DELL V36X Power Flex Security Configuration User Guide

: June 14, 2024
: Dell

Table of Contents

V36X Power Flex Security Configuration
Introduction
Access Control Settings
Communication Security Settings
Running scripts on hosts
Known security issues
Deploying PowerFlex with SELinux
Documents / Resources
- Read User Manual Online (PDF format)
- Download This Manual (PDF format)

Dell PowerFlex v3.6.x
Security Configuration Guide

V36X Power Flex Security Configuration

Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2020 – 2023 Dell Inc. or its subsidiaries. All rights reserved. Dell Technologies, Dell, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.

Introduction

This guide provides an overview of the security settings available in PowerFlex to ensure secure operation of the product.

Security features
PowerFlex has a variety of security features.
Security settings are divided into the following categories:

Access Control Settings describes the settings available to limit access by end-user or external product components.
Log Settings describes settings related to the logging of events.
Communication Security Settings describes settings related to security for the product’s network communications.
Running Scripts on Hosts explains the ability to run user-provided scripts on servers hosting DM or SDS components.
Data Security Settings describes settings available to ensure protection of the data handled by the product.

Data integrity
It is important to define the controls that prevent permanently stored data from being disclosed in an unauthorized manner.
To maintain integrity of data, it is recommended to use D@RE with CloudLink for data-at-rest encryption of both PowerFlex devices and Virtual Machines.
NOTE: For secure erasure, you must use an external tool.

Good to know
Additional security aspects of the PowerFlex system
The following aspects of the PowerFlex system are hardened:

Storage Virtual Machines (SVM) in ESXi-based systems
Apache Tomcat (hardened through STIG)

Access Control Settings

The following topics describe access control settings, which are used to protect resources against unauthorized access.

Supported access control settings
Access control settings are used to protect resources against unauthorized access.
The following access control settings are supported:

MDM:

User roles and passwords are needed to access the MDM. User roles with different access permissions can be assigned to users. Both local and LDAP authentication are supported. For more information, see “User Management” in the Configure and Customize Dell PowerFlex.
Limited MDM access mode—a system can be configured to allow read-only access to the MDM by remote clients. In this mode, only local users connecting to the MDM using the IP address 127.0.0.1 have full configuration privileges.
Restricted SDC mode—a system can be configured to only allow approved SDCs to connect to the MDM. This mode forces you to map volumes only to SDCs which have been previously approved by the user, by configuring them using their GUID.
To increase security, you can specify that only SDCs with preconfigured IP addresses can communicate with the MDM. For more information, see the Configure and Customize Dell PowerFlex.
SSL authentication of internal components to the MDM—allows secure authentication of PowerFlex SDS components to the MDM using a Public and Private Key (Key-Pair) associated with a certificate. The trust is established when adding the SDS, and reconnecting will require reauthentication.
Secure connectivity with external components—allows external components to authenticate the MDM with a certificate and authenticate back to the MDM with a username and password. After authentication, communication between the MDM and external components is performed using TLS (Transport Layer Security) protocols. External components include: PowerFlex Installer client, PowerFlex CLI client, PowerFlex GUI client, vSphere plug-in, and PowerFlex Gateway. The same method is used between the PowerFlex Installer client and LIAs.
An RSA Lockbox is used to store MDM credentials on the PowerFlex Gateway. These credentials are required for authentication purposes by the SNMP trap sender and ESRS.
PowerFlex can be used to run user-provided scripts on servers hosting MDM or SDS components. This feature is supported on Linux-based nodes only. This feature can be used for any purpose external to the PowerFlex system, such as running a set of Linux shell commands, patching an operating system, and more. The feature allows the running of scripts in a safe manner, both from a security and a data integrity perspective.

PowerFlex Gateway:

Access to the PowerFlex Gateway requires defining a dedicated user. This user may either be a local user or an LDAP user.
For more information, see the Configure and Customize Dell PowerFlex, or Dell PowerFlex User Roles and LDAP Usage Technical Notes.
Access to the PowerFlex Installer requires a username and password. This user may either be a local user or an LDAP user.
For more information, see the Configure and Customize Dell PowerFlex, or Dell PowerFlex User Roles and LDAP Usage Technical Notes.
A manually generated public-private key pair can be used to perform SSH key authentication, instead of passwords, between the PowerFlex Gateway and PowerFlex servers.
LDAP support for the PowerFlex Gateway and the PowerFlex Installer now includes up to 8 LDAP servers.

LIA:

PowerFlex Installer / PowerFlex Gateway access to the LIA may be restricted to predefined IP addresses, by configuring the list of trusted IP addresses in the file:
- Windows: C : \ P r o g r a m F i l e s \ e m c \ s c a l e i o \ L I A \ c f g \ c o n f . t x t
- Linux: / o p t / e m c / s c a l e i o / l i a / c f g / c o n f . t x t
Access to the LIA can use local authentication or LDAP authentication, with up to 8 LDAP servers.

REST API:

REST authenticates user access, using the gatewayAdminPassword and mdmPassword (for more information, see the PowerFlex REST API Reference Guide).
REST authenticates user access, using the AMSAdminPassword (for more information, see the VxFlex Ready Node REST API Reference Guide).
REST feature enabler—access to the REST gateway can be blocked by configuring the g a t e w a y U s e r . p r o p e r t i e s file located on the PowerFlex Gateway. The feature is enabled by default. For detailed information, see “Configuring the PowerFlex Gateway by editing the user properties file”, in the Dell PowerFlex REST API Reference Guide.

SNMP:

SNMP—the SNMP trap sender can be enabled or disabled using one of the methods listed below. The feature is disabled by default. For detailed information, see the Configure and Customize Dell PowerFlex.
○ During deployment (on Linux and Windows only)
○ Configuring the g a t e w a y U s e r . p r o p e r t i e s file located on the PowerFlex Gateway.
○ Using the REST API
NOTE: OpenSSL 64-bit v1.0.2k-2l or v1.1.1i or higher is required for secure authentication. In Linux, this version of OpenSSL is only supported in CentOS and RHEL 6.5 or higher.

User authentication
User authentication settings control the process of verifying an identity claimed by a user for accessing the product.

Default accounts
The PowerFlex system has the following default accounts.

Table 1. Default accounts

User Account	Password	Description
PowerFlex Installer admin user	Password is created by the admin at the
beginning of the installation process	Lets the user issue installation

commands in the PowerFlex Installer web client. The PowerFlex Installer has a default admin user. For more information, see “Preparing the PowerFlex Installer and the PowerFlex Gateway” in the PowerFlex Deployment Guide.
SVM root user| Password is set in the plug-in| The account provides full administrator privileges to all configuration and monitoring activities via the vSphere plugin.
MDM admin| Admin| The MDM has only one default account (“admin”) with a default password (“admin”) with the Super User role. The password must be reset at first login during system deployment. This account is a Super User, and provides full administrator privileges to all configuration and monitoring activities via the CLI and the GUI.

Reset the admin user password
You can reset the password of the default admin user (Superuser) using the combination of a file written to the MDM and the r e s e t _ a d m i n CLI command.

Prerequisites
Ensure that you are using the admin user with Superuser permissions.

About this task
NOTE: The procedure refers only to the default admin user with Superuser permissions, which was created during the system setup.

Steps

Create a text file named M D M S E R V I C E M O D E on the MDM in the location corresponding to your operating system:
● Windows: C : \ P r o g r a m F i l e s \ e m c \ s c a l e i o \ M D M \ l o g s \ M D M S E R V I C E M O D E
● Linux: / o p t / e m c / s c a l e i o / m d m / l o g s / M D M S E R V I C E M O D E
In the body of the file, type the text R e s e t A d m i n, and save the file.
From the CLI, run the r e s e t a d m i n command:
s c l i – – r e s e t a d m i n

Results
The admin user password is reset to a d m i n.

Authentication configuration

Local passwords must meet specific requirements.
NOTE: For LDAP users, the requirements are defined by the authenticating server according to the organization’s user policy.

User authentication is initially configured during PowerFlex installation, and users can be added and removed later, using the PowerFlex CLI (and only by a privileged user). The MDM and LIA passwords must meet the following criteria:

Include at least 3 of the following 4 groups: [a-z], [A-Z], [0-9], special characters (!@#$ …)
Contain between 6 and 31 characters
No white spaces
NOTE: The ESXi 6 password policy has the following additional requirements:
● Passwords must contain characters from at least three character classes.
● Passwords containing characters from three character classes must be at least seven characters long.
● Passwords containing characters from all four character classes must be at least seven characters long.
An uppercase character that begins a password does not count toward the number of character classes used. A number that ends a password does not count toward the number of character classes used.

For more information, see “Security” and “User Management” in the Configure and Customize Dell PowerFlex.
NOTE: ESXi 6 security policy is disabled.

