EMC® Avamar® 7.0 Extended Retention
Security Guide
P/N 300-015-244 REV 01


Copyright © 2001-2013 EMC Corporation. All rights reserved. Published in the USA.

Published July, 2013

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC2, EMC, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners.

For the most up-to-date regulatory document for your product line, go to the technical documentation and advisories section on the EMC online support website.

CONTENTS

Preface

Chapter 1 Security Configuration
    Access control ................................ 10
        Default accounts .......................... 10
        Authentication configuration .............. 10
        User authorization ........................ 10
        Component access control .................. 10
        Certificate management .................... 11
        Lockbox management ........................ 13
    Log settings .................................. 14
    Communication security ........................ 14
        Port usage ................................ 14
        Network encryption ........................ 15
    Data security ................................. 15
    Secure serviceability ......................... 15
    The Lockbox tool .............................. 16
        Running the Lockbox tool .................. 16
        Lockbox tool examples ..................... 18


PREFACE

As part of an effort to improve its product lines, EMC periodically releases revisions of its software and hardware. Therefore, some functions described in this document might not be supported by all versions of the software or hardware currently in use. The product release notes provide the most up-to-date information on product features.

Contact your EMC representative if a product does not function properly or does not function as described in this document.

Note: This document was accurate at publication time. New versions of this document might be released on the EMC online support website. Check the EMC online support website to ensure that you are using the latest version of this document.

Purpose

This document describes how to configure security features for the EMC Avamar extended retention feature.

Audience

This document is intended for the host system administrator, system programmer, or operator who will be involved in managing the Avamar extended retention feature.

Revision history

The following table presents the revision history of this document.

Table 1 Revision history

Revision | Date | Description
01 | July 10, 2013 | Initial release of Avamar 7.0.

Related documentation

The following EMC publications provide additional information:

• EMC Avamar 7.0 Extended Retention User Guide
• EMC Avamar 7.0 Extended Retention Release Notes
• EMC Avamar 7.0 Media Access Node Customer Hardware Installation Guide
• EMC Avamar Compatibility and Interoperability Matrix
• EMC Avamar Data Store Gen4 Customer Service Guide
• EMC Avamar Data Store Site Prep Technical Specifications


Conventions used in this document

EMC uses the following conventions for special notices:

DANGER indicates a hazardous situation which, if not avoided, will result in death or serious injury.

WARNING indicates a hazardous situation which, if not avoided, could result in death or serious injury.

CAUTION, used with the safety alert symbol, indicates a hazardous situation which, if not avoided, could result in minor or moderate injury.

NOTICE is used to address practices not related to personal injury.

Note: A note presents information that is important, but not hazard-related.

IMPORTANT

An important notice contains information essential to software or hardware operation.

Typographical conventions

EMC uses the following type style conventions in this document:

Bold Use for names of interface elements, such as names of windows, dialog boxes, buttons, fields, tab names, key names, and menu paths (what the user specifically selects or clicks)

Italic Use for full titles of publications referenced in text

Monospace Use for:
• System output, such as an error message or script
• System code
• Pathnames, filenames, prompts, and syntax
• Commands and options

Monospace italic Use for variables.

Monospace bold Use for user input.

[ ] Square brackets enclose optional values

| Vertical bar indicates alternate selections — the bar means “or”

{ } Braces enclose content that the user must specify, such as x or y or z

... Ellipses indicate nonessential information omitted from the example


Where to get help

The Avamar support page provides access to licensing information, product documentation, advisories, and downloads, as well as how-to and troubleshooting information. This information may enable you to resolve a product issue before you contact EMC Customer Service.

To access the Avamar support page:

1. Go to https://support.EMC.com/products.

2. Type a product name in the Find a Product box.

3. Select the product from the list that appears.

4. Click the arrow next to the Find a Product box.

5. (Optional) Add the product to the My Products list by clicking Add to my products in the top right corner of the Support by Product page.

Documentation

The Avamar product documentation provides a comprehensive set of feature overview, operational task, and technical reference information. Review the following documents in addition to product administration and user guides:

Release notes provide an overview of new features and known limitations for a release.

Technical notes provide technical details about specific product features, including step-by-step tasks, where necessary.

White papers provide an in-depth technical perspective of a product or products as applied to critical business issues or requirements.

Knowledgebase

The EMC Knowledgebase contains applicable solutions that you can search for either by solution number (for example, esgxxxxxx) or by keyword.

To search the EMC Knowledgebase:

1. Click the Search link at the top of the page.

2. Type either the solution number or keywords in the search box.

3. (Optional) Limit the search to specific products by typing a product name in the Scope by product box and then selecting the product from the list that appears.

4. Select Knowledgebase from the Scope by resource list.

5. (Optional) Specify advanced options by clicking Advanced options and specifying values in the available fields.

6. Click the search button.

Online communities

Visit EMC Community Network (https://community.EMC.com) for peer contacts, conversations, and content on product support and solutions. Interactively engage online with customers, partners and certified professionals for all EMC products.


Live chat

To engage EMC Customer Service by using live interactive chat, click Join Live Chat on the Service Center panel of the Avamar support page.

Service Requests

For in-depth help from EMC Customer Service, submit a service request by clicking Create Service Requests on the Service Center panel of the Avamar support page.

Note: To open a service request, you must have a valid support agreement. Contact your EMC sales representative for details about obtaining a valid support agreement or with questions about your account.

To review an open service request, click the Service Center link on the Service Center panel, and then click View and manage service requests.

Facilitating support

EMC recommends that you enable ConnectEMC and Email Home on all Avamar systems:

ConnectEMC automatically generates service requests for high priority events.

Email Home emails configuration, capacity, and general system information to EMC Customer Service.

Your comments

Your suggestions will help us continue to improve the accuracy, organization, and overall quality of the user publications. Send your opinions of this document to:

[email protected]

Please include the following information:

Product name and version

Document name, part number, and revision (for example, A01)

Page numbers

Other details that will help us address the documentation issue


CHAPTER 1
Security Configuration

The following topics provide information on security configurations for the EMC® Avamar® extended retention feature:

    Access control ................................ 10
    Log settings .................................. 14
    Communication security ........................ 14
    Data security ................................. 15
    Secure serviceability ......................... 15
    The Lockbox tool .............................. 16


Access control

Access control settings provide protection of resources against unauthorized access.

Default accounts

The following table contains the default Avamar extended retention feature accounts and their passwords.

Table 2 Default account names and passwords

Account | Password | Description
suser | Set when the Avamar extended retention feature is installed. Can be changed in the framework’s user interface. | The super user for the Avamar extended retention feature’s framework.
postgres | Set when the database is installed. Can be changed using PostgreSQL tools. | The database super user. Used to export and import Avamar backups.

Authentication configuration

The Avamar extended retention feature requires configuration of a super user at install time. The super user can create additional users after the feature is installed.

User authorization

The privileges of Avamar extended retention users are controlled by the roles to which they belong. Four roles have been defined:

• Super user
• Administrator
• Auditor
• General user

Component access control

The following components of the Avamar extended retention feature implement security features for access:

• Apache ActiveMQ Message Broker
• Apache Tomcat
• Avamar extended retention feature PostgreSQL Database
• Media Access Node

Note: The Media Access Node is the R510 Gen4 hardware node that the Avamar extended retention feature runs on.

Apache ActiveMQ Message Broker

Access to the Apache ActiveMQ message broker is controlled by SSL mutual authentication. In the Avamar extended retention feature, every message broker client must trust the message broker, and the broker must trust the clients. In SSL, this is accomplished by exchanging certificates.


Apache Tomcat

Apache Tomcat uses a certificate to authenticate itself to web clients.

Avamar extended retention feature database login roles

The Avamar extended retention feature uses four databases to store data such as users, roles, events, job information, and export schedules. The following table lists the databases, and the users who own them.

Table 3 Avamar extended retention feature databases and login roles

Database | Login roles and passwords
PostgreSQL | The PostgreSQL database is owned by user postgres. The password for this user is set during installation. The default password is changeme.
IMF | The IMF database is owned by IMF_PG_USER. The default password is IMF_PG_USER.
    Note: The owner and password for the IMF database are stored in plaintext in /opt/EMC/IMF/apache-tomcat/imf/WEB-INF/classes/imf-persistence.properties.
Quartz | The Quartz database is owned by IMF_PG_USER. The default password is IMF_PG_USER.
    Note: The owner and password for the Quartz database are stored in plaintext in /opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes/imf-persistence.properties and imfscheduler.properties.
Policy | The Policy database is owned by POLICY_USER. The default password is POLICY_USER.
    Note: The Policy database password is stored in the IMF lockbox, located in /opt/EMC/IMF/data/lockbox. The user and password can be changed using the Lockbox tool as described in “The Lockbox tool” on page 16.

Certificate management

Each Avamar extended retention feature component that participates in SSL communications keeps its certificates in a Java KeyStore (JKS) file. “Key store” files contain certificates that components use to identify themselves as well as the certificates of entities they trust. Some components keep their certificates and the certificates of trusted entities in the same key store file while others keep the certificates of trusted entities in a separate file called a “trust store.” Although key store and trust store files have the same JKS format, the Avamar extended retention feature trust store files have a .ts suffix whereas the key store files have a .ks suffix.

Note: JKS files can be managed with a Java tool called keytool. Keytool is part of the standard JDK, which is included in the Avamar extended retention feature software. Keytool is located in /opt/EMC/IMF/jre/bin.


In the Avamar extended retention feature, there are JKS files for the following components:

• Apache Tomcat — containing the certificate that Tomcat uses to authenticate itself to web clients
• Apache ActiveMQ message broker — containing a separate “key store” and “trust store” that are used for mutual authentication with clients
• Message broker clients — containing a “key store” (and sometimes a “trust store”) containing certificates used for mutual authentication with the message broker

Each JKS file is protected by a password. The Avamar extended retention feature components store their key and trust store passwords in a lockbox file as described in “The Lockbox tool” (page 15).

Note: The Avamar extended retention feature incorporates some third-party software that does not use the lockbox.

Table 4 shows the location of the passwords for the key stores used by Apache Tomcat and ActiveMQ. Since the Avamar extended retention feature file permissions are set to prevent access by anyone but the owner, one must own these files in order to read or modify them.

Table 5 shows the location of key store files for Avamar extended retention feature components.

Table 4 Apache component passwords

Component | JKS password location
Apache Tomcat | /opt/EMC/IMF/apache-tomcat/catalina_base/conf/server.xml, in the Connector element
Apache ActiveMQ | /opt/EMC/IMF/apache-activemq/conf/activemq.xml, in the sslContext element

Table 5 Key store files

Component | Key store directory | Key store file(s)
Apache Tomcat | /opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes | IMF.ks
Apache ActiveMQ Message Broker | /opt/EMC/IMF/apache-activemq/conf | broker.ks, broker.ts
User Event Listener | /opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes | IMFUserEventListener.ks
Security Event Module | /opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes | IMFSecurityEventModule.ks
IMF Scheduler | /opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes | IMFScheduler.ks
Security Logger | /opt/EMC/securitylogger/config | IMFSecurityLogger.ks
Transport System Service | /opt/EMC/TransportSystemService/config | GridSystemService.ks
Backup Service | /opt/EMC/BackupService/config | IMF-Backup-Service.ks
Backup Manager | /opt/EMC/IMF/data/messagebus-ssl | backupmgr.ks
Grid Resource Manager | /opt/EMC/IMF/data/messagebus-ssl | gridresourcemgr.ks
Grid Task Manager | /opt/EMC/IMF/data/messagebus-ssl | gridtaskmgr.ks

Lockbox management

The RSA Common Security Toolkit 1.1 Lockbox is incorporated into the Avamar extended retention feature for storing encrypted secrets (like passwords) that otherwise would have to be stored as plain text. Secured software components often require users or client software to supply a password. Since EMC security policy does not allow storing plain text passwords either in files or source code and since it would be cumbersome to ask a user to type a password every time one is required, passwords are stored in the lockbox. Once configured, the lockbox allows software to obtain passwords without a user having to type a password.

Each lockbox has a password that is set when the Avamar extended retention feature is installed and can be changed by using the command line utility documented in the section “The Lockbox tool” on page 16. The same tool can be used to display and modify the contents of the lockboxes.

If the password for a secured entity is changed and its password is stored in a lockbox, the lockbox must be updated with the correct password. The names of the items stored in each lockbox are listed below. Most of the items are component “key store” or “trust store” filenames and their passwords.

Table 6 Lockbox files

Component | Lockbox file
Framework | /opt/EMC/IMF/data/lockbox
Security Logger | /opt/EMC/securitylogger/config/lockbox
Transport System Service | /opt/EMC/TransportSystemService/config/lockbox
Backup Service | /opt/EMC/BackupService/config/lockbox

Table 7 Lockbox contents

Lockbox | Contents
Framework | IMFUserEventListener.keyStore, IMFUserEventListener.keyStorePassword, IMFSecurityEventModule.keyStore, IMFSecurityEventModule.keyStorePassword, IMFScheduler.keyStore, IMFScheduler.keyStorePassword
Security Logger | IMFSecurityLogger.keyStore, IMFSecurityLogger.keyStorePassword
Transport System Service | GridSystemService.keyStore, GridSystemService.keyStorePassword
Backup Service | IMF-Backup-Service.keyStore, IMF-Backup-Service.keyStorePassword, ARCHIVE_SERVER_USER, ARCHIVE_SERVER_PASSWORD, ARCHIVE_SERVER_NAME

Log settings

The Avamar extended retention feature has a security logger and log viewer. Security events, which are stored in the framework database, are logged at four levels:

• Informational
• Warning
• Severe
• Critical

The log viewer provides filtering by severity level and date range. It also provides the ability to archive and delete selected events. The Avamar extended retention feature’s online help provides more information.

Communication security

Communication security settings enable the establishment of secure communication channels between:

• Product components
• Product components and external systems or components

Port usage

The ports listed in Table 8 are the Avamar extended retention feature default ports. The extended retention feature allows some of these ports to be changed; however, the procedure involves manually editing various configuration files.

Table 8 Default ports

Component | Protocol | Port | Description
Apache ActiveMQ | TCP | 61617 | SSL connection to the message broker
Apache Tomcat | TCP | 7443 | HTTPS connection to web server
Apache Tomcat | TCP | 7000 | Port available for stopping Tomcat
PostgreSQL | TCP | 5568 | JDBC connection to database server
SSHD | TCP | 22 | Default SSH port
Archive Service Event | TCP | 6667 | Archive Service Event forwarding port
AVDTO | TCP | 2888 | AVDTO daemon port

Network encryption

Table 9 contains the encryption strategies that are employed by the Avamar extended retention feature for communication between components.

Table 9 Encryption strategies

Communication | Encryption type
Between web server and browser | SSL with server authentication
Between ActiveMQ and Avamar DataTransport components | SSL with mutual authentication
Between the PostgreSQL database and the Avamar extended retention feature | Not encrypted

Data security

Encryption of archived data is controlled by the library drive setting.

The Avamar extended retention feature provides a cleanse feature that frees up space on the Media Access Node’s internal Avamar Server. The cleanse can occur immediately before data is imported from tape. It can also be run at any time.

Secure serviceability

The message broker has a web administration console that provides some diagnostic capabilities such as viewing the number of messages and topics in queues and their current state.

The Avamar extended retention feature is installed with port 8161 closed.

To open port 8161:

1. Edit /opt/EMC/IMF/apache-activemq/activemq_base/conf/activemq.xml.

2. Uncomment the following line:

   <import resource="jetty.xml"/>

3. Save and close activemq.xml.

4. In a web browser, type the following URL to access the web console:

   http://Media_Access_Node_IP_address:8161/admin

Additional information is available at http://activemq.apache.org.
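As an added example that is not part of the guide, the following Python script audits a Media Access Node's TCP listeners against Table 8 and two points stated above: port 8161 is installed closed, and Table 9 lists the PostgreSQL connection as not encrypted. It parses `ss -lnt` output (the column layout is assumed; the embedded sample is constructed), lists listening ports that Table 8 does not document, reports whether 8161 is open, and flags port 5568 when it is bound to a non-loopback address.

```python
import re
import subprocess
from typing import Dict, Set, Tuple

# Table 8 default ports (port -> component and purpose).
EXPECTED_PORTS: Dict[int, str] = {
    61617: "Apache ActiveMQ: SSL connection to the message broker",
    7443: "Apache Tomcat: HTTPS connection to web server",
    7000: "Apache Tomcat: port available for stopping Tomcat",
    5568: "PostgreSQL: JDBC connection to database server",
    22: "SSHD: default SSH port",
    6667: "Archive Service Event forwarding port",
    2888: "AVDTO daemon port",
}
# ActiveMQ web console: installed closed, opened only by uncommenting the jetty.xml import.
CONSOLE_PORT = 8161
# Table 9: the PostgreSQL connection is not encrypted, so it should not listen off-host.
UNENCRYPTED_PORTS = {5568}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample of `ss -lnt` output (not captured from a real Media Access Node);
# it deliberately shows 8161 open, 5568 on all interfaces and an undocumented port 5432.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       50      *:61617              *:*
LISTEN  0       100     *:7443               *:*
LISTEN  0       128     0.0.0.0:5568         0.0.0.0:*
LISTEN  0       50      *:8161               *:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
"""

# "addr:port", "[v6addr]:port" or "*:port" in the Local Address:Port column (assumed layout).
_LOCAL_RE = re.compile(r"^\[?([^\]]*)\]?:(\d+)$")


def parse_listeners(ss_output: str) -> Set[Tuple[str, int]]:
    """Return {(address, port)} for every LISTEN row of `ss -lnt` output."""
    listeners: Set[Tuple[str, int]] = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        match = _LOCAL_RE.match(fields[3])
        if match:
            listeners.add((match.group(1), int(match.group(2))))
    return listeners


def audit_listeners(listeners: Set[Tuple[str, int]]) -> Dict[str, object]:
    """Compare listening sockets with Table 8, the port-8161 rule and the Table 9 note."""
    ports = {port for _, port in listeners}
    return {
        # listening but neither in Table 8 nor the console port: investigate
        "unexpected": sorted(ports - set(EXPECTED_PORTS) - {CONSOLE_PORT}),
        # in Table 8 but not listening: a component may be down or bound elsewhere
        "missing": sorted(set(EXPECTED_PORTS) - ports),
        # the web console should stay closed unless it was opened on purpose
        "console_open": CONSOLE_PORT in ports,
        # unencrypted database traffic reachable from other hosts
        "exposed_unencrypted": sorted(
            (addr, port) for addr, port in listeners
            if port in UNENCRYPTED_PORTS and addr not in LOOPBACK
        ),
    }


def audit_local_host() -> Dict[str, object]:
    """Run `ss -lnt` on this host and audit the result."""
    completed = subprocess.run(["ss", "-lnt"], check=True, capture_output=True, text=True)
    return audit_listeners(parse_listeners(completed.stdout))


if __name__ == "__main__":
    for key, value in audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT)).items():
        print(f"{key}: {value}")
```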


JMX tools like jconsole can be used to diagnose ActiveMQ. However, JMX access is password protected. You can log in as one of two users:

• controlRole — Full access
• monitorRole — Read access

The usernames and passwords are stored in the following files:

/opt/EMC/IMF/apache-activemq/activemq_base/conf/jmx.access
/opt/EMC/IMF/apache-activemq/activemq_base/conf/jmx.password

If these files are changed, the shutdown script, /opt/EMC/IMF/apache-activemq/activemq_base/bin/activemqstop.sh, must also be modified since the service shutdown uses the JMX username and password.

For additional information, refer to http://activemq.apache.org.

The Lockbox tool

The lockbox tool is a command line tool implemented as an executable jar file that can be used for the following tasks:

• Create a lockbox
• Set or change a lockbox password
• Add or remove a host allowed to access the lockbox without a password
• Display, change, or remove a name-value pair

The Lockbox tool requires that two environment variables be set:

LOCK_BOX_FILE — The full or relative path to the lockbox file. If not set, this defaults to “lockbox” in the current directory.

LD_LIBRARY_PATH — The shared library location specified in Table 10.

Running the Lockbox tool

You execute the Lockbox tool by typing the following:

java -jar lockbox.jar operation [argument] [argument]

where lockbox is one of:

• imf-lockbox-2.0-SNAPSHOT
• imf-lockbox

Either lockbox file will work.

Table 10 Lockbox tool and library locations

Component | Lockbox tool location | Shared library location
Security Logger | /opt/EMC/securitylogger/lib/imf-lockbox.jar | /opt/EMC/securitylogger/lib/linux
Transport System Service | /opt/EMC/TransportSystemService/lib/imf-lockbox.jar | /opt/EMC/TransportSystemService/lib/native
Backup Service | /opt/EMC/BackupService/lib/imf-lockbox.jar | /opt/EMC/BackupService/lib/native
IMF | /opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/lib/imf-lockbox-3.2.0-2.jar | /opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/lib/linux

Table 11 describes the possible values for operation and argument. Square brackets indicate optional arguments.

If the command is not run from the directory containing the lockbox .jar file, then you must specify the full or relative path to the tool. Additionally, you may need to specify the path to the Java executable. The Java Runtime Environment (JRE) is included in the Avamar extended retention feature and can be found at the locations shown in Table 12.

Information can be obtained from the lockbox without having to supply the lockbox password. The lockbox stores secrets as name and value pairs. It can be configured to allow setting, modifying, and removing these values without supplying a password. However, administrative operations always require a password.

In order to access the lockbox without supplying a password, the host from which the access is being executed must be registered with the lockbox. Registering a host is an administrative operation requiring a password. Once a host is registered, any user who can execute code on that host can access a lockbox secret, assuming they know the name of the secret. For this reason, it is important that the permissions on the lockbox file are set appropriately.

Table 11 Lockbox tool operations and arguments

Operation | Argument 1 | Argument 2 | Description
create | [password] | | Create a new lockbox password.
set | item_name | item_value | Set or change the value of item_name.
display | item_name | | Display the value of item_name.
remove | item_name | | Remove item_name from the lockbox.
list_hosts | [password] | | Display the host list, which lists the hosts registered to access the lockbox without a password.
add_this_host | [password] | | Add the local host to the host list.
add_host | host_name | [password] | Add the host_name to the host list.
remove_host | host_name | [password] | Remove the host_name from the host list.
change_pass_phrase | [new_password] | [old_password] | Change the lockbox password.

Table 12 Java runtime locations

Component | Java runtime location
Framework | /opt/EMC/IMF/jre/bin
Security Logger | /opt/EMC/securitylogger/jre/bin
Transport System Service | /opt/EMC/TransportSystemService/jre/bin
Backup Service | /opt/EMC/BackupService/jre/bin

Unless specified on the command line, LockBoxTool.jar will prompt for a password for administrative operations. If the local host is not in the host list, the user will be prompted for a password for non-administrative operations. Once a password is successfully typed during any operation, the local host will be added to the host list. When a lockbox is being created or its password is being changed, the user will have to type the new password twice to make sure it is typed correctly.
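The point above about lockbox file permissions, the owner-only rule stated under Certificate management, and the Table 3 notes about database passwords kept in plaintext can be checked together. The following Python script is an added example, not part of the guide: it verifies that the lockbox files of Table 6, a selection of the key store files of Table 5, and the properties files named in Table 3 are readable by their owner only, and scans the properties files for the default passwords Table 3 documents. The property key names in the constructed sample are hypothetical (the guide does not list the real ones), so the scan keys on any property whose name contains the word password.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Secret-bearing files named in the guide, relative to the install root (Tables 3, 5 and 6).
LOCKBOX_FILES = [
    "opt/EMC/IMF/data/lockbox",
    "opt/EMC/securitylogger/config/lockbox",
    "opt/EMC/TransportSystemService/config/lockbox",
    "opt/EMC/BackupService/config/lockbox",
]
KEYSTORE_FILES = [
    "opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes/IMF.ks",
    "opt/EMC/IMF/apache-activemq/conf/broker.ks",
    "opt/EMC/IMF/apache-activemq/conf/broker.ts",
    "opt/EMC/TransportSystemService/config/GridSystemService.ks",
]
PROPERTIES_FILES = [
    "opt/EMC/IMF/apache-tomcat/imf/WEB-INF/classes/imf-persistence.properties",
    "opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes/imf-persistence.properties",
    "opt/EMC/IMF/apache-tomcat/catalina_base/imf/WEB-INF/classes/imfscheduler.properties",
]
# Default passwords documented in Table 3; a password property still set to one is a finding.
DEFAULT_PASSWORDS = {"changeme", "IMF_PG_USER", "POLICY_USER"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '=' or ':' separators, '#'/'!' comments, '\\' continuations."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]  # value continues on the next line
            continue
        idx = min((line.index(s) for s in "=:" if s in line), default=-1)
        key, value = (line, "") if idx < 0 else (line[:idx], line[idx + 1:])
        props[key.strip()] = value.strip()
    return props


def default_password_findings(path: Path) -> List[Tuple[str, str]]:
    """(key, value) pairs whose key names a password and whose value is a documented default."""
    props = parse_properties(path.read_text())
    return sorted((k, v) for k, v in props.items()
                  if "password" in k.lower() and v in DEFAULT_PASSWORDS)


def permission_findings(path: Path) -> List[str]:
    """Flag a file that is missing or that group/others can read or write."""
    if not path.exists():
        return [f"{path}: missing"]
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        return [f"{path}: mode {mode:04o} allows group/other access, expected owner-only"]
    return []


def audit(root: Path) -> Dict[str, List[str]]:
    """Run both checks over every documented file below root."""
    findings: Dict[str, List[str]] = {"permissions": [], "default_passwords": []}
    for rel in LOCKBOX_FILES + KEYSTORE_FILES + PROPERTIES_FILES:
        findings["permissions"] += permission_findings(root / rel)
    for rel in PROPERTIES_FILES:
        if (root / rel).exists():
            findings["default_passwords"] += [
                f"{root / rel}: {k}={v}" for k, v in default_password_findings(root / rel)]
    return findings


# Constructed sample; the key names are hypothetical, the guide does not list the real ones.
SAMPLE_PROPERTIES = """\
# imf-persistence.properties (constructed sample)
imf.db.url = jdbc:postgresql://localhost:5568/IMF
imf.db.user = IMF_PG_USER
imf.db.password = IMF_PG_USER
quartz.db.password : S3cure-Changed!
"""


def build_sample_tree(root: Path) -> None:
    """Fake install tree: one lockbox with the right mode, one world-readable properties file."""
    lockbox = root / LOCKBOX_FILES[0]
    lockbox.parent.mkdir(parents=True, exist_ok=True)
    lockbox.write_bytes(b"")
    os.chmod(lockbox, 0o600)
    props = root / PROPERTIES_FILES[0]
    props.parent.mkdir(parents=True, exist_ok=True)
    props.write_text(SAMPLE_PROPERTIES)
    os.chmod(props, 0o644)


def demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return audit(Path(tmp))
```

Run `audit(Path("/"))` on the Media Access Node itself to check the real files; `demo()` only exercises the constructed tree.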

Lockbox tool examples

Examples of how to use LockBoxTool.jar are provided below.

Example 1: Display the hosts that can use the lockbox without a password.

root@host220:~/#: export LD_LIBRARY_PATH=/DTO/EMC/TransportSystemService/lib/native
root@host220:~/#: export LOCK_BOX_FILE=/DTO/EMC/TransportSystemService/config/lockbox
root@host220:~/#: cd /DTO/EMC/TransportSystemService
root@host220:/DTO/EMC/TransportSystemService/#: jre/bin/java -jar lib/imf-lockbox.jar list_hosts 'Test123!'
host1.example.com
host2.example.com
root@host220:/DTO/EMC/TransportSystemService/#:

Example 2: Change the password for the lockbox from "Test123!" to "MySecret-123".

root@host220:~/#: export LD_LIBRARY_PATH=/DTO/EMC/TransportSystemService/lib/native
root@host220:~/#: export LOCK_BOX_FILE=/DTO/EMC/TransportSystemService/config/lockbox
root@host220:~/#: cd /DTO/EMC/TransportSystemService
root@host220:/DTO/EMC/TransportSystemService/#: jre/bin/java -jar lib/imf-lockbox.jar change_pass_phrase 'MySecret-123' 'Test123!'
root@host220:/DTO/EMC/TransportSystemService/#:

Example 3: Display the value of the key store password, whose name is GridSystemService.keyStorePassword.

root@host220:~/#: export LD_LIBRARY_PATH=/DTO/EMC/TransportSystemService/lib/native
root@host220:~/#: export LOCK_BOX_FILE=/DTO/EMC/TransportSystemService/config/lockbox
root@host220:~/#: cd /DTO/EMC/TransportSystemService
root@host220:/DTO/EMC/TransportSystemService/#: jre/bin/java -jar lib/imf-lockbox.jar display GridSystemService.keyStorePassword
Item GridSystemService.keyStorePassword is set to "Test123!".
root@host220:/DTO/EMC/TransportSystemService/#:

Example 4: Change the key store password from "Test123!" to "MySecret-456".

root@host220:~/#: export LD_LIBRARY_PATH=/DTO/EMC/TransportSystemService/lib/native
root@host220:~/#: export LOCK_BOX_FILE=/DTO/EMC/TransportSystemService/config/lockbox
root@host220:~/#: cd /DTO/EMC/TransportSystemService
root@host220:/DTO/EMC/TransportSystemService/#: jre/bin/java -jar lib/imf-lockbox.jar set GridSystemService.keyStorePassword 'MySecret-456'
Item GridSystemService.keyStorePassword is set to "MySecret-456".
root@host220:/DTO/EMC/TransportSystemService/#:
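The four sessions above, wrapped in Python as an added example that is not part of the guide: it encodes the per-component paths of Tables 6, 10 and 12, checks the operation and argument count against Table 11, sets LOCK_BOX_FILE and LD_LIBRARY_PATH, runs the tool from the component directory, and parses the `Item ... is set to "..."` reply shown in Examples 3 and 4. The install root is a parameter because the tables use /opt while the sessions use /DTO.

```python
import os
import posixpath
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Per-component locations from Tables 6, 10 and 12, relative to the install root
# (/opt in the tables, /DTO in the sessions above). "Framework" is the IMF row of Table 10.
COMPONENTS: Dict[str, Dict[str, str]] = {
    "Security Logger": {"dir": "EMC/securitylogger", "jar": "lib/imf-lockbox.jar",
                        "native": "lib/linux", "jre": "jre/bin", "lockbox": "config/lockbox"},
    "Transport System Service": {"dir": "EMC/TransportSystemService", "jar": "lib/imf-lockbox.jar",
                                 "native": "lib/native", "jre": "jre/bin", "lockbox": "config/lockbox"},
    "Backup Service": {"dir": "EMC/BackupService", "jar": "lib/imf-lockbox.jar",
                       "native": "lib/native", "jre": "jre/bin", "lockbox": "config/lockbox"},
    "Framework": {"dir": "EMC/IMF",
                  "jar": "apache-tomcat/catalina_base/imf/WEB-INF/lib/imf-lockbox-3.2.0-2.jar",
                  "native": "apache-tomcat/catalina_base/imf/WEB-INF/lib/linux",
                  "jre": "jre/bin", "lockbox": "data/lockbox"},
}
# Table 11: operation -> (minimum, maximum) number of arguments.
OPERATIONS: Dict[str, Tuple[int, int]] = {
    "create": (0, 1), "set": (2, 2), "display": (1, 1), "remove": (1, 1),
    "list_hosts": (0, 1), "add_this_host": (0, 1), "add_host": (1, 2),
    "remove_host": (1, 2), "change_pass_phrase": (0, 2),
}
# Reply line printed by display and set (Examples 3 and 4 above).
_ITEM_RE = re.compile(r'^Item (\S+) is set to "(.*)"\.$')


def validate(component: str, operation: str, args: Tuple[str, ...]) -> Optional[str]:
    """Return an error message for a bad invocation, or None when it matches Table 11."""
    if component not in COMPONENTS:
        return f"unknown component: {component}"
    if operation not in OPERATIONS:
        return f"unknown operation: {operation}"
    lo, hi = OPERATIONS[operation]
    if not lo <= len(args) <= hi:
        return f"{operation} takes {lo} to {hi} arguments, got {len(args)}"
    return None


def build_command(component: str, operation: str, *args: str,
                  root: str = "/opt") -> Tuple[List[str], Dict[str, str], str]:
    """Return (argv, environment additions, working directory) for one tool invocation."""
    error = validate(component, operation, args)
    if error:
        raise ValueError(error)
    c = COMPONENTS[component]
    cwd = posixpath.join(root, c["dir"])
    env = {"LOCK_BOX_FILE": posixpath.join(cwd, c["lockbox"]),
           "LD_LIBRARY_PATH": posixpath.join(cwd, c["native"])}
    argv = [posixpath.join(c["jre"], "java"), "-jar", c["jar"], operation, *args]
    return argv, env, cwd


def parse_item_reply(output: str) -> Optional[Tuple[str, str]]:
    """Extract (item_name, value) from the tool's 'Item NAME is set to "VALUE".' line."""
    for line in output.splitlines():
        m = _ITEM_RE.match(line.strip())
        if m:
            return m.group(1), m.group(2)
    return None


def run_lockbox(component: str, operation: str, *args: str, root: str = "/opt") -> str:
    """Run the tool from the component directory and return its stdout.

    Intended for non-interactive use (host registered, or the password passed as an
    argument); a password passed as an argument is visible in the process list while
    the tool runs, so prefer a registered host for routine reads.
    """
    argv, extra_env, cwd = build_command(component, operation, *args, root=root)
    completed = subprocess.run(argv, cwd=cwd, env=dict(os.environ, **extra_env),
                               check=True, capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    # Example 1 above, expressed through the wrapper.
    argv, env, cwd = build_command("Transport System Service", "list_hosts", root="/DTO")
    print(cwd, env, " ".join(argv))
```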
