase character.
- At least 1 uppercase character.
- At least 1 number.
- At least 1 of the following special characters: ! @ # $ % ^ & * ( ) - _
- The password cannot include any whitespace.

Account: Linux operating system admin
Password complexity requirements: The password length must be between 8 and 256 characters.

Account: Linux operating system root
Password complexity requirements: The password length must be between 8 and 256 characters.
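An added example, not from the guide or the product: a shell check of a candidate password against the rules in Table 8, so that a value is rejected before it is passed to elgcli -resetUserAccount or passwd. The function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the guide or the product: validate a candidate
# password against Table 8 before using it on the appliance.
# check_dpc_ui_password PASSWORD -> lists every unmet rule; returns 0 when all pass.
check_dpc_ui_password() {
    pw=$1
    rc=0
    fail() { printf '%s\n' "$1"; rc=1; }
    [ "${#pw}" -ge 9 ]  || fail 'fewer than 9 characters'
    [ "${#pw}" -le 15 ] || fail 'more than 15 characters'
    printf '%s' "$pw" | grep -q '[[:lower:]]' || fail 'no lowercase character'
    printf '%s' "$pw" | grep -q '[[:upper:]]' || fail 'no uppercase character'
    printf '%s' "$pw" | grep -q '[0-9]'       || fail 'no number'
    # Exactly the set Table 8 allows: ! @ # $ % ^ & * ( ) - _
    printf '%s' "$pw" | grep -q '[!@#$%^&*()_-]' \
        || fail 'none of the special characters ! @ # $ % ^ & * ( ) - _'
    printf '%s' "$pw" | grep -q '[[:space:]]' && fail 'contains whitespace'
    return "$rc"
}

# check_linux_os_password PASSWORD -> the admin and root rule: 8 to 256 characters.
check_linux_os_password() {
    [ "${#1}" -ge 8 ] && [ "${#1}" -le 256 ]
}

# Stand-alone run over a few constructed candidates.
for candidate in 'Dpc-Admin1' 'dpcadmin1' 'Dpc Admin1!'; do
    if check_dpc_ui_password "$candidate" > /dev/null; then
        printf '%s: accepted\n' "$candidate"
    else
        printf '%s: rejected (%s)\n' "$candidate" "$(check_dpc_ui_password "$candidate" | paste -sd ';' -)"
    fi
done
```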

Authentication to external data protection systems

Data Protection Central includes features to monitor and manage external data protection systems, such as Avamar. Data Protection Central requires credentials to access the external system.

Configuring remote connections

Data Protection Central establishes a remote connection to external systems that you add from the System Management page.

When you add a system to Data Protection Central, you must provide connection information including the hostname and credentials for that system. Data Protection Central stores this connection information and uses it to access the remote system.

Credential security

Data Protection Central stores external credentials securely.

After you add a system to Data Protection Central, the external system credentials are stored in a secure lockbox.

Single Sign-On

Data Protection Central supports Single Sign-On (SSO) authentication for certain external systems.

SSO streamlines the process of managing systems by logging you into system management applications directly when you launch them from Data Protection Central.

Systems must meet the following version requirements to enable SSO:

Table 9 System version requirements for SSO

System type                 User interface                       Supported versions
Avamar                      Avamar Administrator                 7.5.1 and later
Avamar                      AUI                                  18.1 and later
NetWorker                   NetWorker Management Console (NMC)   18.1 and later
NetWorker                   NetWorker Management WebUI           18.1 and later
Search                      Search Web User Interface            18.1 and later
Data Protection Advisor     DPA Web Console                      18.2 and later
Data Domain                 Data Domain System Manager           6.2.0.10 and later
PowerProtect                PowerProtect Data Manager            19.2 and later

If systems do not meet these version requirements, SSO is not available. You can monitor the SSO health status on the Health page.

Note: The SSO health status reflects the Data Protection Central SSO connection status rather than the status of the remote system. The SSO health may be reported as healthy when the monitored system is out of sync.

Authorization

Data Protection Central supports a single administrative role.

Both the default [email protected] account and any LDAP users added to the administrative group in the ldap.properties file are granted the administrator role in Data Protection Central.

When the Data Protection Central administrator logs in, they have access to all Data Protection Central features and functions.

The administrator also has administrative access to external system management applications, such as Avamar Administrator, for all systems added to Data Protection Central.

SSO limitations with PowerProtect Data Manager

Learn about PowerProtect Data Manager limitations with SSO authentication from Data Protection Central for AD and LDAP users.

Unless otherwise stated, the PowerProtect Data Manager limitations that are described here apply only to Data Protection Central external users. The Data Protection Central local user works as expected and uses the admin role that is assigned in PowerProtect Data Manager.

Configuration

Observe these limitations:

- The same LDAP or AD server that is attached to Data Protection Central must be configured in PowerProtect Data Manager. PowerProtect Data Manager validates that the user exists.

- Add the group role in PowerProtect Data Manager for users who plan to monitor PowerProtect Data Manager from Data Protection Central.

Authentication

Observe these limitations:

- The LDAP or AD user login through Data Protection Central must be part of the group role mapping in PowerProtect Data Manager.

- PowerProtect Data Manager SSO supports only UPN login format (for example, username@domain).


Authorization

The role that PowerProtect Data Manager assigns takes precedence over Data Protection Central.

For example:

If an LDAP user has the administrator role in Data Protection Central and the user role in PowerProtect Data Manager, when the user logs in to Data Protection Central and launches into PowerProtect Data Manager using SSO, the user role is designated (not the administrator role).

Sessions

Observe these limitations:

This information applies to local and external LDAP and AD users. When SSO launch occurs through Data Protection Central, PowerProtect Data Manager creates its own session for the external user that is provided through Data Protection Central.

Example scenario:

1. A user logs in to Data Protection Central and initiates an SSO click-and-launch to PowerProtect Data Manager.

2. When this user logs out of Data Protection Central, the user session in PowerProtect Data Manager does not close, but remains active.

3. If a second user logs in to Data Protection Central and initiates an SSO click-and-launch to PowerProtect Data Manager, the SSO login does not occur if the first user is still logged in. See the Data Protection Central Release Notes for this known issue.

Network security

Learn about network security in Data Protection Central.

Data Protection Central uses a firewall to enhance security by restricting inbound and outbound network traffic to the TCP and UDP ports. The tables in this section list the inbound and outbound ports that Data Protection Central uses.

Network exposure

Data Protection Central uses inbound and outbound ports when communicating with remote systems.

- Outbound ports on page 30

- Inbound ports on page 32

- TCP port allocations per system on page 32

Outbound ports

Data Protection Central can use outbound ports when connecting to a remote system.

The ports that are listed in Table 10 on page 30 are the Data Protection Central outbound ports:

Table 10 Outbound ports

Port number   Layer 4 Protocol   Service
7             TCP, UDP           ECHO
22            TCP                SSH
25            TCP                SMTP
53            UDP, TCP           DNS
67,68         TCP                DHCP
80            TCP                HTTP
88            TCP, UDP           Kerberos
111           TCP, UDP           ONC RPC
123           TCP, UDP           NTP
161-163       TCP, UDP           SNMP
389           TCP, UDP           LDAP
443           TCP                HTTPS
448           TCP                Data Protection Search Admin REST API
464           TCP, UDP           Kerberos
514           TCP, UDP           rsh
587           TCP                SMTP
636           TCP, UDP           LDAPS
902           TCP                VMware ESXi
2049          TCP, UDP           NFS
2052          TCP, UDP           mountd, clearvisn
3009          TCP                Data Domain REST API
5671          AMQP over SSL      RabbitMQ. Note: Needed for NetWorker 9.2.1.4, 18.1.0.2-41, or 18.2.0-28, and later versions.
5672          AMQP               RabbitMQ. Needed for NetWorker versions earlier than 9.2.1.4, 18.1.0.2-41, or 18.2.0-28.
8443          TCP                MCSDK (8443 is an alternative for 443)
9000          TCP                NetWorker Management Console
9002          TCP                Data Protection Advisor REST API
9090          TCP                NetWorker Authentication Service and REST API
9443          TCP                Avamar Management Console web service

Inbound ports

Learn about the inbound ports that are available for use by a remote system when connecting to Data Protection Central.

The ports that are listed in Table 11 on page 32 are the Data Protection Central inbound ports.

Table 11 Inbound ports

Port number Layer 4 Protocol Service

22 TCP SSH

80 TCP HTTP

443 TCP HTTPS

5671 TCP RabbitMQ over AMQP

TCP port allocations per system

Learn about the TCP ports that Data Protection Central allocates for each of the management systems it supports.

In the port columns of the tables that follow, "incoming" describes a connection that comes in from the remote system to the designated Data Protection Central port.

"Outgoing" describes a connection that goes out from the Data Protection Central system to the designated remote system port.

The TCP ports listed in the tables that follow constitute the minimum requirement to support the designated system.

Avamar

Table 12 Avamar ports

Connection: Avamar to Data Protection Central RabbitMQ
Protocol: AMQP over TLS
Port: Incoming 5671
Purpose: Activity, Alerts, Status, Capacity, Inventory for Assets, Policies, Schedules, Data Sets, Retention (Avamar Messages)

Connection: Data Protection Central ELG to Avamar server
Protocol: SOAP over HTTPS
Port: Outgoing 9443
Purpose: Monitors activation, SSO registration, policy management, running policies, asset backups

Connection: Avamar server to Data Protection Central UI over NGINX
Protocol: HTTP
Port: Incoming 80
Purpose: Retrieves signed root CA certificate (for RabbitMQ shovel setup)

Connection: Avamar server to Data Protection Central SSO over NGINX
Protocol: HTTPS
Port: Incoming 443
Purpose: Verifies SSO user, SSO registration, posting certificate sign request (for RabbitMQ shovel setup)

NetWorker

Table 13 NetWorker ports

Connection: Data Protection Central Monitor to NetWorker RabbitMQ
Protocol: AMQP over TLS
Port: Outgoing 5671
Purpose: Activity monitoring

Connection: Data Protection Central ELG to NetWorker
Protocol: HTTPS
Port: Outgoing 9090
Purpose: Health reporting

Connection: NetWorker server to Data Protection Central SSO over NGINX
Protocol: HTTPS
Port: Incoming 443
Purpose: Verifies SSO user, SSO registration

PowerProtect Data Manager

Table 14 PowerProtect Data Manager

Connection: Data Protection Central ELG and Monitor to PowerProtect Data Manager
Protocol: HTTPS
Port: Outgoing 8443
Purpose: Uses PowerProtect Data Manager REST API

Connection: Data Protection Central SSO to PowerProtect Data Manager UI
Protocol: HTTPS
Port: Outgoing 443
Purpose: SSO authentication

Connection: PowerProtect Data Manager server to Data Protection Central SSO over NGINX
Protocol: HTTPS
Port: Incoming 443
Purpose: Verifies SSO user, SSO registration

Data Domain

Table 15 Data Domain ports

Connection: Data Protection Central Monitor to Data Domain
Protocol: SSH
Port: Outgoing 22
Purpose: Runs Data Domain CLI commands

Connection: Data Protection Central ELG to Data Domain
Protocol: HTTPS
Port: Outgoing 3009
Purpose: Uses Data Domain REST API

Connection: Data Domain server to Data Protection Central SSO over NGINX
Protocol: HTTPS
Port: Incoming 443
Purpose: Verifies SSO user, SSO registration

Data Protection Advisor

Table 16 Data Protection Advisor ports

Connection: Data Protection Advisor server to Data Protection Central SSO over NGINX
Protocol: HTTPS
Port: Incoming 443
Purpose: Verifies SSO user

Connection: Data Protection Central to Data Protection Advisor server
Protocol: HTTPS
Port: Outgoing 9002
Purpose: Runs and retrieves reports, launches Data Protection Advisor UI

Data Protection Search

Table 17 Search ports

Connection: Search server to Data Protection Central SSO over NGINX
Protocol: HTTPS
Port: Incoming 443
Purpose: Verifies SSO user, SSO registration

Connection: Data Protection Central ELG to Search server
Protocol: HTTPS
Port: Outgoing 443
Purpose: Initial verification that server exists, certificate validation

LDAP Server

Table 18 LDAP ports

Connection: Data Protection Central to LDAP server
Protocol: LDAP and LDAPS
Port: Outgoing 389 and 636 (by default)
Purpose: LDAP-based authentication

Modify the Data Protection Central firewall

If you add a system to Data Protection Central that uses a nonstandard port, modify the Data Protection Central firewall to allow communication with that port.

Procedure

1. To access the Data Protection Central system, run the following command:

ssh -l <username> <dpc_fqdn>


2. To switch to the root user, run the following command:

su -

3. To edit the Data Protection Central firewall rules file, open the following file with a Linux file editor:

/usr/local/dpc/lib/firewall/scripts/SuSEfirewall2-dpc-custom

4. In the fw_custom_before_denyall() method, under production rules, modify the --dport entry to add the port you want Data Protection Central to access.

For example:

# production rules
exec_rule -A $chain -j ACCEPT -m multiport -p tcp --dport 22,88,389,443,448,636,2049,2052,3009,9000,9002,9443

It is recommended that you replace the default service port with the alternate port. The following table describes the ports that system services use by default:

Service | Port
Avamar Management Console | 9443
NetWorker Authentication Service and REST API | 9090
NetWorker Management Console | 9000
Data Domain REST API | 3009
Search REST API | 448
Search UI and PowerProtect Data Manager | 443
Data Protection Advisor | 9002

5. Save and close the file.

6. To restart the firewall and apply the changes, run the following commands:

service SuSEfirewall2 stop

service SuSEfirewall2_init stop

service SuSEfirewall2 start

service SuSEfirewall2_init start
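Step 4 has you edit the --dport list by hand. As an added example (not part of the guide and not Dell code), the following POSIX shell functions validate a port, merge it into that list so that re-running is harmless, and keep a backup of the rules file; the rule shape and file path come from the guide, and the function names and backup naming are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the Dell EMC guide: merge a port into the --dport
# list of the production rule in SuSEfirewall2-dpc-custom instead of editing it
# by hand. Assumptions (this example's own): the rule line has exactly the shape
# shown in the guide and the script runs as root on the Data Protection Central host.

RULE_FILE=/usr/local/dpc/lib/firewall/scripts/SuSEfirewall2-dpc-custom

# valid_port PORT: succeed only for an integer in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# dport_list_add LIST PORT: print the comma-separated LIST with PORT merged in,
# numerically sorted and de-duplicated, so adding an existing port changes nothing.
dport_list_add() {
    { printf '%s\n' "$1" | tr ',' '\n'; printf '%s\n' "$2"; } \
        | sort -n -u | paste -s -d , -
}

# rule_line_add_port RULE_LINE PORT: print RULE_LINE with PORT merged into the
# token that follows --dport; nothing else on the line is touched.
rule_line_add_port() {
    line=$1
    port=$2
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    old=$(printf '%s\n' "$line" | sed -n 's/.*--dport \([0-9,]*\).*/\1/p')
    [ -n "$old" ] || { echo "no --dport list in rule" >&2; return 1; }
    new=$(dport_list_add "$old" "$port")
    printf '%s\n' "$line" | sed "s/--dport $old/--dport $new/"
}

# firewall_allow_port PORT [FILE]: back up FILE, rewrite its first --dport rule
# line in place and print the new line for review. Restarting SuSEfirewall2
# afterwards (step 6 in the guide) is left to the operator.
firewall_allow_port() {
    port=$1
    file=${2:-$RULE_FILE}
    line=$(grep -e '--dport' "$file" | head -n 1)
    [ -n "$line" ] || { echo "no --dport rule in $file" >&2; return 1; }
    new=$(rule_line_add_port "$line" "$port") || return 1
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # Replace only the first line equal to the old rule; every other line is kept.
    awk -v old="$line" -v new="$new" \
        '!done && $0 == old { print new; done = 1; next } { print }' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    printf '%s\n' "$new"
}
```

Run as `firewall_allow_port 9090` to admit the NetWorker alternate port from the table above; the printed line is what the reviewer should compare against the backup.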


Data security

The data that is held, managed, used, or operated on by Data Protection Central is stored and secured.

Data Protection Central does not encrypt event or application data within MongoDB.

Data Protection Central prevents unauthorized access to the Data Protection Central system.

Lockbox

Data Protection Central uses a secure storage lockbox to encrypt and store both internal system credentials and credentials for external systems that Data Protection Central monitors and manages.

The lockbox is created during deployment and is secured by a lockbox password. The password is encrypted and stored in the lockbox along with Stable System Values (SSVs), which uniquely identify the Data Protection Central host. The lockbox uses the SSVs to generate an encryption key to encrypt the system credentials.

Stable System Values (SSVs)

Stable System Values (SSVs) validate access to the lockbox.

When data is written to or retrieved from the lockbox, the SSVs in the lockbox are compared against the SSVs generated from the host. If the SSVs match, the operation is permitted. If the SSVs do not match, the operation fails.

Cryptography

Learn about cryptography in Data Protection Central.

Data Protection Central uses cryptography for the following components:

- Access control

- Authentication

- Digital signatures

Certificate management

Data Protection Central uses certificates for secure HTTP access (HTTPS).

By default, Data Protection Central generates a default SSL self-signed certificate in the following location:

/var/lib/dpc/webcerts

The self-signed certificate is sufficient to establish an encrypted channel between web browsers and the server. The self-signed certificate cannot be used for authentication.

You can use the following types of certificates for Data Protection Central authentication:

- A self-signed certificate.

- A certificate that is signed by a trusted certificate authority (CA) vendor.

Note: Consider company policies when creating certificates.


Generate a self-signed certificate

To enable a secure browser connection, create a private key and a self-signed certificate.

About this task

To comply with FIPS 140-2 and related documents, use digital certificates with a minimum strength of 112 bits of security for the digital signature algorithm and hashes. For example, use RSA 2048-bit moduli (or greater) or ECDSA certificates that are based on P-256 and the SHA-256 hash.

Procedure

1. To connect to the Data Protection Central server as an admin user, run the following command:

ssh admin@SERVER

2. To change to the root user, run the following command:

su -

3. To change the directory to /var/lib/dpc/webcerts, run the following command:

cd /var/lib/dpc/webcerts

4. To generate a new RSA certificate, run the following command:

openssl req -newkey rsa:2048 -sha256 -x509 -keyout private-key.pem -out cert.pem -nodes -days 1095

5. To generate a new ECDSA certificate, run the following command:

openssl ecparam -name secp521r1 -genkey -noout -out /var/lib/dpc/webcerts/ecdsa-private-key.pem
openssl req -new -x509 -key /var/lib/dpc/webcerts/ecdsa-private-key.pem -out /var/lib/dpc/webcerts/ecdsa-server.pem -days 1095

6. Set the owner and group of the new certificate files to the following:

chown admin:admin *.pem

7. Restart NGINX.

systemctl restart nginx

8. To verify the new self-signed certificate, browse Data Protection Central.


Generate a Certificate Signing Request

To enable a secure browser connection, generate a Certificate Signing Request (CSR).

Procedure

1. To connect to the Data Protection Central server as an admin user, type the following command:

ssh admin@SERVER

2. To change to the root user, type the following command:

su -

3. To change the directory to /var/lib/dpc/webcerts, type the following command:

cd /var/lib/dpc/webcerts

4. To generate a CSR using the private key that was created in the self-signed certificate procedure, type the following command:

openssl req -new -sha256 -key private-key.pem -out cert.csr

5. Send the cert.csr to a certificate authority (CA) vendor.

6. Replace the current cert.pem file with the certificate received from the CA vendor.

7. Restart NGINX.

systemctl restart nginx

8. To verify the new certificate, browse Data Protection Central.
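Both certificate procedures above set RSA 2048-bit or P-256 keys with SHA-256 as the floor for FIPS 140-2, and the CSR procedure reuses private-key.pem. As an added example (not part of the guide and not Dell code), the following POSIX shell functions audit a certificate in /var/lib/dpc/webcerts against that floor and confirm that a CA-issued cert.pem still matches private-key.pem; the function names and the encoded thresholds are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the Dell EMC guide: check a certificate against the
# 112-bit guidance (RSA 2048+ or EC P-256+, SHA-256 or stronger signature) and
# check that a certificate belongs to a given private key. Thresholds and names
# are this example's own.

# cert_text_check: read `openssl x509 -noout -text` output on stdin, print one
# line starting with "ok:" or "weak:", and return 0 only when the guidance is met.
cert_text_check() {
    text=$(cat)
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    keyalg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    # "RSA Public-Key: (2048 bit)" on OpenSSL 1.1.1, "Public-Key: (2048 bit)" on others
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    bits=${bits:-0}

    # The signature hash must be SHA-2 of at least 256 bits; SHA-1 and MD5 fail here.
    case $(printf '%s' "$sigalg" | tr 'A-Z' 'a-z') in
        *sha256*|*sha384*|*sha512*) ;;
        *) echo "weak: signature algorithm '$sigalg' is not SHA-256 or stronger"; return 1 ;;
    esac

    case $keyalg in
        rsaEncryption)
            [ "$bits" -ge 2048 ] || { echo "weak: RSA modulus is $bits bits, need 2048 or more"; return 1; } ;;
        id-ecPublicKey)
            [ "$bits" -ge 256 ] || { echo "weak: EC key is $bits bits, need P-256 or larger"; return 1; } ;;
        *)
            echo "weak: unexpected public key algorithm '$keyalg'"; return 1 ;;
    esac
    echo "ok: $keyalg $bits bits, signed with $sigalg"
}

# audit_cert_file CERT: run the check against a PEM certificate on disk,
# e.g. audit_cert_file /var/lib/dpc/webcerts/cert.pem
audit_cert_file() {
    openssl x509 -in "$1" -noout -text | cert_text_check
}

# cert_matches_key CERT KEY: succeed when CERT carries the public key derived
# from KEY, which is what must hold after cert.pem is replaced by the CA's copy.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

Run `audit_cert_file cert.pem && cert_matches_key cert.pem private-key.pem` in /var/lib/dpc/webcerts before restarting NGINX; a mismatch after step 6 means NGINX will fail to load the pair.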

Auditing and logging

Learn about auditing and logging in Data Protection Central.

The following list includes information about the Data Protection Central directory structure and log information:

- The /var/log/dpc/install directory hosts all logs generated from deploying or upgrading Data Protection Central.

- The /var/lib/dpc directory hosts all Data Protection Central generated data, which consists of MongoDB and RabbitMQ.

- The /var/log/dpc directory hosts all Data Protection Central related logs, including NGINX, MongoDB, and RabbitMQ.

- All Data Protection Central related logs are under /var/log/dpc/[module name]:

   - [module name].out files contain console logging from starting and running the module process.

   - [module name].log files contain logging from the module.

- All Elemental Gateway (ELG) logs are under /var/log/dpc/elg/.

- The Data Protection Central user interface (msm-ui-main service) log is under /var/log/dpc/msm-ui-main. This log file is small and contains information from starting the Node.js server.

- The Data Protection Central Monitoring (dpc-monitor service) logs are under /var/log/dpc/monitor. This directory contains the rolling log files from the monitoring process.

Serviceability

The Support website at https://support.emc.com provides access to licensing information, product documentation, advisories, and downloads, as well as how-to and troubleshooting information. This information may enable you to resolve a product issue before you contact Support.

There is no special login to Data Protection Central for service personnel.

Ensure that you install security patches and other updates when they are available.

Security patches

A security update for Data Protection Central may be periodically provided.

The periodic updates are cumulative.

Each periodic update is announced through a security advisory. The security advisory provides details about the contents of the periodic update and installation instructions. To view these advisories or to register for email notifications, go to the Support website at:

https://support.emc.com

Data Protection Central OS update

Periodically, security patches and fixes are released for the Data Protection Central OS.

About this task

These fixes must be installed on OVA deployments of Data Protection Central. When available, it is highly recommended that you install these security patches and fixes on the Data Protection Central server.

When you upgrade from a pre-19.2 Data Protection Central release, enabling FIPS operation requires you to install the most recent Data Protection Central OS update.

The Data Protection Central OS Update Release Notes provide information about the security patches and fixes that are in the Data Protection Central OS update. The Support KB article https://support.emc.com/kb/522157 provides instructions for installing the OS update.

Product code integrity

When the Data Protection Central software is uploaded to the online support website, a SHA-256 checksum is also provided. It is recommended that you use the checksum to verify the authenticity of the Data Protection Central deployment file.

The Data Protection Central deployment files, both OVA and JAR objects, are digitally signed. You can verify the authenticity of the OVA file when you deploy the OVF template. When you deploy the JAR file, run the jarsigner -verify -verbose command to verify the authenticity.


CHAPTER 3

Federal standards and compliance

Topics include:

- FIPS 140-2 compliance (page 42)

- STIG compliance (page 44)

- Internet Protocol version 6 (page 47)

- VPAT accessibility features (page 47)


FIPS 140-2 compliance

Federal Information Processing Standard 140-2 is a standard that describes US Federal government requirements that IT products should meet for Sensitive, but Unclassified (SBU) use.

The standard defines the security requirements for a cryptographic module that is used in a security system protecting unclassified information within IT systems. To learn more about FIPS 140-2, see the FIPS 140-2 publication.

FIPS mode requirements and limitations

To operate Data Protection Central in FIPS mode, ensure that these requirements and limitations are observed:

- FIPS mode is supported only on Data Protection Central 19.2 and later.

- The installation must be an OVA installation and not a stand-alone .jar installation. The stand-alone .jar installation does not support FIPS mode.

- A fully compliant FIPS environment requires you to enable FIPS mode for Data Protection Central and the element management systems that Data Protection Central monitors. All component versions must be FIPS-compliant.

- For new OVA deployments:

   1. Install the Data Protection Central 19.2 OVA. See the Data Protection Central Getting Started Guide for instructions.

   2. Install the latest Data Protection Central operating system update. The Support KB article https://support.emc.com/kb/522157 provides instructions.

   3. Run the FIPS enable command. See Enable FIPS mode on page 43.

- For upgrades:

   1. Upgrade to Data Protection Central 19.2. See the Data Protection Central Administration Guide for instructions.

   2. Install the latest Data Protection Central operating system update. The Support KB article https://support.emc.com/kb/522157 provides instructions.

   3. Run the FIPS enable command. See Enable FIPS mode on page 43.

   Note: Failure to follow this sequence prevents Data Protection Central from operating in FIPS mode.

- You must be using Transport Layer Security protocol version 1.2 (TLS 1.2) to operate Data Protection Central in FIPS mode. Earlier versions of TLS are not FIPS-compliant. Enabling the TLS 1.0 or 1.1 protocol renders Data Protection Central non-compliant.

- FIPS mode requires that the lockbox master password have a minimum of 14 characters. If the current lockbox master password has fewer than 14 characters, you must reset this password. See the Data Protection Central Administration Guide for instructions.

- The Data Protection Central SSO server is not FIPS compliant and is disabled when FIPS mode is enabled. For this reason, the click-and-launch capability requires users to log in to element management systems. After logging in, contextual click-and-launch functionality within Data Protection Central may be limited.

Display FIPS mode

You can determine the status of FIPS mode on Data Protection Central.

About this task

FIPS mode is disabled by default.


Procedure

1. Use SSH to log in to Data Protection Central as an admin user.

2. Change the directory to /usr/local/dpc/bin.

3. Type: dpc-fips-status.

Depending on the FIPS mode, one of these messages is displayed:

FIPS mode: Disabled
Message: Return code: -1 FIPS has not been configured.

FIPS mode: Enabled and all files configured
Message: Return code: 0 All FIPS files have been configured.

FIPS mode: Enabled but errors may exist with some configuration files
Message: Return code: 2 WARNING: Not all DPC FIPS configuration files have been set to enabled. Expecting <n> but received <n - x>.

You can also determine FIPS status (enabled, disabled, or unstable) by using the dpc status command. If the response indicates that the FIPS configuration is unstable, run dpc status detail to display a list of FIPS services and their statuses.

Enable FIPS mode

You can enable FIPS mode on Data Protection Central.

Before you begin

Before you enable FIPS mode on Data Protection Central, ensure that you meet the requirements that are described in FIPS mode requirements and limitations on page 42.

Procedure

1. Use SSH to log in to Data Protection Central as an admin user.

2. Change the directory to /usr/local/dpc/bin.

3. Type: dpc fips-mode on.

4. Change the directory to /etc/ssl.

5. Type: service sshd restart.

6. Change the directory to /usr/local/dpc/bin.

7. Type: dpc restart.

Results

When you enable FIPS mode, the system:

1. Modifies the RSA BSAFE cryptographic module to enable FIPS mode.

2. Changes the Data Domain access method from SSH to REST API.

3. Changes the Erlang configuration to run in FIPS mode.


4. Shuts down the SSO service.

Disable FIPS mode

Procedure

1. Use SSH to log in to Data Protection Central as an admin user.

2. Change the directory to /usr/local/dpc/bin.

3. Type: dpc fips-mode off.

4. Change the directory to /etc/ssl.

5. Type: service sshd restart.

6. Change the directory to /usr/local/dpc/bin.

7. Type: dpc restart.

Reset the lockbox internal encryption key

After a power loss, to operate Data Protection Central in a FIPS-compliant mode, you must reset the lockbox internal encryption key.

About this task

RSA BSAFE® Crypto-J JSAFE and JCE Software Module 6.2.5 Security Policy Level 1 requires a reset of AES GCM encryption keys after a power loss. To operate Data Protection Central in a FIPS 140-2 compliant mode, reset the Data Protection Central lockbox internal encryption key:

Procedure

1. Open an SSH session with an SSH tool, such as PuTTY.

2. As the Linux operating system user admin, log in to the Data Protection Central host.

3. Type the following commands:

cd /usr/local/dpc/lib/elg
sudo service msm-elg stop
sudo service msm-monitor stop
/usr/local/dpc/lib/elg/bin/elgcli -lockbox -passwordReset -password {original_password} -newPassword {new_password}
sudo service msm-elg start
sudo service msm-monitor start

Where original_password is the password that was specified when the lockbox was created.

STIG compliance

A Security Technical Implementation Guide (STIG) defines a configuration and maintenance standard for computer deployments that are required by the US Department of Defense (DoD) Information Assurance (IA) program. These guidelines are designed to enhance security settings and configuration options before the systems are connected to a network. More information about the various STIGs is available at http://iase.disa.mil/stigs/index.html.

Severity Category Codes (CAT) describe the vulnerabilities that are used to assess a facility or system security posture. CAT I Severity Code describes security protections that can be bypassed, allowing immediate access by unauthorized personnel or unauthorized use of super-user privileges. CAT I weaknesses must be corrected before an Authorization to Operate (ATO) is granted.


Data Protection Central compliance with CAT I Security Requirements is described in Table 19 on page 45.

Table 19 CAT I Security Requirements

Each entry lists the STIG Vulnerability ID, Rule Title, Category, and Comments.

V-55051
Rule Title: The network device must enforce the assigned privilege level for each administrator and authorizations for access to commands relative to the privilege level according to the applicable policy for the device.
Category: CAT I
Comments: Data Protection Central implements Access Control Lists (ACL) to contain access to privileged commands and configuration files to the default user IDs, namely root and admin. Also, AppArmor profiles confine the Data Protection Central application processes according to the defined AppArmor profiles. Data Protection Central runs on SUSE Linux Enterprise Server, which enables adding ACLs to restrict access according to privilege level and organizational policy.

V-55101
Rule Title: The network device must be configured to prohibit the use of unnecessary or non-secure functions, ports, protocols, and services.
Category: CAT I
Comments: Data Protection Central has a firewall that allows only the protocols and ports that the application requires.

V-55103
Rule Title: The network device must uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators).
Category: CAT I
Comments: Data Protection Central uses the Linux authentication mechanism for local/SSH authentication to uniquely identify and authenticate administrators. For the web interface, the authentication is through the EMC lockbox, which also uniquely identifies and authenticates organizational administrators.

V-55131
Rule Title: The network device must only store cryptographic representations of passwords.
Category: CAT I
Comments: Data Protection Central uses the Linux infrastructure for authentication. Passwords are stored in /etc/shadow in encrypted form. Web interface login passwords are stored in the EMC lockbox in encrypted form.

V-55133
Rule Title: The network device must transmit only encrypted representations of passwords.
Category: CAT I
Comments: Data Protection Central uses TLS for all HTTPS and AMQP communications with other systems in the solution.

V-55141
Rule Title: The network device, when using PKI-based authentication, must accept only certificates that are issued by a DoD-approved Certificate Authority.
Category: CAT I
Comments: When adding a system in the Data Protection Central UI, Data Protection Central allows a user to view the certificate before accepting it. The user should accept a DoD-approved certificate. Data Protection Central supports PKI-based authentication and can be configured to use certificates that a DoD-approved Certificate Authority issues.

V-55149
Rule Title: To protect the information from possible exploitation and use by unauthorized individuals, the network device must obscure feedback of authentication information during the authentication process.
Category: CAT I
Comments: Data Protection Central obscures feedback of authentication information during the authentication process. For example, the UI displays asterisks when a user types in a password.

V-55153
Rule Title: The network device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
Category: CAT I
Comments: Data Protection Central uses FIPS 140-2 approved algorithms for all connections, and uses FIPS 140-2 validated cryptographic modules.

V-55159
Rule Title: The network device must terminate all network connections that are associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
Category: CAT I
Comments: Data Protection Central terminates SSH and console sessions after 10 minutes of inactivity. Web sessions are terminated after 20 minutes. This value is configurable (see Idle browser session timeout on page 14). At the end of the session, Data Protection Central terminates all network connections that are associated with the session.

V-55171
Rule Title: The network device must allow only authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive).
Category: CAT I
Comments: Data Protection Central implements Access Control Lists (ACL) to contain access to privileged commands and configuration files to the default users, root and admin, that are delivered with the product. It is assumed that no other user is added to the system. Also, AppArmor profiles confine the Data Protection Central application processes according to the defined AppArmor profiles. Data Protection Central runs on SUSE Linux Enterprise Server, which enables you to add additional ACLs to restrict access according to privilege level and organizational policy.

V-55221
Rule Title: The network device must prevent non-privileged users from running privileged functions, including disabling, circumventing, or altering implemented security safeguards and countermeasures.
Category: CAT I
Comments: Data Protection Central implements Access Control Lists (ACL) to contain access to privileged commands and configuration files to the default user IDs, namely root and admin. Also, AppArmor profiles confine the Data Protection Central application processes according to the defined AppArmor profiles. Data Protection Central runs on SUSE Linux Enterprise Server, which enables you to add additional ACLs to restrict access according to privilege level and organizational policy.

V-55265
Rule Title: The network devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of non-local maintenance and diagnostic communications.
Category: CAT I
Comments: Data Protection Central uses FIPS 140-2 approved algorithms for all connections, and uses FIPS 140-2 validated cryptographic modules.

V-55267
Rule Title: Applications that are used for non-local maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of non-local maintenance and diagnostic communications.
Category: CAT I
Comments: Data Protection Central uses SSH and HTTPS. Only SCP can be used to securely copy files from and to Data Protection Central.

Internet Protocol version 6

IPv6 is the latest version of the Internet Protocol.

Data Protection Central functions in IPv6-only and dual-stack (IPv4 and IPv6) environments.

VPAT accessibility features

The Voluntary Product Accessibility Template (VPAT) is a document that describes product compliance with Section 508 accessibility standards.

The content that follows describes accessibility features of Data Protection Central.

Screen reader support

The Data Protection Central web application supports screen reader software, such as Job Access With Speech (JAWS) and NonVisual Desktop Access (NVDA). Screen reader software helps blind and visually impaired users to read the screen.

Keyboard navigation

You can use keyboard controls to browse through the Data Protection Central web application.

Focus

Web browsers have a focus style that indicates a focused user interface element. The focus style differs depending on the web browser being used.

For example, in Microsoft Internet Explorer and Mozilla Firefox, the focus style is a dotted border, while in Google Chrome it is a blue solid border.

Before performing any task using a user interface element, ensure that the web browser focus is set on the user interface element.


Only one focus can be set at a time. It is possible to have no user interface elements focused, for example on the initial load of a web page.

Tab, Shift+Tab, and arrow keys

To browse forward through user interface elements in a web browser, use the Tab key.

To browse backward through user interface elements, use the Shift+Tab keys.

You can use arrow keys to browse inside user interface elements such as menus, list boxes, or grid controls. You can also use arrow keys to scroll up or down when there is a scrollbar.

Browse sequence for user interface elements

The browse sequence for user interface elements uses the following hierarchy.

1. Parent to children.

2. Top to bottom.

3. Left to right.

The Tab key sequence loops endlessly. If you reach the last user interface control, and then press the Tab key again, the web browser focus shifts to the first user interface control.

Browser bars

For most browsers, the browser bars such as the Address Bar, Tab Bar, or Status Bar also occupy a spot in the tab sequence. This means that you must press Tab an additional two or three times to start over from the first user interface control in the web page.

Dashboard controls

The controls on the Dashboard enable you to access any widget in the Data Protection Central Dashboard.

Use the Tab key to advance the focus to the first widget (the topmost, leftmost widget in the Dashboard). To advance the focus to interactive UI elements within the widget, continue to press the Tab key. To interact with a UI element in a widget, use the Enter or Space key. To advance to the next widget, use the Tab key.

Left navigation controls

Left pane navigation controls enable you to access any menu page in Data Protection Central.

With the focus on any member of the left pane navigation, use the Tab or Shift + Tab keys to change the focus to the item that you want. Press the Enter key to open the page.


Figure 3 Left navigation controls

Detail pane controls

The right side of the user interface provides a Detail pane with controls that enable you to access specific details within the pane.

Some of the Data Protection Central pages provide a Detail pane for the selected item in the grid view. Use Tab or Shift + Tab to scroll through the items in the Detail pane. Depending on the Data Protection Central page, you can view additional information or launch a UI by pressing the Enter key.

For example, to view activities for a selected asset in the Asset Inventory page, in the Detail pane,change focus to VIEW ACTIVITIES, and press the Enter or Space key.

Figure 4 Asset Inventory Detail pane


Widget Filter controls

Keyboard controls enable you to access the options within the Dashboard widget filters.

1. In the Dashboard, with the focus on the widget overflow button, press the Tab key, and then press the Enter or Space key. The Widget Filter dialog opens with the focus on the Search text box.

2. Press the Tab key twice to place the focus on the Available list of systems.

3. Use the keyboard up or down arrow keys to change the focus to a system in the list. With a system highlighted, the focus automatically changes to the element.

4. To move the selected item to the Filtered By list, press the Enter or Space key. The focus changes to the element.

5. To move the item from the Filtered By list to the Available list, press the Enter or Space key.

6. To add more systems to the Filtered By list, use the keyboard up or down arrow keys to select another system in the Available list. Then press the Enter or Space key.

7. To apply the changes, press the Tab key until the focus changes to the APPLY button. Then press the Enter or Space key.


Calendar controls

The calendar that is available in the date-and-time widget has keyboard controls for selecting a specific calendar date.

Figure 5 Calendar controls

1. To access a different month than the one that is displayed, use Tab or Shift + Tab to change the focus to the < or > element. Then press Enter until you access the desired month.

2. Press Tab until the focus changes to a date on the calendar.

3. Use the arrow keys to cycle through the dates until the focus is on the desired date.

4. To select the date and close the calendar, press Enter.

Data grid controls

In Data Protection Central, a data grid presents tabular information that has column titles. Data grid controls can have sub-controls.

The following is a list of the sub-controls:

• Select all control

• Column header control

• Row header control

• Cell control


Figure 6 Data grid controls

The tab sequence between the sub-controls is Select All > Column Header > Cell.

Inside the sub-controls, you can use a keyboard arrow key to browse between user interface elements.

Use the spacebar to select or clear checkboxes.

Use the Enter or Space key to perform tasks such as opening a filter dialog or overflow dialog.

Arrow within grid cell

Some cells within a grid contain an arrow that you can use to display or hide additional information.

Figure 7 Hide additional information example


Figure 8 Display additional information example

The following controls are available for use when an arrow appears within a grid cell:

• Use the Tab key to move the focus to the arrow.

• Use the Enter or Space key to display or hide additional information.

Overflow button within grid cell

Some cells within a grid contain an overflow button that you can use to display or hide additional actions.

Figure 9 Overflow menu controls

The following controls are available for use when an overflow button appears within a grid cell:

1. To move the focus to the overflow button, use the Tab or Shift + Tab key.

2. To display or hide a list of additional actions, use the Enter or Space key.

3. To move the focus to the first action list item, use the Tab key.

4. To move through multiple action list items, use Tab and Shift + Tab keys.

5. To select an action, press the Enter or Space key.


CHAPTER 4

Miscellaneous Configuration and Management

Topics include:

• Licensing ............................................................................................................................... 56

• Protect authenticity and integrity ........................................................................................ 56

• Perform backups and restores of Data Protection Central .................................................... 56

• Embedded component usage ............................................................................................... 56


Licensing

Data Protection Central does not require any special or additional product licensing.

Protect authenticity and integrity

To ensure product integrity, the Data Protection Central installation components are signed.

Enable external web access with SSL using a trusted certificate authority (CA).

Perform backups and restores of Data Protection Central

To protect Data Protection Central from a disaster scenario, it is recommended that you perform backups of Data Protection Central. If required, you can restore Data Protection Central from these backups.

About this task

Virtual machine based backups of Data Protection Central are recommended. Refer to the vCenter documentation for more information.

If you are not using vCenter to perform backup and restore operations, you can also perform the following steps to back up and restore Data Protection Central.

Procedure

1. Back up the /var/lib/dpc directory.

2. To shut down the Data Protection Central software, type the following command:

sudo /usr/local/dpc/bin/dpc stop

3. Restore the /var/lib/dpc directory.

4. To start Data Protection Central, type the following command:

sudo /usr/local/dpc/bin/dpc start

Embedded component usage

Learn about Data Protection Central embedded component usage.

To locate Data Protection Central OSS third party software, use the /usr/local/dpc/licenses folder. This folder contains the oss-ship-manifest.xls file, which specifies the license information. The End User License Agreement (EULA) is also in this folder.