User authorization
User authorization settings control the rights or permissions that are granted to a user to access a resource managed by the product. Local users and LDAP users are supported by the system.
When users are added to the MDM, user role definitions must be assigned to them.
NOTE: Local authentication can be disabled on the PowerFlex Installer / PowerFlex Gateway. For more information, see the “Security” in the Configure and Customize Dell PowerFlex.

Table 2. Local and LDAP User roles and permissions

User role| Query| Configure parameters| Configure user credentials
---|---|---|---
| Local| LDAP| Local| LDAP| Local| LDAP
| | | Backend operations only (Protection Domains, Storage Pools, Fault Sets, SDSs, Devices, other system settings)| |
Frontend Configurator| Yes| No| Yes
Frontend operations only (Volumes, SDCs, Snapshots)| No| No
Administrator| Yes| No| Yes| No| May configure Configurator and Monitor users
Security Roles| No| No| No| No| May define Administrator users and control LDAP
Super User
(only one Super User is allowed per system, and it must be a local user)| Yes| Not applicable| Yes| Not applicable| Yes| Not applicable

Login banner

A login banner can be configured for both PowerFlex GUI and CLI users.
A login banner is a text file that is displayed upon login to the system. It can be used to communicate messages or to obtain user consent to real-time monitoring of information and retrieval of stored files. When the login banner is set up, it appears during the system login process before the login credential prompts. The login banner displays differently in the PowerFlex GUI and in the CLI interfaces:

GUI—When logging in, the login banner is displayed, and must be approved.
CLI—When logging in, the user is prompted to press any key, after which the banner is displayed. To continue, the banner must be approved.

If a login banner is not required, the feature can be disabled. For more information about configuring these banners, refer to the Configure and Customize Dell PowerFlex.

Component access control
Component access control settings define control over access to the product by external and internal systems or components.
Component authentication
The system provides secure connectivity between internal and external components.

Secure connectivity with internal system SDS components
The SSL authentication feature allows secure authentication of PowerFlex SDS components using a Public and Private Key (Key-Pair) associated with a certificate. The feature works as follows:

When an SDS is added to the PowerFlex system (for example, using the – – a d d _ s d s c o m m a n d), it generates its own certificate and a CSR to the MDM.
The MDM acts as the Certificate Authority, and signs the certificates, using its own credentials.
Every time that an SDS reconnects to the system, authentication occurs. If the challenge fails, that component will not be able to connect to the PowerFlex system.
If necessary, or if a malfunction occurs, this feature provides a secure protected manner in which to disable secure authentication.

OpenSSL FIPS compliance
You can enable OpenSSL Federal Information Processing Standards (FIPS) compliance implementation in the MDM for communication between the external components, including the PowerFlex GUI, PowerFlex Gateway, and CLI, to the MDM.
It can also be enabled for any other usage of the OpenSSL library. For instructions on how to enable OpenSSL FIPS compliance implementation, see “Enable OpenSSL FIPS compliance.”

Secure connectivity with external components
This feature allows external components to authenticate the MDM with a certificate and authenticate back to the MDM with a user name and password. After authentication, communication between the MDM and external components is performed using TLS (Transport Layer Security) protocols. Secure communication with the MDM is authenticated by the following PowerFlex components:

CLI client
PowerFlex Gateway
PowerFlex GUI client
PowerFlex Installer client
vSphere plug-in

The same method is employed between the PowerFlex Installer and all LIAs.
On the PowerFlex Gateway, setting the security.bypass_certificate_check property in the gateway properties file to t r u e will result in the gateway blindly trusting the certificates of the hosts to which it is trying to connect. Typically, the gateway connects to the MDM or to LIA. This setting affects REST and PowerFlex Installer connections, because they are all included in the gateway. The default setting of this property is f a l s e.
Any actions relating to the acceptance of certificates will still add the certificates to the trust store file ( t r u s t s t o r e . j k s) for future use, when this property is set to f a l s e. Such actions are:

MDM certificate and LIA certificate approval during installation with the PowerFlex Installer
The REST request t r u s t H o s t C e r t i f i c a t e

SSH
A manually generated public-private key pair can be used to perform SSH key authentication, instead of passwords, between the PowerFlex Gateway and PowerFlex system servers.
NOTE: Whenever Apache Tomcat is shut down normally and restarted, or when an application reload is triggered, the standard Manager implementation will attempt to serialize all currently active sessions to a disk file located via the pathname (by default SESSIONS.SER) attribute. All such saved sessions will then be deserialized and activated (assuming they have not expired in the mean time) when the application reload is completed. To remove saved sessions after a PowerFlex Gateway restart, delete the following file: / o p t / e m c / s c a l e i o / g a t e w a y / w o r k / C a t a l i n a /l o c a l h o s t / _ / S E S S I O N S . s e r

LIA security configuration
Configure LIA parameters for component authorization.
All the configurable parameters of LIA are included in the file / o p t / e m c / s c a l e i o / l i a / c f g / c o n f . t x t. The list includes:
l i a t o k e n, l i a e n a b l e i n s t a l l, l i a e n a b l e u n i n s t a l l, l i a e n a b l e c o n f i g u r e, l i a e n a b l e f e t c h l o g s, l i a a u t h m o d e, and l d a p 0 _ u r i.

Managing component certificates
PowerFlex supports replacing the certificates of the following components:

PowerFlex Gateway
MDM
PowerFlex presentation server

Certificate management for PowerFlex Gateway
This section explains how to replace the PowerFlex Gateway’s self-signed security certificate with your organization’s “trusted” certificate, and how to create a new “trusted” certificate. The PowerFlex Gateway automatically creates its own self-signed security certificate when it is installed or upgraded. If your organization has no special security certificate requirements, you can keep working with the default certificate.

Replace the default self-signed security certificate with your own trusted certificate
Create your own trusted certificate, and then replace the default certificate with the one that you created.

Steps

Find the location of k e y t o o l on your server, and open it.
It is a part of the Java (JRE or JDK) installation on your server, in the b i n directory. For example:
● C : \ P r o g r a m F i l e s \ J a v a \ j d k 1 . 8 . 0 _ X X \ b i n \ k e y t o o l . e x e
● / u s r / b i n / k e y t o o l
Generate your RSA private key:
k e y t o o l – g e n k e y – a l i a s < Y O U R A L I A S > – k e y a l g R S A – k e y s t o r e 
a. If you want to define a password, add the following parameters to the command. Use the same password for both parameters.
– s t o r e p a s s < K E Y S T O R E P A S S W O R D > – k e y p a s s < K E Y S T O R E _ P A S S W O R D >
NOTE: Specify a directory outside the PowerFlex Gateway installation directory for the newly created keystore file.
This will prevent it from being overwritten when the PowerFlex Gateway is upgraded or reinstalled.
If you already have a Certificate Signing Request (CSR), skip this step.
If you need a CSR, generate one by typing the following command. (If you did not define a keystore password in the previous step, omit the password flags.)
k e y t o o l – c e r t r e q – k e y a l g R S A – a l i a s < Y O U R A L I A S > – f i l e c e r t r e q . t x t
– k e y s t o r e – s t o r e p a s s < K E Y S T O R E P A S S W O R D > – k e y p a s s
< K E Y S T O R E _ P A S S W O R D >
If you already have an SSL certificate, skip this step.
If you need an SSL certificate, use your CSR to obtain a new certificate from a third-party trusted SSL certificate provider.
Save the certificate file on your server, outside the PowerFlex Gateway installation directory.
5. Import the Trusted Root, by typing this command. (If you did not define a keystore password, omit the password flags.)
k e y t o o l – i m p o r t – a l i a s r o o t – k e y s t o r e – t r u s t c a c e r t s
– f i l e < L O C A T I O N O F Y O U R r o o t . c e r F I L E > – s t o r e p a s s < K E Y S T O R E P A S S W O R D > – k e y p a s s
< K E Y S T O R E _ P A S S W O R D > **NOTE:** The certificate must be in x.509 format. If a message appears saying that the root is already in the system-wide store, import it anyway.
Import the intermediate certificates, by typing the command. (If you did not define a keystore password, omit the password flags.)
k e y t o o l – i m p o r t – a l i a s i n t e r m e d i a t e C A – k e y s t o r e 
– t r u s t c a c e r t s – f i l e < L O C A T I O N O F Y O U R i n t e r m e d i a t e . c e r F I L E > – s t o r e p a s s < k e y s t o r e p a s s w o r d > – k e y p a s s < k e y s t o r e p a s s w o r d >
You must provide a unique alias name for every intermediate certificate that you upload with this step.
Install the SSL Certificate under the same alias that the CSR was created from ( in previous steps), by typing the command (if you did not define a keystore password, omit the password flags):
k e y t o o l – i m p o r t – a l i a s < Y O U R A L I A S > – k e y s t o r e 
– t r u s t c a c e r t s – f i l e < L O C A T I O N O F S S L C E R T I F I C A T E > – s t o r e p a s s < k e y s t o r e p a s s w o r d >
– k e y p a s s < k e y s t o r e p a s s w o r d >
Edit the following items in the file \ c o n f \ c a t a l i n a . p r o p e r t i e s:
a. k e y s t o r e . f i l e = 
b. k e y s t o r e . p a s s w o r d = 
If you did not define a password, the default password is c h a n g e i t.
Restart the PowerFlex Gateway service:
● Windows: From the Windows Services window, restart the EMC ScaleIO Gateway.
● Linux: Type the following command:
s e r v i c e s c a l e i o – g a t e w a y r e s t a r t

Replacement of the security certificate is complete.

