Dell PowerStore 1000T EMC PowerStore Security Configuration Guide - Page 16

External SSH access, Configuring external SSH access, SSH sessions, Service account password



If you enable CHAP after hosts are added, update each host's initiators. If CHAP is enabled, you cannot add a host to a host group that does not have CHAP credentials. Once CHAP is enabled and you add a host later, manually register the host in the PowerStore Manager: under Compute, select Hosts & Host Groups. You must enter credentials at the iSCSI level for authentication. In this case, copy the IQN from the host and then add the related CHAP credentials for each initiator.

Configure CHAP for a cluster through any of the following means:
• CHAP - A CHAP settings page that you can access from the PowerStore Manager (click Settings and under Security select CHAP).
• REST API server - Application interface that can receive REST API requests to configure CHAP settings. For more information about the REST API, refer to the PowerStore REST API Reference Guide.

To determine the status of CHAP, in the PowerStore Manager, click Settings and under Security select CHAP.

External SSH access

Each appliance can optionally enable external secure shell (SSH) access to the SSH port of the appliance IP address, which takes the user to the service feature on the primary node of an appliance. The appliance IP address floats between the two nodes of the appliance as the primary designation changes. If external SSH is disabled, SSH access is disallowed.

When an appliance first comes up and is not configured, SSH is enabled by default so that the appliance can be serviced if issues are encountered before it is added to a cluster. When a new cluster is created or for a join cluster operation, all appliances should have SSH initially set to disabled.

Configuring external SSH access

Configure external SSH access to appliances within a cluster by using any of the following means:
• SSH Management - An SSH settings page that you can access from the PowerStore Manager (click Settings and under Security select SSH Management).
• REST API server - Application interface that can receive REST API requests to configure SSH settings. For more information about the REST API, refer to the PowerStore REST API Reference Guide.
• svc_service_config - A service command that you can enter directly as the service user on the appliance. For more information about this command, refer to the PowerStore Service Scripts Guide.

To determine the status of SSH on appliances within a cluster, in the PowerStore Manager, click Settings and under Security select SSH Management. You can also enable or disable SSH on one or more appliances that you select.

Once the SSH service has been successfully enabled, use any SSH client to log in to the appliance IP address. Accessing the appliance requires service user credentials.

The service account enables users to perform the following functions:
• Run specialized appliance service scripts for monitoring and troubleshooting appliance system settings and operations.
• Run only the limited set of commands available to the account as a non-privileged Linux user account in restricted shell mode. This account does not have access to proprietary system files, configuration files, or user or customer data.

For maximum appliance security, it is recommended to leave the external SSH service interface disabled at all times unless it is specifically needed to perform service operations on the appliance. After performing the necessary service operations, disable the SSH interface to ensure that the appliance remains secure.
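
One way to check that recommendation from a management host, as an added example that is not part of the Dell guide: the script probes each appliance IP and flags any appliance whose SSH port answers outside an approved service window. The appliance names, the 192.0.2.x addresses, the service-window set and the use of port 22 are assumptions for illustration.

```python
import socket


def probe_ssh(host, port=22, timeout=3.0):
    """Classify one address as 'closed', 'ssh' or 'open-no-banner'.

    Port 22 is an assumption; the guide only refers to "the SSH port".
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, filtered or unreachable
    with sock:
        try:
            banner = sock.recv(255)  # an SSH server sends "SSH-..." first
        except OSError:
            banner = b""  # connected, but nothing arrived before the timeout
    return "ssh" if banner.startswith(b"SSH-") else "open-no-banner"


def audit(appliances, service_window, probe=probe_ssh):
    """Return (name, state, verdict) for every appliance, sorted by name.

    appliances: {name: appliance IP}. service_window: names of appliances
    with approved service work in progress, where open SSH is expected.
    """
    findings = []
    for name, address in sorted(appliances.items()):
        state = probe(address)
        if state == "closed":
            verdict = "ok"
        elif name in service_window:
            verdict = "expected-disable-after-service"
        else:
            verdict = "violation"  # SSH reachable with no service work open
        findings.append((name, state, verdict))
    return findings


if __name__ == "__main__":
    # Constructed inventory (TEST-NET-1 addresses), not real appliances.
    inventory = {"appliance-1": "192.0.2.10", "appliance-2": "192.0.2.11"}
    for name, state, verdict in audit(inventory, {"appliance-2"}):
        print(f"{name}: SSH port {state} -> {verdict}")
```

Because the appliance IP floats to whichever node is primary, probing that one address covers the external SSH entry point for the appliance.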

SSH sessions

The PowerStore SSH service interface sessions are maintained according to the settings established by the SSH client. Session characteristics are determined by the SSH client configuration settings.

Service account password

The service account is an account that service personnel can use to perform basic Linux commands.

During initial configuration of the appliance, you must change the default service password. The service password restrictions are the same as those that apply to the System management accounts (see Username and password usage on page 7).

16 Authentication and access