Replace the default self-signed security certificate with your own selfsigned certificate
Replace the default self-signed security certificate with your own self- signed security certificate.

Steps

Find the location of k e y t o o l on your server, and open it.
It is usually a part of the Java (JRE or JDK) installation on your server, in the b i n directory. For example:
● C : \ P r o g r a m F i l e s \ J a v a \ j d k 1 . 8 . 0 _ X X \ b i n \ k e y t o o l . e x e
● / u s r / b i n / k e y t o o l
Generate your RSA private key:
k e y t o o l – g e n k e y – a l i a s < Y O U R _ A L I A S > – k e y a l g R S A – v a l i d i t y 3 6 0 – k e y s i z e 2 0 4 8 – k e y s t o r e
 a. If you want to define a password, add the following parameters to the command. Use the same password for both parameters. – s t o r e p a s s < K E Y S T O R E _ P A S S W O R D > – k e y p a s s < K E Y S T O R E _ P A S S W O R D > **NOTE:** Specify a directory outside the PowerFlex Gateway installation directory for the newly created keystore file. This will prevent it from being overwritten when the PowerFlex Gateway is upgraded or reinstalled.
Edit the following items in the file \ c o n f \ c a t a l i n a . p r o p e r t i e s:
a. k e y s t o r e . f i l e = 
b. k e y s t o r e . p a s s w o r d = 
If you did not define a password, the default password is c h a n g e i t.
Restart the PowerFlex Gateway service:
● Windows: From the Windows Services window, restart the EMC ScaleIO Gateway.
● Linux: Type the following command:
s e r v i c e s c a l e i o – g a t e w a y r e s t a r t

Results
Replacement of the security certificate is complete.
Configure OpenStack interoperation with the PowerFlex Gateway
Configure the PowerFlex Cinder driver to verify the PowerFlex Gateway SSL certificate.

About this task
The OpenStack PowerFlex Cinder driver communicates with the PowerFlex Gateway through HTTPS (in other words, over SSL). By default, the driver ignores the gateway SSL certificate verification. However, the PowerFlex Cinder driver can be configured to verify the certificate.
NOTE: You can generate a self-signed certificate (.PEM file), using the keytool utility.
To enable certificate verification, add the following parameters to the file / e t c / c i n d e r / c i n d e r s c a l e i o . c o n f i g on the Cinder node:
v e r i f y s e r v e r c e r t i f i c a t e = t r u e
s e r v e r c e r t i f i c a t e p a t h =

Generate a self-signed certificate using the keytool utility
Generate self-signed certificates using the keytool utility. The certificates can by used by the OpenStack PowerFlex driver to communicate with the PowerFlex Gateway.
About this task
To generate a self-signed certificate using the keytool utility, perform the following steps:

Steps

Create a keystore file ( . J K S):
k e y t o o l – g e n k e y p a i r – k e y s i z e 1 0 2 4 – a l i a s h e r o n g _ k e y – k e y p a s s k e y p a s s – k e y s t o r e h e r o n g . j k s – s t o r e p a s s j k s p a s s
Export the keystore file to a . P E M file:
k e y t o o l – e x p o r t c e r t – a l i a s h e r o n g k e y – k e y p a s s k e y p a s s – k e y s t o r e h e r o n g . j k s – s t o r e p a s s j k s p a s s – r f c – f i l e k e y t o o l c r t . p e m
The certificate is stored in the file < k e y t o o l _ c r t . p e m >. During configuration of the Cinder driver, the path to this . P E M file is required.

Workflow for externally signed security certificates
The system generates and signs self-signed certificates automatically when secure communication is enabled, and no user intervention is required. You can replace the certificates by an externally signed security certificate. A Certificate Authority (CA) uses the CSR (Certificate Signing Request) file to create an externally signed security certificate.

About this task
The workflow describes how to replace the certificates signed by an external CA for each MDM.

Steps

Log in to the primary MDM with a security or administrator user role:
s c l i – – m d m i p – – l o g i n – – u s e r n a m e a d m i n – – p a s s w o r d
Generate the CSR file on the primary MDM, for the specified MDM (target):
s c l i – – g e n e r a t e m d m c s r f i l e – – t a r g e t m d m i p < m d m i p >
The file m d m – t a r g e t _ h o s t n a m e . c s r is created and saved to:
● Linux: / o p t / e m c / s c a l e i o / m d m / c f g
● Windows: C : \ P r o g r a m F i l e s \ e m c \ s c a l e i o \ m d m \ c f g
Send the generated CSR file to the CA for signing.
The CA returns the following files:
a. A certificate for each MDM.
b. A trusted/root certificate and its’ intermediate certificate from the CA.
On each MDM, from the CLI, add the root and intermediate certificate to the truststore, using the – – a d d c e r t i f i c a t e command. Refer to PowerFlex CLI Reference Guide for more information.
s c l i – – a d d c e r t i f i c a t e – – c e r t i f i c a t e _ f i l e r o o t – c a . p e m . c r t
Run the following commands using Java’s keytool to import all the certificates to each of the following components’ truststore. It is recommended to restart the machine after running the commands.
● PowerFlex Gateway
○ Linux: / o p t / e m c / s c a l e i o / g a t e w a y / w e b a p p s / R O O T / W E B – I N F / c l a s s e s / c e r t i f i c a t e s / t r u s t s t o r e . j k s
○ Windows (64 bit): C : \ P r o g r a m
F i l e s \ E M C \ S c a l e I O \ G a t e w a y \ w e b a p p s \ R O O T \ W E B I N F \ c l a s s e s \ c e r t i f i c a t e s \ t r u s t s t o r e . j k s
● PowerFlex presentation server
NOTE: Refer to “Update the certificate for the PowerFlex presentation server” for detailed steps on how to import the certificate from the MDM to the PowerFlex presentation server.
○ Linux: / e t c / m g m t – s e r v e r / . c o n f i g / m d m – t r u s t s t o r e . j k s
● vSphere plugin
○ Linux: $ H O M E / . v m w a r e / s c a l e i o / c e r t i f i c a t e s
○ Windows: C : \ U s e r s \ [ u s e r _ n a m e ] \ A p p D a t a \ R o a m i n g \ V M w a r e \ s c a l e i o \ c e r t i f i c a t e s \ t r u s t s t o r e . j k s or C :
\ W i n d o w s \ S y s t e m 3 2 \ c o n f i g \ s y s t e m p r o f i l e \ A p p D a t a \ R o a m i n g \ V M w a r e \ s c a l e i o \ c e r t i f i c a t e s
Trust is now established.
Save the signed certificate for the MDM in / o p t / e m c / s c a l e i o / m d m / c f g.
Rename the MDM certificate file to m d m s i g n e d c e r t i f i c a t e . p e m.
From the MDM, remotely log in to the primary MDM with a security or administrator user role:
s c l i – – m d m i p – – l o g i n – – u s e r n a m e a d m i n – – p a s s w o r d
Run the following command to begin applying the signed certificate to each of the MDMs:
/ o p t / e m c / s c a l e i o / m d m / b i n / a p p l y s i g n e d c e r t i f i c a t e . p y – – m d m i p – l o c a l m d m i p < l o c a l m d m i p >
If the remote read-only feature is enabled on the MDM, add – – s k i p c l i c o m m a n d to the command, and later, while logged in with user that has security permissions, run the command s c l i – – r e p l a c e m d m s e c u r i t y f i l e s.
NOTE: This step changes the MDM certificate, and might cause a brief failure period (switch ownership).

Update certificate for PowerFlex presentation server
Import the CA certificates from the MDM to the PowerFlex presentation server.

Steps

Copy the root and intermediate CA certificate files i n t e r – c a . p e m . c r t and r o o t – c a . p e m . c r t to the server that is installed with the PowerFlex presentation server.
Run the following command for root and intermediate CA certificates and save the output:
o p e n s s l x 5 0 9 – n o o u t – i n r o o t – c a . p e m . c r t – s u b j e c t
o p e n s s l x 5 0 9 – n o o u t – i n i n t e r – c a . p e m . c r t – s u b j e c t
Run the keytool command to import the root and intermediate CA certificate from the MDM:
k e y t o o l – i m p o r t – t r u s t c a c e r t s – a l i a s “ < t h e s u b j e c t y o u g o t a s t h e o u t p u t o f t h e
p r e v i o u s c o m m a n d > ” – f i l e / t m p / r o o t – c a . p e m . c r t – k e y s t o r e / e t c / m g m t – s e r v e r / . c o n f i g / m d m t
r u s t s t o r e . j k s
k e y t o o l – i m p o r t – t r u s t c a c e r t s – a l i a s ” < t h e s u b j e c t y o u g o t a s t h e o u t p u t o f t h e
p r e v i o u s c o m m a n d > ” – f i l e / t m p / i n t e r – c a . p e m . c r t – k e y s t o r e / e t c / m g m t – s e r v e r / . c o n f i g / m d m t
r u s t s t o r e . j k s
– a l i a s refers to a unique alias in the truststore, and – f i l e is the path to the trusted/root certificate. It is recommended to use the certificates’ subject for the alias.
Example:
k e y t o o l – i m p o r t – t r u s t c a c e r t s – a l i a s ” / C = A U / S T = C A / L = C A / O = C A / O U = C A / C N = C A /
e m a i l A d d r e s s = t o m . s m i t h @ d e l l . c o m ” – f i l e / t m p / r o o t – c a . p e m . c r t – k e y s t o r e / e t c / m g m t s
e r v e r / . c o n f i g / m d m – t r u s t s t o r e . j k s
k e y t o o l – i m p o r t – t r u s t c a c e r t s – a l i a s ” / C = A U / S T = C A / O = C A / O U = C A / C N = C A /
e m a i l A d d r e s s = t o m . s m i t h @ d e l l . c o m ” – f i l e / t m p / i n t e r – c a . p e m . c r t – k e y s t o r e / e t c / m g m t s
e r v e r / . c o n f i g / m d m – t r u s t s t o r e . j k s
Restart the PowerFlex presentation server:
s e r v i c e m g m t – s e r v e r r e s t a r t
NOTE: For RHEL6.10, use the command i n i t c t l r e s t a r t m g m t – s e r v e r.

Results
CA signed certificates are now set up on the system.

There are several logs collected by PowerFlex.
A log is a chronological record of system activities that is sufficient to enable the reconstruction and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a security-relevant transaction from inception to final results.

Log description
The various logs collected by different components of the system are saved in different locations.
NOTE: PowerFlex uses Apache Tomcat, which has its own set of standard logs. For more information about Tomcat logs, refer to Apache Tomcat documentation.

Table 3. Log files

Component	Location

MDM log
The logs do not contain any user data (as the user data do not pass through the MDM)
The logs may contain the MDM’s user names (but never passwords), IP addresses, MDM configuration commands, events etc.| Linux: /opt/emc/scaleio/mdm/logs
REST logs| \logs
For example:
Windows—c:\Program Files\emc\scaleio\gateway\logs
Linux—/opt/emc/scaleio/gateway/logs The following logs are available:
●    scaleio.log
●    scaleio-trace.log
●    operations.log
●    localhost_access_log.log
●    audit.log
●    api_operations.log
PowerFlex Installer logs| \logs
For example:
●    Windows:
○    c:\Program Files\emc\scaleio\gateway\logs
●    Linux:
○    /opt/emc/scaleio/gateway/logs
The following logs are available:
●    scaleio.log
●    scaleio-trace.log
●    operations.log
●    localhost_access_log.log
LIA logs| Windows:
●    C:\Program Files\emc\scaleio\lia\logs
Linux:
●    /opt/emc/scaleio/lia/logs
Tomcat logs| Windows:
●    C:\Program Files\EMC\ScaleIO\Gateway\logs\tomcat.log
Linux:
●    /opt/emc/scaleio/gateway/logs
PowerFlex presentation server logs| Linux:
●    opt/emc/scaleio/mgmt-server/logs
vSphere PowerFlex plug-in
PowerFlex plug-in deployment log:| Windows:
●    c:\Windows\System32\config\systemprofile\AppDdata\Roamin \VMware\scaleio\deployment.log
Linux:
● /opt/.vmware/scaleio/deployment.log
PowerFlex plug-in rollback log:| Windows:
● c:\Windows\System32\config\systemprofile\AppData\Roaming \VMware\scaleio\rollback.log
Linux:
● /opt/.vmware/scaleio/rollback.log
PowerFlex plug-in network creation log:| Windows:
● c:\Windows\System32\config\systemprofile\AppData\Roaming \VMware\scaleio\networkCreation.log
Linux:
●    /opt/.vmware/scaleio/networkCreation.log
vSphere Virgo log:| Windows:
● c:\ProgramData\Vmware\vSphere Web Client\serviceability\logsvsphere_client_virgo.logLinux:
● /storage/log/vmware/vsphere-client/logs/ vsphere_client_virgo.log
perrcli/storcli log:| Event logs

Log management and retrieval

The logs can be managed and retrieved in various ways.

Log roll-over (REST):
○ In the configuration of the log’s behavior ( l o g b a c k . x m l—see below), each log is defined to be no greater than 10 MB. Once it reaches this size, a new log file is created. Once the maximum (10) is reached, the oldest log is overwritten (roll-over). The log files are: n a m e x x x . l o g , n a m e x x x . 1 . l o g . z i p , … n a m e _ x x x . 1 0 . l o g . z i p.
Configuration of an external Syslog server:
○ During PowerFlex installation, you can use the PowerFlex Installer web client to configure Syslog event reporting. You can also configure these features after installation, using the CLI.For more information, see “Viewing Events” in the Monitor Dell PowerFlex.
Configuration of logging levels:
○ PowerFlex Gateway (REST)—The log can be configured by editing the file: < g a t e w a y i n s t a l l a t i o n f o l d e r > \ w e b a p p s \ R O O T \ W E B – I N F \ c l a s s e s \ l o g b a c k . x m l
○ PowerFlex Installer—The log can be configured by editing the file: < g a t e w a y i n s t a l l a t i o n f o l d e r > \ w e b a p p s \ R O O T \ W E B – I N F \ c l a s s e s \ l o g b a c k . x m l
vSphere Web Client logging
○ To enable debug logging for the vSphere Web Client service:
NOTE: Take a backup of the s e r v i c e a b i l i t y . x m l file before modifying it.
1. Stop the vSphere Web Client service.
2. Navigate to the configuration folder:
￭ For vCenter Server 6.x— C : \ P r o g r a m D a t a \ V M w a r e \ v C e n t e r S e r v e r \ r u n t i m e \ v s p h e r e c l i e n t \ s e r v e r \ c o n f i g u r a t i o n
￭ For vCenter Server Virtual Appliance 6.x— / u s r / l i b / v m w a r e – v s p h e r e – c l i e n t / s e r v e r / c o n f i g u r a t i o n
3. Open the s e r v i c e a b i l i t y . x m l file using a text editor.
NOTE: Take a backup of the s e r v i c e a b i l i t y . x m l file before modifying it.
4. Edit the root level logging parameter by replacing the default INFO with DEBUG. For example, change the s e r v i c e a b i l i t y . x m l default configuration from:
< r o o t l e v e l = ” I N F O ” >
< a p p e n d e r – r e f r e f = ” S I F T E D L O G F I L E ” > < / a p p e n d e r – r e f >
< a p p e n d e r – r e f r e f = ” L O G F I L E ” > < / a p p e n d e r – r e f >
< / r o o t >
to:
< r o o t l e v e l = ” D E B U G ” >
< a p p e n d e r – r e f r e f = ” S I F T E D L O G F I L E ” > < / a p p e n d e r – r e f >
< a p p e n d e r – r e f r e f = ” L O G F I L E ” > < / a p p e n d e r – r e f >
< / r o o t >
5. To add a logging section for the PowerFlex plugin, create a section to increase logging to Debug levels:
< l o g g e r l e v e l = ” D E B U G ” a d d i t i v i t y = ” f a l s e ” n a m e = ” c o m . e m c ” >
< a p p e n d e r – r e f r e f = ” S I F T E D L O G F I L E ” / >
< a p p e n d e r – r e f r e f = ” L o g _ F I L E ” / >
< / l o g g e r >
Save and close the file.
Start the vSphere Web Client service. Additional logs will be written to the C : \ P r o g r a m D a t a \ V M w a r e \ v S p h e r e W e b C l i e n t \ L o g s folder
SRS feature (Secure Remote Support)—SRS support enables secure, high-speed, 24×7, remote connection between Dell and customer installations, including:
○ Remote monitoring
○ Remote diagnosis and repair
○ Daily sending of system events (rsyslog output), alerts, and PowerFlex topology. For more information, see “Perform other SRS configuration activities” in the Configure and Customize Dell PowerFlex.
Viewing events locally—Use the s h o w e v e n t s . p y command, using filter switches to control the severity of alerts. For more information, see “Viewing Events” in the Monitor Dell PowerFlex.
Configuration for external log management tools like envision—NA
Configuration of time synchronization with an external source (e.g. via NTP, Windows Time Service, etc.)—NA
Get Info—Get Info allows you to assemble a ZIP file of system logs for troubleshooting. You can run this function from a local node for its own logs, or by using the PowerFlex Installer to assemble logs from all MDM and SDS nodes in the system. For more information, see “Retrieving logs for PowerFlex components” in the PowerFlex Log Collection Technical Notes.

Communication Security Settings

The following topics describe the PowerFlex system’s security settings. Communication security settings enable the establishment of secure communication channels between the product components, as well as between product componentsand external systems or components.

Replication security
There are new security features to ensure that PowerFlex replication can be used securely.
In addition, Challenge-Handshake Authentication Protocol (CHAP) authentication is used for authentication between the all of the SDRs of each peer system within each Protection Domain. This authentication is bidirectional. The authentication is at the network level. If authentication fails, the network socket is not created and there is no connection between the two SDRs. This also determines the authorization of an SDR to write to its target volumes on the peer system.

MDM to MDM encrypted communications
To ensure security between the two replication systems, the management communications between them must be encrypted.
This is achieved by running the communications between the two MDM clusters of the replicated systems over TLS 1.2. In order to implement TLS, it is required that both MDM clusters have the MDM certificate of the other cluster. You must perform a certificate exchange between the two peer systems. Without this certificate exchange, it is not possible to set up replication peer systems. The following steps are necessary:
between the twopeer systems. Withoutthis certificate exchange, it is impossible to set up replication peer systems. The following stepsare necessary:

Using the SCLI, extract the root certificate on each system: s c l i – – e x t r a c t r o o t c a – – c e r t i f i c a t e f i l e < F I L E N A M E >
Copy the root certificates to peer system using s c p or any file transfer method.
Using the SCLI, add the copied certificate as a trusted certificate: s c l i – – a d d t r u s t e d c a – – c e r t i f i c a t e f i l e < F I L E N A M E > – – c o m m e n t < C O M M E N T ( e . g . , N a m e O f _ S y s t e m ) >

The certificate exchange between peer systems should be performed by a system administrator who has root access to all MDM nodes on both peer systems. Detailed instructions on performing this procedure are included in the “Post- deployment task” section of the Configure and Customize Dell PowerFlex.

SDR to SDC Authentication
In addition, Challenge-Handshake Authentication Protocol (CHAP) is used for authentication between the SDRs of each peer system within each Protection Domain. This authentication is bidirectional. The authentication is at the network level. If authentication fails, the network socket is not created and there is no connection between the two SDRs. This also determines the authorization of an SDR to write to its target volumes on the peer system.
NOTE: Access to a remote SDR does not grant access to the volumes maintained by the remote SDR unless they are determined as replicated by the source SDR.

SDC authentication
This feature ensures security by applying CHAP (Challenge-Handshake Authentication Protocol) based authentication of the SDC to the MDM for access to the system in general and to mapped volumes in particular. This prevents the SDC from accessing unauthorized volumes. Once enabled, the SDC internally performs mutual CHAP authentication with the SDSs and the SDRs with no manual intervention.

Prerequisites
Enable SDC authentication according to the following rules:

v3.5 or later must be installed on the SDC
For each SDC, a CHAP authentication password is generated by the MDM
All SDCs must be configured with their generated passwords
Run the – – c h e c k s d c a u t h e n t i c a t i o n _ s t a t u s command, to check the status of the SDCs and whether they are ready to authenticate

About this task
NOTE: Using CHAP authentication with SDC also means that an SDC can only perform I/O operations on volumes explicitly mapped to it. The SDS will block SDC I/O operations on unmapped volumes.
NOTE: CHAP authentication is also used internally for I/O authentication to the SDS and SDR, however it is always enabled and not controlled by the user.

This procedure describes how to enable SDC authentication.

Steps

Get the shared generated password for SDC from the MDM using the command:
s c l i – – g e n e r a t e s d c p a s s w o r d – – ( s d c _ i d | s d c i p ) [ – – r e a s o n < R E A S O N > ] The reason parameter (mandatory) is used to verify that the SDC password is being reset and not changed by accident. The reason is stored in the MDM events log.
NOTE: SDCs not configured with a password are disconnected after the feature is enabled in step 3.
Copy the password that was generated in < S D C P A S S W O R D _ S T R I N G >, used in the next step.
On the SDC, run the following command:
● Linux:
/ o p t / e m c / s c a l e i o / s d c / b i n / d r v c f g – – s e t m d m p a s s w o r d – – i p < M D M I P > – – p a s s w o r d
< S D C _ P A S S W O R D _ S T R I N G > – – f i l e / e t c / e m c / s c a l e i o / d r v _ c f g . t x t **NOTE:** The file option is required for password persistency, for cases such as service scini restart or SDC reboot. Open the file to verify the < S D C _ P A S S W O R D _ S T R I N G > is logged at the end of the MDM line. ● **ESXi:** a. c a t / e t c / v m w a r e / e s x . c o n f | g r e p s c i n i | g r e p o p t i o n s A string is returned representing all of the ESXi configuration parameters currently set. Copy the string with the enclosing quotation marks and paste in a text editor for editing. b. At the end of the string, add the following text, within the quotation marks: I o c t l M d m P a s s w o r d S t r = < M D M _ I P > – < M D M _ P A S S W O R D > **where:** ○ is the MDM IP address ○ is the MDM password **For example:** ” I o c t l I n i G u i d S t r = c d 0 6 9 c e 3 – b f 2 a – 5 d e a – b 5 0 a – 1 a 5 e b c 8 e f 3 d e I o c t l M d m I P S t r = 1 9 2 . 1 6 9 . 2 1 7 . 1 6 5 , 1 7 2 . 1 7 . 2 1 7 . 1 6 5 , 1 9 2 . 1 6 9 . 2 1 7 . 1 6 6 , 1 7 2 . 1 7 . 2 1 7 . 1 6 6 , 1 9 2 . 1 6 9 . 2 1 7 . 1 6 7 , 1 7 2 . 1 7 . 2 1 7 . 1 6 7 I o c t l M d m P a s s w o r d S t r = 1 9 2 . 1 6 9 . 2 1 7 . 1 6 5 – A Q A A A A A A A A D u / 1 0 f X W 3 B S 1 w P B D g n k R 0 6 t d n e G o U K 7 V Q ” c. Run the following command with the string appended to the end: e s x c l i s y s t e m m o d u l e p a r a m e t e r s s e t – m s c i n i – p < S T R I N G > **For example:** e s x c l i s y s t e m m o d u l e p a r a m e t e r s s e t – m s c i n i – p ” I o c t l I n i G u i d S t r = c d 0 6 9 c e 3 b f 2 a – 5 d e a – b 5 0 a – 1 a 5 e b c 8 e f 3 d e I o c t l M d m I P S t r = 1 9 2 . 1 6 9 . 2 1 7 . 1 6 5 , 1 7 2 . 1 7 . 2 1 7 . 1 6 5 , 1 9 2 . 1 6 9 . 2 1 7 . 1 6 6 , 1 7 2 . 1 7 . 2 1 7 . 1 6 6 , 1 9 2 . 1 6 9 . 2 1 7 . 1 6 7 , 1 7 2 . 1 7 . 2 1 7 . 1 6 7 I o c t l M d m P a s s w o r d S t r = 1 9 2 . 1 6 9 . 2 1 7 . 1 6 5 – A Q A A A A A A A A D u / 1 0 f X W 3 B S 1 w P B D g n k R 0 6 t d n e G o U K 7 V Q “
To check SDC readiness for all SDCs in the system, before enabling SDC authentication, run the following command:
NOTE: It is important to complete the previous steps for all SDCs before running the command. s c l i – – c h e c k s d c a u t h e n t i c a t i o n s t a t u s [ – – r u n t e s t ] [ – – f i l e n a m e < F I L E N A M E > ] Where:
● – – r u n t e s t runs a connectivity test to check whether the SDCs can successfully authenticate using CHAP
● – – f i l e n a m e < F I L E N A M E > is the full file name and path for the generated report.
The command sends a report that includes the SDCs authentication password status.
NOTE: When running this command, the SDCs are disconnected for a very short period from the MDM. This does not interrupt running I/Os or have any impact on MDM/SDC activity. It is recommended to run the command when the system is in a healthy state and not during rebalancing or rebuilding operations.
To enable SDC authentication, run the following command:
s c l i – – s e t s d c a u t h e n t i c a t i o n – – e n a b l e
To disable SDC authentication, run the following command:
s c l i – – s e t s d c a u t h e n t i c a t i o n – – d i s a b l e
Reboot the ESXi for the configuration to take effect.

Results
SDC authentication is enabled or disabled.
Related tasks
Gracefully reboot the ESXi host

Gracefully reboot the ESXi host
Perform the following steps to gracefully reboot the ESXi host.
Prerequisites

Ensure that you have the ESXi host login credentials.
Ensure that you have admin rights for accessing the PowerFlex GUI.

Steps

Log in to vCenter via the vSphere Web Client, and locate the relevant ESXi host.
Migrate the VMs associated with this ESXi host to another ESXi host.
NOTE: To view the VMs associated with the ESXi host, select the ESXi host, and then click VMs.
Log in to the PowerFlex GUI as an admin user.
In the Backend > Storage view, select By SDSs table view.
Right-click the SDS node you are rebooting, and select Enter Maintenance Mode.
In the Enter maintenance mode window, ensure that there are no errors, and then click OK.
When the operation finishes successfully, click Close.
The node’s IP address appears with a wrench next to it.
On the ESXi node, enter maintenance mode:
a. Log in to the vCenter via the vSphere Client or Web Client, and locate the relevant ESXi IP address.
b. Select the SVM, and from the Basic Tasks pane select Shut down the virtual machine.
c. When the SVM is off, right-click the node and select Enter Maintenance Mode.
Gracefully reboot the node using the relevant API for the operating system.
Right-click the ESXi host and select Maintenance Mode > Enter Maintenance Mode.
Click OK to confirm.
Right-click the ESXi host, and select Actions > Power > Reboot to reboot the host.
Click OK to confirm.
Ensure that the ESXi host is displayed as on and connected in Hosts and Clusters view.
Right-click the node and select Maintenance Mode > Exit Maintenance Mode.
Expand the host and select the relevant VM. If the VM does not power on automatically, power it on manually.
After the node is up, from your internet browser, log in to the PowerFlex GUI as an admin user.
Perform the following checks:
a. In the left pane, click Alerts, and then in the right pane confirm that no SDS disconnect message appears.
b. In the left pane, click SDCs, and then in the right pane confirm that the SDC’s connected status is Yes.
c. In the left pane, click Dashboard, and validate that the system is in optimal state.
In the PowerFlex GUI Backend > Storage view, in By SDSs table view, right-click the SDS and select Exit Maintenance Mode.
In the Action window, click OK.
Wait for the rebalance operations to finish.

Results
The ESXi host is now operational and application I/O can be started on the node. You can migrate the VMs back to the node.
Related tasks
SDC authentication

Port usage and changing default ports
Before installing or upgrading PowerFlex, ensure that the ports listed in the table are not used by other processes.
The following table lists the ports used by PowerFlex.
Table 4. Default ports

Port used by| Port #| Protocol| File to change| Field to modify (or to add, if it does not exist)| Notes
---|---|---|---|---|---
MDM listener| 6611| Proprietary (Protobuf) over TCP| NOTE: Cannot be modified, and must be available
MDM cluster member| 9011| Proprietary (Protobuf) over TCP| /opt/emc/ scaleio/mdm/cfg/ conf.txt| actorc luster port= _< N EW_POR _T >|
MDM peer connection| 7611| Proprietary (Protobuf) over TCP| /opt/emc/ scaleio/mdm/cfg/ conf.txt| mdm_ext ernal_p ort=| To change the port assigned to the peer MDM system, first change the value of the mdm_external_port field. Then restart the MDM process. Finally, run the — modify_replication_peersystem port SCLI command. For more information on this command, see the Dell PowerFlex CLI Reference Guide.
SDS listener| 7072| Proprietary protocol over TCP| /opt/emc/ scaleio/sds/cfg/ conf.txt| tgt_por t=<NEW _PORT>| SDCs and SDRs connect through this port for data communications and to the MDM for metadata communications.
SDR listener| 11088| NEW_POR T| /opt/emc/ scaleio/sdr/cfg/ conf.txt| tgt_por t=<NEW _PORT>| SDCs connect through this port for data communications and to the MDM for metadata communications.
NOTE: Incoming and outgoing ports must be enabled.
Source SDR to target SDR| 11088| NEW_POR T| /opt/emc/ scaleio/sdr/cfg/ conf.txt| tgt_por t=| SDCs connect through this port for data communications and to the MDM for metadata communications.
NOTE: Incoming and outgoing ports must be enabled.
SDRs communicate with each other, and send replicated data to eachother, over TCP port 11088. This port must be opened for egress in any firewall on the source system side, and it must be open for ingress on the target system side. If replication is being performed in both directions between the two systems, then port 11088 must be open in the firewall for both egress and ingress on both sides.
LIA listener| 9099| Proprietary (Protobuf) over TCP| /opt/emc/ scaleio/lia/cfg/ conf.txt| lia_por t=<NEW

_PORT>

| The PowerFlex Installer connects to the LIA to perform installation and maintenance- related operations.
PowerFlex Gateway- Installation Manager/REST (not secure)| 80 (or 8080, together with 8443)| REST over HTTPS| <gateway installation directory>/conf/ catalina.propertie s| http.po rt=80 (or 8080)| The ports mentioned in parentheses are alternative ports, but can only be used if they were specified during system deployment.
After changing a port, you must restart the PowerFlex Gateway service/daemon:
● Linux: Run service scaleio- gateway restart
● Windows: Restart the EMC ScaleIO Gateway service
NOTE: When deploying PowerFlex Gateway, if one of the following ports is not free, the deployment will fail: 80, 8080, 443, 8443. If this occurs, free
| | | | | the above-mentioned ports, and then redeploy the PowerFlex Gateway.
PowerFlex presentation server| 8443| HTTPS and WSS| /etc/mgmt- server/.config/ mgmt-server| MGMT_SE RVER_OP TIONS=’
https.p ort=<NE W_PORT >’| This is the port used to open a web connection to the WebUI in the browser.
NOTE: It is not recommended to install the PowerFlex presentation server and PowerFlex Gateway on the same host due to conflict on port 8443. If it is unavoidable, change the port used for the PowerFlex presentation server to 9443. For instructions, see the Deploy Dell PowerFlex Guide.
SNMP| 162| SNMP v2
over UDP| / webapps/ROOT/WEB- INF/classes/ gatewayUserPropert ies| snmp.po rt| SNMP traps for system alerts are sent to a trap receiver via this port.
The PowerFlex Gateway sends messages to: snmp.traps_receiver_ip on the port snmp.port
If you change the port number, restart the PowerFlex Gateway afterwards.
SDBG for MDM (Manager)| 25620| | | | Used by PowerFlex internal debugging tools to extract live information from the system for debugging purposes.
SDBG for MDM (Tie Breaker)| 25600| | | |
SDBG for SDS| 25640| | | |

The following diagram illustrates the components and the ports they use.

Communication Security Settings

NOTE: For iDRAC security-related information, see “iDRAC Port Information” in the iDRAC User’s Guide.

Network encryption
The PowerFlex system performs network encryption for its different components.
The PowerFlex Installer client, CLI client, PowerFlex GUI client, vSphere plug-in, and PowerFlex Gateway (REST) use TLSv1.2
—after authentication, communication between the MDM and external components is performed using TLSv1.2 (Transport Layer Security) protocols. The same method is used between the PowerFlex Installer client and LIAs. For more information, see “Security” in the Configure and Customize Dell PowerFlex.
PowerFlex Gateway (REST) certificate validation—the OpenStack PowerFlex driver communicates with the PowerFlex Gateway through https, (over TLSv1.2). By default, the driver ignores verification of the PowerFlex Gateway’s TLSv1.2 certificate, but it can verify the certificate if the following configuration parameters are defined:

v e r i f y s e r v e r c e r t i f i c a t e—set to T r u e, if the server’s certificate must be verified, and to F a l s e if no verification is required.
s e r v e r c e r t i f i c a t e p a t h—If the parameter v e r i f y s e r v e r c e r t i f i c a t e is set to T r u e, specify the location of the . p e m file containing the server’s certificate.
For instructions for generating a self-signed certificate using Keytool, see the section “Generate a self-signed certificate using the keytool utility” in the Deploy Dell PowerFlex .
The following encryption methods are approved for use with your system:
MDM supported ciphers :
○ TLS_RSA_WITH_AES_128_GCM_SHA256
○ TLS_RSA_WITH_AES_256_GCM_SHA384
PowerFlex Gateway supported ciphers (to the MDM):
○ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
○ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
○ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
○ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
○ TLS_RSA_WITH_AES_256_GCM_SHA384
○ TLS_RSA_WITH_AES_128_GCM_SHA256
PowerFlex presentation server supported ciphers (to the MDM):
○ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
○ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
○ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
○ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
○ TLS_RSA_WITH_AES_256_GCM_SHA384
○ TLS_RSA_WITH_AES_128_GCM_SHA256
○ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
○ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
○ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
○ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
○ TLS_RSA_WITH_AES_256_GCM_SHA384
○ TLS_RSA_WITH_AES_128_GCM_SHA256

Remove TLSv1.0/1.1 from sslEnabledProtocols parameter
PowerFlex Gateway does not support TLSv1.0/1.1.

Steps

From the PowerFlex Gateway machine, go to:
● Linux: / o p t / e m c / s c a l i o / g a t e w a y / c o n f
● Windows: C : \ P r o g r a m F i l e s \ E M C \ S c a l e I O \ G a t e w a y \ c o n f
Open the s e r v e r . x m l file and search for s s l E n a b l e d P r o t o c o l s.
Delete T L S v 1 . 0 or T L S v 1 . 1 and save the file.
To restart the PowerFlex Gateway service, run:
● Linux: s e r v i c e s c a l e i o – g a t e w a y r e s t a r t
● Windows: Restart the PowerFlex Gateway service

Enable OpenSSL FIPS compliance
Enable the implementation of OpenSSL Federal Information Processing Standards (FIPS) compliance in the MDM for communication between the external components, including the PowerFlex GUI, PowerFlex Gateway, and CLI, to the MDM.
It is also enabled for any other usage of the OpenSSL library.

Prerequisites
The MDM must be hosted on Linux with the OpenSSL package installed.
Steps

On each host running PowerFlex, open the configuration file of each component with a text editor.
The configuration file is / o p t / e m c / s c a l e i o / < C O M P O N E N T > / c f g / c o n f . t x t, where is the lowercase name of the component (e.g. “sds”).
Add the parameter s e c u r i t y e n a b l e f i p s = 1 to the file.
Save and close the file
Open the SCLI configuration file with a text editor:
The configuration file is located at: ~ / . s c l i / c o n f . t x t.
Add the parameter s e c u r i t y e n a b l e f i p s = 1 to the file.
Save and close the file.
On each host, restart each component’s service:
s e r v i c e s c a l e i o – < C O M P O N E N T > r e s t a r t
Verify FIPS enablement
a. Update the GRUB bootloader to include fips=1
See the following example:
c a t / e t c / d e f a u l t / g r u b | g r e p G R U B C M D L I N E L I N U X =
G R U B C M D L I N E L I N U X = ” c r a s h k e r n e l = a u t o r d . l v m . l v = v g o s / r o o t r d . l v m . l v = v g o s / s w a p r h g b
q u i e t f i p s = 1 ”
b. Update GRUB config
g r u b 2 – m k c o n f i g – o / b o o t / g r u b 2 / g r u b . c f g
c. Update Initrd
d r a c u t – f
d. Reboot node, after entering IMM/PMM to go active
Verify that OpenSSL FIPS compliance has been enabled by running:
c a t / p r o c / s y s / c r y p t o / f i p s _ e n a b l e d
If it has been enabled correctly, the output should be 1. If the output is not 1, enable OpenSSL FIPS at the operating system level.

Running scripts on hosts

PowerFlex can be used to run user-provided scripts on Linux-based servers hosting MDM or SDS components.

Running scripts on hosts
PowerFlex can be used to run user-provided scripts on servers hosting MDM or SDS components. This feature is supported on Linux-based nodes only.
The PowerFlex Installer can be used to run a user-provided script on a host where PowerFlex is deployed. This feature can be used for any purpose external to the PowerFlex system, such as running a set of Linux shell commands, patching an operating system, and more. The feature allows the running of scripts in a safe manner, both from a security and a data integrity perspective. It also enables better security of the system and improved lifecycle management.
As a security precaution, the scripts are not automatically distributed to each node by the PowerFlex Installer. After verifying that the script is trustworthy, the admin user must manually copy the script to each node where the script is required.
PowerFlex Installer orchestrates the running of the script, ensuring that SDSs are placed in Maintenance Mode, to protect data during the process. In addition, parallel execution of scripts is only permitted on SDSs located in different Protection Domains.
After the scripts have been run on an SDS, it exits Maintenance Mode.
Optionally, servers can be set to reboot after execution of the script. The process can also run a verification script either after the reboot, or after execution of the script, when no reboot is required.
For details on how to run a script on one or more hosts, see the Configure and Customize Dell PowerFlex.

Known security issues

This section lists known security issues and workarounds.

Issues with Lockbox after OS upgrade
After an OS upgrade, the Lockbox may not be present or may lose content.
Issue
After upgrading the Operating System, the System Stable Values (SSVs) that Lockbox uses to fingerprint the system it is part of might change. In other words, the Lockbox may not be present or may lose content after the OS upgrade.
Resolution
To update or reconfigure the Lockbox:

Open Lockbox with the password that was used to create it.
Reconfigure the Lockbox.
NOTE: If the Lockbox is not present, re-create the Lockbox using the command:
/ o p t / e m c / s c a l e i o / g a t e w a y / b i n / F O S G W T o o l . s h – – s e t l d a p p r o p e r t i e s – – s e r v e r u r l
l d a p : / / < L D A P S E R V E R I P > – – b a s e d n ” ” – c
r e a t e d e f a u l t _ l o c k b o x
LDAPS users must use: l d a p s : / / < L D A P S E R V E R I P >
instead of l d a p : / / in the example above.

Incorrect folder permissions on the SVM
The chrony user is used for configuring NTP using the chrony suite. The user has incorrect permissions for folder / v a r / l i b / c h r o n y , which can lead to security vulnerabilities.
About this task
On the SVM, the chrony user’s home directory has a permission mode more permissive than 750 (Owner=READ/WRITE/ EXECUTE, Group=READ/EXECUTE, Other=NONE). This can allow a malicious user to gain access to user data by escalating privileges. Permission mode for “Other” should always have “READ” and “EXECUTE” disabled. To fix the permission mode:

Steps

Use root login to log into the SVM.
Manually run the following command: c h m o d 7 5 0 / v a r / l i b / c h r o n y

Results
The permission mode for the folder is secure.

Disabling IPMI
If you are not using IPMI over LAN for monitoring or management using third- party tools, disable IPMI on all nodes in the system in order to close a security vulnerability.

Disable IPMI on a R630/R730xd server
Use the following procedure to disable IPMI on PowerFlex R630/R730xd nodes.
About this task
You can run this procedure at any time post-deployment.
Prerequisites
Ensure that:

You have network connectivity to the server.
You know the IP address of the iDRAC port.
You know the password for accessing iDRAC as root). If necessary, the customer can give you the credentials.

Steps

Open a new browser session and log in to iDRAC.
On the left menu, click iDRAC settings > Network.
On the Network page upper menu, click IPMI Settings.
The page jumps to the IPMI settings area.
In the Value column, clear the Enable IPMI Over LAN check box, and then click Apply.
The Network page refreshes.
On the upper menu, click IPMI Settings again, and then confirm that the Enable IPMI Over LAN check box is cleared .
Log out of iDRAC.
Repeat the above steps on every R630/R730xd node in the system.

Disable IPMI on a R640/R740xd/R840 server
Use the following procedure to disable IPMI on PowerFlex R640/R740xd/R840 nodes.

About this task
You can run this procedure at any time post-deployment.
Prerequisites
Ensure that:

You have network connectivity to the server.
You know the IP address of the iDRAC port.
You know the password for accessing iDRAC as root). If necessary, the customer can give you the credentials.

Steps

Open a new browser session and log in to iDRAC.
On the main menu, click iDRAC settings > Connectivity.
In the Connectivity tab, select Network > IPMI Settings.
The IPMI configuration settings appear.
Change the Enable IPMI Over LAN option to Disabled, and then click Apply.
In the Success message, click OK.
Log out of iDRAC.
Repeat the above steps on every R640/R740xd/R840 node in the system.

Deploying PowerFlex with SELinux

PowerFlex does not support native deployment on an operating system configured with Security-Enhanced Linux (SELinux) in enforcing mode. Therefore, prerequisites must be adhered to, and preparation guidelines must be followed prior to system deployment. These guidelines also apply to an existing system that is being moved to SELinux enforcing mode.
CAUTION: If you are not sure whether all other processes have been configured with SELinux policies, do not enable SELinux in enforcing mode. Contact your system administrator for guidance.

For more information about SELinux, see https://www.redhat.com/en/topics/linux/what-is-selinux.

SELinux Prerequisites
The following packages are prerequisites for Security-Enhanced Linux (SELinux).

Table 5. SELinux prerequisites

Package	Description
policycoreutils	Provides utilities for managing SELinux
selinux-policy	Provides SELinux reference policy
selinux-policy-targeted	Provides SELinux targeted policy
libselinux	Provides SELinux configuration commands
libselinux-utils	Provides SELinux configuration commands
policycoreutils-python	Required to enable the s e m a n a g e command
policycoreutils-devel	Provides troubleshooting capabilities in case an issue

is encountered

Download and copy the SELinux module ZIP file
Initially, an administrator is required to download the Security-Enhanced Linux (SELinux) Policy for PowerFlex to the relevant operating systems.

Steps

Download the latest version of the file P o w e r F l e x S E L i n u x D D M M Y Y Y Y . z i p from: https://www.dell.com/support/ home/en-us/product-support/product/scaleio/drivers
On all relevant nodes, create a folder called / v a r / P o w e r F l e x S E L i n u x /.
Use the command:
m k d i r / v a r / P o w e r F l e x S E L i n u x /
The relevant nodes are:
● MDM
● SDS
● SDR (if used; this includes the relevant rules for LIA)
● SDC
● LIA
● PowerFlex Gateway
● PowerFlex presentation server
Copy or transfer the P o w e r F l e x S E L i n u x D D M M Y Y Y Y . z i p file to the nodes that will be used for PowerFlex.
On each node, perform the following:
a. Change the directory to the folder that you created:
c d / v a r / P o w e r F l e x S E L i n u x /
b. Unzip the file:
t a r – x v f P o w e r F l e x S E L i n u x _ D D M M Y Y Y Y . z i p

Verify that SELinux is enabled
Verify that Security-Enhanced Linux (SELinux) is enabled on all relevant nodes and operating systems.

Steps

Run the following command on all the nodes to check SELinux status:
s e s t a t u s
Expected output if SELinux is enabled and set to enforcing mode:
S E L i n u x s t a t u s : e n a b l e d
S E L i n u x f s m o u n t : / s y s / f s / s e l i n u x
S E L i n u x r o o t d i r e c t o r y : / e t c / s e l i n u x
L o a d e d p o l i c y n a m e : t a r g e t e d
C u r r e n t m o d e : e n f o r c i n g
M o d e f r o m c o n f i g f i l e : e n f o r c i n g
P o l i c y M L S s t a t u s : e n a b l e d
P o l i c y d e n y _ u n k n o w n s t a t u s : a l l o w e d
M a x k e r n e l p o l i c y v e r s i o n : 3 1
Expected output if SELinux is disabled:
S E L i n u x s t a t u s : d i s a b l e d
If SELinux is disabled, follow the corresponding operating system’s guidelines in order to enable it.
For example, for CentOS, the steps are:
a. Run the command:
b . v i / e t c / s e l i n u x / c o n f i g
b. Change the SELINUX line to enforcing or permissive, as needed:
S E L I N U X = e n f o r c i n g
. . .
S E L I N U X T Y P E = t a r g e t e d
c. Schedule a reboot of the operating system.
CAUTION: If this process is running on a pre-deployed PowerFlex system, follow graceful shutdown guidelines to reboot a node with MDM\SDS\SDR\SDC. Refer to “Shutdown or restart a node gracefully” the Upgrade Dell PowerFlex matching your system version.

Load the PowerFlex SELinux module
Load the PowerFlex Security-Enhanced Linux (SELinux) module and prepare to deploy it or run it on the system.

Steps

Ensure that you are in the correct folder for SELinux, using the command:
p w d
Expected location: / v a r / P o w e r F l e x _ S E L i n u x /
Go to the folder, if necessary.
To load the policy and additional settings without impacting a deployed system, run the following command to set the current state of SELinux to Permissive state:
s e t e n f o r c e 0
Run the following command to load the SELinux module:
s e m o d u l e – i d e l l – v x f l e x . p p – v v
Expected result:
A t t e m p t i n g t o i n s t a l l m o d u l e ‘ d e l l – v x f l e x . p p ‘ :
O k : r e t u r n v a l u e o f 0 .
C o m m i t t i n g c h a n g e s :
O k : t r a n s a c t i o n n u m b e r 0
Run the following command:
r e s t o r e c o n – R F / o p t / e m c
This command corrects any missing labels in all directories and files in / o p t / e m c.
Configure the PowerFlex ports in SELinux:
NOTE: Only run commands on the relevant node. For example, if the PowerFlex presentation server or PowerFlex Gateway is on a stand-alone node, do not enable the MDM, SDS, SDR, or LIA ports.
For relevant port information, see “Port usage and changing default ports” in the PowerFlex Security Guide corresponding to the PowerFlex version you are using.
If the default ports settings were changed for any process, update the command below accordingly (for example, for the PowerFlex presentation server https port).
/ u s r / s b i n / s e m a n a g e p o r t – N – a – t v x f l e x m d m p o r t t – p t c p 2 5 6 2 0 ;
/ u s r / s b i n / s e m a n a g e p o r t – N – a – t v x f l e x m d m p o r t t – p t c p 9 0 1 1 ;
/ u s r / s b i n / s e m a n a g e p o r t – N – a – t v x f l e x m d m p o r t t – p t c p 6 6 1 1 ;
/ u s r / s b i n / s e m a n a g e p o r t – N – a – t v x f l e x m d m p o r t t – p t c p 7 6 1 1 ;
/ u s r / s b i n / s e m a n a g e p o r t – N – a – t v x f l e x m d m p o r t t – p t c p 2 5 6 0 0 ;
/ u s r / s b i n / s e m a n a g e p o r t – N – a – t v x f l e x l i a p o r t t – p t c p 9 0 9 9 ;
/ u s r / s b i n / s e m a n a g e p o r t – N – a – t v x f l e x s d r p o r t t – p t c p 1 1 0 8 8 ;
/ u s r / s b i n / s e m a n a g e p o r t – N – a – t v x f l e x s d s p o r t t – p t c p 7 0 7 2 ;
/ u s r / s b i n / s e m a n a g e p o r t – N – a – t v x f l e x s d s p o r t t – p t c p 2 5 6 4 0 ;
/ u s r / s b i n / s e m a n a g e p o r t – N – a – t v x f l e x g a t e w a y p o r t t – p t c p 4 4 3 ;
/ u s r / s b i n / s e m a n a g e p o r t – N – a – t v x f l e x g a t e w a y p o r t t – p t c p 8 0 8 0 ;
NOTE: Ports 443 and 8080 are usually enabled by default in SELinux and might return the following error:
V a l u e E r r o r : P o r t t c p / 4 4 3 a l r e a d y d e f i n e d
V a l u e E r r o r : P o r t t c p / 8 0 8 0 a l r e a d y d e f i n e d
In this case, proceed. This is a valid error.
/ u s r / s b i n / s e m a n a g e p o r t – N – a – t v x f l e x m g m t p o r t t – p t c p 8 4 4 3 ;
/ u s r / s b i n / s e m a n a g e p o r t – N – a – t v x f l e x m g m t p o r t _ t – p t c p 8 0 8 0 ;
Run the following command:
s e t e n f o r c e 1
This command changes the SELinux state to the targeted state for the current run time.
Repeat the steps above on all nodes that will run with SELinux.

Results
Preparation of the operating system on all nodes for PowerFlex running in SELinux is now complete. Proceed with deployment, or continue to use your system if it is already deployed.

Troubleshoot SELinux with PowerFlex issues
When troubleshooting Security-Enhanced Linux (SELinux) issues with PowerFlex, confirm that the issues are related to PowerFlex.
About this task
This procedure requires moving the relevant nodes from SELinux enforcing mode to permissive mode. To return to enforcing mode later on, use the command s e t e n f o r c e 1.

Steps

Change the mode of the relevant nodes from SELinux enforcing mode to permissive mode:
s e t e n f o r c e 0
If the issue disappears in permissive mode, stay in this mode and run the following commands:
s e m o d u l e – l | g r e p v x f l e x
a u d i t 2 a l l o w – a
s e m a n a g e p o r t – l | g r e p v x f l e x
Save the output to file, for sharing when opening a customer support ticket.
Zip the / v a r / l o g / a u d i t / folder and share the file in the support ticket.
In rare cases, the support person might ask you to change SELinux logging to a higher level using this command: ”
s e m o d u l e
– D B
This might require repeating the failed operation with this setting enabled. After the information is collected, run the following command to revert to the standard logging level:
s e m o d u l e
– B
See the following for troubleshooting information: https://access.redhat.com/documentation/en- us/red_hat_enterprise_linux/8/html/using_selinux/troubleshooting-problems- related-to-selinux_using-selinux.

Deploying PowerFlex with SELinux

Documents / Resources

| DELL V36X Power Flex Security Configuration [pdf] User Guide
V36X Power Flex Security Configuration, V36X, Power Flex Security Configuration, Flex Security Configuration, Security Configuration, Configuration
---|---